---------- Forwarded message ----------
Date: Fri, 13 Jul 2001 09:52:00 -0700 (PDT)
From: [EMAIL PROTECTED]
To: Greg J <[EMAIL PROTECTED]>
Subject: Re: Routing ?
On Fri, 13 Jul 2001, Greg J wrote:
> Jeff,
>
> Thanks for your reply on the mailing list...sorry to spam your
> personal mail but I'm including a routing table and a tcpdump which I
> didn't want to post on the mail list...
This is exactly the kind of data needed on the mailing list in order to
diagnose problems, and I am cc'ing my message there so the answer will be
archived and others can suggest better alternatives.
> hoping you can point me in the
> right direction. I think I just need a route to my private net from
> the vpn but I'm not sure the best way to do it.
I am not quite sure either, because as I said before, I haven't
implemented an IPSec server or client. But you have to have a clear
idea which interfaces are involved and why packets should route through
each one. Routing information on your notebook is part of this picture
not shown here.
Actually, a picture might help quite a bit:
+---------------------------------------------+
| notebook |
| ipsec--ipsec.static.nbk.ip--+ |
| | |
| ppp--pub.dyn.nbk.ip---------+ |
+------+--------------------------------------+
|
|
+------+----------------------------------+
| eth0--pub.static.lrp.ip------+ LRP |
| | |
| ipsec0--ipsec.static.lrp.ip--+ |
| |
| eth1--192.168.210.5 |
+-----+-----------------------------------+
|
|
+-----+--------------------------+
| eth0--192.168.210.1 server |
+--------------------------------+
> My notebook is on a dynamic ip from my ISP, in response to your question.
The ip assigned to your notebook by the ISP is not the issue.
The issue is the ip assigned to the notebook's IPSec tunnel virtual
network interface. If that is in the 192.168.210.0/24 network, you will
have to proxy arp on LRP so the machines on your LAN will know that your
LRP will take care of packets destined for it.
> TCPdump on LRP when I ping the internal LRP NIC from the notebook through the tunnel
>:
> 17:40:20.550415 nbsjcvx04ip142166142096.nbnet.nb.ca > 192.168.210.5: icmp: echo
>request
>
> 17:40:20.551375 192.168.210.5 > nbsjcvx04ip142166142096.nbnet.nb.ca: icmp: echo reply
My lack of experience with IPSec tunnels is shining right now, since I
cannot figure out what this means without more information from you. My
read of this is that nbshwhatever is the dynamically assigned ip of the
laptop, and that 192.168.210.5 is the ip of your internal NIC, and I am
baffled how the packet ever arrived because your notebook should have
routed this packet directly out of the virtual interface using the ip of
the virtual interface as the source ip. As it is, it looks like the
packet left your notebooks public interface directly, and how a private ip
ever got routed to your LRP box through a public network withough being
inside the tunnel (with appropriate source ip) mystifies me.
[...]
> TCPdump when I ping my private network server (or anything else on the private net)
>from the notebook
>
> 17:40:27.729676 nbsjcvx04ip142166142096.nbnet.nb.ca > 192.168.210.1: icmp: echo
>request
>
> 17:40:28.965846 nbsjcvx04ip142166142096.nbnet.nb.ca > 192.168.210.1: icmp: echo
>request
You didn't indicate what kind of filter is on this tcpdump. I would
expect the network server to use 192.168.210.5 for its default gateway
and for the return packet to bypass the IPSec interface completely
because nbsjwhatever is a public address. If this trace includes all
interfaces, it says the private network server doesn't use 192.168.210.5
to get to nbsjwhatever (normally through default route).
[...]
> Here's my routing table on the LRP box :
>
> Kernel IP routing table
>
> Destination Gateway Genmask Flags Metric Ref Use Iface
>
> stjhts20d114.nb 142.166.76.49 255.255.255.255 UGH 0 0 0 ipsec0
>
> 142.166.76.0 * 255.255.255.0 U 0 0 0 eth0
>
> 142.166.76.0 * 255.255.255.0 U 0 0 0 ipsec0
You are putting the same network on two interfaces. You can only do this
if you use proxy-arp. Are you?
>
> 192.168.210.0 * 255.255.255.0 U 0 0 0 eth1
>
> default 142.166.76.49 0.0.0.0 UG 0 0 0 eth0
>
> Thanks a lot...if you can help I really appreciate it.
I think you may need to answer some of my questions, and get someone else
to chime in before this gets resolved.
> On Wed, 11 Jul 2001, Greg J wrote:
>
> > I have a private network (192.168.1.0) with an LRP / IPSec box
> > (192.168.1.5) NATing on a DSL connection to the internet. I have a
> > Win98 notebook on a dialup connection to the internet using an IRE vpn
> > client to connect back to the private network. I can get a secure
> > connection from the notebook back to the local network to the point
> > where I can ping the internal NIC on my LRP router. I cannot ping
> > anything else on the private network...tried everything I know. Am I
> > looking at a firewall issue ?
>
> I don't do IPSec (yet?), but this sounds like a routing issue to me.
> You don't say what the IP number on the laptop is, but if it is the same
> as the private net then you won't be able to route. If it is different,
> then you will probably need to see where the packets are (not) being
> routed. tcpdump or ipchains (using logging creatively) can be used to
> confirm where the packets get to.
---------------------------------------------------------------------------
Jeff Newmiller The ..... ..... Go Live...
DCN:<[EMAIL PROTECTED]> Basics: ##.#. ##.#. Live Go...
Live: OO#.. Dead: OO#.. Playing
Research Engineer (Solar/Batteries O.O#. #.O#. with
/Software/Embedded Controllers) .OO#. .OO#. rocks...2k
---------------------------------------------------------------------------
_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-user
