  1. #1
    Just Joined!
    Join Date
    Jan 2006
    Posts
    35

    VPNclient


    Hi all,

    I have the following situation and someone may know what I need:
    I live in a student home and I have to use a vpnclient (Cisco) before I can go on the internet. I have multiple computers.
    If I want to do an install of linux I always need to do it offline and then install the needed tools because I can't go on the internet to solve the dependencies.
    This is very annoying. Also, I have to connect with each computer (with the same account) if I want to go on the internet with that particular computer.

    Is there any possibility that I can have 1 computer that connects with the VPNclient and then the others go to the internet through a proxy that I configure on the host with the VPNclient?

    Or do I need to use a gateway?

    Or is this even possible?

    What documentation/HOWTO/... should I read?
    I already read a lot of them but they don't help me with what I need.

    Help is very appreciated!

  2. #2
    Linux Enthusiast
    Join Date
    Apr 2004
    Location
    UK
    Posts
    720
    An IP Masquerading setup should do what you need. Set up one computer with VPN client which will be the gateway, then follow the instructions in this IP Masquerade HOWTO.

    Your network device will be the internal device and the device created by vpnclient will be the external device.

    If you run into any problems post them here and we will try to help.

    Let us know how you get on,

    Chris...
    To be good, you must first be bad. "Newbie" is a rank, not a slight.

  3. #3
    Just Joined!
    Join Date
    Jan 2006
    Posts
    35
    Quote Originally Posted by kakariko81280
    An IP Masquerading setup should do what you need. Set up one computer with VPN client which will be the gateway, then follow the instructions in this IP Masquerade HOWTO.

    Your network device will be the internal device and the device created by vpnclient will be the external device.

    If you run into any problems post them here and we will try to help.

    Let us know how you get on,

    Chris...
    First: thanks for your quick reply.

    Second
    I read that howto but it is not that simple to understand all those things.
    So I "read" http://www.linuxhomenetworking.com/w...Using_iptables
    I used this part: Masquerading (Many to One NAT).
    However, I don't use gentoo on the computer that has to be the gateway.
    It is Fedora Core 5

    Then I did this:
    Code:
    modprobe iptable_nat
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -A POSTROUTING -t nat -o eth0 -s 192.168.1.0/24 -d 0/0 \
             -j MASQUERADE
    
    iptables -A FORWARD -t filter -o cipsec0 -m state \
             --state NEW,ESTABLISHED,RELATED -j ACCEPT
     
    iptables -A FORWARD -t filter -i eth0 -m state \
             --state ESTABLISHED,RELATED -j ACCEPT
    (eth0 and cipsec0 use the same physical NIC. So I use eth0 to go on the LAN, and cipsec0 uses the same LAN (and NIC) to connect to the VPN.)
    Sorry if this is not clear.

    cipsec0 is the Cisco device, but I'm not sure (if I do ifconfig without the -a option I don't get it in the list, although I am connected with the vpnclient to the internet).

    Problem is: if I use this computer as gateway on another computer (Gentoo), by doing "route add default gw ip-address" on the other computer (where I don't want to connect with the vpn client), I do not get anything after a "ping google.com".

    What am I doing wrong?

    Thanks in advance!

  5. #4
    Linux Enthusiast
    Join Date
    Apr 2004
    Location
    UK
    Posts
    720
    The fact you are using Fedora rather than gentoo shouldn't make any difference. Modprobe and iptables are about as universal as commands get.

    There are two things you will need to check:

    First of all, bring up vpnclient and check that the gateway machine is able to access the Internet. If an interface doesn't show in ifconfig, but does with ifconfig -a it means it is down so nothing will be getting online.

    Second, it looks like you have the wrong interface in the first iptables command. I think it should be

    Code:
    iptables -A POSTROUTING -t nat -o cipsec0 -s 192.168.1.0/24 -d 0/0 \
             -j MASQUERADE
    Then set up and try one of the client computers.

    Let us know how you get on.

    Chris...
    To be good, you must first be bad. "Newbie" is a rank, not a slight.

  6. #5
    Just Joined!
    Join Date
    Jan 2006
    Posts
    35
    Quote Originally Posted by kakariko81280
    First of all, bring up vpnclient and check that the gateway machine is able to access the Internet. If an interface doesn't show in ifconfig, but does with ifconfig -a it means it is down so nothing will be getting online.
    I logged on with the vpnclient; after that, I did ifconfig, but couldn't see the cipsec interface with ifconfig, although I could go on the internet.
    I recompiled and installed on that Fedora (RH) and if I then connected with the vpnclient I could see cipsec0 when I do ifconfig.

    Second, it looks like you have the wrong interface in the first iptables command. I think it should be

    Code:
    iptables -A POSTROUTING -t nat -o cipsec0 -s 192.168.1.0/24 -d 0/0 \
             -j MASQUERADE
    Chris...
    I will try that immediately and post the results here!
    Thanks for your effort!

  7. #6
    Just Joined!
    Join Date
    Jan 2006
    Posts
    35
    I tried the rule you suggested but it does not work.
    Also I did echo "1" > /proc/sys/net/ipv4/ip_forward
    So everything should be ok, isn't it?
    I also flushed the tables "nat" and "filter" before I added those.
    On the host that should use the gateway, the speed of the "route" program is A LOT faster. So I think this is a step in the right direction!

    I also see some examples here: http://gathering.tweakers.net/forum/...ssages/1197817.
    But still, I couldn't get it to work :s

    Are the rules I add the absolute minimum?

    This is the result of route:
    Code:
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    172.17.2.0      *               255.255.255.0   U     0      0        0 eth0
    default         172.17.2.131    0.0.0.0         UG    0      0        0 eth0
    172.17.2.131 is the machine where vpnclient is connected and where I configured the firewall.

    Thanks in advance!

  8. #7
    Linux Enthusiast
    Join Date
    Apr 2004
    Location
    UK
    Posts
    720
    cue that sneaking suspicion that I've made an assumption I shouldn't...

    Can I get you to go onto the gateway PC and run these commands

    Code:
    ifconfig -a
    route -n
    then connect vpnclient and run them again. Redact any routeable IPs and post the output here.

    Also, it might be easier to use a firewall package. I personally use shorewall which makes setting up this kind of thing very easy.

    Let us know how you get on,

    Chris...
    To be good, you must first be bad. "Newbie" is a rank, not a slight.

  9. #8
    Just Joined!
    Join Date
    Jan 2006
    Posts
    35
    Without VPNclient connect I get this:
    Code:
    cipsec0   Link encap:Ethernet  HWaddr 00:0B:FC:F8:01:8F  
              inet addr:172.197.8.14  Mask:255.255.255.0
              NOARP  MTU:1500  Metric:1
              RX packets:118 errors:0 dropped:1436 overruns:0 frame:0
              TX packets:184 errors:0 dropped:10 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:9730 (9.5 KiB)  TX bytes:21316 (20.8 KiB)
    
    eth0      Link encap:Ethernet  HWaddr 00:50:04:D5:30:7F  
              BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
              Interrupt:11 Base address:0x8000 
    
    eth1      Link encap:Ethernet  HWaddr 00:05:5D:A1:CD:75  
              inet addr:172.17.2.131  Bcast:172.17.2.255  Mask:255.255.255.0
              inet6 addr: fe80::205:5dff:fea1:cd75/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:2524 errors:0 dropped:0 overruns:0 frame:0
              TX packets:420 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:346596 (338.4 KiB)  TX bytes:58720 (57.3 KiB)
              Interrupt:5 Base address:0x4000 
    
    lo        Link encap:Local Loopback  
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:490 errors:0 dropped:0 overruns:0 frame:0
              TX packets:490 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:86885 (84.8 KiB)  TX bytes:86885 (84.8 KiB)
    
    sit0      Link encap:IPv6-in-IPv4  
              NOARP  MTU:1480  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
    
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    172.17.2.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
    169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 lo
    0.0.0.0         172.17.2.254    0.0.0.0         UG    0      0        0 eth1
    With the vpnclient connected I get:
    Code:
    cipsec0   Link encap:Ethernet  HWaddr 00:0B:FC:F8:01:8F  
              inet addr:172.197.1.15  Mask:255.255.255.0
              inet6 addr: fe80::20b:fcff:fef8:18f/64 Scope:Link
              UP RUNNING NOARP  MTU:1356  Metric:1
              RX packets:118 errors:0 dropped:1453 overruns:0 frame:0
              TX packets:184 errors:0 dropped:20 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:9730 (9.5 KiB)  TX bytes:21316 (20.8 KiB)
    
    eth0      Link encap:Ethernet  HWaddr 00:50:04:D5:30:7F  
              BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
              Interrupt:11 Base address:0x8000 
    
    eth1      Link encap:Ethernet  HWaddr 00:05:5D:A1:CD:75  
              inet addr:172.17.2.131  Bcast:172.17.2.255  Mask:255.255.255.0
              inet6 addr: fe80::205:5dff:fea1:cd75/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:2582 errors:0 dropped:0 overruns:0 frame:0
              TX packets:445 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:356093 (347.7 KiB)  TX bytes:67062 (65.4 KiB)
              Interrupt:5 Base address:0x4000 
    
    lo        Link encap:Local Loopback  
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:603 errors:0 dropped:0 overruns:0 frame:0
              TX packets:603 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:122261 (119.3 KiB)  TX bytes:122261 (119.3 KiB)
    
    sit0      Link encap:IPv6-in-IPv4  
              NOARP  MTU:1480  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
    
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    193.190.126.26  172.17.2.254    255.255.255.255 UGH   0      0        0 eth1
    192.168.112.1   172.17.2.254    255.255.255.255 UGH   0      0        0 eth1
    193.190.126.30  172.17.2.254    255.255.255.255 UGH   0      0        0 eth1
    193.191.155.1   172.17.2.254    255.255.255.255 UGH   0      0        0 eth1
    172.16.1.20     172.17.2.254    255.255.255.255 UGH   0      0        0 eth1
    193.191.155.2   172.17.2.254    255.255.255.255 UGH   0      0        0 eth1
    172.99.0.10     172.17.2.254    255.255.255.255 UGH   0      0        0 eth1
    192.168.100.0   172.17.2.254    255.255.255.0   UG    0      0        0 eth1
    193.191.154.0   172.17.2.254    255.255.255.0   UG    0      0        0 eth1
    172.17.4.0      172.17.2.254    255.255.255.0   UG    0      0        0 eth1
    172.197.1.0     0.0.0.0         255.255.255.0   U     0      0        0 cipsec0
    172.17.2.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
    172.17.3.0      172.17.2.254    255.255.255.0   UG    0      0        0 eth1
    172.17.1.0      172.17.2.254    255.255.255.0   UG    0      0        0 eth1
    172.18.0.0      172.17.2.254    255.255.0.0     UG    0      0        0 eth1
    169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 lo
    0.0.0.0         172.197.1.15    0.0.0.0         UG    0      0        0 cipsec0

    These are the commands I last tried on the wanna-be gateway:
    Code:
    echo "1" > /proc/sys/net/ipv4/ip_forward
    
    iptables -t nat -F
    iptables -t filter -F
    
    iptables -A POSTROUTING -t nat -o cipsec0 -s 172.17.2.0/24 -d 0/0 -j MASQUERADE
    iptables -A FORWARD -t filter -o cipsec0 -j ACCEPT
    iptables -A FORWARD -t filter -i eth1 -j ACCEPT
    On the other computer I did
    Code:
    route add default gw 172.17.2.131 # this is the one I'm setting up
    route delete default gw 172.17.2.254 # this is the normal one

  10. #9
    Linux Enthusiast
    Join Date
    Apr 2004
    Location
    UK
    Posts
    720
    OK, the network setup looks like I expected (phew).

    Can I get you to clear the firewall rules on the gateway and try these instead

    Code:
    iptables -A FORWARD -i cipsec0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth1 -o cipsec0 -j ACCEPT
    iptables -t nat -A POSTROUTING -o cipsec0 -j MASQUERADE
    echo "1" > /proc/sys/net/ipv4/ip_forward
    What you are doing on the client seems fine. What is the actual error when you try to ping something on the Internet?

    Let us know how you get on,

    Chris...
    To be good, you must first be bad. "Newbie" is a rank, not a slight.
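As an added example (not code from the thread), a small POSIX shell script that applies the checks from the replies above: it reads the interface carrying the default route out of `route -n` output, checks that the interface carries the UP flag in `ifconfig -a` output, and only then prints the masquerade rules for that interface pair. The route and ifconfig text below is constructed; the interface names eth1 and cipsec0 follow the thread.

```shell
#!/bin/sh
# Added example, not from the thread: find the interface that carries the
# default route, confirm it is UP (an interface that only `ifconfig -a`
# lists is down), then print the masquerade rules for that interface pair.

# Constructed sample output, modelled on the gateway's posted tables.
ROUTE_SAMPLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.197.1.0     0.0.0.0         255.255.255.0   U     0      0        0 cipsec0
172.17.2.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         172.197.1.15    0.0.0.0         UG    0      0        0 cipsec0'

IFCONFIG_SAMPLE='cipsec0   Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          inet addr:172.197.1.15  Mask:255.255.255.0
          UP RUNNING NOARP  MTU:1356  Metric:1

eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:02
          BROADCAST MULTICAST  MTU:1500  Metric:1'

# Interface named on the 0.0.0.0 (default) line of `route -n`.
default_iface() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" { print $NF; exit }'
}

# Succeeds only if interface $1 shows the UP flag in the `ifconfig -a` text $2.
iface_up() {
    printf '%s\n' "$2" | awk -v want="$1" '
        $1 == want { cur = 1; next }   # start of the wanted interface block
        /^[^ ]/    { cur = 0 }          # start of some other interface block
        cur && $1 == "UP" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# The ruleset from the reply above, with LAN ($1) and VPN ($2) interfaces
# as parameters; printed rather than executed so it can be reviewed first.
masq_rules() {
    lan=$1; wan=$2
    printf 'iptables -A FORWARD -i %s -o %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$wan" "$lan"
    printf 'iptables -A FORWARD -i %s -o %s -j ACCEPT\n' "$lan" "$wan"
    printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$wan"
    printf 'echo 1 > /proc/sys/net/ipv4/ip_forward\n'
}

# On a real gateway replace the samples with "$(route -n)" and "$(ifconfig -a)".
main() {
    wan=$(default_iface "$ROUTE_SAMPLE")
    if [ -z "$wan" ]; then
        echo "no default route: VPN not connected?" >&2; return 1
    fi
    iface_up "$wan" "$IFCONFIG_SAMPLE" || {
        echo "$wan is not UP: nothing will reach the Internet" >&2; return 1; }
    masq_rules eth1 "$wan"
}
```

Run `main` to print the rules; pipe its output into `sh` only after checking that the chosen interfaces are the intended ones.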

  11. #10
    Just Joined!
    Join Date
    Jan 2006
    Posts
    35
    Quote Originally Posted by kakariko81280
    OK, the network setup looks like I expected (phew).

    Can I get you to clear the firewall rules on the gateway and try these instead

    Code:
    iptables -A FORWARD -i cipsec0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth1 -o cipsec0 -j ACCEPT
    iptables -t nat -A POSTROUTING -o cipsec0 -j MASQUERADE
    echo "1" > /proc/sys/net/ipv4/ip_forward
    What you are doing on the client seems fine. What is the actual error when you try to ping something on the Internet?
    I did exactly the lines you told me to do, without success :s

    If I try ping: I don't get anything at all :s Not even that all packets are lost :s
    And the routing table on the client who uses the gateway is:
    Code:
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    172.17.2.0      *               255.255.255.0   U     0      0        0 eth0
    default         172.17.2.21     0.0.0.0         UG    0      0        0 eth0
    I also did:
    Code:
    iptables -A INPUT -j LOG --log-level 4
    iptables -A OUTPUT -j LOG --log-level 4
    iptables -A FORWARD -j LOG --log-level 4
    I don't get anything that is from the host that wants to use the gateway.
    If I ping to the gateway then I can see it in the log files.

    I'm out of ideas :s

    I'm using Fedora Core 5 here. Maybe there is something I need to turn on? (I already enabled the ip_forward)


    Maybe it is interesting to make a little drawing of how the network is organised.
    Code:
    -------------------------------------------------------------- (switch)
               |                                        |
               |                                        |
       ----------------- (my own switch)            PCx (computer of other person)
       |             |
    PC1        PC2 (GW)
    PC1 should use PC2 to go to the internet. PC2 needs the big LAN and VPN connection to go online.
    PC2 only uses eth1. So the cipsec0 adapter goes through the same physical device.

    I hope this creates a clearer view.

    By the way: I use dynamic IP addresses. Could this be the problem? And my gateway (PC2) gets an IP from a dhcp server on the network.

    Kind regards
