* [LARTC] Gre Tunneling Problem
From: glynn @ 2002-01-06 9:39 UTC (permalink / raw)
To: lartc
Hello everyone, I have a problem regarding GRE tunneling. I have two Linux boxes, both of them have a private network; Linux A is connected to the internet via wireless radio and the other, Linux B, is connected to the internet via leased line. Here is the setup of my two Linux boxes:

Linux A
eth0 = 203.189.x.1 (internet)
eth1 = 192.168.1.1 (going to hub private network)

Linux B
eth0 = 205.198.x.1 (internet)
eth1 = 192.168.2.1 (going to hub private network)

Here is my configuration on Linux A and B. I also load the modules needed (insmod ip_gre).

Linux A
ip tunnel add netb mode gre remote 205.198.x.1 local 203.189.x.1 ttl 255
ip link set netb up
ip addr add 192.168.1.1 dev netb
ip route add 192.168.2.0/24 dev netb

Linux B
ip tunnel add neta mode gre remote 203.189.x.1 local 205.198.x.1 ttl 255
ip link set neta up
ip addr add 192.168.2.1 dev neta
ip route add 192.168.1.0/24 dev neta

I could ping both sides, the eth0 and also the eth1 which is for the private network. Here is my problem: I couldn't ping the other private IP addresses on the hub my eth1 is connected to. Can anyone help me, what's my error? Please reply ASAP. Thanks
Glynn Condez
* Re: [LARTC] Gre Tunneling Problem
From: glynn @ 2002-01-07 0:58 UTC (permalink / raw)
To: lartc
Hello Christoph, actually I haven't done anything with netfilter rules and I don't have
any restrictions applied on the Linux box, it's a normal configuration. I also
enabled forwarding under /proc/sys/net/ipv4/ip_forward with the value
of 1. Can you figure out what's the problem? Thanks
Glynn
----- Original Message -----
From: "Christoph Simon" <ciccio@kiosknet.com.br>
To: "glynn" <glynn@itextron.com>
Cc: <lartc@mailman.ds9a.nl>
Sent: Monday, January 07, 2002 7:41 PM
Subject: Re: [LARTC] Gre Tunneling Problem
> Do you have any netfilter rules not letting pass proto 47? You'll also
> have to allow forwarding.
>
> --
> Christoph Simon
> ciccio@kiosknet.com.br
> ---
> ^X^C
> q
> quit
> :q
> ^C
> end
> x
> exit
> ZZ
> ^D
> ?
> help
> .
>
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/lartc/
* Re: [LARTC] Gre Tunneling Problem
From: glynn @ 2002-01-07 1:48 UTC (permalink / raw)
To: lartc
Hi Joe, I will try your suggestion and I'll inform you guys if it's working or
not. I really badly need it to work, guys :( hope you understand. Thanks
again,
Glynn
--- Original Message -----
From: "Joe Patterson" <jpatterson@asgardgroup.com>
To: "glynn" <glynn@itextron.com>; "Christoph Simon" <ciccio@kiosknet.com.br>
Cc: <lartc@mailman.ds9a.nl>
Sent: Tuesday, January 08, 2002 9:01 AM
Subject: RE: [LARTC] Gre Tunneling Problem
> I would suggest using a different network for the gre tunnel, like:
>
> Linux A
> ip tunnel add netb mode gre remote 205.198.x.1 local 203.189.x.1 ttl 255
> ip link set netb up
> ip addr add 192.168.3.1/30 dev netb
> ip route add 192.168.2.0/24 dev netb via 192.168.3.2
>
> Linux B
> ip tunnel add neta mode gre remote 203.189.x.1 local 205.198.x.1 ttl 255
> ip link set neta up
> ip addr add 192.168.3.2/30 dev neta
> ip route add 192.168.1.0/24 dev neta via 192.168.3.1
>
> Otherwise, it's just weird. Not that that's bad, it just sometimes doesn't
> work...
>
> -Joe
* Re: [LARTC] Gre Tunneling Problem
From: glynn @ 2002-01-07 4:04 UTC (permalink / raw)
To: lartc
Hi Joe, I tried it and it won't work, same result. I could ping both but it
won't result the internal IP addresses; it seems that it only resolves the
interfaces but it won't allow to forward. Can you figure it out again please?
Thanks.
Glynn
* Re: [LARTC] Gre Tunneling Problem
From: glynn @ 2002-01-07 6:28 UTC (permalink / raw)
To: lartc
It won't work Joe, I tried everything. I searched almost every howto on the web
about GRE tunneling and they are almost the same. BTW, in configuring GRE tunneling in
Redhat 6.0, please help
Thanks
Glynn
----- Original Message -----
From: "Christoph Simon" <ciccio@kiosknet.com.br>
To: "Joe Patterson" <jpatterson@asgardgroup.com>
Cc: <glynn@itextron.com>; <lartc@mailman.ds9a.nl>
Sent: Tuesday, January 08, 2002 9:18 AM
Subject: Re: [LARTC] Gre Tunneling Problem
> Don't know if this helps, but it's working here just as Glynn posted
> and just as it's written in the Howto. I guess the problem must be at
> another spot.
* Re: [LARTC] Gre Tunneling Problem
From: glynn @ 2002-01-07 6:35 UTC (permalink / raw)
To: lartc
Now I'm trying to install a new Slackware 7, maybe it will work :(
* Re: [LARTC] Gre Tunneling Problem
From: glynn @ 2002-01-07 9:40 UTC (permalink / raw)
To: lartc
When you configured that tunneling, did you reconfigure your kernel? What
should I enable in my kernel? By the way, when I log on to Linux A, I
could ping the Linux B eth0 (internet) and eth1 (let's say "192.168.1.1"), but
when I ping "192.168.1.2", which is a Windows workstation connected to the
hub, it won't pass through. How do I sniff the interface where the packets go?
Can you help me with that please? Thanks
Glynn
----- Original Message -----
From: "Christoph Simon" <ciccio@kiosknet.com.br>
To: "glynn" <glynn@itextron.com>
Cc: <jpatterson@asgardgroup.com>; <lartc@mailman.ds9a.nl>
Sent: Tuesday, January 08, 2002 5:14 PM
Subject: Re: [LARTC] Gre Tunneling Problem
> On Mon, 7 Jan 2002 14:35:08 +0800
> "glynn" <glynn@itextron.com> wrote:
>
> > now im trying to install a new slackware 7, maybe it work :(
>
> I'm running debian here. But I do think, you should try to trace the
> problem. Send a ping and sniff on each interface, step by step, where
> the packets go and what they look like. Trying different distributions
> seems little reasonable for me, but maybe you want to recompile the
> kernel just to make sure, everything's OK, no strange patches, etc.
* Re: [LARTC] Gre Tunneling Problem
From: glynn @ 2002-01-07 10:21 UTC (permalink / raw)
To: lartc
Well, that's good to hear that my tunnel is slightly working now. Well, it's
almost evening, I need to fetch my wife at her office. Now I could sleep a
little bit this evening, I'll work on it tomorrow. Thanks for the help
Chris. I'll get in touch with you with the result tomorrow or if I have some
questions. Thanks
glynn
----- Original Message -----
From: "Christoph Simon" <ciccio@kiosknet.com.br>
To: "glynn" <glynn@itextron.com>
Cc: <lartc@mailman.ds9a.nl>
Sent: Tuesday, January 08, 2002 5:48 PM
Subject: Re: [LARTC] Gre Tunneling Problem
> On Mon, 7 Jan 2002 17:40:47 +0800
> "glynn" <glynn@itextron.com> wrote:
>
> > when you configure that tunneling did you reconfigure your kernel? what
> > should i enable in my kernel? by the way when i log-on to the linux A, I
> > could ping the linux B eth0(internet) and eth1(let say "192.168.1.1")
> > but when i ping the "192.168.1.2" which is a windows workstation
> > connected to hub it wont pass thru. how do i sniff the interface where
> > the packets go, can you help me about that pls. Thanks
>
> So you can ping from 192.168.2.1 to 192.168.1.1, this is good, as it
> means that the tunnel definitively is working.
>
> Now, if you try to ping from 192.168.2.1 to 192.168.1.2, the Windows
> box, it seems to fail. First I would try to ping from 192.168.1.1 to
> 192.168.1.2, just to make sure, everything is working fine locally. If
> this works too, I would make tcpdump listen at the external interface
> of 192.168.2.1. Does the packet actually go out? If not, the routing
> or filter problem must be there. If it works, I'd listen on the
> external interface of 192.168.1.1; obviously these must arrive because
> the tunnel is working and the packet left at the other side. Now you
> can listen to the internal interface, seeing if the packet is actually
> being forwarded. If this fails, your problem is routing, filtering or
> forwarding on 192.168.1.1. Don't know how to sniff on a Windows, but
> as the ping from 192.168.1.1 to 192.168.1.2 presumably worked, there
> shouldn't be a need.
>
> If you have access and there is no other traffic, a much simpler
> method would be just to watch the leds on the modems, network cards,
> hubs, etc. This will help finding out where your problem is. As you
> can ping the first computer after the tunnel, I feel sure, the tunnel
> is working fine, the problem must be in another place, probably a
> stupid little detail.
>
> Note that the suggestion of introducing a different network address
> for the tunnel interfaces themselves will slightly complicate
> routing. But if you pay attention, this shouldn't be a problem.
>
^ permalink raw reply [flat|nested] 29+ messages in thread
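Christoph's step-by-step trace from the message quoted above, as an added shell example that is not part of anyone's post: it reads saved tcpdump -n text from the external interface of Linux B, then the external and internal interfaces of Linux A, and reports the first point where the echo request is missing. It goes one step beyond the thread by also looking for the echo reply on the way back. The capture file names, the sample capture lines and the addresses 198.51.100.1 / 203.0.113.1 (stand-ins for the public addresses the thread gives only as 205.198.x.1 and 203.189.x.1) are constructed.

```sh
#!/bin/sh
# Added example, not from the thread: find where a ping from Linux B
# (192.168.2.1) to the workstation behind Linux A (192.168.1.2) stops, using
# saved `tcpdump -n` text from the capture points in the order Christoph gives.
#
# Captures, taken as root while the ping runs (file names are hypothetical):
#   Linux B:  tcpdump -n -i eth0 'ip proto 47'                > b_eth0.txt
#   Linux A:  tcpdump -n -i eth0 'ip proto 47'                > a_eth0.txt
#   Linux A:  tcpdump -n -i eth1 'icmp and host 192.168.1.2'  > a_eth1.txt

SRC=${SRC:-192.168.2.1}   # address the ping comes from (from the thread)
DST=${DST:-192.168.1.2}   # Windows workstation on A's hub (from the thread)

# has_icmp FILE KIND FROM TO [gre]
# Succeeds if FILE shows an ICMP echo KIND (request|reply) going FROM > TO.
# With "gre" only GRE-encapsulated lines count; without it only bare ones do.
has_icmp() {
    file=$1; kind=$2; from=$3; to=$4; encap=${5:-}
    needle="IP $from > $to: ICMP echo $kind"
    [ -r "$file" ] || return 1
    if [ "$encap" = gre ]; then
        grep -F 'GREv0' "$file" | grep -Fq "$needle"
    else
        grep -Fv 'GREv0' "$file" | grep -Fq "$needle"
    fi
}

# locate_fault B_ETH0 A_ETH0 A_ETH1
# Prints "<code>: <what to check>" for the first hop where the packet is missing.
locate_fault() {
    b_ext=$1; a_ext=$2; a_int=$3
    if ! has_icmp "$b_ext" request "$SRC" "$DST" gre; then
        echo "b-egress: request never left Linux B eth0 inside GRE (routing or filter on B)"
    elif ! has_icmp "$a_ext" request "$SRC" "$DST" gre; then
        echo "transit: GRE (proto 47) left B but did not arrive on Linux A eth0"
    elif ! has_icmp "$a_int" request "$SRC" "$DST"; then
        echo "a-forward: request reached A but not eth1 (ip_forward, routing or filter on A)"
    elif ! has_icmp "$a_int" reply "$DST" "$SRC"; then
        echo "no-reply: $DST got the request but did not answer (its route back to $SRC, host firewall)"
    elif ! has_icmp "$a_ext" reply "$DST" "$SRC" gre; then
        echo "a-return: reply seen on eth1 but A did not send it back into the tunnel"
    else
        echo "ok: request and reply both cross Linux A"
    fi
}

# Constructed sample captures: the request is forwarded to eth1, no reply comes.
# 198.51.100.1 = Linux B eth0, 203.0.113.1 = Linux A eth0 (stand-in addresses).
write_sample() {
    dir=$1
    cat > "$dir/b_eth0.txt" <<'EOF'
12:00:01.000100 IP 198.51.100.1 > 203.0.113.1: GREv0, length 88: IP 192.168.2.1 > 192.168.1.2: ICMP echo request, id 4242, seq 1, length 64
EOF
    cat > "$dir/a_eth0.txt" <<'EOF'
12:00:01.030200 IP 198.51.100.1 > 203.0.113.1: GREv0, length 88: IP 192.168.2.1 > 192.168.1.2: ICMP echo request, id 4242, seq 1, length 64
EOF
    cat > "$dir/a_eth1.txt" <<'EOF'
12:00:01.030400 IP 192.168.2.1 > 192.168.1.2: ICMP echo request, id 4242, seq 1, length 64
EOF
}

# Run the check over the constructed sample.
demo() {
    d=$(mktemp -d) || return 1
    write_sample "$d"
    locate_fault "$d/b_eth0.txt" "$d/a_eth0.txt" "$d/a_eth1.txt"
    rm -rf "$d"
}
demo
```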
* Re: [LARTC] Gre Tunneling Problem
From: Christoph Simon @ 2002-01-07 11:41 UTC (permalink / raw)
To: lartc
Do you have any netfilter rules not letting pass proto 47? You'll also
have to allow forwarding.
* Re: [LARTC] Gre Tunneling Problem
From: Christoph Simon @ 2002-01-08 0:56 UTC (permalink / raw)
To: lartc
On Mon, 7 Jan 2002 08:58:46 +0800
"glynn" <glynn@itextron.com> wrote:
> Hello Christoph, actually I havent done with netfilter rules and i dont
> have any restrictions applied for the linux, its a normal configuration,
> I also enable the forwarding under the /proc/sys/net/ipv4/ip_forward
> with the value of 1. can you figure out whats the problem? thanks
I don't know what's wrong. It's working here. I can ping the external
and internal addresses of the peer, and, through the tunnel, any host
connected to that. Try to follow the packets using tcpdump or similar.
* RE: [LARTC] Gre Tunneling Problem
From: Joe Patterson @ 2002-01-08 1:01 UTC (permalink / raw)
To: lartc
I would suggest using a different network for the gre tunnel, like:

Linux A
ip tunnel add netb mode gre remote 205.198.x.1 local 203.189.x.1 ttl 255
ip link set netb up
ip addr add 192.168.3.1/30 dev netb
ip route add 192.168.2.0/24 dev netb via 192.168.3.2

Linux B
ip tunnel add neta mode gre remote 203.189.x.1 local 205.198.x.1 ttl 255
ip link set neta up
ip addr add 192.168.3.2/30 dev neta
ip route add 192.168.1.0/24 dev neta via 192.168.3.1

Otherwise, it's just weird. Not that that's bad, it just sometimes doesn't
work...

-Joe
* Re: [LARTC] Gre Tunneling Problem
From: glynn @ 2002-01-08 1:07 UTC (permalink / raw)
To: lartc
Are PPTP VPN and GRE tunneling the same?
Thanks
Glynn
----- Original Message -----
From: "Greg Scott" <GregScott@InfraSupportEtc.com>
To: "'glynn'" <glynn@itextron.com>; "Christoph Simon"
<ciccio@kiosknet.com.br>; "Joe Patterson" <jpatterson@asgardgroup.com>
Cc: <lartc@mailman.ds9a.nl>
Sent: Tuesday, January 08, 2002 8:40 PM
Subject: RE: [LARTC] Gre Tunneling Problem
> > btw in configuring gre tunneling in
> > Redhat 6.0, pls help
>
> Could this be your problem? I thought the PPTP VPN stuff needs the 2.4
> kernel. The testing I mentioned earlier was with Red Hat 7.1 on both ends
> of the tunnel, which is a 2.4.n kernel.
>
> - Greg
* Re: [LARTC] Gre Tunneling Problem
From: glynn @ 2002-01-08 1:15 UTC (permalink / raw)
To: lartc
hello good morning, i would like to ask, do i need to configure nat/masq in
both linux boxes? I could ping both eth1 which is the private ip of the
interfaces but private network wont work.
----- Original Message -----
From: "Christoph Simon" <ciccio@kiosknet.com.br>
To: "glynn" <glynn@itextron.com>
Cc: <lartc@mailman.ds9a.nl>
Sent: Tuesday, January 08, 2002 5:48 PM
Subject: Re: [LARTC] Gre Tunneling Problem
> On Mon, 7 Jan 2002 17:40:47 +0800
> "glynn" <glynn@itextron.com> wrote:
>
> > when you configure that tunneling did you reconfigure your kernel? what
> > should i enable in my kernel? by the way when i log-on to the linux A, I
> > could ping the linux B eth0(internet) and eth1(let say "192.168.1.1")
> > but when i ping the "192.168.1.2" which is a windows workstation
> > connected to hub it wont pass thru. how do i sniff the interface where
> > the packets go, can you help me about that pls. Thanks
>
> So you can ping from 192.168.2.1 to 192.168.1.1, this is good, as it
> means that the tunnel definitively is working.
>
> Now, if you try to ping from 192.168.2.1 to 192.168.1.2, the Windows
> box, it seems to fail. First I would try to ping from 192.168.1.1 to
> 192.168.1.2, just to make sure, everything is working fine locally. If
> this works too, I would make tcpdump listen at the external interface
> of 192.168.2.1. Does the packet actually go out? If not, the routing
> or filter problem must be there. If it works, I'd listen on the
> external interface of 192.168.1.1; obviously these must arrive because
> the tunnel is working and the packet left at the other side. Now you
> can listen to the internal interface, seeing if the packet is actually
> being forwarded. If this fails, your problem is routing, filtering or
> forwarding on 192.168.1.1. Don't know how to sniff on a Windows, but
> as the ping from 192.168.1.1 to 192.168.1.2 presumably worked, there
> shouldn't be a need.
>
> If you have access and there is no other traffic, a much simpler
> method would be just to watch the leds on the modems, network cards,
> hubs, etc. This will help finding out where your problem is. As you
> can ping the first computer after the tunnel, I feel sure, the tunnel
> is working fine, the problem must be in another place, probably a
> stupid little detail.
>
> Note that the suggestion of introducing a different network address
> for the tunnel interfaces themselves will slightly complicate
> routing. But if you pay attention, this shouldn't be a problem.
>
> --
> Christoph Simon
> ciccio@kiosknet.com.br
> ---
> ^X^C
> q
> quit
> :q
> ^C
> end
> x
> exit
> ZZ
> ^D
> ?
> help
> .
>
^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [LARTC] Gre Tunneling Problem
2002-01-06 9:39 [LARTC] Gre Tunneling Problem glynn
` (11 preceding siblings ...)
2002-01-08 1:15 ` glynn
@ 2002-01-08 1:18 ` Christoph Simon
2002-01-08 4:54 ` Greg Scott
` (14 subsequent siblings)
27 siblings, 0 replies; 29+ messages in thread
From: Christoph Simon @ 2002-01-08 1:18 UTC (permalink / raw)
To: lartc
On Mon, 7 Jan 2002 20:01:00 -0500
"Joe Patterson" <jpatterson@asgardgroup.com> wrote:
> I would suggest using a different network for the gre tunnel, like:
>
> Linux A
> ip tunnel add netb mode gre remote 205.198.x.1 local 203.189.x.1 ttl 255
> ip link set netb up
> ip addr add 192.168.3.1/30 dev netb
> ip route add 192.168.2.0/24 dev netb via 192.168.3.2
>
> Linux B
> ip tunnel add neta mode gre remote 203.189.x.1 local 205.198.x.1 ttl 255
> ip link set neta up
> ip addr add 192.168.3.2/30 dev neta
> ip route add 192.168.1.0/24 dev neta via 192.168.3.1
>
> Otherwise, it's just weird. Not that that's bad, it just sometimes
> doesn't work...
Don't know if this helps, but it's working here just as Glynn posted
and just as it's written in the Howto. I guess the problem must be at
another spot.
--
Christoph Simon
ciccio@kiosknet.com.br
---
^X^C
q
quit
:q
^C
end
x
exit
ZZ
^D
?
help
.
^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [LARTC] Gre Tunneling Problem
2002-01-06 9:39 [LARTC] Gre Tunneling Problem glynn
` (12 preceding siblings ...)
2002-01-08 1:18 ` Christoph Simon
@ 2002-01-08 4:54 ` Greg Scott
2002-01-08 7:28 ` glynn
` (13 subsequent siblings)
27 siblings, 0 replies; 29+ messages in thread
From: Greg Scott @ 2002-01-08 4:54 UTC (permalink / raw)
To: lartc
I tried an experiment a couple months ago, lifted the commands right out of
the HOWTO and changed the IP addresses and it all worked just fine. For a
bunch of unrelated reasons, I didn't get to put mine into long term
production, but I am confident that the HOWTO works.
Here's what's been bugging me - I didn't see anything about shared secrets
or passwords or anything like that. How does the security work? What's to
stop any Joe Blow from impersonating one of the IP Addresses in a Linux
PPTP-GRE tunnel? Is there any encryption?
- Greg
----- Original Message -----
From: "glynn" <glynn@itextron.com>
To: "Joe Patterson" <jpatterson@asgardgroup.com>; "Christoph Simon"
<ciccio@kiosknet.com.br>
Cc: <lartc@mailman.ds9a.nl>
Sent: Sunday, January 06, 2002 10:04 PM
Subject: Re: [LARTC] Gre Tunneling Problem
> Hi Joe, I tried it and it wont work, same result, I could ping both but it
> wont result the internal ip addresses, it seems that it only resolves the in
> the interfaces but it wont allow to forward. can you figure out again pls.
> Thanks.
>
> Glynn
>
>
> ----- Original Message -----
> From: "Joe Patterson" <jpatterson@asgardgroup.com>
> To: "glynn" <glynn@itextron.com>; "Christoph Simon" <ciccio@kiosknet.com.br>
> Cc: <lartc@mailman.ds9a.nl>
> Sent: Tuesday, January 08, 2002 9:01 AM
> Subject: RE: [LARTC] Gre Tunneling Problem
>
>
> > I would suggest using a different network for the gre tunnel, like:
> >
> > Linux A
> > ip tunnel add netb mode gre remote 205.198.x.1 local 203.189.x.1 ttl 255
> > ip link set netb up
> > ip addr add 192.168.3.1/30 dev netb
> > ip route add 192.168.2.0/24 dev netb via 192.168.3.2
> >
> > Linux B
> > ip tunnel add neta mode gre remote 203.189.x.1 local 205.198.x.1 ttl 255
> > ip link set neta up
> > ip addr add 192.168.3.2/30 dev neta
> > ip route add 192.168.1.0/24 dev neta via 192.168.3.1
> >
> > Otherwise, it's just weird. Not that that's bad, it just sometimes doesn't
> > work...
> >
> > -Joe
> >
> >
> > > -----Original Message-----
> > > From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl]On
> > > Behalf Of glynn
> > > Sent: Sunday, January 06, 2002 7:59 PM
> > > To: Christoph Simon
> > > Cc: lartc@mailman.ds9a.nl
> > > Subject: Re: [LARTC] Gre Tunneling Problem
> > >
> > >
> > > Hello Christoph, actually I havent done with netfilter rules and i dont have
> > > any restrictions applied for the linux, its a normal configuration, I also
> > > enable the forwarding under the /proc/sys/net/ipv4/ip_forward with the value
> > > of 1. can you figure out whats the problem? thanks
> > >
> > > Glynn
> > >
> > > ----- Original Message -----
> > > From: "Christoph Simon" <ciccio@kiosknet.com.br>
> > > To: "glynn" <glynn@itextron.com>
> > > Cc: <lartc@mailman.ds9a.nl>
> > > Sent: Monday, January 07, 2002 7:41 PM
> > > Subject: Re: [LARTC] Gre Tunneling Problem
> > >
> > >
> > > > On Sun, 6 Jan 2002 17:39:46 +0800
> > > > "glynn" <glynn@itextron.com> wrote:
> > > >
> > > > > Hello everyone, I have a problem regarding gre tunneling, I have two
> > > > > linux box both of them has a private network and the linux A is
> > > > > connected to the internet via wireless radio and the other linux B is
> > > > > connected to the internet via lease line. Here is the setup of my two
> > > > > linux box
> > > > >
> > > > > Linux A
> > > > > eth0 = 203.189.x.1 (internet)
> > > > > eth1 = 192.168.1.1 (going to hub private network)
> > > > >
> > > > > Linux B
> > > > > eth0 = 205.198.x.1 (internet)
> > > > > eth1 = 192.168.2.1 (going to hub private network)
> > > > >
> > > > > here is my configuration in Linux A and B. I also load the modules
> > > > > needed (insmod ip_gre)
> > > > >
> > > > > Linux A
> > > > > ip tunnel add netb mode gre remote 205.198.x.1 local 203.189.x.1 ttl 255
> > > > > ip link set netb up
> > > > > ip addr add 192.168.1.1 dev netb
> > > > > ip route add 192.168.2.0/24 dev netb
> > > > >
> > > > > Linux B
> > > > > ip tunnel add neta mode gre remote 203.189.x.1 local 205.198.x.1 ttl 255
> > > > > ip link set neta up
> > > > > ip addr add 192.168.2.1 dev neta
> > > > > ip route add 192.168.1.0/24 dev neta
> > > > >
> > > > > I could ping both sides the eth0 and also the eth1 with is for the
> > > > > private network, here is my problem i couldnt ping the other private ip
> > > > > addresses which my eth1 is connected to the hub, anyone can help me,
> > > > > whats my error. pls reply asap. thanks
> > > >
> > > > Do you have any netfilter rules not letting pass proto 47? You'll also
> > > > have to allow forwarding.
> > > >
> > > > --
> > > > Christoph Simon
> > > > ciccio@kiosknet.com.br
> > > > ---
> > > > ^X^C
> > > > q
> > > > quit
> > > > :q
> > > > ^C
> > > > end
> > > > x
> > > > exit
> > > > ZZ
> > > > ^D
> > > > ?
> > > > help
> > > > .
> > > >
^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [LARTC] Gre Tunneling Problem
2002-01-06 9:39 [LARTC] Gre Tunneling Problem glynn
` (13 preceding siblings ...)
2002-01-08 4:54 ` Greg Scott
@ 2002-01-08 7:28 ` glynn
2002-01-08 9:14 ` Christoph Simon
` (12 subsequent siblings)
27 siblings, 0 replies; 29+ messages in thread
From: glynn @ 2002-01-08 7:28 UTC (permalink / raw)
To: lartc
Guys I just want you to know that my tunneling is working now. the only
thing ive added is the NAT, i configure nat both linux boxes and it works.
thanks for the help guys, I really appreciate your help. til next time.
Thanks
Glynn
----- Original Message -----
From: "Greg Scott" <GregScott@InfraSupportEtc.com>
To: "'glynn'" <glynn@itextron.com>; "Christoph Simon"
<ciccio@kiosknet.com.br>; "Joe Patterson" <jpatterson@asgardgroup.com>
Cc: <lartc@mailman.ds9a.nl>
Sent: Tuesday, January 08, 2002 8:40 PM
Subject: RE: [LARTC] Gre Tunneling Problem
> > btw in configuring gre tunneling in
> > Redhat 6.0, pls help
>
> Could this be your problem? I thought the PPTP VPN stuff needs the 2.4
> kernel. The testing I mentioned earlier was with Red Hat 7.1 on both ends
> of the tunnel, which is a 2.4.n kernel.
>
> - Greg
>
>
>
> -----Original Message-----
> From: glynn [mailto:glynn@itextron.com]
> Sent: Monday, January 07, 2002 12:29 AM
> To: Christoph Simon; Joe Patterson
> Cc: lartc@mailman.ds9a.nl
> Subject: Re: [LARTC] Gre Tunneling Problem
>
>
> It wont work Joe, I tried everything, I almost search the howto in the web
> thru gre tunneling and almost the same. btw in configuring gre tunneling in
> Redhat 6.0, pls help
> Thanks
>
> Glynn
>
>
^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [LARTC] Gre Tunneling Problem
2002-01-06 9:39 [LARTC] Gre Tunneling Problem glynn
` (14 preceding siblings ...)
2002-01-08 7:28 ` glynn
@ 2002-01-08 9:14 ` Christoph Simon
2002-01-08 9:48 ` Christoph Simon
` (11 subsequent siblings)
27 siblings, 0 replies; 29+ messages in thread
From: Christoph Simon @ 2002-01-08 9:14 UTC (permalink / raw)
To: lartc
On Mon, 7 Jan 2002 14:35:08 +0800
"glynn" <glynn@itextron.com> wrote:
> now im trying to install a new slackware 7, maybe it work :(
I'm running debian here. But I do think, you should try to trace the
problem. Send a ping and sniff on each interface, step by step, where
the packets go and what they look like. Trying different distributions
seems little reasonable for me, but maybe you want to recompile the
kernel just to make sure, everything's OK, no strange patches, etc.
--
Christoph Simon
ciccio@kiosknet.com.br
---
^X^C
q
quit
:q
^C
end
x
exit
ZZ
^D
?
help
.
^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [LARTC] Gre Tunneling Problem
2002-01-06 9:39 [LARTC] Gre Tunneling Problem glynn
` (15 preceding siblings ...)
2002-01-08 9:14 ` Christoph Simon
@ 2002-01-08 9:48 ` Christoph Simon
2002-01-08 12:40 ` Greg Scott
` (10 subsequent siblings)
27 siblings, 0 replies; 29+ messages in thread
From: Christoph Simon @ 2002-01-08 9:48 UTC (permalink / raw)
To: lartc
On Mon, 7 Jan 2002 17:40:47 +0800
"glynn" <glynn@itextron.com> wrote:
> when you configure that tunneling did you reconfigure your kernel? what
> should i enable in my kernel? by the way when i log-on to the linux A, I
> could ping the linux B eth0(internet) and eth1(let say "192.168.1.1")
> but when i ping the "192.168.1.2" which is a windows workstation
> connected to hub it wont pass thru. how do i sniff the interface where
> the packets go, can you help me about that pls. Thanks
So you can ping from 192.168.2.1 to 192.168.1.1, this is good, as it
means that the tunnel definitively is working.
Now, if you try to ping from 192.168.2.1 to 192.168.1.2, the Windows
box, it seems to fail. First I would try to ping from 192.168.1.1 to
192.168.1.2, just to make sure, everything is working fine locally. If
this works too, I would make tcpdump listen at the external interface
of 192.168.2.1. Does the packet actually go out? If not, the routing
or filter problem must be there. If it works, I'd listen on the
external interface of 192.168.1.1; obviously these must arrive because
the tunnel is working and the packet left at the other side. Now you
can listen to the internal interface, seeing if the packet is actually
being forwarded. If this fails, your problem is routing, filtering or
forwarding on 192.168.1.1. Don't know how to sniff on a Windows, but
as the ping from 192.168.1.1 to 192.168.1.2 presumably worked, there
shouldn't be a need.
If you have access and there is no other traffic, a much simpler
method would be just to watch the leds on the modems, network cards,
hubs, etc. This will help finding out where your problem is. As you
can ping the first computer after the tunnel, I feel sure, the tunnel
is working fine, the problem must be in another place, probably a
stupid little detail.
Note that the suggestion of introducing a different network address
for the tunnel interfaces themselves will slightly complicate
routing. But if you pay attention, this shouldn't be a problem.
--
Christoph Simon
ciccio@kiosknet.com.br
---
^X^C
q
quit
:q
^C
end
x
exit
ZZ
^D
?
help
.
^ permalink raw reply [flat|nested] 29+ messages in thread
* RE: [LARTC] Gre Tunneling Problem
2002-01-06 9:39 [LARTC] Gre Tunneling Problem glynn
` (16 preceding siblings ...)
2002-01-08 9:48 ` Christoph Simon
@ 2002-01-08 12:40 ` Greg Scott
2002-01-09 2:44 ` Greg Scott
` (9 subsequent siblings)
27 siblings, 0 replies; 29+ messages in thread
From: Greg Scott @ 2002-01-08 12:40 UTC (permalink / raw)
To: lartc
> btw in configuring gre tunneling in
> Redhat 6.0, pls help
Could this be your problem? I thought the PPTP VPN stuff needs the 2.4
kernel. The testing I mentioned earlier was with Red Hat 7.1 on both ends
of the tunnel, which is a 2.4.n kernel.
- Greg
-----Original Message-----
From: glynn [mailto:glynn@itextron.com]
Sent: Monday, January 07, 2002 12:29 AM
To: Christoph Simon; Joe Patterson
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Gre Tunneling Problem
It wont work Joe, I tried everything, I almost search the howto in the web
thru gre tunneling and almost the same. btw in configuring gre tunneling in
Redhat 6.0, pls help
Thanks
Glynn
^ permalink raw reply [flat|nested] 29+ messages in thread
* RE: [LARTC] Gre Tunneling Problem
2002-01-06 9:39 [LARTC] Gre Tunneling Problem glynn
` (17 preceding siblings ...)
2002-01-08 12:40 ` Greg Scott
@ 2002-01-09 2:44 ` Greg Scott
2002-01-09 3:02 ` glynn
` (8 subsequent siblings)
27 siblings, 0 replies; 29+ messages in thread
From: Greg Scott @ 2002-01-09 2:44 UTC (permalink / raw)
To: lartc
Yes - they are both the same. GRE is the name of the IP protocol used
for exchanging messages. PPTP - Point to Point Tunneling Protocol.
- Greg
-----Original Message-----
From: glynn [mailto:glynn@itextron.com]
Sent: Monday, January 07, 2002 7:08 PM
To: Greg Scott; Christoph Simon; Joe Patterson
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Gre Tunneling Problem
Does PPTP VPN and gre tunneling the same?
Thanks
Glynn
^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [LARTC] Gre Tunneling Problem
2002-01-06 9:39 [LARTC] Gre Tunneling Problem glynn
` (18 preceding siblings ...)
2002-01-09 2:44 ` Greg Scott
@ 2002-01-09 3:02 ` glynn
2002-01-09 14:27 ` Michael T. Babcock
` (7 subsequent siblings)
27 siblings, 0 replies; 29+ messages in thread
From: glynn @ 2002-01-09 3:02 UTC (permalink / raw)
To: lartc
Hi! sorry i wasnt able to reply to your email immediately since im busy with
my test in my newly tunnel setup.
Sure i could help you regarding in setting up gre tunneling in linux. Here
is base in own setup network need to tunnel.
I have two networks, Network A has a running Linux Slackware 7 acting as a
gateway of the private network 192.168.100.0/24. the linux server has a two
NIC, eth0 is connected to the internet with the ip address of x.x.x.x/32 and
the eth1 is connected to the hub to private network with the ip address of
192.168.100.1/24.
Same with the Network B but the Linux is running a Redhat 6.0 with a private
network 192.168.200.0/24, eth0 (internet) d.d.d.d/32 ip address and eth1
(private network) 192.168.200.1/24.
If you build this linux boxes, always include the kernel sources,
development and also some compilers coz you need to recompile your kernel if
something wont work and also for compiling the iproute2 package.
Here is the setup you need in both linux servers.
Download the iproute2 package here.
ftp://ftp.inr.ac.ru/ip-routing/iproute2-current.tar.gz
Once you download the tar, just extract it wherever you wish to extract the
package, let say /usr/local/src
extract the package
/usr/local/src# tar zxvf iproute2-current.tar.gz
go to the iproute2 folder
/usr/local/src# cd iproute2
compile the package
/usr/local/src/iproute2# make
after compiling the package go to folder ip and copy the executable file ip
to your /bin
/usr/local/src/iproute2/ip# cp ip /bin
now you have a working ip command. you can try it by typing ip addr show or
ip link show
Now masquerade both network using ipchains command, try "ipchains -L", you
will see this result if you havent setup a masq for both networks.
Chain input (policy ACCEPT):
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):
Now enable the ip forwarding and masq
# echo 1 > /proc/sys/net/ipv4/ip_forward
# ipchains -A forward -s 192.168.100.0/24 -j MASQ
# ipchains -A forward -s 192.168.200.0/24 -j MASQ
Now try to look your ipchains table, type "ipchains -L" you'll see like this
Chain input (policy ACCEPT):
Chain forward (policy ACCEPT):
target     prot opt     source                destination           ports
MASQ       all  ------  192.168.100.0/24      anywhere              n/a
MASQ       all  ------  192.168.200.0/24      anywhere              n/a
Chain output (policy ACCEPT):
Now for the tunnel part. Load the modules for tunneling and setting the
tunnel.
#insmod ip_gre
#ip tunnel add netb mode gre remote d.d.d.d local x.x.x.x ttl 255
#ip link set netb up
#ip addr add 192.168.100.1 dev netb
#ip route add 192.168.200.0/24 dev netb
This setup is in Network A.
--------------------------------------------------------
Now do the Network B, untar iproute2 package
# echo 1 > /proc/sys/net/ipv4/ip_forward
# ipchains -A forward -s 192.168.200.0/24 -j MASQ
# ipchains -A forward -s 192.168.100.0/24 -j MASQ
#insmod ip_gre
#ip tunnel add neta mode gre remote x.x.x.x local d.d.d.d ttl 255
#ip link set neta up
#ip addr add 192.168.200.1 dev neta
#ip route add 192.168.100.0/24 dev neta
Now try ping both NIC IP address of both linux servers. if its resolving try
the private network ip's, hope its working.
wheew.
Glynn
----- Original Message -----
From: "Sagar Srivastava" <sagar@vpn.cwlglobal.com>
To: "glynn" <glynn@itextron.com>
Sent: Wednesday, January 09, 2002 4:41 PM
Subject: Re: [LARTC] Gre Tunneling Problem
> Glynn,
>
> It is nice to hear that you tunneling is working. I have setup a VPN using
> PPTP in win2000 and I am desperate to set a similar VPN in Linux. I Need
> your help!
>
> It would be nice if you tell the steps to do this, the tools you used, or
> tell me the links to the pages that describe it and also something you would
> like to advice.
>
> Thank you very much for going through my problem.
>
> Sagar, India
> ----- Original Message -----
> From: "glynn" <glynn@itextron.com>
> To: "Greg Scott" <GregScott@InfraSupportEtc.com>; "Christoph Simon"
> <ciccio@kiosknet.com.br>; "Joe Patterson" <jpatterson@asgardgroup.com>
> Cc: <lartc@mailman.ds9a.nl>
> Sent: Tuesday, January 08, 2002 12:58 PM
> Subject: Re: [LARTC] Gre Tunneling Problem
>
>
> > Guys I just want you to know that my tunneling is working now. the only
> > thing ive added is the NAT, i configure nat both linux boxes and it works.
> > thanks for the help guys, I really appreciate your help. til next time.
> >
> > Thanks
> > Glynn
> >
> > ----- Original Message -----
> > From: "Greg Scott" <GregScott@InfraSupportEtc.com>
> > To: "'glynn'" <glynn@itextron.com>; "Christoph Simon"
> > <ciccio@kiosknet.com.br>; "Joe Patterson" <jpatterson@asgardgroup.com>
> > Cc: <lartc@mailman.ds9a.nl>
> > Sent: Tuesday, January 08, 2002 8:40 PM
> > Subject: RE: [LARTC] Gre Tunneling Problem
> >
> >
> > > > btw in configuring gre tunneling in
> > > > Redhat 6.0, pls help
> > >
> > > Could this be your problem? I thought the PPTP VPN stuff needs the 2.4
> > > kernel. The testing I mentioned earlier was with Red Hat 7.1 on both ends
> > > of the tunnel, which is a 2.4.n kernel.
> > >
> > > - Greg
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: glynn [mailto:glynn@itextron.com]
> > > Sent: Monday, January 07, 2002 12:29 AM
> > > To: Christoph Simon; Joe Patterson
> > > Cc: lartc@mailman.ds9a.nl
> > > Subject: Re: [LARTC] Gre Tunneling Problem
> > >
> > >
> > > It wont work Joe, I tried everything, I almost search the howto in the web
> > > thru gre tunneling and almost the same. btw in configuring gre tunneling in
> > > Redhat 6.0, pls help
> > > Thanks
> > >
> > > Glynn
> > >
> > >
^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [LARTC] Gre Tunneling Problem
2002-01-06 9:39 [LARTC] Gre Tunneling Problem glynn
` (19 preceding siblings ...)
2002-01-09 3:02 ` glynn
@ 2002-01-09 14:27 ` Michael T. Babcock
2002-01-09 17:49 ` Greg Scott
` (6 subsequent siblings)
27 siblings, 0 replies; 29+ messages in thread
From: Michael T. Babcock @ 2002-01-09 14:27 UTC (permalink / raw)
To: lartc
That's something I haven't seen well mentioned elsewhere; like in the
Linux options for GRE tunneling. Anyone know where else this association
should be mentioned?
On Tue, Jan 08, 2002 at 08:44:31PM -0600, Greg Scott wrote:
> Yes - they are both the same. GRE is the name of the IP protocol used
> for exchanging messages. PPTP - Point to Point Tunneling Protocol.
--
Michael T. Babcock
CTO, FibreSpeed Ltd. (Hosting, Security, Consultation, Database, etc)
http://www.fibrespeed.net/~mbabcock/
^ permalink raw reply [flat|nested] 29+ messages in thread
* RE: [LARTC] Gre Tunneling Problem
2002-01-06 9:39 [LARTC] Gre Tunneling Problem glynn
` (20 preceding siblings ...)
2002-01-09 14:27 ` Michael T. Babcock
@ 2002-01-09 17:49 ` Greg Scott
2002-01-09 17:58 ` Michael T. Babcock
` (5 subsequent siblings)
27 siblings, 0 replies; 29+ messages in thread
From: Greg Scott @ 2002-01-09 17:49 UTC (permalink / raw)
To: lartc
I found lots of stuff in a bunch of Windows 2000 documentation and
in a book about Windows 2000 VPNs by Thaddeus Fortenberry. Ziegler's
Linux Firewalls Second Edition barely mentions VPNs in a brief
chapter in the back of his book.
I stumbled across the HOWTO that had the sample VPN commands and my
jaw dropped - I've been looking for that capability for months! I
don't even remember where that HOWTO lives any more, but that's OK
because I copied it so I would always have it handy.
What happens is, the two tunnel endpoints exchange some TCP port 1723
messages to handshake with each other and then they have a conversation
using IP protocol 47, also named GRE. So the whole thing, handshake
and authentication, is called PPTP.
What I don't understand is, how does the security work? I think the
two tunnel endpoints are supposed to authenticate each other with the
TCP port 1723 packets, but what do the Linux systems use for a shared
secret? I would use this all over the place if I felt good about its
security.
- Greg
-----Original Message-----
From: Michael T. Babcock [mailto:mbabcock@fibrespeed.net]
Sent: Wednesday, January 09, 2002 8:28 AM
To: LARTC List
Subject: Re: [LARTC] Gre Tunneling Problem
That's something I haven't seen well mentioned elsewhere; like in the
Linux options for GRE tunneling. Anyone know where else this association
should be mentioned?
On Tue, Jan 08, 2002 at 08:44:31PM -0600, Greg Scott wrote:
> Yes - they are both the same. GRE is the name of the IP protocol used
> for exchanging messages. PPTP - Point to Point Tunneling Protocol.
--
Michael T. Babcock
CTO, FibreSpeed Ltd. (Hosting, Security, Consultation, Database, etc)
http://www.fibrespeed.net/~mbabcock/
^ permalink raw reply [flat|nested] 29+ messages in thread
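A parser for the two kinds of IP protocol 47 traffic this thread discusses, added here as an example (it is not code from any poster or from the HOWTO): version 0 GRE carrying IPv4, which is what `ip tunnel add ... mode gre` sends, and the version 1 "enhanced GRE" of PPTP's data channel (RFC 2637). The outer addresses (RFC 5737 documentation ranges) and both packets are constructed samples.

```python
import ipaddress
import struct

IPPROTO_GRE = 47          # the "proto 47" / "IP protocol 47" named in the thread
ETHERTYPE_IPV4 = 0x0800   # plain GRE carrying IPv4 (RFC 2784)
ETHERTYPE_PPP = 0x880B    # PPTP "enhanced GRE" carrying PPP (RFC 2637)


def build_ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet for the samples (header checksum left at 0)."""
    header = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 255, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


def parse_ipv4(buf):
    """Return (protocol, src, dst, payload) of an IPv4 packet."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        raise ValueError("bad IPv4 header length")
    src = str(ipaddress.IPv4Address(buf[12:16]))
    dst = str(ipaddress.IPv4Address(buf[16:20]))
    return buf[9], src, dst, buf[ihl:]


def parse_gre(buf):
    """Decode a GRE header: version 0 (RFC 2784/2890) or version 1 (RFC 2637)."""
    if len(buf) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", buf[:4])
    version = flags & 0x0007
    if flags & 0x4000:
        raise ValueError("RFC 1701 source routing is not handled here")
    offset = 4
    if flags & 0x8000:                    # C: checksum + reserved word
        offset += 4
    key_at = offset if flags & 0x2000 else None
    if key_at is not None:                # K: key (PPTP: payload length + call ID)
        offset += 4
    if flags & 0x1000:                    # S: sequence number
        offset += 4
    if version == 1 and flags & 0x0080:   # A: acknowledgment number (PPTP only)
        offset += 4
    if len(buf) < offset:
        raise ValueError("truncated GRE header")
    key = None
    if key_at is not None:
        key = struct.unpack("!I", buf[key_at:key_at + 4])[0]
    return {"version": version, "protocol": proto, "key": key,
            "payload": buf[offset:]}


def describe(packet):
    """Classify one captured IPv4 packet as plain GRE, PPTP GRE, or neither."""
    proto, src, dst, payload = parse_ipv4(packet)
    if proto != IPPROTO_GRE:
        return {"kind": "not-gre", "outer": (src, dst)}
    gre = parse_gre(payload)
    out = {"kind": "other-gre", "outer": (src, dst),
           "version": gre["version"], "key": gre["key"]}
    if gre["version"] == 0 and gre["protocol"] == ETHERTYPE_IPV4:
        # The inner packet sits in the clear right after the 4-byte header.
        _, inner_src, inner_dst, _ = parse_ipv4(gre["payload"])
        out.update(kind="plain-gre", inner=(inner_src, inner_dst))
    elif (gre["version"] == 1 and gre["protocol"] == ETHERTYPE_PPP
          and gre["key"] is not None):
        # PPTP reuses the key field: high 16 bits length, low 16 bits call ID.
        out.update(kind="pptp-gre", payload_length=gre["key"] >> 16,
                   call_id=gre["key"] & 0xFFFF)
    return out


# Constructed sample 1: a ping between the two private networks, as carried by
# the thread's tunnel (GRE flags 0, version 0, protocol type 0x0800).
ICMP_ECHO = b"\x08\x00\x00\x00\x00\x01\x00\x01"
SAMPLE_PLAIN = build_ipv4(
    "192.0.2.1", "198.51.100.1", IPPROTO_GRE,
    b"\x00\x00\x08\x00" + build_ipv4("192.168.1.2", "192.168.2.2", 1, ICMP_ECHO))

# Constructed sample 2: a PPTP data packet (K, S and A set, version 1,
# payload length 4, call ID 0x1234, seq 1, ack 0, four bytes of PPP).
SAMPLE_PPTP = build_ipv4(
    "192.0.2.1", "198.51.100.1", IPPROTO_GRE,
    struct.pack("!HHHHII", 0x3081, ETHERTYPE_PPP, 4, 0x1234, 1, 0)
    + b"\xff\x03\xc0\x21")

if __name__ == "__main__":
    for name, pkt in (("plain", SAMPLE_PLAIN), ("pptp", SAMPLE_PPTP)):
        print(name, describe(pkt))
```

On the plain tunnel packet the inner source and destination come straight out of the payload, and the header has no field that authenticates the sender; only the outer IP addresses tie a packet to the tunnel.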
* Re: [LARTC] Gre Tunneling Problem
2002-01-06 9:39 [LARTC] Gre Tunneling Problem glynn
` (21 preceding siblings ...)
2002-01-09 17:49 ` Greg Scott
@ 2002-01-09 17:58 ` Michael T. Babcock
2002-01-09 18:28 ` Greg Scott
` (4 subsequent siblings)
27 siblings, 0 replies; 29+ messages in thread
From: Michael T. Babcock @ 2002-01-09 17:58 UTC (permalink / raw)
To: lartc
On Wed, Jan 09, 2002 at 12:01:09PM -0600, Greg Scott wrote:
> What I don't understand is, how does the security work? I think the
> two tunnel endpoints are supposed to authenticate each other with the
> TCP port 1723 packets, but what do the Linux systems use for a shared
> secret? I would use this all over the place if I felt good about its
> security.
If you want the gory details on the (in)security of it, go to Google and
search for "pptp mudge counterpane". The first link you get should be
a security audit of PPtP at counterpane.com done by Mudge of L0pht.com
fame and Bruce Schneier, author of Applied Cryptography and Secrets and
Lies (as well as both having general Internet recognition in security).
The paper deals mostly with MS-CHAP2 which is the authentication protocol
Microsoft uses in its PPTP stuff. For those who don't like PDFs, the
HTML version can be seen (as rendered by Google) at (one line):
http://www.google.com/search?q=cache:fKZC3BSAczQC:www.counterpane.com/pptp.pdf+pptp+mudge+counterpane+pdf&hl=en
--
Michael T. Babcock
CTO, FibreSpeed Ltd. (Hosting, Security, Consultation, Database, etc)
http://www.fibrespeed.net/~mbabcock/
^ permalink raw reply [flat|nested] 29+ messages in thread
* RE: [LARTC] Gre Tunneling Problem
2002-01-06 9:39 [LARTC] Gre Tunneling Problem glynn
` (22 preceding siblings ...)
2002-01-09 17:58 ` Michael T. Babcock
@ 2002-01-09 18:28 ` Greg Scott
2002-01-09 18:43 ` Michael T. Babcock
` (3 subsequent siblings)
27 siblings, 0 replies; 29+ messages in thread
From: Greg Scott @ 2002-01-09 18:28 UTC (permalink / raw)
To: lartc
That paper (great work!) tells about the Microsoft PPTP problems.
But what about the Linux GRE tunnel documented in the HOWTO? Does
it have the same implementation problems?
- Greg
-----Original Message-----
From: Michael T. Babcock [mailto:mbabcock@fibrespeed.net]
Sent: Wednesday, January 09, 2002 11:58 AM
To: Greg Scott
Cc: LARTC List
Subject: Re: [LARTC] Gre Tunneling Problem
On Wed, Jan 09, 2002 at 12:01:09PM -0600, Greg Scott wrote:
> What I don't understand is, how does the security work? I think the
> two tunnel endpoints are supposed to authenticate each other with the
> TCP port 1723 packets, but what do the Linux systems use for a shared
> secret? I would use this all over the place if I felt good about its
> security.
If you want the gory details on the (in)security of it, go to Google and
search for "pptp mudge counterpane". The first link you get should be
a security audit of PPtP at counterpane.com done by Mudge of L0pht.com
fame and Bruce Schneier, author of Applied Cryptography and Secrets and
Lies (as well as both having general Internet recognition in security).
The paper deals mostly with MS-CHAP2 which is the authentication protocol
Microsoft uses in its PPTP stuff. For those who don't like PDFs, the
HTML version can be seen (as rendered by Google) at (one line):
http://www.google.com/search?q=cache:fKZC3BSAczQC:www.counterpane.com/pptp.pdf+pptp+mudge+counterpane+pdf&hl=en
--
Michael T. Babcock
CTO, FibreSpeed Ltd. (Hosting, Security, Consultation, Database, etc)
http://www.fibrespeed.net/~mbabcock/
^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [LARTC] Gre Tunneling Problem
From: Michael T. Babcock @ 2002-01-09 18:43 UTC (permalink / raw)
To: lartc
On Wed, Jan 09, 2002 at 12:28:12PM -0600, Greg Scott wrote:
> That paper (great work!) tells about the Microsoft PPTP problems.
>
> But what about the Linux GRE tunnel documented in the HOWTO? Does
> it have the same implementation problems?
I have no idea ;-)
You could E-mail Bruce and ask though ;-)
--
Michael T. Babcock
CTO, FibreSpeed Ltd. (Hosting, Security, Consultation, Database, etc)
http://www.fibrespeed.net/~mbabcock/
^ permalink raw reply [flat|nested] 29+ messages in thread
* RE: [LARTC] Gre Tunneling Problem
From: Greg Scott @ 2002-01-09 19:40 UTC (permalink / raw)
To: lartc
Who is Bruce?
geez, I'm an idiot! That GRE tunneling stuff is in chapter 5 of the
advanced routing HOWTO! But who is Bruce?
- Greg
^ permalink raw reply [flat|nested] 29+ messages in thread
* RE: [LARTC] Gre Tunneling Problem
From: Greg Scott @ 2002-01-11 14:21 UTC (permalink / raw)
To: lartc
Does anybody know how security works in Linux GRE tunnels? (It's not
in the HOWTO.) And who is Bruce anyway?
- Greg
^ permalink raw reply [flat|nested] 29+ messages in thread
* RE: [LARTC] Gre Tunneling Problem
From: Joe Patterson @ 2002-01-11 15:20 UTC (permalink / raw)
To: lartc
There is trivial security in GRE tunnels. Or possibly none at all. If you
make your GRE tunnel with the command "ip tunnel add $tun mode gre remote
$remaddr local $localaddr key $key" (I believe that's the correct syntax),
then your tunnel has a key. It's not an encryption key, it's an
authentication key, and it's sent in cleartext, but it's a key. If you want
security, wrap your GRE in IPSec or similar.
Bruce is Bruce Schneier, author of "Applied Cryptography" and "Secrets and
Lies", head of Counterpane Internet Security (http://www.counterpane.com/),
frequent speaker and general luminary on the topics of computer and internet
security, encryption, etc., and generally an all-around cool guy. Although you
may not get much from e-mailing him directly (he's pretty busy), reading
back issues of his newsletter (CryptoGram) is generally enlightening, and
he's written some very good whitepapers on cryptography issues (I believe
the original "mail Bruce" comment came about from a question on his paper on
the weaknesses of the PPTP protocol).
-Joe
^ permalink raw reply [flat|nested] 29+ messages in thread
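To illustrate the point in Joe Patterson's reply above, here is an added example (not code from the thread or from the HOWTO): a small parser for the GRE header layout of RFC 2784/2890, showing that the key and the inner payload are readable without any secret. The sample packet, the key value 1234 and the `accepts` function are constructed for this example; `accepts` is a simplified model of key matching, not the kernel's code.

```python
import struct

GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000  # checksum / key / sequence flag bits

def build_gre(payload, proto=0x0800, key=None, seq=None):
    """Build a GRE header (RFC 2784/2890 layout) followed by the payload."""
    flags = (GRE_K if key is not None else 0) | (GRE_S if seq is not None else 0)
    hdr = struct.pack("!HH", flags, proto)
    if key is not None:
        hdr += struct.pack("!I", key)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    return hdr + payload

def parse_gre(packet):
    """Parse a GRE packet the way any on-path observer could; no secret needed."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack_from("!HH", packet, 0)
    if flags & 0x0007:
        raise ValueError("unsupported GRE version (PPTP uses version 1)")
    off = 4
    out = {"proto": proto, "checksum": None, "key": None, "seq": None}
    fields = ((GRE_C, "checksum", "!H2x"), (GRE_K, "key", "!I"), (GRE_S, "seq", "!I"))
    for bit, name, fmt in fields:
        if flags & bit:
            if len(packet) < off + 4:
                raise ValueError("truncated optional field: " + name)
            (out[name],) = struct.unpack_from(fmt, packet, off)
            off += 4
    out["payload"] = packet[off:]
    return out

def accepts(packet, configured_key):
    """Simplified model (assumption): the key is only compared for equality."""
    return parse_gre(packet)["key"] == configured_key

# Constructed sample: key 1234 and a stand-in payload, not a real inner IP packet.
KEY = 1234
observed = build_gre(b"inner packet bytes", key=KEY)
seen = parse_gre(observed)
# Any packet carrying the same 32-bit value passes; nothing ties key to contents.
other = build_gre(b"unrelated payload", key=seen["key"])

if __name__ == "__main__":
    print("key read off the wire:", seen["key"])
    print("payload in cleartext:", seen["payload"])
    print("same key, different payload accepted:", accepts(other, KEY))
```

The key behaves as a tunnel identifier, not a MAC or a cipher key, which is why confidentiality and integrity have to come from a layer such as IPsec around the GRE traffic.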