
To: <cipe-l,AT,inka,DOT,de>
Subject: Re: Routing between VPN subnets
From: Mr Allwyn Fernandes <af+cipel,AT,stobor,DOT,net>
Date: Thu, 9 Dec 2004 05:40:59 +1100
In-reply-to: <054b01c4dd4c$9f191290$b5d501cc@dragonfly>
Organization: Stobor Pty Ltd
References: <054b01c4dd4c$9f191290$b5d501cc@dragonfly>

Let me see if I've got your setup worked out right:

All machines dual-homed (two addresses), and all machines have real 
internet-addressable IPs in their subnet (e.g. 96.1.1.x and 99.2.2.x), as 
well as private IPs in their subnet (192.168.1.x and 192.168.101.x).

96.1.1.xxx         96.1.1.254
192.168.1.xxx      192.168.1.254
Location A -------- Router A -----------
                      ||               |
                 CIPE tunnel     Big Bad Internet
                      ||               |
Location B -------- Router B -----------
99.2.2.xxx          99.2.2.254
192.168.101.xxx     192.168.101.254

and you've got routes
Router A:
96.1.1.xxx -> local
192.168.1.xxx -> local
192.168.101.xxx -> via tunnel
default -> via internet

Router B:
99.2.2.xxx -> local
192.168.101.xxx -> local
192.168.1.xxx -> via tunnel
default -> via internet

Why not set up the routes 
Router A:
96.1.1.xxx -> local
99.2.2.254  -> via internet
99.2.2.xxx  -> via tunnel
default -> via internet

Router B:
99.2.2.xxx -> local
96.1.1.254 -> via internet
96.1.1.xxx -> via tunnel
default -> via internet

and do away with the private IPs completely.

If your topology looks like this (which is what I assumed at first reading of
your email):

96.1.1.xxx
192.168.1.xxx
Location A -------
                 |
96.1.1.100       |  96.1.1.254
192.168.1.100    |  192.168.1.254
Tunnel A ---------- Router A -----------
   ||                                  |
CIPE tunnel                      Big Bad Internet
   ||                                  |
Tunnel B ---------- Router B -----------
99.2.2.100       |  99.2.2.254
192.168.101.100  |  192.168.101.254
                 |
Location B -------
99.2.2.xxx
192.168.101.xxx

Then both the tunnel machines need special routing, as well as the routers. 
However, you can still get around specially routing each machine as follows:
Router A:
96.1.1.xxx -> local
99.2.2.254  -> via internet
99.2.2.xxx  -> via 96.1.1.100
default -> via internet

Router B:
99.2.2.xxx -> local
96.1.1.254 -> via internet
96.1.1.xxx -> via 99.2.2.100
default -> via internet

Tunnel A:
96.1.1.xxx -> local
99.2.2.254  -> via 96.1.1.254
99.2.2.xxx  -> via tunnel
default -> via 96.1.1.254

Tunnel B:
99.2.2.xxx -> local
96.1.1.254 -> via 99.2.2.254
96.1.1.xxx -> via tunnel
default -> via 99.2.2.254

If your config looks nothing like either of those, please post it, and I'll 
have a look at it for you. It seems like something that should be addressable 
without resorting to NAT. 

If there are any special constraints on why A and B would ever want to 
communicate via the internet rather than the tunnel, please mention them, as 
that will affect how the routing can run.

Cheers,

Allwyn.

On Thursday 09 December 2004 04:37, Mark wrote:
> Well, it works if I add the respective routing to each machine at location
> A and location B.
> I just wanted to avoid having to set up special routing on each computer, I
> just wanted to do a routing in the router itself and that's it.
> But I guess that only works if I NAT the real origin IP back to the
> corresponding VPN IP in the router, which will be a pain as well -
> especially since there is already a whole bunch of other mapping going on
> in that router...
>
> So I guess I will just configure the routing everywhere for now...
>
> Thanks,
>
> MARK
>
> > -----Original Message-----
> > From: Andreas Grabner [mailto:grabner,AT,grabner-it,DOT,at] On
> > Behalf Of Andreas Grabner
> > Sent: Tuesday, December 07, 2004 11:15 PM
> > To: Mark
> > Subject: Re: Routing between VPN subnets
> >
> >
> > Hi,
> >
> > I have the same setup and it works, so make sure there is no mistake.
> >
> > On Mon, Dec 06, 2004 at 09:44:54AM -0800, Mark wrote:
> > > Both locations have static real official IPs. I then introduced local
> > > IPs (192.168.1.0/24 for location A and 192.168.101/24 for location B).
> > > The router in location A has the special routing that sends all the
> > > traffic with a 192.168.101.0/24 destination through the tunnel access
> > > point. The other side is set up identically. However, my problem is
> > > that traffic going from the nodes in location A still has the official
> > > real IP as origin IP, not the VPN IP. So on the way back, instead of
> > > taking the tunnel again, location B sends the response to the official
> > > address rather than the VPN address of location A, because the official
> > > location A IPs don't get routed through the tunnel. This causes the
> > > response to be lost.
> >
> > I would do routing like this:
> >
> > Location A:
> > route add -net 192.168.101.0/24 gw "cipe_ppp_address"  # where
> > cipe_ppp_address should also be a local address.
> >
> > Location B:
> > route add -net 192.168.1.0/24 gw "This-site-cipe_ppp_address"
> >
> > CIPE's ppp address is shown with
> > ifconfig cipcb0
> >
> > Is your CIPE interface a transit network?
> >
> > hth
> > Andreas Grabner
>
> --
> Message sent by the cipe-l,AT,inka,DOT,de mailing list.
> Unsubscribe: mail majordomo,AT,inka,DOT,de, "unsubscribe cipe-l" in body
> Other commands available with "help" in body to the same address.
> CIPE info and list archive:
> <URL:http://sites.inka.de/~bigred/devel/cipe.html>

-- 
Allwyn Fernandes
Director
Stobor Pty Ltd

Mobile: + 61 414 470 392
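Editor's added example (not part of this thread, not Allwyn's or Mark's code): a
small Python model of the two router tables from the first topology above, using
longest-prefix matching the way a kernel routing table does. It reproduces Mark's
symptom with the original tables (request via tunnel, reply via internet) and shows
that Allwyn's proposed tables route both directions through the tunnel while still
sending the tunnel endpoint's own address over the internet. The host addresses
96.1.1.10, 192.168.101.7 and 99.2.2.7 are made up for the example; "local",
"tunnel" and "internet" are labels for next hops, not real interface names. The
same functions can be applied to the Tunnel A / Tunnel B tables of the second
topology by adding those tables.

```python
# Added example (not from this thread): model the router tables from the
# first topology and check whether a host-to-host flow is routed
# symmetrically, i.e. the request and the reply both take the CIPE tunnel.
# Next hops are labels ("local", "tunnel", "internet"), not interface names.
# Host addresses used below are made up.
import ipaddress

# Mark's original tables: only the private subnets are steered into the tunnel.
ORIGINAL = {
    "router_a": [
        ("96.1.1.0/24", "local"),
        ("192.168.1.0/24", "local"),
        ("192.168.101.0/24", "tunnel"),
        ("0.0.0.0/0", "internet"),
    ],
    "router_b": [
        ("99.2.2.0/24", "local"),
        ("192.168.101.0/24", "local"),
        ("192.168.1.0/24", "tunnel"),
        ("0.0.0.0/0", "internet"),
    ],
}

# Allwyn's proposal: steer the peer's public subnet into the tunnel, but pin
# the peer router's own address (the far tunnel endpoint) to the internet so
# the encapsulated CIPE packets are not themselves sent into the tunnel.
PROPOSED = {
    "router_a": [
        ("96.1.1.0/24", "local"),
        ("99.2.2.254/32", "internet"),
        ("99.2.2.0/24", "tunnel"),
        ("0.0.0.0/0", "internet"),
    ],
    "router_b": [
        ("99.2.2.0/24", "local"),
        ("96.1.1.254/32", "internet"),
        ("96.1.1.0/24", "tunnel"),
        ("0.0.0.0/0", "internet"),
    ],
}


def next_hop(table, dst):
    """Longest-prefix match over (prefix, next_hop) entries."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def check_flow(tables, src, dst):
    """Request leaves router_a towards dst; the reply leaves router_b towards
    src.  Returns (forward_hop, reply_hop, symmetric)."""
    fwd = next_hop(tables["router_a"], dst)
    rev = next_hop(tables["router_b"], src)
    return fwd, rev, (fwd == "tunnel" and rev == "tunnel")


def endpoint_outside_tunnel(tables):
    """The encapsulated tunnel traffic must reach the peer router over the
    internet; routing it into the tunnel would mean the tunnel never comes up."""
    return (next_hop(tables["router_a"], "99.2.2.254") == "internet"
            and next_hop(tables["router_b"], "96.1.1.254") == "internet")


if __name__ == "__main__":
    # Mark's symptom: a node at A sends with its official 96.1.1.x source to a
    # VPN address at B; the reply to 96.1.1.x leaves B via the default route.
    print("original:", check_flow(ORIGINAL, "96.1.1.10", "192.168.101.7"))
    # With the proposed tables the public addresses are used end to end and
    # both directions take the tunnel.
    print("proposed:", check_flow(PROPOSED, "96.1.1.10", "99.2.2.7"))
    print("tunnel endpoint reachable over internet:",
          endpoint_outside_tunnel(PROPOSED))
```

The check_flow() result for the original tables is ("tunnel", "internet", False),
which is exactly the lost reply Mark describes; for the proposed tables it is
("tunnel", "tunnel", True). The /32 routes for the peer router are what keep the
outer CIPE packets off the tunnel, so it is worth keeping them in any variant.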

