[Openswan Users] VPN ;- Linux as VPN client, routing problem

John Joseph jjk_saji at yahoo.com
Tue Nov 28 07:21:22 EST 2006


--- Paul Wouters <paul at xelerance.com> wrote:

> On Sun, 26 Nov 2006, John Joseph wrote:
> So I am assuming you mean the client obtains an IP
> address,
> and uses that IP address as the default address to
> talk to
> the world, and therefore, it is all getting
> encrypted.
> 
> > From the Linux client after running
> > echo "c L2TPserver" > /var/run/l2tp-control
> > I am able get the VPN connection
> 
> > At this stage I am able to ping to my VPN server
> local
> > ip "192.168.168.167"
> 
> > Now after modifying the route, using command
> >
> > route add -net 0.0.0.0 dev ppp0
> 
> You should never set routing manually with IPsec.
> Without IPsec
> policies in the kernel, everything you reroute into
> it gets
> dropped. IPsec is not a virtual ethernet device. It
> is a device
> with strong security policies.
> 
> Try "ping -I yourl2tpIP 192.168.168.167"
> and ping -I yourl2tpIP someipintheworld
> 
> or use traceroute -s
> (traceroute -s used to be broken on debian, not sure
> if that is still the case)
> 
> In other words, I think you are just using the wrong
> source ip address,
> and in fact everything is fine, you just default to
> using the wrong ip.
> 
> Perhaps this will work:
> 
> ip route add 0.0.0.0/1 src yourl2tpip via 192.168.168.167 dev ppp0
> ip route add 128.0.0.0/1 src yourl2tpip via 192.168.168.167 dev ppp0

Hi
  Thanks for the mail.
  After the VPN connection is established
(192.168.168.100 is my Client L2TPD IP address )
  when I give
       ping -I 192.168.168.100 192.168.168.167, I get a reply,
but when I give ping -I 192.168.168.100 66.94.234.13
it does not give a reply.

####
Now after giving

ip route add 0.0.0.0/1 src 192.168.168.100 via 192.168.168.167 dev ppp0
ip route add 128.0.0.0/1 src 192.168.168.100 via 192.168.168.167 dev ppp0

I cannot ping or traceroute at all

####

Now after restarting the l2tpd and getting connected,
I tried out only

[root at localhost ~]# ip route add 0.0.0.0/1 src 192.168.168.100 via 192.168.168.167 dev ppp0

This gives me a ping reply and traceroute through the
l2tpd IP address, only if the destination address
is less than or equal to 126.X.X.X
as shown below


[root at localhost ~]# traceroute 66.94.234.13
traceroute to 66.94.234.13 (66.94.234.13), 30 hops max, 38 byte packets
 1  192.168.168.167 (192.168.168.167)  325.840 ms  277.033 ms  264.949 ms
 2  204-187-120-1.amah.com (204.187.120.1)  271.728 ms  262.635 ms  269.588 ms
 3  38.112.240.89 (38.112.240.89)  270.376 ms  270.707 ms  268.068 ms

############################################################

[root at localhost ~]#
[root at localhost ~]# traceroute 166.94.234.13
traceroute to 166.94.234.13 (166.94.234.13), 30 hops max, 38 byte packets
 1  10.0.0.1 (10.0.0.1)  4.803 ms  4.834 ms  6.923 ms
 2  213.42.8.55 (213.42.8.55)  15.158 ms  18.286 ms  18.479 ms
 3  213.42.9.114 (213.42.9.114 )  21.195 ms  20.189 ms  30.852 ms
 4  194.170.0.138 (194.170.0.138)  18.971 ms  23.735 ms  17.470 ms

#############

[root at localhost ~]# traceroute 126.94.234.13
traceroute to 126.94.234.13 (126.94.234.13), 30 hops max, 38 byte packets
 1  192.168.168.167 (192.168.168.167)  306.629 ms  307.061 ms  310.109 ms
 2  204-187-120-1.amah.com (204.187.120.1 )  302.881 ms  290.212 ms  318.677 ms
 3  38.112.240.89 (38.112.240.89)  313.269 ms  319.027 ms  321.705 ms

> 
> This will make "more specific routes" than the
> default route, and
> use your internal IP as the new "default ip for
> outgoing connections".
> 
> You could put these commands in a custom leftupdown=
> script.
> (copy the one that is installed and add the commands
> to it)
> 
> Paul
> 


Send instant messages to your online friends
http://uk.messenger.yahoo.com 

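As an added example (not code from the thread or from Openswan), here is a small longest-prefix-match model of the routing table John ends up with: it shows why only destinations below 128.0.0.0 went through ppp0 when just the 0.0.0.0/1 half was installed, which source address each route implies (Paul's "wrong source ip" point), and why a /32 route pinning the VPN server's public address to the physical gateway is normally needed once both halves are added. The tunnel addresses are from the thread; 10.0.0.1 and 10.0.0.2 as LAN gateway and LAN address, and 203.0.113.10 as the server's public address, are assumed placeholders, and the thread itself does not diagnose the both-halves failure.

```python
# Added example, not code from the thread: a longest-prefix-match lookup
# modelling how the kernel chooses between the LAN default route and the
# 0.0.0.0/1 and 128.0.0.0/1 halves, and the source address each implies.
# Only the tunnel addresses are from the thread; 10.0.0.1/10.0.0.2 (LAN
# gateway / LAN address) and 203.0.113.10 (VPN server's public address)
# are assumed placeholders.
import ipaddress

def parse_route(spec):
    """Parse 'PREFIX via GW dev IF [src ADDR]' into (network, attrs)."""
    tokens = spec.split()
    net = ipaddress.ip_network(tokens[0])
    attrs = dict(zip(tokens[1::2], tokens[2::2]))  # via/dev/src pairs
    return net, attrs

def build_table(*specs):
    return [parse_route(s) for s in specs]

def lookup(table, dst):
    """Attrs of the most specific route covering dst, or None."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1]

def egress(table, dst):
    """(dev, src) the kernel would use for dst, or (None, None)."""
    r = lookup(table, dst)
    return (r.get("dev"), r.get("src")) if r else (None, None)

LAN_DEFAULT = "0.0.0.0/0 via 10.0.0.1 dev eth0 src 10.0.0.2"  # assumed
LOW_HALF = "0.0.0.0/1 via 192.168.168.167 dev ppp0 src 192.168.168.100"
HIGH_HALF = "128.0.0.0/1 via 192.168.168.167 dev ppp0 src 192.168.168.100"
# Pin the tunnel endpoint's public address (assumed) to the physical path
# so the encapsulated packets are not steered back into the tunnel.
SERVER_PIN = "203.0.113.10/32 via 10.0.0.1 dev eth0 src 10.0.0.2"

if __name__ == "__main__":
    cases = {
        "low half only": build_table(LAN_DEFAULT, LOW_HALF),
        "both halves": build_table(LAN_DEFAULT, LOW_HALF, HIGH_HALF),
        "both + pin": build_table(LAN_DEFAULT, LOW_HALF, HIGH_HALF, SERVER_PIN),
    }
    for name, table in cases.items():
        for dst in ("66.94.234.13", "126.94.234.13", "166.94.234.13", "203.0.113.10"):
            dev, src = egress(table, dst)
            print(f"{name:14} {dst:15} -> dev {dev} src {src}")
```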

