RE: IP Tunneling

Linux Advanced Routing and Traffic Control

Title: Re: IP Tunneling
Hi
 
It sounds like you've got the commands correct, maybe the IPs are wrong?  Is there NAT anywhere?
Here's an example of how I'd configure an ipip tunnel that's NAT'ed... may help?
 
the network:
 
RouterA has many-to-one NAT for the internal network on its public interface
RouterB has static NAT between 3.3.3.3 and 192.168.0.2
The tunnel is established from A to B initially to add the NAT entry to RouterA's table (although the tunnel itself is stateless).
 
HostA              RouterA (NAT/PAT)                            RouterB (NAT)                       HostB
[10.0.0.2]----[10.0.0.1/24   2.2.2.2] -----INET-----[3.3.3.3  192.168.0.1/24]------[192.168.0.2]
 
On HostA:
iptunnel add Tunnel1 mode ipip local 10.0.0.2 remote 3.3.3.3
ifconfig Tunnel1 10.0.0.2 pointopoint 192.168.0.2
ip route add 192.168.0.0/24 dev Tunnel1
 
On HostB:
iptunnel add Tunnel1 mode ipip local 192.168.0.2 remote 2.2.2.2
ifconfig Tunnel1 192.168.0.2 pointopoint 10.0.0.2
ip route add 10.0.0.0/24 dev Tunnel1
 
Here are some packet captures from each host showing the encapsulated IP packet (eth0 capture) and the un-encapsulated IP packet arriving at the tunnel interface (Tunnel1), so you can see what outgoing traffic would look like. No replies though, because I made the IPs up :-)
=====================================================
HostA:
[root@testvpn-1 ~]# tcpdump -ni eth0 host 3.3.3.3
18:48:42.473976 IP 10.0.0.2 > 3.3.3.3: IP 10.0.0.2 > 192.168.0.2: icmp 64: echo request seq 0 (ipip-proto-4)
18:48:43.473592 IP 10.0.0.2 > 3.3.3.3: IP 10.0.0.2 > 192.168.0.2: icmp 64: echo request seq 1 (ipip-proto-4)
[root@testvpn-1 ~]# tcpdump -ni Tunnel1
18:49:21.309733 IP 10.0.0.2 > 192.168.0.2: icmp 64: echo request seq 0
18:49:22.310005 IP 10.0.0.2 > 192.168.0.2: icmp 64: echo request seq 1
=====================================================
HostB:
[root@test-1 ~]# tcpdump -ni eth0 host 2.2.2.2
18:34:28.748402 IP 192.168.0.2 > 2.2.2.2: IP 192.168.0.2 > 10.0.0.2: icmp 64: echo request seq 105 (ipip-proto-4)
18:34:29.748198 IP 192.168.0.2 > 2.2.2.2: IP 192.168.0.2 > 10.0.0.2: icmp 64: echo request seq 106 (ipip-proto-4)
[root@testvpn-1 ~]# tcpdump -ni Tunnel1
18:37:33.802281 IP 192.168.0.2 > 10.0.0.2: icmp 64: echo request seq 290
18:37:34.802086 IP 192.168.0.2 > 10.0.0.2: icmp 64: echo request seq 291
Once through the two NAT routers, each end's tunnel definition matches the packets and everything should work.  ....In theory :-)
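To make the address bookkeeping in the post above concrete, here is an added example (not code from the LARTC thread or from any of its posters) that builds the IPIP packet HostA sends, pushes it through RouterA's many-to-one NAT and RouterB's static NAT, and then applies the same match the kernel does on HostB: the OUTER source/destination must equal the tunnel's remote/local. The addresses are the ones from the post; the IP IDs, ICMP identifier and payload are constructed here, and the NAT routers are modelled only as header rewrites.

```python
"""Added example (not from the LARTC thread): walk the IPIP packet from HostA
to HostB through the two NAT routers in the post, checking at HostB that the
outer header matches 'iptunnel ... local 192.168.0.2 remote 2.2.2.2'.
Addresses are the post's; IP IDs, ICMP id and payload are constructed."""
import ipaddress
import struct

IPPROTO_ICMP = 1
IPPROTO_IPIP = 4  # "ipip-proto-4" in the tcpdump lines


def checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ident=0, ttl=64):
    """20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, ttl,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt):
    """Split an IPv4 packet into header fields and payload; reject bad checksums."""
    ver_ihl, _, total_len, ident, _, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or checksum(pkt[:ihl]) != 0:
        raise ValueError("malformed IPv4 header")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ident": ident, "ttl": ttl, "payload": pkt[ihl:total_len]}


def icmp_echo_request(seq, data=b"\x00" * 56):
    """64-byte ICMP echo request, like 'icmp 64: echo request' in the captures."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, 0x1234, seq)
    return hdr[:2] + struct.pack("!H", checksum(hdr + data)) + hdr[4:] + data


def ipip_send(inner, local, remote):
    """Transmit side of 'iptunnel add ... mode ipip local L remote R'."""
    return ipv4_header(local, remote, IPPROTO_IPIP, len(inner), ident=1) + inner


def nat_outer(pkt, src=None, dst=None):
    """A NAT router rewriting the outer source and/or destination (checksum
    recomputed, TTL decremented). Protocol 4 has no ports, so the outer
    addresses are all a NAT box can key on."""
    h = parse_ipv4(pkt)
    return ipv4_header(src or h["src"], dst or h["dst"], h["proto"],
                       len(h["payload"]), h["ident"], h["ttl"] - 1) + h["payload"]


def ipip_receive(pkt, local, remote):
    """Receive side: a proto-4 packet is handed to the tunnel device whose
    remote/local equal the OUTER src/dst. That address match is the only check;
    IPIP carries no authentication or encryption."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("not IPIP")
    if (outer["src"], outer["dst"]) != (remote, local):
        raise ValueError("outer %s > %s does not match tunnel remote %s local %s"
                         % (outer["src"], outer["dst"], remote, local))
    return parse_ipv4(outer["payload"])


def hosta_to_hostb(hostb_remote="2.2.2.2"):
    """HostA pings 192.168.0.2 through Tunnel1; returns the inner packet HostB's
    Tunnel1 would see. hostb_remote lets you try a wrong 'remote' on HostB."""
    inner = ipv4_header("10.0.0.2", "192.168.0.2", IPPROTO_ICMP, 64, ident=7) + icmp_echo_request(0)
    wire = ipip_send(inner, local="10.0.0.2", remote="3.3.3.3")  # HostA eth0
    wire = nat_outer(wire, src="2.2.2.2")                         # RouterA many-to-one NAT
    wire = nat_outer(wire, dst="192.168.0.2")                     # RouterB static NAT
    return ipip_receive(wire, local="192.168.0.2", remote=hostb_remote)


def spoofed_injection():
    """Anyone who can put a packet on the wire with outer src 2.2.2.2 gets its
    inner packet accepted on HostB's Tunnel1 and routed like HostA's traffic."""
    inner = ipv4_header("10.0.0.99", "192.168.0.2", IPPROTO_ICMP, 64) + icmp_echo_request(1)
    wire = ipip_send(inner, local="2.2.2.2", remote="192.168.0.2")  # forged outer header
    return ipip_receive(wire, local="192.168.0.2", remote="2.2.2.2")


if __name__ == "__main__":
    p = hosta_to_hostb()
    print("HostB Tunnel1 sees IP %s > %s proto %d" % (p["src"], p["dst"], p["proto"]))
    try:
        hosta_to_hostb(hostb_remote="10.0.0.2")  # HostA's pre-NAT address: wrong
    except ValueError as e:
        print("misconfigured remote:", e)
    print("spoofed inner src:", spoofed_injection()["src"])
```

Two things the walk-through makes visible. First, HostB's `remote` must be the address the packet carries after NAT (2.2.2.2), not HostA's real 10.0.0.2; with the wrong value the kernel has no tunnel to hand the packet to and it is simply dropped, which looks like a "freeze". Second, `spoofed_injection()` shows that the outer-address match is the only thing an ipip tunnel checks, so on the public side you should at least restrict protocol 4 to the expected peer (for example an INPUT rule matching `-p 4 -s 2.2.2.2` and dropping other ipip) and, since protocol 4 has no port numbers, expect a many-to-one NAT to carry only one such tunnel per public address to a given peer; if the traffic needs confidentiality or sender authentication, wrap the tunnel in IPsec rather than relying on plain ipip.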
 

 

From: phonic@xxxxxxxxxxxxx [mailto:phonic@xxxxxxxxxxxxx]
Sent: Wed 27/04/2005 12:13
To: Dan Martin
Cc: lartc@xxxxxxxxxxxxxxx
Subject: Re: IP Tunneling

Hello
Okey, I tried to set up routing table this way :
On the test box (doesn't use the /25 yet): 'ip route add 217.211.70.0/24 dev tunl1'
On my home box: 'ip route add 192.121.234.208/28 dev tunl1'

But the connection still freezes... Maybe I misunderstood you?

> If I'm going over stuff covered already on this list, please let me
> know!!  Sorry... this is my first post!!
>
> If you've just used the iptunnel command, you'll also need to use
> ifconfig with the pointopoint type to set up an interface to route
> traffic through.  The IP address's on either end of the point to point
> interface should be the IP's you want to route traffic between once
> you've reached the subnets at each end of the tunnel.  If you want to
> route more traffic across the link you use "ip route add 10.0.0.0/24
> dev ipiptunnelname" or similar.
>
> Also, you can view the traffic either encapsulated, by running tcpdump
> on your physical interface, or un-encapsulated by running it on your
> pointopoint interface.
>
> Dan!
>
> On 27 Apr 2005, at 09:22, Taylor, Grant wrote:
>
>>> Hello
>>> I have looked at SSH tunneling, but what I know I think that's not the
>>> best solution for me. After some research, IPIP or GRE tunnel seems
>>> to fit
>>> me best. But I don't find any good documentation, neither the LARTC
>>> howto
>>> is brings up my problem.
>>> I'd figured out that I will use iptunnel or similar to set up an
>>> IPIP-tunnel, like:
>>> iptunnel add dev tunl1 mode ipip local a.b.c.d remote e.f.g.h
>>> and the same on the other side (just switching local and remote
>>> addresses)
>>> to tunnel the public IP address e.f.g.h (on the /25-box) to tunl0 at
>>> a.b.c.d (my public IP at home). But the connection between me and the
>>> remote host freezes, so I guess that's not enough. What more do I
>>> have to
>>> do?
>>
>> Is the "freeze" that you are talking about data through the tunnel or
>> is it the initialization itself?  If it is the former, check to
>> make sure that your firewall is not blocking traffic that would be
>> flowing through the tunnel.  Namely if your filter table FORWARD chain
>> policy is set to DROP and you don't have an explicit allow for traffic
>> flowing through the tunnel interface you will not be able to get
>> things to work.  I'll have to play with GRE / IPIP tunnels to see if I
>> can offer any advice.
>>
>>
>>
>> Grant. . . .
>> _______________________________________________
>> LARTC mailing list
>> LARTC@xxxxxxxxxxxxxxx
>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
>

