
Subject: Re: NAT through CIPE (not CIPE through NAT)
From: Blair Lowe <Blair.Lowe,AT,compeng,DOT,net>
Date: Wed, 27 Jun 2001 20:46:00 +0200
In-reply-to: <200106242303.f5ON3MU03524@soup.in.ql.org>

Long shot:

What routing do you use? I found that I needed dynamic routing (e.g. 
gated, or routed) even for a simple masqueraded connection to get 
CIPE to work.

TTYL,
Blair.

At 19:03 -0400 2001/06/24, E. Jay Berkenbilt wrote:
>SUMMARY: IP forwarding across a CIPE VPN is working, but NAT across
>the same CIPE VPN is failing.  tcpdump shows packets only on one side
>of the interface.
>
>
>Note: this question pertains to running NAT over CIPE, not to running
>CIPE over NAT.  In other words, I have a working CIPE VPN between two
>specific machines.  Each machine is on a private network.  I'd like to
>talk between the two private networks, but one side doesn't have a
>route to the other.  I am successful in routing between the two
>networks using the CIPE boxes as gateways if I establish all the
>required routing, but not in doing NAT over the CIPE interface.
>
>Here are the details:
>
>site1-machine: eth0: 10.160.59.1/24
>
>site1-gateway: eth0: 10.160.59.17/24
>              cipcb0: 192.168.14.2/24
>              eth1: (dynamic public address)
>
>site2-gateway: eth0: 192.168.0.3/24
>              cipcb0: 192.168.14.1/24
>              eth1: (static public address)
>
>site2-machine: eth0: 192.168.0.1/24
>
>All machines are running RedHat Linux 7.1 with cipe 1.4.6 as
>distributed in RedHat 7.1 and with the default RedHat 7.1 2.4.2-based
>kernel.  I've checked 1.5.2 but not installed it as it doesn't seem
>that any changes are relevant to this problem.
>
>site1-machine has a route for 192.168.0.0/16 to site1-gateway.
>site1-gateway has a route to 192.168.0.0/16 through interface cipcb0.
>site2-machine has site2-gateway as its default gateway.
>
>site1-gateway has IP forwarding enabled and accepts forwarding from
>10.160.59.0/24 to any destination.
>
>site2-gateway has IP forwarding enabled and accepts forwarding from
>192.168.0.0/16 to any destination.
>
>site1's options file:
>
>ipaddr  192.168.14.2
>ptpaddr 192.168.14.1
>peer    (site2's public address):9999
>key     (key)
>dynip
>
>site2's options file
>
>ipaddr  192.168.14.1
>ptpaddr 192.168.14.2
>peer    127.0.0.1:9999
>me      (site 2's public address):9999
>key     (key)
>
>
>What works:
>
>site1-gateway and site2-gateway can ping each other.  site2-gateway
>sees the source address as 192.168.14.2.  site1-gateway can ping
>either 192.168.14.1 or 192.168.0.3.
>
>site1-gateway and site2-machine can both ping each other since
>site1-gateway knows that site2-machine is on the other side of the
>CIPE VPN and site2-machine routes all non-local packets through
>site2-gateway.  site2-machine can see 192.168.14.1 but not
>10.160.59.17, which is fine.
>
>
>In order to get site1-machine and site2-machine to see each other, I
>should be able to tell site1-gateway to NAT any packets being
>forwarded to 192.168.0.0/16 to source address 192.168.14.2.  This does
>not work.  I know, however, that I can forward packets through this
>VPN without NAT.  Here are the details:
>
>If I teach site2-gateway about 10.160.59.0/24 with
>
>route add -net 10.160.59.0/24 dev cipcb0
>iptables -t nat -I POSTROUTING -d 10.160.59.0/24 -j ACCEPT
>iptables -t filter -I FORWARD -d 10.160.59.0/24 -j ACCEPT
>
>then site1-machine and site2-machine can ping each other.
>Furthermore, if I run tcpdump -i cipcb0 on both site1-gateway and
>site2-gateway, I can see both the echo request and echo reply packets,
>and I can see 192.168.0.1 and 10.160.59.1 as the source/destination
>addresses.  This is exactly as expected.  Everything works perfectly.
>My two networks can talk to each other.
>
>However, I don't want site2 to know about 10.160.59.0/24.  I want
>site1-gateway to SNAT all its traffic to 192.168.14.2.  This should be
>easy.  Once the above situation works fine, I should simply need to
>run the following on site1-gateway:
>
>iptables -t nat -I POSTROUTING -d 192.168.0.0/16 -j SNAT --to-source 192.168.14.2
>
>and everything should just work.  (Note that site2-machine can ping
>192.168.14.2 fine.)  However, when I give this command, my tcpdump on
>site1-gateway shows the echo requests with the source of 192.168.14.2
>and the destination of 192.168.0.1 as expected, but site2-gateway's
>tcpdump shows nothing!
>
>In other words, CIPE does not appear to be forwarding the traffic at
>all.  tcpdump on site1 shows the packets being sent, but tcpdump on
>site2 does not show the packets being received.
>
>The thing that's baffling to me is that when I turn on SNAT to
>site1's CIPE IP address, the cipe interface on site2 no longer appears
>to be receiving packets even though the interface on site1 appears to
>be sending them.  Running strace on the ciped-cb processes is
>unenlightening.  Any further tips on diagnosing this will be helpful.
>
>I have administrative control of all machines in question, and I am
>the only person using this VPN at the moment.  I have full freedom to
>bring things up and down as required, so I can try experiments that
>people may suggest.  One thing I have tried is to explicitly specify
>both the peer: and me: parameters as static addresses (using the
>address I happen to have now) on both sides.  This changes nothing --
>I get exactly the same results.  When I try to NAT through the cipe
>interface, tcpdump shows the packets on one side but not on the other.
>
>For what it's worth, I used to use ppp over stunnel with otherwise
>identical configurations.  NAT across that VPN worked fine.
>
>--
>E. Jay Berkenbilt <ejb,AT,ql,DOT,org>
>http://www.ql.org/q/
>
>
>--
>Message sent by the cipe-l,AT,inka,DOT,de mailing list.
>Unsubscribe: mail majordomo,AT,inka,DOT,de, "unsubscribe cipe-l" in body
>Other commands available with "help" in body to the same address.
>CIPE info and list archive: 
><URL:http://sites.inka.de/~bigred/devel/cipe.html>
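As an added example (not code from the thread or from CIPE), the following Python model replays the topology in the quoted post: longest-prefix routing on each host, the SNAT rule as a POSTROUTING rewrite applied after the routing decision, and the CIPE tunnel as a plain wire between the two cipcb0 ends. It assumes delivery is purely a routing question (no conntrack, no tunnel internals), so it shows why the no-NAT setup needs the extra route on site2-gateway and why the SNAT setup, as reasoned in the post, should not; it says nothing about the packets that go missing on the wire.

```python
import ipaddress as ipa

# Constructed from the addresses in the post. Routes are (prefix, out-iface, gateway-or-None).
HOSTS = {
    "site1-machine": {"ifaces": {"eth0": "10.160.59.1/24"},
                      "routes": [("192.168.0.0/16", "eth0", "10.160.59.17")]},
    "site1-gateway": {"ifaces": {"eth0": "10.160.59.17/24", "cipcb0": "192.168.14.2/24"},
                      "routes": [("192.168.0.0/16", "cipcb0", None)],
                      "snat": [("192.168.0.0/16", "192.168.14.2")]},  # the POSTROUTING rule
    "site2-gateway": {"ifaces": {"eth0": "192.168.0.3/24", "cipcb0": "192.168.14.1/24"},
                      "routes": []},  # no route to 10.160.59.0/24, as in the SNAT setup
    "site2-machine": {"ifaces": {"eth0": "192.168.0.1/24"},
                      "routes": [("0.0.0.0/0", "eth0", "192.168.0.3")]},
}
# The CIPE tunnel is modelled as a wire between the two cipcb0 ends (assumption).
TUNNEL = {("site1-gateway", "cipcb0"): "site2-gateway", ("site2-gateway", "cipcb0"): "site1-gateway"}

def addrs(host):
    return {n: ipa.ip_interface(a) for n, a in HOSTS[host]["ifaces"].items()}

def owner(ip):
    """Host that owns an address, or None if nobody does."""
    return next((h for h in HOSTS if any(i.ip == ip for i in addrs(h).values())), None)

def lookup(host, dst):
    """Longest-prefix match over connected subnets and static routes."""
    cands = [(i.network, n, None) for n, i in addrs(host).items()]
    cands += [(ipa.ip_network(p), n, g) for p, n, g in HOSTS[host]["routes"]]
    return max((c for c in cands if dst in c[0]), key=lambda c: c[0].prefixlen, default=None)

def trace(src, dst, snat=True, extra_routes=()):
    """Forward a packet hop by hop. Returns ([(host, out-iface, src, dst), ...], delivered)."""
    for h, r in extra_routes: HOSTS[h]["routes"].append(r)   # temporary routes for an experiment
    src, dst = ipa.ip_address(src), ipa.ip_address(dst)
    host, hops = owner(src), []
    try:
        while host and len(hops) < 8:
            if any(i.ip == dst for i in addrs(host).values()):
                return hops, True                          # delivered locally
            route = lookup(host, dst)
            if route is None:
                return hops, False                         # no route: dropped at this host
            _, iface, gw = route
            if snat:                                       # SNAT runs in POSTROUTING, after routing
                src = next((ipa.ip_address(to) for p, to in HOSTS[host].get("snat", [])
                            if dst in ipa.ip_network(p)), src)
            hops.append((host, iface, str(src), str(dst)))
            host = TUNNEL.get((host, iface)) or owner(ipa.ip_address(gw) if gw else dst)
        return hops, False
    finally:
        for h, r in extra_routes: HOSTS[h]["routes"].remove(r)
```

Tracing the echo request with `snat=False` and then the reply reproduces the post's finding that site2-gateway needs `route add -net 10.160.59.0/24 dev cipcb0`; with the SNAT rule the reply is addressed to 192.168.14.2, which site2-gateway already reaches over cipcb0.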
