Re: Two routes to a host: how to make sure which one is used when?



Stefan Monnier <monnier@xxxxxxxxxxxxxxxx> wrote:

I recently bumped into a problem with my VPN:

I've setup my networking as follows:

+-----------+                   +----------+
| mymachine |---192.168.1.13--> | myrouter |---> The world
+-----------+                   +----------+
      |
      |                   +-----------------+
      +--vpnNNN.domain--> | Some VPN server |---> *.domain
                          +-----------------+

Some IP range (corresponding to *.domain) goes through the VPN,
but the default routing rule is to go straight to my router.
Plus some addresses in *.domain are special cased to go via the
router: these are machines visible from outside and I don't want
connections to these machines to die/hang when I start/stop the
vpn tunnel. One of those addresses is the VPN server itself.

I.e. the routing table looks like this:

% route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
AAA.BBB.CCC.DDD 192.168.1.1     255.255.255.255 UGH   0      0        0 eth1
AAA.BBB.EEE.FFF 192.168.1.1     255.255.255.255 UGH   0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
AAA.BBB.0.0     0.0.0.0         255.255.0.0     U     0      0        0 ppp0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth1
%

AAA.BBB.CCC.DDD is the VPN server and AAA.BBB.EEE.FFF is the IMAP server.

This usually works just dandy, except when AAA.BBB.EEE.FFF or
AAA.BBB.CCC.DDD tries to connect to my VPN-address (i.e. vpnNNN.domain):
- the packets coming from toto.domain reach me fine through the VPN.
- but my replies seem to be sent via the router.

So replace the redundant host gateway host routes (UGH) through eth1
on vpnNNN.domain with host routes (UH) to the same IP addresses through
the PPP interface instead. The configuration commands for those routes
belong in /etc/ppp/ip-up so that they are regenerated each time the
interface is recreated.

Just ignore that person waving host routes if this makes no sense at all
to you - he just doesn't really understand what's what.

--
Clifford Kite
/* For every credibility gap, there is a gullibility fill.
-- R. Clopton */
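As an added illustration (not part of either post), a small Python model of the kernel's longest-prefix-match route selection over the table quoted above, using constructed 10.20.0.0/16 addresses in place of the AAA.BBB.* placeholders. It shows why a reply to the IMAP server leaves via eth1 even though the whole /16 is routed over ppp0, and what changes once that host route is moved to the PPP interface as the reply suggests; the VPN server's own host route is deliberately left via the router, since the tunnel endpoint must stay reachable outside the tunnel.

```python
import ipaddress

# Routing table from the post, as (destination, genmask, iface, flags).
# AAA.BBB.* are placeholders in the post; these are constructed sample
# addresses inside 10.20.0.0/16 standing in for the *.domain range.
ORIGINAL_TABLE = [
    ("10.20.30.40", "255.255.255.255", "eth1", "UGH"),  # VPN server via router
    ("10.20.50.60", "255.255.255.255", "eth1", "UGH"),  # IMAP server via router
    ("192.168.1.0", "255.255.255.0",   "eth1", "U"),    # local LAN
    ("10.20.0.0",   "255.255.0.0",     "ppp0", "U"),    # *.domain via tunnel
    ("0.0.0.0",     "0.0.0.0",         "eth1", "UG"),   # default via router
]


def lookup(table, dst):
    """Longest-prefix match, as the kernel does for a unicast destination.
    Returns (iface, flags) of the winning route, or None if nothing matches.
    A /32 host route therefore always beats the /16 tunnel route."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for dest, mask, iface, flags in table:
        net = ipaddress.IPv4Network((dest, mask))
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface, flags)
    return None if best is None else (best[1], best[2])


def apply_fix(table, hosts):
    """Replace the per-host routes for `hosts` (UGH via eth1) with direct
    host routes (UH) over the PPP interface, as the reply suggests.
    Routes for hosts not listed are left untouched."""
    fixed = []
    for dest, mask, iface, flags in table:
        if dest in hosts and "H" in flags:
            fixed.append((dest, mask, "ppp0", "UH"))
        else:
            fixed.append((dest, mask, iface, flags))
    return fixed


if __name__ == "__main__":
    imap, vpn = "10.20.50.60", "10.20.30.40"
    print("reply to IMAP server, original table:", lookup(ORIGINAL_TABLE, imap))
    fixed = apply_fix(ORIGINAL_TABLE, {imap})   # keep the VPN server via eth1
    print("reply to IMAP server, after fix:     ", lookup(fixed, imap))
    print("VPN server itself, after fix:        ", lookup(fixed, vpn))
```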