
To: Vladimir Hirner <vladoh,AT,microstep-mis,DOT,com>
Subject: Re: Routing
From: Phil Scarratt <fil,AT,draxsen,DOT,com>
Date: Mon, 14 Jul 2003 20:06:20 +1000
Cc: cipe-l,AT,inka,DOT,de
Organization: Draxsen Technologies
References: <013c01c349e3$15a82210$fd91a8c0@mstep>

From what I can tell, the problem lies with the fact that once the ICMP echo request gets to the destination computer (let's call it PC_DEST), PC_DEST does not know the specific route back to the source of the request (let's say, e.g., NOD1). All PC_DEST knows about is the LAN - 192.168.2.0 - and its GATEWAY - presumably NAT_FW_2. This means that PC_DEST will send the ICMP ECHO RESPONSE to the default gateway, i.e. NAT_FW_2. As NAT_FW_2 is NOT the end of the cipe tunnel, it does not know where to find 192.168.145.0 either; it will try higher up the chain - i.e. the internet.

Solution:
Add a route on NAT_FW_2 that tells it where the gateway to 192.168.145.0 is - i.e. on NOD2. This MAY or MAY NOT work/be possible depending on your setup.


Alternatively....

Add a route to all client machines in the local network that tells them how to reach the remote cipe'd network. So, using the example above, PC_DEST would have a route that says something like:

192.168.145.0 mask 255.255.255.0 NOD2.IP.Addr interface PC_DEST.IP.Addr

where

NOD2.IP.Addr=LOCAL NETWORK interface ip address (192.168.2.x)
PC_DEST.IP.Addr=LOCAL NETWORK interface ip address (192.168.2.x)

Easy ways to do this? If you run a domain-type network you can use the logon script files to add the appropriate routes, or possibly even AD services (I'm only guessing here as I've never used Active Directory).

Fil

Vladimir Hirner wrote:
Hi,

I want to ask some questions about routing problems in a CIPE configuration.

My config:

PC-win2k (NOD1)  - NAT FW 1 - internet - NAT FW 2 (running udp redirector) -
PC-win2k (NOD2)

1: NOD1:

Local IP: 0.0.0.0:1111
Peer IP: NAT 2:1111
Local PTP: 10.0.1.1
Peer PTP: 10.0.1.2

local network: 192.168.145.0
routing:
192.168.2.0 mask 255.255.255.0 10.0.1.2 using interface 10.0.1.1
10.0.1.2 through 10.0.1.1  using interface 10.0.1.1
10.0.1.0 mask 255.255.255.0 10.0.1.1 using interface 10.0.1.1

2: NOD2:

Local IP: 0.0.0.0:1111
Peer IP: NAT 1:1111 (I think; it could also be 0.0.0.0 because the real peer IP
is handshaked in the CIPE connection)
Local PTP: 10.0.1.2
Peer PTP: 10.0.1.1

local network: 192.168.2.0
routing:
192.168.145.0 mask 255.255.255.0 10.0.1.1 using interface 10.0.1.2
10.0.1.1 through 10.0.1.2  using interface 10.0.1.2
10.0.1.0 mask 255.255.255.0 10.0.1.2 using interface 10.0.1.2

When the connection is established from NOD1 to NOD2, I can ping both sides
of the tunnel and also the physical IP addresses of the PCs running CIPE devices
(NOD1 and NOD2), but I cannot ping any other PC in the internal network on either
side (so I cannot ping 192.168.145.0 from NOD2, and from NOD1 I cannot ping
192.168.2.0).

I think the problem is this:

I checked the sent packets and the ICMP echo request is sent through the tunnel
from NOD2 to NOD1 and then it's sent from NOD1 into the local network. But it's
sent with the IP of NOD2's tunnel endpoint. I tried changing the PTP addresses to
the 192.168.145.0 network (so 192.168.145.253 (NOD1) and 192.168.145.254
(NOD2) - because NOD2 should have a default route into the tunnel, so it's enough
to allow access from NOD2 to NOD1's network, not from NOD1 to NOD2's network) and
then the ICMP packet sent from NOD2 is forwarded into the 192.168.145.0 network
with source address 192.168.145.254, but it also didn't get back.

So I think this happened:

1. PTP network 10.0.1.0
The destination didn't know how to respond to a packet sent from the 10.0.1.0
network, so the solution would be to add a static route on the destination to
use the physical IP address of NOD1 (or NOD2 on the other side) to pass the
packet. Another solution would be to enable NAT on NOD1 and NOD2 (how can I use
NAT on Windows 2000? There is only connection sharing, but I don't know if it
would do the right thing).

2. PTP network 192.168.145.0
The packet sent from NOD2 into the 192.168.145.0 network is sent with source IP
192.168.145.254, but it could not get back because the destination doesn't
know its Ethernet physical address, so it tries to send an ARP request for
192.168.145.254? But it seems the CIPE device doesn't answer it, so the
destination could not send the response packet.

How should I configure CIPE to get access to the whole internal network?

thanks


Vladimir



-- Message sent by the cipe-l,AT,inka,DOT,de mailing list. Unsubscribe: mail majordomo,AT,inka,DOT,de, "unsubscribe cipe-l" in body Other commands available with "help" in body to the same address. CIPE info and list archive: <URL:http://sites.inka.de/~bigred/devel/cipe.html>

-- Phil Scarratt Draxsen Technologies IT Contractor/Consultant 0403 53 12 71
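The asymmetric-routing problem Phil describes, and both of his fixes, can be checked by simulating longest-prefix-match forwarding over the hosts' route tables. The following model is an added example and is not code from the thread or from the CIPE project. The host names and the 10.0.1.1/10.0.1.2 tunnel addresses are taken from the thread; the LAN-side addresses of NOD1, NOD2, PC_DEST and NAT_FW_2, the LAN host PC_SRC behind NOD1, and NAT_FW_2's upstream next hop (203.0.113.1) are constructed so the tables are concrete. It traces an echo request and its reply before and after adding the return route, and also follows the case Vladimir reports, where the request carries the tunnel endpoint 10.0.1.1 as its source, to show that the return route must then cover the tunnel network as well.

```python
"""Model of the routing problem in the thread: longest-prefix-match forwarding
over per-host route tables, used to trace an ICMP echo request and its reply."""
import copy
import ipaddress

INTERNET = "203.0.113.1"  # NAT_FW_2's upstream next hop (constructed, RFC 5737 address)


def base_routes():
    """Route tables as described in the thread plus constructed LAN addresses.
    Entries are (prefix, next_hop, interface); next_hop None = directly connected."""
    return {
        "PC_SRC": [                                        # LAN host behind NOD1 (constructed)
            ("192.168.145.0/24", None, "192.168.145.10"),
            ("0.0.0.0/0", "192.168.145.1", "192.168.145.10"),
        ],
        "NOD1": [
            ("192.168.2.0/24", "10.0.1.2", "10.0.1.1"),       # from the thread
            ("10.0.1.0/24", None, "10.0.1.1"),                # from the thread
            ("192.168.145.0/24", None, "192.168.145.1"),      # LAN address constructed
        ],
        "NOD2": [
            ("192.168.145.0/24", "10.0.1.1", "10.0.1.2"),     # from the thread
            ("10.0.1.0/24", None, "10.0.1.2"),                # from the thread
            ("192.168.2.0/24", None, "192.168.2.1"),          # LAN address constructed
            ("0.0.0.0/0", "192.168.2.254", "192.168.2.1"),    # default via NAT_FW_2
        ],
        "PC_DEST": [
            ("192.168.2.0/24", None, "192.168.2.10"),
            ("0.0.0.0/0", "192.168.2.254", "192.168.2.10"),   # knows only its default gateway
        ],
        "NAT_FW_2": [
            ("192.168.2.0/24", None, "192.168.2.254"),
            ("0.0.0.0/0", INTERNET, "203.0.113.2"),           # everything else goes upstream
        ],
    }


# Which modelled host owns which address (tunnel addresses from the thread).
OWNER = {
    "192.168.145.10": "PC_SRC",
    "192.168.145.1": "NOD1", "10.0.1.1": "NOD1",
    "10.0.1.2": "NOD2", "192.168.2.1": "NOD2",
    "192.168.2.10": "PC_DEST",
    "192.168.2.254": "NAT_FW_2",
}


def lookup(table, dst):
    """Longest-prefix match, as a host's IP stack does."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def trace(routes, src_host, dst, max_hops=8):
    """Follow a packet for dst hop by hop starting at src_host.
    Returns (outcome, path): 'delivered', 'no route', 'unreachable' (connected
    route but no such host on the link) or 'leaked' (handed to a gateway outside
    the modelled network, i.e. the Internet)."""
    host, path = src_host, [src_host]
    for _ in range(max_hops):
        route = lookup(routes[host], dst)
        if route is None:
            return "no route", path
        _net, gw, _iface = route
        if gw is None:                      # directly connected: deliver on the link
            nxt = OWNER.get(dst)
            if nxt is None:
                return "unreachable", path
        else:                               # forward to the next-hop router
            nxt = OWNER.get(gw)
            if nxt is None:
                return "leaked", path
        path.append(nxt)
        if nxt == OWNER.get(dst):
            return "delivered", path
        host = nxt
    return "loop", path


def ping(routes, src_host, src_ip, dst_ip):
    """Trace an echo request and, if it arrives, the echo reply back to src_ip."""
    req = trace(routes, src_host, dst_ip)
    if req[0] != "delivered":
        return {"request": req, "reply": None}
    return {"request": req, "reply": trace(routes, OWNER[dst_ip], src_ip)}


def with_route(routes, host, prefix, gw, iface):
    """Return a copy of the tables with one static route added on host."""
    new = copy.deepcopy(routes)
    new[host].append((prefix, gw, iface))
    return new


if __name__ == "__main__":
    r = base_routes()
    print("before:", ping(r, "PC_SRC", "192.168.145.10", "192.168.2.10"))
    fw = with_route(r, "NAT_FW_2", "192.168.145.0/24", "192.168.2.1", "192.168.2.254")
    print("route on NAT_FW_2:", ping(fw, "PC_SRC", "192.168.145.10", "192.168.2.10"))
    pc = with_route(r, "PC_DEST", "192.168.145.0/24", "192.168.2.1", "192.168.2.10")
    print("route on PC_DEST:", ping(pc, "PC_SRC", "192.168.145.10", "192.168.2.10"))
    print("tunnel-sourced ping:", ping(pc, "NOD1", "10.0.1.1", "192.168.2.10"))
```

Run as-is, the first trace shows the reply leaving PC_DEST for NAT_FW_2 and then leaking upstream, exactly the failure Phil describes; either static route turns the reply path into PC_DEST, NOD2, NOD1. The last trace shows that with only the 192.168.145.0/24 route on PC_DEST, a ping sourced from the tunnel endpoint 10.0.1.1 still has its reply leak, so the same route has to be added for 10.0.1.0/24 (or the ping has to be sourced from a LAN address) for that case to work.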

