Chad Carr wrote:
> Hello routing and tunneling guys and gals! I have a tunneling quandary for
> ye.
>
> I am doing an implementation of mobile ip and have finally solidified all
> of the protocol bits to implement a foreign agent, and have come to the
> part where I need to accept ip-in-ip tunneled packets for a mobile node,
> detunnel them, and deliver them to him. I am using the kernel ipip.o
> module for this, and have configured the tunnel as follows:
>
>  __________                 _____________          ___________
> |          |               |             |        |           |
> |home agent|===(router)===>|foreign agent|------->|mobile node|
> |__________|               |_____________|        |___________|
>
>
> home agent ip - 172.24.8.99
> foreign agent ip - 172.24.20.104
> mobile node ip - 172.24.8.24 (on the foreign network)
I question the ip addresses below....
>
> I am not in control of the home agent, but I have verified with a sniffer
> that he is sending me well-formed ip-in-ip packets for the mobile node,
> plus he works with another foreign agent that I have, so he is not the
> problem.
>
> foreign agent configuration:
>
> # bring up tunnel device
> ip tunnel add mode ipip # (default tunnel tunl0; local *->remote *)
>
> # add static arp table entry since mobile node can't reply
> ip neigh add 172.24.8.24 lladdr 00:00:0d:2f:a0:b0 dev eth0 nud perm
>
> # add static host route
> ip route add 172.24.8.24 dev eth0
Is 172.24.8.24 really connected to eth0 or is it eth1?
>
> I have verified the following:
>
> 1) The packets are getting delivered to the foreign agent;
> 2) The packets are being accepted by tunl0 and processed;
> 3) They are the expected size (the size of the inner ip packet);
> 4) They are not being delivered anywhere outside the box.
But it seems like you haven't enabled logging all packets on
the foreign agent that come from the home agent or are destined
for the home agent. I find adding those types of firewall rules
essential to these routing jobs. Seriously. Log them packys.
Then you'd see if the traffic is even moving out eth0 on the
foreign agent on its way to the remote node.
> I figure the following bits are true:
>
> The foreign agent is holding a copy of the ip packet addressed to the
> mobile node. He may do one of the following: a) assume that the packet
> is for delivery on the local link, look up the ip in the arp table,
> and deliver it to the mobile node b) hit the routing table again and see
> the host route, see that it is directly connected, look up the ip in
> the arp table, and deliver it to the mobile node.
> c) drop the packet
>
> Obviously, given the way I have configured the box, I believe that "b"
> should be what is happening. However, it seems plain that "c" is the
> option that has been chosen by the tunl0 device.
>
> I am obviously missing something quite overt, so I thought that one of you
> guys might be able to see what I can't.
If you're running a /16 netmask all over, and you didn't tell
us that, then the packets should be accepted unless they are
dropped by the firewall rules or the config is wrong. At first
glance I don't spot anything wrong, but don't trust that :)
If the netmask is not /16 all around, then what have you done
on the foreign agent to tell it that it's bridging the two networks,
namely
> foreign agent ip - 172.24.20.104
> mobile node ip - 172.24.8.24
It'd help if you pasted in any relevant messages in from the foreign
agent syslog showing the trail of the packets being accepted and moving
in and out eth cards. Any masqing/forwarding enabled on the Foreign Host?
Well, got to walk the pooch. Hope I brought something up
that might be useful, Matt
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
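The checks listed in the thread (the outer packet is addressed to the foreign agent, it is well-formed IP-in-IP, and the inner packet has the expected size and destination) can be run offline against captured bytes. The following is an added example, not code from either poster; the function names and the correspondent address 192.0.2.10 are assumptions, and the sample packets are constructed.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4  # IP-in-IP encapsulation (RFC 2003)

def checksum(header: bytes) -> int:
    """Internet checksum over an IPv4 header; 0 when the stored checksum is valid."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build an IPv4 packet with a 20-byte header (used only for constructed test data)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(pkt: bytes) -> dict:
    """Parse and sanity-check one IPv4 header; raise ValueError if malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len, = struct.unpack("!H", pkt[2:4])
    if ihl < 20 or total_len < ihl or total_len > len(pkt):
        raise ValueError("bad header or total length")
    if checksum(pkt[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return {"src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "proto": pkt[9], "ttl": pkt[8], "payload": pkt[ihl:total_len]}

def decapsulate(pkt: bytes, local_ip: str) -> dict:
    """Return the parsed inner packet of an IP-in-IP datagram addressed to local_ip."""
    outer = parse_ipv4(pkt)
    if outer["dst"] != local_ip:
        raise ValueError("outer destination is not this tunnel endpoint")
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("outer protocol is not 4 (IP-in-IP)")
    inner = parse_ipv4(outer["payload"])
    inner["inner_len"] = len(outer["payload"])  # size tunl0 should report
    return inner

# Constructed sample: an ICMP echo from an assumed correspondent (192.0.2.10) to the
# mobile node, tunneled from the home agent to the foreign agent.
INNER = build_ipv4("192.0.2.10", "172.24.8.24", 1, b"\x08\x00" + bytes(6))
OUTER = build_ipv4("172.24.8.99", "172.24.20.104", IPPROTO_IPIP, INNER)
```

Feeding `decapsulate` the raw IP bytes of a sniffed frame confirms what the tunnel device should hand to the routing table; it says nothing about what the kernel does with the packet afterwards.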