nm-l2tp / NetworkManager-l2tp

L2TP and L2TP/IPsec support for NetworkManager
GNU General Public License v2.0

Local and remote use 192.168.1.0/24 subnets issue #136

Closed huseyinkomac closed 4 years ago

huseyinkomac commented 4 years ago

Hello, I am using Pop! OS 19.10 and trying to connect to my company's L2TP IPsec VPN. I can easily connect to this network in Windows 10 but am having an issue on the Linux side.

I have libreswan 3.29 and network-manager-l2tp-gnome 1.12.16 installed. I checked the "Enforce UDP encapsulation" and "Disable PFS" options in the IPsec options since I couldn't connect to the VPN without checking these. I also entered "3des-sha1-modp1024" and "3des-sha1" in the Phase algorithms. I can connect to the VPN with these configs, but I can't connect to the local machines on the target network. When I try to connect with ssh it says "No route to host", and from the web browser it says "Unable to connect to target".

Have you encountered this issue before, and do you know how to solve it?

I don't know which logs to add; if you can tell me which logs to add, I can add them.

dkosovic commented 4 years ago

Might be related to issue #132, but it is definitely a routing issue if the VPN connection is up but it complains about no route to host.

The following shows the routing table for a working L2TP/IPsec connection to a VPN server with Gateway IP address 87.117.247.187.

Before VPN connection:

$ ip route list
default via 192.168.0.1 dev eno1 proto dhcp metric 100 
192.168.0.0/24 dev eno1 proto kernel scope link src 192.168.0.74 metric 100

After VPN connection:

$ ip route list
default dev ppp0 proto static scope link metric 50 
default via 192.168.0.1 dev eno1 proto dhcp metric 100 
1.0.0.1 dev ppp0 proto kernel scope link src 10.20.0.10 metric 50 
87.117.247.187 via 192.168.0.1 dev eno1 proto static metric 100 
169.254.0.0/16 dev ppp0 scope link metric 1000 
192.168.0.0/24 dev eno1 proto kernel scope link src 192.168.0.74 metric 100 
192.168.0.1 dev eno1 proto static scope link metric 100

For the ppp0 route 1.0.0.1 dev ppp0 proto kernel scope link src 10.20.0.10 metric 50, if in your case it is using the Gateway IP address (e.g. 87.117.247.187 instead of 1.0.0.1), then it is this problem and you could use the workaround described in that issue.

dkosovic commented 4 years ago

In Win10 you could run route print -4 to print the IPv4 routing table while the VPN is up, similarly run route -4 on Linux. Then do a comparison and manually add or remove routes on Linux.

huseyinkomac commented 4 years ago

I couldn't figure out the error still.

This is the route print -4 output in Windows.

 Network Destination        Netmask          Gateway       Interface  Metric

      0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.33   4280
      0.0.0.0          0.0.0.0         On-link     192.168.1.145     46
    127.0.0.0        255.0.0.0         On-link         127.0.0.1   4556
    127.0.0.1  255.255.255.255         On-link         127.0.0.1   4556
 127.255.255.255  255.255.255.255         On-link         127.0.0.1   4556
  192.168.1.0    255.255.255.0         On-link      192.168.1.33   4536
 192.168.1.33  255.255.255.255         On-link      192.168.1.33   4536
192.168.1.145  255.255.255.255         On-link     192.168.1.145    301
192.168.1.255  255.255.255.255         On-link      192.168.1.33   4536
XXX.XXX.XX.XX  255.255.255.255      192.168.1.1     192.168.1.33   4281
    224.0.0.0        240.0.0.0         On-link         127.0.0.1   4556
    224.0.0.0        240.0.0.0         On-link      192.168.1.33   4536
    224.0.0.0        240.0.0.0         On-link     192.168.1.145     46
 255.255.255.255  255.255.255.255         On-link         127.0.0.1   4556
 255.255.255.255  255.255.255.255         On-link      192.168.1.33   4536
 255.255.255.255  255.255.255.255         On-link     192.168.1.145    301

And this is the route -4 output in Linux.

 Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         0.0.0.0         0.0.0.0         U     50     0        0 ppp0
default         _gateway        0.0.0.0         UG    600    0        0 wlp3s0
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 wlp3s0
192.168.1.0     0.0.0.0         255.255.255.0   U     600    0        0 wlp3s0
_gateway        0.0.0.0         255.255.255.255 UH    50     0        0 ppp0
_gateway        0.0.0.0         255.255.255.255 UH    600    0        0 wlp3s0
XXX.XXX.XX.XX.s _gateway        255.255.255.255 UGH   600    0        0 wlp3s0

The IP that I'm trying to connect to is "XXX.XXX.XX.XX".

Also, the output of ip route list in Linux:

default dev ppp0 proto static scope link metric 50 
default via 192.168.1.1 dev wlp3s0 proto dhcp metric 600 
169.254.0.0/16 dev wlp3s0 scope link metric 1000 
192.168.1.0/24 dev wlp3s0 proto kernel scope link src 192.168.1.33 metric 600 
192.168.1.1 dev ppp0 proto kernel scope link src 192.168.1.148 metric 50 
192.168.1.1 dev wlp3s0 proto static scope link metric 600 
XXX.XXX.XX.XX via 192.168.1.1 dev wlp3s0 proto static metric 600

Sorry, I have very little knowledge about this.

dkosovic commented 4 years ago

Removing the multicast, broadcast and localhost routes from the Windows routes and reformatting to make it closer to the route -4 Linux output ends up with:

  Destination   Gateway   Netmask            Interface  Metric
      default   On-link   0.0.0.0            ppp0       46
      default  _gateway   0.0.0.0            wlp3s0     4280
192.168.1.33    On-link   255.255.255.255    wlp3s0     4536
192.168.1.0     On-link   255.255.255.0      wlp3s0     4536
192.168.1.145   On-link   255.255.255.255    ppp0       301
XXX.XXX.XX.XX  _gateway   255.255.255.255    wlp3s0     4281

where _gateway in both the above is 192.168.1.1.

On linux I think the following route is the problem:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
_gateway        On-link         255.255.255.255 UH    50     0        0 ppp0

as I don't see routes with _gateway as the destination on the ppp0 interface with the VPN connections I've connected to; the destination I see is not _gateway.

Could you try deleting that route? I think the following should do it (note: _gateway is 192.168.1.1):

sudo route del 192.168.1.1 ppp0

When you say "I can't connect to the local machines from the target network", are you trying to connect to machines on the remote network, or you are trying to connect from machines on the remote network back to your local network?

huseyinkomac commented 4 years ago

That didn't solve the problem as well. I am trying to connect to machines on the remote network.

The new ip route list output is this.

default dev ppp1 proto static scope link metric 50 
default via 192.168.1.1 dev wlp3s0 proto dhcp metric 600 
169.254.0.0/16 dev ppp1 scope link metric 1000 
192.168.1.0/24 dev wlp3s0 proto kernel scope link src 192.168.1.36 metric 600 
192.168.1.1 dev wlp3s0 proto static scope link metric 600 
XXX.XXX.XX.XX via 192.168.1.1 dev wlp3s0 proto static metric 600

And the route -4 output:

 Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         0.0.0.0         0.0.0.0         U     50     0        0 ppp1
default         _gateway        0.0.0.0         UG    600    0        0 wlp3s0
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 ppp1
192.168.1.0     0.0.0.0         255.255.255.0   U     600    0        0 wlp3s0
_gateway        0.0.0.0         255.255.255.255 UH    600    0        0 wlp3s0
XXX.XXX.XX.XX.s _gateway        255.255.255.255 UGH   600    0        0 wlp3s0

huseyinkomac commented 4 years ago

Okay, after I executed the command sudo route add 192.168.1.197 ppp1 I finally successfully connected to this computer that is connected to the remote network, and I tried to connect to my computer from the computer that has "192.168.1.197" as a local IP on the remote network and it worked. But I can still only connect to this IP; it's definitely a routing problem as you said.

Can you help me with this? What would be the correct routing solution to connect to all the IPs in the remote network? Thanks in advance!

dkosovic commented 4 years ago

I'm a little confused, so both the local and remote networks use 192.168.1.0/24 private IP addresses? Can you configure your local router to offer a different private IP address range in order to simplify routing?
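The two routing faults discussed in this thread (a /32 route on the ppp interface whose destination is the LAN's own default gateway, as in the earlier comment about issue #132, and a remote subnet that overlaps the local LAN, as asked about just above) can both be spotted mechanically from `ip route list` output. The following is an added example written for this page; it is not part of NetworkManager-l2tp. The parser, the `diagnose` function and its finding labels are this example's own, the two route tables are constructed from the outputs quoted in this thread, and the VPN server address 203.0.113.5 and the remote subnet 192.168.1.0/24 are placeholders standing in for the masked values in the issue.

```python
"""Sanity checks on `ip route list` output for an L2TP/IPsec VPN.

Added example for this issue thread, not code from the NetworkManager-l2tp
project. Run `ip route list` on the client while the VPN is up and feed the
text to diagnose(); the parser and finding names are this example's own.
"""
import ipaddress


def parse_ip_route(text):
    """Parse `ip route list` lines into dicts with dst/dev/via/src/metric."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        route = {"dst": ipaddress.ip_network(dst, strict=False),
                 "dev": None, "via": None, "src": None, "metric": None}
        for i in range(1, len(parts) - 1):
            key = parts[i]
            if key in route:                       # dev, via, src, metric
                val = parts[i + 1]
                route[key] = int(val) if key == "metric" else val
        routes.append(route)
    return routes


def default_gateway(routes, vpn_dev):
    """LAN default gateway: lowest-metric `default via X` not on the VPN device."""
    cands = [r for r in routes
             if r["dst"].prefixlen == 0 and r["via"] and r["dev"] != vpn_dev]
    if not cands:
        return None
    return ipaddress.ip_address(min(cands, key=lambda r: r["metric"] or 0)["via"])


def gateway_captured_by_vpn(routes, vpn_dev):
    """True if a host route on vpn_dev points at the LAN gateway address.

    This is the `_gateway ... ppp0` route flagged in the thread: traffic for
    the LAN gateway itself would be steered into the tunnel.
    """
    gw = default_gateway(routes, vpn_dev)
    if gw is None:
        return False
    return any(r["dev"] == vpn_dev and r["dst"].prefixlen == 32
               and r["dst"].network_address == gw for r in routes)


def lan_subnets(routes, vpn_dev):
    """Connected subnets on non-VPN interfaces (kernel routes carrying `src`)."""
    return [r["dst"] for r in routes
            if r["dev"] != vpn_dev and r["src"] and r["dst"].prefixlen < 32]


def overlapping_subnets(routes, vpn_dev, remote_subnet):
    """LAN subnets that overlap the remote network reachable over the VPN."""
    remote = ipaddress.ip_network(remote_subnet)
    return [n for n in lan_subnets(routes, vpn_dev) if n.overlaps(remote)]


def diagnose(text, vpn_dev, remote_subnet):
    """Return a list of finding labels for the given `ip route list` output."""
    routes = parse_ip_route(text)
    findings = []
    if gateway_captured_by_vpn(routes, vpn_dev):
        findings.append("lan-gateway-host-route-on-vpn")
    if overlapping_subnets(routes, vpn_dev, remote_subnet):
        findings.append("lan-overlaps-remote-subnet")
    return findings


# Constructed sample: the working table quoted earlier in the thread.
WORKING = """\
default dev ppp0 proto static scope link metric 50
default via 192.168.0.1 dev eno1 proto dhcp metric 100
1.0.0.1 dev ppp0 proto kernel scope link src 10.20.0.10 metric 50
87.117.247.187 via 192.168.0.1 dev eno1 proto static metric 100
169.254.0.0/16 dev ppp0 scope link metric 1000
192.168.0.0/24 dev eno1 proto kernel scope link src 192.168.0.74 metric 100
192.168.0.1 dev eno1 proto static scope link metric 100
"""

# Constructed sample: the reporter's table, with 203.0.113.5 as a placeholder
# for the masked VPN server address.
BROKEN = """\
default dev ppp0 proto static scope link metric 50
default via 192.168.1.1 dev wlp3s0 proto dhcp metric 600
169.254.0.0/16 dev wlp3s0 scope link metric 1000
192.168.1.0/24 dev wlp3s0 proto kernel scope link src 192.168.1.33 metric 600
192.168.1.1 dev ppp0 proto kernel scope link src 192.168.1.148 metric 50
192.168.1.1 dev wlp3s0 proto static scope link metric 600
203.0.113.5 via 192.168.1.1 dev wlp3s0 proto static metric 600
"""

if __name__ == "__main__":
    for name, table in (("working", WORKING), ("broken", BROKEN)):
        print(name, diagnose(table, "ppp0", "192.168.1.0/24") or ["ok"])
```

Feed it a live table with `diagnose(subprocess.check_output(["ip", "route", "list"], text=True), "ppp0", "<remote subnet>")`; the remote subnet is whatever the VPN administrator says sits behind the server, since the client's routing table alone does not reveal it. An overlap finding means no route manipulation will fully fix things, because the kernel cannot distinguish a LAN host from a remote host with the same address, which is why renumbering one side is the clean answer.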

huseyinkomac commented 4 years ago

Yes! That solved the problem. I changed my local router's local IP range from 192.168.1.0 to 192.168.2.0, and didn't even have to do anything else; it connects to every IP on the remote network now. Man, I can't tell you how grateful I am right now, I can finally work on Linux. Don't know how Windows was dealing with this though.

Thanks a lot!! Really appreciate it.

dkosovic commented 4 years ago

Glad to hear it is now working for you.

One other tip I might mention, in the IPv4 settings for the VPN connection, you could enable the "Use this connection only for resources on its network" checkbox which will only route traffic over the VPN connection if it is to a host in the remote network. It may or may not be useful.