
To: "Phil Scarratt" <fil,AT,draxsen,DOT,com>
Subject: Re: Routing
From: "Vladimir Hirner" <vladoh,AT,microstep-mis,DOT,com>
Date: Mon, 14 Jul 2003 12:49:16 +0200
Cc: <cipe-l,AT,inka,DOT,de>
References: <013c01c349e3$15a82210$fd91a8c0@mstep> <3F12809C.9020507@draxsen.com>

Thanks for the reply,

I think these are the solutions I talked about. I think the best is to turn on
NAT on NOD1. Adding route to FW is not in my competition. Which application
is best for routing in Windows? (I'm trying WinRoute Pro now)

vladimir

----- Original Message ----- 
From: "Phil Scarratt" <fil,AT,draxsen,DOT,com>
To: "Vladimir Hirner" <vladoh,AT,microstep-mis,DOT,com>
Cc: <cipe-l,AT,inka,DOT,de>
Sent: Monday, July 14, 2003 12:06 PM
Subject: Re: Routing

> From what I can tell, the problem lies with the fact that once the ICMP
> echo req gets to the destination computer (let's call it PC_DEST),
> PC_DEST does not know the specific route back to the source of the
> request (let's say for e.g. NOD1). All PC_DEST knows about is the LAN -
> 192.168.2.0 and its GATEWAY - presumably NAT_FW_2. This means that
> PC_DEST will send the ICMP ECHO RESPONSE to the default gateway, i.e.
> NAT_FW_2. As NAT_FW_2 is NOT the end of the cipe tunnel it does not know
> where to find 192.168.145.0 either, it will try higher up the chain - i.e.
> the internet.
>
> Solution:
> Add a route on NAT_FW_2 that tells it where the gateway to 192.168.145.0
> is - ie on NOD2. This MAY or MAY not work/be possible depending on your
> setup.
>
> Alternatively....
>
> Add a route to all client machines in the local network that tells it
> how to reach the remote cipe'd network. So using the example above,
> PC_DEST would have a route that says something like:
>
> 192.168.145.0 mask 255.255.255.0 NOD2.IP.Addr interface PC_DEST.IP.Addr
>
> where
>
> NOD2.IP.Addr=LOCAL NETWORK interface ip address (192.168.2.x)
> PC_DEST.IP.Addr=LOCAL NETWORK interface ip address (192.168.2.x)
>
> Easy ways to do this? If you run a domain type network you can use the
> logon script files to add the appropriate routes or possibly even AD
> services (I'm only guessing here as I've never used active directory).
>
> Fil
>
> Vladimir Hirner wrote:
> > Hi,
> >
> > I want to ask some questions about routing problems in CIPE configuration.
> >
> > My config:
> >
> > PC-win2k (NOD1) - NAT FW 1 - internet - NAT FW 2 (running udp redirector) - PC-win2k (NOD2)
> >
> > 1: NOD1:
> >
> > Local IP: 0.0.0.0:1111
> > Peer IP: NAT 2:1111
> > Local PTP: 10.0.1.1
> > Peer PTP: 10.0.1.2
> >
> > local network: 192.168.145.0
> > routing:
> > 192.168.2.0 mask 255.255.255.0 10.0.1.2 using interface 10.0.1.1
> > 10.0.1.2 through 10.0.1.1  using interface 10.0.1.1
> > 10.0.1.0 mask 255.255.255.0 10.0.1.1 using interface 10.0.1.1
> >
> > 2: NOD2:
> >
> > Local IP: 0.0.0.0:1111
> > Peer IP: NAT 1:1111 (I think it could also be 0.0.0.0 because the real peer IP is handshaked in the CIPE connection)
> > Local PTP: 10.0.1.2
> > Peer PTP: 10.0.1.1
> >
> > local network: 192.168.2.0
> > routing:
> > 192.168.145.0 mask 255.255.255.0 10.0.1.1 using interface 10.0.1.2
> > 10.0.1.1 through 10.0.1.2  using interface 10.0.1.2
> > 10.0.1.0 mask 255.255.255.0 10.0.1.2 using interface 10.0.1.2
> >
> > When the connection is established from NOD1 to NOD2, I can ping both
> > sides of the tunnel and also the physical IP addresses of the PCs running
> > CIPE devices (NOD1 and NOD2), but I cannot ping any other PC in the
> > internal network on both sides (so I cannot ping from NOD2 192.168.145.0
> > and from NOD1 I cannot ping 192.168.2.0)
> >
> > I think the problem is this:
> >
> > I checked the sent packets and the ICMP echo req. is sent through the
> > tunnel from NOD2 to NOD1 and then it's sent from NOD1 into the local
> > network. But it's sent with the IP of NOD2's tunnel endpoint. I tried
> > changing the PTP addresses to the 192.168.145.0 network (so
> > 192.168.145.253 (NOD1) and 192.168.145.254 (NOD2) - because NOD2 should
> > have a default route into the tunnel, so it's enough to allow access from
> > NOD2 to NOD1's network, not from NOD1 to NOD2's network) and then the ICMP
> > packet sent from NOD2 is forwarded into the 192.168.145.0 network with
> > source address 192.168.145.254, but it also didn't get back.
> >
> > So I think this happened:
> >
> > 1. PTP network 10.0.1.0
> > The destination didn't know how to respond to a packet sent from the
> > 10.0.1.0 network, so the solution would be to add a static route into the
> > destination to use the physical IP address of NOD1 (or NOD2 on the other
> > side) to pass the packet. Another solution would be to enable NAT on NOD1
> > and NOD2 (how can I use NAT on Windows 2000? There is only connection
> > sharing but I don't know if it would do the right thing).
> >
> > 2. PTP network 192.168.145.0
> > A packet sent from NOD2 into the 192.168.145.0 network is sent with source
> > IP 192.168.145.254 but it could not get back because the destination
> > doesn't know its ethernet physical address so it tries to send an ARP req.
> > with 192.168.145.254? But it seems the CIPE device doesn't answer it, so
> > the destination could not send the response packet.
> >
> > How should I configure CIPE to get access to the whole internal network?
> >
> > thanks
> >
> >
> > Vladimir
> >
> >
> > --
> > Message sent by the cipe-l,AT,inka,DOT,de mailing list.
> > Unsubscribe: mail majordomo,AT,inka,DOT,de, "unsubscribe cipe-l" in body
> > Other commands available with "help" in body to the same address.
> > CIPE info and list archive: <URL:http://sites.inka.de/~bigred/devel/cipe.html>
>
>
> -- 
> Phil Scarratt
> Draxsen Technologies
> IT Contractor/Consultant
> 0403 53 12 71
>
>
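
Added example, not part of the original messages: a small Python model of the return-path problem discussed in this thread, tracing where PC_DEST's echo reply goes before and after each of the two suggested static routes. The routing-table contents and the remote host address 192.168.145.20 are constructed assumptions; the last trace goes beyond the quoted route and shows that a reply addressed to the tunnel endpoint 10.0.1.1 is not matched by a 192.168.145.0 route.

```python
import ipaddress

def next_hop(table, dst):
    """Longest-prefix match: gateway of the most specific matching route."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(net), gw) for net, gw in table
               if dst in ipaddress.ip_network(net)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def trace(tables, start, dst, max_hops=8):
    """Follow a packet hop by hop until it leaves the modelled hosts."""
    path, node = [start], start
    for _ in range(max_hops):
        hop = next_hop(tables[node], dst)
        path.append(hop)
        if hop not in tables:  # "tunnel", "internet", "on-link" or None
            break
        node = hop
    return path

def site2_tables(fw_route=False, client_route=False):
    """Constructed model of the 192.168.2.0/24 side; host names from the thread."""
    remote = "192.168.145.0/24"
    tables = {
        "PC_DEST":  [("192.168.2.0/24", "on-link"), ("0.0.0.0/0", "NAT_FW_2")],
        "NAT_FW_2": [("192.168.2.0/24", "on-link"), ("0.0.0.0/0", "internet")],
        "NOD2":     [("192.168.2.0/24", "on-link"), (remote, "tunnel"),
                     ("10.0.1.0/24", "tunnel"), ("0.0.0.0/0", "NAT_FW_2")],
    }
    if fw_route:       # first suggestion: route on NAT_FW_2 pointing at NOD2
        tables["NAT_FW_2"].append((remote, "NOD2"))
    if client_route:   # alternative: route on every LAN client
        tables["PC_DEST"].append((remote, "NOD2"))
    return tables

if __name__ == "__main__":
    remote_pc = "192.168.145.20"  # constructed address on the remote LAN
    print("no extra route :", trace(site2_tables(), "PC_DEST", remote_pc))
    print("route on FW    :", trace(site2_tables(fw_route=True), "PC_DEST", remote_pc))
    print("route on client:", trace(site2_tables(client_route=True), "PC_DEST", remote_pc))
    # Reply to a ping whose source was NOD1's tunnel endpoint address
    print("reply to PTP IP:", trace(site2_tables(client_route=True), "PC_DEST", "10.0.1.1"))
```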

