Ok ladies and gents, I give up! I just can't find a solution to the problem.

Setup: I have a linux box with 2.4.22-1.2197.nptl kernel running 2 eth and one ppp connection over one of the eth for VPN tunneling.

I have 2 needs:
- masq and forward internal lan hosts via the tunnel on PPP and then on to the big internet. No problem there. All works fine.
- Forward ppp0 native connections on to the big internet. And here the trouble starts.

I can ping the gateway on the other side of the tunnel (which has the same subnet mask as the ppp assigned ip), but I cannot ping anything beyond that.

I thought it could be a firewall (iptables) issue. Nope, it's not that: I turned it off and it made no difference.

Maybe the problem lies on the other side. Nope. I tcpdumped ppp0, and I get the ping back from the Big Internet host. So the packet goes out and comes back correctly, it just does not get "forwarded" on to the application level so that the ping program can register it.

So, this is the mess. Any idea on what I screwed up? :)

ivan

--
By 1977 or so, PLATO was featuring real-time multiplayer dungeon games, not to mention real-time spacewar, IM, chat, email, netnews, and a host of other things we now take for granted. All this on high-resolution plasma panel terminals connected at 1200 baud to twin Cyber 6600 supercomputers. Now you understand why I was kicked out of Cornell for a year; PLATO was crack for computer nerds. (Robert Woodhead, co-creator of Wizardry)

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
Ivan Pintori
2004-Nov-04 15:28 UTC
Re: VPN Routing issues from local IP to Big Internet IPs
Ivan Pintori writes:
> Maybe the problem lies on the other side. Nope. I tcpdumped ppp0, and I
> get the ping back from the Big Internet host. So the packet goes out and
> comes back correctly, it just does not get "forwarded" on to the
> application level so that the ping program can register it.

Just to give you an idea of what I see with tcpdump, here it comes:

[root@hoshimaru root]# ping -I ppp0 151.1.1.1

[root@hoshimaru root]# tcpdump -i ppp0
tcpdump: listening on ppp0
16:18:26.387006 172.16.XX.YY > 151.1.1.1: icmp: echo request (DF)
16:18:26.740705 151.1.1.1 > 172.16.XX.YY: icmp: echo reply (DF)
16:18:27.386941 172.16.XX.YY > 151.1.1.1: icmp: echo request (DF)
16:18:27.740039 151.1.1.1 > 172.16.XX.YY: icmp: echo reply (DF)
16:18:28.387023 172.16.XX.YY > 151.1.1.1: icmp: echo request (DF)
16:18:28.755338 151.1.1.1 > 172.16.XX.YY: icmp: echo reply (DF)
16:18:29.386988 172.16.XX.YY > 151.1.1.1: icmp: echo request (DF)
16:18:29.743806 151.1.1.1 > 172.16.XX.YY: icmp: echo reply (DF)
16:18:30.386977 172.16.XX.YY > 151.1.1.1: icmp: echo request (DF)
16:18:30.741172 151.1.1.1 > 172.16.XX.YY: icmp: echo reply (DF)

And here a traceroute:

[root@hoshimaru root]# traceroute -i ppp0 151.1.1.1
traceroute to 151.1.1.1 (151.1.1.1), 30 hops max, 38 byte packets
 1  172.16.0.1 (172.16.0.1)  165.423 ms  166.358 ms  164.800 ms
 2  * * *
 3  * * *
[etc]

16:18:45.176421 172.16.XX.YY.34520 > 151.1.1.1.33435: udp 10 [ttl 1]
16:18:45.341516 172.16.0.1 > 172.16.XX.YY: icmp: time exceeded in-transit [tos 0xc0]
16:18:45.344151 172.16.XX.YY.34520 > 151.1.1.1.33436: udp 10 [ttl 1]
16:18:45.510231 172.16.0.1 > 172.16.XX.YY: icmp: time exceeded in-transit [tos 0xc0]
16:18:45.510560 172.16.XX.YY.34520 > 151.1.1.1.33437: udp 10 [ttl 1]
16:18:45.675086 172.16.0.1 > 172.16.XX.YY: icmp: time exceeded in-transit [tos 0xc0]
16:18:45.675423 172.16.XX.YY.34520 > 151.1.1.1.33438: udp 10
16:18:45.842148 SECONDHOP > 172.16.XX.YY: icmp: time exceeded in-transit
16:18:50.667262 172.16.XX.YY.34520 > 151.1.1.1.33439: udp 10
16:18:50.831541 SECONDHOP > 172.16.XX.YY: icmp: time exceeded in-transit
16:18:55.667351 172.16.XX.YY.34520 > 151.1.1.1.33440: udp 10
16:18:55.835469 SECONDHOP > 172.16.XX.YY: icmp: time exceeded in-transit
16:19:00.667955 172.16.XX.YY.34520 > 151.1.1.1.33441: udp 10
16:19:00.833257 THIRDHOP > 172.16.XX.YY: icmp: time exceeded in-transit
16:19:05.667458 172.16.XX.YY.34520 > 151.1.1.1.33442: udp 10
16:19:05.833473 THIRDHOP > 172.16.XX.YY: icmp: time exceeded in-transit
16:19:10.667546 172.16.XX.YY.34520 > 151.1.1.1.33443: udp 10
16:19:10.834686 THIRDHOP > 172.16.XX.YY: icmp: time exceeded in-transit
16:19:15.667676 172.16.XX.YY.34520 > 151.1.1.1.33444: udp 10
16:19:15.852906 FORTHHOP > 172.16.XX.YY: icmp: time exceeded in-transit
16:19:20.667643 172.16.XX.YY.34520 > 151.1.1.1.33445: udp 10
16:19:20.855853 FORTHHOP > 172.16.XX.YY: icmp: time exceeded in-transit
16:19:25.667731 172.16.XX.YY.34520 > 151.1.1.1.33446: udp 10
16:19:26.037855 FORTHHOP > 172.16.XX.YY: icmp: time exceeded in-transit

Now you see why I am so puzzled? The packet goes out with the correct IP and comes back to the right IP. Too bad that traceroute and ping just time out, and so every other application!

ivan
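The diagnostic Ivan performs by eye above (confirm on the wire that echo replies and time-exceeded messages actually reach ppp0, so the loss must be local to the host rather than upstream) can be automated against a saved tcpdump log. The script below is an added example written for this thread, not code from the list or from the original poster; it assumes the one-line ICMP format of the tcpdump build shown in the message, and the sample capture embedded in it is constructed from the lines quoted above, redacted "XX.YY" placeholders included.

```python
"""Pair ICMP echo requests with replies in saved tcpdump output.

Added example, not from the LARTC thread. Given the per-line tcpdump
format shown in the message, it counts, per target, how many echo
requests left the interface and how many echo replies arrived, and
tallies ICMP time-exceeded messages by the router that sent them.
If replies are visible here while ping reports total loss, the drop
is happening on the local host between the capture point and the
socket (libpcap sees ingress frames before the IP stack's routing and
filter decisions), which rules out the remote side of the tunnel.
"""
import re
import sys
from collections import defaultdict

# Matches lines such as:
#   16:18:26.387006 172.16.XX.YY > 151.1.1.1: icmp: echo request (DF)
#   16:18:45.341516 172.16.0.1 > 172.16.XX.YY: icmp: time exceeded in-transit [tos 0xc0]
# Source and destination are kept as opaque tokens so that redacted
# placeholders like "172.16.XX.YY" or "SECONDHOP" parse like real addresses.
ICMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+icmp:\s+"
    r"(?P<msg>.+?)"
    r"(?:\s+\(DF\))?(?:\s+\[tos\s+0x[0-9a-fA-F]+\])?\s*$"
)

# Constructed sample, taken from the capture quoted in the thread.
SAMPLE_CAPTURE = """\
tcpdump: listening on ppp0
16:18:26.387006 172.16.XX.YY > 151.1.1.1: icmp: echo request (DF)
16:18:26.740705 151.1.1.1 > 172.16.XX.YY: icmp: echo reply (DF)
16:18:27.386941 172.16.XX.YY > 151.1.1.1: icmp: echo request (DF)
16:18:27.740039 151.1.1.1 > 172.16.XX.YY: icmp: echo reply (DF)
16:18:45.176421 172.16.XX.YY.34520 > 151.1.1.1.33435: udp 10 [ttl 1]
16:18:45.341516 172.16.0.1 > 172.16.XX.YY: icmp: time exceeded in-transit [tos 0xc0]
16:18:45.675423 172.16.XX.YY.34520 > 151.1.1.1.33438: udp 10
16:18:45.842148 SECONDHOP > 172.16.XX.YY: icmp: time exceeded in-transit
""".splitlines()


def parse_icmp(lines):
    """Yield (timestamp, src, dst, message) for each ICMP line; skip the rest."""
    for line in lines:
        m = ICMP_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("src"), m.group("dst"), m.group("msg")


def summarize(lines):
    """Return echo request/reply counts per target and time-exceeded counts per hop."""
    echo = defaultdict(lambda: {"requests": 0, "replies": 0})
    exceeded = defaultdict(int)
    for _ts, src, dst, msg in parse_icmp(lines):
        if msg == "echo request":
            echo[dst]["requests"] += 1
        elif msg == "echo reply":
            echo[src]["replies"] += 1        # reply is keyed by who answered
        elif msg.startswith("time exceeded"):
            exceeded[src] += 1               # the router that expired the TTL
    return {"echo": dict(echo), "time_exceeded": dict(exceeded)}


def diagnose(summary, target):
    """Classify where a ping to `target` fails, given that ping itself saw no replies."""
    counts = summary["echo"].get(target, {"requests": 0, "replies": 0})
    if counts["requests"] == 0:
        return "no requests left the interface: check the outbound route for the target"
    if counts["replies"] == 0:
        return "requests left but no replies arrived: problem is upstream or on the return path"
    return "replies arrived on the interface but ping saw none: dropped locally after capture"


def main(argv):
    """Read a tcpdump log from a file (or the built-in sample) and print the verdict."""
    lines = open(argv[1]).read().splitlines() if len(argv) > 1 else SAMPLE_CAPTURE
    target = argv[2] if len(argv) > 2 else "151.1.1.1"
    summary = summarize(lines)
    for host, c in sorted(summary["echo"].items()):
        print(f"{host}: {c['requests']} echo requests out, {c['replies']} echo replies in")
    for hop, n in sorted(summary["time_exceeded"].items()):
        print(f"time exceeded from {hop}: {n}")
    print(diagnose(summary, target))


if __name__ == "__main__":
    main(sys.argv)
```

Run it with a saved capture and the target address (`python icmp_pairs.py ppp0.log 151.1.1.1`); with no arguments it uses the embedded sample and reports that both replies and time-exceeded messages did arrive, which is exactly the situation the thread describes and which points the investigation at the local host's inbound handling rather than at the far end of the tunnel.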