
Subject: RE: newbie in trouble with pkcipe on linux
From: "Mark Smith" <mark.smith,AT,avcosystems,DOT,co,DOT,uk>
Date: Thu, 12 Sep 2002 14:51:41 +0200
In-reply-to: <Pine.GSO.4.44.0209121508460.3014-100000@cs.uku.fi>

It seems your two endpoints share the same address space, unless you're not
planning on routing through the private addresses and only using the tunnel
as a direct machine-to-machine channel; personally I route traffic through
the tunnel to effectively masquerade the client network onto the server's,
specifically by routing traffic from the client subnet onto the tunnel and
masquerading once there, and again on the server endpoint, effectively
making all traffic coming over the tunnel appear to be from the endpoint itself.
This appears to work fine for what I need out of it.

What I did to compare was to check the process list once the pkcipe tunnel
was 'established' to find out what options pkcipe had handed to ciped, and
to look at that options file and compare it to the standalone copy.  In my
case, I had it the other way around - my pkcipe tunnel worked, but my
straight one didn't.  The differences can sometimes be subtle, but I found
the dynip option to be important for the endpoint that didn't have a real
IP.  If you can't see any reason why one config file works and the other
doesn't, then post them both and we'll take a look.

--
Mark Smith - Avco Systems Ltd
email: mark.smith,AT,avcosystems,DOT,co,DOT,uk
Tel: +44 (0)1784 430996 Fax: +44 (0)1784 431078

> -----Original Message-----
> From: owner-cipe-l,AT,inka,DOT,de [mailto:owner-cipe-l,AT,inka,DOT,de]
> On Behalf Of Mikko Pasanen
> Sent: 12 September 2002 13:18
> To: Mark Smith
> Cc: 'Cipe list (E-mail)'
> Subject: RE: newbie in trouble with pkcipe on linux
>
> Ok, this was very informative, thanks, but still the problem stays,
> so these are the config files. Problem stays, and if I use plain
> ciped-cb it works, but I really would like to get the pkcipe to work ...
>
> jupiter:
> -----BEGIN PUBLIC KEY-----
> -----END PUBLIC KEY-----
> ipaddr 10.0.0.12
> ptpaddr 10.0.0.11
> ping 10
> dynip
>
> deimos:
> -----BEGIN PUBLIC KEY-----
> -----END PUBLIC KEY-----
> ipaddr  10.0.0.11
> ptpaddr 10.0.0.12
> ping 10
> dynip
>
> I initiate connection from jupiter (which is behind masq firewall)
> to deimos, as pkcipe -E -c deimos:port and I get response as:
>
> connect to deimos
> starting /usr/local/sbin/ciped-cb for peer deimos
>
> this is the log from the deimos:
>
> Sep 12 15:21:07 deimos pkcipe[23596]: connect from jupiter
> Sep 12 15:21:07 deimos pkcipe[23596]: starting /usr/local/sbin/ciped-cb for peer jupiter
> Sep 12 15:21:07 deimos kernel: cipcb: read_lock(&tasklist_lock) at ../cipe/device.c:216
> Sep 12 15:21:07 deimos kernel: cipcb: read_unlock(&tasklist_lock) at ../cipe/device.c:220
> Sep 12 15:21:27 deimos ciped-cb[23598]: keepalive timeout
>
> and in the jupiter logs I find:
>
> Sep 12 15:26:11 jupiter ciped-cb[13682]: kxchg: recv: Connection refused
>
> (clocks are not in sync ;)
>
> On Thu, 12 Sep 2002, Mark Smith wrote:
>
> > The .info file distributed with cipe details the pkcipe config file.
> > All of the options go in one file.  Here's mine, as an example:
> >
> > --- snip ---
> > -----BEGIN PUBLIC KEY-----
> > <your public key from the other end's public key file>
> > -----END PUBLIC KEY-----
> > ipaddr 10.0.0.12
> > ptpaddr 192.168.0.1
> > ping 10
> > dynip
> > --- end ---
> >
>
>
>
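
Added example, not part of the original message or of the CIPE distribution: one way to do the comparison described in the reply above, by parsing the option set pkcipe handed to ciped and a standalone options file and listing only the options that differ. Both sample files are constructed; the script assumes "option value" lines, bare flags such as dynip, and that the standalone file carries ciped's static "key" option, which is redacted so the output can be posted to a list.

```python
# Added example: diff two ciped-style option files. Both samples are constructed.
SECRET_OPTIONS = {"key"}  # ciped's static link key: redact before posting

def parse_options(text):
    """Return {option: value}; bare flags such as 'dynip' map to True."""
    opts, in_pem = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if line.startswith("-----BEGIN"):        # pkcipe peer file: skip PEM block
            in_pem = True
        elif line.startswith("-----END"):
            in_pem = False
        elif line and not in_pem:
            parts = line.split(None, 1)
            opts[parts[0]] = parts[1].strip() if len(parts) > 1 else True
    return opts

def diff_options(a, b):
    """Return (option, value_in_a, value_in_b) for each option that differs."""
    out = []
    for name in sorted(set(a) | set(b)):
        va, vb = a.get(name), b.get(name)
        if va != vb:
            if name in SECRET_OPTIONS:           # report the mismatch, hide the value
                va, vb = (v and "<redacted>" for v in (va, vb))
            out.append((name, va, vb))
    return out

# Constructed sample: pkcipe-style peer file (addresses taken from the thread).
PKCIPE_SIDE = """\
-----BEGIN PUBLIC KEY-----
Q09OU1RSVUNURUQ=
-----END PUBLIC KEY-----
ipaddr 10.0.0.12
ptpaddr 10.0.0.11
ping 10
dynip
"""

# Constructed sample: hand-written standalone options file with a dummy key.
STANDALONE = """\
# standalone options
ipaddr  10.0.0.12
ptpaddr 10.0.0.11
ping 10
key 00112233445566778899aabbccddeeff
"""

if __name__ == "__main__":
    for name, a, b in diff_options(parse_options(PKCIPE_SIDE), parse_options(STANDALONE)):
        print(f"{name:8} pkcipe={a!r:14} standalone={b!r}")
```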
