<< | Thread Index | >> ]    [ << | Date Index | >> ]

To: "Les Mikesell" <les,AT,futuresource,DOT,com>
Subject: Re: Redhat9 CIPE
From: "Naoki" <i_naoki,AT,mbf,DOT,nifty,DOT,com>
Date: Fri, 25 Jul 2003 11:20:03 +0900
Cc: <cipe-l,AT,inka,DOT,de>
References: <000c01c351f9$9217b680$c801a8c0@naoki3> <1059064503.11694.68.camel@moola.futuresource.com>

Dear Mikesell,

 Thank you for your advice.

 But, If a few WindowsPC is on one LAN without wins server,
these PC can see each other by NetBIOS name.

        PC1-----PC2-----PC3----PCn

 So, I expected if iptables accepts the transfering port 137:139
through CIPE, I can do it easily.

 And then, Though I changed my iptables for this transfering,
cipcb0 could not receive any UDP packets from eth1.
 After this, I tryed to use lmhosts in WindowsPC. This test could
not see NetBIOS name (LAN1 to LAN2) directly. But, after searching
of NetBIOS name by explorer, I could use NetBIOS name.
 Using lmhosts, cipcb0 received a lot of only TCP packets.(not UDP)
(ex:NBSS,SNB,DCERPC,WKSSVC)

 I read CIPE document again, Certainly there is "CIPE encrypted
IP datagrams in UDP datagrams......."
^^^^^^^^^^^^^

 Certainly, Samba is a good solution for us. But If I build Samba into
Firewall system, a new deamon run. I don't say what Samba security
is bad. Sorry my not enough sentense.
 I'd like to build this Firewall with a little system deamons as possible.

 In the dial-up case, IP address are distributed by DHCP server on
LAN1 for each WindowsPC.

192.168.0.0/24                                    192.168.10.0/24
LAN1----------GW1========GW2------------LAN2
             DHCP               |
                                    |=== dial-up----Mobile PC

 Even if DHCP server manages distributed IP address by MAC
address (almost same as fixed IP), Mobile PC cannot see which
PC turned ON at once.

 Ummm, I have to evaluate CIPE more detail.

 If you have more information, would you please let me know ?
There are not a lot of information about CIPE in Japan.

Best regards,

----- Original Message ----- 
From: "Les Mikesell" <les,AT,futuresource,DOT,com>
To: "Naoki" <i_naoki,AT,mbf,DOT,nifty,DOT,com>
Cc: <cipe-l,AT,inka,DOT,de>
Sent: Friday, July 25, 2003 1:35 AM
Subject: Re: Redhat9 CIPE

> On Thu, 2003-07-24 at 10:38, Naoki wrote:
>
> >  Are there any ways to see NetBIOS name without wins server ?
> >
>
> You need it if you want to be able to browse the network neighborhood
> across any kind of router.  This isn't related to cipe at all.
>
> >  I guess, if iptables accepts port 137:139 for CIPE, I can see it.
> >
> >  How is my guess ?
> >
>
> If you know the IP numbers or the netbios names are the same
> as DNS names you can connect to the shared resources without
> WINS involvement.
>
>
> > In this situation, I must build a Firewall system with VPN for business.
> > If I build Samba into this system, security will not be good.
>
> Why do you say that?  Compared to Windows, Samba security is excellent.
>
> > (And, if ClientPC is not on LAN(Ex.dial-up), there is not wins server.)
>
> Look at the client IP number.  I think you'll see that it is on
> the LAN and the server is forwarding broadcasts instead of
> routing.
>
>
> > Though I tryed to use lmhosts in WindowsPC on LAN2, I could not
> > see the another side NetBIOS name on LAN1 directly.
> >  After search this NetBIOS name, I could find it.
>
> It won't show up in the browse list, but like using the IP number
> or DNS name, it lets you connect if you know the resource name.
>
> > Anyway, I really worry now. Since CIPE is faster than IPsec and is
> > useful for NAT, I'd like to use CIPE very much.
>
> You are going to have exactly the same issue with any solution
> that works like a router and does not forward broadcasts.
>
> ---
>   Les Mikesell
>     les,AT,futuresource,DOT,com
>
>
>


<< | Thread Index | >> ]    [ << | Date Index | >> ]