
I got the following network setup:

  • LAN: 10.10.2.0/24 -> IPSec -> 10.10.1.0/24 (VPN Server addr: 10.10.1.5/24)
  • VPN: 10.10.3.0/24

IPSec connection is transparent

Users between 10.10.1.0/24 and 10.10.2.0/24 are able to communicate, users from 10.10.1.0/24 are allowed to access users from VPN network.

I am trying to route users from 10.10.2.0/24 to 10.10.3.0/24 (VPN).

I've added the following static route on the main router at 10.10.2.0/24

ip route add 10.10.3.0/24 via 10.10.1.5 dev eth0 (WAN Interface)

But it didn't work. So my question is, what did I miss?

Here is the ping output from 2.0/24 host:

[root@host ~]# ping 10.10.3.50
PING 10.10.3.50 (10.10.3.50) 56(84) bytes of data.
From 10.10.2.1: icmp_seq=1 Redirect Host(New nexthop: 10.10.1.5)
From 10.10.2.1: icmp_seq=2 Redirect Host(New nexthop: 10.10.1.5)
^C
--- 10.10.3.50 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1479ms

Firewall on 1.5/24 is disabled.

falken
  • There are some issues with your subnets: the VPN one is too long. And you can't shorten the network address like that; it is the other way around, 10.10.2/24 for example. – Gopoi Jan 12 '16 at 21:41
  • Sorry, that was a typo. Corrected. – falken Jan 12 '16 at 21:46

1 Answer


It seems that the return path for the packets is not known. To be sure you would need to check the intermediate routes; I'll get to that in the end.

When you ping 10.10.3.50 from the 10.10.2.0/24 host, it is forwarded to your default gateway (let's assume 10.10.2.1), which then checks its own routing table and sees the route for 10.10.3.0/24 via 10.10.1.5. An ICMP redirect can normally be ignored since its purpose is only to shorten the hops needed and reduce router load. But it is sent because it seems that the next hop is on the same physical net as the request came from.

But what you should check is whether or not the 10.10.3.0/24 router has a route for the source subnet 10.10.2.0/24.

Gopoi