
To: "Stramigioli, S" <S.Stramigioli,AT,el,DOT,utwente,DOT,nl>
Subject: RE: Basics
From: Mark Cooke <mpc,AT,star,DOT,sr,DOT,bham,DOT,ac,DOT,uk>
Date: Wed, 24 Dec 2003 15:27:47 +0000
Cc: cipe-l,AT,inka,DOT,de
In-reply-to: <882B6F42BCB1D311BE9700104B40036672C9D2@ntrt2.el.utwente.nl>
References: <882B6F42BCB1D311BE9700104B40036672C9D2@ntrt2.el.utwente.nl>

Okay.

You shouldn't need gateway addresses for pinging to work.

Can you see any UDP traffic on port 9999 at all ?

Unix: run 'tcpdump -i eth0 port 9999' on each machine, and try pinging.

Unix: cipcb module is installed ?  Look in /var/log/messages for hints.

Windows: <google for a net monitor, or install tiny firewall or similar>
and see if you can at least see the udp packets going back and forth.

Windows: The cipe (DWK heavy industries) service is started on both
machines as well as the cipe network interface being enabled ?

Windows: Do you have ICF turned on and is that blocking port 9999 ?

I'll leave the routing question until you are able to at least ping
directly between the endpoints.  The IPs you're using should be fine,
but personally for each VPN link, I'd pick endpoints on a -small-
section of the RFC1918 ranges.

Eg,

For the first link, use:

   10.0.1.0 netmask 255.255.255.252 is the network address
A: 10.0.1.1 netmask 255.255.255.252
B: 10.0.1.2 netmask 255.255.255.252
   10.0.1.3 netmask 255.255.255.252 is the broadcast address

(Note: on a point to point, neither the .0 nor the .3 is used, but I'm
guessing your use of 10.0.1.0 -might- be a source of trouble, even
though it isn't the network address for 10.0.0.0/255.255.0.0)

For the second link, use:

   10.0.1.4 netmask 255.255.255.252 is the network address
A: 10.0.1.5 netmask 255.255.255.252
C: 10.0.1.6 netmask 255.255.255.252
   10.0.1.7 netmask 255.255.255.252 is the broadcast address

etc.

Once you are at the point of being able to ping A from B, A from C, then
add routes 'route add C MASK 255.255.255.255 A' on B, and 'route add B
MASK 255.255.255.255 A' on C, and you should be able to ping from B to C
as well, and the packets will go over the VPNs via A.

Basically - consider the VPN endpoints a totally separate address space
that you use when you want encrypted VPN'd communication.

Mark

On Wed, 2003-12-24 at 14:38, Stramigioli, S wrote:
> Dear Mark,
> 
> I very much appreciate your quick help. I am still struggling in getting at
> least a link of 2 machines to work without success so far.
> 
> First of all I would like to be sure that the tunneling is working. I have
> the following:
> 
> 
> ** Machine A
> LAN adapter (dynamic and working) address LAN-A
> CIPE adapter IP=10.0.1.0, mask 255.255.0.0, GW= ????
> CIPE PEER SETTINGS
>       Local IP=LAN-A, PORT=9999
>       Peer IP=LAN-B, PORT=9999
>       Local PTP=10.0.1.1
>       Peer PTP Address 10.0.2.1
>       Status Enable? checkbox checked
>       Cipher=NONE
>       The rest Empty  
> 
> ** Machine B
> LAN adapter (dynamic and working) address LAN-B
> CIPE adapter IP=10.0.2.1, mask 255.255.0.0, GW= ????
> CIPE PEER SETTINGS
>       Local IP=LAN-B, PORT=9999
>       Peer IP=LAN-A, PORT=9999
>       Local PTP=10.0.2.1
>       Peer PTP Address 10.0.1.1
>       Status Enable? checkbox checked
>       Cipher=NONE
>       The rest Empty
> 
> If I then try to ping 10.0.2.1 from A it does not work even if I added some
> extra routing. On the IP routing level is the CIPE adapter seen as a "real
> adapter" How should I consider the routing ? 
> Suppose I want that a set of addresses <*RANGE*>  goes to the internet
> through B. How should the routing goes ? I suppose should be as follows:
> 
> route add <*RANGE*> MASK ... 10.0.1.0
> 
> and on B
> 
> route add LAN-A 255.255.255.255 10.0.2.1
> 
> Is this right?
> 
> Thanks and a great holiday to you all!
> 
> 
> - Stefano
>  
> %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
>  
> Prof. Stefano Stramigioli, (M.Sc., Ph.D.)
> Associate Professor
>  
> Control Engineering Laboratory
> Department of Electrical Engineering
> Faculty of EEMCS
> Drebbel Institute on Mechatronics
> 
> Normal Postal Address: 
> P.O. Box 217
> NL-7500 AE Enschede
> The Netherlands
>  
> Courier Address:
> de Veltmaat 10
> 7522NM Enschede
> The Netherlands
> 
> Tel. +31 (53) 4892794/4892606 
> Fax. +31 (53) 4894830/4892223 
>  
> Email S.Stramigioli,AT,ieee,DOT,org
> WWW: http://www.ce.utwente.nl/smi
> 
> %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
> 
> > -----Original Message-----
> > From: Mark Cooke [mailto:mpc,AT,star,DOT,sr,DOT,bham,DOT,ac,DOT,uk 
> > Sent: woensdag 24 december 2003 14:08
> > To: Stramigioli, S
> > Cc: cipe-l,AT,inka,DOT,de; Helpdesk,AT,snt,DOT,utwente,DOT,nl
> > Subject: Re: Basics
> > 
> > Tips:
> > 
> > 1. Use RFC 1918 addresses for your VPN endpoints.
> >    Ie, 192.168/16
> >        172.16/12
> >        10/8
> > 
> >    If there are other private network areas in use, pick a
> >    different set of addresses but still from the ranges above.
> > 
> > 2. In your setup you have VPNs:
> > 
> >    a.   From A to UNI
> >    b.   From B to A
> >    c.   From C to A
> > 
> > 3. Routes:
> > 
> >    a.   At uni VPN endpoint:
> > 
> >         Routes to the B side of A-B's vpn endpoint and C side of
> >         A-C's VPN endpoint via A-side of Uni-A's endpoint
> > 
> >    b.   At A:
> > 
> >         No additional routes needed.
> > 
> >         Possibly a route to the entire uni subnet via uni endpoint
> >         and if so, you also need a specific route to the UNI VPN
> >         endpoint out of A's ethernet or else you'll have a routing
> >         loop and your CIPE packets will try to 'retunnel'
> > 
> >    c.   At B/C:
> > 
> >         Routes to uni endpoint via A-side of B-A's endpoint
> >         Possibly routes to entire uni subnet via A-side of
> >         B-A's endpoint
> > 
> >         Similar for the C VPN.
> > 
> > Note these routing rules can rapidly get quite complex, and 
> > they are a pain to maintain.  In a larger environment, you 
> > might try running a routing daemon.
> > 
> > Seasons greetings to all,
> > 
> > Mark
> > 
> > On Wed, 2003-12-24 at 12:27, Stramigioli, S wrote:
> > > Dear CIPE experts,
> > > 
> > > I am new to the list and trying to understand CIPE and get it to work.
> > > Does anybody have a basic logical description on how to get it to work ?
> > > The help I found was not sufficient to understand it well.
> > > 
> > > I have the following situation:
> > > 
> > > 1) 3 machines A,B,C connected to the internet with ADSL.
> > > 2) My university allows me to connect only with 1 VPN connection, but
> > > I actually need A,B,C to be all connected.
> > > 3) Goal: I make a VPN connection to the university with A and tunnel
> > > all packages for the university from/to B,C through A using other CIPE VPNs.
> > > 
> > > To use CIPE I thought to do the following:
> > > 
> > > 1) I installed the CIPE-VPN adapter on all A,B,C. NOTE: they all have
> > > the same MAC !! Is this ok for arp ?!?!?
> > > 2) I start ciosrvr on A
> > > 3) I make PEER to PEER connections A-B and A-C
> > > 4) I route on B,C all packages for the university to the CIPE-Adapters
> > > of B and C respectively
> > > 
> > > If this makes sense, how am I going to do this in the following ?
> > > 
> > > 1) Once I have chosen an IP and MASK on A, No GW spec are necessary right ?
> > > Any tip for an IP ?
> > > 2) On B,C I suppose I have to define peer to peer connections using 
> > > the CIPE VPN Peer Setting. How should I do this ?
> > > 3) If B is a laptop and I am in another subnet abroad, how would I 
> > > choose the IP numbers and configuration to let it work anyway ?
> > > 
> > > Thanks a lot for your help !
> > > 
> > > 
> > > - Stefano
> > >  
> > > %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
> > >  
> > > Prof. Stefano Stramigioli, (M.Sc., Ph.D.) Associate Professor
> > >  
> > > Control Engineering Laboratory
> > > Department of Electrical Engineering
> > > Faculty of EEMCS
> > > Drebbel Institute on Mechatronics
> > > 
> > > Normal Postal Address: 
> > > P.O. Box 217
> > > NL-7500 AE Enschede
> > > The Netherlands
> > >  
> > > Courier Address:
> > > de Veltmaat 10
> > > 7522NM Enschede
> > > The Netherlands
> > > 
> > > Tel. +31 (53) 4892794/4892606
> > > Fax. +31 (53) 4894830/4892223
> > >  
> > > Email S.Stramigioli,AT,ieee,DOT,org
> > > WWW: http://www.ce.utwente.nl/smi
> > > 
> > > %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
> > > 
> > > --
> > > Message sent by the cipe-l,AT,inka,DOT,de mailing list.
> > > Unsubscribe: mail majordomo,AT,inka,DOT,de, "unsubscribe cipe-l" in 
> > > body 
> > > Other commands available with "help" in body to the same address.
> > > CIPE info and list archive: 
> > > <URL:http://sites.inka.de/~bigred/devel/cipe.html>
> > --
> > Mark Cooke <mpc,AT,star,DOT,sr,DOT,bham,DOT,ac,DOT,uk>
> > 
> > 
> > 
-- 
Mark Cooke <mpc,AT,star,DOT,sr,DOT,bham,DOT,ac,DOT,uk>
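
The addressing and routing scheme from the reply above, as an added example that is not part of the original message: it carves one /30 per link out of a pool, derives the host routes for the spokes, and checks a pair of PTP endpoints against that scheme. The pool 10.0.1.0/24, the function names, and the choice of A's address on the spoke's own link as the gateway are assumptions made for illustration.

```python
import ipaddress

def plan_links(pool, spokes):
    """Give each hub-to-spoke link its own /30 carved out of `pool`."""
    subnets = ipaddress.ip_network(pool).subnets(new_prefix=30)
    plan = {}
    for spoke, net in zip(spokes, subnets):
        hub_ip, spoke_ip = net.hosts()  # a /30 has exactly two usable hosts
        plan[spoke] = {"network": net, "hub": hub_ip, "spoke": spoke_ip,
                       "broadcast": net.broadcast_address}
    return plan

def spoke_routes(plan):
    """Host routes so each spoke reaches the other spokes through the hub.

    Assumption: the gateway is the hub's address on the spoke's own link.
    """
    cmds = {}
    for name, link in plan.items():
        cmds[name] = [
            f"route add {other['spoke']} MASK 255.255.255.255 {link['hub']}"
            for peer, other in plan.items() if peer != name
        ]
    return cmds

def check_endpoints(local_ptp, peer_ptp):
    """Flag endpoint pairs that do not fit the one-/30-per-link scheme."""
    local = ipaddress.ip_interface(f"{local_ptp}/30")
    peer = ipaddress.ip_address(peer_ptp)
    net = local.network
    problems = []
    if peer not in net:
        problems.append(f"{peer} is outside {net}")
    for addr in (local.ip, peer):
        if addr in (net.network_address, net.broadcast_address):
            problems.append(f"{addr} is the network or broadcast address of {net}")
    return problems

if __name__ == "__main__":
    plan = plan_links("10.0.1.0/24", ["B", "C"])  # assumed pool
    for spoke, link in plan.items():
        print(f"A-{spoke}: {link['network']}  A={link['hub']}  {spoke}={link['spoke']}")
    for spoke, cmds in spoke_routes(plan).items():
        print(f"on {spoke}:", *cmds)
    # Endpoint values taken from the quoted configuration of machine A
    print(check_endpoints("10.0.1.1", "10.0.2.1"))
```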

