How to access remote LAN machines through an IPsec / xl2tpd VPN (maybe iptables related)

Posted by Simon on Server Fault
Published on 2012-12-06T11:51:22Z Indexed on 2012/12/09 5:06 UTC


I’m trying to set up an IPsec / xl2tpd VPN for our office, and I’m having some problems accessing the remote local machines after connecting to the VPN.

I can connect, and I can browse Internet sites through the VPN, but, as said, I’m unable to connect to or even ping the local ones.

My network setup is something like this:

INTERNET > eth0 > ROUTER / VPN > eth2 > LAN

These are some traceroutes behind the VPN:

traceroute to google.com (173.194.78.94), 64 hops max, 52 byte packets
 1  192.168.1.80 (192.168.1.80)  74.738 ms  71.476 ms  70.123 ms
 2  10.35.192.1 (10.35.192.1)  77.832 ms  77.578 ms  77.865 ms
 3  10.47.243.137 (10.47.243.137)  78.837 ms  85.409 ms  76.032 ms
 4  10.47.242.129 (10.47.242.129)  78.069 ms  80.054 ms  77.778 ms
 5  10.254.4.2 (10.254.4.2)  86.174 ms
    10.254.4.6 (10.254.4.6)  85.687 ms
    10.254.4.2 (10.254.4.2)  85.664 ms

traceroute to 192.168.1.3 (192.168.1.3), 64 hops max, 52 byte packets
 1  * * *
 2  *traceroute: sendto: No route to host
traceroute: wrote 192.168.1.3 52 chars, ret=-1
 *traceroute: sendto: Host is down
traceroute: wrote 192.168.1.3 52 chars, ret=-1
 *
traceroute: sendto: Host is down
 3 traceroute: wrote 192.168.1.3 52 chars, ret=-1
 *traceroute: sendto: Host is down
traceroute: wrote 192.168.1.3 52 chars, ret=-1

These are my iptables rules:

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# allow lan to router traffic
iptables -A INPUT -s 192.168.1.0/24 -i eth2 -j ACCEPT

# ssh
iptables -A INPUT -p tcp --dport ssh -j ACCEPT

# vpn
iptables -A INPUT -p 50 -j ACCEPT
iptables -A INPUT -p ah -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p udp --dport 1701 -j ACCEPT

# dns
iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p udp --dport 53 -j ACCEPT

iptables -t nat -A POSTROUTING -j MASQUERADE

# logging
iptables -I INPUT 5 -m limit --limit 1/min -j LOG --log-prefix "iptables denied: " --log-level 7

# block all other traffic
iptables -A INPUT -j DROP

And here are some firewall log lines:

Dec  6 11:11:57 router kernel: [8725820.003323] iptables denied: IN=ppp0 OUT= MAC= SRC=192.168.1.81 DST=192.168.1.3 LEN=60 TOS=0x00 PREC=0x00 TTL=255 ID=62174 PROTO=UDP SPT=61910 DPT=53 LEN=40 
Dec  6 11:12:29 router kernel: [8725852.035826] iptables denied: IN=ppp0 OUT= MAC= SRC=192.168.1.81 DST=224.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=15344 PROTO=UDP SPT=56329 DPT=8612 LEN=24 
Dec  6 11:12:36 router kernel: [8725859.121606] iptables denied: IN=ppp0 OUT= MAC= SRC=192.168.1.81 DST=224.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=11767 PROTO=UDP SPT=63962 DPT=8612 LEN=24 
Dec  6 11:12:44 router kernel: [8725866.203656] iptables denied: IN=ppp0 OUT= MAC= SRC=192.168.1.81 DST=224.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=11679 PROTO=UDP SPT=57101 DPT=8612 LEN=24 
Dec  6 11:12:51 router kernel: [8725873.285979] iptables denied: IN=ppp0 OUT= MAC= SRC=192.168.1.81 DST=224.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=39165 PROTO=UDP SPT=62625 DPT=8612 LEN=24 

I’m pretty sure that the problem is related to iptables, but after trying a lot of different configurations, I was unable to find the right one.

Any help will be greatly appreciated ;). Kind regards, Simon.

EDIT:

This is my route table:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         62.43.193.33.st 0.0.0.0         UG    100    0        0 eth0
62.43.193.32    *               255.255.255.224 U     0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth2
192.168.1.81    *               255.255.255.255 UH    0      0        0 ppp0
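The pieces a router usually needs before L2TP/IPsec clients can reach the LAN behind it, as an added example that is not part of the original question or its answers: IP forwarding switched on, FORWARD rules between the ppp interfaces and eth2, proxy ARP on eth2 because the clients get an address inside 192.168.1.0/24, a MASQUERADE limited to eth0, and the LOG rule placed last. In the posted set the LOG rule is inserted at INPUT position 5, ahead of the VPN and DNS accept rules, so an "iptables denied:" line there does not by itself prove the packet was dropped; the block therefore also replays the posted rules into the chain order the kernel would hold and checks whether any ACCEPT follows the LOG. Interface names and the subnet are taken from the question; the ppp+ wildcard, the xt_policy match on UDP 1701, the proxy_arp sysctl and the APPLY_RULES switch are assumptions of this example, not something the question states about the router. By default the script only prints the commands; it applies them only with APPLY_RULES=1, run as root on the router.

```shell
#!/bin/sh
# Added example, not code from the question. Firewall and kernel settings for
# a Linux router that terminates an IPsec/xl2tpd VPN (ppp0, ppp1, ...) and
# must let VPN clients reach the LAN behind eth2. Interface names and the
# 192.168.1.0/24 subnet come from the question; the ppp+ wildcard, the policy
# match on L2TP and proxy ARP on eth2 are assumptions about the setup.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth2}"
VPN_IF="${VPN_IF:-ppp+}"            # "ppp+" matches every ppp interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit the commands instead of running them, so the set can be read and
# diffed before it is applied on a box that is only reachable over ssh.
build_rules() {
    cat <<EOF
# Packets from ppp0 for $LAN_NET only reach FORWARD when forwarding is on.
sysctl -w net.ipv4.ip_forward=1
# Clients get an address inside $LAN_NET, so LAN hosts ARP for it on $LAN_IF;
# the router must answer those ARP requests on the clients' behalf.
sysctl -w net.ipv4.conf.${LAN_IF}.proxy_arp=1
iptables -F INPUT
iptables -F FORWARD
iptables -t nat -F POSTROUTING
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# IKE, NAT-T, ESP and AH from the Internet; L2TP (UDP 1701) only when it
# arrived inside IPsec, so nobody can speak L2TP/PPP to the router in the clear.
iptables -A INPUT -i $WAN_IF -p esp -j ACCEPT
iptables -A INPUT -i $WAN_IF -p ah -j ACCEPT
iptables -A INPUT -i $WAN_IF -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $WAN_IF -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i $WAN_IF -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
# Connected VPN clients may talk to the router itself (DNS and so on).
iptables -A INPUT -i $VPN_IF -s $LAN_NET -j ACCEPT
# VPN <-> LAN in both directions, and VPN or LAN -> Internet.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VPN_IF -o $LAN_IF -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $VPN_IF -j ACCEPT
iptables -A FORWARD -i $VPN_IF -o $WAN_IF -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
# Masquerade only towards the Internet; a MASQUERADE with no -o also rewrites
# VPN->LAN packets, so LAN hosts see every VPN user as the router.
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
# LOG goes last, so a "denied" line means the packet really reached the policy.
iptables -A INPUT -m limit --limit 1/min -j LOG --log-prefix "iptables denied: " --log-level 7
iptables -A FORWARD -m limit --limit 1/min -j LOG --log-prefix "iptables fwd denied: " --log-level 7
EOF
}

# Replay "iptables -A/-I INPUT ..." commands in order and print the chain as
# the kernel would hold it, which makes the effect of "-I INPUT 5" visible.
render_input_chain() {
    awk '
        /^iptables -A INPUT/ { rule[++n] = $0; next }
        /^iptables -I INPUT/ {
            pos = ($4 ~ /^[0-9]+$/) ? $4 + 0 : 1
            for (i = n; i >= pos; i--) rule[i + 1] = rule[i]
            rule[pos] = $0; n++; next
        }
        END { for (i = 1; i <= n; i++) print i ": " rule[i] }'
}

# Succeeds if an ACCEPT rule sits behind the LOG rule: then "iptables denied:"
# is also written for packets the chain goes on to accept.
accepts_after_log() {
    render_input_chain |
        awk '/-j LOG/ { seen = 1; next } seen && /-j ACCEPT/ { hit = 1 } END { exit !hit }'
}

# The INPUT and NAT rules exactly as posted in the question, for comparison.
posted_rules() {
    cat <<'EOF'
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -i eth2 -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -p 50 -j ACCEPT
iptables -A INPUT -p ah -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p udp --dport 1701 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p udp --dport 53 -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -I INPUT 5 -m limit --limit 1/min -j LOG --log-prefix "iptables denied: " --log-level 7
iptables -A INPUT -j DROP
EOF
}

if [ "${APPLY_RULES:-0}" = 1 ]; then
    build_rules | sh -e     # APPLY_RULES=1 sh vpn-fw.sh, as root, on the router
else
    build_rules             # default: dry run, print what would be applied
fi
```

Run it once without APPLY_RULES and read the output; `posted_rules | render_input_chain` shows the posted set with the LOG rule at position 5 and nine accept rules behind it, while `build_rules | render_input_chain` ends with the LOG rule. The policy match on UDP 1701 needs the xt_policy module; if the kernel lacks it, drop the `-m policy --dir in --pol ipsec` part and accept that L2TP is then reachable in the clear, as in the posted rules.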

© Server Fault or respective owner
