[wellylug] OT: VPN howto
Stig Telfer
wellylug at lizardlogic.co.uk
Fri Mar 25 13:42:18 NZST 2005
On 24 Mar 2005, at 10:37, Pete Black wrote:
> You need a route specifying the VPN firewall as the gateway to the
> 'internal' network on the client - this should be set up by the IPSEC
> client, but check it anyway, and you also need to ensure that the VPN
> client's network card and the remote 'internal' subnets are different,
> or packets will get sent out eth0 (192.168.0.x) instead of
> default-gatewayed through the VPN router (to reach internal subnet
> 192.168.0.x).
>
> The machines on your internal network will also need to gateway (or
> otherwise route) through the server that handles the VPN in order to
> reply to connections made from that IP range. That is, ensure that
> packets sent from the internal network to the IP address block
> specified in your roadwarrior server config actually end up getting
> routed to ipsec0 on your VPN server. If the VPN server is the default
> gateway, this shouldn't be a problem.
>
> I would suspect an IP range mismatch e.g. client internal == server
> internal or a misconfiguration in the ipsec.conf causing incorrect
> routes to be set on the server - it should be possible to manually
> enter routes once the connection is established. Also ensure you are
> not firewalling packets to/from the ipsecX interfaces in the FORWARD
> table.
>
> Those would be the most common issues I would look at when
> troubleshooting.
>
> Let me know if you need more help
>
> -Pete
One other thing you might need to check is whether your gateway
iptables setup knows about the new VPN network interface, and permits
forwarding across that to the home intranet.
Running tcpdump on the VPN network interface of the VPN gateway is good
for troubleshooting:
- No packets received from client suggests that iptables is dropping
them
- Client packets coming in but nothing going back suggests routing
needs fixing
Regards,
Stig
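As an added illustration (not part of the thread) of the two tcpdump rules above, a small Python script that reads the text output of `tcpdump -ni ipsec0` captured on the gateway and reports which failure mode the capture matches. The roadwarrior address pool and home intranet subnet used here are assumed values, not taken from the thread; tcpdump itself is not run, only its saved output is parsed.

```python
"""Classify a tcpdump capture from the VPN gateway's ipsec0 interface.

Rule 1: no packets from the VPN client at all -> suspect iptables dropping them.
Rule 2: client packets arrive but no replies go back -> suspect routing.
Addressing below is assumed for the example, not from the mailing list thread.
"""
import ipaddress
import re

ROADWARRIOR_POOL = ipaddress.ip_network("10.1.2.0/24")  # assumed client pool
INTRANET = ipaddress.ip_network("192.168.1.0/24")       # assumed home intranet

# Matches the start of a "tcpdump -n" line: "<time> IP <src>[.port] > <dst>[.port]:"
LINE_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:"
)


def count_directions(lines):
    """Return (packets from client pool to intranet, replies from intranet to pool)."""
    inbound = outbound = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ARP, non-IP or truncated lines are ignored
        src = ipaddress.ip_address(m.group(1))
        dst = ipaddress.ip_address(m.group(2))
        if src in ROADWARRIOR_POOL and dst in INTRANET:
            inbound += 1
        elif src in INTRANET and dst in ROADWARRIOR_POOL:
            outbound += 1
    return inbound, outbound


def diagnose(lines):
    """Apply the two troubleshooting rules to a capture and name the likely fault."""
    inbound, outbound = count_directions(lines)
    if inbound == 0:
        return "no client packets on ipsec0: check iptables (INPUT/FORWARD) on the gateway"
    if outbound == 0:
        return "client packets arrive but nothing returns: check routes for the client range"
    return "traffic flows both ways on ipsec0"


# Constructed sample capture lines in tcpdump's text format (not a real capture).
SAMPLE_ROUTING_PROBLEM = [
    "12:00:01.000001 IP 10.1.2.5 > 192.168.1.10: ICMP echo request, id 1, seq 1, length 64",
    "12:00:02.000001 IP 10.1.2.5 > 192.168.1.10: ICMP echo request, id 1, seq 2, length 64",
]
SAMPLE_OK = SAMPLE_ROUTING_PROBLEM + [
    "12:00:02.000500 IP 192.168.1.10 > 10.1.2.5: ICMP echo reply, id 1, seq 2, length 64",
]

if __name__ == "__main__":
    print(diagnose(SAMPLE_ROUTING_PROBLEM))
    print(diagnose(SAMPLE_OK))
```

Feed it a saved capture with `python3 script.py < capture.txt` after replacing the sample lists with `sys.stdin` if you want to run it against real output.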