On Dec 26, 2007, at 12:10 PM, Gerben Wierda wrote:
Looks good with PPTP:
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1444
inet 192.168.2.41 --> 192.168.2.66 netmask 0xffffff00
This sounds good if 192.168.2.66 is the VPN host and 192.168.2.41
is an IP address on the remote subnet.
Yes. In this case, remote subnet = local subnet.
That may or may not be the case but it's not what the above lines tell
us. They tell us that we have the IP address 192.168.2.41 and are
talking to a pppd server on 192.168.2.66.
In order to ascertain what the local subnets for other NIs are we'd
need more information.
And I might further add that you can make VPNs work even if the
subnets are the same on both local and remote machines.
I want to set it up in my local subnet first between my laptop and
my server. I want all traffic to go via the VPN.
You can't set things up inside a local subnet properly. You need
two distinct networks that each is on.
Why? If my VPN server hands out 192.168.2.40-49 and my client is
using 192.168.2.87 it can establish a VPN connection to my server
(192.168.2.66), can't it?
Yes, but that doesn't mean traffic will flow through the VPN host.
Actually, this works fine using PPTP.
Because the route for the local subnet may still drive traffic over
the local network.
Specifically to the point let's look at a PPTP VPN I've set up and
have active:
- both local and remote subnets are 192.168.1.0/24
- 192.168.1.25 is the VPN host
- the default route sends traffic to 192.168.1.25 for traffic without
a specific route
- traffic to systems on my local subnet is still going to those
systems directly
Why are systems on my local subnet still routing to them directly and
not through the VPN host? Because the subnet mask of my local NI says
that traffic on my subnet *doesn't* need a gateway:
And this is as would be expected, otherwise how would you reach the
remote VPN host that is normally on a different subnet?
So this is what you have and should expect.
It's basic IP networking. *Very* basic.
As far as "all traffic going to the VPN", there really is no such
thing, it's not a real network, it's a virtual construct an
If the default route of my client says everything is going to my VPN
server, isn't all my IP traffic (except VPN itself) part of that?
No. Default routing says traffic that doesn't meet subnet masks for
which I have defined routes goes to a gateway. I can route traffic to
as many other networks as I care to and not interfere with the VPN
host. This is specifically true on multi-homed systems or systems with
IP Aliases on other networks.
The regions could be legion, and the troubleshooting complex; but
in any case you haven't provided enough information and this type
of issue is hardly conducive for troubleshooting over email on a
list. However we could suffice to say that if you're trying to do
this inside a single subnet then it's just woolly thinking from
the beginning and leave it as that as your problem.
Friendly. In the spirit of the season and all that.
Calling out woolly thinking when seen is not mean spirited but calling
a spade a spade.
Let's just say I am not a VPN expert nor a networking guru.
Nor am I, believe it or not. However it is my job to learn.
That is why I go to the list if the documentation does not help me
out.
Lists are not documentation resources, and you very well understand
that.
If you have a problem with non-perfect people addressing the list
and your idea is that all should be gurus in the first place, what
is the reason a) of there being a list in the first place and b) you
answering questions on that list (unless you just enjoy telling
people that they are not perfect)?
It's expected that people that post questions have a modicum of
education about what they're trying to do so as not to waste vast
amounts of time teaching first principles and trying to build up from
there to nuclear physics all in an email. If you don't have that
modicum of understanding it's not unreasonable to have others expect
that you learn these basics before continuing.
Regards,
-dhan
------------------------------------------------------------------------
Dan Shoop
Computer Scientist
iWiring / U.S. Technical Services
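The routing decision Dan describes above (a directly connected local subnet beating the default route that points at the VPN host) modelled as a longest-prefix-match lookup. This is an added example, not code from either participant; the interface name en0 and the destination addresses are constructed, and the route table mirrors the 192.168.1.0/24 setup described in the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    gateway: Optional[ipaddress.IPv4Address]  # None: directly connected, no gateway needed


def netmask_from_hex(hexmask: str) -> int:
    """Turn an ifconfig-style netmask such as 0xffffff00 into a prefix length."""
    return bin(int(hexmask, 16)).count("1")


# Constructed route table matching the thread's PPTP example (assumption: the
# local NI is called en0): the local /24 is directly connected and the default
# route hands everything else to the VPN host 192.168.1.25.
TABLE = [
    Route(ipaddress.IPv4Network("192.168.1.0/24"), "en0", None),
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "ppp0",
          ipaddress.IPv4Address("192.168.1.25")),
]


def lookup(dst: str, table=TABLE) -> Route:
    """Longest-prefix match: the most specific matching route wins, so the
    /0 default route only catches traffic no other route claims."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def next_hop(dst: str, table=TABLE) -> str:
    """Describe where a packet for dst is sent: directly on the local NI, or
    to a gateway (here the VPN host) for everything outside the local subnet."""
    r = lookup(dst, table)
    if r.gateway is None:
        return f"direct via {r.interface}"
    return f"via {r.gateway} on {r.interface}"


if __name__ == "__main__":
    # The /24 mask on ppp0 in the thread, and a local versus a remote destination.
    print(netmask_from_hex("0xffffff00"))  # 24
    print(next_hop("192.168.1.30"))        # direct via en0
    print(next_hop("8.8.8.8"))             # via 192.168.1.25 on ppp0
```

The local host 192.168.1.30 is reached without any gateway even though the default route points at the VPN host, which is exactly why a VPN "for all traffic" set up inside one subnet leaves local traffic outside the tunnel.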