
To: <cipe-l,AT,inka,DOT,de>
Subject: RE: No way
From: "Mark Smith" <mark.smith,AT,avcosystems,DOT,co,DOT,uk>
Date: Tue, 8 Jul 2003 16:29:50 +0100
Importance: Normal
In-reply-to: <Pine.LNX.4.44.0307081136200.7165-100000@libra.rsnetservices.com.br>

> Connected to SpeedTouchPro ADSL modem/router
[snip]
> The log shows "INPUT packet died source 'outside address of the adsl modem
> of the client', port 7777, destination, the outside address from the
> firewall (10.0.0.1).

This may be the source of your problem - your ADSL router may very well not
be forwarding the traffic back as far as the RedHat machine.  In this
configuration, the router is performing NAT which is an automatic inbound
firewall layer - only established outbound connections are going to be able
to get through.

First thing you're going to need to verify is that traffic can get between
the two CIPE endpoints.  From the client, it's going to see the IP address
of the router, so it'll be sending packets there, and the router must send
them on to the correct place.  You haven't given any indication of the
connectivity between the ADSL routers, so I'm going to assume Internet,
using addresses 1.2.3.4 for the client adsl router, and 5.6.7.8 for the
server adsl router.

I'm not entirely sure you need a firewall in this configuration as well, but
assuming it's going to stay there, then the packet will travel thus:

client 192.168.3.2 -> cipe, encapsulated from 10.0.0.1
client 10.0.0.1 -> adsl router 1.2.3.4 addressed to 5.6.7.8 port 7777
client adsl router -> internet
internet -> server adsl router 5.6.7.8

At this point, the server adsl router needs to send it on to the firewall,
which appears to have an address of 10.0.0.1.  So the router has rewritten
the destination to be 10.0.0.1 and transmitted it.  Now the packet has to
pass through the firewall and get rewritten again to be destined for
192.168.0.1.  Finally, the machine running CIPE receives the packet now
addressed to 192.168.0.1 port 7777, and processes it.  The encapsulated
packet, now decrypted, probably has source address 192.168.3.2.

The return packet needs to get back to the machine running CIPE in order for
it to get to the tunnel and through it to the other end.  The packet has
destination 192.168.3.2, which CIPE encapsulates, addressed to 1.2.3.4 port
7777, and sends it to the firewall.  The firewall must pass it out untouched
to the server adsl router.  The server adsl router must pass it out to the
internet untouched so that it can arrive at the client adsl router.

Just as for the server, the client adsl router needs to know that traffic
sent to port 7777 actually gets forwarded on to the client, so the
destination is rewritten to 10.0.0.1 and sent on.  The client now receives
it on port 7777, decrypts it and processes it.  The encapsulated packet,
addressed to 192.168.3.2, is delivered and bidirectional traffic is
established.

There's more to it than this, but basically the packets need to pass
outbound through the adsl router over the internet, and when received by the
adsl router, they need to be forwarded.  The firewall also needs to work the
same way, when it receives a packet from the router, addressed either to the
firewall, in which case it needs to rewrite it, or addressed to the cipe
machine, in which case it needs to forward it.  Reply traffic arriving at the
firewall destined for the internet, specifically the client adsl router,
needs to get there.

Once you've verified that you can get traffic between the two cipe
endpoints, we'll take it from there.

Mark, the writer of long replies.  Oops.

--
Mark Smith - Avco Systems Ltd
email: mark.smith,AT,avcosystems,DOT,co,DOT,uk
Tel: +44 (0)1784 430996 Fax: +44 (0)1784 431078
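The packet path traced in the reply above, as an added model that is not code from the thread or from the CIPE project. The addresses are the ones the reply uses (client CIPE endpoint 10.0.0.1 behind ADSL router 1.2.3.4; server ADSL router 5.6.7.8 forwarding UDP 7777 to the firewall's outside address 10.0.0.1, which must in turn forward it to the CIPE host 192.168.0.1). The hop names, the NatHop class, its forwards table and the snat_outbound flag are assumptions made for the model; the drop message it produces when the firewall lacks a forward is shaped after the log line quoted in the thread, and the sample packets are constructed.

```python
"""Model of the CIPE-over-NAT packet path described in the reply.

Assumed hop model: NAT routers masquerade outbound traffic (source rewritten to
the router's outside address) and only deliver inbound traffic for which a port
forward (DNAT) exists; anything else dies on that hop's INPUT chain.
"""
from dataclasses import dataclass, field, replace

CIPE_PORT = 7777


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class NatHop:
    name: str
    outside: str                                   # address seen from the far side
    forwards: dict = field(default_factory=dict)   # inbound dport -> inside host (assumed)
    snat_outbound: bool = True                     # routers masquerade; firewall passes untouched

    def outbound(self, pkt):
        """Egress: a NAT router rewrites the source to its outside address."""
        if not self.snat_outbound:
            return pkt, f"{self.name}: forwarded outbound untouched"
        new = replace(pkt, src=self.outside)
        return new, f"{self.name}: SNAT {pkt.src} -> {new.src}"

    def inbound(self, pkt):
        """Ingress: DNAT when a port forward exists; otherwise the packet dies on
        this hop, which is the situation the thread's log line reports."""
        inside = self.forwards.get(pkt.dport)
        if inside is None:
            return None, (f"{self.name}: INPUT packet died src {pkt.src} "
                          f"dport {pkt.dport} dst {pkt.dst}")
        new = replace(pkt, dst=inside)
        return new, f"{self.name}: DNAT {pkt.dst}:{pkt.dport} -> {new.dst}:{new.dport}"


def trace(pkt, egress_hops, ingress_hops):
    """Send pkt out through egress_hops and in through ingress_hops.
    Returns (final packet, or None if dropped, list of per-hop log lines)."""
    log = []
    for hop in egress_hops:
        pkt, msg = hop.outbound(pkt)
        log.append(msg)
    for hop in ingress_hops:
        pkt, msg = hop.inbound(pkt)
        log.append(msg)
        if pkt is None:
            break
    return pkt, log


# Hops as laid out in the reply (constructed from the addresses it uses).
CLIENT_ROUTER = NatHop("client adsl router", "1.2.3.4", {CIPE_PORT: "10.0.0.1"})
SERVER_ROUTER = NatHop("server adsl router", "5.6.7.8", {CIPE_PORT: "10.0.0.1"})
FIREWALL = NatHop("firewall", "10.0.0.1", {CIPE_PORT: "192.168.0.1"},
                  snat_outbound=False)


def forward_path(firewall_forwards=True):
    """Client -> server, the step list in the reply. With firewall_forwards=False
    the firewall has no DNAT for 7777 and the packet dies there with
    src 1.2.3.4 / dst 10.0.0.1, matching the quoted log entry."""
    fw = FIREWALL if firewall_forwards else replace(FIREWALL, forwards={})
    pkt = Packet("10.0.0.1", CIPE_PORT, "5.6.7.8", CIPE_PORT)   # constructed CIPE UDP packet
    return trace(pkt, [CLIENT_ROUTER], [SERVER_ROUTER, fw])


def return_path():
    """Server -> client: the firewall passes it untouched, the server router
    masquerades it, and the client router's port forward delivers it to 10.0.0.1."""
    pkt = Packet("192.168.0.1", CIPE_PORT, "1.2.3.4", CIPE_PORT)  # constructed reply packet
    return trace(pkt, [FIREWALL, SERVER_ROUTER], [CLIENT_ROUTER])


if __name__ == "__main__":
    for label, (final, log) in (("forward, all forwards present", forward_path(True)),
                                ("forward, firewall missing DNAT", forward_path(False)),
                                ("return", return_path())):
        print(f"== {label} ==")
        print("\n".join(log))
        print("delivered:", final)
```

Running the script prints the three traces; the second one ends with the firewall's "INPUT packet died" line, which is the check to make against the real log: the hop that reports the drop is the hop missing the forward for UDP 7777.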

