[Solved] Forward between L2TP/IPsec and ethernet

disa
Posts: 5
Joined: 2018-09-12 10:19

[Solved] Forward between L2TP/IPsec and ethernet

#1 Post by disa »

Hello all,
I've set up a server with a public IP that connects to a VPN server via L2TP/IPsec; the configuration is OK and the connection works. The VPN server assigns my server addresses like 192.168.6.A.
Now I have to connect to a machine under the VPN that has an address like 192.168.X.Y (X is not 6), so first of all I tried to ping it, and these are the results:

ping -c 3 192.168.X.Y --> all packets loss
ping -c 3 -I 192.168.6.A 192.168.X.Y --> all packets loss
ping -c 3 -I ppp0 192.168.X.Y --> all packets received
I read on the internet that I have to change the default route (the command is: route add default dev ppp0), but I can't because the eth0 address is public, so I imagine the best solution is to create a forward between ppp0 and eth0.

I tried to do like that:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ppp0 -o eth0 -j ACCEPT
But it didn't work. Any suggestions?
Last edited by disa on 2018-09-13 17:42, edited 1 time in total.

p.H
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12
Has thanked: 5 times
Been thanked: 132 times

Re: Forward between L2TP/IPsec and ethernet

#2 Post by p.H »

Forwarding and masquerading have nothing to do with this. It is a routing issue.
You must add a route to the destination address or prefix using the VPN interface.

For a single address

ip route add 192.168.X.Y dev ppp0
For a /24 prefix

ip route add 192.168.X.0/24 dev ppp0
This route is not persistent and will be removed when the interface comes down.
It can be added automatically by a script in /etc/ppp/ip-up.d/ when the interface comes up.

disa
Posts: 5
Joined: 2018-09-12 10:19

Re: Forward between L2TP/IPsec and ethernet

#3 Post by disa »

p.H wrote:Forwarding and masquerading have nothing to do with this. It is a routing issue.
You must add a route to the destination address or prefix using the VPN interface.

For a single address

ip route add 192.168.X.Y dev ppp0
For a /24 prefix

ip route add 192.168.X.0/24 dev ppp0
This route is not persistent and will be removed when the interface comes down.
It can be added automatically by a script in /etc/ppp/ip-up.d/ when the interface comes up.
Yeah!! It worked, thank you very much :-)
Just another question: to add this permanently, is the procedure below the right one?
mkdir -p /etc/ppp/ip-up.d/
echo -e "#!/bin/bash\nip route add 192.168.X.0/24 dev ppp0" > /etc/ppp/ip-up.d/my_scipt.sh
chmod +x /etc/ppp/ip-up.d/my_scipt.sh
Last edited by disa on 2018-09-13 17:53, edited 2 times in total.

p.H
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12
Has thanked: 5 times
Been thanked: 132 times

Re: Forward between L2TP/IPsec and ethernet

#4 Post by p.H »

No.
1) The /etc/ppp/ip-up.d directory should already exist as it is part of the ppp package.

2) Scripts in /etc/ppp/ip-up.d are executed by /etc/ppp/ip-up using run-parts. run-parts has restrictions on files it executes. For example file names containing periods "." are ignored. See the run-parts man page for details.

3) Some parameters are passed to the scripts as command line arguments and environment variables. They include the PPP interface name, the local and remote IP addresses and the value of the "ipparam" option defined in the pppd config. See the /etc/ppp/ip-up script for details.
As the scripts are run for any PPP connection, I recommend that you
- set the ipparam option in the specific pppd config to a unique value and check that value in $PPP_IPPARAM ;
- use $PPP_IFACE containing the PPP interface name in the route creation command.

disa
Posts: 5
Joined: 2018-09-12 10:19

Re: Forward between L2TP/IPsec and ethernet

#5 Post by disa »

p.H wrote:No.
1) The /etc/ppp/ip-up.d directory should already exist as it is part of the ppp package.

2) Scripts in /etc/ppp/ip-up.d are executed by /etc/ppp/ip-up using run-parts. run-parts has restrictions on files it executes. For example file names containing periods "." are ignored. See the run-parts man page for details.

3) Some parameters are passed to the scripts as command line arguments and environment variables. They include the PPP interface name, the local and remote IP addresses and the value of the "ipparam" option defined in the pppd config. See the /etc/ppp/ip-up script for details.
As the scripts are run for any PPP connection, I recommend that you
- set the ipparam option in the specific pppd config to a unique value and check that value in $PPP_IPPARAM ;
- use $PPP_IFACE containing the PPP interface name in the route creation command.
I read all your suggestions and I finally found what I needed. Here is the right procedure:

cat > /etc/ppp/ip-up.d/0010addRouteMyVpn << 'EOF'
#!/bin/sh -e

test "$PPP_IPPARAM" = "myvpn" || exit 0

ip route add 192.168.X.0/24 dev $PPP_IFACE

exit 0
EOF

chmod +x /etc/ppp/ip-up.d/0010addRouteMyVpn
Thank you so much again. I'll mark it as solved ;-)

EDIT: code below was the previous answer

cat > /etc/ppp/ip-up.d/0010addRouteMyVpn << 'EOF'
#!/bin/sh -e

test "$PPP_IPPARAM" = "myvpn" || exit 0

exec ip route add 192.168.X.0/24 dev $PPP_IFACE

exit 0
EOF

chmod +x /etc/ppp/ip-up.d/0010addRouteMyVpn
Last edited by disa on 2018-09-15 06:44, edited 2 times in total.
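The script below is an added example, not disa's or p.H's own script, written as an /etc/ppp/ip-up.d/ hook along the lines recommended in this thread: it acts only when $PPP_IPPARAM matches the tag set with pppd's "ipparam" option (assumed here to be "myvpn", as in the post above) and uses $PPP_IFACE rather than a hard-coded ppp0. Two things are additions of mine and not from the thread: "ip route replace" instead of "ip route add", so that a second run of ip-up for the same link does not fail under "sh -e" because the route already exists, and a DRY_RUN switch that prints the command instead of executing it, so the hook can be exercised without root and without a live PPP interface. The prefix 192.168.10.0/24 is a constructed stand-in for the thread's 192.168.X.0/24; the file name 0010addRouteMyVpn is the one disa chose (no periods, so run-parts will run it).

```shell
#!/bin/sh
# Hypothetical path: /etc/ppp/ip-up.d/0010addRouteMyVpn
# Added example, not the thread's own script. Assumes pppd is started with
# "ipparam myvpn" and that 192.168.10.0/24 (a constructed placeholder) is
# the prefix that is only reachable through the L2TP/IPsec tunnel.
set -eu

WANT_IPPARAM="myvpn"
VPN_PREFIX="192.168.10.0/24"

# run_cmd: execute the command, or only print it when DRY_RUN=1 so the hook
# can be tested as an unprivileged user with no ppp interface present.
run_cmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# add_vpn_route IPPARAM IFACE PREFIX
# Installs PREFIX via IFACE, but only for the connection tagged with our
# ipparam value; any other PPP link (ip-up.d runs for all of them) is left
# untouched and the function returns 0 so run-parts reports no error.
add_vpn_route() {
    ipparam="$1"; iface="$2"; prefix="$3"

    [ "$ipparam" = "$WANT_IPPARAM" ] || return 0

    # pppd names its interfaces pppN; refuse anything else before it is
    # handed to ip(8), in case the environment is not what we expect.
    case "$iface" in
        ppp[0-9]*) ;;
        *) printf 'unexpected PPP interface name: %s\n' "$iface" >&2; return 1 ;;
    esac

    # "replace" is idempotent: re-running ip-up for the same link does not
    # abort the script with "RTNETLINK answers: File exists" under set -e.
    run_cmd ip route replace "$prefix" dev "$iface"
}

# When run by /etc/ppp/ip-up via run-parts, pppd has exported PPP_IFACE and
# PPP_IPPARAM. When the file is merely sourced for testing they are unset
# and nothing happens at top level.
if [ -n "${PPP_IFACE:-}" ]; then
    add_vpn_route "${PPP_IPPARAM:-}" "$PPP_IFACE" "$VPN_PREFIX"
fi
```

To try it without bringing the tunnel up: `DRY_RUN=1 PPP_IPPARAM=myvpn PPP_IFACE=ppp0 sh /etc/ppp/ip-up.d/0010addRouteMyVpn` prints the route command that would run; with a different PPP_IPPARAM it prints nothing. As p.H notes, the route disappears with the interface, so no matching ip-down.d cleanup is needed.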

p.H
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12
Has thanked: 5 times
Been thanked: 132 times

Re: [Solved] Forward between L2TP/IPsec and ethernet

#6 Post by p.H »

Glad it helped. Sorry for not providing one of my scripts as sample, but I did not have access to the machine which uses them at the time of my reply.

Why do you use exec to run the ip command ?

disa
Posts: 5
Joined: 2018-09-12 10:19

Re: [Solved] Forward between L2TP/IPsec and ethernet

#7 Post by disa »

Oh don't worry ;-). Anyway, is exec unnecessary?

p.H
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12
Has thanked: 5 times
Been thanked: 132 times

Re: [Solved] Forward between L2TP/IPsec and ethernet

#8 Post by p.H »

Do you know what exec does ?
It replaces the shell executing the script with the specified command in the same process. When it terminates, it does not return to the script execution.
Without exec, the command is executed in a child process. When it terminates, the script execution is resumed.

disa
Posts: 5
Joined: 2018-09-12 10:19

Re: [Solved] Forward between L2TP/IPsec and ethernet

#9 Post by disa »

Ah.... I didn't know. Thanks for the information :-). I've modified my previous answer and I'll modify my script ;-)
