
Subject: Re: Problems with win32 routing. Win32-Linux tunnel.
From: Roman Medina <roman,AT,rs-labs,DOT,com>
Date: Fri, 14 Feb 2003 19:44:35 +0100
In-reply-to: <a4jn4vg2ponkpa3sjp017if9oaoibjhe14@4ax.com>

 Hi,

 First, I'd like to thank Damion for his fast and effective response.
Now I can ping hosts through the cipe link. I'm using the cipe link to
secure my communications going through an untrusted network. The
scheme is:

My laptop <6.1 --cipe link-- 6.2> Secure PoP <--NAT--> Internet

 Communications start usually from my laptop, with ip 192.168.6.1.
They are encapsulated through cipe tunnel to the secure point of
presence. Finally they're nat'ed toward the Internet.

 I've tried to establish a connection to an irc server. These are the
network packets as being seen by 6.2 peer on cipcb0:

19:08:21.462140 192.168.6.1.4640 > 206.128.196.130.6667: S 3413063074:3413063074(0) win 16384 <mss 1446,nop,nop,sackOK> (DF)
19:08:21.640823 206.128.196.130.6667 > 192.168.6.1.4640: S 1268262578:1268262578(0) ack 3413063075 win 5840 <mss 1460,nop,nop,sackOK> (DF)
19:08:21.959413 192.168.6.1.4640 > 206.128.196.130.6667: . 1:1(0) ack 1 win 17352 (DF)
19:08:21.980933 192.168.6.1.4640 > 206.128.196.130.6667: P 1:17(16) ack 1 win 17352 (DF)
19:08:22.141657 206.128.196.130.6667 > 192.168.6.1.4640: P 1:74(73) ack 1 win 5840 (DF)
19:08:22.158644 206.128.196.130.6667 > 192.168.6.1.4640: . 74:74(0) ack 17 win 5840 (DF)
19:08:22.506497 192.168.6.1.4640 > 206.128.196.130.6667: P 17:115(98) ack 74 win 17279 (DF)
19:08:22.684376 206.128.196.130.6667 > 192.168.6.1.4640: P 74:242(168) ack 115 win 5840 (DF)
19:08:23.198532 192.168.6.1.4640 > 206.128.196.130.6667: . 115:115(0) ack 242 win 17111 (DF)
19:08:23.376300 206.128.196.130.6667 > 192.168.6.1.4640: P 242:431(189) ack 115 win 5840 (DF)
19:08:23.749890 192.168.6.1.4640 > 206.128.196.130.6667: P 115:132(17) ack 431 win 16922 (DF)
19:08:23.935391 206.128.196.130.6667 > 192.168.6.1.4640: P 431:1466(1035) ack 132 win 5840 (DF)
19:08:24.631733 192.168.6.1.4640 > 206.128.196.130.6667: P 132:151(19) ack 1466 win 17352 (DF)
19:08:24.810956 206.128.196.130.6667 > 192.168.6.1.4640: P 2912:4172(1260) ack 151 win 5840 (DF)
19:08:25.534352 192.168.6.1.4640 > 206.128.196.130.6667: . 151:151(0) ack 1466 win 17352 <nop,nop, sack 1 {2912:4172} > (DF)

 Connection becomes something like blocked here, i.e., it is
interrupted. Why? Look at this "nop,nop, sack 1 {2912:4172}" options
of the last packet. Could somebody interpret this?

 I've also noticed that all packets through CIPE link are marked with
DF (don't fragment) ip flag. Is it normal behaviour of cipe?

 Thanks for your help.

 Regards,
 --Roman

--
PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]

On Thu, 13 Feb 2003 15:06:59 -0400, you wrote:

>The netmask for the IP address on the CIPE adapter must match the traffic. 
>192.168.7.x and 192.168.6.x would normally be CLASS_C with a netmask of 
>255.255.255.0. You can either set the netmask to be, say, CLASS_B 
>(255.255.0.0) or change one of the CIPE adapter addresses to match the class 
>of the other (e.g. 192.168.7.1 becomes 192.168.6.2)
>
>DKW
>
>On Thursday 13 February 2003 01:17 pm, Roman Medina wrote:
>>  Hi,
>>
>>  I'm trying to establish a cipe tunnel between a Win2k (dynamic IP)
>> and a Linux box (static IP). Latest versions of cipe used at both
>> peers. Well, as you should have guessed, it is not working. So I'm
>> here :-)
>>
>>  I think the problem is with the win32 peer. I got to solve some
>> problems with the VPN virtual device (it was not visible at ipconfig),
>> deactivating some other network drivers (like vmware and commview
>> ones).
>>
>>  Before posting all my config and give a possible headache to you, I'd
>> like to receive some more info about cipe routing on win32. Let's
>> summarize:
>>
>> - win2k: cipe device is: 192.168.6.1
>> - linux: cipe device is: 192.168.7.1
>>
>>  I'm trying to communicate one machine (192.168.0.1 - win2k side) with
>> another one (192.168.1.15 - linux side).
>>
>>  Routing tables (simplified a lot, only cipe info shown):
>> - linux:
>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>> 192.168.6.1     0.0.0.0         255.255.255.255 UH    0      0        0 cipcb0
>> 192.168.0.0     192.168.6.1     255.255.255.0   UG    0      0        0 cipcb0
>> Default gw is internet, not shown here. This tells that packets sent
>> to cipe's peer (win2k, i.e., 6.1) should go through linux cipcb0. This
>> route is right and is placed automatically by cipe when its service is
>> started. The 2nd route has been added by me and tells that packets
>> destined to 192.168.0.x [0.1 is included here] should be tunneled
>> through the 1st route.
>>
>> - win2k (I guess this is the problem):
>> ===========================================================================
>> Lista de interfaces
>> 0x1 ........................... MS TCP Loopback interface
>> 0x2 ...00 50 56 c0 00 08 ...... VMware Virtual Ethernet Adapter
>> 0x3 ...00 50 56 c0 00 01 ...... VMware Virtual Ethernet Adapter
>> 0x1000005 ...00 08 0d 39 e5 07 ...... Intel 8255x-based Integrated Fast Ethernet
>> 0x2000006 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
>> 0x2000007 ...08 00 58 00 00 01 ...... DKW Heavy Industries VPN Adapter.
>> ===========================================================================
>> ===========================================================================
>> Rutas activas:
>> Destino de red        Máscara de red   Puerta de acceso   Interfaz      Métrica
>>       192.168.1.0    255.255.255.0      192.168.6.1     192.168.6.1      1
>>       192.168.6.0    255.255.255.0      192.168.6.1     192.168.6.1      1
>>       192.168.6.1  255.255.255.255        127.0.0.1       127.0.0.1      1
>>     192.168.6.255  255.255.255.255      192.168.6.1     192.168.6.1      1
>>
>>
>>  The 2nd, 3rd and 4th routes are being added by cipe VPN device. I see
>> differences. If this peer were also a Linux box, the cipe route should
>> be 192.168.7.1 through cipe. I'm not seeing this here but I don't know
>> how to get a similar effect using win2k on this peer.
>>
>>  Any idea? What am I doing wrong? :-/ Thanks in advance for your help.
>>
>>  Regards,
>>  --Roman
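
Added example, not part of the original message: a short Python reading of the tcpdump capture near the top of this post, showing how the cumulative ack and the `sack 1 {2912:4172}` option together identify the byte range the laptop never received, and whether that range appears anywhere in the lines captured on cipcb0. The function name `analyse` and the result keys are illustrative; the trace lines are copied from the post.

```python
import re

# Lines copied from the capture in the post (unwrapped): the SYN and the last packets.
TRACE = """\
19:08:21.462140 192.168.6.1.4640 > 206.128.196.130.6667: S 3413063074:3413063074(0) win 16384 <mss 1446,nop,nop,sackOK> (DF)
19:08:23.376300 206.128.196.130.6667 > 192.168.6.1.4640: P 242:431(189) ack 115 win 5840 (DF)
19:08:23.935391 206.128.196.130.6667 > 192.168.6.1.4640: P 431:1466(1035) ack 132 win 5840 (DF)
19:08:24.810956 206.128.196.130.6667 > 192.168.6.1.4640: P 2912:4172(1260) ack 151 win 5840 (DF)
19:08:25.534352 192.168.6.1.4640 > 206.128.196.130.6667: . 151:151(0) ack 1466 win 17352 <nop,nop, sack 1 {2912:4172} > (DF)
"""

LINE_RE = re.compile(r"^\S+ (\S+) > (\S+): \S+ (?:(\d+):(\d+)\((\d+)\))?")
ACK_RE = re.compile(r"\back (\d+)")
SACK_RE = re.compile(r"\{(\d+):(\d+)\}")
MSS_RE = re.compile(r"\bmss (\d+)")


def analyse(trace):
    """Report byte ranges a SACK sender is missing and whether the capture saw them."""
    mss, segments, report = {}, [], []
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst = m.group(1), m.group(2)
        opt = MSS_RE.search(line)
        if opt:
            mss[src] = int(opt.group(1))  # MSS this host advertised in its SYN
        if m.group(5) and int(m.group(5)) > 0:
            segments.append((src, int(m.group(3)), int(m.group(4))))
        ack, blocks = ACK_RE.search(line), SACK_RE.findall(line)
        if not (ack and blocks):
            continue
        edge = int(ack.group(1))  # everything below this arrived in order
        for left, right in sorted((int(a), int(b)) for a, b in blocks):
            if left > edge:
                # [edge, left) is data flowing dst -> src that src never received
                seen = any(s == dst and a < left and b > edge for s, a, b in segments)
                report.append({"missing": (edge, left), "size": left - edge,
                               "receiver_mss": mss.get(src), "seen_in_capture": seen})
            edge = max(edge, right)
    return report


if __name__ == "__main__":
    for hole in analyse(TRACE):
        print(hole)
```

For this capture the result is a single gap, bytes 1466 to 2912 of the server's stream: 1446 bytes, the same value as the MSS the laptop advertised in its SYN, and a segment that does not appear in the lines captured on cipcb0.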




