8 Replies Latest reply: May 22, 2006 5:52 AM by Leif Carlsson
gregober Level 1 Level 1 (25 points)
Hello,

My server has two network interface :

EN0 --> 195.114.56.12 on a /24 network
EN1 --> 10.0.1.15 on a /24 network

I have a Cisco acting as router firewall (3 interfaces : one for the WAN interface / one for my public IPs / one for my private net). So my network has 2 gateways one for the 10.0.1.0 network and one for the 195.114.56.0 net //

I have setup a simple L2TP connexion on the 195.114.56.12 and I can connect to the server without any problem... But !!

I can't reach my 10.0.1.0 net - when I am trying to ping any address in the 10.0.1.0/24 network It does not answer and specifies --> "No route to host"
The only IP that I can ping is the 10.0.1.1 (the gateway for the 10.0.1.0/24 network) the 195.114.56.12 and any IP on the 195.114.56.0/24 net.

I don't know what to do to make It work. I have tried to stop any firewall rules I have setup on the XServe (but that does not help).

It looks like I need a rule to allow packets coming from 195.114.56.12 to be passed to the local interface 10.0.1.15 if they are established from the L2TP connexion ??


Any help will be very apreciated thanks.

XServe, Mac OS X (10.4.6), Server
  • 1. Re: No route to host : L2TP connecting but not reaching local net
    gregober Level 1 Level 1 (25 points)
    In fact I can not even ping the 195.115.46.xxx machinnes that are on the same network as the server when connected ??
  • 2. Re: No route to host : L2TP connecting but not reaching local net
    Leif Carlsson Level 5 Level 5 (4,950 points)
    You could put your server on the 10.0.1.0 network only and let some UDP ports through to it instead. That is if it would suffice to have Mac L2TP VPN compatibility (or if you get GRE through your Cisco to the private IP LAN you could use PPTP instead/also).

    "So my network has 2 gateways one for the 10.0.1.0 network and one for the 195.114.56.0 net"

    Use only the public interface gw/router IP (Cisco "DMZ" interface, your public "LAN" gw) as the (default gw) router on the OS X server. Leave the private LAN interface router field empty.

    What IPs are the VPN users getting (from private LAN IP range?) from the VPN server and what router definitions are you using (if any)?
  • 3. Re: No route to host : L2TP connecting but not reaching local net
    gregober Level 1 Level 1 (25 points)
    You could put your server on the 10.0.1.0 network only and let some UDP ports through to it instead. That is if it would suffice to have Mac L2TP VPN compatibility (or if you get GRE through your Cisco to the private IP LAN you could use PPTP instead/also).[\i]

    How would I have to do that (I don't plan to deploy PPTP) ?

    Here is the configuration of my three interfaces:

    interface Ethernet0/0
    ip address 10.0.1.1 255.255.0.0
    ip access-group 100 in
    no ip directed-broadcast
    ip nat inside
    ip inspect Ethernet_0 in
    appletalk cable-range 1-1 1.216
    appletalk zone Pac
    appletalk zone Editors
    appletalk zone Direction
    appletalk zone Amaganset
    no mop enabled
    !
    interface Serial0/0
    bandwidth 1920
    ip address 195.114.127.2 255.255.255.0
    ip access-group 101 in
    no ip directed-broadcast
    ip nat outside
    ip inspect Serial_0 in
    encapsulation ppp
    no ip mroute-cache
    no fair-queue
    !
    interface Ethernet0/1
    ip address 195.114.56.9 255.255.255.0 secondary
    ip address 195.114.56.254 255.255.255.0
    ip access-group 100 in
    no ip directed-broadcast
    ip inspect Ethernet_0 in
    no ip route-cache
    no ip mroute-cache


    "So my network has 2 gateways one for the 10.0.1.0 network and one for the 195.114.56.0 net"

    Use only the public interface gw/router IP (Cisco "DMZ" interface, your public "LAN" gw) as the (default gw) router on the OS X server. Leave the private LAN interface router field empty.[\i]

    I am not shure this will work...
    If I don't use any IP for the default GW on the public interface of the server... how will It be able to find the proper route to the outside ?


    What IPs are the VPN users getting (from private LAN IP range?) from the VPN server and what router definitions are you using (if any)? [\i]

    10.0.1.210 --> 10.0.1.220

    Thanks for your support!
  • 4. Re: No route to host : L2TP connecting but not reaching local net
    Leif Carlsson Level 5 Level 5 (4,950 points)
    "interface Ethernet0/0
    ip address 10.0.1.1 255.255.0.0"

    How many LAN machines do you have? This is probably an unneccesarily large netmask (/16). I would consider changing it to something like 255.255.255.0 (/24).

    "appletalk cable-range 1-1 1.216"

    Any problems with AppleTalk?

    "If I don't use any IP for the default GW on the public interface of the server... how will It be able to find the proper route to the outside ?"

    I only meant leave the private OS X Server LAN interface router IP field empty not the public one.

    Are you using any other public services (Web, Mail or such) in the OS X server besides VPN? If not:

    "How would I have to do that (I don't plan to deploy PPTP) ? "

    If you can open UDP ports: 500, 1701 and 4500 from the router WAN "interface Serial0/0" or your public IP "interface Ethernet0/1" to the OS X server LAN IP, L2TP VPN from Mac OSX Panther or Tiger clients should work.
  • 5. Re: No route to host : L2TP connecting but not reaching local net
    gregober Level 1 Level 1 (25 points)
    I was thinking about using something like that on the conf of my router in order to bypass the interface 195.115.xx.xx and directly forward packets to the inside interface (10.0) :

    ip nat inside source static tcp 10.0.1.15 500 interface FastEthernet0 500
    ip nat inside source static tcp 10.0.1.15 1701 interface FastEthernet0 1701
    ip nat inside source static tcp 10.0.1.15 4500 interface FastEthernet0 4500

    Would I need to forward more ports in order to access the AFP servers on the 10.0.1.15 interface ? Normaly all the traffic should be routed through the VPN accessed through these ports ?

    I do need to have a second interface connected to the internet because I plan to deploy various services on this server including an FTP + HTTP server.

    ---

    This has nothing to do with the initial posting but, regarding Apple Talk have you got any remark regarding this "appletalk cable-range 1-1 1.216" ?

    Would you advise me not to use the Apple Talk routing policy on this router (I only have a small lan and initially used It to divide this network using the zone statement) ?

    As Apple talk protocol has evolved toward TCP/IP I don't know if this is so usefull nowdays ?

    ---

    Thank you very much again for your support.
  • 6. Re: No route to host : L2TP connecting but not reaching local net
    Leif Carlsson Level 5 Level 5 (4,950 points)
    "ip nat inside source static tcp 10.0.1.15 500 interface FastEthernet0 500"

    Those should be "udp" not "tcp".

    If you don't need the AT zones, turn AT routing/seeding off in the router.
    You might get problems with Spanning Tree (in switches) and AT zones otherwise.

    When the tunnel is up and you have no firewall on in the OS X Server all services should be accessible through the VPN tunnel (because it's behind NAT).

    If you run the OS X server with a public IP you can't get at the servers services on that same public IP when the VPN tunnel is up. You would need a second either public or private IP/network for that. With your (earlier?) config you could use the internal interface IP to get at the server.

    FTP and HTTP can also be forwarded through the router but the FTP config can be a bit harder.
  • 7. Re: No route to host : L2TP connecting but not reaching local net
    gregober Level 1 Level 1 (25 points)
    In fact most of the things were Ok.

    I only needed to add a route to the router of type :
    --> ip route 192.168.254.0 255.255.255.240 10.0.1.15

    192.168.254.0 255.255.255.240 beeing the networke range I use for VPN

    The problem initially came from the fact that I was trying to access my VPN from a remote network that had the same IP range as my LAN = "no route to host".

    Solution :
    --------

    --> Make sure your VPN server is distributing address not used (that's why I have pickup 192.168.254.0 255.255.255.240).
    --> modify / create a route to from the range of address distributed by the VPN server to the internal address of your server.
    --> ip route "your vpn network range" "the private interface of your server"
    --> Everything should be ok (except that I can not access the Internet while beeing connected to the VPN).

    Thx.
  • 8. Re: No route to host : L2TP connecting but not reaching local net
    Leif Carlsson Level 5 Level 5 (4,950 points)
    You never said what IPs your VPN clients got. You usually give the VPN clients an IP from the same LAN network range that the server use. I haven't tried it your way but: does your server have an interface with an alias IP in your VPN range - or not?

    For simultaneous Internet access checkout your local VPN client default gw address when the tunnel is up. If it says the default is through the VPN gw address you might try enabling ipforwarding on the VPN server (if it's not already "engaged").

    NAT config in 10.4.x Tiger server has a "ipforwarding only" setting alternative.

    Otherwise try setting up private and public VPN routing definitions on the server.

    But I have this problem myself all the time now when trying VPN so I often have to give this command in Terminal: sudo route change default <local gw ip>. This to achive a "split tunnel" with local access to Internet with the VPN tunnel up to the remote network (beware of DNS problems as the tunnel overrides your local DNS setting but you can put in a manual DNS setting in L2TP Network config settings if you like).