VPN trouble, need to add route? How? 2

SpecSys

IS-IT--Management
Apr 3, 2002
136
US
After setting up a vpn recently, all windows computers are accessible, but the two linux machines are not. I know that on the windows machines I need to do a route -p add for the 192.168.2.0 address of the other network. Is there something similar I need to do on the linux machines? If so, how would you do it?

Linux newb, RedHat 7.2
 
Yes, see man route,
but it's something like:
/sbin/route add -host xxx.xxx.xxx.xxx dev eth0


And Or:
Add a line similar to the following into the /etc/sysconfig/static-routes file so it's there at bootup:

eth0 net 192.168.10.0 netmask 255.255.255.0 gw 192.168.1.10

Check routing table with either: netstat -rn or route -n

Good Luck,
Laurie.
 
Thanks for the reply, I'll give it a shot
 
I modified the static-routes file and added the line:

eth0 net 192.168.2.0 netmask 255.255.255.0 gw 192.168.1.1

When I ran route -n to check the tables I didn't see anything new added. I also looked through man route and didn't really see the command I needed in the examples. The one you supplied was suggested, but I wasn't sure that was correct; they didn't seem to show how you add the gateway to be used, or is that not necessary to tell it where the VPN Router is?

I would prefer to add it to the static-routes table, but I'm not sure I am doing that correctly.
 
Ok, did you reboot after adding that into the static-routes, as that file only gets read at boot?

You need to add the route directly to have it added while the server is up and running, so for your example you need to also do:

hoot@toot>route add -net 192.168.2.0 gw 192.168.1.1 netmask 255.255.255.0 dev eth0

Then check your netstat -rn or route -n

Just for clarity ....

Ok to quote from RH7 Unleashed .....(just so I get it right)....

The route command adds or removes routes from the routing table; this is done with the following command:
route add|del -net|-host target gw gateway netmask netmask dev interface

-net or -host indicates whether you want to operate on a net or a host route.

target is the host address or network number of the destination; you would use the keyword default as the target for setting or deleting the default route.

The optional gateway parameter indicates which gateway to use for this route. If omitted, it assumes that the host or network is directly connected to this host. It is important to add a route to the local network after adding an interface with ifconfig:

netmask sets netmask for the route ....

Optional dev sets the interface on which packets to this destination will be sent. .....

Again Good Luck,
Let me know how you get on,
Laurie.
 
It won't seem to allow me to add with that line. I am thinking it is because there is currently a route in the routing table from my last attempt that is labeled 192.168.2.0 with a gateway of 0.0.0.0. I can't seem to erase it using "route del 192.168.2.0". Is there a way to edit that route to add the correct gateway?
 
Update:


I was able to add route:

route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.1.1

The routing table now shows a route with target 192.168.2.0 and a gateway of 192.168.1.1 as it should, and also another entry with 192.168.2.0 with a gw of 0.0.0.0 which I can't erase.

I can ping this linux server over vpn, but I cannot get to it through the network with either \\192.168.1.xxx or with \\redhat. Network Path Not Found.
 
Ok you should be able to remove that old stale route!
But you must use the full syntax (same as you used for the add, but with a del), so if you did this to add it:

route add -net 192.168.2.0 netmask 255.255.255.0 dev eth1

Then you must do this to remove it:

route del -net 192.168.2.0 netmask 255.255.255.0 dev eth1

I just tried it on my test server and it works ok.

As for your routing failure, try again once you sort out that stale route; if not, it's probably time to add the tcpdump package and watch the traffic (packets) at your interface.

Let me know ...

Laurie.
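To tie the two replies above together (installing the route with the full net/netmask/gw/dev tuple, and removing the stale 0.0.0.0 entry with the same full syntax), here is an added shell example; it is not from the thread and not Red Hat's tooling. It works on a constructed `route -n` dump modelled on Chris's table, so it runs without root and never touches a real routing table: it lists the entries for a destination, flags the stale one (gateway 0.0.0.0, no G flag), prints the exact `route del` line that matches it, and prints the `route add` line, the static-routes line, and an iproute2 `ip route add` equivalent. The sample addresses, the device `eth1` on the stale entry, and all function names are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a `route -n` dump for one
# destination network, detect a stale entry, and print the matching commands.

# Constructed sample of `route -n` output (not a real capture): a correct
# route via 192.168.1.1 plus a stale one with gateway 0.0.0.0 on eth1.
SAMPLE_ROUTE_N='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     192.168.1.1     255.255.255.0   UG    0      0        0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0'

# Print every table line whose Destination column equals $1 (skips headers).
# Usage: printf '%s\n' "$table" | routes_for_net 192.168.2.0
routes_for_net() {
    awk -v net="$1" 'NR > 2 && $1 == net'
}

# Count stale entries for network $1 in table $2. "Stale" here means the
# destination is present but with gateway 0.0.0.0, i.e. it was added without
# `gw`, so the kernel treats the remote LAN as directly attached and never
# hands those packets to the VPN router.
count_stale_routes() {
    printf '%s\n' "$2" | routes_for_net "$1" | awk '$2 == "0.0.0.0"' | wc -l | tr -d ' '
}

# Emit the `route del` line for each stale entry. `route del` only matches
# when the full tuple (net, netmask, dev) is repeated, which is why a bare
# `route del 192.168.2.0` does nothing.
stale_route_del_commands() {
    printf '%s\n' "$2" | routes_for_net "$1" \
        | awk '$2 == "0.0.0.0" { printf "route del -net %s netmask %s dev %s\n", $1, $3, $8 }'
}

# Command that installs the wanted route: net $1, netmask $2, gateway $3, dev $4.
route_add_command() {
    printf 'route add -net %s netmask %s gw %s dev %s\n' "$1" "$2" "$3" "$4"
}

# Line for /etc/sysconfig/static-routes so the route survives a reboot.
static_routes_line() {
    printf '%s net %s netmask %s gw %s\n' "$4" "$1" "$2" "$3"
}

# Dotted netmask -> prefix length (counts set bits in each octet).
mask_to_prefix() {
    echo "$1" | awk -F. '{ n = 0; for (i = 1; i <= 4; i++) { v = $i; while (v > 0) { n += v % 2; v = int(v / 2) } } print n }'
}

# Same route expressed for iproute2, as used by the `ip route ls` output later in the thread.
ip_route_add_command() {
    printf 'ip route add %s/%s via %s dev %s\n' "$1" "$(mask_to_prefix "$2")" "$3" "$4"
}

# True (exit 0) when table $2 already carries net $1 via gateway $3 with the G flag.
has_route_via() {
    printf '%s\n' "$2" | routes_for_net "$1" | awk -v gw="$3" '$2 == gw && $4 ~ /G/' | grep -q .
}

main() {
    net=192.168.2.0; mask=255.255.255.0; gw=192.168.1.1; dev=eth0
    echo "Entries for $net:"
    printf '%s\n' "$SAMPLE_ROUTE_N" | routes_for_net "$net"
    echo "Stale entries: $(count_stale_routes "$net" "$SAMPLE_ROUTE_N")"
    echo "Remove them with:"
    stale_route_del_commands "$net" "$SAMPLE_ROUTE_N"
    if has_route_via "$net" "$SAMPLE_ROUTE_N" "$gw"; then
        echo "Route via $gw is already installed."
    else
        echo "Install it with:"
        route_add_command "$net" "$mask" "$gw" "$dev"
    fi
    echo "Persist it in /etc/sysconfig/static-routes as:"
    static_routes_line "$net" "$mask" "$gw" "$dev"
    echo "iproute2 equivalent:"
    ip_route_add_command "$net" "$mask" "$gw" "$dev"
}

main
```

To use it against a live box, replace `SAMPLE_ROUTE_N` with `$(route -n)`; the functions only print commands, so nothing changes until you run the printed lines as root. The `has_route_via` check is the thing to run after `service network restart` to confirm the persistent entry actually came back.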
 
New commands to try and debug with:
From:


ip route ls

[root@esl2000 /root]# ip route ls
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.17
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.16
127.0.0.0/8 dev lo scope link
default via 192.168.1.1 dev eth0

ip rule list

[root@esl2000 /root]# ip rule list
0: from all lookup local
32766: from all lookup main
32767: from all lookup 253

ip route list table local

[root@esl2000 /root]# ip route list table local
local 192.168.1.17 dev eth0 proto kernel scope host src 192.168.1.17
broadcast 192.168.1.0 dev eth0 proto kernel scope link src 192.168.1.17
broadcast 192.168.1.0 dev eth1 proto kernel scope link src 192.168.1.16
local 192.168.1.16 dev eth1 proto kernel scope host src 192.168.1.16
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 192.168.255.255 dev eth0 proto kernel scope link src 192.168.1.17
broadcast 192.168.255.255 dev eth1 proto kernel scope link src 192.168.1.16
broadcast 192.168.1.255 dev eth0 proto kernel scope link src 192.168.1.17
broadcast 192.168.1.255 dev eth1 proto kernel scope link src 192.168.1.16
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1

ip route list table main

[root@esl2000 /root]# ip route list table main
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.17
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.16
127.0.0.0/8 dev lo scope link
default via 192.168.1.1 dev eth0
 
all right, I just ran the route add -net 192.168....etc...etc on our other linux server (and I did it right the first time) and voilà! It worked! So now...if I can just get rid of that one stale route. I have tried all sorts of combos and I feel so dumb because I cannot remember the syntax I used to finally get that route added and thus I can't delete it!

 
Ok, first can you paste the output of your route -n here.

You should be able to get rid of that route by shutting the appropriate interface (if this is an option to you; don't lock yourself out if you don't have access to the console), so you could either do "ifconfig eth[n] down" and then "ifconfig eth[n] up", or "service network restart", or "init 6" to bounce the box.

If that route is still there then you need to see what's putting it there; check /etc/rc.local and be sure it's not in there (added to the bottom of the file).
Also check /etc/sysconfig/network-scripts/ifcfg-eth[n] and /etc/sysconfig/static-routes again.

Let me know ....
Laurie.
 
OK, I consulted another linux friend and got that deleted. Problem still exists though. It appears the routing table is correct, but the machine is still not found over the vpn.

The other box that is working correctly is an older version of linux, kernel 2.14 or something (sorry I can't be more specific). Is there something I should be doing different for Redhat 7.2?
 
Again from:
There are some snippets, but I don't really know your setup to help further.

If "I" was still not getting traffic through I'd use tcpdump and snoop the interface to see what's going (or not) where out of what interface .. sorry, it's a tricky one to debug via proxy.

<SNIP>
6.1.3. IPv4 Forwarding and 2.2 kernels
In the new 2.2 kernel, you must specifically enable IP forwarding in the kernel at boot up. This is done with the following command:

# echo 1 > /proc/sys/net/ipv4/ip_forward

Without this, the kernel will not forward any packets, and hence the server will not work, nor will any of the gatewaying clients.

6.1.4. Routing
It should go without saying, but be careful when you are routing real numbers that you don't route traffic destined for the VPN server's external address through the tunnel. It won't make it. (yes, this is from personal experience.)
<END SNIP>

Laurie.
 
Thanks Laurie, you've been a great help so far. I will look into this more on my own time and take it from here; you've spent enough time with this newb, I can figure it out now I think.

Chris
 