On Fri, 13 Jul 2001, Greg J wrote:
> This message was sent from Geocrawler.com by "Greg J" <[EMAIL PROTECTED]>
>
> Jeff,
>
> Your little diagram is exactly right. My notebook
> has no ip except the one assigned by my ISP when
> I dial in. Whether my IPSec client is assigning a
> virtual IP to my notebook interface or not, I
> have no idea although when I do a tcpdump on the
> LRP/ipsec0 it shows my ISP assigned ip as the
> source of the ping, if that helps.
No idea? "route -n" or "ifconfig" ("ipconfig" on windows) ought to shed
some light...
> As far as the same network being run on two
> interfaces, as you mention, I haven't run into
> any documentation that specifically addresses
> that issue or mentions proxy arp. I'm just going
> with default ipsec configs as much as possible
> and changing only what appears to be necessary to
> keep from breaking my whole system !
Not a bad idea, but you have to figure out what your system is in order to
change it.
> The TCP dump I included here is only for ipsec0
> on the LRP box...eth1 shows no activity and eth0
> shows the ping coming in but shows no reply.
not even to the server?
> I'm no expert on this but does this make
> sense...my pings from the notebook through the
> tunnel to the network server go unanswered
> because the private network is sending the reply
> out the 'real' default gateway on 192.168.210.5
> (eth1) instead of back through a 'virtual'
> gateway, back through the tunnel to the notebook ?
You are the one with the setup and the tcpdump. Don't limit yourself to
the ipsec interface during the test. I can imagine the packet
being able to get back just fine via the normal routing path.
And I don't imagine the ping program will recognize the masqueraded
answer.
It looks like you need to fix the notebook so it uses a private ip number
for the IPSec interface. If that number is on your internal net, you will
need to proxy-arp. If not, you will need to set the routing table
appropriately.
>
>
> ---------------------------------------
>
> ---------- Forwarded message ----------
> Date: Fri, 13 Jul 2001 09:52:00 -0700 (PDT)
> From: [EMAIL PROTECTED]
> To: Greg J <[EMAIL PROTECTED]>
> Subject: Re: Routing ?
>
> On Fri, 13 Jul 2001, Greg J wrote:
>
> > Jeff,
> >
> > Thanks for your reply on the mailing
> list...sorry to spam your
> > personal mail but I'm including a routing table
> and a tcpdump which I
> > didn't want to post on the mail list...
>
> This is exactly the kind of data needed on the
> mailing list in order to
> diagnose problems, and I am cc'ing my message
> there so the answer will be
> archived and others can suggest better
> alternatives.
>
> > hoping you can point me in the
> > right direction. I think I just need a route to
> my private net from
> > the vpn but I'm not sure the best way to do it.
>
> I am not quite sure either, because as I said
> before, I haven't
> implemented an IPSec server or client. But you
> have to have a clear
> idea which interfaces are involved and why
> packets should route through
> each one. Routing information on your notebook
> is part of this picture
> not shown here.
>
> Actually, a picture might help quite a bit:
>
> +---------------------------------------------+
> | notebook |
> | ipsec--ipsec.static.nbk.ip--+ |
> | | |
> | ppp--pub.dyn.nbk.ip---------+ |
> +------+--------------------------------------+
> |
> |
> +------+----------------------------------+
> | eth0--pub.static.lrp.ip------+ LRP |
> | | |
> | ipsec0--ipsec.static.lrp.ip--+ |
> | |
> | eth1--192.168.210.5 |
> +-----+-----------------------------------+
> |
> |
> +-----+--------------------------+
> | eth0--192.168.210.1 server |
> +--------------------------------+
>
> > My notebook is on a dynamic ip from my ISP, in
> response to your question.
>
> The ip assigned to your notebook by the ISP is
> not the issue.
>
> The issue is the ip assigned to the notebook's
> IPSec tunnel virtual
> network interface. If that is in the
> 192.168.210.0/24 network, you will
> have to proxy arp on LRP so the machines on your
> LAN will know that your
> LRP will take care of packets destined for it.
>
> > TCPdump on LRP when I ping the internal LRP NIC
> from the notebook through the tunnel :
> > 17:40:20.550415
> nbsjcvx04ip142166142096.nbnet.nb.ca >
> 192.168.210.5:
> icmp: echo request
> >
> > 17:40:20.551375 192.168.210.5 >
> nbsjcvx04ip142166142096.nbnet.nb.ca: icmp: echo
> reply
>
> My lack of experience with IPSec tunnels is
> shining right now, since I
> cannot figure out what this means without more
> information from you. My
> read of this is that nbshwhatever is the
> dynamically assigned ip of the
> laptop, and that 192.168.210.5 is the ip of your
> internal NIC, and I am
> baffled how the packet ever arrived because your
> notebook should have
> routed this packet directly out of the virtual
> interface using the ip of
> the virtual interface as the source ip. As it
> is, it looks like the
> packet left your notebooks public interface
> directly, and how a private ip
> ever got routed to your LRP box through a public
> network withough being
> inside the tunnel (with appropriate source ip)
> mystifies me.
>
> [...]
>
> > TCPdump when I ping my private network server
> (or anything else on the
> private net) from the notebook
> >
> > 17:40:27.729676
> nbsjcvx04ip142166142096.nbnet.nb.ca >
> 192.168.210.1:
> icmp: echo request
> >
> > 17:40:28.965846
> nbsjcvx04ip142166142096.nbnet.nb.ca >
> 192.168.210.1:
> icmp: echo request
>
> You didn't indicate what kind of filter is on
> this tcpdump. I would
> expect the network server to use 192.168.210.5
> for its default gateway
> and for the return packet to bypass the IPSec
> interface completely
> because nbsjwhatever is a public address. If
> this trace includes all
> interfaces, it says the private network server
> doesn't use 192.168.210.5
> to get to nbsjwhatever (normally through default
> route).
>
> [...]
>
> > Here's my routing table on the LRP box :
> >
> > Kernel IP routing table
> >
> > Destination Gateway Genmask Flags Metric Ref
> Use Iface
> >
> > stjhts20d114.nb 142.166.76.49 255.255.255.255
> UGH 0 0 0 ipsec0
> >
> > 142.166.76.0 * 255.255.255.0 U 0 0 0 eth0
> >
> > 142.166.76.0 * 255.255.255.0 U 0 0 0 ipsec0
>
> You are putting the same network on two
> interfaces. You can only do this
> if you use proxy-arp. Are you?
>
> >
> > 192.168.210.0 * 255.255.255.0 U 0 0 0 eth1
> >
> > default 142.166.76.49 0.0.0.0 UG 0 0 0 eth0
> >
> > Thanks a lot...if you can help I really
> appreciate it.
>
> I think you may need to answer some of my
> questions, and get someone else
> to chime in before this gets resolved.
>
> > On Wed, 11 Jul 2001, Greg J wrote:
> >
> > > I have a private network (192.168.1.0) with
> an LRP / IPSec box
> > > (192.168.1.5) NATing on a DSL connection to
> the internet. I have a
> > > Win98 notebook on a dialup connection to the
> internet using an IRE vpn
> > > client to connect back to the private
> network. I can get a secure
> > > connection from the notebook back to the
> local network to the point
> > > where I can ping the internal NIC on my LRP
> router. I cannot ping
> > > anything else on the private network...tried
> everything I know. Am I
> > > looking at a firewall issue ?
> >
> > I don't do IPSec (yet?), but this sounds like a
> routing issue to me.
> > You don't say what the IP number on the laptop
> is, but if it is the same
> > as the private net then you won't be able to
> route. If it is different,
> > then you will probably need to see where the
> packets are (not) being
> > routed. tcpdump or ipchains (using logging
> creatively) can be used to
> > confirm where the packets get to.
>
> --------------------------------------------------
> -------------------------
> Jeff Newmiller
> The ..... ..... Go Live...
> DCN:<[EMAIL PROTECTED]> Basics:
> ##.#. ##.#. Live Go...
> Live:
> OO#.. Dead: OO#.. Playing
> Research Engineer (Solar/Batteries
> O.O#. #.O#. with
> /Software/Embedded
> Controllers) .OO#. .OO#.
> rocks...2k
> --------------------------------------------------
> -------------------------
>
>
>
>
>
> _______________________________________________
> Leaf-user mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/leaf-
> user
>
>
>
> Geocrawler.com - The Knowledge Archive
>
---------------------------------------------------------------------------
Jeff Newmiller The ..... ..... Go Live...
DCN:<[EMAIL PROTECTED]> Basics: ##.#. ##.#. Live Go...
Live: OO#.. Dead: OO#.. Playing
Research Engineer (Solar/Batteries O.O#. #.O#. with
/Software/Embedded Controllers) .OO#. .OO#. rocks...2k
---------------------------------------------------------------------------
_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-user
