Re: Static routing problem, Fw: cipe tunnel doesn't start automatically|
Alan Stern <stern,AT,rowland,DOT,harvard,DOT,edu>|
Thu, 5 Dec 2002 16:59:19 +0100|
On Thu, 5 Dec 2002, Nico Flemming wrote:
> I want to place a static route over a cipe connection which is not
> always up:
> > Server A: 192.168.10.1
> > Gateway A: 22.214.171.124
> > |
> > | (internet)
> > |
> > Gateway B: 126.96.36.199
> > Server B: 192.168.11.1
> So Gateway A must have a static route to Server B over Gateway B. If
> the cipe-link is established this is no problem. But what should I do if the
> cipe connection is down?
It sounds like your whole approach is wrong. First of all, Gateway A does
not need to have any routes to Server B set up by hand; the route is
created automatically by cipe when the cipe connection goes up. If
anything, Gateway A should have a static route (with a high metric) that
tells it to _drop_ packets addressed to Server B, so that when the cipe
connection is down Gateway A doesn't try to send packets to Server B in
the clear over its regular Internet link. The fact that Server B's
address is in the private 192.168.x.x range might not prevent Gateway A
from trying to reach it in this way.
Second, you do need a static route in Server A, telling it that to reach
Server B, the next hop should be to Gateway A. If Gateway A is the
default router for Server A then you probably already have this route
> I can not place a route over a none existing device. So a user on Server A
> has no chance to establish the cipe connection when pinging Server B.
A user on Server A has no way to establish the cipe connection at all.
That can only be done on Gateway A.
> Is there a solution for this problem? The ip-up is not very useful for this
> because it will be startet after the link is established.
You should start the cipe connection when the Gateway computers boot. It
should remain up permanently; that way users on Server A won't have to
worry about establishing the connection.
> This commands fails on Gateway A if the cipe link is down:
> route add -net 192.168.11.0 netmask 255.255.255.0 gw 188.8.131.52
Your command is completely inappropriate. In fact, it amounts to telling
Gateway A that it can reach Server B without using the cipe link at all!
Repeating what I said earlier, you shouldn't need to add any routes on
> To force the cipe link to be up the whole day is no solution because the
> internet connection is not flat and should only be established on demand.
Not at all. The cipe connection can remain up even when the internet
connection is down. Under normal circumstances, if there is no traffic
going over the cipe link, then it won't send any packets over the internet
link. (You may have to turn off cipe's internal ping to make this work.)
All you will need to do is make sure that when someone does try to send
data over the cipe link, and cipe then tries to send an encrypted packet
over the internet link, that the Gateway's internet connection does come