Routing issue with Redhat 7.3

Status
Not open for further replies.

mundell

IS-IT--Management
Jul 11, 2000
OK, need some help here. I just set up a VPN server and got everything set up OK, at least I think. I connect with my laptop and I get 192.168.1.2 on my laptop, which is correct. Then I should be able to ping a 172.28.254.254 IP address, but it only lets me ping 172.28.254.235, which is the local IP on the VPN server. So I am getting to the VPN server with the VPN connection but can't get out. I did enable ip_forward, made it a 1 instead of 0. Look through these routes I ran below and see if you can see anything wrong. I connect, I just can't ping anything else on the network besides the server.

>
> ==========
> vpn server
> ==========
>
> ppp0 Link encap:point-to-Point Protocol
> inet addr:66.168.134.140 P-t-P:192.168.1.2
> Mask:255.255.255.255
> UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
> RX packets:157 errors:0 dropped:0 overruns:0 frame:0
> TX packets:131 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:3
> RX bytes:3858 (3.7 Kb) TX bytes:1352 (1.3 Kb)
>
> [root@vpnserver root]# route
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 192.168.1.2 * 255.255.255.255 UH 0 0 0 ppp0
> 172.28.254.0 * 255.255.255.0 U 0 0 0 eth1
> 66.168.132.0 * 255.255.252.0 U 0 0 0 eth0
> 127.0.0.0 * 255.0.0.0 U 0 0 0 lo
> default cm1.kycm.nebi.c 0.0.0.0 UG 0 0 0 eth0
> [root@vpnserver root]#
>
>
> ============================
> Laptop making vpn connection
> ============================
>
> Active Routes:
> Network Destination Netmask Gateway Interface Metric
> 0.0.0.0 0.0.0.0 66.168.128.1 66.168.128.168 2
> 0.0.0.0 0.0.0.0 192.168.1.2 192.168.1.2 1
> 66.168.128.0 255.255.252.0 66.168.128.168 66.168.128.168 1
> 66.168.128.168 255.255.255.255 127.0.0.1 127.0.0.1 1
> 66.168.134.140 255.255.255.255 66.168.128.254 66.168.128.168 1
> 66.255.255.255 255.255.255.255 66.168.128.168 66.168.128.168 1
> 127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
> 192.168.1.2 255.255.255.255 127.0.0.1 127.0.0.1 1
> 192.168.1.255 255.255.255.255 192.168.1.2 192.168.1.2 1
> 224.0.0.0 224.0.0.0 66.168.128.168 66.168.128.168 1
> 224.0.0.0 224.0.0.0 192.168.1.2 192.168.1.2 1
> 255.255.255.255 255.255.255.255 66.168.128.168 2 1
> Default Gateway: 192.168.1.2
> ===========================================================================
> Persistent Routes:
> None
>
> C:\>
 
Okay, so here's the situation:
You have a PTP link (dial-in) that connects you to
the VPN server.
That's fine.

But there is one small problem. Your vpn client
doesn't know how to route to the 172.28.x.x network.
You'll see that there is no route to this network.

If you have not, you will need to add an ipchains -A FORWARD rule, or an iptables -A FORWARD rule, for the networks in
question, or just a generic -j ACCEPT (not smart security).

Here is what I have done to demonstrate:

I created two pseudo interfaces on one machine:

eth0:1 Link encap:Ethernet HWaddr
inet addr:192.154.30.1 Bcast:192.154.30.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:10 Base address:0xf000

eth0:2 Link encap:Ethernet HWaddr
inet addr:172.16.12.1 Bcast:172.16.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:10 Base address:0xf000

On another machine I created this config:

eth0:1 Link encap:Ethernet HWaddr
inet addr:192.154.30.2 Bcast:192.154.30.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:11 Base address:0x2400

So I have a basic simulation.

I then added iptables -A FORWARD -j ACCEPT to the
top machine's ruleset and of course echo 1 > blah..

Then on the bottom machine I added a route:
route add -net 172.16.0.0/16 gw 192.154.30.1

Now I test:
PING 172.16.12.1 (172.16.12.1): 56 data bytes
64 bytes from 172.16.12.1: icmp_seq=0 ttl=255 time=0.837 ms
64 bytes from 172.16.12.1: icmp_seq=1 ttl=255 time=0.274 ms
64 bytes from 172.16.12.1: icmp_seq=2 ttl=255 time=0.276 ms
64 bytes from 172.16.12.1: icmp_seq=3 ttl=255 time=0.270 ms
--- 172.16.12.1 ping statistics ---

All done ;)

Whether or not your VPN is correctly configured is up in
the air, of course. I don't have enough info to say.

The iproute2 kit allows you a great deal of flexibility with Linux routing, and you can do amazing things with
iptables and other user-space tools for redirecting
traffic.

HTH.
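
The scoped alternative to the generic -j ACCEPT mentioned in the reply above, as an added example that is not part of the original thread: a POSIX shell function that prints iptables FORWARD rules limited to the VPN client and LAN shown in the first post (ppp0, eth1, 192.168.1.2, 172.28.254.0/24). The function names, the DROP policy and the use of the state match are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): print scoped FORWARD rules for a VPN
# gateway. Nothing is applied; review the output, then pipe it to sh as root.

# Accept a dotted-quad host or a network with a /1../32 prefix; reject anything
# else so a typo or "0.0.0.0/0" cannot turn into an allow-everything rule.
valid_net() {
    net=$1
    case "$net" in
        */*) addr=${net%/*}; prefix=${net#*/} ;;
        *)   addr=$net; prefix=32 ;;
    esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -ge 1 ] && [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Interface names end up inside generated commands, so allow only safe characters.
valid_if() {
    case "$1" in ''|*[!A-Za-z0-9:._-]*) return 1 ;; esac
}

# usage: vpn_forward_rules VPN_IF LAN_IF CLIENT_NET LAN_NET
vpn_forward_rules() {
    vpn_if=$1; lan_if=$2; client=$3; lan=$4
    valid_if "$vpn_if" && valid_if "$lan_if" || { echo "bad interface" >&2; return 1; }
    valid_net "$client" && valid_net "$lan" || { echo "bad network" >&2; return 1; }
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $vpn_if -o $lan_if -s $client -d $lan -j ACCEPT
EOF
}

# Values from the first post: ppp0 client 192.168.1.2, LAN 172.28.254.0/24 on eth1.
vpn_forward_rules ppp0 eth1 192.168.1.2 172.28.254.0/24
```

Reply traffic from the LAN back to the client is covered by the ESTABLISHED,RELATED rule, so no LAN-to-VPN ACCEPT rule is needed.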
 