
Subject: RE: NAT... misunderstanding
From: "Joseph Jamieson" <jjamieson,AT,futurefoundations,DOT,com>
Date: Sun, 6 Oct 2002 13:12:42 +0200

Wouldn’t an SSH Tunnel completely defeat the purpose of cipe? (Besides the ease of configuration and stability, I think the general idea was to avoid a TCP over TCP Tunnel because these are problematic)

You might as well just use a ppp/ssh tunnel at that point, because you would be doing TCP over UDP over TCP, rather than TCP over PPP over TCP. I think ppp would actually be faster through ssh than cipe/udp. (I didn’t even realize that SSH could forward UDP though; I thought it was just TCP…)

I think the cipe docs on “4-4: This is impossible” should be rewritten to “4-4: Without forwarding some UDP ports, this is impossible”

Cheers,

Joe.

-----Original Message-----
From: Daniel Gibbs [mailto:d.gibbs,AT,online-bills,DOT,com]
Sent: Wednesday, October 02, 2002 6:09 AM
To: 'Kirill S. Tarashev'; Cipe-L (E-mail)
Subject: RE: NAT... misunderstanding

Yes, NATing only lets related packets through (i.e. requested webpages), but will deny new incoming connections unless you forward the packets.

The problem with the router is that it doesn't know how to handle the GRE packets while doing NATing.

This is the same problem with my router, when in bridging mode it will allow any packets (inc GRE) through but when it's in NAT mode it doesn't allow GRP/IKE packets through.

Cipe does use Encapsulated-UDP for its data, which means all routers will be able to handle it.

but you will need to forward (afaik) the incoming packets to the pc.

One solution if you can't get the packets forwarded is to use a SSH Tunnel which will encrypt the data itself for one program or possibly run cipe over this (haven't tried this yet but should work).

dan

-----Original Message-----
From: Kirill S. Tarashev [mailto:rikoil,AT,iss,DOT,ru]
Sent: 02 October 2002 10:52 AM
To: Daniel Gibbs
Subject: RE: NAT... misunderstanding

stop stop..

As I understand, I have to forward incoming (to NAT router) packet ONLY when server (or somebody else) initiates connection to my computer.

When I don't need it, it's nothing to change in NAT router. correct??

Because the problem is that NAT Router is ISP's router, and they will not change anything there to make forwarding. :((

That was the problem, why I can't use PPTP, because NAT can't create GRE tunnel VPN connection.

But as I understand CIPE uses ordinary UDP and also can work from computer behind the NAT router without any changes on that router.

Is it true or I've done some mistakes in my argumentation?

Kirill

-----Original Message-----
From: Daniel Gibbs [mailto:d.gibbs,AT,online-bills,DOT,com]
Sent: Wednesday, October 02, 2002 12:53 PM
To: 'Kirill S. Tarashev'; Cipe-L (E-mail)
Subject: RE: NAT... misunderstanding

OK..

NAT works (basically) this way.

Incoming requests are rejected unless the incoming stream is related or there is a map (forwarding) from either the origination ip and/or port.

However there can be problems:

e.g. FTP - the NAT router needs to know how to handle this.

What I have on my set up is

Win2k/cipe -> Nat Router -- Inet -- Linux firewall/cipe

On my nat router I have the required ports forwarded to the win2k box for cipe.

I had fun when trying to set up cipe on the linux box because it uses 3 (or 4) real ip's.

I wanted to use one of the lesser used ones but forgot about the natting rules which put the box on a different ip than the one I was trying to use.

Anyways, you may need to forward ports from your nat box to your client box (as I have had to do).

dan

-----Original Message-----
From: Kirill S. Tarashev [mailto:rikoil,AT,iss,DOT,ru]
Sent: 02 October 2002 09:50 AM
To: Daniel Gibbs
Subject: RE: NAT... misunderstanding

As I understand you, I can use CIPE client behind NAT for outgoing access but not for incoming.

or

If I'm a client behind NAT, I can initiate connection to server and it will work, but server can't initiate connection to me itself.

Is it correct?

Kirill

-----Original Message-----
From: Daniel Gibbs [mailto:d.gibbs,AT,online-bills,DOT,com]
Sent: Wednesday, October 02, 2002 12:25 PM
To: 'Kirill S. Tarashev'
Subject: RE: NAT... misunderstanding

Hi, it can work as long as the NAT firewall knows what to do with incoming packets.
I'm using cipe on w2k behind a NAT router, ok it doesn't work 100% but that's probably my config.

dan

-----Original Message-----
From: Kirill S. Tarashev [mailto:rikoil,AT,iss,DOT,ru]
Sent: 02 October 2002 06:55 AM
To: cipe-l,AT,inka,DOT,de
Subject: NAT... misunderstanding

Sorry for stupid question, but probably I don't understand some important things..

in the main page of http://sites.inka.de/sites/bigred/devel/cipe.html I can find text
"......Special care has been taken to make this work over dynamic addresses, NAT and SOCKS proxies"

but in the documentation - cipe-1.5.1.texinfo something like that
"Here is in detail how it is possible to build CIPE links between different classes of carriers. Those classes are, based on how they are able to reach the Internet:
.............
4. Indirect connection through a NAT (masquerading) router.(NAT, masquerading)

This produces ten different combinations:
.............
4-4 Not possible. Neither side gets to know its effective carrier address at all

question: Whether or not it can work with client behind NAT firewall???
(Server with CIPE has Internet IP, client works through the NAT firewall)

Because, I didn't find any link in documentation to this subject....

Thank you

--
Message sent by the cipe-l,AT,inka,DOT,de mailing list.
Unsubscribe: mail majordomo,AT,inka,DOT,de, "unsubscribe cipe-l" in body
Other commands available with "help" in body to the same address.
CIPE info and list archive: <URL:http://sites.inka.de/~bigred/devel/cipe.html>
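
The NAT behaviour discussed in this thread, as an added example that is not part of the original messages and is not CIPE code: a toy model of a port-translating NAT router handling UDP, showing why a client behind NAT can reach a public peer without router changes, why an unsolicited inbound packet is dropped, and why the 4-4 case only works once one side forwards a UDP port. All addresses, the port 9999 and the assumption that the router does not preserve source ports are constructed for illustration.

```python
from dataclasses import dataclass, field

SERVER = ("198.51.100.10", 9999)   # constructed public peer (documentation address)
CLIENT = ("192.168.1.20", 9999)    # constructed host behind the NAT router

@dataclass
class NatRouter:
    public_ip: str
    forwards: dict = field(default_factory=dict)  # public port -> LAN (ip, port)
    table: dict = field(default_factory=dict)     # public port -> (LAN host, remote)
    next_port: int = 40000                        # assumed: ports are not preserved

    def outbound(self, src, dst):
        """LAN host sends UDP: return the source address the remote side sees."""
        for port, host in self.forwards.items():
            if host == src:                       # a static forward works both ways
                return (self.public_ip, port)
        for port, (host, remote) in self.table.items():
            if host == src and remote == dst:     # reuse the existing mapping
                return (self.public_ip, port)
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = (src, dst)
        return (self.public_ip, port)

    def inbound(self, src, dst_port):
        """UDP arrives on the public side: return the LAN target, None if dropped."""
        if dst_port in self.forwards:
            return self.forwards[dst_port]
        host, remote = self.table.get(dst_port, (None, None))
        return host if remote == src else None    # only "related" replies pass

def client_behind_nat():
    nat = NatRouter("203.0.113.5")
    seen = nat.outbound(CLIENT, SERVER)           # client initiates, mapping created
    reply = nat.inbound(SERVER, seen[1])          # server answers the observed source
    unsolicited = nat.inbound(SERVER, 9999)       # server initiates: no mapping
    return seen, reply, unsolicited

def both_behind_nat(forward_on_a):
    """The 4-4 case: each side can only aim at the other router's public port."""
    nat_a, nat_b = NatRouter("203.0.113.5"), NatRouter("203.0.113.77")
    a, b = ("192.168.1.20", 9999), ("10.0.0.7", 9999)
    if forward_on_a:
        nat_a.forwards[9999] = a
    b_pub = nat_b.outbound(b, (nat_a.public_ip, 9999))
    if nat_a.inbound(b_pub, 9999) != a:
        return False                              # dropped; A -> B fails the same way
    a_pub = nat_a.outbound(a, b_pub)              # A answers the observed source
    return nat_b.inbound(a_pub, b_pub[1]) == b
```

In the client-behind-NAT case the public peer has to reply to the translated source address it observes, not to a statically configured one, for the return traffic to match the router's mapping.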

















