
Subject: CIPE behind NAT firewalls?
From: Scott Sharkey <ssharkey,AT,linux-no-limits,DOT,com>
Date: Mon, 18 Jun 2001 22:43:38 +0200
In-reply-to: <Pine.LNX.4.21.0106112137250.31820-100000@raid.kaico.com>

Hi All,

I'm trying to set up a CIPE VPN between two sites.  Each site is 
running a firewall already (3COM on one side, Linux on the other).
Each site is running NAT, and the internal nets where the two VPN
boxes reside each have a non-routable address (10.10.x.x and
192.168.x.x).  I have set the firewalls to pass UDP port 9000 (chosen
arbitrarily) to/from the corresponding partners.

It is not working, though I'm not getting any useful information
in the logs to help debug either.  So, several questions:

        1) Does the NAT translation "get in the way"?
        2) How can I find out how it's failing?
        3) Is there a way to get more debug info in the logs?

It's set up basically as follows:

        Site A: Firewall Real IP is 128.x.x.3
                VPN Real IP is
                FW has a port forward rule from
                        128.x.x.3:9000 ->
                VPN peer is 140.x.x.37
                VPN PTPADDR is
                VPN IPADDR is

        Site B: Firewall Real IP is 140.x.x.37 
                VPN Real IP is
                VPN PTPADDR is
                VPN IPADDR is
        Site B's firewall maps 140.x.x.37 ->

Any suggestions on what I may be doing wrong, or what settings need
to be checked, etc. would be appreciated.  I bring up CIPE on
both ends (these are RH 7.1 boxes, btw) and they "succeed".
I then try pinging 192.168.254.x (where x is 1 or 2).  Pinging
the local end works, the far end fails.

I realize I'm gonna have some routing to figure out once this 
part works. But for now, I just want these two boxes to work.

As far as I can determine using netcat, port 9000 between the two
sites *IS* passing packets correctly.


