[Wylug-help] FC9 Linux gateways, VPN working, IP forwarding isn't

John Leach john at johnleach.co.uk
Fri Jan 23 19:24:20 UTC 2009


On Fri, 2009-01-23 at 17:54 +0000, Gary Stainburn wrote:
> I've now got a very simple ppp-over-ssh VPN working using the following script
> 
> /usr/sbin/pppd updetach noauth passive \
>   pty "ssh $HOST -P -o Batchmode=yes /usr/sbin/pppd nodetach notty noauth" \
>   $LocIP:$RemIP
> 
> I'm using 192.167.127.1 and .2 for the VPN
> 
> My local LAN is 10.6.0.0/16 and the remote is 10.1.0.0/16
> 
> The VPN works, and from each end I can ssh to the remote end using either its 
> 192. or 10. IP address.
> 

> However, I cannot get anything to work except gateway to gateway. Anything 
> behind the gateways cannot get past their local gateway.
> 
> Anyone know what I've missed?

Hi Gary,

Does tcpdump give you any more information?  Run a ping from one end to
the other, and tcpdump at every interface in turn, starting at the real
interface at the end you're running the ping from (so your eth0 or
whatever, then the ppp interface, then the ppp interface at the remote
end and then the real interface at the remote end).  This should show you
how far the packets are getting and might give you a clue.

One thing that might be catching you out is the rp_filter.  If your
packets just aren't getting past one of your interfaces, try disabling
it as a test.

By the way, I heartily recommend openvpn to do your vpn stuff - though
only really tunnel, not transport like ipsec can do.  It's very easy to
set up, uses tcp or udp and has been ported to pretty much all modern
OSes too.  Debian/Ubuntu have packages that do most of the work for you.
(though it won't solve rp_filter problems on its own :)

John.
-- 
http://johnleach.co.uk
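The diagnosis John suggests, written out as an added example script (not code from either poster): it checks the two kernel settings that usually explain "gateway to gateway works, LAN to LAN doesn't" (net.ipv4.ip_forward from the subject line, and rp_filter, which with strict reverse-path checking drops packets arriving on ppp0 from a source the gateway would not route back out of ppp0), and prints the tcpdump commands to run interface by interface along the ping's path. The interface names eth0/ppp0, the remote gateway alias gw2, the target host 10.1.0.5 and the sysctl dump are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example for the thread above, not code from the original posts.
# Checks on each gateway before reaching for tcpdump:
#   1. net.ipv4.ip_forward must be 1, or the gateway never forwards LAN
#      traffic into the ppp tunnel.
#   2. rp_filter: strict reverse-path filtering drops a packet arriving on
#      ppp0 whose source (the remote 10.x LAN) is not routed back via ppp0.
# eth0, ppp0, gw2, 10.1.0.5 and the sample sysctl dump are assumed.

# Constructed sample of `sysctl net.ipv4.ip_forward net.ipv4.conf` output
# on a gateway that forwards but still has strict rp_filter on "all".
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.ppp0.rp_filter = 0'

# Return 0 if the dump says forwarding is on, 1 otherwise.
ip_forward_on() {
    printf '%s\n' "$1" | grep -q '^net\.ipv4\.ip_forward = 1$'
}

# Print, space-separated, the interfaces on which reverse-path filtering is
# effectively strict. The kernel applies max(conf.all.rp_filter,
# conf.<iface>.rp_filter), so "all = 1" makes an interface strict even
# when its own value is 0 (and 2 = loose outranks 1 = strict).
strict_rp_filter_ifaces() {
    printf '%s\n' "$1" | awk -F'[. =]+' '
        $3 == "conf" && $5 == "rp_filter" { v[$4] = $6 }
        END {
            for (i in v) {
                if (i == "all" || i == "default") continue
                eff = (v["all"] > v[i]) ? v["all"] : v[i]
                if (eff == 1) print i
            }
        }' | sort | tr '\n' ' ' | sed 's/ $//'
}

# The tcpdump commands to run, in order, while a local LAN host pings the
# remote LAN host $2: local LAN side, local ppp, remote ppp (via ssh to
# gateway $1), remote LAN side. The first capture that shows the echo
# request but no reply is where the packets are being lost.
trace_plan() {
    remote_gw=$1; target=$2
    filter="icmp and host $target"
    printf 'tcpdump -ni eth0 %s\n' "$filter"
    printf 'tcpdump -ni ppp0 %s\n' "$filter"
    printf 'ssh %s tcpdump -ni ppp0 %s\n' "$remote_gw" "$filter"
    printf 'ssh %s tcpdump -ni eth0 %s\n' "$remote_gw" "$filter"
}

# The sysctl commands for the rp_filter test John suggests; if they fix
# it, make the change permanent in /etc/sysctl.conf on both gateways.
rp_filter_off_cmds() {
    echo 'sysctl -w net.ipv4.conf.all.rp_filter=0'
    echo 'sysctl -w net.ipv4.conf.ppp0.rp_filter=0'
}

# Invoke with "demo" to run against the constructed sample; on a live
# gateway substitute "$(sysctl net.ipv4)" for SAMPLE_SYSCTL.
if [ "${1:-}" = demo ]; then
    ip_forward_on "$SAMPLE_SYSCTL" && echo 'ip_forward: on' || echo 'ip_forward: OFF'
    echo "strict rp_filter on: $(strict_rp_filter_ifaces "$SAMPLE_SYSCTL")"
    trace_plan gw2 10.1.0.5
    rp_filter_off_cmds
fi
```

Run it with `sh script.sh demo` to see the plan for the sample; on the sample dump it reports both eth0 and ppp0 as strict, because conf.all.rp_filter=1 overrides the per-interface 0 on ppp0, which is exactly the case where a reply from the far LAN gets silently dropped on the ppp interface.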