[Openswan Users] can browse internet, cannot ping with l2tpd/pppd
David Bernick
bernz at lextranet.com
Mon Aug 16 11:26:24 CEST 2004
Hello all,
Here is my network setup.
homemachine -> internet->firewall/SWAN->internal network (10.51.0.0/24)
The firewall/SWAN machine is linux 2.4.27 with pppd 2.4.2 and l2tpd
0.69. So it's the latest stuff, as far as I can tell. eth0 is my
internal interface, eth1 is my external interface. I have IPTABLES
running for firewalling.
I can connect via a linux client and everything works well. I can browse
the internal network, I can use the internet. All things work well.
When I use the built-in Windows 2000 client, things get interesting.
I'm using the L2TP client that's built into Windows. I can connect. I am
verified via the chap-secrets file correctly. I can get a DHCP address.
Cool. Now, on that Windows machine, I can use my web browser and bring up
all sorts of webpages as if I'm on the internet. I am being routed,
however, through the internet, to the OpenSwan box and back out to the
internet via eth1. This is the desired behavior. So it works.
But when I try to use a 10.51.0.0 address of any kind (although my VPN
IP is 10.51.0.166), I can't seem to do anything.
Looking at the ppp0 tcpdump, I am definitely getting the request out,
but no reply.
> tcpdump: listening on ppp0
> 09:10:41.089634 10.51.0.166 > 10.51.0.79: icmp: echo request
> 09:10:42.247877 10.51.0.166 > 10.51.0.79: icmp: echo request
> 09:10:43.747381 10.51.0.166 > 10.51.0.79: icmp: echo request
When I ping, say, Yahoo, from the same machine, everything works:
> 09:22:27.704024 10.51.0.166 > 216.109.118.65: icmp: echo request
> 09:22:27.731738 216.109.118.65 > 10.51.0.166: icmp: echo reply
> 09:22:28.707991 10.51.0.166 > 216.109.118.65: icmp: echo request
> 09:22:28.723848 216.109.118.65 > 10.51.0.166: icmp: echo reply
> 09:22:29.771700 10.51.0.166 > 216.109.118.65: icmp: echo request
> 09:22:29.787802 216.109.118.65 > 10.51.0.166: icmp: echo reply
> 09:22:30.736141 10.51.0.166 > 216.109.118.65: icmp: echo request
> 09:22:30.753490 216.109.118.65 > 10.51.0.166: icmp: echo reply
So I imagine that it's probably a firewall issue more than anything,
though my firewall doesn't seem to be showing me rejected packet logs.
I'm pretty sure it's a FWDing issue, though I can't figure out where I'm
missing IPTABLE rules. In fact, here is my IPTABLES section for the VPN:
> # IKE negotiations
> /sbin/iptables -A INPUT -p udp --sport 4500 --dport 4500 -j ACCEPT
> /sbin/iptables -A OUTPUT -p udp --sport 4500 --dport 4500 -j ACCEPT
>
> /sbin/iptables -A OUTPUT -s $EXTERNAL_IP -p udp -m udp --sport 1701 -j ACCEPT
>
> /sbin/iptables -A INPUT -p udp --sport 1:65535 --dport 500 -j ACCEPT
> /sbin/iptables -A OUTPUT -p udp --sport 1:65535 --dport 500 -j ACCEPT
> # ESP encryption and authentication
> /sbin/iptables -A INPUT -p 50 -j ACCEPT
> /sbin/iptables -A OUTPUT -p 50 -j ACCEPT
> # uncomment for AH authentication header
> /sbin/iptables -A INPUT -p 51 -j ACCEPT
> /sbin/iptables -A OUTPUT -p 51 -j ACCEPT
>
> # IKE negotiations
> /sbin/iptables -t filter -A INPUT -i ipsec+ -j ACCEPT
> /sbin/iptables -t filter -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
> /sbin/iptables -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
>
> /sbin/iptables -t filter -A INPUT -p udp --sport 4500 --dport 4500 -j ACCEPT
> /sbin/iptables -A OUTPUT -p udp --sport 4500 --dport 4500 -j ACCEPT
>
> # ESP encryption and authentication
> /sbin/iptables -t filter -A INPUT -p 50 -j ACCEPT
> /sbin/iptables -A OUTPUT -p 50 -j ACCEPT
> /sbin/iptables -t nat -A PREROUTING -i ipsec+ -j ACCEPT
> /sbin/iptables -t nat -A POSTROUTING -o ipsec+ -j ACCEPT
> /sbin/iptables -t nat --append PREROUTING -i ipsec+ -p udp --sport 1701 --dport 1701 -j DNAT --to-destination $EXTERNAL_IP
> /sbin/iptables -t filter -A OUTPUT -o ipsec+ -j ACCEPT
> /sbin/iptables -t filter -A FORWARD -i ipsec+ -j ACCEPT
> /sbin/iptables -t nat -A PREROUTING -i ipsec+ -j ACCEPT
Any help would be very appreciated!
Dave
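As an added example (not part of the original post, and not Openswan's or l2tpd's own tooling), here is a small POSIX shell audit of the kind a practitioner would run before chasing "missing FORWARD rules". It works over a constructed rule file modelled on the shape of the script quoted above (with the same $EXTERNAL_IP placeholder) and over a constructed stand-in for /proc/sys/net/ipv4/ip_forward, so it runs offline; on a real host you would point both arguments at the actual firewall script and the real /proc path. It reports, per ingress interface, how many filter-table FORWARD rules match packets arriving on it, and whether forwarding is switched on at all. The interfaces it checks (ipsec+, ppp+, eth0) are chosen because the post's own tcpdump shows the client traffic on ppp0 while the quoted FORWARD rule is keyed on ipsec+; the audit only reports the coverage, it does not change any rules.

```shell
#!/bin/sh
# Added example, not from the original post: audit an iptables rule script for
# FORWARD-chain coverage per ingress interface and check that IP forwarding is on.

# Constructed sample rule file, modelled on the shape of the post's script.
SAMPLE_RULES="${TMPDIR:-/tmp}/vpn-rules.sample"
cat > "$SAMPLE_RULES" <<'EOF'
# ESP encryption and authentication
/sbin/iptables -A INPUT -p 50 -j ACCEPT
/sbin/iptables -A OUTPUT -p 50 -j ACCEPT
/sbin/iptables -t filter -A INPUT -i ipsec+ -j ACCEPT
/sbin/iptables -t filter -A FORWARD -i ipsec+ -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -i ipsec+ -j ACCEPT
/sbin/iptables -t nat --append PREROUTING -i ipsec+ -p udp --sport 1701 --dport 1701 -j DNAT --to-destination $EXTERNAL_IP
EOF

# Constructed stand-in for /proc/sys/net/ipv4/ip_forward so the script runs offline.
SAMPLE_IP_FORWARD="${TMPDIR:-/tmp}/ip_forward.sample"
printf '1\n' > "$SAMPLE_IP_FORWARD"

# Escape characters that are literal in an iptables interface pattern
# (e.g. the trailing "+" wildcard) but special in an extended regex.
ere_escape() {
    printf '%s' "$1" | sed 's/[+.]/\\&/g'
}

# Count FORWARD rules in rule file $1 that match packets entering on the
# interface pattern $2, exactly as written in the rules (e.g. "ppp+").
# Prints the count and always exits 0 so callers can capture the value.
count_forward_rules() {
    pat=$(ere_escape "$2")
    grep -E -- '(-A|--append) FORWARD([[:space:]]|$)' "$1" \
        | grep -c -E -- "-i[[:space:]]+${pat}([[:space:]]|$)" || true
}

# Exit 0 if the ip_forward file $1 reads "1", 1 otherwise.
ip_forward_enabled() {
    [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# Human-readable report over rule file $1 and ip_forward file $2.
audit_forwarding() {
    if ip_forward_enabled "$2"; then
        echo "ip_forward: on"
    else
        echo "ip_forward: OFF - nothing is forwarded regardless of the rules"
    fi
    for iface in ipsec+ ppp+ eth0; do
        n=$(count_forward_rules "$1" "$iface")
        echo "FORWARD rules matching -i $iface: $n"
    done
}

audit_forwarding "$SAMPLE_RULES" "$SAMPLE_IP_FORWARD"
```

With the sample rules, the report shows one FORWARD rule keyed on ipsec+ and none keyed on ppp+ or eth0, which is the gap to look at first when the decrypted client traffic is visible on ppp0 and must traverse FORWARD on its way to eth0. Keeping any rule you then add scoped to the VPN interface and the internal subnet, rather than a blanket ACCEPT, preserves the least-privilege shape of the rest of the rule set.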