Interesting VPN problem.

I have an interesting VPN problem. I'm trying to reach a linux box behind a
win2K vpn server with a win2K client. All of the computers has real IP
addresses. I connect to the VPN server without any problems and can reach
other win boxes behind the vpn server but when I try to ping the redhat 9
box it does not respond. It's not an iptables problem, because I turned it
off and still have the problem. It seems to me that the linux box somehow
can not update it's routing table with the routing announcement coming from
the vpn server. Any suggestions would be greatly appreciated.

Thanks in advance,

Kerem

"Kerem Tuzemen" <(E-Mail Removed)> wrote in message
news:gaSdnX-U6-(E-Mail Removed)...
> I have an interesting VPN problem. I'm trying to reach a linux box behind
a
> win2K vpn server with a win2K client. All of the computers has real IP
> addresses. I connect to the VPN server without any problems and can reach
> other win boxes behind the vpn server but when I try to ping the redhat 9
> box it does not respond. It's not an iptables problem, because I turned it
> off and still have the problem. It seems to me that the linux box somehow
> can not update it's routing table with the routing announcement coming
from
> the vpn server. Any suggestions would be greatly appreciated.
>
> Thanks in advance,
>
> Kerem
>
>

Hi Kerem,

Can you ping the lead hat box on the internal network?? If not:

#cat /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

if that returns a 1 then

#echo > 0 /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#cat /proc/sys/net/ipv4net.ipv4.icmp_echo_ignore_all

if that returns a 1 then

#echo > 0 /proc/sys/net/ipv4net.ipv4.icmp_echo_ignore_all

Some other points? Is your vpn server assigning an address range on the same
mask as your RH box???

Can't see how the route table would affect anything. You ping an address if
its up its up. Is your RH box on the same mask as the vpn server??

Luke

Hi Luke,

First of all, thanks for your time and suggestions. Here is some additional
information and answers to your questions:

On the internal network which is behind the subject vpn server everything
seems to work normally. i.e. I can ping linux boxes from win boxes and
vice-versa. All of the ip addresses (except the vpn client's original IP)
are real IP addresses and they are on the same mask.
Let me explain what made me think about the routing protocol. Think about
this: at the time of connection to the VPN server two ip addresses from the
vpn pool are used to welcome the vpn client to the network. One of them is
the ip assigned to the client and the other one kinda acts as a gateway and
assigned to the VPN server's vpn port. When the connection is established,
the MS VPN server announces the new route for the vpn client to other
computers on the network (which should update other computers' routing table
to let them know that the assigned vpn client address is reachable via the
gateway ip address on the vpn server) so if the linux box's routing table
doesn't get updated, there's no way for it to know how to reach the vpn
client's ip address since it's reachable via the gateway (second) ip address
assigned to vpn port of the server. So even if it receives the ICMP packets,
it can not send the response back.

Kerem


> Hi Kerem,
>
> Can you ping the lead hat box on the internal network?? If not:
>
> #cat /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
>
> if that returns a 1 then
>
> #echo > 0 /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
>
> #cat /proc/sys/net/ipv4net.ipv4.icmp_echo_ignore_all
>
> if that returns a 1 then
>
> #echo > 0 /proc/sys/net/ipv4net.ipv4.icmp_echo_ignore_all
>
> Some other points? Is your vpn server assigning an address range on the
same
> mask as your RH box???
>
> Can't see how the route table would affect anything. You ping an address
if
> its up its up. Is your RH box on the same mask as the vpn server??
>
> Luke
>
>