
To: "'Mr Allwyn Fernandes'" <af+cipel,AT,stobor,DOT,net>,<cipe-l,AT,inka,DOT,de>
Subject: RE: Routing between VPN subnets
From: "Mark" <msalists,AT,gmx,DOT,net>
Date: Wed, 8 Dec 2004 17:52:27 -0800
Importance: Normal
In-reply-to: <200412090540.59794.af+cipel@stobor.net>

Thank you for your help.

It's the second setup - router and tunnel are two separate nodes on both 
sides.

I assume it would work if I send both VPN and public IPs of the respective 
other side through the tunnel.
But I thought it would make more sense to route the public IPs through the 
internet and only the VPN IPs through the tunnel.

That way I can choose which way to take by addressing either the public or 
the VPN IP.
This is useful for redundancy in case the tunnel collapses. I could use DNS, 
LDAP, DB and all kinds of other servers with the VPN IPs
as first server and configure the public IP as secondary/backup in case the 
tunnel collapses.
Also, big chunks of data that do not need to be encrypted can be transported 
faster if I send them to the public IPs, as the data
does not get encrypted and decrypted - saves some processing power as well...

I'm not sure if there is a standard "best practice" configuration for this 
whole cipe/VPN thing...

I think I have to live with either NAT or tunnel-specific router 
configuration on each machine.

MARK

> -----Original Message-----
> From: owner-cipe-l,AT,inka,DOT,de [mailto:owner-cipe-l,AT,inka,DOT,de On 
> Behalf Of Mr Allwyn Fernandes
> Sent: Wednesday, December 08, 2004 10:41 AM
> To: cipe-l,AT,inka,DOT,de
> Subject: Re: Routing between VPN subnets
> 
> 
> Let me see if I've got your setup worked out right:
> 
> All machines dual-homed (two addresses), and all machines have real 
> internet-addressable IPs in their subnet (e.g. 96.1.1.x and 
> 99.2.2.x), as 
> well as private IPs in their subnet (192.168.1.x and 192.168.101.x).
> 
> 96.1.1.xxx         96.1.1.254
> 192.168.1.xxx      192.168.1.254
> Location A -------- Router A -----------
>                       ||               |
>                  CIPE tunnel     Big Bad Internet
>                       ||               |
> Location B -------- Router B -----------
> 99.2.2.xxx          99.2.2.254
> 192.168.101.xxx     192.168.101.254
> 
> and you've got routes
> Router A:
> 96.1.1.xxx -> local
> 192.168.1.xxx -> local
> 192.168.101.xxx -> via tunnel
> default -> via internet
> 
> Router B:
> 99.2.2.xxx -> local
> 192.168.101.xxx -> local
> 192.168.1.xxx -> via tunnel
> default -> via internet
> 
> Why not set up the routes 
> Router A:
> 96.1.1.xxx -> local
> 99.2.2.254  -> via internet
> 99.2.2.xxx  -> via tunnel
> default -> via internet
> 
> Router B:
> 99.2.2.xxx -> local
> 96.1.1.254 -> via internet
> 96.1.1.xxx -> via tunnel
> default -> via internet
> 
> and do away with the private IPs completely.
> 
> 
> 
> If your topology looks like this: (which is what I assumed at 
> first reading of 
> your email)
> 
> 96.1.1.xxx
> 192.168.1.xxx
> Location A -------
>                  |
> 96.1.1.100       |  96.1.1.254
> 192.168.1.100    |  192.168.1.254
> Tunnel A ---------- Router A -----------
>    ||                                  |
> CIPE tunnel                      Big Bad Internet
>    ||                                  |
> Tunnel B ---------- Router B -----------
> 99.2.2.100       |  99.2.2.254
> 192.168.101.100  |  192.168.101.254
>                  |
> Location B -------
> 99.2.2.xxx
> 192.168.101.xxx
> 
> Then both the tunnel machines need special routing, as well 
> as the routers. 
> However, you can still get around specially routing each 
> machine as follows:
> 
> Router A:
> 96.1.1.xxx -> local
> 99.2.2.254  -> via internet
> 99.2.2.xxx  -> via 96.1.1.100
> default -> via internet
> 
> Router B:
> 99.2.2.xxx -> local
> 96.1.1.254 -> via internet
> 96.1.1.xxx -> via 99.2.2.100
> default -> via internet
> 
> Tunnel A:
> 96.1.1.xxx -> local
> 99.2.2.254  -> via 96.1.1.254
> 99.2.2.xxx  -> via tunnel
> default -> via 96.1.1.254
> 
> Tunnel B:
> 99.2.2.xxx -> local
> 96.1.1.254 -> via 99.2.2.254
> 96.1.1.xxx -> via tunnel
> default -> via 99.2.2.254
> 
> If your config looks nothing like either of those, please 
> post it, and I'll 
> have a look at it for you. It seems like something that 
> should be addressable 
> without resorting to NAT. 
> 
> If there are any special constraints on why A and B would 
> ever want to 
> communicate via the internet rather than the tunnel, please 
> mention them, as 
> that will affect how the routing can run.
> 
> Cheers,
> 
> Allwyn.
> 
> 
> On Thursday 09 December 2004 04:37, Mark wrote:
> > Well, it works if I add the respective routing to each machine at 
> > location A and location B. I just wanted to avoid having to set up 
> > special routing on each computer, I just wanted to do a routing in the 
> > router itself and that's it. But I guess that only works if I NAT the 
> > real origin IP back to the corresponding VPN IP in the router, which 
> > will be a pain as well - especially since there is already a whole 
> > bunch of other mapping going on in that router...
> >
> > So I guess I will just configure the routing everywhere for now...
> >
> > Thanks,
> >
> > MARK
> >
> > > -----Original Message-----
> > > From: Andreas Grabner [mailto:grabner,AT,grabner-it,DOT,at On Behalf Of 
> > > Andreas Grabner
> > > Sent: Tuesday, December 07, 2004 11:15 PM
> > > To: Mark
> > > Subject: Re: Routing between VPN subnets
> > >
> > >
> > > Hi,
> > >
> > > I have the same setup and it works, so make sure there is no 
> > > mistake.
> > >
> > > On Mon, Dec 06, 2004 at 09:44:54AM -0800, Mark wrote:
> > > > Both locations have static real official IPs. I then introduced local IPs
> > > > (192.168.1.0/24 for location A and 192.168.101/24 for location B). The
> > > > router in location A has the special routing that sends all the traffic with
> > > > a 192.168.101.0/24 destination through the tunnel access point. The other
> > > > side is set up identically. However, my problem is that traffic going from
> > > > the nodes in location A still has the official real IP as origin IP, not the
> > > > VPN IP. So on the way back, instead of taking the tunnel again, location B
> > > > sends the response to the official address rather than the VPN address of
> > > > location A, because the official location A IPs don't get routed through the
> > > > tunnel. This causes the response to be lost.
> > >
> > > I would do routing like this:
> > >
> > > Location A:
> > > route add -net 192.168.101.0/24 gw "cipe_ppp_address"  # where 
> > > cipe_ppp_address should also be a local address.
> > >
> > > Location B:
> > > route add -net 192.168.1.0/24 gw "This-site-cipe_ppp_address"
> > >
> > > cipe's ppp address is shown with
> > > ifconfig cipcb0
> > >
> > > Is your CIPE interface a transit network?
> > >
> > > hth
> > > Andreas Grabner
> >
> > --
> > Message sent by the cipe-l,AT,inka,DOT,de mailing list.
> > Unsubscribe: mail majordomo,AT,inka,DOT,de, "unsubscribe cipe-l" in body 
> > Other commands available with "help" in body to the same address.
> > CIPE info and list archive: 
> > <URL:http://sites.inka.de/~bigred/devel/cipe.html>
> 
> -- 
> Allwyn Fernandes
> Director
> Stobor Pty Ltd
> 
> Mobile: + 61 414 470 392
> 
> 
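The routing tables Allwyn sketches for the first topology (routers terminating the tunnel), checked with a small longest-prefix-match simulator. This is an added example, not code from the thread or from the CIPE project. It assumes two constructed facts the thread implies but does not state: that each router's CIPE peer is the other site's router address (99.2.2.254 and 96.1.1.254), and that CIPE's UDP-encapsulated packets are routed by the same table as everything else, so the /32 host route for the peer is what keeps them on the internet path. The private-IP tables reproduce Mark's original setup to show why the reply to a public source address bypasses the tunnel.

```python
import ipaddress

# Added example, not code from the thread: simulate the route lookup each hop
# performs for the two-site topology above. Addresses are the constructed ones
# from the thread's diagrams; next hops are "local", "tunnel" or "internet".

class Node:
    """A router with a static routing table and longest-prefix-match lookup."""

    def __init__(self, name, routes):
        self.name = name
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        matches = [(net, nh) for net, nh in self.routes if dst in net]
        if not matches:
            return None
        # Longest prefix wins: a /32 for the peer beats the /24 for its site.
        return max(matches, key=lambda m: m[0].prefixlen)[1]


# Assumed (constructed): which router the internet delivers each public /24 to,
# and the public address of each router's CIPE peer.
SITE_OF = {ipaddress.ip_network("96.1.1.0/24"): "Router A",
           ipaddress.ip_network("99.2.2.0/24"): "Router B"}
PEER_PUBLIC = {"Router A": "99.2.2.254", "Router B": "96.1.1.254"}


def internet_delivers_to(dst):
    """The internet only knows the two public /24s; RFC 1918 space is unroutable."""
    dst = ipaddress.ip_address(dst)
    for net, router in SITE_OF.items():
        if dst in net:
            return router
    return None


def trace(tables, start, dst, max_hops=6):
    """Follow a packet hop by hop; returns a list of (node, decision) pairs."""
    nodes = {name: Node(name, routes) for name, routes in tables.items()}
    path, node = [], start
    for _ in range(max_hops):
        nh = nodes[node].lookup(dst)
        path.append((node, nh))
        if nh in ("local", None):
            return path
        if nh == "tunnel":
            # CIPE wraps the packet in UDP addressed to the peer's public IP; that
            # outer packet is then routed by the same table (assumption, see lead-in).
            peer = PEER_PUBLIC[node]
            outer = nodes[node].lookup(peer)
            path.append((node, f"encapsulated to {peer} via {outer}"))
            if outer != "internet":
                path.append((node, "loop: outer packet matched the tunnel route"))
                return path
            node = internet_delivers_to(peer)
        else:  # "internet"
            node = internet_delivers_to(dst)
            if node is None:
                path.append(("internet", "unroutable"))
                return path
    path.append((node, "hop limit exceeded"))
    return path


# Allwyn's public-IP-only proposal: the /32 host route keeps the tunnel's own
# encapsulated traffic on the internet; the rest of the far site goes via the tunnel.
PUBLIC_ONLY = {
    "Router A": [("96.1.1.0/24", "local"), ("99.2.2.254/32", "internet"),
                 ("99.2.2.0/24", "tunnel"), ("0.0.0.0/0", "internet")],
    "Router B": [("99.2.2.0/24", "local"), ("96.1.1.254/32", "internet"),
                 ("96.1.1.0/24", "tunnel"), ("0.0.0.0/0", "internet")],
}

# The same tables with the host routes left out: the encapsulated packet to the
# peer matches the /24 -> tunnel route and would be encapsulated again.
NO_HOST_ROUTE = {name: [r for r in routes if not r[0].endswith("/32")]
                 for name, routes in PUBLIC_ONLY.items()}

# Mark's original private-IP setup: only the remote 192.168.x /24 goes via the tunnel.
PRIVATE_IPS = {
    "Router A": [("96.1.1.0/24", "local"), ("192.168.1.0/24", "local"),
                 ("192.168.101.0/24", "tunnel"), ("0.0.0.0/0", "internet")],
    "Router B": [("99.2.2.0/24", "local"), ("192.168.101.0/24", "local"),
                 ("192.168.1.0/24", "tunnel"), ("0.0.0.0/0", "internet")],
}


def symmetric_via_tunnel(tables, site_a, host_a, site_b, host_b):
    """True when both directions traverse the tunnel and are delivered locally."""
    def uses_tunnel(path):
        return any(d == "tunnel" for _, d in path) and path[-1][1] == "local"
    return (uses_tunnel(trace(tables, site_a, host_b))
            and uses_tunnel(trace(tables, site_b, host_a)))


if __name__ == "__main__":
    for name, tables in (("public-only", PUBLIC_ONLY), ("private-IP", PRIVATE_IPS)):
        print(name, "A->B:", trace(tables, "Router A", "99.2.2.20"))
        print(name, "B->A:", trace(tables, "Router B", "96.1.1.10"))
    print("no host route A->B:", trace(NO_HOST_ROUTE, "Router A", "99.2.2.20"))
```

With the public-only tables both directions between a host at A and a host at B go through the tunnel, because each router's table sends the whole remote /24 into the tunnel while the single /32 for the peer stays on the internet. Dropping that /32 makes the outer UDP packet match the tunnel route itself, which is the loop the simulator flags. With the private-IP tables, a packet from 96.1.1.10 to 192.168.101.5 is delivered through the tunnel, but the reply to the public source address 96.1.1.10 only matches Router B's default route and goes out over the internet, which is the asymmetry Mark describes.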

