Phil Scarratt <fil,AT,draxsen,DOT,com>
Re: concrete udp forwarding question
Daniel Andor <da209,AT,cam,DOT,ac,DOT,uk>
Tue, 24 Jun 2003 16:38:32 +0100
Daniel Andor <Daniel.Andor,AT,physics,DOT,org>
On Tuesday 24 June 2003 12:14 am, Phil Scarratt wrote:
(This doesn't address the issue of NAT.) :)
> You may need to use MachineC instead of the routerNAT to get access to
> MachineA with CIPE as you need to add firewall rules/port forwards to
> the routerNAT. All the routerNAT really needs to do is allow the port
> you select for CIPE to be forwarded from internal lan to internet.
> NAT'ing will take care of routing the returning or incoming CIPE packets
> from MachineA back to MachineB. If there is no available free port open
> on the routerNAT then MachineC is the way - exactly the same applies (i.e.
> just allow the port you select to be forwarded from internal to internet
> and NAT will take care of the rest). The problem with this of course is that
> I presume the default gateway on MachineB is the routerNAT in which case
> you will have to tell MachineB that the specific route to MachineA is
> via MachineC.
Thanks for the analysis. I'm no network expert, but I think my experiences
over the past day confirm what you say.
I now have it working, so for the benefit of others, this setup seems to work:
1) It looks like the NAT router takes care of reverse mapping UDP port 1111
an outgoing packet is sent. Therefore I don't need to use machineC.
1b) It didn't work if the two UDP ports (to A and to B) were not the same.
This was the case even when I set up udpproxy on machineC, because machineA,
after sending a single packet to machineC, kept insisting on sending packets
to the routerNAT, even though I had told it to send packets to machineC in
the options file.
2) It seems like I need the "ping" option to keep the NAT router forwarding
the UDP packets it receives from machineA to machineB. (I have no idea what
the time-out on the NAT router is, so I set 10 seconds as not too wasteful if
3) What purpose does the "me" parameter in machineB options have? -- can I
get rid of it somehow?
> Hope this makes sense.
Yes, thanks very much.
> Daniel Andor wrote:
> > Hi All,
> > I can't quite work out how to configure this setup, so I would be very
> > grateful for some help.
> > I have a machineA with a static IP, and a machineB behind a NAT router:
> > machineA <--- internet ---> routerNAT <--- internal LAN ---> machineB
> > How should I configure this to create a cipe vpn between machineA and B?
> > Notes:
> > I do not have access to routerNAT.
> > There's another machineC, distinct from the router, which has interfaces
> > on both the internet *and* the internal LAN. I have access to this to be
> > able to run userland programs.
> > Any help appreciated!
> > Thanks,
> > Daniel.
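
The behaviour described in points 1 and 2 of the reply above, as an added example that is not part of the original message: a toy model of a NAT router's UDP mapping table, showing why packets from machineA only get through after machineB has sent one, and why the "ping" interval has to stay below the router's idle timeout. The 30-second timeout, the port-preserving mapping and the rule that only outgoing packets refresh a mapping are assumptions, since the real router's behaviour is unknown.

```python
from dataclasses import dataclass, field

IDLE_TIMEOUT = 30.0  # seconds; assumed, the real router's value is unknown


@dataclass
class UdpNat:
    """Toy NAT: one mapping per (external port, remote host, remote port)."""
    idle_timeout: float = IDLE_TIMEOUT
    table: dict = field(default_factory=dict)

    def outbound(self, now, src, sport, dst, dport):
        """Packet from the LAN creates or refreshes the mapping.
        Assumption: the NAT keeps the source port unchanged."""
        self.table[(sport, dst, dport)] = (src, sport, now)
        return sport  # source port the remote side will see

    def inbound(self, now, src, sport, ext_port):
        """Packet from the internet is forwarded only through a live mapping.
        Assumption: inbound traffic does not refresh the mapping."""
        key = (ext_port, src, sport)
        entry = self.table.get(key)
        if entry is None:
            return None                      # unsolicited: dropped
        host, port, last_seen = entry
        if now - last_seen > self.idle_timeout:
            del self.table[key]              # mapping expired: dropped
            return None
        return (host, port)


def simulate(ping_interval, a_send_times, port=1111):
    """machineB sends one packet at t=0, then a keepalive every
    ping_interval seconds (None = no keepalive). Returns, for each time
    machineA sends, whether the packet reached machineB."""
    nat = UdpNat()
    nat.outbound(0.0, "machineB", port, "machineA", port)
    next_ping = ping_interval
    delivered = []
    for t in sorted(a_send_times):
        while next_ping is not None and next_ping <= t:
            nat.outbound(next_ping, "machineB", port, "machineA", port)
            next_ping += ping_interval
        delivered.append(nat.inbound(t, "machineA", port, port) is not None)
    return delivered


if __name__ == "__main__":
    times = [5, 20, 45, 60]  # constructed send times for machineA
    print("no ping :", simulate(None, times))
    print("ping 10 :", simulate(10, times))
```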