
Subject: Re: CIPE ports (was Re: CIPE, windows 2000 configuration (SOLVED))
From: "Dick St.Peters" <stpeters,AT,NetHeaven,DOT,com>
Date: Thu, 29 Aug 2002 20:49:04 +0200
In-reply-to: <15726.19962.335081.466174@saint.heaven.net>

Yes, he is behind a NAT box.  I was just surprised that my explicitly-
configured port let his end change ports.  Does anyone know of cases
where NAT boxes alter the port when they don't have to?

Speaking of NAT, another of our tunnels goes through *two* NAT layers
at the user's end.  Both CIPE and OpenVPN handle this with ease as
long as a dribble of traffic keeps the NAT boxes' state alive.

--
Dick St.Peters, stpeters,AT,NetHeaven,DOT,com 

Docume writes:
> Maybe there is something into his adsl router that changes the port. It 
> depends how he has it configured (the adsl router), I think, I don't know 
> exactly. Is that client behind a NAT router?
> 
> On Thu, 29 Aug 2002, Dick St.Peters wrote:
> 
> > As long as the topic of ports came up, something I've been wondering
> > about ... one of my CIPE users is configured at my end to connect from
> > port 1999: 
> >         peer            0.0.0.0:1999
> > 
> > However, he frequently connects (successfully) from port 1024.  The
> > pattern seems to be that each time his ADSL IP is changed he first
> > connects from port 1999, then a few days later his port switches to
> > 1024.
> > 
> > This isn't a question but more like a perplexed observation ...
> > 
> > CIPE 1.5.2/Linux 2.2.19 at my end, I'm not sure what he's using,
> > except that it's Linux of some kind.
> > 
> > --
> > Dick St.Peters, stpeters,AT,NetHeaven,DOT,com 
> > 
> > Damion Wilson writes:
> > > > At least one peer must have a fixed address. The host with the "floating"
> > > > (0.0.0.0) address must send the first packet. Its peer will deduce the
> > > > return address from the packet itself.
> > > > 
> > > > Each side must listen on a fixed port. Are you confusing ports and addresses?
> > > 
> > > DKW
> > > 
> > > On Thursday 29 August 2002 12:06 pm, you wrote:
> > > > AAAAAAALEEEELUUUUUUYAAAAAAAAAA!!! X-]
> > > > > Ok, I had stopped the DKW Heavy Industries VPN Adapter. Service into my
> > > > > w2k.
> > > > > I started it and now the vpn circuit runs correctly :-))))))))
> > > > >
> > > > > I only want to ask a few questions.
> > > > > I am going to use cipe with a road-warrior, a w2k box,
> > > > > Does 0.0.0.0 match any ip address?
> > > > > should I configure a fixed port into that w2k box always?
> > > >
> > > > Thanks for the help :)
> > > >
> > > > On Thu, 29 Aug 2002, Damion Wilson wrote:
> > > > > > The encryption/decryption of CIPE happens in ciped-cb on Linux and the
> > > > > > service cipsrvr.exe on Windows. These must be running for anything to
> > > > > > happen.
> > > > > >
> > > > > > Both sides must have fixed ports configured. The remote port of one must
> > > > > > match the local port of the other.
> > > > >
> > > > > On Thursday 29 August 2002 09:05 am, you wrote:
> > > > > > > > I don't think that Windows is convinced of your CLASS_C netmask with
> > > > > > > > a CLASS_A network address (10.0.0.x).
> > > > > >
> > > > > > the mask is correct, isn't it?
> > > > > > It is a class A, 10.0.0.0/8
> > > > > >
> > > > > > > Also, I presume that the CIPE-Win32 service is running as is
> > > > > > > /usr/sbin/ciped-cb -o /etc/cipe/options.
> > > > > >
> > > > > > I don't know
> > > > > >
> > > > > > > Are both peers setup to listen to port 3333 ?
> > > > > >
> > > > > > > The windows 2000 doesn't have a fixed port configured.
> > > > > >
> > > > > > > DKW
> > > > > > >
> > > > > > > On Wednesday 28 August 2002 03:34 pm, you wrote:
> > > > > > > > Ah! ok I didn't know anything about that bug.
> > > > > > > >
> > > > > > > > Well, here is some useful information:
> > > > > > > > > cipcb0    Link encap:IPIP Tunnel  HWaddr
> > > > > > > > >           inet addr:10.10.10.1  P-t-P:10.10.10.101  Mask:255.255.255.255
> > > > > > > > >           UP POINTOPOINT RUNNING NOARP  MTU:1442  Metric:1
> > > > > > > > >           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> > > > > > > > >           TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
> > > > > > > > >           collisions:0 txqueuelen:100
> > > > > > > > >           RX bytes:0 (0.0 b)  TX bytes:1728 (1.6 Kb)
> > > > > > > >
> > > > > > > > # cat /etc/cipe/options.cipcb0
> > > > > > > > > # Real IPs
> > > > > > > > > me 172.16.0.10:3333
> > > > > > > > > peer 172.16.0.1
> > > > > > > > >
> > > > > > > > > # VPN circuit
> > > > > > > > > ipaddr  10.10.10.1
> > > > > > > > > ptpaddr 10.10.10.101
> > > > > > > > >
> > > > > > > > > # Key
> > > > > > > > key = f0274bb895d44b1eb9a89nnf0f0df
> > > > > > > >
> > > > > > > > # cat /etc/sysconfig/network-scripts/ifcfg-cipcb0
> > > > > > > > DEVICE=cipcb0
> > > > > > > > ONBOOT=yes
> > > > > > > > USERCTL=no
> > > > > > > >
> > > > > > > > Ok now the steps I do in the windows 2000 pro box:
> > > > > > > > > 1- edit tcp/ip options into the cipe device, and configured an ip
> > > > > > > > > address and mask (10.10.10.101/255.255.255.0). No gateway neither
> > > > > > > > > dns servers.
> > > > > > > > > 2- from control panel I edit the cipe settings and
> > > > > > > > > created a new peer, with the vpn info.
> > > > > > > > 3- I try to ping over the VPN circuit without response
> > > > > > > >
> > > > > > > > here is the route table of my w2k pro:
> > > > > > > >
> > > > > > > > 
>===================================================================
> > > > > > > >==== ==== Rutas activas:
> > > > > > > > Destino de red        Máscara de red   Puerta de acceso   
>Interfaz
> > > > > > > > Métrica 0.0.0.0          0.0.0.0      172.16.0.10      
>172.16.0.1
> > > > > > > > 1 10.0.0.0        255.0.0.0     10.10.10.101    10.10.10.101  
>    1
> > > > > > > > 10.10.10.101  255.255.255.255        127.0.0.1       
>127.0.0.1     
> > > > > > > > 1 10.255.255.255  255.255.255.255     10.10.10.101    
>10.10.10.101 
> > > > > > > >     1 127.0.0.0        255.0.0.0        127.0.0.1       
>127.0.0.1  
> > > > > > > >    1 172.16.0.0    255.255.255.0       172.16.0.1      
>172.16.0.1  
> > > > > > > >    1 172.16.0.1  255.255.255.255        127.0.0.1       
>127.0.0.1  
> > > > > > > >    1 172.16.255.255  255.255.255.255       172.16.0.1     
> > > > > > > > 172.16.0.1      1 224.0.0.0        224.0.0.0     10.10.10.101 
>  
> > > > > > > > 10.10.10.101      1 224.0.0.0        224.0.0.0       
>172.16.0.1    
> > > > > > > >  172.16.0.1      1 255.255.255.255  255.255.255.255      
> > > > > > > > 172.16.0.1      172.16.0.1 1 Puerta de enlace predeterminada: 
>     
> > > > > > > > 172.16.0.10
> > > > > > > > 
>===================================================================
> > > > > > > >==== ==== Rutas persistentes:
> > > > > > > >   ninguno
> > > > > > > >
> > > > > > > >
> > > > > > > > Is anything wrong?
> > > > > > > >
> > > > > > > > On Wed, 28 Aug 2002, Damion Wilson wrote:
> > > > > > > > > I can try.
> > > > > > > > >
> > > > > > > > > > Make sure the CIPE service is running. Also, there's a bug in the
> > > > > > > > > > control panel dialog where it doesn't save field contents
> > > > > > > > > > properly all the time, so check to make sure that the static key
> > > > > > > > > > and other settings are correct by reentering the control panel
> > > > > > > > > > applet after exiting.
> > > > > > > > >
> > > > > > > > > DKW
> > > > > > > > >
> > > > > > > > > On Wednesday 28 August 2002 02:17 pm, you wrote:
> > > > > > > > > > Hi Damion,
> > > > > > > > > >
> > > > > > > > > > Thanks for your answer. :-]
> > > > > > > > > > I did that, but CIPE doesn't run, I can't connect.
> > > > > > > > > > > I configured an ip address and mask in the cipe network
> > > > > > > > > > > adapter. Then I went to cipe settings and configured the VPN.
> > > > > > > > > > >
> > > > > > > > > > > Are those steps correct?
> > > > > > > > > > > Can you give me a hand with cipe?
> > > > > > > > > >
> > > > > > > > > > See you.
> > > > > > > > > >
> > > > > > > > > > On Wed, 28 Aug 2002, Damion Wilson wrote:
> > > > > > > > > > > > Yes. The Cipe network adapter must be configured via TCP/IP
> > > > > > > > > > > > settings before it can have peers added to it via the Cipe
> > > > > > > > > > > > control panel applet.
> > > > > > > > > > >
> > > > > > > > > > > DKW
> > > > > > > > > > >
> > > > > > > > > > > On Wednesday 28 August 2002 12:22 pm, Docume wrote:
> > > > > > > > > > > > Hi again,
> > > > > > > > > > > >
> > > > > > > > > > > > > I resolved the problem with cipe and my linux server, I have
> > > > > > > > > > > > > it running correctly. Now the problem is how to configure
> > > > > > > > > > > > > my windows 2000
> > > > > > > > > > > > >
> > > > > > > > > > > > > I note that there is a new open into my control panel
> > > > > > > > > > > > > called CIPE Settings, I configured the connection there,
> > > > > > > > > > > > > but I can't connect yet to my linux and I don't know the
> > > > > > > > > > > > > reason.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Should I need to configure the cipe interface, the tcp/ip
> > > > > > > > > > > > > settings?
> > > 
> > > 
> > > --
> > > Message sent by the cipe-l,AT,inka,DOT,de mailing list.
> > > Unsubscribe: mail majordomo,AT,inka,DOT,de, "unsubscribe cipe-l" in body
> > > Other commands available with "help" in body to the same address.
> > > > CIPE info and list archive: <URL:http://sites.inka.de/~bigred/devel/cipe.html>
> > 
> > 
> > 
> 
> 
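
The port and address rules stated in this thread (each side listens on a fixed port, the remote port of one matches the local port of the other, at least one end has a fixed address) can be checked mechanically before bringing a tunnel up. This is an added example, not part of the original messages or of CIPE itself; it reads only the `me` and `peer` lines in the form quoted above, and the Windows-side text is a constructed stand-in for the control-panel settings.

```python
import ipaddress

FLOATING = ipaddress.IPv4Address("0.0.0.0")

def parse_endpoints(text):
    """Extract the me/peer lines as {name: (address, port)}; port is None when omitted."""
    found = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) >= 2 and fields[0] in ("me", "peer"):
            host, _, port = fields[1].partition(":")
            found[fields[0]] = (ipaddress.IPv4Address(host), int(port) if port else None)
    return found

def check_pair(a_text, b_text):
    """Return findings for one tunnel, using only the rules stated in the thread."""
    ends = {"A": parse_endpoints(a_text), "B": parse_endpoints(b_text)}
    findings = []
    for name, other in (("A", "B"), ("B", "A")):
        me_port = ends[name].get("me", (None, None))[1]
        peer_port = ends[other].get("peer", (None, None))[1]
        if me_port is None:
            findings.append(f"{name}: no fixed local port on 'me'")
        elif peer_port != me_port:
            findings.append(f"{other}: peer port {peer_port} != {name} local port {me_port}")
    # If both ends point at 0.0.0.0, neither knows where to send the first packet.
    if all(ends[n].get("peer", (FLOATING, None))[0] == FLOATING for n in ends):
        findings.append("both ends use a floating (0.0.0.0) peer; one must be fixed")
    return findings

# Linux end as quoted in the thread (me/peer lines only).
LINUX_END = "# Real IPs\nme 172.16.0.10:3333\npeer 172.16.0.1\n"
# Constructed: the Windows end as described in the thread (no fixed local port).
WINDOWS_END = "me 172.16.0.1\npeer 172.16.0.10:3333\n"
# Constructed: both ends with the ports made explicit and matching.
LINUX_FIXED = "me 172.16.0.10:3333\npeer 172.16.0.1:3333\n"
WINDOWS_FIXED = "me 172.16.0.1:3333\npeer 172.16.0.10:3333\n"

if __name__ == "__main__":
    for label, pair in (("as posted", (LINUX_END, WINDOWS_END)),
                        ("ports fixed", (LINUX_FIXED, WINDOWS_FIXED))):
        print(label, check_pair(*pair))
```

The check covers configuration only: as the top message notes, a NAT box between the peers can still change the source port that actually arrives.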




