Subject: NAT through CIPE (not CIPE through NAT)
From: "E. Jay Berkenbilt" <ejb,AT,ql,DOT,org>
Date: Mon, 25 Jun 2001 01:22:41 +0200

SUMMARY: IP forwarding across a CIPE VPN is working, but NAT across
the same CIPE VPN is failing.  tcpdump shows packets only on one side
of the interface.

Note: this question pertains to running NAT over CIPE, not to running
CIPE over NAT.  In other words, I have a working CIPE VPN between two
specific machines.  Each machine is on a private network.  I'd like to
talk between the two private networks, but one side doesn't have a
route to the other.  I am successful in routing between the two
networks using the CIPE boxes as gateways if I establish all the
required routing, but not in doing NAT over the CIPE interface.

Here are the details:

site1-machine: eth0:

site1-gateway: eth0:
               eth1: (dynamic public address)

site2-gateway: eth0:
               eth1: (static public address)

site2-machine: eth0:

All machines are running RedHat Linux 7.1 with cipe 1.4.6 as
distributed in RedHat 7.1 and with the default RedHat 7.1 2.4.2-based
kernel.  I've checked 1.5.2 but not installed it as it doesn't seem
that any changes are relevant to this problem.

site1-machine has a route for to site1-gateway.
site1-gateway has a route to through interface cipcb0.
site2-machine has site2-gateway as its default gateway.

site1-gateway has IP forwarding enabled and accepts forwarding from to any destination.

site2-gateway has IP forwarding enabled and accepts forwarding from to any destination.

site1's options file:

peer    (site2's public address):9999
key     (key)

site2's options file:

me      (site 2's public address):9999
key     (key)

What works:

site1-gateway and site2-gateway can ping each other.  site2-gateway
sees the source address as  site1-gateway can ping
either or

site1-gateway and site2-machine can both ping each other since
site1-gateway knows that site2-machine is on the other side of the
CIPE VPN and site2-machine routes all non-local packets through
site2-gateway.  site2-machine can see but not, which is fine.

In order to get site1-machine and site2-machine to see each other, I
should be able to tell site1-gateway to NAT any packets being
forwarded to to source address  This does
not work.  I know, however, that I can forward packets through this
VPN without NAT.  Here are the details:

If I teach site2-gateway about with

route add -net dev cipcb0
iptables -t nat -I POSTROUTING -d -j ACCEPT
iptables -t filter -I FORWARD -d -j ACCEPT

then site1-machine and site2-machine can ping each other.
Furthermore, if I run tcpdump -i cipcb0 on both site1-gateway and
site2-gateway, I can see both the echo request and echo reply packets,
and I can see and as the source/destination
addresses.  This is exactly as expected.  Everything works perfectly.
My two networks can talk to each other.

However, I don't want site2 to know about  I want
site1-gateway to SNAT all its traffic to  This should be
easy.  Once the above situation works fine, I should simply need to
run the following on site1-gateway:

iptables -t nat -I POSTROUTING -d -j SNAT --to-source

and everything should just work.  (Note that site2-machine can ping
fine.)  However, when I give this command, my tcpdump on site1-gateway
shows the echo requests with the source of and the destination of
as expected, but site2-gateway's tcpdump shows nothing!

In other words, CIPE does not appear to be forwarding the traffic at
all.  tcpdump on site1 shows the packets being sent, but tcpdump on
site2 does not show the packets being received.

The thing that's baffling to me is that when I turn on SNAT to site1's
CIPE IP address, the cipe interface on site2 no longer appears to be
receiving packets even though the interface on site1 appears to be
sending them.  Running strace on the ciped-cb processes is
unenlightening.  Any further tips on diagnosing this will be helpful.

I have administrative control of all machines in question, and I am
the only person using this VPN at the moment.  I have full freedom to
bring things up and down as required, so I can try experiments that
people may suggest.  One thing I have tried is to explicitly specify
both the peer: and me: parameters as static addresses (using the
address I happen to have now) on both sides.  This changes nothing --
I get exactly the same results.  When I try to NAT through the cipe
interface, tcpdump shows the packets on one side but not on the other.

For what it's worth, I used to use ppp over stunnel with otherwise
identical configurations.  NAT across that VPN worked fine.

E. Jay Berkenbilt <ejb,AT,ql,DOT,org>
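Added example, not part of the original post and not CIPE's own tooling: a gateway script for the site1 side in the shape the post describes (route into the tunnel, forwarding rules, SNAT of the private network onto the tunnel address), followed by the checks that locate where a SNATed packet stops. The post elides its real addresses, so every address below, the interface names eth0/eth1 and the site2-machine address are assumptions; cipcb0 and UDP port 9999 come from the post. The one deliberate difference from the post's rule is that the SNAT match is keyed on the outgoing interface and the source network rather than only on the destination, so it can apply to nothing except traffic entering the tunnel. The last check, capturing the encapsulated UDP on the public interface of each gateway, is the step the post's cipcb0-only captures leave out: it tells you whether the packet was dropped before encapsulation on site1 or lost between the two public interfaces.

```shell
#!/bin/sh
# Added example, not from the original post.  Configures the site1 CIPE
# gateway to SNAT its private network onto the tunnel address and prints
# the diagnostics that narrow down where packets stop.  All addresses and
# the site2-machine/site1-machine hosts are assumptions for illustration.
SITE1_NET=${SITE1_NET:-10.1.0.0/24}      # assumed site1 private network
SITE1_HOST=${SITE1_HOST:-10.1.0.10}      # assumed site1-machine address
SITE2_NET=${SITE2_NET:-10.2.0.0/24}      # assumed site2 private network
SITE2_HOST=${SITE2_HOST:-10.2.0.10}      # assumed site2-machine address
CIPE_IF=${CIPE_IF:-cipcb0}               # CIPE interface name, as in the post
CIPE_LOCAL=${CIPE_LOCAL:-192.168.100.1}  # assumed site1 tunnel-end address
LAN_IF=${LAN_IF:-eth0}                   # private-side interface, as in the post
PUB_IF=${PUB_IF:-eth1}                   # public-side interface, as in the post
CIPE_PORT=${CIPE_PORT:-9999}             # UDP port from the options file
DRY_RUN=${DRY_RUN:-1}                    # 1: print the commands, 0: execute them

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Route, forwarding and SNAT for the site1 gateway.  The SNAT rule matches
# on the outgoing tunnel interface and the private source network, so it
# cannot touch anything but packets about to enter the tunnel.
setup_site1_gateway() {
    run sysctl -w net.ipv4.ip_forward=1
    run ip route add "$SITE2_NET" dev "$CIPE_IF"
    run iptables -A FORWARD -i "$LAN_IF" -o "$CIPE_IF" -s "$SITE1_NET" -d "$SITE2_NET" -j ACCEPT
    run iptables -A FORWARD -i "$CIPE_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$CIPE_IF" -s "$SITE1_NET" -j SNAT --to-source "$CIPE_LOCAL"
}

# Where does the SNATed packet go?  In order: the route the kernel picks for
# a packet from site1-machine to site2-machine, whether the SNAT rule's
# counters move, whether reverse-path filtering is on, and whether the
# encapsulated UDP actually leaves the public interface.  Run the same
# tcpdump on the peer's public interface and compare.
diagnose_site1_gateway() {
    run ip route get "$SITE2_HOST" from "$SITE1_HOST" iif "$LAN_IF"
    run iptables -t nat -L POSTROUTING -v -n
    run sysctl "net.ipv4.conf.$CIPE_IF.rp_filter" net.ipv4.conf.all.rp_filter
    run tcpdump -ni "$PUB_IF" udp port "$CIPE_PORT"
}

case "${1:-}" in
    setup) setup_site1_gateway ;;
    diag)  diagnose_site1_gateway ;;
esac
```

With DRY_RUN=1 (the default) `sh gw.sh setup` only prints the commands so you can review them; `DRY_RUN=0 sh gw.sh setup` applies them as root, and `sh gw.sh diag` prints the checks to run on the gateway.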

