[wellylug] OT: VPN howto

Pete Black pete at marchingcubes.com
Thu Mar 24 22:37:40 NZST 2005


You need a route specifying the VPN firewall as the gateway to the 
'internal' network on the client - this should be set up by the IPSEC 
client, but check it anyway, and you also need to ensure that the VPN 
client's network card and the remote 'internal' subnets are different, 
or packets will get sent out eth0 (192.168.0.x) instead of 
default-gatewayed through the VPN router (to reach internal subnet 
192.168.0.x).

The machines on your internal network will also need to gateway (or 
otherwise route) through the server that handles the VPN in order to 
reply to connections made from that IP range. That is, ensure that 
packets sent from the internal network to the IP address block 
specified in your roadwarrior server config actually end up getting 
routed to ipsec0 on your VPN server. If the VPN server is the default 
gateway, this shouldn't be a problem.

I would suspect an IP range mismatch, e.g. client internal == server 
internal, or a misconfiguration in the ipsec.conf causing incorrect 
routes to be set on the server - it should be possible to manually 
enter routes once the connection is established. Also ensure you are 
not firewalling packets to/from the ipsecX interfaces in the FORWARD 
table.

Those would be the most common issues I would look at when 
troubleshooting.

Let me know if you need more help.

-Pete


> Please excuse the off-topic nature of this post. This has a tenuous 
> link with Linux in that my network servers run Debian. Trouble is I 
> can't access them remotely through the VPN I've set up.
>
> The firewall is IPCop1.4 and on it I've configured a roadwarrior VPN 
> using PSK between IPCop and a laptop running XP SP2. I roughly 
> followed the instructions at:
> http://www.ipcop.org/1.2.0/en/vpn/html/
>
> I can establish a VPN connection using ipsec.exe. I can ping the 
> firewall's internal IP address. I can ssh to the firewall using PuTTY 
> through the VPN (external ssh access is blocked). Trouble is I can't 
> access anything else within my home network.
>
> I expect the next step is to set up some appropriate routing but 
> search as I may I can't find an appropriate howto. Anyone been here 
> done that?
>
> Rob Stockley
>
>
> -- 
> Wellington Linux Users Group Mailing List: 
> wellylug at lists.wellylug.org.nz
> To Leave:  http://lists.wellylug.org.nz/mailman/listinfo/wellylug

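The checks Pete lists above (client subnet must not overlap the remote internal subnet, client must hold a route to the internal subnet via the VPN gateway, and the FORWARD chain must not drop traffic on the ipsec interface) can be scripted so they are run the same way every time. The script below is an added example and is not from the original thread or from IPCop; it works offline on constructed sample data in `route -n` and `iptables-save` format, and the addresses, prefix lengths and interface names (192.168.0.0/24 client LAN, 192.168.1.0/24 internal LAN, 10.0.0.1 gateway, eth0/eth1/ipsec0) are assumptions for illustration. On a real host you would pipe the live output of `route -n` and `iptables-save` into the same functions.

```shell
#!/bin/sh
# Added example, not part of the original thread: offline checks for the
# three things Pete says to verify on a roadwarrior setup. All input below
# is constructed sample data; the subnets, gateway and interface names are
# assumptions for illustration.

# Dotted quad -> 32-bit integer.
ip2int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# Prefix length -> netmask as a 32-bit integer (/0 -> 0).
prefix2mask() {
    if [ "$1" -eq 0 ]; then echo 0
    else echo $(( (4294967295 << (32 - $1)) & 4294967295 )); fi
}

# True (exit 0) if two CIDR blocks share any address. This is the
# "client internal == server internal" mismatch: with an overlapping local
# subnet the kernel treats the remote host as directly connected and sends
# the packet out eth0 instead of through the tunnel.
subnets_overlap() {
    n1=$(ip2int "${1%/*}"); l1=${1#*/}
    n2=$(ip2int "${2%/*}"); l2=${2#*/}
    if [ "$l1" -le "$l2" ]; then m=$(prefix2mask "$l1"); else m=$(prefix2mask "$l2"); fi
    [ $(( n1 & m )) -eq $(( n2 & m )) ]
}

# True if the 'route -n' table on stdin has a route to network DEST via GW.
route_via() {
    awk -v dest="$1" -v gw="$2" '$1 == dest && $2 == gw { found = 1 } END { exit found ? 0 : 1 }'
}

# Print the FORWARD verdict for packets entering on IN_IF and leaving on
# OUT_IF, given iptables-save text on stdin. First-match semantics over the
# -i/-o matches only: other match criteria and "!" negation are ignored, and
# the target is assumed to be the last field ("-j TARGET").
forward_verdict() {
    awk -v in_if="$1" -v out_if="$2" '
        $1 == ":FORWARD" { policy = $2 }
        $1 == "-A" && $2 == "FORWARD" && verdict == "" {
            ok = 1
            for (i = 3; i < NF; i++) {
                if ($i == "-i" && $(i + 1) != in_if)  ok = 0
                if ($i == "-o" && $(i + 1) != out_if) ok = 0
            }
            if (ok) verdict = $NF
        }
        END { print (verdict == "" ? policy : verdict) }'
}

# Constructed client routing table after the tunnel is up: the internal LAN
# 192.168.1.0/24 is reached via the VPN gateway's inner address 10.0.0.1.
CLIENT_ROUTES='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.0     10.0.0.1        255.255.255.0   UG    0      0        0 ipsec0'

# Constructed server firewall: policy DROP and ipsec0 never mentioned (broken).
FW_BROKEN=':FORWARD DROP [0:0]
-A FORWARD -i eth0 -o eth1 -j ACCEPT'

# The same with ipsec0 allowed in both directions (fixed).
FW_FIXED=':FORWARD DROP [0:0]
-A FORWARD -i ipsec0 -j ACCEPT
-A FORWARD -o ipsec0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT'

# Run all three checks against the sample client table and the firewall
# text passed as $1; report each, and return non-zero if anything failed.
check_all() {
    rc=0
    if subnets_overlap 192.168.0.0/24 192.168.1.0/24; then
        echo "FAIL: client LAN overlaps the remote internal subnet"; rc=1
    else
        echo "ok: client LAN and remote internal subnet are distinct"
    fi
    if printf '%s\n' "$CLIENT_ROUTES" | route_via 192.168.1.0 10.0.0.1; then
        echo "ok: client routes 192.168.1.0/24 via the VPN gateway"
    else
        echo "FAIL: no client route to the internal subnet via the VPN gateway"; rc=1
    fi
    for pair in "ipsec0 eth0" "eth0 ipsec0"; do
        v=$(printf '%s\n' "$1" | forward_verdict $pair)
        if [ "$v" = ACCEPT ]; then echo "ok: FORWARD $pair -> $v"
        else echo "FAIL: FORWARD $pair -> $v"; rc=1; fi
    done
    return $rc
}

check_all "$FW_FIXED"
```

`forward_verdict` only models the interface matches, so a rule that drops by source address or connection state would still be missed; it is a quick first pass, not a replacement for reading the ruleset.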