[Solved] Forward between L2TP/IPsec and ethernet

[Solved] Forward between L2TP/IPsec and ethernet

Postby disa » 2018-09-12 11:03

Hello all,
I've set up a server with a public IP to connect to a VPN server via L2TP/IPsec, the configuration is ok and the connection works. The VPN server assigns to my server addresses like 192.168.6.A.
Now I have to connect to a machine under the VPN that has address like 192.168.X.Y (X is not 6), so first of all I tried to ping it and these are the results:

Code:
ping -c 3 192.168.X.Y --> all packets lost
ping -c 3 -I 192.168.6.A 192.168.X.Y --> all packets lost
ping -c 3 -I ppp0 192.168.X.Y --> all packets received


I read on the internet that I have to change the default route (the command is: route add default dev ppp0) but I can't because the eth0 address is public, so I imagine the best solution is to create a forward between ppp0 and eth0.

I tried to do like that:
Code:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ppp0 -o eth0 -j ACCEPT

But it didn't work. Any suggestion?
Last edited by disa on 2018-09-13 17:42, edited 1 time in total.
disa
 
Posts: 5
Joined: 2018-09-12 10:19

Re: Forward between L2TP/IPsec and ethernet

Postby p.H » 2018-09-12 15:16

Forwarding and masquerading have nothing to do with this. It is a routing issue.
You must add a route to the destination address or prefix using the VPN interface.

For a single address
Code:
ip route add 192.168.X.Y dev ppp0


For a /24 prefix
Code:
ip route add 192.168.X.0/24 dev ppp0


This route is not persistent and will be removed when the interface comes down.
It can be added automatically by a script in /etc/ppp/ip-up.d/ when the interface comes up.
p.H
 
Posts: 631
Joined: 2017-09-17 07:12

Re: Forward between L2TP/IPsec and ethernet

Postby disa » 2018-09-13 12:38

p.H wrote:Forwarding and masquerading have nothing to do with this. It is a routing issue.
You must add a route to the destination address or prefix using the VPN interface.

For a single address
Code:
ip route add 192.168.X.Y dev ppp0


For a /24 prefix
Code:
ip route add 192.168.X.0/24 dev ppp0


This route is not persistent and will be removed when the interface comes down.
It can be added automatically by a script in /etc/ppp/ip-up.d/ when the interface comes up.


Yeah!! It worked, thank you very much :-)
Just another question: to add this permanently, is the procedure below the right one?
Code:
mkdir -p /etc/ppp/ip-up.d/
echo -e "#!/bin/bash\nip route add 192.168.X.0/24 dev ppp0" > /etc/ppp/ip-up.d/my_script.sh
chmod +x /etc/ppp/ip-up.d/my_script.sh
Last edited by disa on 2018-09-13 17:53, edited 2 times in total.
disa
 
Posts: 5
Joined: 2018-09-12 10:19

Re: Forward between L2TP/IPsec and ethernet

Postby p.H » 2018-09-13 13:16

No.
1) The /etc/ppp/ip-up.d directory should already exist as it is part of the ppp package.

2) Scripts in /etc/ppp/ip-up.d are executed by /etc/ppp/ip-up using run-parts. run-parts has restrictions on files it executes. For example file names containing periods "." are ignored. See the run-parts man page for details.

3) Some parameters are passed to the scripts as command line arguments and environment variables. They include the PPP interface name, the local and remote IP addresses and the value of the "ipparam" option defined in the pppd config. See the /etc/ppp/ip-up script for details.
As the scripts are run for any PPP connection, I recommend that you
- set the ipparam option in the specific pppd config to a unique value and check that value in $PPP_IPPARAM;
- use $PPP_IFACE, which contains the PPP interface name, in the route creation command.
p.H
 
Posts: 631
Joined: 2017-09-17 07:12

Re: Forward between L2TP/IPsec and ethernet

Postby disa » 2018-09-13 17:42

p.H wrote:No.
1) The /etc/ppp/ip-up.d directory should already exist as it is part of the ppp package.

2) Scripts in /etc/ppp/ip-up.d are executed by /etc/ppp/ip-up using run-parts. run-parts has restrictions on files it executes. For example file names containing periods "." are ignored. See the run-parts man page for details.

3) Some parameters are passed to the scripts as command line arguments and environment variables. They include the PPP interface name, the local and remote IP addresses and the value of the "ipparam" option defined in the pppd config. See the /etc/ppp/ip-up script for details.
As the scripts are run for any PPP connection, I recommend that you
- set the ipparam option in the specific pppd config to a unique value and check that value in $PPP_IPPARAM;
- use $PPP_IFACE, which contains the PPP interface name, in the route creation command.


I read all your suggestions and I finally found what I needed. Here is the right procedure:
Code:
cat > /etc/ppp/ip-up.d/0010addRouteMyVpn << 'EOF'
#!/bin/sh -e

# Only act for the pppd peer configured with "ipparam myvpn"
test "$PPP_IPPARAM" = "myvpn" || exit 0

# PPP_IFACE is exported by /etc/ppp/ip-up with the interface that just came up
ip route add 192.168.X.0/24 dev "$PPP_IFACE"

exit 0
EOF

chmod +x /etc/ppp/ip-up.d/0010addRouteMyVpn


Thank you so much again. I mark as solved ;-)

EDIT: code below was the previous answer
Code:
cat > /etc/ppp/ip-up.d/0010addRouteMyVpn << 'EOF'
#!/bin/sh -e

test "$PPP_IPPARAM" = "myvpn" || exit 0

exec ip route add 192.168.X.0/24 dev $PPP_IFACE

exit 0
EOF

chmod +x /etc/ppp/ip-up.d/0010addRouteMyVpn
Last edited by disa on 2018-09-15 06:44, edited 2 times in total.
disa
 
Posts: 5
Joined: 2018-09-12 10:19
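An added example, not code from any post in this thread: the same ip-up.d hook, factored into functions so that the ipparam guard p.H recommends and the run-parts naming rule he points at can be checked without root and without a live ppp link. It assumes the pppd peer file for this VPN sets "ipparam myvpn" (as disa's script does) and writes the remote prefix as 192.168.7.0/24 as a stand-in for the 192.168.X.0/24 the posts leave unspecified; both are assumptions, not values from the thread.

```sh
#!/bin/sh
# Added example, not code from this thread: an /etc/ppp/ip-up.d/ hook factored into
# functions so the guard and the run-parts naming rule can be exercised offline.
# Assumptions (not stated in the thread): the pppd peer file for this VPN carries
# "ipparam myvpn", and the remote prefix is written here as 192.168.7.0/24 in place
# of the 192.168.X.0/24 the posts leave unspecified.
VPN_IPPARAM="myvpn"
VPN_PREFIX="192.168.7.0/24"
IP="${IP:-ip}"            # set IP=echo to dry-run the route command

# run-parts(8) default rule: a file is run only if its name consists entirely of
# ASCII letters, digits, underscores and hyphens; "my_script.sh" would be skipped.
run_parts_eligible() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *)                   return 0 ;;
    esac
}

# Decide and act for one PPP link coming up.
#   $1 = interface name  (PPP_IFACE, exported by /etc/ppp/ip-up)
#   $2 = ipparam value   (PPP_IPPARAM, same source)
#   $3 = prefix to route over the link
# Returns 1 without touching the routing table when the link belongs to some other
# pppd (a dial-in peer, another VPN), so the internal prefix is never routed into a
# tunnel it does not belong to. Uses "replace" rather than "add" so a re-run or a
# stale route does not make the hook fail under "sh -e".
vpn_route() {
    [ "$2" = "$VPN_IPPARAM" ] || return 1
    "$IP" route replace "$3" dev "$1"
}

# Real invocation by /etc/ppp/ip-up: pppd exports PPP_IFACE, so act; otherwise
# (sourced for testing, or run by hand) do nothing.
if [ -n "${PPP_IFACE:-}" ]; then
    vpn_route "$PPP_IFACE" "${PPP_IPPARAM:-}" "$VPN_PREFIX" || :
fi
```

Install it as /etc/ppp/ip-up.d/0010addRouteMyVpn (a name that passes the check above), chmod +x it, and confirm with `run-parts --test /etc/ppp/ip-up.d` that it is listed. Once the link is up, `ip route get 192.168.X.Y` should report `dev ppp0`; if it still shows eth0 the hook did not run, which usually means the ipparam value or the file name did not match.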

Re: [Solved] Forward between L2TP/IPsec and ethernet

Postby p.H » 2018-09-14 07:31

Glad it helped. Sorry for not providing one of my scripts as sample, but I did not have access to the machine which uses them at the time of my reply.

Why do you use exec to run the ip command?
p.H
 
Posts: 631
Joined: 2017-09-17 07:12

Re: [Solved] Forward between L2TP/IPsec and ethernet

Postby disa » 2018-09-14 15:01

Oh don't worry ;-). Anyway, is exec unnecessary?
disa
 
Posts: 5
Joined: 2018-09-12 10:19

Re: [Solved] Forward between L2TP/IPsec and ethernet

Postby p.H » 2018-09-14 19:31

Do you know what exec does?
It replaces the shell executing the script with the specified command in the same process. When it terminates, it does not return to the script execution.
Without exec, the command is executed in a child process. When it terminates, the script execution is resumed.
p.H
 
Posts: 631
Joined: 2017-09-17 07:12

Re: [Solved] Forward between L2TP/IPsec and ethernet

Postby disa » 2018-09-15 06:42

Ah.... I didn't know. Thanks for the information :-). I'll modify my previous answer and my script ;-)
disa
 
Posts: 5
Joined: 2018-09-12 10:19

