[wellylug] OT: VPN howto
Rob Stockley
wellylug at mowgli.net.nz
Fri Mar 25 08:34:49 NZST 2005
So if I understand you correctly, the machines with remote access should
be on a completely different subnet?
Internet
||
\/
203.79.?.?
firewall 192.168.3.1 <<<===>>> VPN IP range 192.168.3.0/24
192.168.2.1
||
\/
local IP ranges
192.168.2.0/24
At the moment The VPN range is part of the same IP range as the local
network.
Rob
Pete Black wrote:
> You need a route specifying the VPN firewall as the gateway to the
> 'internal' network on the client - this should be set up by the IPSEC
> client, but check it anyway, and you also need to ensure that the VPN
> client's network card and the remote 'internal' subnets are different,
> or packets will get sent out eth0 (192.168.0.x) instead of
> default-gatewayed through the VPN router (to reach internal subnet
> 192.168.0.x).
>
> The machines on your internal network will also need to gateway (or
> otherwise route) through the server that handles the VPN in order to
> reply to connections made from that IP range. That is, ensure that
> packets sent from the internal network to the IP address block
> specified in your roadwarrior server config actually end up getting
> routed to ipsec0 on your VPN server. If the VPN server is the default
> gateway, this shouldn't be a problem.
>
> I would suspect an ip range mismatch e.g. client internal == server
> internal or a misconfiguration in the ipsec.conf causing incorrect
> routes to be set on the server - it should be possible to manually
> enter routes once the connection is established. Also ensure you are
> not firewalling packets to/from the ipsecX interfaces in the FORWARD
> table.
>
> Those would be the most common issues I would look at when
> troubleshooting.
>
> Let me know if you need more help
>
> -Pete
>
>
>> Please excuse the off-topic nature of this post. This has a tenuous
>> link with Linux in that my network servers run Debian. Trouble is I
>> can't access them remotely through the VPN I've set up.
>>
>> The firewall is IPCop1.4 and on it I've configured a roadwarrior VPN
>> using PSK between IPCop and a laptop running XP SP2. I roughly
>> followed the instructions at:
>> http://www.ipcop.org/1.2.0/en/vpn/html/
>>
>> I can establish a VPN connection using ipsec.exe. I can ping the
>> firewall's internal IP address. I can ssh to the firewall using
>> PuTTY through the VPN (external ssh access is blocked). Trouble is I
>> can't access anything else within my home network.
>>
>> I expect the next step is to set up some appropriate routing but
>> search as I may I can't find an appropriate howto. Anyone been here
>> done that?
>>
>> Rob Stockley
>>
>>
>> --
>> Wellington Linux Users Group Mailing List:
>> wellylug at lists.wellylug.org.nz
>> To Leave: http://lists.wellylug.org.nz/mailman/listinfo/wellylug
>
>
>
>
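The checklist in Pete's reply (client route to the internal subnet via the tunnel, a return route for the VPN pool on the internal side, and no overlap between the client's own NIC subnet and the remote internal subnet) as an added Python example; this is not code from the thread, and the function name and the sample subnets are constructed, based on the 192.168.2.0/24 LAN and 192.168.3.0/24 VPN range discussed above.

```python
from ipaddress import ip_network


def check_roadwarrior_routing(client_lan, internal_lan, vpn_pool,
                              vpn_server_lan_ip, vpn_server_is_default_gw):
    """Apply the routing checklist from the reply to a roadwarrior setup.

    client_lan               -- subnet the laptop's own NIC sits on
    internal_lan             -- subnet behind the VPN server ('internal')
    vpn_pool                 -- address block handed out to roadwarrior clients
    vpn_server_lan_ip        -- the VPN server's address on internal_lan
    vpn_server_is_default_gw -- True if internal hosts already default-route
                                through the VPN server
    Returns (problems, routes): findings that break traffic, and the static
    routes that must exist for packets to flow in both directions.
    (Hypothetical helper; the subnets are the caller's, nothing is probed.)
    """
    client = ip_network(client_lan, strict=False)
    internal = ip_network(internal_lan, strict=False)
    pool = ip_network(vpn_pool, strict=False)
    problems, routes = [], []

    # 1. If the client's NIC subnet overlaps the remote internal subnet, the
    #    client kernel treats internal hosts as on-link and sends out eth0
    #    instead of through the tunnel (the "client internal == server
    #    internal" mismatch).
    if client.overlaps(internal):
        problems.append(f"client LAN {client} overlaps internal LAN {internal}: "
                        "packets for internal hosts leave the local NIC, not the tunnel")
    if pool.overlaps(client):
        problems.append(f"VPN pool {pool} overlaps client LAN {client}")

    # 2. The client always needs a route to the internal subnet via the tunnel
    #    (normally installed by the IPsec client, but worth verifying).
    routes.append(f"client: {internal} via VPN tunnel")

    # 3. Return path: replies from internal hosts to pool addresses must be
    #    routed to the VPN server so they reach ipsec0. If the pool is carved
    #    out of the internal LAN itself, LAN hosts ARP for those addresses on
    #    the wire rather than forwarding them to the VPN server.
    if pool.overlaps(internal):
        problems.append(f"VPN pool {pool} overlaps internal LAN {internal}: "
                        "LAN hosts ARP for pool addresses instead of routing "
                        "replies to the VPN server (unless it proxy-ARPs)")
    elif not vpn_server_is_default_gw:
        routes.append(f"internal hosts: {pool} via {vpn_server_lan_ip}")
    return problems, routes
```

Running it with the pool inside 192.168.2.0/24 reproduces the "can reach the firewall but nothing behind it" symptom as a finding; moving the pool to 192.168.3.0/24 with the firewall as default gateway leaves only the client-side route to verify.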