tinc - Mar 2005 - Different networks over NAT

Hi,

I've been struggling for almost a week now, but I can't get the 
following setup to work.

At home I have class A network: 10.0.0.0/16 with a masquerading gateway 
10.0.0.1 running tinc.

At work (http://www.eastsite.nl) we have a 192.168.0.0/24 network. The 
gateway is called 'ed'

I've set up tinc on 'gateway' and everything is working fine from 
'gateway', but none of the machines on my local network can access the 
remote network.

Here's what I've got:

[root@gateway eastsite]# cat tinc.conf
# tinc configuration
Name = tinc_linux
ConnectTo = tinc_ed
KeyExpire = 30000000
#Mode = hub

[root@gateway eastsite]# cat tinc-up
ifconfig $INTERFACE 192.168.4.1 netmask 255.255.0.0
route add -net 192.168.4.0 netmask 255.255.255.0 eth1
route add -net 192.168.0.0 netmask 255.255.255.0 $INTERFACE

[root@gateway hosts]# cat tinc_ed
Address = remote.address.nl
Subnet = 192.168.0.0/24
TCPOnly = yes
-----BEGIN RSA PUBLIC KEY-----
-----END RSA PUBLIC KEY-----

[root@gateway hosts]# cat tinc_linux
Address = local.address.nl
Subnet = 192.168.4.0/24
Subnet = 10.0.0.0/8
Port=655
TCPOnly = yes
-----BEGIN RSA PUBLIC KEY-----
-----END RSA PUBLIC KEY-----

I've also added some rules to the firewall:

$LOGGER "VPN regels"
iptables -A INPUT  -p tcp --dport 655         -j ACCEPT
iptables -A INPUT  -p udp --dport 655         -j ACCEPT
iptables -A OUTPUT -p tcp --dport 655         -j ACCEPT
iptables -A OUTPUT -p udp --dport 655         -j ACCEPT

iptables -t nat -A PREROUTING -j DNAT -i $EXTIF -p tcp --dport 655 --to 
10.0.0.1:655

------------ results ------------------------------

[root@gateway hosts]# ping ed
PING ed (192.168.0.1) 56(84) bytes of data.
64 bytes from ed (192.168.0.1): icmp_seq=1 ttl=64 time=44.3 ms
64 bytes from ed (192.168.0.1): icmp_seq=2 ttl=64 time=48.4 ms

--- ed ping statistics ---
3 packets transmitted, 2 received, 33% packet loss, time 2026ms
rtt min/avg/max/mdev = 44.359/46.428/48.498/2.080 ms

[root@gateway hosts]# ping zion
PING zion (192.168.0.3) 56(84) bytes of data.
64 bytes from zion (192.168.0.3): icmp_seq=1 ttl=63 time=47.3 ms

--- zion ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 47.387/47.387/47.387/0.000 ms

On another machine:

haayman@linux:~> ping ed
PING ed (192.168.0.1) 56(84) bytes of data.

--- ed ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1009ms


Changing the routing-table on 'ed' is no option, because our 
system-administrator refuses (rightly so) to add routing to every 
employees network.

What seems to be the problem?

-- 
Arjen Haayman
-- cogito ergo bicyclo --

  

-- 
Arjen Haayman
-- cogito ergo bicyclo --

On Wed, Mar 09, 2005 at 09:47:37PM +0100, Arjen Haayman wrote:
> I've set up tinc on 'gateway' and everything is working fine
from
> 'gateway', but none of the machines on my local network can access
the
> remote network.
[...]
> [root@gateway eastsite]# cat tinc-up
> ifconfig $INTERFACE 192.168.4.1 netmask 255.255.0.0
> route add -net 192.168.4.0 netmask 255.255.255.0 eth1
> route add -net 192.168.0.0 netmask 255.255.255.0 $INTERFACE
Can you also show me ed's tinc-up?
> Changing the routing-table on 'ed' is no option, because our 
> system-administrator refuses (rightly so) to add routing to every 
> employees network.
> 
> What seems to be the problem?
I guess the routing table on ed then. Your machines at home have
10.0.x.x addresses, so if you want to be able to ping ed from them, then
ed has to have a route to 10.0.0.0/16 via tinc's interface.

-- 
Met vriendelijke groet / with kind regards,
    Guus Sliepen <guus@sliepen.eu.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url :
http://brouwer.uvt.nl/pipermail/tinc/attachments/20050309/cbf57628/attachment.pgp