[Openswan Users] VPN ;- Linux as VPN client, routing problem

Paul Wouters paul at xelerance.com
Sun Nov 26 14:03:04 EST 2006


On Sun, 26 Nov 2006, John Joseph wrote:

> I am trying to connect two Linux machines, one as
> VPN server and the other as VPN client; I am using PSK
> mode of authentication.
>  I am following the links
>
> http://www.jacco2.dds.nl/networking/linux-l2tp.html
> for this purpose.
>
> Our aim is to send all packets, other than (10.*),
> through the VPN tunnel.

So I am assuming you mean the client obtains an IP address,
and uses that IP address as the default address to talk to
the world, and therefore it is all getting encrypted.

> From the Linux client after running
> echo "c L2TPserver" > /var/run/l2tp-control
> I am able to get the VPN connection

> At this stage I am able to ping to my VPN server local
> ip "192.168.168.167"

> Now after modifying the route , using command
>
> route add -net 0.0.0.0 dev ppp0

You should never set routing manually with IPsec. Without IPsec
policies in the kernel, everything you reroute into it gets
dropped. IPsec is not a virtual ethernet device. It is a device
with strong security policies.

Try "ping -I yourl2tpIP 192.168.168.167"
and "ping -I yourl2tpIP someipintheworld"

or use traceroute -s
(traceroute -s used to be broken on Debian, not sure if that is still the case)

In other words, I think you are just using the wrong source IP address,
and in fact everything is fine, you just default to using the wrong IP.

Perhaps this will work:

ip route add 0.0.0.0/1 src yourl2tpip via 192.168.168.167 dev ppp0
ip route add 128.0.0.0/1 src yourl2tpip via 192.168.168.167 dev ppp0

This will make "more specific routes" than the default route, and
use your internal IP as the new "default IP for outgoing connections".

You could put these commands in a custom leftupdown= script.
(copy the one that is installed and add the commands to it)

Paul
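As an added example (not part of the original thread, and not Openswan's own updown script), here is a small hook that installs and removes the two "half default" routes Paul describes, sourced from the address the L2TP/PPP link received, rather than rerouting 0.0.0.0/0 by hand. It routes into ppp0, as in Paul's suggestion, not into an IPsec device. Everything about its invocation is an assumption: it expects to be called as `ipsec-half-default.sh up|down IFACE [GATEWAY]` (for instance from a copied leftupdown script or a PPP ip-up hook), `IFACE` is the PPP interface (`ppp0` in the thread), and `GATEWAY` defaults to the server's internal address from the thread, `192.168.168.167`. `DRY_RUN=1` prints the commands instead of executing them, and after adding the routes it automates Paul's source-address check with `ip route get`.

```shell
#!/bin/sh
# Added example, not from the original thread or from Openswan.
# Usage (hypothetical): ipsec-half-default.sh up|down IFACE [GATEWAY]
#   DRY_RUN=1 prints the iproute2 commands instead of running them.
set -eu

# IPv4 address currently assigned to the PPP interface: the "yourl2tpip"
# placeholder in the thread. Requires iproute2.
ppp_local_ip() {
    ip -4 -o addr show dev "$1" | awk '{ print $4 }' | cut -d/ -f1 | head -n 1
}

# Emit the iproute2 commands for VERB (add|del) on IFACE.
# Two /1 routes are more specific than 0.0.0.0/0, so they win without
# removing the existing default route (which still carries the IKE/ESP and
# L2TP packets to the server itself). "src LOCALIP" makes the L2TP address
# the preferred source for everything that matches them.
half_default_cmds() {
    verb=$1 iface=$2 localip=$3 gw=$4
    for prefix in 0.0.0.0/1 128.0.0.0/1; do
        if [ "$verb" = add ]; then
            printf 'ip route add %s src %s via %s dev %s\n' \
                "$prefix" "$localip" "$gw" "$iface"
        else
            printf 'ip route del %s dev %s\n' "$prefix" "$iface"
        fi
    done
}

# Map the hook verb (up/down) to the iproute2 verb; fails on anything else.
route_verb() {
    case $1 in
        up)   echo add ;;
        down) echo del ;;
        *)    return 1 ;;
    esac
}

# Execute (or, with DRY_RUN=1, print) one command per input line.
run_cmds() {
    while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$cmd"
        else
            $cmd    # word splitting is intended here
        fi
    done
}

main() {
    hook_verb=$1 iface=$2 gw=${3:-192.168.168.167}
    rverb=$(route_verb "$hook_verb") || {
        echo "usage: $0 up|down IFACE [GATEWAY]" >&2
        return 2
    }
    localip=$(ppp_local_ip "$iface")
    [ -n "$localip" ] || { echo "no IPv4 address on $iface yet" >&2; return 1; }

    half_default_cmds "$rverb" "$iface" "$localip" "$gw" | run_cmds

    # Check: the kernel should now pick the L2TP address as source for an
    # Internet destination (the same thing Paul's "ping -I" test shows).
    # 192.0.2.1 is a documentation address used only to query the routing table.
    if [ "$rverb" = add ] && [ "${DRY_RUN:-0}" != 1 ]; then
        ip route get 192.0.2.1 | grep -q "src $localip" ||
            echo "warning: outbound source address is not $localip" >&2
    fi
}

# Only act when called with arguments, so the functions can also be sourced.
if [ $# -ge 2 ]; then
    main "$@"
fi
```

Calling `DRY_RUN=1 ./ipsec-half-default.sh up ppp0` first is the safe way to confirm the generated routes before letting the hook apply them; if `ip route get` afterwards still reports the old source address, the routes did not take effect and the problem is not the tunnel.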

