No traffic over VPN?

Hi...
I have a 10.3.x server in a co-lo. Occasionally I need to access it while traveling from insecure wireless networks. I have set up the VPN server on the box to accept connections for both L2TP and PPTP.

I am able to connect to the VPN server using L2TP on my Mac (10.4.x) and the connection stays open and happy... but I am not convinced that traffic is actually flowing over the VPN.

I am also able to connect to the VPN server using PPTP on a Windows XP SP2 machine... but again I am not convinced that any traffic is using the link.

Here is why I am not convinced...

After connecting my Mac to the VPN using L2TP I fired up a packet sniffer (ethereal) and was able to see all of the packets that, in my mind, should have been going over the VPN to the server... There was IMAP, POP, HTTP, and other traffic bound for the IP of my server... the one that I was connected to by VPN.

I have even checked the little box in the Internet Connect options that says "send all traffic over VPN" or whatever.

My hope was this...

At the very least, when the VPN is connected, all traffic between my laptop and the server would be automatically directed through the VPN and nicely tunneled.

Ideally, when the VPN is connected I would like all traffic from the laptop to the server to go through the VPN tunnel.

How do I make it so that this is what happens??

PowerBook G4 Ti 1.0GHz, Mac OS X (10.4.4)

Posted on Mar 16, 2006 8:01 PM

23 replies

Mar 17, 2006 1:23 AM in response to W. S. Wellington

You have to add a second interface to the VPN server machine you connect to.

Either an alias interface (using a second public IP or a private IP with NAT and the firewall enabled on the server) or a second real interface: firewire or ethernet (AirPort would also do but is maybe not practical) with "link up" (connected to a hub/switch or a loopback plug for ethernet).

This second interface IP is then what you use to communicate through and you use it to give your VPN client an IP from the same range/subnet.

In the VPN routing definition just add a DNS that is reachable through the VPN and what IP-range the VPN client gets an IP from. The rest left blank should provide you with a default route through the VPN when connected to it.

You'll also need ipforwarding running. If NAT and the firewall are running (necessary for a private IP VPN network), ipforwarding is turned on for you.

Mar 21, 2006 3:25 PM in response to Leif Carlsson

When you open the VPN configuration in "Internet Connect" and choose said config from the popup menu. In the Connect (NOT Internet Connect) menu item you'll find "Options...". There you can tick a checkbox saying "Send all traffic over VPN connection".

With this option set, the system should really move everything through the tunnel. You might want to enable verbose logging as well to see if there are any issues during the connection process. Maybe the server is explicitly installing a public route outside the tunnel?

MacLemon

Mar 22, 2006 9:57 AM in response to Leif Carlsson

Sorry... Let me clarify.

I have 2 interfaces set up on the server.

I have checked the box on my client in internet config that says send all traffic over the vpn

Right now... I can connect to the VPN and I can ping things by IP address... but I can't ping by name... so I think I have a DNS issue.

I have the same DNS addresses that the server uses in the DNS box on the VPN server config screen.

I have no network routes defined... because when I define what I believe is the correct route to my server... I can't even connect anymore.

I hope this info helps.

Thanks.

Mar 22, 2006 1:47 PM in response to W. S. Wellington

That was not very thorough at all.

But you say you can ping stuff through the VPN? What stuff? Internet addresses or the server "LAN"/other interface network IPs?

If you use private IPs on the server "LAN" you need NAT and the firewall running too. Turning the firewall on will also start ipforwarding which you'll need if you want to route traffic through the VPN to the server (and then) to and from Internet.

Same thing if you use public IPs on the server's other interface: you need ipforwarding here too.

With no VPN network definitions the default route goes through the VPN (just like you want?). With this setting the VPN client "route" settings might not matter.


It's better to give us all settings (but masking/faking public IPs) "up front" that you have been trying for your setup.

Mar 22, 2006 3:39 PM in response to Leif Carlsson

OK... another attempt.

My current config is:

2 interfaces (en0 and en1)

Firewall is on, and IPSec ports are open

Both addresses are public IPs... meaning that I can access the server through either address from the internet.

VPN settings:

General
Enable L2TP over IPsec
Restrict access to group vpnusers (the account I am using is part of this group)
Shared Secret is set
Starting IP Address is 10.1.0.10
Ending IP Address is 10.1.0.14

PPTP is disabled

Logging
Verbose Logging Checked

Client Information
I have 2 DNS servers listed by IP address. These are the same servers that I find in the Network Pane of System Preferences on the server.

Search Domains ispdomain.net.

Network Routing Defs. are empty.


NEW INFO:

I can connect to the VPN on en1 with no problem. However, if on the client, I have selected send all traffic over VPN (in internet config) I cannot ping any computers on the internet by name. I can ping my server but only by IP.

If send all traffic over VPN is not selected in internet config I can get to any address on the internet while connected to the VPN... BUT... I don't believe the traffic is going over the VPN... I have put a network sniffer on the connection and I see nothing (I would think I would see the encrypted traffic going). Also if I go to whatismyipaddress.com it gives me the address of my local machine... not of the server.

This is my first time trying to set up a VPN... so I am not exactly sure what other information you might need. Let me know if you need more.

Bill

Mar 22, 2006 10:33 PM in response to W. S. Wellington

"Both addresses are public IPs... meaning that I can access the server through either address from the internet"

and

"Starting IP Address is 10.1.0.10
Ending IP Address is 10.1.0.14"

This doesn't "rhyme". The two public addresses aren't on the same subnet are they? Well, I suppose that must be setup correctly because you shouldn't be able to get at the other IP if they were not.

But the addresses given to VPN clients must be part of one of the interfaces network.

So either you have a small subnet (the server LAN on en1?) with at least one free IP not occupied by the server interface, given to you by the ISP, or you have to use private IPs on that interface.

What netmask is used on the server WAN and LAN?

Mar 23, 2006 7:42 AM in response to Leif Carlsson

Those IPs are definitely private IPs and are for the client tunneling in. If your VPN server isn't behind a NAT router you need to enable NAT on the server as well. Otherwise it will not route anything to the outside network that comes from the tunnel.

That also explains your lack of DNS. If you hand over your ISP's DNS servers but don't route DNS queries to them, your client will not be able to resolve any names. That is why you can only ping IPs and not names, because you cannot resolve them.

Two solutions: Turn on NAT on the server or turn on DNS on the server itself and hand out the server's internal IP to the clients as DNS.


If you don't send all traffic through the VPN then ONLY traffic matching the subnet handed by the VPN server will be tunneled. All other traffic will be running through your normal default route.
MacLemon

Mar 23, 2006 10:20 PM in response to Leif Carlsson

I am a little unclear on your question...


I have 2 Network Interface Cards... Each connected to the same switch, on the same subnet, with individual IPs for each card. XX.XX.XX.150, and XX.XX.XX.151

The Subnet Mask for both addresses is 255.255.0.0

I set up the 10.1.0.XX addresses because I thought that I needed to have a pool of addresses to assign to the VPN client machines. Can these not be non-routable addresses and use NAT?

I just want to connect to the server securely... Connecting to the outside world from there is just icing on the cake.

Thanks Bill

Mar 23, 2006 10:48 PM in response to MacLemon

Lemon,
Following your suggestion... I can now see that traffic is being encrypted using the VPN... However only the traffic going to places other than my server is being passed through the VPN... Traffic bound to my server is not encoded... This is very very strange.

- I have turned on NAT
- I still have the DNS of the DNS servers that my server uses set in the VPN settings
- I am still using the group of 10.1.0.x non-routable addresses
- Send all traffic over VPN is set on the client

Any ideas??

Mar 23, 2006 11:22 PM in response to W. S. Wellington

As an example...

When I now perform a trace route on www.google.com, the first hit is my server.... Good yes??

However when I perform a trace route on my server the first hit is the router at the location that I am currently at.

Traffic to my server is not going over the VPN... while traffic bound for the internet is going over the VPN...

Bill
