I’m trying to set up an IPsec / xl2tpd VPN for our office, and I’m having some problems accessing the remote local machines after connecting to the VPN.

I can connect, and I can browse Internet sites through the VPN, but, as I said, I’m unable to connect to or even ping the local ones.

My network setup is something like this:

INTERNET > eth0 > ROUTER / VPN > eth2 > LAN

These are some traceroutes behind the VPN:

traceroute to google.com (, 64 hops max, 52 byte packets
 1 (  74.738 ms  71.476 ms  70.123 ms
 2 (  77.832 ms  77.578 ms  77.865 ms
 3 (  78.837 ms  85.409 ms  76.032 ms
 4 (  78.069 ms  80.054 ms  77.778 ms
 5 (  86.174 ms (  85.687 ms (  85.664 ms

traceroute to (, 64 hops max, 52 byte packets
 1  * * *
 2  *traceroute: sendto: No route to host
traceroute: wrote 52 chars, ret=-1
 *traceroute: sendto: Host is down
traceroute: wrote 52 chars, ret=-1
traceroute: sendto: Host is down
 3 traceroute: wrote 52 chars, ret=-1
 *traceroute: sendto: Host is down
traceroute: wrote 52 chars, ret=-1

These are my iptables rules:

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# allow lan to router traffic
iptables -A INPUT -s -i eth2 -j ACCEPT

# ssh
iptables -A INPUT -p tcp --dport ssh -j ACCEPT

# vpn
iptables -A INPUT -p 50 -j ACCEPT
iptables -A INPUT -p ah -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p udp --dport 1701 -j ACCEPT

# dns
iptables -A INPUT -s -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -s -p udp --dport 53 -j ACCEPT

iptables -t nat -A POSTROUTING -j MASQUERADE

# logging
iptables -I INPUT 5 -m limit --limit 1/min -j LOG --log-prefix "iptables denied: " --log-level 7

# block all other traffic
iptables -A INPUT -j DROP

And here are some firewall log lines:

Dec  6 11:11:57 router kernel: [8725820.003323] iptables denied: IN=ppp0 OUT= MAC= SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=255 ID=62174 PROTO=UDP SPT=61910 DPT=53 LEN=40 
Dec  6 11:12:29 router kernel: [8725852.035826] iptables denied: IN=ppp0 OUT= MAC= SRC= DST= LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=15344 PROTO=UDP SPT=56329 DPT=8612 LEN=24 
Dec  6 11:12:36 router kernel: [8725859.121606] iptables denied: IN=ppp0 OUT= MAC= SRC= DST= LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=11767 PROTO=UDP SPT=63962 DPT=8612 LEN=24 
Dec  6 11:12:44 router kernel: [8725866.203656] iptables denied: IN=ppp0 OUT= MAC= SRC= DST= LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=11679 PROTO=UDP SPT=57101 DPT=8612 LEN=24 
Dec  6 11:12:51 router kernel: [8725873.285979] iptables denied: IN=ppp0 OUT= MAC= SRC= DST= LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=39165 PROTO=UDP SPT=62625 DPT=8612 LEN=24 

I’m pretty sure that the problem is related to iptables, but after trying a lot of different confs, I was unable to find the right one.

Any help will be greatly appreciated ;). Kind regards, Simon.


This is my route table:

default                   UG    100    0        0 eth0
                *         U     0      0        0 eth0
                *         U     0      0        0 eth2
                *         UH    0      0        0 ppp0
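The firewall log lines in the question are the only visibility into what the final `INPUT -j DROP` is discarding, and the thread later finds that DNS queries from the VPN client were among the casualties. The following Python is an added example, not part of the question: it parses the kernel's `iptables denied:` key=value format and counts drops per ingress interface, protocol and destination port, then flags drops from the VPN interface towards a service the router itself should answer. The addresses in the sample lines are constructed, since the original post's SRC/DST values are not shown.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the "iptables denied:" LOG rule above.
# The addresses are made up for illustration; the original post's were not shown.
SAMPLE_LOG = """\
Dec  6 11:11:57 router kernel: [8725820.003323] iptables denied: IN=ppp0 OUT= MAC= SRC=192.168.1.240 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=255 ID=62174 PROTO=UDP SPT=61910 DPT=53 LEN=40
Dec  6 11:12:29 router kernel: [8725852.035826] iptables denied: IN=ppp0 OUT= MAC= SRC=192.168.1.240 DST=192.168.1.255 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=15344 PROTO=UDP SPT=56329 DPT=8612 LEN=24
Dec  6 11:12:36 router kernel: [8725859.121606] iptables denied: IN=ppp0 OUT= MAC= SRC=192.168.1.240 DST=192.168.1.255 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=11767 PROTO=UDP SPT=63962 DPT=8612 LEN=24
Dec  6 11:13:02 router kernel: [8725885.000001] iptables denied: IN=eth0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
"""

MARKER = "iptables denied: "
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=value tokens; empty values (OUT=, MAC=) allowed

def parse_denied(line):
    """Return the key=value fields of one 'iptables denied:' line, or None if it is not one."""
    if MARKER not in line:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(line.split(MARKER, 1)[1]):
        # LEN appears twice (IP total length, then the UDP/TCP length); keep the first.
        fields.setdefault(key, value)
    return fields

def summarize(log_text):
    """Count denied packets per (ingress interface, protocol, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_denied(line)
        if f:
            counts[(f["IN"], f["PROTO"], f.get("DPT", "-"))] += 1
    return counts

def vpn_drops_to_router_services(log_text, vpn_if="ppp0", service_ports=("53",)):
    """Denied packets arriving from the VPN interface for a service the router should answer.
    A hit means an INPUT accept rule is narrower than intended (here: DNS accepted only
    from the LAN source range, so VPN clients on ppp0 fall through to the final DROP)."""
    return [f for f in (parse_denied(l) for l in log_text.splitlines())
            if f and f["IN"] == vpn_if and f.get("DPT") in service_ports]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print("IN=%s %s dport %s: %d dropped" % (key + (n,)))
    print("VPN->router service drops:", len(vpn_drops_to_router_services(SAMPLE_LOG)))
```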
Umm, a partial answer would seem to be: iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT

... similar statements to mirror '-A INPUT' in your description

Ok, I should have realized this at first: you are running NAT so...

iptables -A FORWARD -i eth1 -o ppp0 -j ACCEPT
iptables -A FORWARD -o eth1 -i ppp0 -j ACCEPT
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -i ppp0 -o eth1 -p tcp --dport 80 -d x.x.x.x -j ACCEPT
iptables -A FORWARD -i ppp0 -o eth1 -p tcp --dport 53 -d y.y.y.y -j ACCEPT
iptables -t filter -P FORWARD DROP

  • Nop, it does not seem to work, but thanks anyway. – Simon Dec 09 '12 at 09:33
  • Ummm, **PARTIAL** is the operative road. Try hping...? – ArrowInTree Dec 09 '12 at 13:58
  • Hi, I still can't ping the machines in the local network with that config, but the thing is that with my former setup, the vpn client is able to access the dns server in the router. – Simon Dec 09 '12 at 18:20
  • Sorry, I hit enter... restarting: I still can't ping the machines in the local network with that config, but the thing is that with my former setup, the vpn client is able to access the dns server in the router. So, for example, after connecting to the vpn: `ping remote_on_lan.example.org PING remote_on_lan.example.org ( 56 data bytes Request timeout for icmp_seq 0` If I remove the lines that grant access to the dns server, the ping won't resolve the local address: `ping remote_on_lan.example.org ping: cannot resolve remote_on_lan.example.org: Unknown host` Continue – Simon Dec 09 '12 at 18:29
  • So, with I have a vpn which can access Internet through it, could access the dns server behind it, but it's unable to ping or access local machines in the local network. For reference, I've tried your lines with some changes (eth2 instead of eth1, but I've tried eth0 too), and and as the ips (one network each time). And I couldn't make it work with the last line `iptables -P FORWARD -j DROP` cause it gave me a conflict: `iptables v1.4.12: -X requires a chain and a policy`. – Simon Dec 09 '12 at 18:34
  • There are apparently **TWO** FORWARD chains. One in Filter and One in mangle. What are their differences? http://serverfault.com/questions/456308/linux-policy-routing-packets-not-coming-back/456577#456577 – ArrowInTree Dec 09 '12 at 19:51
  • Umm back to the main question. 1) start _tcpdump -vvi vpn_ on the router. 2) I want you to invoke _dig_ or _nslookup_ and **SET** the server to (google ns) and re-do the nameserver resolution. – ArrowInTree Dec 09 '12 at 20:06
  • Umm, if your dns server is on your router, then your lan.example.org name resolution **SHOULD** fail without the iptable --dport 53 entries – ArrowInTree Dec 09 '12 at 20:14
  • Hi and thanks a lot for your help ArrowInTree. First, yes, the dns server is in the same machine as the firewall (local ip, and I think you are right and it's not working properly: `nslookup google.com ;; connection timed out; no servers could be reached` (but I can browse the web without problems). After, changing it to it resolves properly `nslookup google.es Server: Address: Non-authoritative answer: Name: google.es Address: Name: google.es Address: Name: google.es Address: ` – Simon Dec 09 '12 at 23:39
  • This is the output of tcpdump: https://dl.dropbox.com/u/166832/tcpdump.png; and this from dig https://dl.dropbox.com/u/166832/dig.png. Thanks in advance! – Simon Dec 09 '12 at 23:49
  • Hi, I managed to resolve dns correctly by putting the ip of the router into xl2tpd.conf as local ip, but still, I'm unable to ping the machines or access the sites hosted in our lan. I've tried to ping the remote machine from the vpn/router, without success too. It's like the remote machine is using the router but without actually being inside the network... – Simon Dec 11 '12 at 22:00
  • I have done some research into xl2tpd. This is based on Ipv6 IPSEC. It functions one-to-one. I am not sure ipsec will support a ping of a client on the same net. Openvpn is based on ssl and like ipsec is very much like PPP. They are all point-to-point. Inside the encryption, there is no lan only the server destination. OpenVPN might and it has wider support. Try this: https://forums.openvpn.net/topic10974.html – ArrowInTree Dec 12 '12 at 02:07

You are very likely having the exact same issue as this post

Your situation is as follows:

VPN client can reach VPN server and tunnel through VPN to the internet, but cannot reach server LAN nor any other VPN clients ip.

Tunneling to the internet works because you have an iptables NAT rule. For the rest, you need to apply the following ON THE VPN SERVER:

Enable tcp/ip forwarding

The Linux TCP/IP stack by default does not forward packets (either between interfaces or re-routing them between IP networks). It has to be enabled:

echo 1 > /proc/sys/net/ipv4/ip_forward

Without that, the VPN server will accept VPN client packets locally and route client packets according to the NAT rule, but will not route traffic to the local network.


Iptables blocks all traffic by default. You need rules to allow traffic to get through (forward).


PS: Each vpn connection is an individual (virtual) interface (nic); to allow packets to flow/route between them, you need FORWARD rules in iptables.


When vpn clients need to talk to each other, the vpn server is acting as a routing point and needs to be on the same network.

local ip
ip range -

Modify the above according to your network setup. If your vpn server has a 192.168.1.x ip, use it for the "local ip".

Modified Iptables script

Be very careful if you don't have physical access to the vpn server.

(This script will need anti-spoofing on the wan interface, but let's focus on getting traffic from vpn to lan 1st.)

# Reset/Flush iptables
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT

# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# -- iptables -t nat -A POSTROUTING -s -j MASQUERADE
# Updated NAT rule
#   External interface  = eth0
#   External IP     =
#   Internal LAN        =
#   To support dynamic interface : "-j SNAT" replace "-j MASQUERADE" 
#   NO NAT if destination is LAN 
iptables -t nat -A POSTROUTING -o eth0 -s ! -d -j SNAT --to-source

# New(1) - lo
# -- iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i lo   -m state --state NEW  -j ACCEPT
iptables -A OUTPUT -o lo   -m state --state NEW  -j ACCEPT

# -- iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# New(2) Allow inter-192.168.1.x routing
iptables -A INPUT  -s   -m state --state NEW  -j ACCEPT
iptables -A OUTPUT  -s   -m state --state NEW  -j ACCEPT
iptables -A FORWARD  -s   -m state --state NEW  -j ACCEPT

# -- allow lan to router traffic - Shadowed by New(2)
# -- This rule maybe your source of trouble too, it only accept 192.168.1.x from eth2
# -- iptables -A INPUT -s -i eth2 -j ACCEPT

# ssh
iptables -A INPUT -p tcp --dport ssh -j ACCEPT

# vpn
iptables -A INPUT -p 50 -j ACCEPT
iptables -A INPUT -p ah -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p udp --dport 1701 -j ACCEPT

# dns - Shadowed by New(2)
# -- iptables -A INPUT -s -p tcp --dport 53 -j ACCEPT
# -- iptables -A INPUT -s -p udp --dport 53 -j ACCEPT

# logging
iptables -I INPUT 5 -m limit --limit 1/min -j LOG --log-prefix "iptables denied: " --log-level 7

# block all other traffic
iptables -A INPUT -j DROP
  • Hi, and thanks for your help, but it didn't work either. I think that the problem can be related to this comment: http://serverfault.com/questions/455649/how-to-access-remote-lan-machines-through-a-ipsec-xl2ptd-vpn-maybe-iptables-r/456932?iemail=1#comment500865_456458 – Simon Dec 11 '12 at 22:02
  • Can you post your ifconfig of your vpn server? Is your vpn server on the same ip network of vpn clients? What is "local ip" and "ip range" of your l2tp.conf? – John Siu Dec 11 '12 at 22:17
  • Updated l2tpd.conf in answer. Let me know if client can ping vpn server 192.168.1.x ip after the change. – John Siu Dec 11 '12 at 22:28
  • Hi and thanks for the help ;). This is my ifconfig: http://pastebin.com/ewMftDw3. And this is my xl2tpd.conf file http://pastebin.com/HB5mtzb7. I've tried to give the vpn clients their own subnetwork but in that case I can't browse internet through the vpn. – Simon Dec 11 '12 at 23:55
  • I updated with a modified iptables script. Please test ping from client to server by ip. – John Siu Dec 12 '12 at 02:56
  • Thanks for the update John. Pinging from client to the router/dns/vpn server ( works. Dig and nslookup work ok from the client. Pinging (or tracerouting) other machines won't work ( for example). I'm still unable to load webpages hosted on the local machines. – Simon Dec 12 '12 at 08:59
  • (1) Ping from vpn client to, do you get any error msg from /var/log/syslog? (2) Ping from (router) to works? (3) From vpn server, "wget ", do you get the index file correctly? – John Siu Dec 12 '12 at 12:26
  • Please post your /etc/ppp/options.xl2tpd also. – John Siu Dec 12 '12 at 13:43
  • Check in your /etc/ppp/options.xl2tpd "proxyarp" is enabled (not comment out). – John Siu Dec 12 '12 at 13:51
  • (1) I've got no immediate errors on syslog, but there are lines like this: `Dec 12 22:10:44 ubuntu pppd[19224]: sent [LCP EchoReq id=0xc magic=0x56bae6fd]`. (2) Pinging from vpn to works, but (3) the wget fails. In fact, doing a nslookup to a local site shows an external address instead of the local one: `nslookup lan.site.com Server: Address: Non-authoritative answer: *** Can't find lan.site.com: No answer`. – Simon Dec 12 '12 at 21:16
  • The same nslookup from the client, works fine `nslookup lan.site.com Server: Address: Name: lan.site.com Address:`. I think we are close John. Thanks a lot for your help! – Simon Dec 12 '12 at 21:18
  • (1) Just want to know for sure, is ping from vpn client to working now? (2) From vpn client or vpn server, does "wget " work? If yes, we fixed the iptables problem and the only remaining problem is dns, which is easy to fix. – John Siu Dec 12 '12 at 22:10
  • (1) Ping from the client to fails `ping PING ( 56 data bytes Request timeout for icmp_seq 0 Request timeout for icmp_seq 1`. Ping from client to (router) works `ping PING ( 56 data bytes 64 bytes from icmp_seq=0 ttl=64 time=218.310 ms 64 bytes from icmp_seq=1 ttl=64 time=203.736 ms`.(2) wget from client fails too `wget --2012-12-12 23:27:48-- Connecting to failed: Host is down. Retrying.` – Simon Dec 12 '12 at 22:30
  • Have you checked /etc/ppp/options.xl2tpd "proxyarp" yet? – John Siu Dec 12 '12 at 22:40
  • yes, it has been there all this time, this is the file: http://pastebin.com/aDPcdhaK; and this is the ipsec.conf file http://pastebin.com/p7tCejwE. – Simon Dec 12 '12 at 23:20
  • With NO vpn client connected, on the http server , do "nmap -v -sP". I want to make sure none of the ips in the vpn range are being used in your lan. Also make sure your vpn ip range is not overlapping with your lan dhcp range. – John Siu Dec 13 '12 at 00:08
  • This is the result from nmap: http://pastebin.com/ZjZTfgk2. Our dhcp ip range is: 201 to 254, this is the udhcp.conf file `start end interface eth2 opt dns option subnet opt router option domain example.org option lease 864000` – Simon Dec 13 '12 at 09:03
  • I believe we have it this time. Please check NAT section in my iptables. – John Siu Dec 13 '12 at 14:09
  • Hi John, thanks a lot for your help, I've finally got it. I'm afraid to say that probably it wasn't totally related to the iptables, but to a lan overlap problem between the networks. I was testing from a network with the same subnet as the remote network, so when I tried to ping or resolve a remote site, the client actually never exited its own local network. I discovered this in one of my last desperate tries, accessing the vpn through my phone and correctly resolving the sites in the office. – Simon Dec 13 '12 at 21:03
  • LOL, that is the one question I forgot to ask. But you probably still want to use my iptables script instead of your original one, I am almost certain your original script will not work. I actually had to set up a testing vpn here to get the final one out. – John Siu Dec 13 '12 at 21:04
  • Tomorrow I will move the office network to a distinct subnet, not 192.168... and I think that will solve most of the problems for the common user. I want to thank you especially for all your help, because if we hadn't been trying all these days, I probably would have quit some time ago. So thanks a lot for your help John!!! – Simon Dec 13 '12 at 21:08
  • No problem, I will probably put all this in my blog to remind myself of all the things to check next time. – John Siu Dec 13 '12 at 21:14
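The root cause Simon reports at the end of the thread (testing from a subnet identical to the office LAN, so office addresses never enter the tunnel) and John Siu's earlier check that the VPN pool does not overlap the office DHCP range are both plain address-range overlaps that can be checked before touching iptables. The following Python is an added example, not from the thread: it takes the four ranges as CIDR or inclusive first-last strings and reports only the overlaps that break a road-warrior client, treating the pool and DHCP range sitting inside the office LAN as expected for this proxyarp design. The concrete addresses are constructed (the thread only states a 192.168.1.x office LAN and a DHCP range of .201 to .254).

```python
import ipaddress

def to_networks(spec):
    """Accept 'a.b.c.d/nn' or an inclusive 'first-last' range and return CIDR blocks."""
    if "-" in spec:
        first, last = (ipaddress.ip_address(s.strip()) for s in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(spec, strict=False)]

def find_overlaps(named_specs):
    """Return every (name_a, name_b) pair, names sorted, whose address space overlaps."""
    blocks = {name: to_networks(spec) for name, spec in named_specs.items()}
    names = sorted(blocks)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if any(x.overlaps(y) for x in blocks[a] for y in blocks[b])]

# Overlaps that are expected in a proxyarp L2TP setup: the VPN pool and the DHCP
# range are both carved out of the office LAN, so they legitimately sit inside it.
BY_DESIGN = {("dhcp_range", "office_lan"), ("office_lan", "vpn_pool")}

SYMPTOMS = {
    ("client_lan", "office_lan"): "client LAN equals/overlaps the office LAN: the client treats "
        "office addresses as local and never sends them into the tunnel",
    ("dhcp_range", "vpn_pool"): "VPN pool lies inside the office DHCP range: a lease can "
        "duplicate a connected client's address",
    ("client_lan", "vpn_pool"): "client LAN contains the VPN pool: the client's tunnel address "
        "is ambiguous on its own segment",
    ("client_lan", "dhcp_range"): "client LAN overlaps the office DHCP range: office hosts "
        "look like local neighbours to the client",
}

def check_vpn_plan(office_lan, vpn_pool, dhcp_range, client_lan):
    """Return one explanation per overlap that breaks a road-warrior client."""
    found = find_overlaps({"office_lan": office_lan, "vpn_pool": vpn_pool,
                           "dhcp_range": dhcp_range, "client_lan": client_lan})
    return [SYMPTOMS.get(p, f"{p[0]} overlaps {p[1]}") for p in found if p not in BY_DESIGN]

if __name__ == "__main__":
    # Constructed values: the thread only gives a 192.168.1.x office LAN and a DHCP
    # range of .201 to .254; the pool and the client's home LAN here are made up.
    for finding in check_vpn_plan("192.168.1.0/24", "192.168.1.230-192.168.1.240",
                                  "192.168.1.201-192.168.1.254", "192.168.1.0/24"):
        print("-", finding)
```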