
To: Phil Scarratt <fil,AT,draxsen,DOT,com>
Subject: Re: concrete udp forwarding question
From: Daniel Andor <da209,AT,cam,DOT,ac,DOT,uk>
Date: Tue, 24 Jun 2003 16:38:32 +0100
Cc: cipe-l,AT,inka,DOT,de
In-reply-to: <3EF789DB.60305@draxsen.com>
References: <200306231916.11758.da209@cam.ac.uk> <3EF789DB.60305@draxsen.com>
Reply-to: Daniel Andor <Daniel.Andor,AT,physics,DOT,org>

On Tuesday 24 June 2003 12:14 am, Phil Scarratt wrote:
> Follow
>
> http://mia.ece.uic.edu/~papers/volans/cipe.html

(This doesn't address the issue of NAT.) :)

> You may need to use MachineC instead of the routerNAT to get access to
> MachineA with CIPE as you need to add firewall rules/port forwards to
> the routerNAT. All the routerNAT really needs to do is allow the port
> you select for CIPE to be forwarded from internal lan to internet.
> NAT'ing will take care of routing the returning or incoming CIPE packets
> from MachineA back to MachineB. If there is no available free port open
> on the routerNAT then MachineC is the way - exactly the same applies (ie
> just allow the port you select to be forwarded from internal to internet
> and NAT will take care of rest. The problem with this of course is that
> I presume the default gateway on MachineB is the routerNAT in which case
> you will have to tell MachineB that the specific route to MachineA is
> via MachineC.

Thanks for the analysis.  I'm no network expert, but I think my experiences 
over the past day confirm what you say.

I now have it working, so for the benefit of others, this setup seems to work:

machineA options:
ptpaddr         10.0.2.1
ipaddr          10.0.2.2
me              machineA.public.address:1111
peer            0.0.0.0:1111
#debug
key ...
maxerr -1

machineB options:
ptpaddr         10.0.2.2
ipaddr          10.0.2.1
me               machineB.internal.address:1111
peer            machineA.public.address:1111
key              ...
#debug
maxerr -1
ping 10

Notes: 

1) It looks like the NAT router takes care of reverse mapping UDP port 1111 if 
an outgoing packet is sent. Therefore I don't need to use machineC.

1b) It didn't work if the two UDP ports (to A and to B) were not the same. 
This was the case even when I set up udpproxy on machineC, because machineA, 
after sending a single packet to machineC, kept insisting on sending packets 
to the routerNAT, even though I had told it to send packets to machineC in 
the options file.

2) It seems like I need the "ping" option to keep the NAT router forwarding 
the UDP packets it receives from machineA to machineB. (I have no idea what 
the time-out on the NAT router is, so I set 10 seconds as not too wasteful of 
resources.)

3) What purpose does the "me" parameter in machineB options have? -- can I 
get rid of it somehow?

> Hope this makes sense.

Yes, thanks very much.
Daniel.

> Fil
>
> Daniel Andor wrote:
> > Hi All,
> >
> > I can't quite work out how to configure this setup, so I would be very
> > grateful for some help.
> >
> > I have a machineA with a static IP, and a machineB behind a NAT router:
> >
> > machineA <--- internet ---> routerNAT <--- internal LAN ---> machineB
> >
> > How should I configure this to create a cipe vpn between machineA and B?
> >
> > Notes:
> > I do not have access to routerNAT.
> > There's another machineC, distinct from the router, which has interfaces
> > on both the internet *and* the internal LAN.  I have access to this to be
> > able to run userland programs.
> >
> > Any help appreciated!
> > Thanks,
> > Daniel.

