RE: CIPE behind NAT firewalls?
Fri, 22 Jun 2001 17:57:55 +0200
1) NAT doesn't bother cipe --- all that is required is that packets can get
between the two systems.
2 & 3) add debug=1 to the options file and start ciped-cb manually (that is,
don't use RedHat's ifup script). The output will come to your screen;
perhaps you would like to run the command after starting the script command.
> -----Original Message-----
> From: Scott Sharkey [SMTP:ssharkey,AT,linux-no-limits,DOT,com]
> Sent: Friday, June 22, 2001 8:15 AM
> To: cipe-l,AT,inka,DOT,de
> Subject: Re: CIPE behind NAT firewalls?
> A few days ago, I wrote the message below. I got one response, but
> no real answers to the questions:
> 1) how can I get CIPE to log more verbosely, and tell me
> what's failing? The only log messages I'm getting are:
> bringing up interface cipcb0: succeeded
> cipcb0: cipe_sendmsg
> cipcb0: setkey
> cipcb0: cipe_rcvmsg
> the last three lines repeat when I try to ping the
> opposite end of the point-to-point.
> This is cipe 1.4.5 by the way.
> ANY suggestions on how to debug this will be appreciated.
> > Hi All,
> > I'm trying to set up a CIPE VPN between two sites. Each site is
> > running a firewall already (3COM on one side, Linux on the other).
> > Each site is running NAT, and the internal nets where the two VPN
> > boxes reside each have a non-routable address (10.10.x.x and
> > 192.168.x.x). I have set the firewalls to pass UDP port 9000 (chosen
> > arbitrarily) to/from the corresponding partners.
> > It is not working, though I'm not getting any useful information
> > in the logs to help debug either. So, several questions:
> > 1) does the NAT translation "get in the way"
> > 2) how can I find out how it's failing?
> > 3) is there a way to get more debug info in the logs?
> > It's set up basically as follows:
> > Site A: Firewall Real IP is 128.x.x.3
> > VPN Real IP is 10.10.15.249
> > FW has a port forward rule from
> > 128.x.x.3:9000 -> 10.10.15.249:9000
> > VPN peer is 140.x.x.37
> > VPN PTPADDR is 192.168.254.1
> > VPN IPADDR is 192.168.254.2
> > Site B: Firewall Real IP is 140.x.x.37
> > VPN Real IP is 192.168.41.10
> > VPN PTPADDR is 192.168.254.2
> > VPN IPADDR is 192.168.254.1
> > Site B's firewall maps 140.x.x.37 -> 192.168.41.10
> > Any suggestions on what I may be doing wrong, or what settings need
> > to be checked, etc would be appreciated. I bring up CIPE on
> > both ends (these are RH 7.1 boxes, btw) and they "succeed".
> > I then try pinging 192.168.254.x (where x is 1 or 2). Pinging
> > the local end works, the far end fails.
> > I realize I'm gonna have some routing to figure out once this
> > part works. But for now, I just want these two boxes to work.
> > As far as I can determine using netcat, port 9000 between the two
> > sites *IS* passing packets correctly.
> > Thanks!
> > -Scott
> Message sent by the cipe-l,AT,inka,DOT,de mailing list.