Subject: Re: Static routing problem, Fw: cipe tunnel doesn't start automatically
From: "Nico Flemming" <nf,AT,ventas,DOT,de>
Date: Fri, 6 Dec 2002 10:00:07 +0100
In-reply-to: <Pine.LNX.4.33L2.0212051006130.701-100000@ida.rowland.org>

Hi,

> > I want to place a static route over a cipe connection which is not
> > always up:
> >
> > > Server A: 192.168.10.1
> > > Gateway A:  1.100.15.1
> > > |
> > > | (internet)
> > > |
> > > Gateway B: 1.100.15.2
> > > Server B: 192.168.11.1
> >
> > So Gateway A must have a static route to Server B over Gateway B. If
> > the cipe-link is established this is no problem. But what should I do if the
> > cipe connection is down?
>
> It sounds like your whole approach is wrong.  First of all, Gateway A does
> not need to have any routes to Server B set up by hand; the route is
> created automatically by cipe when the cipe connection goes up.  If

Ok, that sounds logical :)

> anything, Gateway A should have a static route (with a high metric) that
> tells it to _drop_ packets addressed to Server B, so that when the cipe
> connection is down Gateway A doesn't try to send packets to Server B in
> the clear over its regular Internet link.  The fact that Server B's
> address is in the private 192.168.x.x range might not prevent Gateway A
> from trying to reach it in this way.
> Second, you do need a static route in Server A, telling it that to reach
> Server B, the next hop should be to Gateway A.  If Gateway A is the
> default router for Server A then you probably already have this route
> installed.

Ok, that's the situation:

Server A: 192.168.10.1
  |
    eth0: 192.168.10.254
Gateway A
    cipcb0: 1.100.15.1
      |
      | Internet
    cipcb0: 1.100.15.2
Gateway B
    eth0: 192.168.11.254
  |
Server B: 192.168.11.1

Server A has its default route over Gateway A:
0.0.0.0         192.168.10.254  0.0.0.0         UG    0      0        0 eth0

And Server B has its default route over Gateway B:

0.0.0.0         192.168.11.254  0.0.0.0         UG    0      0        0 eth0

In the /etc/cipe/ip-up from Gateway A is:
/sbin/route add -net 102.168.11.0  netmask 255.255.255.0 gw 1.100.15.2

In the /etc/cipe/ip-up from Gateway B:
/sbin/route add -net 102.168.10.0  netmask 255.255.255.0 gw 1.100.15.1

So. That's the situation.
In fact the CIPE tunnel is loaded when the server boots. But if the internet
connection is dropped and someone from 192.168.11.1 pings 192.168.10.1
then all packets were dropped and the cipe connection won't be established
again.

But: If someone pings 1.100.15.1 from 192.168.11.1 then the cipe connection
will be immediately established.

What is wrong?

Regards,
Nico Flemming

>
> > I can not place a route over a non-existing device. So a user on Server A
> > has no chance to establish the cipe connection when pinging Server B.
>
> A user on Server A has no way to establish the cipe connection at all.
> That can only be done on Gateway A.
>
> > Is there a solution for this problem? The ip-up is not very useful for this
> > matter,
> > because it will be started after the link is established.
>
> You should start the cipe connection when the Gateway computers boot.  It
> should remain up permanently; that way users on Server A won't have to
> worry about establishing the connection.
>
> > This command fails on Gateway A if the cipe link is down:
> > route add -net 192.168.11.0 netmask 255.255.255.0 gw 1.100.15.2
>
> Your command is completely inappropriate.  In fact, it amounts to telling
> Gateway A that it can reach Server B without using the cipe link at all!
> Repeating what I said earlier, you shouldn't need to add any routes on
> Gateway A.
>
> > To force the cipe link to be up the whole day is no solution because the
> > internet connection is not flat and should only be established on demand.
>
> Not at all.  The cipe connection can remain up even when the internet
> connection is down.  Under normal circumstances, if there is no traffic
> going over the cipe link, then it won't send any packets over the internet
> link.  (You may have to turn off cipe's internal ping to make this work.)
>
> All you will need to do is make sure that when someone does try to send
> data over the cipe link, and cipe then tries to send an encrypted packet
> over the internet link, that the Gateway's internet connection does come
> up automatically.
>
> Alan Stern
>
>
> --
> Message sent by the cipe-l,AT,inka,DOT,de mailing list.
> Unsubscribe: mail majordomo,AT,inka,DOT,de, "unsubscribe cipe-l" in body
> Other commands available with "help" in body to the same address.
> CIPE info and list archive: <URL:http://sites.inka.de/~bigred/devel/cipe.html>
>
>
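
The fail-closed route Alan Stern describes in the quoted reply, modelled as an added example that is not part of the original thread: it picks Gateway A's route for Server B by longest prefix and then lowest metric, with and without a high-metric reject route. The interface name ppp0, the metric 100 and the helper names are assumptions made for the illustration.

```python
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    dest: ipaddress.IPv4Network
    dev: Optional[str]  # None models a reject route (no output device)
    metric: int


def net(cidr, dev, metric=0):
    return Route(ipaddress.ip_network(cidr), dev, metric)


def lookup(table, addr):
    """Kernel-style selection: longest prefix first, then lowest metric."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in table if ip in r.dest]
    return min(matches, key=lambda r: (-r.dest.prefixlen, r.metric), default=None)


def fate(table, addr, tunnel_dev="cipcb0"):
    """Classify what Gateway A does with a packet addressed to addr."""
    r = lookup(table, addr)
    if r is None or r.dev is None:
        return "dropped"
    return "tunnel" if r.dev == tunnel_dev else f"cleartext via {r.dev}"


# Gateway A while the cipe link is down. ppp0 as the on-demand Internet
# interface is an assumption; the thread does not name it.
BASE = [net("192.168.10.0/24", "eth0"), net("0.0.0.0/0", "ppp0")]
# High-metric reject route (metric 100 is a constructed value), e.g. net-tools:
#   route add -net 192.168.11.0 netmask 255.255.255.0 metric 100 reject
GUARD = net("192.168.11.0/24", None, metric=100)
# Route to Server B's network that exists only while cipcb0 is up.
TUNNEL = net("192.168.11.0/24", "cipcb0", metric=0)
SERVER_B = "192.168.11.1"

if __name__ == "__main__":
    cases = [("link down, no guard", BASE),
             ("link down, guard", BASE + [GUARD]),
             ("link up, guard", BASE + [GUARD, TUNNEL])]
    for label, table in cases:
        print(f"{label:22} -> {fate(table, SERVER_B)}")
```
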