<HTML
><HEAD
><TITLE
>Bring up the Link</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.63
"><LINK
REL="HOME"
TITLE="VPN PPP-SSH Mini-HOWTO"
HREF="index.html"><LINK
REL="PREVIOUS"
TITLE="Configure the Client"
HREF="configclient.html"><LINK
REL="NEXT"
TITLE="Integrating the VPN into your system"
HREF="integration.html"></HEAD
><BODY
CLASS="SECT1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>VPN PPP-SSH Mini-HOWTO</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="configclient.html"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="integration.html"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="BRINGUP"
>6. Bring up the Link</A
></H1
><P
>Everything should now be set up. Now it's time to take
a deep breath and try to bring up the link.</P
><P
></P
><OL
TYPE="1"
><LI
><P
>Become root on the client machine and execute the vpn-pppssh script.
</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="90%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>client# /usr/local/bin/vpn-pppssh start</PRE
></FONT
></TD
></TR
></TABLE
></LI
><LI
><P
>It will take a while to connect, but then it should come back with
something like the following:</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="90%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>Using interface ppp1
Connect: ppp1 <--> /dev/pts/1
local IP address 192.168.3.1
remote IP address 192.168.3.2</PRE
></FONT
></TD
></TR
></TABLE
></LI
><LI
><P
>Did it work? First try pinging the client's VPN interface:</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="90%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>client$ ping 192.168.3.2</PRE
></FONT
></TD
></TR
></TABLE
></LI
><LI
><P
>If this worked, then you can reach the interface on the client OK.
Don't get excited yet -- that was the easy part. Now, try pinging
the server's VPN interface:</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="90%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>client$ ping 192.168.3.1</PRE
></FONT
></TD
></TR
></TABLE
><P
>If you get echoes back, then congratulations! Your PPP-SSH VPN
appears to be healthy.
Packets are successfully travelling the route in both directions.
You might want to log into your server and try initiating pings
from the server to the client, but at this stage of the game,
that's almost guaranteed to work.</P
></LI
></OL
><P
>You bring the VPN down with "vpn-pppssh stop".</P
><P
>Now that the tunnel works, you might want to integrate it
into your system so it comes up automatically as described
in <A
HREF="integration.html"
>Section 7</A
>.
Also, if you want to forward packets from an entire subnet over the
link (rather than just the packets originating on the client and
server as we have set up now) see <A
HREF="forwarding.html"
>Section 8</A
>.</P
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN330"
>6.1. Troubleshooting</A
></H2
><P
>The script itself is fairly simple. The entire system, however,
involves a lot of small parts. If any one of them is misconfigured,
it can prevent your VPN from working without so much as
a message why. Here is a list of things to check if you run
into difficulties:</P
><P
></P
><UL
><LI
><P
>Double and triple check your network values. Try running
"vpn-pppssh config" to ensure the configuration
is correct and the shell hasn't ruined any of your values.</P
></LI
><LI
><P
>Go back over
each step and make sure that it all checks out.</P
></LI
><LI
><P
>Try temporarily turning
off any firewalls on the client, on the server, and on any machines in
between to see if any of them are getting in the way (not likely if
you can SSH between the two machines).</P
></LI
><LI
><P
>Ensure that your routes are correct. You can list your routes
using "route -n". See the
<A
HREF="http://www.linuxdoc.org/LDP/nag2/index.html"
TARGET="_top"
>Linux Network Administrators Guide</A
>
and <A
HREF="http://www.linuxdoc.org/HOWTO/Adv-Routing-HOWTO.html"
TARGET="_top"
>http://www.linuxdoc.org/HOWTO/Adv-Routing-HOWTO.html</A
> for more.</P
></LI
></UL
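><P
>The bring-up steps above and the troubleshooting list both come down to reading what pppd reported and confirming that the peer is routed over the tunnel interface. The shell functions below are an added example, not part of the HOWTO or of the vpn-pppssh script; they run those checks offline against constructed samples of the pppd output and of "route -n" (the eth0 routes in the sample and the function names are assumptions).</P
>
```shell
# Added example, not from the HOWTO or the vpn-pppssh script: offline checks for
# the bring-up steps. Both samples are constructed; on a live machine substitute
# the lines pppd printed and the output of "route -n".
PPPD_OUT='Using interface ppp1
Connect: ppp1 <--> /dev/pts/1
local IP address 192.168.3.1
remote IP address 192.168.3.2'
ROUTE_OUT='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.3.2     0.0.0.0         255.255.255.255 UH    0      0        0 ppp1
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 eth0'

# ppp_field FIELD BANNER: FIELD is iface, local or remote; prints the value
# pppd reported, or nothing if the banner never appeared.
ppp_field() {
    case "$1" in
        iface)        printf '%s\n' "$2" | sed -n 's/^Using interface \(ppp[0-9]*\).*/\1/p' ;;
        local|remote) printf '%s\n' "$2" | sed -n "s/^$1 IP address \([0-9.]*\).*/\1/p" ;;
    esac
}

# route_via DEST IFACE ROUTETABLE: succeeds if a route on IFACE covers DEST.
# Portable awk has no bitwise AND, so each octet is masked as d - d % (256 - m),
# which is exact for the contiguous netmasks "route -n" prints.
route_via() {
    printf '%s\n' "$3" | awk -v dst="$1" -v ifc="$2" '
        NR > 2 && $NF == ifc {
            split(dst, d, "."); split($1, n, "."); split($3, m, ".")
            ok = 1
            for (i = 1; i <= 4; i++) if (d[i] - d[i] % (256 - m[i]) != n[i]) ok = 0
            if (ok) { found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }'
}

# vpn_link_check BANNER ROUTETABLE: 0 when pppd reported a peer and that peer is
# routed over the reported interface; otherwise says which step to revisit.
vpn_link_check() {
    ifc=$(ppp_field iface "$1"); peer=$(ppp_field remote "$1")
    if [ -z "$ifc" ] || [ -z "$peer" ]; then
        echo "no pppd banner: the link never came up; recheck the script and SSH"; return 2
    fi
    if route_via "$peer" "$ifc" "$2"; then
        echo "peer $peer is routed over $ifc; now try: ping $peer"; return 0
    fi
    echo "no route to $peer over $ifc; check 'route -n' and the firewalls"; return 1
}
vpn_link_check "$PPPD_OUT" "$ROUTE_OUT"
```
<P
>On a real machine, pass the lines pppd printed and the live output of "route -n" in place of the samples; a failing check points at the list item to revisit.</P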
><DIV
CLASS="SECT3"
><H3
CLASS="SECT3"
><A
NAME="AEN344"
>6.1.1. sendto: Operation not permitted</A
></H3
><P
>When you try to ping the VPN interfaces, if you get a
"sendto: Operation not permitted" error, you are probably running
into a firewall on the local machine that is denying packets before they
even reach the VPN network interface. Your firewall must allow
SSH traffic over your regular network <EM
>and</EM
>
it must allow all traffic over your VPN interfaces.</P
><P
>The ipchains commands to smash a hole in your firewall for your
PPP interface will look something like this:</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>ipchains -I input 1 -i ppp1 -s 192.168.3.0/24 -j ACCEPT
ipchains -I output 1 -i ppp1 -d 192.168.3.0/24 -j ACCEPT</PRE
></FONT
></TD
></TR
></TABLE
><P
>ppp1 must, of course, be the network interface of your PPP-SSH
VPN, and the IP addresses must match the address of the local
interface. Make sure that packets are allowed on both the
client and server.</P
><P
>See the <A
HREF="http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html"
TARGET="_top"
>Linux Firewall HOWTO</A
>, the <A
HREF="http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html"
TARGET="_top"
>IPChains HOWTO</A
> for kernel 2.2, or
documentation on iptables for kernel 2.4.</P
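><P
>The HOWTO leaves the kernel 2.4 case to the iptables documentation. The function below is an added example, not from the HOWTO, that emits the iptables equivalent of the two ipchains rules above after checking its arguments; the interface and subnet are the HOWTO's sample values and the function names are assumptions.</P
>
```shell
# Added example, not from the HOWTO: the two ipchains rules above rewritten for
# iptables (kernel 2.4 and later). By default the function only prints the
# commands for review; set APPLY=1 to execute them (as root, on both ends).
# ppp1 and 192.168.3.0/24 are the HOWTO's sample values, not real settings.

# run CMD: print the command, or execute it when APPLY=1.
run() { if [ "${APPLY:-0}" = 1 ]; then $1; else printf '%s\n' "$1"; fi; }

# vpn_fw_rules IFACE SUBNET: admit tunnel traffic on IFACE for SUBNET only.
# iptables differs from ipchains in two ways worth noticing: chain names are
# upper case, and the OUTPUT chain matches the egress interface with -o, not -i.
vpn_fw_rules() {
    ifc=$1; net=$2; prefix=${net#*/}
    case "$ifc" in
        ppp[0-9]|ppp[0-9][0-9]) ;;
        *) echo "not a PPP interface: $ifc" >&2; return 1 ;;
    esac
    case "$net" in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]|[0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9][0-9]) ;;
        *) echo "subnet must be dotted-quad/prefix: $net" >&2; return 1 ;;
    esac
    if [ "$prefix" -gt 32 ]; then
        echo "bad prefix length: $prefix" >&2; return 1
    fi
    run "iptables -I INPUT 1 -i $ifc -s $net -j ACCEPT"
    run "iptables -I OUTPUT 1 -o $ifc -d $net -j ACCEPT"
}

vpn_fw_rules ppp1 192.168.3.0/24
```
<P
>Run it without APPLY on both the client and the server to review the rules, then with APPLY=1 as root to install them; SSH over the regular interface still has to be permitted separately, as the text above says.</P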
></DIV
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="configclient.html"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="integration.html"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Configure the Client</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
> </TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Integrating the VPN into your system</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>