
To: rsalles,AT,rsnetservices,DOT,com,DOT,br
Subject: Re: CPU Usage CIPE-WIN32 Windows XP
From: bhein,AT,bmc-pos,DOT,com
Date: Wed, 17 Sep 2003 09:49:59 -0400
Cc: cipe-l,AT,inka,DOT,de

I'm just thinking aloud here, but I think we might be able to code the
Linux cipe server to be a little more perceptive when it comes to dynamic
clients. What I'm trying to say is, how about if the cipe server sees a
packet come in on the appropriate udp port, from a different IP Address
(with a valid KEY!!!) that the cipe server should immediately switch its
peer's internet IP address to the source address on the most recent packet
with a valid KEY.
In short, each time a valid packet is received, from ANY IP Address (on any
adapter for that matter) then use the source IP on that packet.

It seems like this would get around the issue of having to know the
client's internet IP Address.

Then my next thought is that this might be susceptible to the well known
"replay" attack. Which leads me to wonder if the source IP Address is
encrypted with the packet in such a way that would allow the receiver of
the packet to know if the source address has been spoofed. . . (?)

--Brad

"Renato Salles" <rsalles@rsnetservices.com.br>
Sent by: owner-cipe-l,AT,inka,DOT,de
09/16/2003 04:32 PM
Please respond to rsalles

To: cipe-l,AT,inka,DOT,de
cc:
Subject: Re: CPU Usage CIPE-WIN32 Windows XP

bhein,AT,bmc-pos,DOT,com said:
>
> Renato,
> Excellent ideas. I plan to test them as time permits.
>
> Something that I'm wondering though, is if it is ok for me to use the
> 0.0.0.0 addresses in the config files. Below you recommend filling them
> in, however in my roadwarrior scenario, the roadwarriors will connect from
> any random internet IP Address. I assumed that to tell the system this, I
> should use the address 0.0.0.0 and activate dynip. Is this accurate?

I'll tell you what I use, and this setup works like a charm.

In the case when I have roadwarriors running dynamic IP addresses and
connecting to a fixed IP address, I do:

Visit the www.no-ip.com website, fill the new computer parameters in the
no-ip client (ex.: peer2324.no-ip.com) and let the no-ip.com application
for M$Win start at boot time (you can use dynip.com if you prefer). When
the client starts up, the new dynamic IP number is sent to the no-ip.com
server and saved in their database.

You would have an entry for the fixed server like that:
...
me=0.0.0.0:1736
# The 0.0.0.0 works when you have just one CIPE interface running
# if it's not the case, use the fixed ip via ip-up
peer=peer2324.no-ip.com:1737
...

And for the roadwarrior, fill in:

me=0.0.0.0:1767
peer=xxx.xxx.xxx.xxx:1736
dynip=yes
maxerr=-1
...

HTH,

RSalles

>
>
>
>
> --Brad
> BMC Lansing
> 517-485-1732
> 800-877-1732
>
>
> "Renato Salles" <rsalles@rsnetservices.com.br>
> Sent by: owner-cipe-l,AT,inka,DOT,de
> 09/16/2003 01:11 PM
> Please respond to rsalles
>
> To: cipe-l,AT,inka,DOT,de
> cc:
> Subject: Re: CPU Usage CIPE-WIN32 Windows XP
>
> Hello, Brad,
>
> bhein,AT,bmc-pos,DOT,com said:
>
> So, let's try to figure out what could be happening with those peers:
>
>
>
>>
>> The config files match.
>>
>> As listed below, peers two and three are running when the problem
>> occurs.
>> Peer one was another computer that isn't being used in my lab here at
>> the office.
>>
>>
>> --Brad
>> <setup>
>>
> ###########PEER ONE SKIPPED#############
>> ################
>> # PEER TWO
>> ################
>> ptpaddr         192.168.5.103
>> ipaddr          192.168.5.1
>> me              0.0.0.0:1736
>> peer            0.0.0.0:1737
> # ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> # This is a cause of a loop between ports 1736 & 1737.
> # When you define 0.0.0.0 as peer, you define your own address too,
> # because 0.0.0.0 stands for "all addresses". Locally configured like
> # that is OK, but as a peer parameter it is a call for problems.
> # Use: FQDN:1737 or IP ADDRESS:1737
>> key             00000000010000000002000000000322
>> ping 10
>> device cipcb2
> # Why, how many cipcbx interfaces have you running at this moment?
> # Why not cipcb0 if it's the first/unique interface?
>> dynip 1
>> maxerr=-1
> ######********#######
> # Missing parameters (I have those configured here, so let's insert them
> # as a "doesn't hurt" procedure; they can be removed later if they
> # prove not necessary):
> # ONBOOT parameter as "yes" or "no", define as you want, but use
> # "ifconfig cipcbn up" to get the link running.
> # USERCTL=no (this is the more common case).
> # TYPE=CIPE (it is RH you're running, isn't it?). As this is the default,
> # leave as is.
> # TUNNELDEV=ethx # In the case you have 2/more interfaces - optional.
> #
> ######********#######
>
>> ################
>> # PEER THREE
>> ################
>>> Windows 2000:
>> Local IP Address 0.0.0.0 port 1737
>
> # Where is the "Local PTP address" parameter?
> # This is the IP address of the VPN interface.
> # You had better fill this in before continuing.
>
>> Peer IP Address my.outside.IP.addrses 1736
>> Peer PTP Address 192.168.5.1
>>> I'm using a 32-byte key, blowfish, and a 600 second timeout value.
> # I hope it is exactly the same as above in the "key" parameter for peer 2
>>
>> </setup>
>>
>
> ###########cut###########
>
> Try these corrections and let me know the results.
>
> Best Regards,
>
> RSalles
>
>
> --
> Renato Salles
> Ger.Geral
> RSNetServices
>
>
> --
> Message sent by the cipe-l,AT,inka,DOT,de mailing list.
> Unsubscribe: mail majordomo,AT,inka,DOT,de, "unsubscribe cipe-l" in body
> Other commands available with "help" in body to the same address.
> CIPE info and list archive: <URL:
> http://sites.inka.de/~bigred/devel/cipe.html>

--
Renato Salles
Ger.Geral
RSNetServices
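
Added example, not part of the original thread and not CIPE code: a sketch of the idea raised at the top of this message, where the server adopts the source address of any packet that verifies under the shared key, with a sequence-number window so that a captured packet re-sent from another address cannot move the peer. The packet layout, the use of HMAC-SHA256, the key and the addresses are all assumptions constructed for illustration.

```python
import hashlib, hmac, struct

KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed demo key
TAG_LEN = 32   # HMAC-SHA256 tag length
WINDOW = 64    # sequence numbers this far behind the newest are still accepted

def seal(key, seq, payload):
    """Sender: 8-byte sequence number + payload, followed by an HMAC tag."""
    body = struct.pack(">Q", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class RoamingPeer:
    def __init__(self, key):
        self.key = key
        self.endpoint = None  # source of the newest authentic packet
        self.highest = -1     # highest sequence number accepted so far
        self.seen = 0         # bitmap: bit i set = (highest - i) already accepted

    def receive(self, packet, src):
        """Return the payload if authentic and fresh, else None."""
        if len(packet) < 8 + TAG_LEN:
            return None
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        if not hmac.compare_digest(tag, hmac.new(self.key, body, hashlib.sha256).digest()):
            return None                    # wrong key or modified packet
        seq = struct.unpack(">Q", body[:8])[0]
        if seq > self.highest:
            shift = seq - self.highest
            old = self.seen << shift if shift < WINDOW else 0
            self.seen = (old | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
            self.endpoint = src            # roam only on a newer packet
        else:
            offset = self.highest - seq
            if offset >= WINDOW or (self.seen >> offset) & 1:
                return None                # too old, or a replay
            self.seen |= 1 << offset       # late but unseen: accept, do not roam
        return body[8:]

def demo():
    # Constructed scenario: the client roams, then packet 1 is replayed.
    srv = RoamingPeer(KEY)
    first = seal(KEY, 1, b"ping")
    out = [srv.receive(first, ("198.51.100.7", 1737)),
           srv.receive(seal(KEY, 2, b"data"), ("203.0.113.9", 1737)),
           srv.receive(first, ("192.0.2.66", 1737))]  # replay, spoofed source
    return out, srv.endpoint

if __name__ == "__main__":
    print(demo())
```

The source address is deliberately left out of the MAC, since any NAT on the path would rewrite it; freshness is what stops a replayed packet from redirecting the tunnel. A fresh packet that is delayed on the path and forwarded from another address would still move the endpoint until the client's next packet arrives.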
