What routing do you use? I found that I needed dynamic routing (e.g.
gated, or routed) even for a simple masqueraded connection to get
CIPE to work.
At 19:03 -0400 2001/06/24, E. Jay Berkenbilt wrote:
>SUMMARY: IP forwarding across a CIPE VPN is working, but NAT across
>the same CIPE VPN is failing. tcpdump shows packets only on one side
>of the interface.
>Note: this question pertains to running NAT over CIPE, not to running
>CIPE over NAT. In other words, I have a working CIPE VPN between two
>specific machines. Each machine is on a private network. I'd like to
>talk between the two private networks, but one side doesn't have a
>route to the other. I am successful in routing between the two
>networks using the CIPE boxes as gateways if I establish all the
>required routing, but not in doing NAT over the CIPE interface.
>Here are the details:
>site1-machine: eth0: 10.160.59.1/24
>site1-gateway: eth0: 10.160.59.17/24
> cipcb0: 192.168.14.2/24
> eth1: (dynamic public address)
>site2-gateway: eth0: 192.168.0.3/24
> cipcb0: 192.168.14.1/24
> eth1: (static public address)
>site2-machine: eth0: 192.168.0.1/24
>All machines are running RedHat Linux 7.1 with cipe 1.4.6 as
>distributed in RedHat 7.1 and with the default RedHat 7.1 2.4.2-based
>kernel. I've checked 1.5.2 but not installed it as it doesn't seem
>that any changes are relevant to this problem.
>site1-machine has a route for 192.168.0.0/16 to site1-gateway.
>site1-gateway has a route to 192.168.0.0/16 through interface cipcb0.
>site2-machine has site2-gateway as its default gateway.
>site1-gateway has IP forwarding enabled and accepts forwarding from
>10.160.59.0/24 to any destination.
>site2-gateway has IP forwarding enabled and accepts forwarding from
>192.168.0.0/16 to any destination.
>site1's options file:
>peer (site2's public address):9999
>site2's options file
>me (site 2's public address):9999
>site1-gateway and site2-gateway can ping each other. site2-gateway
>sees the source address as 192.168.14.2. site1-gateway can ping
>either 192.168.14.1 or 192.168.0.3.
>site1-gateway and site2-machine can both ping each other since
>site1-gateway knows that site2-machine is on the other side of the
>CIPE VPN and site2-machine routes all non-local packets through
>site2-gateway. site2-machine can see 192.168.14.1 but not
>10.160.59.17, which is fine.
>In order to get site1-machine and site2-machine to see each other, I
>should be able to tell site1-gateway to NAT any packets being
>forwarded to 192.168.0.0/16 to source address 192.168.14.2. This does
>not work. I know, however, that I can forward packets through this
>VPN without NAT. Here are the details:
>If I teach site2-gateway about 10.160.59.0/24 with
>route add -net 10.160.59.0/24 dev cipcb0
>iptables -t nat -I POSTROUTING -d 10.160.59.0/24 -j ACCEPT
>iptables -t filter -I FORWARD -d 10.160.59.0/24 -j ACCEPT
>then site1-machine and site2-machine can ping each other.
>Furthermore, if I run tcpdump -i cipcb0 on both site1-gateway and
>site2-gateway, I can see both the echo request and echo reply packets,
>and I can see 192.168.0.1 and 10.160.59.1 as the source/destination
>addresses. This is exactly as expected. Everything works perfectly.
>My two networks can talk to each other.
>However, I don't want site2 to know about 10.160.59.0/24. I want
>site1-gateway to SNAT all its traffic to 192.168.14.2. This should be
>easy. Once the above situation works fine, I should simply need to
>run the following on site1-gateway:
>iptables -t nat -I POSTROUTING -d 192.168.0.0/16 -j SNAT --to-source 192.168.14.2
>and everything should just work. (Note that site2-machine can ping
>192.168.14.2 fine.) However, when I give this command, my tcpdump on
>site1-gateway shows the echo requests with the source of 192.168.14.2
>and the destination of 192.168.0.1 as expected, but site2-gateway's
>tcpdump shows nothing!
>In other words, CIPE does not appear to be forwarding the traffic at
>all. tcpdump on site1 shows the packets being sent, but tcpdump on
>site2 does not show the packets being received.
>The thing that's baffling to me is that when I turn SNAT to the
>site1's CIPE ip address, the cipe interface on site2 no longer appears
>to be receiving packets even though the interface on site1 appears to
>be sending them. Running strace on the ciped-cb processes is
>unenlightening. Any further tips on diagnosing this will be helpful.
>I have administrative control of all machines in question, and I am
>the only person using this VPN at the moment. I have full freedom to
>bring things up and down as required, so I can try experiments that
>people may suggest. One thing I have tried is to explicitly specify
>both the peer: and me: parameters as static addresses (using the
>address I happen to have now) on both sides. This changes nothing --
>I get exactly the same results. When I try to NAT through the cipe
>interface, tcpdump shows the packets on one side but not on the other.
>For what it's worth, I used to use ppp over stunnel with otherwise
>identical configurations. NAT across that VPN worked fine.
>E. Jay Berkenbilt <ejb,AT,ql,DOT,org>
>Message sent by the cipe-l,AT,inka,DOT,de mailing list.
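As an added illustration (not code from the thread, from CIPE, or from netfilter), the following Python model walks a packet through the order the kernel applies on site1-gateway: routing decision, then the FORWARD filter chain, then the POSTROUTING nat chain, with a conntrack entry so the reply is un-NATed on the way back. It is fed the routes and rules quoted in the message above (the 0.0.0.0/0 route via eth1 and the DROP policy on FORWARD are assumptions). It reproduces exactly what the author's tcpdump on site1's cipcb0 shows (source 192.168.14.2, destination 192.168.0.1), which confirms the rule set is internally consistent and that the packets go missing somewhere after POSTROUTING, i.e. on the tunnel path rather than in the NAT rules.

```python
"""Toy model of the Linux forwarding path (routing -> FORWARD -> POSTROUTING SNAT).

Constructed teaching example based on the site1-gateway configuration quoted
in the thread; it is not CIPE or netfilter code and ignores many details
(connection state matching on FORWARD, MASQUERADE, port rewriting).
"""
import ipaddress


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def _ip(addr):
    return ipaddress.ip_address(addr)


def lookup_route(dst, routes):
    """Longest-prefix match over routes, a list of (cidr, out_device)."""
    best = None
    for cidr, dev in routes:
        net = _net(cidr)
        if _ip(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def _rule_matches(rule, src, dst, out_dev):
    """A rule is a dict with optional 's', 'd' (CIDR) and 'o' (device) matches."""
    if "s" in rule and _ip(src) not in _net(rule["s"]):
        return False
    if "d" in rule and _ip(dst) not in _net(rule["d"]):
        return False
    if "o" in rule and rule["o"] != out_dev:
        return False
    return True


def filter_forward(src, dst, out_dev, rules, policy="DROP"):
    """First matching rule in FORWARD decides; otherwise the chain policy."""
    for rule in rules:
        if _rule_matches(rule, src, dst, out_dev):
            return rule["target"]
    return policy


def nat_postrouting(src, dst, out_dev, rules):
    """First matching SNAT rule rewrites the source; otherwise unchanged."""
    for rule in rules:
        if _rule_matches(rule, src, dst, out_dev):
            return rule["to_source"]
    return src


class Gateway:
    def __init__(self, routes, forward_rules, snat_rules):
        self.routes = routes
        self.forward_rules = forward_rules
        self.snat_rules = snat_rules
        # conntrack: (nat_src, dst) -> original src, used to un-NAT replies
        self.conntrack = {}

    def forward(self, src, dst):
        """Return (verdict, src_on_wire, dst, out_device) for a forwarded packet."""
        out_dev = lookup_route(dst, self.routes)
        if out_dev is None:
            return ("UNROUTABLE", src, dst, None)
        if filter_forward(src, dst, out_dev, self.forward_rules) != "ACCEPT":
            return ("DROP", src, dst, out_dev)
        new_src = nat_postrouting(src, dst, out_dev, self.snat_rules)
        if new_src != src:
            self.conntrack[(new_src, dst)] = src
        return ("FORWARD", new_src, dst, out_dev)

    def receive_reply(self, src, dst):
        """Reply arriving at the gateway: PREROUTING undoes the SNAT via conntrack."""
        original_src = self.conntrack.get((dst, src))
        if original_src is None:
            return (src, dst)  # not a NATed flow; delivered or routed as-is
        return (src, original_src)


def make_site1_gateway():
    """site1-gateway as described in the message (default route is assumed)."""
    return Gateway(
        routes=[("10.160.59.0/24", "eth0"), ("192.168.0.0/16", "cipcb0"),
                ("0.0.0.0/0", "eth1")],
        forward_rules=[{"s": "10.160.59.0/24", "target": "ACCEPT"}],
        snat_rules=[{"d": "192.168.0.0/16", "to_source": "192.168.14.2"}],
    )


if __name__ == "__main__":
    gw = make_site1_gateway()
    print("echo request:", gw.forward("10.160.59.1", "192.168.0.1"))
    print("echo reply  :", gw.receive_reply("192.168.0.1", "192.168.14.2"))
```

Running it prints the echo request leaving cipcb0 as 192.168.14.2 -> 192.168.0.1 and the reply being mapped back to 10.160.59.1, which is the behaviour the author expects; a real investigation would next compare the UDP encapsulation leaving eth1 on site1 with what arrives on eth1 at site2.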