* [LARTC] IP tunneling
From: bert @ 2000-10-15 23:10 UTC
To: lartc
On Sun, Oct 15, 2000 at 11:50:02PM +0200, papyrus wrote:
> ip addr add 192.168.2.1 dev netb
> ip route add 192.168.1.0/24 dev netb
>
> ...it's so easy...but
> When I start these scripts the error comes:
> RTNETLINK answers: Networking is out of work
> Where did I make a mistake?
I expect that the error comes from the last line, ip route add
192.168.1.0/24. Here it says 'Network is down'. Try this in between:
# ip link set neta up
Regards,
bert hubert
--
PowerDNS Versatile DNS Services
Trilab The Technology People
'SYN! .. SYN|ACK! .. ACK!' - the mating call of the internet
* [LARTC] IP Tunneling
From: phonic @ 2005-04-26 10:53 UTC
To: lartc
Hello
I have /25 addressed on a box (virtual devices on eth0) and I want to
tunnel some of these addresses to my home network. One address to my
gateway (a.b.c.d, external IP) and one address to my internal network
(192.168.0.0/24-style). I will use the tunnels for irc, smtp and surfing.
What protocol and which technique is easiest and best to use?
One more thing. I don't want to set up a bridge on eth0 at the /25-box
(like the OpenVPN-howto wants me to do). The configuration on that box
has to stay intact if possible, apart from the addresses I will
tunnel.
Regards
Jonathan
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
* Re: [LARTC] IP Tunneling
From: Taylor, Grant @ 2005-04-27 5:25 UTC
To: lartc
phonic@antisocial.nu wrote:
> Hello
> I have /25 addressed on a box (virtual devices on eth0) and I want to
> tunnel some of these addresses to my home network. One address to my
> gateway (a.b.c.d, external IP) and one address to my internal network
> (192.168.0.0/24-style). I will use the tunnels for irc, smtp and surfing.
> What protocol and which technique is easiest and best to use?
>
> One more thing. I don't want to set up a bridge on eth0 at the /25-box
> (like the OpenVPN-howto wants me to do). The configuration on that box
> have to be intact if it's possible, apart from the addresses I will
> tunnel.
Have you considered trying to get SSH to tunnel things for you? I don't know if this will meet your needs or not. If not you are looking at something like a GRE tunnel, IP-IP tunnel, PPTP tunnel, or IPSec tunnel. Save for SSH, all of these options are rather involved and complex to set up.
Grant. . . .
* Re: [LARTC] IP Tunneling
From: phonic @ 2005-04-27 7:38 UTC
To: lartc
> phonic@antisocial.nu wrote:
>> Hello
>> I have /25 addressed on a box (virtual devices on eth0) and I want to
>> tunnel some of these addresses to my home network. One address to my
>> gateway (a.b.c.d, external IP) and one address to my internal network
>> (192.168.0.0/24-style). I will use the tunnels for irc, smtp and
>> surfing.
>> What protocol and which technique is easiest and best to use?
>>
>> One more thing. I don't want to set up a bridge on eth0 at the /25-box
>> (like the OpenVPN-howto wants me to do). The configuration on that box
>> have to be intact if it's possible, apart from the addresses I will
>> tunnel.
>
> Have you considered trying to get SSH to tunnel things for you? I don't
> know if this will meet your needs or not. If not you are looking at
> something like a GRE tunnel, IP-IP tunnel, PPTP tunnel, or IPSec tunnel.
> Save for SSH, all of these options are rather involved and complex to set
> up.
>
>
>
> Grant. . . .
>
Hello
I have looked at SSH tunneling, but from what I know I think that's not the
best solution for me. After some research, an IPIP or GRE tunnel seems to fit
me best. But I don't find any good documentation, and the LARTC howto
doesn't bring up my problem either.
I've figured out that I will use iptunnel or similar to set up an
IPIP tunnel, like:
iptunnel add dev tunl1 mode ipip local a.b.c.d remote e.f.g.h
and the same on the other side (just switching local and remote addresses)
to tunnel the public IP address e.f.g.h (on the /25-box) to tunl0 at
a.b.c.d (my public IP at home). But the connection between me and the
remote host freezes, so I guess that's not enough. What more do I have to
do?
Regards
Jonathan
* Re: [LARTC] IP Tunneling
From: Taylor, Grant @ 2005-04-27 8:22 UTC
To: lartc
> Hello
> I have looked at SSH tunneling, but what I know I think that's not the
> best solution for me. After some research, IPIP or GRE tunnel seems to fit
> me best. But I don't find any good documentation, neither the LARTC howto
> is brings up my problem.
>
> I'd figured out that I will use iptunnel or similar to set up an
> IPIP-tunnel, like:
>
> iptunnel add dev tunl1 mode ipip local a.b.c.d remote e.f.g.h
>
> and the same on the other side (just switching local and remote addresses)
> to tunnel the public IP address e.f.g.h (on the /25-box) to tunl0 at
> a.b.c.d (my public IP at home). But the connection betweeen me and the
> remote host freezes, so I guess that's not enough. What more do I have to
> do?
Is the "freeze" that you are talking about data through the tunnel or is it the initialization itself? If it is the former, check to make sure that your firewall is not blocking traffic that would be flowing through the tunnel. Namely, if your filter table FORWARD chain policy is set to DROP and you don't have an explicit allow for traffic flowing through the tunnel interface, you will not be able to get things to work. I'll have to play with GRE / IPIP tunnels to see if I can offer any advice.
Grant. . . .
* Re: [LARTC] IP Tunneling
From: Dan Martin @ 2005-04-27 10:45 UTC
To: lartc
If I'm going over stuff covered already on this list, please let me
know!! Sorry... this is my first post!!
If you've just used the iptunnel command, you'll also need to use
ifconfig with the pointopoint type to set up an interface to route
traffic through. The IP addresses on either end of the point-to-point
interface should be the IPs you want to route traffic between once
you've reached the subnets at each end of the tunnel. If you want to
route more traffic across the link you use "ip route add 10.0.0.0/24
dev ipiptunnelname" or similar.
Also, you can view the traffic either encapsulated, by running tcpdump
on your physical interface, or un-encapsulated by running it on your
pointopoint interface.
Dan!
On 27 Apr 2005, at 09:22, Taylor, Grant wrote:
>> Hello
>> I have looked at SSH tunneling, but what I know I think that's not the
>> best solution for me. After some research, IPIP or GRE tunnel seems
>> to fit
>> me best. But I don't find any good documentation, neither the LARTC
>> howto
>> is brings up my problem.
>> I'd figured out that I will use iptunnel or similar to set up an
>> IPIP-tunnel, like:
>> iptunnel add dev tunl1 mode ipip local a.b.c.d remote e.f.g.h
>> and the same on the other side (just switching local and remote
>> addresses)
>> to tunnel the public IP address e.f.g.h (on the /25-box) to tunl0 at
>> a.b.c.d (my public IP at home). But the connection betweeen me and the
>> remote host freezes, so I guess that's not enough. What more do I
>> have to
>> do?
>
> Is the ""freeze that you are talking about data through the tunnel or
> is it the initialization it's self? If it is the former, check to
> make sure that your firewall is not blocking traffic that would be
> flowing through the tunnel. Namely if your filter table FORWARD chain
> policy is set to DROP and you don't have an explicit allow for traffic
> flowing through the tunnel interface you will not be able to get
> things to work. I'll have to play with GRE / IPIP tunnels to see if I
> can offer any advice.
>
>
>
> Grant. . . .
* Re: [LARTC] IP Tunneling
From: phonic @ 2005-04-27 10:53 UTC
To: lartc
>> Hello
>> I have looked at SSH tunneling, but what I know I think that's not the
>> best solution for me. After some research, IPIP or GRE tunnel seems to
>> fit
>> me best. But I don't find any good documentation, neither the LARTC
>> howto
>> is brings up my problem.
>>
>> I'd figured out that I will use iptunnel or similar to set up an
>> IPIP-tunnel, like:
>>
>> iptunnel add dev tunl1 mode ipip local a.b.c.d remote e.f.g.h
>>
>> and the same on the other side (just switching local and remote
>> addresses)
>> to tunnel the public IP address e.f.g.h (on the /25-box) to tunl0 at
>> a.b.c.d (my public IP at home). But the connection betweeen me and the
>> remote host freezes, so I guess that's not enough. What more do I have
>> to
>> do?
>
> Is the ""freeze that you are talking about data through the tunnel or is
> it the initialization it's self? If it is the former, check to make sure
> that your firewall is not blocking traffic that would be flowing through
> the tunnel. Namely if your filter table FORWARD chain policy is set to
> DROP and you don't have an explicit allow for traffic flowing through the
> tunnel interface you will not be able to get things to work. I'll have to
> play with GRE / IPIP tunnels to see if I can offer any advice.
>
>
>
> Grant. . . .
>
Hello
The "freezing" happens when I add an address to the tunnel interface, like
'ifconfig tunl1 add a.b.c.d'. I think my problem is here, because when I
then run 'ifconfig tunl1:0' on the /25-box 'inet addr' is set to a.b.c.d,
and also P-t-P is set to 'a.b.c.d'. Should 'inet addr' maybe be set to the
address I want to tunnel? On my home gateway, should 'inet addr' be set to
the tunneled address and P-t-P to a.b.c.d? And I'm sure it's not firewall
related because I dropped all my rules before I started playing. :-)
* RE: [LARTC] IP Tunneling
From: phonic @ 2005-04-27 11:02 UTC
To: lartc
Hello
If I understand OpenVPN's "routed" mode correctly, I can't use the tunnel to
browse the net, use irc or run an e-mail server. I set up a routed tunnel
a few days ago, and all I got was a tunnel between the two computers with
local addresses (10.0.0.0-style).
But maybe I have it wrong?
> Hi Jonathan,
>
> I am wondering, why do you exclude OpenVPN from the list of appropriate
> solutions for your needs?
> As far as I know, you do not have to use it in the "bridging mode" it can
> work also as normal routing via tunnels.
> Furthermore you can also use it without security.
>
> For the tunnels OpenVPN uses the tun/tap devices ....
> I think you can also use these without OpenVPN ... but here I am not sure,
> see man pages and google ....
>
> And this might also be a good link regarding this topic:
> http://vtun.sourceforge.net/
> They allow you to use also UDP as tunnel protocol, less overhead, and
> suitable for NAT traversal :O)
>
>
> Hopefully this helps you a little bit,
>
> Marc
>
>
>
>> -----Original Message-----
>> From: lartc-bounces@mailman.ds9a.nl
>> [mailto:lartc-bounces@mailman.ds9a.nl]On Behalf Of
>> phonic@antisocial.nu
>> Sent: Wednesday, April 27, 2005 9:38 AM
>> To: Taylor, Grant
>> Cc: lartc@mailman.ds9a.nl
>> Subject: Re: [LARTC] IP Tunneling
>>
>>
>> > phonic@antisocial.nu wrote:
>> >> Hello
>> >> I have /25 addressed on a box (virtual devices on eth0)
>> and I want to
>> >> tunnel some of these addresses to my home network. One
>> address to my
>> >> gateway (a.b.c.d, external IP) and one address to my
>> internal network
>> >> (192.168.0.0/24-style). I will use the tunnels for irc, smtp and
>> >> surfing.
>> >> What protocol and which technique is easiest and best to use?
>> >>
>> >> One more thing. I don't want to set up a bridge on eth0 at
>> the /25-box
>> >> (like the OpenVPN-howto wants me to do). The configuration
>> on that box
>> >> have to be intact if it's possible, apart from the addresses I will
>> >> tunnel.
>> >
>> > Have you considered trying to get SSH to tunnel things for
>> you? I don't
>> > know if this will meet your needs or not. If not you are looking at
>> > something like a GRE tunnel, IP-IP tunnel, PPTP tunnel, or
>> IPSec tunnel.
>> > Save for SSH, all of these options are rather involved and
>> complex to set
>> > up.
>> >
>> >
>> >
>> > Grant. . . .
>> >
>>
>> Hello
>> I have looked at SSH tunneling, but what I know I think that's not the
>> best solution for me. After some research, IPIP or GRE tunnel
>> seems to fit
>> me best. But I don't find any good documentation, neither the
>> LARTC howto
>> is brings up my problem.
>>
>> I'd figured out that I will use iptunnel or similar to set up an
>> IPIP-tunnel, like:
>>
>> iptunnel add dev tunl1 mode ipip local a.b.c.d remote e.f.g.h
>>
>> and the same on the other side (just switching local and
>> remote addresses)
>> to tunnel the public IP address e.f.g.h (on the /25-box) to tunl0 at
>> a.b.c.d (my public IP at home). But the connection betweeen me and the
>> remote host freezes, so I guess that's not enough. What more
>> do I have to
>> do?
>>
>> Regards
>> Jonathan
>>
* Re: [LARTC] IP Tunneling
From: phonic @ 2005-04-27 11:13 UTC
To: lartc
Hello
Okay, I tried to set up the routing table this way:
On the test box (doesn't use the /25 yet): 'ip route add 217.211.70.0/24
dev tunl1'
On my home box: 'ip route add 192.121.234.208/28 dev tunl1'
But the connection still freezes... Maybe I misunderstood you?
> If I'm going over stuff covered already on this list, please let me
> know!! Sorry... this is my first post!!
>
> If you've just used the iptunnel command, you'll also need to use
> ifconfig with the pointopoint type to set up an interface to route
> traffic through. The IP address's on either end of the point to point
> interface should be the IP's you want to route traffic between once
> you've reached the subnets at each end of the tunnel. If you want to
> route more traffic across the link you use "ip route add 10.0.0.0/24
> dev ipiptunnelname" or similar.
>
> Also, you can view the traffic either encapsulated, by running tcpdump
> on your physical interface, or un-encapsulated by running it on your
> pointopoint interface.
>
> Dan!
>
> On 27 Apr 2005, at 09:22, Taylor, Grant wrote:
>
>>> Hello
>>> I have looked at SSH tunneling, but what I know I think that's not the
>>> best solution for me. After some research, IPIP or GRE tunnel seems
>>> to fit
>>> me best. But I don't find any good documentation, neither the LARTC
>>> howto
>>> is brings up my problem.
>>> I'd figured out that I will use iptunnel or similar to set up an
>>> IPIP-tunnel, like:
>>> iptunnel add dev tunl1 mode ipip local a.b.c.d remote e.f.g.h
>>> and the same on the other side (just switching local and remote
>>> addresses)
>>> to tunnel the public IP address e.f.g.h (on the /25-box) to tunl0 at
>>> a.b.c.d (my public IP at home). But the connection betweeen me and the
>>> remote host freezes, so I guess that's not enough. What more do I
>>> have to
>>> do?
>>
>> Is the ""freeze that you are talking about data through the tunnel or
>> is it the initialization it's self? If it is the former, check to
>> make sure that your firewall is not blocking traffic that would be
>> flowing through the tunnel. Namely if your filter table FORWARD chain
>> policy is set to DROP and you don't have an explicit allow for traffic
>> flowing through the tunnel interface you will not be able to get
>> things to work. I'll have to play with GRE / IPIP tunnels to see if I
>> can offer any advice.
>>
>>
>>
>> Grant. . . .
* Re: [LARTC] IP Tunneling
From: Damjan @ 2005-04-27 18:19 UTC
To: lartc
> If I understand OpenVPN's "routed" mode correct, I can't use the tunnel to
> browse the net, use irc or run an e-mail server.
You can! I don't understand what your problem is with OpenVPN, it's the
easiest VPN solution I've ever seen.
> I set up a routed tunnel a few days ago, and all I got was a tunnel between the
> two computers with local addresses (10.0.0.0-style).
Then you need to add routing across the tunnel, just like you'd do if
it was a physical interface connected with a cable.
--
damjan | дамјан
This is my jabber ID --> damjan@bagra.net.mk <-- not my mail address!!!
* Re: [LARTC] IP Tunneling
From: phonic @ 2005-04-27 18:32 UTC
To: lartc
Hello
Well, if I can use a routing tunnel to irc through, my problem is solved.
:-) Have to read more about OpenVPN...
You say that I have to add stuff in the routing table. I tried to add the
default gw for each box on its tunnel device, but the connection is still
frozen... Why?
>> If I understand OpenVPN's "routed" mode correct, I can't use the tunnel
>> to
>> browse the net, use irc or run an e-mail server.
>
> You can! I don't understand what your problem is with OpenVPN, its the
> easiest VPN solution I've ever seen.
>
>> I set up a routed tunnel a few days ago, and all I got was a tunnel
>> between the
>> two computers with local addresses (10.0.0.0-style).
>
> Then you need to add routing accross the tunnel, just like you'd do if
> it was a physical interface connected with cable.
>
> --
> damjan | дамјан
> This is my jabber ID --> damjan@bagra.net.mk <-- not my mail address!!!
* Re: [LARTC] IP Tunneling
From: Taylor, Grant @ 2005-04-28 1:58 UTC
To: lartc
phonic@antisocial.nu wrote:
> Hello
> If I understand OpenVPN's "routed" mode correct, I can't use the tunnel to
> browse the net, use irc or run an e-mail server. I set up a routed tunnel
> a few days ago, and all I got was a tunnel between the two computers with
> local addresses (10.0.0.0-style).
You should be able to route through any tunnel as your default assuming a couple of things:
1) You have a route for the tunnel traffic to reach the other tunnel endpoint.
2) You set your default route to be something on the other end of the tunnel.
3) The other end of the tunnel will allow your traffic to pass through and out to the internet. A lot of firewalls will not allow traffic out to the internet and back if it is from a subnet that is not directly attached to the system the firewall is running on. Seeing as how this is a firewall config issue it is really not that much of one, unless you can't get the other end reconfigured to suit your needs.
Grant. . . .
* Re: [LARTC] IP Tunneling
From: Damjan @ 2005-04-28 11:14 UTC
To: lartc
> Well, if I can use a routing tunnel to irc through, my problem is solved.
> :-) Have to read more about OpenVPN...
>
> You say that I have to add stuff in the routing table. I tried to add the
> default gw for each box on it's tunnel-device, but the connection is still
> freezed... Why?
Well, you seem to not understand routing :). If you change the default
gateway through the tunnel, then how will OpenVPN communicate with its
peer???
Anyway, check the --redirect-gateway option in openvpn.
--
damjan | дамјан
This is my jabber ID --> damjan@bagra.net.mk <-- not my mail address!!!
* Re: [LARTC] IP Tunneling
From: Taylor, Grant @ 2005-04-28 16:46 UTC
To: lartc
> Well, you seem to not understand routing :). If you change the default
> gateway trought the tunnel, then how will OpenVPN communicate with its
> peer???
This is when you set a route to the public IP of the host that is the other endpoint of the tunnel via your upstream gateway. This way your router has a route to get to the endpoint of the tunnel as well as a default route via the tunnel.
Grant. . . .
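Grant's point above, and Damjan's objection before it, can be checked with a small route-table simulation. This is an added example in Python and not code from the thread: the addresses are constructed from documentation ranges, the device name tunl1 follows the thread, and the lookup mimics the kernel's longest-prefix match plus the ipip driver's re-lookup of the encapsulated packet.

```python
"""Added example (not from the LARTC thread): longest-prefix-match route
lookup that shows why 'default gw on the tunnel device' freezes the link
and what the extra host route to the remote endpoint fixes. Addresses are
constructed (RFC 5737 documentation ranges); tunl1 follows the thread."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network   # destination; 0.0.0.0/0 is the default route
    dev: str                        # outgoing interface
    via: Optional[str] = None       # next hop; None for a connected or p-t-p link


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, as the kernel FIB selects a route for a destination."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def trace_path(routes, dst, tunnel_dev, tunnel_remote, max_hops=4) -> List[str]:
    """Follow a packet to dst. Every time the chosen route is the tunnel, the
    packet is encapsulated with an outer destination of tunnel_remote and
    looked up again (that is what the ipip driver does on transmit). The
    result is the list of devices chosen; ending in 'loop' means the outer
    packet was sent back into the tunnel, which is Damjan's objection."""
    path, current = [], dst
    for _ in range(max_hops):
        route = lookup(routes, current)
        if route is None:
            return path + ["unreachable"]
        path.append(route.dev)
        if route.dev != tunnel_dev:
            return path             # left on a physical interface: delivered
        current = tunnel_remote     # encapsulated: now route the outer packet
    return path + ["loop"]


def default_via_tunnel_ok(routes, tunnel_dev, tunnel_remote) -> bool:
    """Grant's conditions 1 and 2: default traffic enters the tunnel, and the
    encapsulated packets to the remote endpoint still leave by a non-tunnel route."""
    path = trace_path(routes, "198.51.100.10", tunnel_dev, tunnel_remote)
    return path[0] == tunnel_dev and path[-1] not in (tunnel_dev, "loop", "unreachable")


def ip_route_commands(routes: List[Route]) -> List[str]:
    """Render the table as the 'ip route add' lines one would type, in order."""
    cmds = []
    for r in routes:
        via = f" via {r.via}" if r.via else ""
        cmds.append(f"ip route add {r.prefix}{via} dev {r.dev}")
    return cmds


UPLINK_GW = "203.0.113.1"       # constructed: the home box's ISP gateway
REMOTE_ENDPOINT = "192.0.2.10"  # constructed: public IP of the other tunnel end
NET = ipaddress.ip_network

# What phonic tried: the default gateway moved onto tunl1 and nothing else.
BROKEN_TABLE = [
    Route(NET("203.0.113.0/24"), "eth0"),
    Route(NET("0.0.0.0/0"), "tunl1"),
]

# Grant's fix: a host route for the remote endpoint via the upstream gateway,
# added before the default route is pointed at the tunnel.
FIXED_TABLE = [
    Route(NET("203.0.113.0/24"), "eth0"),
    Route(NET("192.0.2.10/32"), "eth0", via=UPLINK_GW),
    Route(NET("0.0.0.0/0"), "tunl1"),
]
```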
* RE: [LARTC] IP Tunneling
From: Dan Martin @ 2005-04-29 2:22 UTC
To: lartc
Hi
It sounds like you've got the commands correct, maybe the IPs are wrong? Is there NAT anywhere?
Here's an example of how I'd configure an ipip tunnel that's NAT'ed... may help?
the network:
Router A has many-to-one NAT for the internal network on its public interface
Router B has static NAT between 3.3.3.3 and 192.168.0.2
The tunnel is established from A to B initially to add the NAT entry to RouterA's table. (although the tunnel itself is stateless)
HostA RouterA (NAT/PAT) RouterB (NAT) HostB
[10.0.0.2]----[10.0.0.1/24 2.2.2.2] -----INET-----[3.3.3.3 192.168.0.1/24]------[192.168.0.2]
On HostA:
iptunnel add Tunnel1 mode ipip local 10.0.0.2 remote 3.3.3.3
ifconfig Tunnel1 10.0.0.2 pointopoint 192.168.0.2
ip route add 192.168.0.0/24 dev Tunnel1
On HostB:
iptunnel add Tunnel1 mode ipip local 192.168.0.2 remote 2.2.2.2
ifconfig Tunnel1 192.168.0.2 pointopoint 10.0.0.2
ip route add 10.0.0.0/24 dev Tunnel1
Here are some packet captures from each host showing the encapsulated IP packet (eth0 capture) and the un-encapsulated IP packet arriving at the tunnel interface (Tunnel1), so you can see what outgoing traffic would look like; no replies though, because I made the IPs up :-)
=====================================================
HostA:
[root@testvpn-1 ~]# tcpdump -ni eth0 host 3.3.3.3
18:48:42.473976 IP 10.0.0.2 > 3.3.3.3: IP 10.0.0.2 > 192.168.0.2: icmp 64: echo request seq 0 (ipip-proto-4)
18:48:43.473592 IP 10.0.0.2 > 3.3.3.3: IP 10.0.0.2 > 192.168.0.2: icmp 64: echo request seq 1 (ipip-proto-4)
[root@testvpn-1 ~]# tcpdump -ni Tunnel1
18:49:21.309733 IP 10.0.0.2 > 192.168.0.2: icmp 64: echo request seq 0
18:49:22.310005 IP 10.0.0.2 > 192.168.0.2: icmp 64: echo request seq 1
=====================================================
HostB:
[root@test-1 ~]# tcpdump -ni eth0 host 2.2.2.2
18:34:28.748402 IP 192.168.0.2 > 2.2.2.2: IP 192.168.0.2 > 10.0.0.2: icmp 64: echo request seq 105 (ipip-proto-4)
18:34:29.748198 IP 192.168.0.2 > 2.2.2.2: IP 192.168.0.2 > 10.0.0.2: icmp 64: echo request seq 106 (ipip-proto-4)
[root@testvpn-1 ~]# tcpdump -ni Tunnel1
18:37:33.802281 IP 192.168.0.2 > 10.0.0.2: icmp 64: echo request seq 290
18:37:34.802086 IP 192.168.0.2 > 10.0.0.2: icmp 64: echo request seq 291
Once through the two NAT routers each end's tunnel definitions match the packets and everything should work... In theory :-)
________________________________
From: phonic@antisocial.nu [mailto:phonic@antisocial.nu]
Sent: Wed 27/04/2005 12:13
To: Dan Martin
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] IP Tunneling
Hello
Okey, I tried to set up routing table this way :
On the test box (doesn't use the /25 yet): 'ip route add 217.211.70.0/24
dev tunl1'
On my home box: 'ip route add 192.121.234.208/28 dev tunl1'
But the connection still freezes... Maybe I misunderstood you?
> If I'm going over stuff covered already on this list, please let me
> know!! Sorry... this is my first post!!
>
> If you've just used the iptunnel command, you'll also need to use
> ifconfig with the pointopoint type to set up an interface to route
> traffic through. The IP address's on either end of the point to point
> interface should be the IP's you want to route traffic between once
> you've reached the subnets at each end of the tunnel. If you want to
> route more traffic across the link you use "ip route add 10.0.0.0/24
> dev ipiptunnelname" or similar.
>
> Also, you can view the traffic either encapsulated, by running tcpdump
> on your physical interface, or un-encapsulated by running it on your
> pointopoint interface.
>
> Dan!
>
> On 27 Apr 2005, at 09:22, Taylor, Grant wrote:
>
>>> Hello
>>> I have looked at SSH tunneling, but what I know I think that's not the
>>> best solution for me. After some research, IPIP or GRE tunnel seems
>>> to fit
>>> me best. But I don't find any good documentation, neither the LARTC
>>> howto
>>> is brings up my problem.
>>> I'd figured out that I will use iptunnel or similar to set up an
>>> IPIP-tunnel, like:
>>> iptunnel add dev tunl1 mode ipip local a.b.c.d remote e.f.g.h
>>> and the same on the other side (just switching local and remote
>>> addresses)
>>> to tunnel the public IP address e.f.g.h (on the /25-box) to tunl0 at
>>> a.b.c.d (my public IP at home). But the connection betweeen me and the
>>> remote host freezes, so I guess that's not enough. What more do I
>>> have to
>>> do?
>>
>> Is the ""freeze that you are talking about data through the tunnel or
>> is it the initialization it's self? If it is the former, check to
>> make sure that your firewall is not blocking traffic that would be
>> flowing through the tunnel. Namely if your filter table FORWARD chain
>> policy is set to DROP and you don't have an explicit allow for traffic
>> flowing through the tunnel interface you will not be able to get
>> things to work. I'll have to play with GRE / IPIP tunnels to see if I
>> can offer any advice.
>>
>>
>>
>> Grant. . . .
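Dan's captures can be parsed and his "once through the two NAT routers the tunnel definitions match" claim checked mechanically. This is an added example in Python, not code from the thread: the NAT behaviour of RouterA and RouterB is modelled from Dan's description (many-to-one NAT behind 2.2.2.2 that only passes return traffic for a mapping it has already seen, static NAT 3.3.3.3 <-> 192.168.0.2), and the acceptance rule is the Linux ipip receiver's, which only takes a packet whose outer source is the tunnel's remote and whose outer destination is its local.

```python
"""Added example (not from the LARTC thread): parse the tcpdump lines from
Dan's IPIP example and check that, after both NAT routers rewrite the outer
IP header, each end's tunnel definition (local/remote) still matches the
packets it receives. NAT behaviour is modelled from Dan's description."""
import ipaddress
import re
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# tcpdump -n line: outer header, optional inner header (IPIP), payload, encap tag
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"(?:IP (?P<isrc>[\d.]+) > (?P<idst>[\d.]+): )?"
    r"(?P<payload>.*?)(?: \((?P<encap>ipip-proto-\d+)\))?$"
)


@dataclass(frozen=True)
class Packet:
    src: str                    # outer source (the only header NAT touches)
    dst: str                    # outer destination
    inner_src: Optional[str]    # inner header, present only when encapsulated
    inner_dst: Optional[str]
    payload: str
    encapsulated: bool


@dataclass(frozen=True)
class Tunnel:
    local: str
    remote: str


def parse_line(line: str) -> Optional[Packet]:
    """Turn one tcpdump line into a Packet; None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Packet(m["src"], m["dst"], m["isrc"], m["idst"], m["payload"],
                  m["encap"] is not None)


def tunnel_accepts(t: Tunnel, p: Packet) -> bool:
    """ipip demux rule: outer src must equal our 'remote', outer dst our 'local'."""
    return p.encapsulated and p.src == t.remote and p.dst == t.local


def nat_a_to_b(p: Packet) -> Packet:
    """HostA -> HostB: RouterA SNATs the private source, RouterB DNATs 3.3.3.3."""
    src, dst = p.src, p.dst
    if ipaddress.ip_address(src) in ipaddress.ip_network("10.0.0.0/24"):
        src = "2.2.2.2"
    if dst == "3.3.3.3":
        dst = "192.168.0.2"
    return replace(p, src=src, dst=dst)


def nat_b_to_a(p: Packet, mapping_exists: bool) -> Optional[Packet]:
    """HostB -> HostA: RouterB SNATs to 3.3.3.3; RouterA can only DNAT back to
    10.0.0.2 if HostA's earlier outbound packet created the mapping (Dan's
    'established from A to B initially'); otherwise the packet is dropped."""
    src = "3.3.3.3" if p.src == "192.168.0.2" else p.src
    if p.dst == "2.2.2.2":
        if not mapping_exists:
            return None
        return replace(p, src=src, dst="10.0.0.2")
    return replace(p, src=src)


HOSTA_TUNNEL = Tunnel(local="10.0.0.2", remote="3.3.3.3")     # Dan's HostA config
HOSTB_TUNNEL = Tunnel(local="192.168.0.2", remote="2.2.2.2")  # Dan's HostB config
# Capture lines quoted from Dan's message (HostA eth0, HostA Tunnel1, HostB eth0).
HOSTA_ETH0 = [
    "18:48:42.473976 IP 10.0.0.2 > 3.3.3.3: IP 10.0.0.2 > 192.168.0.2: icmp 64: echo request seq 0 (ipip-proto-4)",
    "18:48:43.473592 IP 10.0.0.2 > 3.3.3.3: IP 10.0.0.2 > 192.168.0.2: icmp 64: echo request seq 1 (ipip-proto-4)",
]
HOSTA_TUNNEL1 = [
    "18:49:21.309733 IP 10.0.0.2 > 192.168.0.2: icmp 64: echo request seq 0",
    "18:49:22.310005 IP 10.0.0.2 > 192.168.0.2: icmp 64: echo request seq 1",
]
HOSTB_ETH0 = [
    "18:34:28.748402 IP 192.168.0.2 > 2.2.2.2: IP 192.168.0.2 > 10.0.0.2: icmp 64: echo request seq 105 (ipip-proto-4)",
]


def a_to_b_results(lines: List[str]) -> List[Tuple[bool, bool]]:
    """For each encapsulated line: (HostB accepts as captured, accepts after NAT)."""
    out = []
    for line in lines:
        p = parse_line(line)
        if p is None or not p.encapsulated:
            continue          # tunnel-interface captures carry no outer header
        out.append((tunnel_accepts(HOSTB_TUNNEL, p),
                    tunnel_accepts(HOSTB_TUNNEL, nat_a_to_b(p))))
    return out


def b_to_a_accepted(line: str, mapping_exists: bool) -> bool:
    p = parse_line(line)
    natted = nat_b_to_a(p, mapping_exists) if p else None
    return natted is not None and tunnel_accepts(HOSTA_TUNNEL, natted)
```

The (False, True) pairs show why the raw eth0 capture on HostA does not match HostB's tunnel definition while the NAT-rewritten packet does, and the reverse direction only works once RouterA holds the mapping HostA's first packet created.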