Requestion for help with GRE tunnel

Requestion for help with GRE tunnel

[George Garvey]

   I'm trying to make a tunnel between 2 LANs, 192.168.1 and 192.168.2.
Eventually over the internet, right now between 2 computers. Both
2.4.19.
   Everything is hooked up to a gigE switch right now. I've set the
tunnel's IPs to LAN addresses for testing.
   When the iproute2 commands are done, ip route get to the LAN on the
other side of the tunnel shows the tunnel.
   I can ping the IP address of the tunnel.
   When I try to ping or traceroute to the other LAN, I get sendto:
Operation not permitted.
   What am I misunderstanding? I know this is probably stupid to
everyone but me, but I'd appreciate assistance.

   These are the commands I'm using, which aren't working.

192.168.1:
	This is the local LAN that already exists
/sbin/ip link set dev eth0 up mtu 1500
/sbin/ip address add 192.168.1.12/24 broadcast 192.168.1.255 dev eth0
	This is an SDSL
/sbin/ip link set dev eth1 up
/sbin/ip address add 66.134.162.140/29 broadcast 66.134.162.143 dev eth1
	This is an ADSL
/sbin/ip link set dev eth2 up
/sbin/ip address add 63.193.79.19/29 broadcast 63.193.79.23 dev eth2

/sbin/ip link set dev lo up
/sbin/ip address add 127.0.0.1/8 broadcast + dev lo
	The ADSL is too busy to use for NAT
/sbin/ip route add default via 63.193.79.17 dev eth2
	The tunnel
/sbin/ip tunnel add withsales mode gre remote 192.168.2.2 local 192.168.1.12 ttl 255 dev eth0
/sbin/ip link set withsales up
/sbin/ip address add 192.168.2.1/24 broadcast + dev withsales
	While testing, I've had the firewall off, just NAT
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -F INPUT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -F OUTPUT
/sbin/iptables -P FORWARD DROP
/sbin/iptables -F FORWARD
/sbin/iptables -F -t nat
/sbin/iptables -L -n
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -A FORWARD -i eth2 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -o eth2 -j ACCEPT
/sbin/iptables -A FORWARD -j DROP
/sbin/iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to 63.193.79.19

192.168.2:
	This is the new LAN
/sbin/ip link set dev eth0 up mtu 1500
/sbin/ip address add 192.168.2.2/24 broadcast 192.168.2.255 dev eth0
	This will be an ADSL, currently hooked up to gigE switch
/sbin/ip link set dev eth1 up
/sbin/ip address add 67.113.82.198/29 broadcast 67.113.82.202 dev eth1

/sbin/ip link set dev lo up
/sbin/ip address add 127.0.0.1/8 broadcast + dev lo

/sbin/ip route add default via 67.113.82.198 dev eth1

/sbin/ip tunnel add withsales mode gre remote 192.168.1.12 local 192.168.2.2 ttl 255 dev eth0
/sbin/ip link set withsales up
/sbin/ip address add 192.168.1.10/24 broadcast + dev withsales

Re: Requestion for help with GRE tunnel

[Ramin Alidousti]

Do 192.168.1.12 and 192.168.2.2 connected through a router.
From your email below it looks like they go through a switch.
If that's the case, then it's your problem:

	You should be able to ping the encapsulating IP's of
	your tunnel from the other side to make sure that you
	have IP connectivity which is "the" requirement for
	setting up a tunnel. Can you?o

Ramin



On Tue, Jun 18, 2002 at 06:39:45AM -0700, George Garvey wrote:

>    I'm trying to make a tunnel between 2 LANs, 192.168.1 and 192.168.2.
> Eventually over the internet, right now between 2 computers. Both
> 2.4.19.
>    Everything is hooked up to a gigE switch right now. I've set the
> tunnel's IPs to LAN addresses for testing.
>    When the iproute2 commands are done, ip route get to the LAN on the
> other side of the tunnel shows the tunnel.
>    I can ping the IP address of the tunnel.
>    When I try to ping or traceroute to the other LAN, I get sendto:
> Operation not permitted.
>    What am I misunderstanding? I know this is probably stupid to
> everyone but me, but I'd appreciate assistance.
> 
>    These are the commands I'm using, which aren't working.
> 
> 192.168.1:
> 	This is the local LAN that already exists
> /sbin/ip link set dev eth0 up mtu 1500
> /sbin/ip address add 192.168.1.12/24 broadcast 192.168.1.255 dev eth0
> 	This is an SDSL
> /sbin/ip link set dev eth1 up
> /sbin/ip address add 66.134.162.140/29 broadcast 66.134.162.143 dev eth1
> 	This is an ADSL
> /sbin/ip link set dev eth2 up
> /sbin/ip address add 63.193.79.19/29 broadcast 63.193.79.23 dev eth2
> 
> /sbin/ip link set dev lo up
> /sbin/ip address add 127.0.0.1/8 broadcast + dev lo
> 	The ADSL is too busy to use for NAT
> /sbin/ip route add default via 63.193.79.17 dev eth2
> 	The tunnel
> /sbin/ip tunnel add withsales mode gre remote 192.168.2.2 local 192.168.1.12 ttl 255 dev eth0
> /sbin/ip link set withsales up
> /sbin/ip address add 192.168.2.1/24 broadcast + dev withsales
> 	While testing, I've had the firewall off, just NAT
> /sbin/iptables -P INPUT ACCEPT
> /sbin/iptables -F INPUT
> /sbin/iptables -P OUTPUT ACCEPT
> /sbin/iptables -F OUTPUT
> /sbin/iptables -P FORWARD DROP
> /sbin/iptables -F FORWARD
> /sbin/iptables -F -t nat
> /sbin/iptables -L -n
> /sbin/iptables -X
> /sbin/iptables -Z
> /sbin/iptables -A FORWARD -i eth2 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> /sbin/iptables -A FORWARD -i eth0 -o eth2 -j ACCEPT
> /sbin/iptables -A FORWARD -j DROP
> /sbin/iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to 63.193.79.19
> 
> 192.168.2:
> 	This is the new LAN
> /sbin/ip link set dev eth0 up mtu 1500
> /sbin/ip address add 192.168.2.2/24 broadcast 192.168.2.255 dev eth0
> 	This will be an ADSL, currently hooked up to gigE switch
> /sbin/ip link set dev eth1 up
> /sbin/ip address add 67.113.82.198/29 broadcast 67.113.82.202 dev eth1
> 
> /sbin/ip link set dev lo up
> /sbin/ip address add 127.0.0.1/8 broadcast + dev lo
> 
> /sbin/ip route add default via 67.113.82.198 dev eth1
> 
> /sbin/ip tunnel add withsales mode gre remote 192.168.1.12 local 192.168.2.2 ttl 255 dev eth0
> /sbin/ip link set withsales up
> /sbin/ip address add 192.168.1.10/24 broadcast + dev withsales

Re: Requestion for help with GRE tunnel

[George Garvey]

   Thanks for the fast response. I remembered that I have a spare IP on
an ADSL, so changed the setup as follows, based on your mention of a
requirement for a router. This setup still lets me experiment with both
computers in the same room, but is more similar to the final desired
setup:

eth0: 192.168.2.2 ---------- gigE switch ------ eth0: 192.168.1.12
------------------------			----------------------
| salesns.inxsales.lan |			| ns.inxservices.com |
------------------------			----------------------
eth1: 63.193.79.20 --------- 100 switch -------	eth2: 63.193.79.19
				|		eth1: 66.134.162.140
			    ADSL modem			|
			    	|		  SDSL modem/hub
				|			|
				------- internet --------

GRE tunnel (withvan):				GRE tunnel (withsales):
63.193.79.20 -> 63.193.79.19			63.193.79.19 -> 63.193.79.20
IP: 192.168.3.1					IP: 192.168.3.2
ip route add 192.168.1.0/24 dev withvan		ip route add 192.168.2.0/24
							dev withsales

I can ping 63.193.79.19 from 63.193.79.20.
I can ping 63.193.79.20 from 63.193.79.19.
I cannot ping 192.168.1.12 from salesns.

Here are the commands I'm using:

192.168.1.12:

/sbin/ip link set dev eth0 up mtu 1500
/sbin/ip address add 192.168.1.12/24 broadcast 192.168.1.255 dev eth0

/sbin/ip link set dev eth1 up
/sbin/ip address add 66.134.162.140/29 broadcast 66.134.162.143 dev eth1

/sbin/ip link set dev eth2 up
/sbin/ip address add 63.193.79.19/29 broadcast 63.193.79.23 dev eth2

/sbin/ip link set dev lo up
/sbin/ip address add 127.0.0.1/8 broadcast + dev lo

/sbin/ip route add default via 63.193.79.17 dev eth2

/sbin/ip tunnel add withsales mode gre remote 63.193.79.20 local 63.193.79.19 ttl 255 dev eth0
/sbin/ip link set withsales up
/sbin/ip address add 192.168.3.2/24 broadcast + dev withsales
/sbin/ip route add 192.168.2.0/24 dev withsales

192.168.2.2:

/sbin/ip link set dev eth0 up mtu 1500
/sbin/ip address add 192.168.2.2/24 broadcast 192.168.2.255 dev eth0

/sbin/ip link set dev eth1 up
/sbin/ip address add 63.193.79.20/29 broadcast 63.193.79.23 dev eth1

/sbin/ip link set dev lo up
/sbin/ip address add 127.0.0.1/8 broadcast + dev lo

/sbin/ip route add default via 63.193.79.20 dev eth1

/sbin/ip tunnel add withvan mode gre remote 63.193.79.19 local 63.193.79.20 ttl 255 dev eth0
/sbin/ip link set withvan up
/sbin/ip address add 192.168.3.1/24 broadcast + dev withvan
/sbin/ip route add 192.168.1.0/24 dev withvan

Re: Requestion for help with GRE tunnel

[Ramin Alidousti]

On Tue, Jun 18, 2002 at 08:59:53AM -0700, George Garvey wrote:

>    Thanks for the fast response. I remembered that I have a spare IP on
> an ADSL, so changed the setup as follows, based on your mention of a
> requirement for a router. This setup still lets me experiment with both
> computers in the same room, but is more similar to the final desired
> setup:
> 
> eth0: 192.168.2.2 ---------- gigE switch ------ eth0: 192.168.1.12
> ------------------------			----------------------
> | salesns.inxsales.lan |			| ns.inxservices.com |
> ------------------------			----------------------
> eth1: 63.193.79.20 --------- 100 switch -------	eth2: 63.193.79.19
> 				|		eth1: 66.134.162.140
> 			    ADSL modem			|
> 			    	|		  SDSL modem/hub
> 				|			|
> 				------- internet --------
> 
> GRE tunnel (withvan):				GRE tunnel (withsales):
> 63.193.79.20 -> 63.193.79.19			63.193.79.19 -> 63.193.79.20
> IP: 192.168.3.1					IP: 192.168.3.2
> ip route add 192.168.1.0/24 dev withvan		ip route add 192.168.2.0/24
> 							dev withsales
> 
> I can ping 63.193.79.19 from 63.193.79.20.
> I can ping 63.193.79.20 from 63.193.79.19.
> I cannot ping 192.168.1.12 from salesns.

This is obvious. 192.168.2.2/24 and 192.168.1.12/24 are not in the
same subnet but are connected through a switch. What should this
gigE switch do here? If these interfaces are there only for you to
test the tunnel, you made a very expensive choice; no switch necessary or
just use some dummy interface... But for now, leave it be.

> 
> Here are the commands I'm using:
> 
> 192.168.1.12:
> 
> /sbin/ip link set dev eth0 up mtu 1500
> /sbin/ip address add 192.168.1.12/24 broadcast 192.168.1.255 dev eth0
> 
> /sbin/ip link set dev eth1 up
> /sbin/ip address add 66.134.162.140/29 broadcast 66.134.162.143 dev eth1
> 
> /sbin/ip link set dev eth2 up
> /sbin/ip address add 63.193.79.19/29 broadcast 63.193.79.23 dev eth2
> 
> /sbin/ip link set dev lo up
> /sbin/ip address add 127.0.0.1/8 broadcast + dev lo
> 
> /sbin/ip route add default via 63.193.79.17 dev eth2
> 
> /sbin/ip tunnel add withsales mode gre remote 63.193.79.20 local 63.193.79.19 ttl 255 dev eth0

Why are you saying here "dev eth0"? This dev has nothing to do with
your tunnel here. Just remove "dev eth0".

> /sbin/ip link set withsales up
> /sbin/ip address add 192.168.3.2/24 broadcast + dev withsales
> /sbin/ip route add 192.168.2.0/24 dev withsales

Change this to:
/sbin/ip route add 192.168.2.0/24 via 192.168.3.1 dev withsales

> 
> 192.168.2.2:
> 
> /sbin/ip link set dev eth0 up mtu 1500
> /sbin/ip address add 192.168.2.2/24 broadcast 192.168.2.255 dev eth0
> 
> /sbin/ip link set dev eth1 up
> /sbin/ip address add 63.193.79.20/29 broadcast 63.193.79.23 dev eth1
> 
> /sbin/ip link set dev lo up
> /sbin/ip address add 127.0.0.1/8 broadcast + dev lo
> 
> /sbin/ip route add default via 63.193.79.20 dev eth1
> 
> /sbin/ip tunnel add withvan mode gre remote 63.193.79.19 local 63.193.79.20 ttl 255 dev eth0

Same thing here. Remove "dev eth0".

> /sbin/ip link set withvan up
> /sbin/ip address add 192.168.3.1/24 broadcast + dev withvan
> /sbin/ip route add 192.168.1.0/24 dev withvan

Change this to:
/sbin/ip route add 192.168.1.0/24 via 192.168.3.2 dev withvan

It should work.

Ramin

Re: Requestion for help with GRE tunnel

[George Garvey]

   Thanks very much. I hadn't noticed that I still had that tunnel on
dev eth0. It appears to be working now. (Appears because I have a lot of
work to do with the tunnel to be sure yet). But I can ping through the
tunnel to the private LAN IPs on either side now.
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ----------     Custom Programming                           (323) 255-7949
|   inX    | EDI Translation/Mapping/VAN Services
| Services |      EDI Consulting
 ----------       Network Design                       tmwg@inxservices.com
             Distributed Web Applications       http://www.inxservices.com/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                                   Improving Your Business Is Our Business!

Re: Requestion for help with GRE tunnel

[Tony Earnshaw]

[-- Attachment #1: Type: text/plain, Size: 2250 bytes --]

tir, 2002-06-18 kl. 15:39 skrev George Garvey:
> I'm trying to make a tunnel between 2 LANs, 192.168.1 and 192.168.2.
> Eventually over the internet, right now between 2 computers. Both
> 2.4.19.

> Everything is hooked up to a gigE switch right now. I've set the
> tunnel's IPs to LAN addresses for testing.

[Off list, because off topic]

To my mind everything's horribly complicated here. Begin with an easy
one. The point about this approach is, that you begin with something
simple that you know works and you can take one step at a time.

Connect 2 Linux routers/GRE gateways (2 NICs each, eth0 and eth1) with a
crossover cable on NIC eth0.

Make a lan each side of each route, left and right (enough with one
single machine and one crossover cable for each LAN). So that's 4
machines and 3 crossover cables.

Left hand LAN is 192.168.1., right hand LAN is 192.168.2.

Each eth0 (the NICs connecting the routers) on each router can/must have
a completely different IP number from the 2 LAN IP numbers. It doesn't
matter what, as long as the eth0s are on the same physical network.

There's no natting in any of this! You're dealing with *pure routers*.
Even when you get to the internet stage, it's still pure routing with no
natting, in principle. Nothing's got anything to do with IP tables!

Make your tunnel, set it up and ping the right hand machine on
192.168.2. from the left hand machine on 192.168.1.

When that works, optional step (since you'll have to have it on the
Internet later): stick another Linux router in the middle  and do the
same. Obviously all the IP numbers on the routers should be changed to
suit. So that's one extra machine, 2 extra NICs and 2 extra crossover
cables.

When that works, substitute your switch for the router in the middle, if
you really want it.

I've done this with FreeS/WAN x509 VPN tunnels - though never with GRE -
so I know it works :-)

Best,

Tony

-- 

Tony Earnshaw

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
gpg public key:	http://www.billy.demon.nl/tonni.armor

Telefoon:	(+31) (0)172 530428
Mobiel:		(+31) (0)6 51153356

GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981
3BE7B981



[-- Attachment #2: Dette er en digitalt signert meldingsdel --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: Requestion for help with GRE tunnel

[Tony Earnshaw]

[-- Attachment #1: Type: text/plain, Size: 430 bytes --]

tir, 2002-06-18 kl. 22:55 skrev Tony Earnshaw:

> [Off list, because off topic]

Sorry list, I pressed the wrong button ...

Tony

-- 

Tony Earnshaw

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
gpg public key:	http://www.billy.demon.nl/tonni.armor

Telefoon:	(+31) (0)172 530428
Mobiel:		(+31) (0)6 51153356

GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981
3BE7B981



[-- Attachment #2: Dette er en digitalt signert meldingsdel --]
[-- Type: application/pgp-signature, Size: 189 bytes --]