Lan to lan vpn cannot ping

  • #43517
    edhoari
    Member

    Hi All,

    I just started using zeroshell for a couple of weeks. I found it simple to use.
    I am planning to use it as vpn router to my office. Here is my configuration so far

    Home — ZS1


    Internet


    ZS2 — Office

    Home : 192.168.2.0/24
    VPN00 : 192.168.10.254
    Static route : 192.168.1.0 netmask 255.255.255.0 gw 192.168.10.1

    Office : 192.168.1.0/24
    VPN00 : 192.168.10.1
    Static route : 192.168.2.0 netmask 255.255.255.0 gw 192.168.10.254

    I can get VPN up and ping between ZS. But I cannot ping the machines behind ZS.

    Could anyone give me a hint where I went wrong?

    Thanks

    #52551
    redfive
    Participant

    Your config seems correct, then… some firewall rule (on Zeroshell or else a Windows machine)? From a host on 192.168.2.0 to a host on 192.168.1.0 (or vice versa), what does tracert say?

    #52552
    edhoari
    Member

    Hi Redfive,

    I already turned off firewall on both sides and there is no windows machine. Just some linux box with no active firewall.

    Here is the tracepath result from Home side

    root@zeroshell root> tracepath 192.168.1.1
    1: 192.168.10.254 (192.168.10.254) 0.438ms pmtu 1500
    1: 192.168.10.1 (192.168.10.1) 20.384ms
    2: no reply
    3: no reply
    4: no reply
    5: no reply
    6: no reply

    I’m using Zeroshell-2.0 RC2 on both ZS.

    #52553
    redfive
    Participant

    As far as I can understand, with no firewall rules, captive portal disabled and Zeroshell as default gateway on both sites, there isn't any reason that would deny the ping between the private networks 192.168.1.0/24 and 192.168.2.0/24… Can you try a ping and then post the output of iptables -L -v and route -n from both Zeroshell boxes?

    #52554
    edhoari
    Member

    Home side

    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 ETH00
    192.168.1.0 192.168.10.1 255.255.255.0 UG 0 0 0 VPN00
    192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 ETH00
    192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 VPN00
    192.168.250.0 0.0.0.0 255.255.255.0 U 0 0 0 VPN99

    Chain INPUT (policy ACCEPT 3959 packets, 375K bytes)
    pkts bytes target prot opt in out source destination
    29711 2630K SYS_GUI all -- any any anywhere anywhere
    29711 2630K SYS_INPUT all -- any any anywhere anywhere
    11 1008 SYS_HTTPS tcp -- any any anywhere anywhere tcp dpt:http
    1466 266K SYS_HTTPS tcp -- any any anywhere anywhere tcp dpt:https
    1033 78354 SYS_SSH tcp -- any any anywhere anywhere tcp dpt:ssh

    Chain FORWARD (policy ACCEPT 5 packets, 420 bytes)
    pkts bytes target prot opt in out source destination

    Chain OUTPUT (policy ACCEPT 2747 packets, 784K bytes)
    pkts bytes target prot opt in out source destination
    24507 3211K SYS_OUTPUT all -- any any anywhere anywhere

    Chain NetBalancer (0 references)
    pkts bytes target prot opt in out source destination

    Chain SYS_GUI (1 references)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT tcp -- any any 192.168.2.117 anywhere tcp dpt:12081

    Chain SYS_HTTPS (2 references)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- lo any anywhere anywhere
    1477 267K ACCEPT all -- any any anywhere anywhere

    Chain SYS_INPUT (1 references)
    pkts bytes target prot opt in out source destination
    18354 1317K ACCEPT all -- lo any anywhere anywhere
    257 124K ACCEPT udp -- any any anywhere anywhere udp spt:domain state ESTABLISHED
    48 45955 ACCEPT tcp -- any any anywhere anywhere tcp spt:http state ESTABLISHED
    0 0 ACCEPT tcp -- any any anywhere anywhere tcp spt:8245 state ESTABLISHED
    56 4256 ACCEPT udp -- any any anywhere anywhere udp spt:ntp state ESTABLISHED
    10996 1138K RETURN all -- any any anywhere anywhere

    Chain SYS_OUTPUT (1 references)
    pkts bytes target prot opt in out source destination
    18354 1317K ACCEPT all -- any lo anywhere anywhere
    262 19357 ACCEPT udp -- any any anywhere anywhere udp dpt:domain
    60 3830 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
    0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:8245
    60 4560 ACCEPT udp -- any any anywhere anywhere udp dpt:ntp
    5771 1866K RETURN all -- any any anywhere anywhere

    Chain SYS_SSH (1 references)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- lo any anywhere anywhere
    1033 78354 ACCEPT all -- any any anywhere anywhere

    Office Side
    ---

    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 ETH00
    192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 ETH00
    192.168.2.0 192.168.10.254 255.255.255.0 UG 2 0 0 VPN00
    192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 VPN00
    192.168.250.0 0.0.0.0 255.255.255.0 U 0 0 0 VPN99

    Chain INPUT (policy ACCEPT 2212 packets, 265K bytes)
    pkts bytes target prot opt in out source destination
    6217 804K SYS_GUI all -- any any anywhere anywhere
    6217 804K SYS_INPUT all -- any any anywhere anywhere
    0 0 SYS_HTTPS tcp -- any any anywhere anywhere tcp dpt:http
    668 90353 SYS_HTTPS tcp -- any any anywhere anywhere tcp dpt:https
    509 40132 SYS_SSH tcp -- any any anywhere anywhere tcp dpt:ssh

    Chain FORWARD (policy ACCEPT 34 packets, 36840 bytes)
    pkts bytes target prot opt in out source destination

    Chain OUTPUT (policy ACCEPT 2175 packets, 349K bytes)
    pkts bytes target prot opt in out source destination
    5336 1098K SYS_OUTPUT all -- any any anywhere anywhere

    Chain NetBalancer (0 references)
    pkts bytes target prot opt in out source destination

    Chain SYS_GUI (1 references)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT tcp -- any any 192.168.1.81 anywhere tcp dpt:12081

    Chain SYS_HTTPS (2 references)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- lo any anywhere anywhere
    668 90353 ACCEPT all -- any any anywhere anywhere

    Chain SYS_INPUT (1 references)
    pkts bytes target prot opt in out source destination
    1939 202K ACCEPT all -- lo any anywhere anywhere
    228 119K ACCEPT udp -- any any anywhere anywhere udp spt:domain state ESTABLISHED
    24 22888 ACCEPT tcp -- any any anywhere anywhere tcp spt:http state ESTABLISHED
    0 0 ACCEPT tcp -- any any anywhere anywhere tcp spt:8245 state ESTABLISHED
    48 3648 ACCEPT udp -- any any anywhere anywhere udp spt:ntp state ESTABLISHED
    3978 457K RETURN all -- any any anywhere anywhere

    Chain SYS_OUTPUT (1 references)
    pkts bytes target prot opt in out source destination
    1939 202K ACCEPT all -- any lo anywhere anywhere
    236 17111 ACCEPT udp -- any any anywhere anywhere udp dpt:domain
    26 1604 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
    0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:8245
    48 3648 ACCEPT udp -- any any anywhere anywhere udp dpt:ntp
    3087 874K RETURN all -- any any anywhere anywhere

    Chain SYS_SSH (1 references)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- lo any anywhere anywhere
    509 40132 ACCEPT all -- any any anywhere anywhere

    #52555
    redfive
    Participant

    Are the two ZS boxes the default gateway for the networks 192.168.1.0/24 and 192.168.2.0/24, or are they simply hosts on these networks? Who are 192.168.1.1 and 192.168.2.1?

    #52556
    edhoari
    Member

    192.168.1.1 is the default internet gw for the office site. I use NAT and give ZS a public ip.

    192.168.2.1 is the default internet gw for the home site. The ZS is another host in this subnet.

    Both ZS are vbox guests.

    #52557
    redfive
    Participant

    Maybe it is clearer now… as you surely know, when a host has to send a packet to a network different from its own, it sends the packet to its default gateway. So, e.g., when a host on the 192.168.1.0/24 network needs to send a packet to another host on the 192.168.2.0/24 network, this packet will be sent to 192.168.1.1, but if the default gateway has no route in its routing table to reach that destination, it will send the packet out on its default route (ppp, dsl…).
    I think that if you can manage your 192.168.1.1 and 192.168.2.1 routers, by adding a static route, on 192.168.1.1 something like:
    ip route 192.168.2.0 255.255.255.0 via 192.168.1.(host address of local ZS)
    and on 192.168.2.1 something like:
    ip route 192.168.1.0 255.255.255.0 via 192.168.2.(host address of local ZS)
    you could solve your issues.
    As a second solution, add on every host that needs to reach the remote private network a static route as above…
    It should work…
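
Added example, not part of the thread: a small longest-prefix-match simulator that replays the diagnosis above, showing where a packet from an office host to the home LAN goes before and after the static route is added on 192.168.1.1. The ZS tables are the `route -n` outputs posted above; the office host address (.50), the ZS2 LAN address (.2) and the ISP hop (203.0.113.1) are constructed assumptions.

```python
import ipaddress

def table(*rows):
    """Rows are (prefix, next_hop or None if directly connected, interface)."""
    return [(ipaddress.ip_network(p), nh, dev) for p, nh, dev in rows]

def lookup(tbl, dst):
    """Longest-prefix match, the rule the kernel uses to pick a route."""
    hits = [r for r in tbl if ipaddress.ip_address(dst) in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)

# ZS1/ZS2 tables are the `route -n` outputs posted in the thread (VPN99 omitted).
# Constructed assumptions: office host .50, ZS2 LAN address .2, ISP hop 203.0.113.1.
def office_site(fixed):
    gw = [("192.168.1.0/24", None, "LAN"), ("0.0.0.0/0", "203.0.113.1", "WAN")]
    if fixed:  # the static route suggested for the default gateway 192.168.1.1
        gw.append(("192.168.2.0/24", "192.168.1.2", "LAN"))
    return {
        "192.168.1.50": table(("192.168.1.0/24", None, "eth0"),
                              ("0.0.0.0/0", "192.168.1.1", "eth0")),
        "192.168.1.1": table(*gw),
        "192.168.1.2": table(("0.0.0.0/0", "192.168.1.1", "ETH00"),      # ZS2
                             ("192.168.1.0/24", None, "ETH00"),
                             ("192.168.2.0/24", "192.168.10.254", "VPN00"),
                             ("192.168.10.0/24", None, "VPN00")),
        "192.168.10.254": table(("0.0.0.0/0", "192.168.2.1", "ETH00"),   # ZS1
                                ("192.168.1.0/24", "192.168.10.1", "VPN00"),
                                ("192.168.2.0/24", None, "ETH00"),
                                ("192.168.10.0/24", None, "VPN00")),
    }

def trace(nodes, src, dst, max_hops=8):
    """Follow a packet hop by hop; returns the list of nodes it visits."""
    path, here = [src], src
    for _ in range(max_hops):
        _, nh, _ = lookup(nodes[here], dst)
        nxt = nh or dst                  # connected route: deliver directly
        path.append(nxt)
        if nxt == dst:
            return path
        if nxt not in nodes:             # left the modelled network
            return path + ["LOST"]
        here = nxt
    return path + ["LOOP"]

if __name__ == "__main__":
    for fixed in (False, True):
        print(fixed, " -> ".join(trace(office_site(fixed), "192.168.1.50", "192.168.2.50")))
```
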

    #52558
    edhoari
    Member

    It works!!

    Thanks, redfive. You saved my day 🙂

    #52559
    Verdie
    Member