
To: Andrew Grimberg <tykeal,AT,bardicgrove,DOT,org>
Subject: Re: XP to RH 7.3 firewall
From: Phil Scarratt <fil,AT,draxsen,DOT,com>
Date: Tue, 17 Jun 2003 08:48:30 +1000
Cc: CIPE List <cipe-l,AT,inka,DOT,de>
Organization: Draxsen Technologies
References: <1055776798.4295.17.camel@localhost.localdomain>

Try setting both ends of the tunnel to the same subnet, i.e.:

 --[cut]--
 # Please read /usr/share/doc/initscripts-*/sysconfig.txt
 # for the documentation of these parameters.
 USERCTL=no
 DEVICE=cipcb0
 IPADDR=10.1.3.2     ####### NOTE THE CHANGE
 TYPE=CIPE
 ONBOOT=yes
 PTPADDR=10.1.3.1
 PEER=10.1.2.161:6000
 PEERDNS=no
 ME=10.1.2.1:6001
 --[cut]--

The XP workstation (with 2.0-pre15) is setup thusly

 [info]
 CIPE VNIC
 IP: 10.1.3.1/24 (windows doesn't like /32)
 no GW

 CIPE config
 Local IP: 10.1.2.161, port 6000
 Peer IP: 10.1.2.1, port 6001
 Local PTP IP (autoset to 10.1.3.1)
 Peer PTP IP: 10.1.3.2     ####### NOTE THE CHANGE
 [/info]

Fil

Andrew Grimberg wrote:
Greetings folks,

I did a search on the list archives but I may have used the wrong params
so if this has already been answered I'm sorry and could you just point
me to the relevant thread then?  Thanks :)

Anyway, here's my problem.

I've got a RH7.3 firewall setup with two private networks behind it.  A
wireless LAN and a wired LAN.  Here's a pic:

I'net -- FW / NAT -- WAP LAN  (10.1.2.x)
                  +- wired LAN (10.1.1.x)

The WAP network is barred access to the wired LAN except through the
same ports as are forwarded from outside to servers on the inside.
Believe me, if I could get away with it the servers would be in an
isolated network as well ;)


Here's the problem.  One of my users has XP on their laptop and really
needs to get access to stuff on the wired LAN and wireless is their only
option in some locations.  I've got the FW configured to accept their
traffic without any mangling or anything (I've setup other Linux based
laptops to work with this and have it fully tested there).  However,
while the link comes up on both sides, I can't get even a single ping
to go through the CIPE tunnel.

Basically it works like this:

FW interfaces at 10.1.1.1 and 10.1.2.1 (wired and wireless
respectively).  CIPE tunnels are assigned an ip in 10.1.3.x space.

The particular client configuration that I'm looking at is configured
thusly

--[cut]--
# Please read /usr/share/doc/initscripts-*/sysconfig.txt
# for the documentation of these parameters.
USERCTL=no
DEVICE=cipcb0
IPADDR=10.1.1.1
TYPE=CIPE
ONBOOT=yes
PTPADDR=10.1.3.1
PEER=10.1.2.161:6000
PEERDNS=no
ME=10.1.2.1:6001
--[cut]--

The XP workstation (with 2.0-pre15) is setup thusly

[info]
CIPE VNIC
IP: 10.1.3.1/24 (windows doesn't like /32)
no GW

CIPE config
Local IP: 10.1.2.161, port 6000
Peer IP: 10.1.2.1, port 6001
Local PTP IP (autoset to 10.1.3.1)
Peer PTP IP: 10.1.1.1
[/info]

I can see the interfaces come up, under linux I see the if up and
everything and /var/log/messages doesn't show any problems

On the windows side, the only evidence that I have that it came up
correctly is that a netstat shows the machine up on udp port 6000.

Pinging from the FW to 10.1.3.1 produces messages in /var/log/messages
about keys being set and such but I never get a return ping.

Checked routing under XP and never saw 10.1.1.1 as a defined route.

Added it as follows:  route add 10.1.1.1 mask 255.255.255.255 10.1.3.1
The system still would not ping in either direction.

Any clues?

Thanks in advance :)
-Andy-

--
Message sent by the cipe-l,AT,inka,DOT,de mailing list.
Unsubscribe: mail majordomo,AT,inka,DOT,de, "unsubscribe cipe-l" in body
Other commands available with "help" in body to the same address.
CIPE info and list archive: <URL:http://sites.inka.de/~bigred/devel/cipe.html>

-- Phil Scarratt Draxsen Technologies IT Contractor/Consultant 0403 53 12 71
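The mismatch Phil's reply fixes (the Linux end's IPADDR sitting in 10.1.1.x, outside the 10.1.3.0/24 the XP VNIC carries, and colliding with the firewall's own wired address) is the kind of thing a small consistency check catches before anyone starts pinging. The script below is an added example, not code from the thread or from the CIPE project: it parses an ifcfg-cipcb0 fragment as posted, models the XP side as a plain dict (the key names for the XP settings are assumptions, since the GUI has no file format on the page), and checks that the UDP endpoints and point-to-point addresses cross-match, that both tunnel addresses fall inside the VNIC's subnet, and that neither reuses an address already bound to a physical firewall interface.

```python
"""Consistency check for a CIPE point-to-point tunnel between a Red Hat
firewall (ifcfg-cipcb0) and a Windows XP peer.  Added example; the XP
field names (vnic_ip, local, peer, local_ptp, peer_ptp) are assumptions."""
import ipaddress

# Constructed sample: the Linux side exactly as posted in the original
# question (broken: IPADDR is on the firewall's wired subnet, not 10.1.3.x).
RH_BROKEN = """
# Please read /usr/share/doc/initscripts-*/sysconfig.txt
USERCTL=no
DEVICE=cipcb0
IPADDR=10.1.1.1
TYPE=CIPE
ONBOOT=yes
PTPADDR=10.1.3.1
PEER=10.1.2.161:6000
PEERDNS=no
ME=10.1.2.1:6001
"""
# Phil's suggested change: move IPADDR into the tunnel subnet.
RH_FIXED = RH_BROKEN.replace("IPADDR=10.1.1.1", "IPADDR=10.1.3.2")

# Constructed sample: the XP side as posted, then with Phil's change applied.
XP_BROKEN = {
    "vnic_ip": "10.1.3.1", "vnic_prefix": 24,      # VNIC address (/24, not /32)
    "local": "10.1.2.161:6000", "peer": "10.1.2.1:6001",
    "local_ptp": "10.1.3.1", "peer_ptp": "10.1.1.1",
}
XP_FIXED = dict(XP_BROKEN, peer_ptp="10.1.3.2")

# Addresses already bound on the firewall's physical interfaces (from the post).
FW_IFACE_ADDRS = {"10.1.1.1", "10.1.2.1"}


def parse_ifcfg(text):
    """Parse a Red Hat ifcfg-style KEY=VALUE file into a dict, skipping comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip().strip('"')
    return cfg


def check_tunnel(rh, xp, fw_addrs=frozenset()):
    """Return a list of problems; an empty list means the two ends agree."""
    problems = []

    # 1. The UDP endpoints must be mirror images of each other.
    if rh["PEER"] != xp["local"]:
        problems.append(f"RH PEER {rh['PEER']} != XP local {xp['local']}")
    if rh["ME"] != xp["peer"]:
        problems.append(f"RH ME {rh['ME']} != XP peer {xp['peer']}")

    # 2. The point-to-point addresses must cross-match as well.
    if rh["IPADDR"] != xp["peer_ptp"]:
        problems.append(f"RH IPADDR {rh['IPADDR']} != XP peer PTP {xp['peer_ptp']}")
    if rh["PTPADDR"] != xp["local_ptp"]:
        problems.append(f"RH PTPADDR {rh['PTPADDR']} != XP local PTP {xp['local_ptp']}")

    # 3. Windows only routes the VNIC's own prefix over the tunnel, so both
    #    tunnel addresses must sit inside that prefix or the peer is unreachable.
    vnic_net = ipaddress.ip_network(
        f"{xp['vnic_ip']}/{xp['vnic_prefix']}", strict=False)
    for label, addr in (("RH IPADDR", rh["IPADDR"]), ("RH PTPADDR", rh["PTPADDR"])):
        if ipaddress.ip_address(addr) not in vnic_net:
            problems.append(f"{label} {addr} is outside XP VNIC subnet {vnic_net}")

    # 4. A tunnel address that is also a physical interface address makes the
    #    kernel answer locally instead of over cipcb0.
    for label, addr in (("RH IPADDR", rh["IPADDR"]), ("RH PTPADDR", rh["PTPADDR"])):
        if addr in fw_addrs:
            problems.append(f"{label} {addr} collides with a firewall interface")

    return problems


if __name__ == "__main__":
    for name, rh_text, xp in (("as posted", RH_BROKEN, XP_BROKEN),
                              ("after Phil's change", RH_FIXED, XP_FIXED)):
        found = check_tunnel(parse_ifcfg(rh_text), xp, FW_IFACE_ADDRS)
        print(f"{name}: {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
```

Run it and the "as posted" configuration reports the subnet and interface-collision problems, which is why the XP routing table never showed 10.1.1.1 behind the VNIC and why adding a host route by hand did not help; the corrected pair reports nothing.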

