Subject: Re: CIPE behind NAT firewalls?
From: Scott Sharkey <ssharkey,AT,linux-no-limits,DOT,com>
Date: Fri, 22 Jun 2001 17:47:59 +0200
In-reply-to: <Pine.LNX.4.21.0106112137250.31820-100000@raid.kaico.com>

A few days ago, I wrote the message below.  I got one response, but
no real answers to the questions:

        1) how can I get CIPE to log more verbosely, and tell me
                what's failing?  The only log messages I'm getting
                are 
                        bringing up interface cipcb0: succeeded
                        cipcb0: cipe_sendmsg
                        cipcb0: setkey
                        cipcb0: cipe_rcvmsg
                        
                the last three lines repeat when I try to ping the
                opposite end of the point-to-point.
        
This is cipe 1.4.5 by the way.

ANY suggestions on how to debug this will be appreciated.

-Scott
> 
> Hi All,
> 
> I'm trying to set up a CIPE VPN between two sites.  Each site is
> running a firewall already (3COM on one side, Linux on the other).
> Each site is running NAT, and the internal nets where the two VPN
> boxes reside each have a non-routable address (10.10.x.x and
> 192.168.x.x).  I have set the firewalls to pass UDP port 9000 (chosen
> arbitrarily) to/from the corresponding partners.
> 
> It is not working, though I'm not getting any useful information
> in the logs to help debug either.  So, several questions:
> 
>         1) does the NAT translation "get in the way"
>         2) how can I find out how it's failing?
>         3) is there a way to get more debug info in the logs?
> 
> It's set up basically as follows:
> 
>         Site A: Firewall Real IP is 128.x.x.3
>                 VPN Real IP is 10.10.15.249
>                 FW has a port forward rule from
>                         128.x.x.3:9000 -> 10.10.15.249:9000
>                 VPN peer is 140.x.x.37
>                 VPN PTPADDR is 192.168.254.1
>                 VPN IPADDR is 192.168.254.2
> 
>         Site B: Firewall Real IP is 140.x.x.37
>                 VPN Real IP is 192.168.41.10
>                 VPN PTPADDR is 192.168.254.2
>                 VPN IPADDR is 192.168.254.1
> 
>         Site B's firewall maps 140.x.x.37 -> 192.168.41.10
> 
> Any suggestions on what I may be doing wrong, or what settings need
> to be checked, etc. would be appreciated.  I bring up CIPE on
> both ends (these are RH 7.1 boxes, btw) and they "succeed".
> I then try pinging 192.168.254.x (where x is 1 or 2).  Pinging
> the local end works, the far end fails.
> 
> I realize I'm gonna have some routing to figure out once this
> part works. But for now, I just want these two boxes to work.
> 
> As far as I can determine using netcat, port 9000 between the two
> sites *IS* passing packets correctly.
> 
> Thanks!
> 
> -Scott
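The quoted message asks whether NAT "gets in the way" and which settings need checking. The script below, added here as an illustration and not part of the thread or of CIPE itself, encodes the invariants visible in Scott's layout as a consistency check over the two endpoint descriptions: the tunnel addresses must be mirrored (one side's IPADDR is the other side's PTPADDR), each side's peer must be the other side's public firewall address rather than the private address of the far CIPE box, both sides must use the same UDP port, and each firewall must deliver that port to the CIPE box behind it. The `Site` record, the helper names, and the sample data are constructed for this example; the masked public addresses 128.x.x.3 and 140.x.x.37 are stood in by RFC 5737 TEST-NET placeholders, and site B's 1:1 mapping is modelled as a forward of UDP/9000. The shared key, which CIPE also needs to match on both ends, is not modelled.

```python
"""Consistency checker for a pair of CIPE endpoints behind NAT firewalls.

Constructed example: SITE_A and SITE_B mirror the layout in the quoted
post (with placeholder public addresses); nothing here is CIPE code.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass
class Site:
    name: str
    fw_public_ip: str                           # routable address of this site's firewall
    vpn_real_ip: str                            # private address of the CIPE box behind it
    fw_forward: Optional[Tuple[int, str, int]]  # (public UDP port, internal IP, internal port)
    peer: str                                   # address this side's CIPE config names as peer
    port: int                                   # UDP port CIPE sends to and listens on
    ipaddr: str                                 # this end's tunnel address (IPADDR)
    ptpaddr: str                                # far end's tunnel address as seen here (PTPADDR)


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_pair(a: Site, b: Site) -> List[str]:
    """Return human-readable inconsistencies; an empty list means the pair is coherent."""
    problems: List[str] = []
    for s in (a, b):
        for label, value in (("ipaddr", s.ipaddr), ("ptpaddr", s.ptpaddr), ("peer", s.peer)):
            if not _is_ip(value):
                problems.append(f"{s.name}: {label} {value!r} is not a valid IP address")
    # 1. Tunnel endpoints must be mirrored: my IPADDR is your PTPADDR and vice versa.
    if a.ipaddr != b.ptpaddr:
        problems.append(f"{a.name} ipaddr {a.ipaddr} != {b.name} ptpaddr {b.ptpaddr}")
    if b.ipaddr != a.ptpaddr:
        problems.append(f"{b.name} ipaddr {b.ipaddr} != {a.name} ptpaddr {a.ptpaddr}")
    # 2. Behind NAT each side must name the OTHER side's public address as its peer,
    #    because that is the only address reachable from the outside.
    if a.peer != b.fw_public_ip:
        problems.append(f"{a.name} peer {a.peer} is not {b.name}'s public address {b.fw_public_ip}")
    if b.peer != a.fw_public_ip:
        problems.append(f"{b.name} peer {b.peer} is not {a.name}'s public address {a.fw_public_ip}")
    # 3. Both sides must agree on the UDP port.
    if a.port != b.port:
        problems.append(f"UDP port mismatch: {a.name}={a.port} {b.name}={b.port}")
    # 4. Each firewall must hand that UDP port to the CIPE box behind it.
    for s in (a, b):
        if s.fw_forward is None:
            problems.append(f"{s.name}: firewall has no forward of UDP/{s.port} to {s.vpn_real_ip}")
            continue
        pub_port, int_ip, int_port = s.fw_forward
        if pub_port != s.port or int_port != s.port:
            problems.append(f"{s.name}: forward {pub_port}->{int_port} does not match CIPE port {s.port}")
        if int_ip != s.vpn_real_ip:
            problems.append(f"{s.name}: forward targets {int_ip}, but the CIPE box is {s.vpn_real_ip}")
    return problems


# Constructed data mirroring the post; 198.51.100.3 stands in for 128.x.x.3,
# 203.0.113.37 for 140.x.x.37 (placeholders, not the real addresses).
SITE_A = Site("A", "198.51.100.3", "10.10.15.249", (9000, "10.10.15.249", 9000),
              peer="203.0.113.37", port=9000, ipaddr="192.168.254.2", ptpaddr="192.168.254.1")
SITE_B = Site("B", "203.0.113.37", "192.168.41.10", (9000, "192.168.41.10", 9000),
              peer="198.51.100.3", port=9000, ipaddr="192.168.254.1", ptpaddr="192.168.254.2")

# Two deliberately broken variants the checker should flag.
BROKEN_B = replace(SITE_B, ipaddr=SITE_B.ptpaddr, ptpaddr=SITE_B.ipaddr)  # tunnel addresses not mirrored
WRONG_PEER_A = replace(SITE_A, peer=SITE_B.vpn_real_ip)                   # peer set to the private address


if __name__ == "__main__":
    for title, pair in (("as posted", (SITE_A, SITE_B)),
                        ("swapped tunnel addresses", (SITE_A, BROKEN_B)),
                        ("peer is far box's private IP", (WRONG_PEER_A, SITE_B))):
        print(f"== {title}")
        for line in check_pair(*pair) or ["ok"]:
            print("  ", line)
```

A clean report only says the addressing is coherent; it does not prove the firewalls actually pass the traffic, which is what the netcat test in the post covers, nor that the shared key matches.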