Subject: RE: CIPE behind NAT firewalls?
From: SBNelson,AT,thermeon,DOT,com
Date: Fri, 22 Jun 2001 17:57:55 +0200

1) NAT doesn't bother cipe --- all that is required is that packets can get
between the two systems.
2 & 3) add debug=1 to the options file and start ciped-cb manually (that is,
don't use RedHat's ifup script).  The output will come to your screen;
perhaps you would like to run the command after starting the script command.

> -----Original Message-----
> From: Scott Sharkey [SMTP:ssharkey,AT,linux-no-limits,DOT,com]
> Sent: Friday, June 22, 2001 8:15 AM
> To:   cipe-l,AT,inka,DOT,de
> Subject:      Re: CIPE behind NAT firewalls?
> 
> A few days ago, I wrote the message below.  I got one response, but
> no real answers to the questions:
> 
>       1) how can I get CIPE to log more verbosely, and tell me
>               what's failing?  The only log messages I'm getting
>               are 
>                       bringing up interface cipcb0: succeeded
>                       cipcb0: cipe_sendmsg
>                       cipcb0: setkey
>                       cipcb0: cipe_rcvmsg
>                       
>               the last three lines repeat when I try to ping the
>               opposite end of the point-to-point.
>       
> This is cipe 1.4.5 by the way.
> 
> ANY suggestions on how to debug this will be appreciated.
> 
> -Scott
> > 
> > Hi All,
> > 
> > I'm trying to set up a CIPE VPN between two sites.  Each site is
> > running a firewall already (3COM on one side, Linux on the other).
> > Each site is running NAT, and the internal nets where the two VPN
> > boxes reside each have a non-routable address (10.10.x.x and
> > 192.168.x.x).  I have set the firewalls to pass UDP port 9000 (chosen
> > arbitrarily) to/from the corresponding partners.
> > 
> > It is not working, though I'm not getting any useful information
> > in the logs to help debug either.  So, several questions:
> > 
> >         1) does the NAT translation "get in the way"
> >         2) how can I find out how it's failing?
> >         3) is there a way to get more debug info in the logs?
> > 
> > It's set up basically as follows:
> > 
> >         Site A: Firewall Real IP is 128.x.x.3
> >                 VPN Real IP is 10.10.15.249
> >                 FW has a port forward rule from
> >                         128.x.x.3:9000 -> 10.10.15.249:9000
> >                 VPN peer is 140.x.x.37
> >                 VPN PTPADDR is 192.168.254.1
> >                 VPN IPADDR is 192.168.254.2
> > 
> >         Site B: Firewall Real IP is 140.x.x.37
> >                 VPN Real IP is 192.168.41.10
> >                 VPN PTPADDR is 192.168.254.2
> >                 VPN IPADDR is 192.168.254.1
> > 
> >         Site B's firewall maps 140.x.x.37 -> 192.168.41.10
> > 
> > Any suggestions on what I may be doing wrong, or what settings need
> > to be checked, etc would be appreciated.  I bring up CIPE on
> > both ends (these are RH 7.1 boxes, btw) and they "succeed".
> > I then try pinging 192.168.254.x (where x is 1 or 2).  Pinging
> > the local end works, the far end fails.
> > 
> > I realize I'm gonna have some routing to figure out once this
> > part works. But for now, I just want these two boxes to work.
> > 
> > As far as I can determine using netcat, port 9000 between the two
> > sites *IS* passing packets correctly.
> > 
> > Thanks!
> > 
> > -Scott
> 
> --
> Message sent by the cipe-l,AT,inka,DOT,de mailing list.
> Unsubscribe: mail majordomo,AT,inka,DOT,de, "unsubscribe cipe-l" in body
> Other commands available with "help" in body to the same address.
> CIPE info and list archive:
> <URL:http://sites.inka.de/~bigred/devel/cipe.html>