Hello everyone, I have a problem regarding GRE tunneling. I have two Linux boxes, both of them have a private network; Linux A is connected to the internet via wireless radio and the other, Linux B, is connected to the internet via leased line. Here is the setup of my two Linux boxes:

Linux A
eth0 = 203.189.x.1 (internet)
eth1 = 192.168.1.1 (going to hub private network)

Linux B
eth0 = 205.198.x.1 (internet)
eth1 = 192.168.2.1 (going to hub private network)

Here is my configuration in Linux A and B. I also load the modules needed (insmod ip_gre).

Linux A
ip tunnel add netb mode gre remote 205.198.x.1 local 203.189.x.1 ttl 255
ip link set netb up
ip addr add 192.168.1.1 dev netb
ip route add 192.168.2.0/24 dev netb

Linux B
ip tunnel add neta mode gre remote 203.189.x.1 local 205.198.x.1 ttl 255
ip link set neta up
ip addr add 192.168.2.1 dev neta
ip route add 192.168.1.0/24 dev neta

I could ping both sides' eth0 and also the eth1, which is for the private network. Here is my problem: I couldn't ping the other private IP addresses on the hub my eth1 is connected to. Can anyone help me, what's my error? Please reply asap. Thanks

Glynn Condez
Hello Christoph, actually I haven't done anything with netfilter rules and I don't have any restrictions applied on the Linux boxes; it's a normal configuration. I also enabled forwarding under /proc/sys/net/ipv4/ip_forward with the value of 1. Can you figure out what the problem is? Thanks

Glynn

----- Original Message -----
From: "Christoph Simon" <ciccio@kiosknet.com.br>
To: "glynn" <glynn@itextron.com>
Cc: <lartc@mailman.ds9a.nl>
Sent: Monday, January 07, 2002 7:41 PM
Subject: Re: [LARTC] Gre Tunneling Problem

> Do you have any netfilter rules not letting pass proto 47? You'll also
> have to allow forwarding.
Hi Joe, I will try your suggestion and I'll inform you guys if it's working or not. I really badly need it to work, guys :( Hope you understand. Thanks again,

Glynn

----- Original Message -----
From: "Joe Patterson" <jpatterson@asgardgroup.com>
To: "glynn" <glynn@itextron.com>; "Christoph Simon" <ciccio@kiosknet.com.br>
Cc: <lartc@mailman.ds9a.nl>
Sent: Tuesday, January 08, 2002 9:01 AM
Subject: RE: [LARTC] Gre Tunneling Problem

> I would suggest using a different network for the gre tunnel, like:
>
> Linux A
> ip tunnel add netb mode gre remote 205.198.x.1 local 203.189.x.1 ttl 255
> ip link set netb up
> ip addr add 192.168.3.1/30 dev netb
> ip route add 192.168.2.0/24 dev netb via 192.168.3.2
>
> Linux B
> ip tunnel add neta mode gre remote 203.189.x.1 local 205.198.x.1 ttl 255
> ip link set neta up
> ip addr add 192.168.3.2/30 dev neta
> ip route add 192.168.1.0/24 dev neta via 192.168.3.1
>
> Otherwise, it's just weird. Not that that's bad, it just sometimes doesn't
> work...
>
> -Joe
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/lartc/
Hi Joe, I tried it and it won't work, same result. I could ping both, but it won't reach the internal IP addresses; it seems that it only resolves the interfaces but it won't forward. Can you figure it out again please? Thanks.

Glynn

----- Original Message -----
From: "Joe Patterson" <jpatterson@asgardgroup.com>
To: "glynn" <glynn@itextron.com>; "Christoph Simon" <ciccio@kiosknet.com.br>
Cc: <lartc@mailman.ds9a.nl>
Sent: Tuesday, January 08, 2002 9:01 AM
Subject: RE: [LARTC] Gre Tunneling Problem

> I would suggest using a different network for the gre tunnel, like:
>
> Linux A
> ip tunnel add netb mode gre remote 205.198.x.1 local 203.189.x.1 ttl 255
> ip link set netb up
> ip addr add 192.168.3.1/30 dev netb
> ip route add 192.168.2.0/24 dev netb via 192.168.3.2
>
> Linux B
> ip tunnel add neta mode gre remote 203.189.x.1 local 205.198.x.1 ttl 255
> ip link set neta up
> ip addr add 192.168.3.2/30 dev neta
> ip route add 192.168.1.0/24 dev neta via 192.168.3.1
>
> Otherwise, it's just weird. Not that that's bad, it just sometimes doesn't
> work...
>
> -Joe
It won't work, Joe. I tried everything; I've searched almost every HOWTO on the web about GRE tunneling and they're almost all the same. By the way, I'm configuring GRE tunneling on Redhat 6.0. Please help. Thanks

Glynn

----- Original Message -----
From: "Christoph Simon" <ciccio@kiosknet.com.br>
To: "Joe Patterson" <jpatterson@asgardgroup.com>
Cc: <glynn@itextron.com>; <lartc@mailman.ds9a.nl>
Sent: Tuesday, January 08, 2002 9:18 AM
Subject: Re: [LARTC] Gre Tunneling Problem

> Don't know if this helps, but it's working here just as Glynn posted
> and just as it's written in the HOWTO. I guess the problem must be at
> another spot.
Now I'm trying to install a new Slackware 7, maybe it will work :(

----- Original Message -----
From: "Christoph Simon" <ciccio@kiosknet.com.br>
To: "Joe Patterson" <jpatterson@asgardgroup.com>
Cc: <glynn@itextron.com>; <lartc@mailman.ds9a.nl>
Sent: Tuesday, January 08, 2002 9:18 AM
Subject: Re: [LARTC] Gre Tunneling Problem

> Don't know if this helps, but it's working here just as Glynn posted
> and just as it's written in the HOWTO. I guess the problem must be at
> another spot.
When you configured that tunneling, did you reconfigure your kernel? What should I enable in my kernel? By the way, when I log on to Linux A, I could ping Linux B's eth0 (internet) and eth1 (let's say "192.168.1.1"), but when I ping "192.168.1.2", which is a Windows workstation connected to the hub, it won't pass through. How do I sniff the interface where the packets go? Can you help me with that please? Thanks

Glynn

----- Original Message -----
From: "Christoph Simon" <ciccio@kiosknet.com.br>
To: "glynn" <glynn@itextron.com>
Cc: <jpatterson@asgardgroup.com>; <lartc@mailman.ds9a.nl>
Sent: Tuesday, January 08, 2002 5:14 PM
Subject: Re: [LARTC] Gre Tunneling Problem

> I'm running Debian here. But I do think you should try to trace the
> problem. Send a ping and sniff on each interface, step by step, where
> the packets go and what they look like. Trying different distributions
> seems little reasonable to me, but maybe you want to recompile the
> kernel just to make sure everything's OK, no strange patches, etc.
Well, that's good to hear that my tunnel is slightly working now. Well, it's almost evening, I need to fetch my wife at her office; now I could sleep a little bit this evening. I'll work on it tomorrow. Thanks for the help, Chris. I'll get in touch with you with the result tomorrow or if I have some questions. Thanks

Glynn

----- Original Message -----
From: "Christoph Simon" <ciccio@kiosknet.com.br>
To: "glynn" <glynn@itextron.com>
Cc: <lartc@mailman.ds9a.nl>
Sent: Tuesday, January 08, 2002 5:48 PM
Subject: Re: [LARTC] Gre Tunneling Problem

> So you can ping from 192.168.2.1 to 192.168.1.1; this is good, as it
> means that the tunnel definitively is working.
>
> Now, if you try to ping from 192.168.2.1 to 192.168.1.2, the Windows
> box, it seems to fail. First I would try to ping from 192.168.1.1 to
> 192.168.1.2, just to make sure everything is working fine locally. If
> this works too, I would make tcpdump listen at the external interface
> of 192.168.2.1. Does the packet actually go out? If not, the routing
> or filter problem must be there. If it works, I'd listen on the
> external interface of 192.168.1.1; obviously these must arrive because
> the tunnel is working and the packet left at the other side. Now you
> can listen to the internal interface, seeing if the packet is actually
> being forwarded. If this fails, your problem is routing, filtering or
> forwarding on 192.168.1.1. Don't know how to sniff on a Windows box, but
> as the ping from 192.168.1.1 to 192.168.1.2 presumably worked, there
> shouldn't be a need.
>
> If you have access and there is no other traffic, a much simpler
> method would be just to watch the LEDs on the modems, network cards,
> hubs, etc. This will help finding out where your problem is. As you
> can ping the first computer after the tunnel, I feel sure the tunnel
> is working fine; the problem must be in another place, probably a
> stupid little detail.
>
> Note that the suggestion of introducing a different network address
> for the tunnel interfaces themselves will slightly complicate
> routing. But if you pay attention, this shouldn't be a problem.
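Christoph's trace above ends at three candidates on the far router: routing, filtering or forwarding. The script below is an added example, not code from the thread or from the LARTC HOWTO; it turns those three checks, plus his earlier question about proto 47, into a checklist run over constructed snapshots of a router's state (the contents of /proc/sys/net/ipv4/ip_forward, `ip route` output and `iptables -S` output, whose formats are assumed). The route lines, rule lines, device names and the 203.0.113.254 gateway are constructed for the example.

```python
"""Run Christoph's three far-router checks (routing, filtering, forwarding)
over captured state. Added example, not from the thread or the LARTC HOWTO.
Inputs are constructed strings imitating /proc/sys/net/ipv4/ip_forward,
`ip route` output and `iptables -S` output (formats assumed); nothing is
read from the live system."""
import re
from ipaddress import ip_network


def check_ip_forward(value: str) -> list:
    """Without ip_forward=1 the router answers pings to its own addresses
    (which is what Glynn sees) but never forwards LAN <-> tunnel traffic."""
    if value.strip() == "1":
        return []
    return ["ip_forward is not 1: kernel will not forward between eth1 and the tunnel"]


def check_route(routes: str, remote_lan: str, tunnel_dev: str) -> list:
    """The remote LAN prefix must have a route out of the tunnel device."""
    want = ip_network(remote_lan)
    for line in routes.splitlines():
        fields = line.split()
        if not fields or fields[0] == "default":
            continue
        try:
            net = ip_network(fields[0] if "/" in fields[0] else fields[0] + "/32")
        except ValueError:
            continue
        if net != want:
            continue
        dev = fields[fields.index("dev") + 1] if "dev" in fields else "?"
        if dev == tunnel_dev:
            return []
        return [f"{remote_lan} is routed via {dev}, not {tunnel_dev}"]
    return [f"no route for {remote_lan}: ip route add {remote_lan} dev {tunnel_dev}"]


def check_filter(rules: str) -> list:
    """Flag rules dropping GRE (IP protocol 47) on the endpoint itself, and a
    FORWARD chain whose policy is DROP with no rule accepting anything."""
    problems = []
    forward_accepts = False
    for line in rules.splitlines():
        if re.search(r"^-A FORWARD .*-j ACCEPT", line):
            forward_accepts = True
        if re.search(r"^-A (INPUT|OUTPUT) .*-p (gre|47)\b.*-j (DROP|REJECT)", line):
            problems.append(f"rule drops GRE on the endpoint: {line.strip()}")
    if re.search(r"^-P FORWARD DROP", rules, re.M) and not forward_accepts:
        problems.append("FORWARD policy is DROP and no FORWARD rule accepts traffic")
    return problems


def diagnose(ip_forward: str, routes: str, rules: str,
             remote_lan: str, tunnel_dev: str) -> list:
    return (check_ip_forward(ip_forward)
            + check_route(routes, remote_lan, tunnel_dev)
            + check_filter(rules))


# Constructed snapshots for Linux A: eth1 = 192.168.1.1, tunnel device netb
# towards B's LAN; 203.0.113.254 is a placeholder default gateway.
ROUTES_OK = """\
192.168.2.0/24 dev netb scope link
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
default via 203.0.113.254 dev eth0
"""
ROUTES_MISSING = """\
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
default via 203.0.113.254 dev eth0
"""
RULES_OK = "-P INPUT ACCEPT\n-P FORWARD ACCEPT\n-P OUTPUT ACCEPT\n"
RULES_BAD = "-P INPUT ACCEPT\n-P FORWARD DROP\n-P OUTPUT ACCEPT\n-A INPUT -p 47 -j DROP\n"


def diagnose_good() -> list:
    return diagnose("1\n", ROUTES_OK, RULES_OK, "192.168.2.0/24", "netb")


def diagnose_bad() -> list:
    return diagnose("0\n", ROUTES_MISSING, RULES_BAD, "192.168.2.0/24", "netb")


if __name__ == "__main__":
    for name, result in (("good", diagnose_good()), ("bad", diagnose_bad())):
        print(name, "->", result or ["nothing wrong on this host; check the next hop"])
```

An empty result on Linux A does not finish the trace: the LAN hosts behind it still need a route back to 192.168.2.0/24 through 192.168.1.1 (typically their default gateway), which is the one thing this script cannot see from the router.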
On Sun, 6 Jan 2002 17:39:46 +0800
"glynn" <glynn@itextron.com> wrote:

> Hello everyone, I have a problem regarding GRE tunneling. I have two
> Linux boxes, both of them have a private network; Linux A is
> connected to the internet via wireless radio and the other, Linux B, is
> connected to the internet via leased line. Here is the setup of my two
> Linux boxes:
>
> Linux A
> eth0 = 203.189.x.1 (internet)
> eth1 = 192.168.1.1 (going to hub private network)
>
> Linux B
> eth0 = 205.198.x.1 (internet)
> eth1 = 192.168.2.1 (going to hub private network)
>
> Here is my configuration in Linux A and B. I also load the modules
> needed (insmod ip_gre).
>
> Linux A
> ip tunnel add netb mode gre remote 205.198.x.1 local 203.189.x.1 ttl 255
> ip link set netb up
> ip addr add 192.168.1.1 dev netb
> ip route add 192.168.2.0/24 dev netb
>
> Linux B
> ip tunnel add neta mode gre remote 203.189.x.1 local 205.198.x.1 ttl 255
> ip link set neta up
> ip addr add 192.168.2.1 dev neta
> ip route add 192.168.1.0/24 dev neta
>
> I could ping both sides' eth0 and also the eth1, which is for the
> private network. Here is my problem: I couldn't ping the other private IP
> addresses on the hub my eth1 is connected to. Can anyone help me,
> what's my error? Please reply asap. Thanks

Do you have any netfilter rules not letting pass proto 47? You'll also
have to allow forwarding.

--
Christoph Simon
ciccio@kiosknet.com.br
---
^X^C
q
quit
:q
^C
end
x
exit
ZZ
^D
?
help
.
On Mon, 7 Jan 2002 08:58:46 +0800
"glynn" <glynn@itextron.com> wrote:

> Hello Christoph, actually I haven't done anything with netfilter rules and I don't
> have any restrictions applied on the Linux boxes; it's a normal configuration.
> I also enabled forwarding under /proc/sys/net/ipv4/ip_forward
> with the value of 1. Can you figure out what the problem is? Thanks

I don't know what's wrong. It's working here. I can ping the external
and internal addresses of the peer, and, through the tunnel, any host
connected to that. Try to follow the packets using tcpdump or similar.

--
Christoph Simon
ciccio@kiosknet.com.br
I would suggest using a different network for the gre tunnel, like:

Linux A
ip tunnel add netb mode gre remote 205.198.x.1 local 203.189.x.1 ttl 255
ip link set netb up
ip addr add 192.168.3.1/30 dev netb
ip route add 192.168.2.0/24 dev netb via 192.168.3.2

Linux B
ip tunnel add neta mode gre remote 203.189.x.1 local 205.198.x.1 ttl 255
ip link set neta up
ip addr add 192.168.3.2/30 dev neta
ip route add 192.168.1.0/24 dev neta via 192.168.3.1

Otherwise, it's just weird. Not that that's bad, it just sometimes doesn't
work...

-Joe

> -----Original Message-----
> From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl] On
> Behalf Of glynn
> Sent: Sunday, January 06, 2002 7:59 PM
> To: Christoph Simon
> Cc: lartc@mailman.ds9a.nl
> Subject: Re: [LARTC] Gre Tunneling Problem
>
> Hello Christoph, actually I haven't done anything with netfilter rules and
> I don't have any restrictions applied on the Linux boxes; it's a normal
> configuration. I also enabled forwarding under /proc/sys/net/ipv4/ip_forward
> with the value of 1. Can you figure out what the problem is? Thanks
>
> Glynn
Are PPTP VPN and GRE tunneling the same? Thanks

Glynn

----- Original Message -----
From: "Greg Scott" <GregScott@InfraSupportEtc.com>
To: "'glynn'" <glynn@itextron.com>; "Christoph Simon" <ciccio@kiosknet.com.br>; "Joe Patterson" <jpatterson@asgardgroup.com>
Cc: <lartc@mailman.ds9a.nl>
Sent: Tuesday, January 08, 2002 8:40 PM
Subject: RE: [LARTC] Gre Tunneling Problem

> > btw in configuring gre tunneling in
> > Redhat 6.0, pls help
>
> Could this be your problem? I thought the PPTP VPN stuff needs the 2.4
> kernel. The testing I mentioned earlier was with Red Hat 7.1 on both ends
> of the tunnel, which is a 2.4.n kernel.
>
> - Greg
Hello, good morning. I would like to ask: do I need to configure NAT/masq on both Linux boxes? I could ping both eth1s, which are the private IPs of the interfaces, but the private networks won't work.

----- Original Message -----
From: "Christoph Simon" <ciccio@kiosknet.com.br>
To: "glynn" <glynn@itextron.com>
Cc: <lartc@mailman.ds9a.nl>
Sent: Tuesday, January 08, 2002 5:48 PM
Subject: Re: [LARTC] Gre Tunneling Problem

> So you can ping from 192.168.2.1 to 192.168.1.1; this is good, as it
> means that the tunnel definitively is working.
>
> Now, if you try to ping from 192.168.2.1 to 192.168.1.2, the Windows
> box, it seems to fail. First I would try to ping from 192.168.1.1 to
> 192.168.1.2, just to make sure everything is working fine locally. If
> this works too, I would make tcpdump listen at the external interface
> of 192.168.2.1. Does the packet actually go out? If not, the routing
> or filter problem must be there. If it works, I'd listen on the
> external interface of 192.168.1.1; obviously these must arrive because
> the tunnel is working and the packet left at the other side. Now you
> can listen to the internal interface, seeing if the packet is actually
> being forwarded. If this fails, your problem is routing, filtering or
> forwarding on 192.168.1.1. Don't know how to sniff on a Windows box, but
> as the ping from 192.168.1.1 to 192.168.1.2 presumably worked, there
> shouldn't be a need.
>
> If you have access and there is no other traffic, a much simpler
> method would be just to watch the LEDs on the modems, network cards,
> hubs, etc. This will help finding out where your problem is. As you
> can ping the first computer after the tunnel, I feel sure the tunnel
> is working fine; the problem must be in another place, probably a
> stupid little detail.
>
> Note that the suggestion of introducing a different network address
> for the tunnel interfaces themselves will slightly complicate
> routing. But if you pay attention, this shouldn't be a problem.
On Mon, 7 Jan 2002 20:01:00 -0500
"Joe Patterson" <jpatterson@asgardgroup.com> wrote:

> I would suggest using a different network for the gre tunnel, like:
>
> Linux A
> ip tunnel add netb mode gre remote 205.198.x.1 local 203.189.x.1 ttl 255
> ip link set netb up
> ip addr add 192.168.3.1/30 dev netb
> ip route add 192.168.2.0/24 dev netb via 192.168.3.2
>
> Linux B
> ip tunnel add neta mode gre remote 203.189.x.1 local 205.198.x.1 ttl 255
> ip link set neta up
> ip addr add 192.168.3.2/30 dev neta
> ip route add 192.168.1.0/24 dev neta via 192.168.3.1
>
> Otherwise, it's just weird. Not that that's bad, it just sometimes
> doesn't work...

Don't know if this helps, but it's working here just as Glynn posted
and just as it's written in the HOWTO. I guess the problem must be at
another spot.

--
Christoph Simon
ciccio@kiosknet.com.br
I tried an experiment a couple months ago, lifted the commands right out of the HOWTO and changed the IP addresses, and it all worked just fine. For a bunch of unrelated reasons, I didn't get to put mine into long-term production, but I am confident that the HOWTO works.

Here's what's been bugging me - I didn't see anything about shared secrets or passwords or anything like that. How does the security work? What's to stop any Joe Blow from impersonating one of the IP addresses in a Linux PPTP-GRE tunnel? Is there any encryption?

- Greg

----- Original Message -----
From: "glynn" <glynn@itextron.com>
To: "Joe Patterson" <jpatterson@asgardgroup.com>; "Christoph Simon" <ciccio@kiosknet.com.br>
Cc: <lartc@mailman.ds9a.nl>
Sent: Sunday, January 06, 2002 10:04 PM
Subject: Re: [LARTC] Gre Tunneling Problem

> Hi Joe, I tried it and it won't work, same result. I could ping both, but it
> won't reach the internal IP addresses; it seems that it only resolves the
> interfaces but it won't forward. Can you figure it out again please?
> Thanks.
>
> Glynn
Guys, I just want you to know that my tunneling is working now. The only thing I've added is the NAT; I configured NAT on both linux boxes and it works. Thanks for the help guys, I really appreciate your help. Til next time.

Thanks
Glynn

----- Original Message -----
From: "Greg Scott" <GregScott@InfraSupportEtc.com>
To: "'glynn'" <glynn@itextron.com>; "Christoph Simon" <ciccio@kiosknet.com.br>; "Joe Patterson" <jpatterson@asgardgroup.com>
Cc: <lartc@mailman.ds9a.nl>
Sent: Tuesday, January 08, 2002 8:40 PM
Subject: RE: [LARTC] Gre Tunneling Problem

> > btw in configuring gre tunneling in
> > Redhat 6.0, pls help
>
> Could this be your problem? I thought the PPTP VPN stuff needs the 2.4
> kernel. The testing I mentioned earlier was with Red Hat 7.1 on both ends
> of the tunnel, which is a 2.4.n kernel.
>
> - Greg
>
> -----Original Message-----
> From: glynn [mailto:glynn@itextron.com]
> Sent: Monday, January 07, 2002 12:29 AM
> To: Christoph Simon; Joe Patterson
> Cc: lartc@mailman.ds9a.nl
> Subject: Re: [LARTC] Gre Tunneling Problem
>
> It won't work Joe, I tried everything, I almost searched the howto on the web
> thru gre tunneling and almost the same. btw in configuring gre tunneling in
> Redhat 6.0, pls help
> Thanks
>
> Glynn
On Mon, 7 Jan 2002 14:35:08 +0800
"glynn" <glynn@itextron.com> wrote:

> now im trying to install a new slackware 7, maybe it work :(

I'm running debian here. But I do think you should try to trace the problem. Send a ping and sniff on each interface, step by step, where the packets go and what they look like. Trying different distributions seems little reasonable to me, but maybe you want to recompile the kernel just to make sure everything's OK, no strange patches, etc.

--
Christoph Simon
ciccio@kiosknet.com.br
---
^X^C q quit :q ^C end x exit ZZ ^D ? help .
On Mon, 7 Jan 2002 17:40:47 +0800
"glynn" <glynn@itextron.com> wrote:

> when you configure that tunneling did you reconfigure your kernel? what
> should i enable in my kernel? by the way when i log-on to the linux A, I
> could ping the linux B eth0(internet) and eth1(let say "192.168.1.1")
> but when i ping the "192.168.1.2" which is a windows workstation
> connected to hub it won't pass thru. how do i sniff the interface where
> the packets go, can you help me about that pls. Thanks

So you can ping from 192.168.2.1 to 192.168.1.1, this is good, as it means that the tunnel definitively is working. Now, if you try to ping from 192.168.2.1 to 192.168.1.2, the Windows box, it seems to fail.

First I would try to ping from 192.168.1.1 to 192.168.1.2, just to make sure everything is working fine locally. If this works too, I would make tcpdump listen at the external interface of 192.168.2.1. Does the packet actually go out? If not, the routing or filter problem must be there. If it works, I'd listen on the external interface of 192.168.1.1; obviously these must arrive because the tunnel is working and the packet left at the other side. Now you can listen to the internal interface, seeing if the packet is actually being forwarded. If this fails, your problem is routing, filtering or forwarding on 192.168.1.1.

Don't know how to sniff on a Windows, but as the ping from 192.168.1.1 to 192.168.1.2 presumably worked, there shouldn't be a need. If you have access and there is no other traffic, a much simpler method would be just to watch the LEDs on the modems, network cards, hubs, etc. This will help finding out where your problem is. As you can ping the first computer after the tunnel, I feel sure the tunnel is working fine; the problem must be in another place, probably a stupid little detail.

Note that the suggestion of introducing a different network address for the tunnel interfaces themselves will slightly complicate routing. But if you pay attention, this shouldn't be a problem.

--
Christoph Simon
ciccio@kiosknet.com.br
---
^X^C q quit :q ^C end x exit ZZ ^D ? help .
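The hop-by-hop method above (does the packet leave, does it arrive, is it forwarded, does the reply have a way back) can be rehearsed on a model before touching tcpdump. The following is an added example, not code from the thread or from any of its participants: a small routing simulator with a constructed lab of gateway A, gateway B and a workstation on A's hub, using Joe's separate /30 for the tunnel interfaces. The trace stops at the first node that has no route, has forwarding disabled, or cannot reach its next hop, and names it, which is exactly what the step-by-step sniffing is meant to find. The three scenarios (workstation with and without a route back through the gateway, and gateway A with ip_forward off) are constructed for illustration, not a diagnosis of Glynn's network.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: str                 # destination network, e.g. "192.168.2.0/24"
    dev: str                    # outgoing interface
    via: Optional[str] = None   # next-hop gateway; None means directly connected


@dataclass
class Node:
    name: str
    addrs: dict                 # iface name -> "address/prefixlen"
    routes: list                # list of Route
    forwarding: bool = True     # models /proc/sys/net/ipv4/ip_forward

    def owns(self, ip: str) -> bool:
        target = ipaddress.ip_address(ip)
        return any(ipaddress.ip_interface(a).ip == target for a in self.addrs.values())

    def lookup(self, ip: str) -> Optional[Route]:
        """Longest-prefix match over this node's routing table."""
        target = ipaddress.ip_address(ip)
        best, best_len = None, -1
        for r in self.routes:
            net = ipaddress.ip_network(r.prefix)
            if target in net and net.prefixlen > best_len:
                best, best_len = r, net.prefixlen
        return best


class Network:
    def __init__(self, nodes, links):
        self.nodes = {n.name: n for n in nodes}
        self.peers = {}          # (node, iface) -> [(peer node, peer iface), ...]
        for a, b in links:
            self.peers.setdefault(a, []).append(b)
            self.peers.setdefault(b, []).append(a)

    def neighbor(self, node: Node, iface: str, ip: str) -> Optional[Node]:
        """The node on the segment behind (node, iface) that holds address ip, if any."""
        target = ipaddress.ip_address(ip)
        for pname, piface in self.peers.get((node.name, iface), []):
            peer = self.nodes[pname]
            if ipaddress.ip_interface(peer.addrs[piface]).ip == target:
                return peer
        return None

    def trace(self, src: str, dst_ip: str, max_hops: int = 16):
        """Walk a packet from src towards dst_ip; report the hops and where it stops."""
        node = self.nodes[src]
        hops = [node.name]
        for _ in range(max_hops):
            if node.owns(dst_ip):
                return hops, "delivered"
            if node.name != src and not node.forwarding:
                return hops, f"dropped at {node.name}: ip_forward is 0"
            route = node.lookup(dst_ip)
            if route is None:
                return hops, f"dropped at {node.name}: no route to {dst_ip}"
            nexthop = route.via or dst_ip
            peer = self.neighbor(node, route.dev, nexthop)
            if peer is None:
                return hops, f"dropped at {node.name}: next hop {nexthop} not on {route.dev}"
            hops.append(peer.name)
            node = peer
        return hops, "dropped: hop limit exceeded"


def ping(net: Network, src: str, dst_ip: str) -> dict:
    """Trace the echo request and, if it arrives, the echo reply back to the source address."""
    fwd_hops, fwd_status = net.trace(src, dst_ip)
    result = {"forward": (fwd_hops, fwd_status), "reply": None}
    if fwd_status != "delivered":
        return result
    # Source address selection: the address of the interface the request leaves by
    out_dev = net.nodes[src].lookup(dst_ip).dev
    src_ip = str(ipaddress.ip_interface(net.nodes[src].addrs[out_dev]).ip)
    result["reply"] = net.trace(fwd_hops[-1], src_ip)
    return result


def build_lab(ws_default: bool = True, a_forwarding: bool = True) -> Network:
    """Constructed lab: two gateways joined by the GRE tunnel (a point-to-point link
    at the inner layer) and a workstation 'ws' on gateway A's hub."""
    a = Node("A", {"eth1": "192.168.1.1/24", "netb": "192.168.3.1/30"},
             [Route("192.168.1.0/24", "eth1"), Route("192.168.3.0/30", "netb"),
              Route("192.168.2.0/24", "netb", via="192.168.3.2")], forwarding=a_forwarding)
    b = Node("B", {"eth1": "192.168.2.1/24", "neta": "192.168.3.2/30"},
             [Route("192.168.2.0/24", "eth1"), Route("192.168.3.0/30", "neta"),
              Route("192.168.1.0/24", "neta", via="192.168.3.1")])
    ws_routes = [Route("192.168.1.0/24", "eth0")]
    if ws_default:
        ws_routes.append(Route("0.0.0.0/0", "eth0", via="192.168.1.1"))
    ws = Node("ws", {"eth0": "192.168.1.2/24"}, ws_routes, forwarding=False)
    return Network([a, b, ws], [(("A", "eth1"), ("ws", "eth0")), (("A", "netb"), ("B", "neta"))])


if __name__ == "__main__":
    for label, net in (("workstation has a route back", build_lab()),
                       ("workstation lacks a route back", build_lab(ws_default=False)),
                       ("gateway A has ip_forward=0", build_lab(a_forwarding=False))):
        print(label, ping(net, "B", "192.168.1.2"))
```

Two things the model makes visible that a ping result alone hides: with the /30 scheme the request leaves B with the tunnel address 192.168.3.2 as its source, so the far side needs a route to the tunnel subnet as well as to the LAN, and a request that is delivered can still produce no reply when the last host has no route back through its gateway, which a sniffer on A's internal interface would show as requests going out and nothing coming in.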
> btw in configuring gre tunneling in
> Redhat 6.0, pls help

Could this be your problem? I thought the PPTP VPN stuff needs the 2.4 kernel. The testing I mentioned earlier was with Red Hat 7.1 on both ends of the tunnel, which is a 2.4.n kernel.

- Greg

-----Original Message-----
From: glynn [mailto:glynn@itextron.com]
Sent: Monday, January 07, 2002 12:29 AM
To: Christoph Simon; Joe Patterson
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Gre Tunneling Problem

It won't work Joe, I tried everything, I almost searched the howto on the web thru gre tunneling and almost the same. btw in configuring gre tunneling in Redhat 6.0, pls help
Thanks
Glynn
Yes - they are both the same. GRE is the name of the IP protocol used for exchanging messages. PPTP - Point to Point Tunneling Protocol.

- Greg

-----Original Message-----
From: glynn [mailto:glynn@itextron.com]
Sent: Monday, January 07, 2002 7:08 PM
To: Greg Scott; Christoph Simon; Joe Patterson
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Gre Tunneling Problem

Are PPTP VPN and gre tunneling the same?
Thanks
Glynn
Hi! Sorry I wasn't able to reply to your email immediately since I'm busy with my tests in my newly set up tunnel. Sure I could help you regarding setting up gre tunneling in linux. Here it is, based on my own setup of the networks I needed to tunnel.

I have two networks. Network A has a running Linux Slackware 7 acting as a gateway of the private network 192.168.100.0/24. The linux server has two NICs: eth0 is connected to the internet with the ip address of x.x.x.x/32 and eth1 is connected to the hub to the private network with the ip address of 192.168.100.1/24. Same with Network B, but the Linux is running a Redhat 6.0 with a private network 192.168.200.0/24, eth0 (internet) d.d.d.d/32 ip address and eth1 (private network) 192.168.200.1/24.

If you build these linux boxes, always include the kernel sources, development and also some compilers coz you need to recompile your kernel if something won't work and also for compiling the iproute2 package.

Here is the setup you need in both linux servers. Download the iproute2 package here:
ftp://ftp.inr.ac.ru/ip-routing/iproute2-current.tar.gz

Once you download the tar, just extract it wherever you wish to extract the package, let say /usr/local/src

extract the package
    /usr/local/src# tar zxvf iproute2-current.tar.gz
go to the iproute2 folder
    /usr/local/src# cd iproute2
compile the package
    /usr/local/src/iproute2# make
after compiling the package go to folder ip and copy the executable file ip to your /bin
    /usr/local/src/iproute2/ip# cp ip /bin

now you have a working ip command. You can try it by typing ip addr show or ip link show

Now masquerade both networks using the ipchains command. Try "ipchains -L"; you will see this result if you haven't set up a masq for both networks.

    Chain input (policy ACCEPT):
    Chain forward (policy ACCEPT):
    Chain output (policy ACCEPT):

Now enable the ip forwarding and masq
    # echo 1 > /proc/sys/net/ipv4/ip_forward
    # ipchains -A forward -s 192.168.100.0/24 -j MASQ
    # ipchains -A forward -s 192.168.200.0/24 -j MASQ

Now try to look at your ipchains table, type "ipchains -L", you'll see something like this

    Chain input (policy ACCEPT):
    Chain forward (policy ACCEPT):
    target     prot opt     source                destination           ports
    MASQ       all  ------  192.168.100.0/24      anywhere              n/a
    MASQ       all  ------  192.168.200.0/24      anywhere              n/a
    Chain output (policy ACCEPT):

Now for the tunnel part. Load the module for tunneling and set up the tunnel.
    #insmod ip_gre
    #ip tunnel add netb mode gre remote d.d.d.d local x.x.x.x ttl 255
    #ip link set netb up
    #ip addr add 192.168.100.1 dev netb
    #ip route add 192.168.200.0/24 dev netb

This setup is in Network A.
--------------------------------------------------------
Now do Network B, untar the iproute2 package
    # echo 1 > /proc/sys/net/ipv4/ip_forward
    # ipchains -A forward -s 192.168.200.0/24 -j MASQ
    # ipchains -A forward -s 192.168.100.0/24 -j MASQ
    #insmod ip_gre
    #ip tunnel add neta mode gre remote x.x.x.x local d.d.d.d ttl 255
    #ip link set neta up
    #ip addr add 192.168.200.1 dev neta
    #ip route add 192.168.100.0/24 dev neta

Now try to ping both NIC IP addresses of both linux servers. If it's resolving, try the private network ip's, hope it's working. wheew.

Glynn

----- Original Message -----
From: "Sagar Srivastava" <sagar@vpn.cwlglobal.com>
To: "glynn" <glynn@itextron.com>
Sent: Wednesday, January 09, 2002 4:41 PM
Subject: Re: [LARTC] Gre Tunneling Problem

> Glynn,
>
> It is nice to hear that your tunneling is working. I have set up a VPN using
> PPTP in win2000 and I am desperate to set a similar VPN in Linux. I need
> your help!
>
> It would be nice if you tell the steps to do this, the tools you used, or
> tell me the links to the pages that describe it and also something you would
> like to advise.
>
> Thank you very much for going through my problem.
>
> Sagar, India
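Most of the trouble in this thread came from the two ends of the tunnel not agreeing with each other (remote on one side must be local on the other, the far-LAN route must point into the tunnel device, and, per Joe's suggestion earlier in the thread, the tunnel interface is better given its own /30 than an address borrowed from the LAN). The following is an added example, not Glynn's or anyone else's code from the thread: it renders the per-endpoint command sequence of the write-up above from a small description of each box and cross-checks the pair before anything is typed in. The public addresses 192.0.2.1 and 198.51.100.1 are constructed documentation addresses standing in for x.x.x.x and d.d.d.d.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Endpoint:
    tun: str                    # tunnel interface name on this box, e.g. "netb"
    local: str                  # this box's Internet (outer) address
    remote: str                 # the peer's Internet (outer) address
    tun_addr: str               # address on the tunnel interface, with prefix length
    lan: str                    # this box's private network
    via: Optional[str] = None   # peer's tunnel address for the far-LAN route (Joe's scheme)


def render(ep: Endpoint, far_lan: str) -> List[str]:
    """The command sequence from the write-up above, for one endpoint."""
    route = f"ip route add {far_lan} dev {ep.tun}"
    if ep.via:
        route += f" via {ep.via}"
    return [
        "echo 1 > /proc/sys/net/ipv4/ip_forward",
        "insmod ip_gre",
        f"ip tunnel add {ep.tun} mode gre remote {ep.remote} local {ep.local} ttl 255",
        f"ip link set {ep.tun} up",
        f"ip addr add {ep.tun_addr} dev {ep.tun}",
        route,
    ]


def check_pair(a: Endpoint, b: Endpoint) -> List[str]:
    """Cross-check the two ends; returns a list of problems (empty means consistent)."""
    problems = []
    for ep, peer in ((a, b), (b, a)):
        if ep.remote != peer.local:
            problems.append(f"{ep.tun}: remote {ep.remote} is not the peer's local {peer.local}")
        tun = ipaddress.ip_interface(ep.tun_addr)
        lan = ipaddress.ip_network(ep.lan)
        if tun.ip in lan:
            problems.append(f"{ep.tun}: tunnel address {tun.ip} is taken from the LAN {lan}; "
                            f"use a separate /30 for the tunnel")
        if ep.via:
            via = ipaddress.ip_address(ep.via)
            peer_tun = ipaddress.ip_interface(peer.tun_addr)
            if via != peer_tun.ip:
                problems.append(f"{ep.tun}: via {via} is not the peer's tunnel address {peer_tun.ip}")
            if via not in tun.network:
                problems.append(f"{ep.tun}: via {via} is not inside the tunnel subnet {tun.network}")
    return problems


# Constructed placeholders for the two boxes' Internet addresses
A_PUB, B_PUB = "192.0.2.1", "198.51.100.1"

# The write-up's scheme: the tunnel interface reuses the eth1 address (a bare
# `ip addr add 192.168.1.1 dev netb` gives the interface a /32)
glynn_a = Endpoint("netb", A_PUB, B_PUB, "192.168.1.1/32", "192.168.1.0/24")
glynn_b = Endpoint("neta", B_PUB, A_PUB, "192.168.2.1/32", "192.168.2.0/24")

# Joe's scheme: a dedicated /30 for the tunnel and explicit next hops
joe_a = Endpoint("netb", A_PUB, B_PUB, "192.168.3.1/30", "192.168.1.0/24", via="192.168.3.2")
joe_b = Endpoint("neta", B_PUB, A_PUB, "192.168.3.2/30", "192.168.2.0/24", via="192.168.3.1")


if __name__ == "__main__":
    for label, pair in (("write-up scheme", (glynn_a, glynn_b)), ("/30 scheme", (joe_a, joe_b))):
        print(f"== {label}: {check_pair(*pair) or 'consistent'}")
        for ep, far in ((pair[0], pair[1].lan), (pair[1], pair[0].lan)):
            print(f"-- {ep.tun} on {ep.local}")
            print("\n".join("    " + c for c in render(ep, far)))
```

The renderer deliberately stops at the tunnel and routing commands; whether to masquerade, and which source networks, is a policy decision for the site. What the checker does not cover is the packet filter: as Christoph noted at the start of the thread, IP protocol 47 has to be allowed between the two outer addresses or the tunnel never comes up regardless of how consistent the configuration is.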
That's something I haven't seen well mentioned elsewhere; like in the Linux options for GRE tunneling. Anyone know where else this association should be mentioned?

On Tue, Jan 08, 2002 at 08:44:31PM -0600, Greg Scott wrote:
> Yes - they are both the same. GRE is the name of the IP protocol used
> for exchanging messages. PPTP - Point to Point Tunneling Protocol.

--
Michael T. Babcock
CTO, FibreSpeed Ltd. (Hosting, Security, Consultation, Database, etc)
http://www.fibrespeed.net/~mbabcock/
On Wed, Jan 09, 2002 at 12:01:09PM -0600, Greg Scott wrote:
> What I don't understand is, how does the security work? I think the
> two tunnel endpoints are supposed to authenticate eachother with the
> TCP port 1723 packets, but what do the Linux systems use for a shared
> secret? I would use this all over the place if I felt good about its
> security.

If you want the gory details on the (in)security of it, go to Google and search for "pptp mudge counterpane". The first link you get should be a security audit of PPTP at counterpane.com done by Mudge of L0pht.com fame and Bruce Schneier, author of Applied Cryptography and Secrets and Lies (as well as both having general Internet recognition in security). The paper deals mostly with MS-CHAP2, which is the authentication protocol Microsoft uses in its PPTP stuff.

For those who don't like PDFs, the HTML version can be seen (as rendered by Google) at (one line):
http://www.google.com/search?q=cache:fKZC3BSAczQC:www.counterpane.com/pptp.pdf+pptp+mudge+counterpane+pdf&hl=en

--
Michael T. Babcock
CTO, FibreSpeed Ltd. (Hosting, Security, Consultation, Database, etc)
http://www.fibrespeed.net/~mbabcock/
I found lots of stuff in a bunch of Windows 2000 documentation and in a book about Windows 2000 VPNs by Thaddeus Fortenberry. Ziegler's Linux Firewalls Second Edition barely mentions VPNs in a brief chapter in the back of his book. I stumbled across the HOWTO that had the sample VPN commands and my jaw dropped - I've been looking for that capability for months! I don't even remember where that HOWTO lives any more, but that's OK because I copied it so I would always have it handy.

What happens is, the two tunnel endpoints exchange some TCP port 1723 messages to handshake with each other and then they have a conversation using IP protocol 47, also named GRE. So the whole thing, handshake and authentication, is called PPTP.

What I don't understand is, how does the security work? I think the two tunnel endpoints are supposed to authenticate each other with the TCP port 1723 packets, but what do the Linux systems use for a shared secret? I would use this all over the place if I felt good about its security.

- Greg

-----Original Message-----
From: Michael T. Babcock [mailto:mbabcock@fibrespeed.net]
Sent: Wednesday, January 09, 2002 8:28 AM
To: LARTC List
Subject: Re: [LARTC] Gre Tunneling Problem

That's something I haven't seen well mentioned elsewhere; like in the Linux options for GRE tunneling. Anyone know where else this association should be mentioned?
That paper (great work!) tells about the Microsoft PPTP problems.

But what about the Linux GRE tunnel documented in the HOWTO? Does it have the same implementation problems?

- Greg

-----Original Message-----
From: Michael T. Babcock [mailto:mbabcock@fibrespeed.net]
Sent: Wednesday, January 09, 2002 11:58 AM
To: Greg Scott
Cc: LARTC List
Subject: Re: [LARTC] Gre Tunneling Problem

If you want the gory details on the (in)security of it, go to Google and search for "pptp mudge counterpane". The first link you get should be a security audit of PPTP at counterpane.com done by Mudge of L0pht.com fame and Bruce Schneier. The paper deals mostly with MS-CHAP2, which is the authentication protocol Microsoft uses in its PPTP stuff.
On Wed, Jan 09, 2002 at 12:28:12PM -0600, Greg Scott wrote:
> That paper (great work!) tells about the Microsoft PPTP problems.
>
> But what about the Linux GRE tunnel documented in the HOWTO? Does
> it have the same implementation problems?

I have no idea ;-)

You could E-mail Bruce and ask though ;-)

--
Michael T. Babcock
CTO, FibreSpeed Ltd. (Hosting, Security, Consultation, Database, etc)
http://www.fibrespeed.net/~mbabcock/
Who is Bruce?

geez, I'm an idiot! That GRE tunneling stuff is in chapter 5 of the advanced routing HOWTO! But who is Bruce?

- Greg

-----Original Message-----
From: Michael T. Babcock [mailto:mbabcock@fibrespeed.net]
Sent: Wednesday, January 09, 2002 12:44 PM
To: Greg Scott
Cc: LARTC List
Subject: Re: [LARTC] Gre Tunneling Problem

I have no idea ;-)

You could E-mail Bruce and ask though ;-)
Does anybody know how security works in Linux GRE tunnels? (It's not in the HOWTO.) And who is Bruce anyway?

- Greg

-----Original Message-----
From: Greg Scott
Sent: Wednesday, January 09, 2002 1:40 PM
To: 'Michael T. Babcock'
Cc: LARTC List
Subject: RE: [LARTC] Gre Tunneling Problem

Who is Bruce?

geez, I'm an idiot! That GRE tunneling stuff is in chapter 5 of the advanced routing HOWTO! But who is Bruce?

- Greg
There is trivial security in GRE tunnels. Or possibly none at all. If you make your GRE tunnel with the command "ip tunnel add $tun mode gre remote $remaddr local $localaddr key $key" (I believe that's the correct syntax), then your tunnel has a key. It's not an encryption key, it's an authentication key, and it's sent in cleartext, but it's a key. If you want security, wrap your GRE in IPSec or similar.

Bruce is Bruce Schneier, author of "Applied Cryptography" and "Secrets and Lies", head of Counterpane Internet Security (http://www.counterpane.com/), frequent speaker and general luminary on the topics of computer and internet security, encryption etc., and generally all around cool guy. Although you may not get much from e-mailing him directly (he's pretty busy), reading back issues of his newsletter (CryptoGram) is generally enlightening, and he's written some very good whitepapers on cryptography issues (I believe the original "mail Bruce" comment came about from a question on his paper on the weaknesses of the PPTP protocol).

-Joe

> -----Original Message-----
> From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl] On
> Behalf Of Greg Scott
> Sent: Friday, January 11, 2002 9:22 AM
> To: 'Michael T. Babcock'
> Cc: 'LARTC List'
> Subject: RE: [LARTC] Gre Tunneling Problem
>
> Does anybody know how security works in Linux GRE tunnels? (It's not
> in the HOWTO.) And who is Bruce anyway?
>
> - Greg
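Joe's point, that the GRE key is sent in the clear and only tells the receiving kernel which tunnel a packet belongs to, is easy to verify on the wire format itself. The following is an added example, not code from the thread or from the Linux ip_gre implementation: it builds an outer IPv4 header carrying a GRE header with the optional key and sequence fields (the RFC 2890 layout), parses it back the way any host on the path could, and models the receive-side match that `ip tunnel add ... remote R local L key K` performs. The inner packet bytes and the addresses 192.0.2.1 / 198.51.100.1 are constructed placeholders.

```python
import socket
import struct
from typing import Optional

IPPROTO_GRE = 47
GRE_FLAG_CSUM, GRE_FLAG_KEY, GRE_FLAG_SEQ = 0x8000, 0x2000, 0x1000
ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(data: bytes) -> int:
    """One's-complement sum over 16-bit words; returns 0 when run over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 255) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    ihl = (pkt[0] & 0x0F) * 4
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "ttl": pkt[8], "proto": pkt[9], "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,
            "payload": pkt[ihl:]}


def build_gre(payload: bytes, key: Optional[int] = None, seq: Optional[int] = None) -> bytes:
    """GRE header: flags/version, protocol type, then optional key and sequence words."""
    flags, opt = 0, b""
    if key is not None:
        flags |= GRE_FLAG_KEY
        opt += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_FLAG_SEQ
        opt += struct.pack("!I", seq)
    return struct.pack("!HH", flags, ETHERTYPE_IPV4) + opt + payload


def parse_gre(pkt: bytes) -> dict:
    flags, proto = struct.unpack("!HH", pkt[:4])
    off, out = 4, {"proto": proto, "key": None, "seq": None}
    if flags & GRE_FLAG_CSUM:          # checksum + reserved1 word, skipped here
        off += 4
    if flags & GRE_FLAG_KEY:
        out["key"] = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if flags & GRE_FLAG_SEQ:
        out["seq"] = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    out["payload"] = pkt[off:]
    return out


def observe(wire: bytes) -> dict:
    """What any host on the path learns with no secret at all: both outer addresses and the key."""
    outer = parse_ipv4(wire)
    key = parse_gre(outer["payload"])["key"] if outer["proto"] == IPPROTO_GRE else None
    return {"src": outer["src"], "dst": outer["dst"], "key": key}


def tunnel_accepts(wire: bytes, local: str, remote: str, key: Optional[int]) -> bool:
    """Model of the receive-side match for a keyed point-to-point tunnel: the packet is
    handed to the tunnel interface only if outer addresses and key match. Every one of
    those values is readable from the wire, so this is demultiplexing, not authentication."""
    outer = parse_ipv4(wire)
    if outer["proto"] != IPPROTO_GRE or outer["src"] != remote or outer["dst"] != local:
        return False
    return parse_gre(outer["payload"])["key"] == key


# Constructed sample: a keyed GRE packet from box A to box B
A_PUB, B_PUB, KEY = "192.0.2.1", "198.51.100.1", 42
INNER = b"<constructed inner IPv4 packet>"
WIRE = build_ipv4(A_PUB, B_PUB, IPPROTO_GRE, build_gre(INNER, key=KEY, seq=7))

if __name__ == "__main__":
    print("on the wire:", observe(WIRE))
    print("accepted by B's tunnel with key 42:", tunnel_accepts(WIRE, B_PUB, A_PUB, 42))
    print("accepted by B's tunnel with key 43:", tunnel_accepts(WIRE, B_PUB, A_PUB, 43))
```

The key and the sequence number live in the GRE header between the outer IP header and the inner packet, unencrypted and unauthenticated, and the inner packet follows in the clear too. That is why the practical answer to Greg's question is the one Joe gives: the confidentiality and peer authentication have to come from a layer around GRE, such as IPsec, and a packet filter on the outer addresses plus the key only narrows which traffic reaches the tunnel interface.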