Re: Cipe and advanced routing

[Myles Uyema <myles,AT,puck,DOT,nether,DOT,net>]

I'm attempting to do something like this myself, using kernel 2.4.1 and
CIPE 1.5.1.  Caveats with what I'm doing and policy routing is that my
cipcb0 MTU is smaller than the regular 1500 ethernet frame, and it
appears that sometimes it isn't being taken into account as I have some
occasional hung tcp connections...

As a hack, I've been using the netfilter TCPMSS patches.

On your laptop, you would do the following
iptables -t mangle -A OUTPUT -p tcp -d $G --dport ssh -j ACCEPT
iptables -t mangle -A OUTPUT -p udp -d $G --dport $CIPEPORT -j ACCEPT
iptables -t mangle -A OUTPUT -p tcp -d $G -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -p tcp --syn -d $G -j TCPMSS --set-mss 1400
echo 201 vpn.policy >> /etc/iproute2/rt_tables
ip rule add fwmark 1 table vpn.policy
ip route add default via 192.168.253.1 dev cipcb0 table vpn.policy

On Computer G, you'd have those rules set going back to your LAPTOP.

If you find a fix for my hung tcp connections, please let me know...

On 15 Feb 2001, Petr Konecny wrote:

> Hi,
>
> I have a laptop that has a permanent address A in network N. There is no
> firewall between N and the Internet.
>
> I would like most traffic between the laptop and network A to go through
> CIPE tunnel. I have access to a computer G on network N, that can be
> used as a proxy/gateway/router.
>
> So far I have done this:
>
> there is a cipe tunnel between laptop and G, local address (ipaddr) of
> the tunnel on laptop is its address A in network N, remote (ptpaddr) is
> 192.168.253.1.
>
> G works as an ARP proxy for address A on interface connected to N, it
> does IP forwarding.
>
> Laptop uses 192.168.253.1 as a gateway for network N, except for
> computer G, which uses laptop's default gateway. Both computers use
> Linux 2.4.1-ac14 and cipe 1.4.5 with blowfish.
>
> This works fine, but of course there are some glitches:
> 1. the traffic that goes directly to G is not sent through the tunnel
> 2. it encrypts everything
>
> I do not want ssh connections to use CIPE and to encrypt the
> communication to G, i.e. the only packets going to G over the Internet
> should be UDP packets of CIPE and SSH connections.
>
> I tried to use policy routing to do it. I marked all SSH and CIPE
> generated UDP packets with fwmark in the OUTPUT chain of the table
> mangle, created routing rule that matched the mark and set gateway for
> these packets to laptop's default gateway.  Then I set route for network
> N to 192.168.253.1. All this to get: cipcb1: looped route
>
> Is there any way to get this to work ?
>
>                                         Thanks, Petr
> --
> Remark of Dr. Baldwin's concerning upstarts: We don't care to eat toadstools
> that think they are truffles.
>               -- Mark Twain, "Pudd'nhead Wilson's Calendar"
>
> --
> Message sent by the cipe-l,AT,inka,DOT,de mailing list.
> Unsubscribe: mail majordomo,AT,inka,DOT,de, "unsubscribe cipe-l" in body
> Other commands available with "help" in body to the same address.
> CIPE info and list archive: 
><URL:http://sites.inka.de/~bigred/devel/cipe.html>
>