
To: "Vladimir Hirner" <vladoh,AT,microstep-mis,DOT,com>,"Phil Scarratt" <fil,AT,draxsen,DOT,com>
Subject: Re: Routing
From: "Vladimir Hirner" <vladoh,AT,microstep-mis,DOT,com>
Date: Mon, 14 Jul 2003 15:25:04 +0200
Cc: <cipe-l,AT,inka,DOT,de>
References: <013c01c349e3$15a82210$fd91a8c0@mstep> <3F12809C.9020507@draxsen.com> <001501c349f5$9253da90$1091a8c0@mstep>

I got NAT working using WinRoute Pro. It seems very easy... hope it will work
:). I set up NAT on the physical interface to change the source IP of packets
whose source IP = tunnel PTP IP to the physical adapter IP.

vladimir

----- Original Message ----- 
From: "Vladimir Hirner" <vladoh,AT,microstep-mis,DOT,com>
To: "Phil Scarratt" <fil,AT,draxsen,DOT,com>
Cc: <cipe-l,AT,inka,DOT,de>
Sent: Monday, July 14, 2003 12:49 PM
Subject: Re: Routing

> thanks for reply,
>
> I think these are the solutions I talked about. I think the best is to turn on
> NAT on NOD1. Adding a route to FW is not in my competition. Which application
> is best for routing in Windows? (I'm trying WinRoute Pro now)
>
> vladimir
>
> ----- Original Message ----- 
> From: "Phil Scarratt" <fil,AT,draxsen,DOT,com>
> To: "Vladimir Hirner" <vladoh,AT,microstep-mis,DOT,com>
> Cc: <cipe-l,AT,inka,DOT,de>
> Sent: Monday, July 14, 2003 12:06 PM
> Subject: Re: Routing
>
>
> > From what I can tell, the problem lies with the fact that once the ICMP
> > echo req gets to the destination computer (let's call it PC_DEST),
> > PC_DEST does not know the specific route back to the source of the
> > request (let's say, e.g., NOD1). All PC_DEST knows about is the LAN -
> > 192.168.2.0 and its GATEWAY - presumably NAT_FW_2. This means that
> > PC_DEST will send the ICMP ECHO RESPONSE to the default gateway, i.e.
> > NAT_FW_2. As NAT_FW_2 is NOT the end of the cipe tunnel it does not know
> > where to find 192.168.145.0 either, it will try higher up the chain - i.e.
> > the internet.
> >
> > Solution:
> > Add a route on NAT_FW_2 that tells it where the gateway to 192.168.145.0
> > is - i.e. on NOD2. This MAY or MAY not work/be possible depending on your
> > setup.
> >
> > Alternatively....
> >
> > Add a route to all client machines in the local network that tells it
> > how to reach the remote cipe'd network. So using the example above,
> > PC_DEST would have a route that says something like:
> >
> > 192.168.145.0 mask 255.255.255.0 NOD2.IP.Addr interface PC_DEST.IP.Addr
> >
> > where
> >
> > NOD2.IP.Addr=LOCAL NETWORK interface ip address (192.168.2.x)
> > PC_DEST.IP.Addr=LOCAL NETWORK interface ip address (192.168.2.x)
> >
> > Easy ways to do this? If you run a domain type network you can use the
> > logon script files to add the appropriate routes or possibly even AD
> > services (I'm only guessing here as I've never used active directory).
> >
> > Fil
> >
> > Vladimir Hirner wrote:
> > > Hi,
> > >
> > > I want to ask some questions about routing problems in CIPE configuration.
> > >
> > > My config:
> > >
> > > PC-win2k (NOD1) - NAT FW 1 - internet - NAT FW 2 (running udp redirector) - PC-win2k (NOD2)
> > >
> > > 1: NOD1:
> > >
> > > Local IP: 0.0.0.0:1111
> > > Peer IP: NAT 2:1111
> > > Local PTP: 10.0.1.1
> > > Peer PTP: 10.0.1.2
> > >
> > > local network: 192.168.145.0
> > > routing:
> > > 192.168.2.0 mask 255.255.255.0 10.0.1.2 using interface 10.0.1.1
> > > 10.0.1.2 through 10.0.1.1  using interface 10.0.1.1
> > > 10.0.1.0 mask 255.255.255.0 10.0.1.1 using interface 10.0.1.1
> > >
> > > 2: NOD2:
> > >
> > > Local IP: 0.0.0.0:1111
> > > Peer IP: NAT 1:1111 (I think it could also be 0.0.0.0 because the real peer IP
> > > is handshaked in the CIPE connection)
> > > Local PTP: 10.0.1.2
> > > Peer PTP: 10.0.1.1
> > >
> > > local network: 192.168.2.0
> > > routing:
> > > 192.168.145.0 mask 255.255.255.0 10.0.1.1 using interface 10.0.1.2
> > > 10.0.1.1 through 10.0.1.2  using interface 10.0.1.2
> > > 10.0.1.0 mask 255.255.255.0 10.0.1.2 using interface 10.0.1.2
> > >
> > > When the connection is established from NOD1 to NOD2, I can ping both sides
> > > of the tunnel and also the physical IP addresses of the PCs running CIPE
> > > devices (NOD1 and NOD2), but I cannot ping any other PC in the internal
> > > network on both sides (so I cannot ping 192.168.145.0 from NOD2, and from
> > > NOD1 I cannot ping 192.168.2.0).
> > >
> > > I think problem is this:
> > >
> > > I checked the sent packets, and the ICMP echo req. is sent through the tunnel
> > > from NOD2 to NOD1 and then it's sent from NOD1 into the local network. But
> > > it's sent with the IP of NOD2's tunnel endpoint. I tried changing the PTP
> > > addresses to the 192.168.145.0 network (so 192.168.145.253 (NOD1) and
> > > 192.168.145.254 (NOD2) - because NOD2 should have a default route into the
> > > tunnel, so it's enough to allow access from NOD2 to NOD1's network, not from
> > > NOD1 to NOD2's network) and then the ICMP packet sent from NOD2 is forwarded
> > > into the 192.168.145.0 network with source address 192.168.145.254, but it
> > > also didn't get back.
> > >
> > > So I think this happened:
> > >
> > > 1. PTP network 10.0.1.0
> > > The destination didn't know how to respond to a packet sent from the 10.0.1.0
> > > network, so the solution would be to add a static route on the destination to
> > > use the physical IP address of NOD1 (or NOD2 on the other side) to pass the
> > > packet. Another solution would be to enable NAT on NOD1 and NOD2 (how can I
> > > use NAT on Windows 2000? There is only connection sharing, but I don't know
> > > if it would do the right thing).
> > >
> > > 2. PTP network 192.168.145.0
> > > A packet sent from NOD2 into the 192.168.145.0 network is sent with source IP
> > > 192.168.145.254, but it could not get back because the destination doesn't
> > > know its Ethernet physical address, so it tries to send an ARP req. with
> > > 192.168.145.254? But it seems the CIPE device doesn't answer it, so the
> > > destination could not send the response packet.
> > >
> > > How should I configure CIPE to get access to the whole internal network?
> > >
> > > thanks
> > >
> > >
> > > Vladimir
> > >
> > >
> > > --
> > > Message sent by the cipe-l,AT,inka,DOT,de mailing list.
> > > Unsubscribe: mail majordomo,AT,inka,DOT,de, "unsubscribe cipe-l" in body
> > > Other commands available with "help" in body to the same address.
> > > CIPE info and list archive: <URL:http://sites.inka.de/~bigred/devel/cipe.html>
> >
> >
> > -- 
> > Phil Scarratt
> > Draxsen Technologies
> > IT Contractor/Consultant
> > 0403 53 12 71
> >
> >
> >
>
>
>
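
The return-path problem and the two fixes discussed in this thread (static routes on the LAN hosts, or source NAT on the tunnel endpoint), modelled as an added Python example that is not part of the original messages. The host addresses 192.168.2.1 and 192.168.2.10 are constructed, and the extra route for 10.0.1.0/24 and the choice of NOD2 as the NAT point for this direction are assumptions extending Phil's PC_DEST example.

```python
import ipaddress

# Constructed host addresses; the thread gives only the networks and PTP IPs.
NAT_FW_2 = "192.168.2.1"    # default gateway on LAN 192.168.2.0/24 (assumed)
NOD2_LAN = "192.168.2.10"   # NOD2's physical adapter on that LAN (assumed)
NOD1_PTP = "10.0.1.1"       # NOD1's tunnel address, from the thread

def make_table(*routes):
    """Build a routing table as a list of (network, gateway) pairs."""
    return [(ipaddress.ip_network(net), gw) for net, gw in routes]

def next_hop(table, dst):
    """Longest-prefix match; 'on-link' means direct delivery on the LAN."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, gw) for net, gw in table if dst in net]
    if not matches:
        return None  # no route to host
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def snat(src, nat_rules):
    """Source NAT on the tunnel endpoint: rewrite src if a rule's network matches."""
    addr = ipaddress.ip_address(src)
    for net, new_src in nat_rules:
        if addr in ipaddress.ip_network(net):
            return new_src
    return src

def reply_path(pc_table, request_src):
    """Where PC_DEST sends its echo reply: (destination, next hop)."""
    hop = next_hop(pc_table, request_src)
    return request_src, (request_src if hop == "on-link" else hop)

# PC_DEST as described in the thread: its own LAN plus a default gateway.
PLAIN = make_table(("192.168.2.0/24", "on-link"), ("0.0.0.0/0", NAT_FW_2))
# Fix 1: static routes on PC_DEST pointing at NOD2's LAN address.
ROUTED = PLAIN + make_table(("192.168.145.0/24", NOD2_LAN),
                            ("10.0.1.0/24", NOD2_LAN))
# Fix 2: the tunnel endpoint rewrites tunnel-sourced packets to its LAN address.
NAT_RULES = [("10.0.1.0/24", NOD2_LAN)]

if __name__ == "__main__":
    print("no fix:", reply_path(PLAIN, NOD1_PTP))    # reply leaks to NAT_FW_2
    print("route :", reply_path(ROUTED, NOD1_PTP))   # reply goes via NOD2
    print("snat  :", reply_path(PLAIN, snat(NOD1_PTP, NAT_RULES)))  # on-link
```

With NAT, the LAN hosts need no routing changes, but they see every tunnel client as the endpoint's own address, which matters for any host-based access rules or logging on that LAN.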

