Subject: Routing for ssh-ip-tunnel problem
To: None <netbsd-help@netbsd.org>
From: Gan Uesli Starling <alias@starling.us>
List: netbsd-help
Date: 01/28/2003 13:18:43
Am working on an ssh-ip-tunnel. Down to the last
stretch but it has routing problems. Tunnel is fine
end-to-end as far as the two end boxes are concerned.
It is getting routes from either box through and
out of the opposite box to the LAN beyond that
always fails. It fails going either direction.
The VPN consists of a PPP inside SSH. SSH and PPP seem
to be fine. Only routing to get outside the tunnel-end
boxes seems to be a problem.
From the /etc/hosts file, vpn_static_1 and vpn_dynamic_1
are the tunnel-end IPs for PPP inside of SSH. That is
for ppp1.
There is a PPP outside of SSH on box chemosh since it
gets ISP via dial-up. Those PPPs are dynamic from the
ISP. So chemosh always starts the VPN, since baal has
a known IP. Starting the VPN is no problem since
PPP connect works and SSH connect works. And routes from
box-to-box via the tunnel work. They work for ping
going either way from tunnel-end to tunnel-end. But
not through those boxes to the LANs beyond.
I do have net.inet.ip.forwarding=1 on both. So that is
not it.
Possible symptom is this. I tested PPP IPs via ping
like so...
Ping of IPs for PPP ends between chemosh and its ISP
1. Okay for near-end IP.
2. Okay for far-end IP.
Ping of IPs for PPP ends of VPN tunnel.
1. Fails for near-end IP.
2. Okay for far-end IP
I tried different netmasks for those PPP IPs, even
trying 0xffffffff but they had no effect.
About the routes I set. As per my prior experience with
a former VPN, which did work, I have done...
chemosh: {4} route add -net 192.168.0 vpn_static_1
...and also done...
baal: {4} route add -net 192.168.1 vpn_dynamic_1
...where my /etc/hosts files for both boxes say...
# /etc/hosts
#
::1 localhost
127.0.0.1 localhost
#
# RFC 1918 specifies that these networks are "internal".
# 10.0.0.0 10.255.255.255
# 172.16.0.0 172.31.255.255
# 192.168.0.0 192.168.255.255
#
# Netgear FR114P firewall/router/print-server
192.168.0.1 router.amalekite.net
#
# My tower PC boxes; NetBSD & Win2K
192.168.0.2 baal.amalekite.net
192.168.0.3 milcom.amalekite.net
#
# My laptops on moabite.net
192.168.1.10 marduk.moabite.net
192.168.1.11 chemosh.moabite.net
#
# For mgetty dial-in on POTS line
192.168.255.1 ppp_server_1
192.168.255.2 ppp_client_1
#
# For PPP of ssh-ip-tunnel ends
192.168.254.1 vpn_static_1
192.168.254.2 vpn_dynamic_1
#
# EOF
...where both amalekite.net and moabite.net
are netmask 0xffffff00. Then on chemosh
I get...
chemosh: {6} route show
Routing tables
Internet:
Destination        Gateway         Flags
default            67.217.0.7      UG
tnt1.kalamazoo.mi  67.209.188.79   UH
loopback           127.0.0.1       UGR
localhost          127.0.0.1       UH
192.168.0.0        192.168.254.1   UG
192.168.1.0        link#8          U
vpn_static_1       192.168.254.2   UH
...and on baal I get...
baal: {6} route show
Routing tables
Internet:
Destination        Gateway             Flags
default            192.168.0.1         UG
loopback           127.0.0.1           UGR
localhost          127.0.0.1           UH
192.168.0.0        link#1              U
router             00:09:5b:2a:43:2c   UH
milcom             link#1              UH
192.168.1.0        192.168.254.2       UG
vpn_dynamic_1      192.168.254.1       UH
...then I do this on chemosh...
chemosh: {7} netstat -r
Routing tables
Internet:
Destination         Gateway             Flags   Refs   Use    Mtu  Interface
default             tnt1.kalamazoo.mi.  UGS        1    90      -  ppp0
tnt1.kalamazoo.mi.  1Cust79.tnt1.kalam  UH         1     0      -  ppp0
loopback            localhost           UGRS       0     0  33220  lo0
localhost           localhost           UH         1     2  33220  lo0
192.168             vpn_static_1        UGS        0     4      -  ppp1
192.168.1           link#8              UC         0     0      -  ne2
vpn_static_1        vpn_dynamic_1       UH         0     1      -  ppp1
...and this on baal...
baal: {8} netstat -r
Routing tables
Internet:
Destination         Gateway             Flags   Refs   Use    Mtu  Interface
default             router              UGS        1   607      -  fxp0
loopback            localhost           UGRS       0     0  33220  lo0
localhost           localhost           UH         1     0  33220  lo0
192.168             link#1              UC         2     0      -  fxp0
router              00:09:5b:2a:43:2c   UHLc       1     0      -  fxp0
milcom              link#1              UHLc       1     3      -  fxp0
192.168.1           vpn_dynamic_1       UGS        0    12      -  ppp0
vpn_dynamic_1       vpn_static_1        UH         0    26      -  ppp0
With the VPN up, below are my performance results:
Doing "ping -nc1" from baal toward chemosh:
1. Okay via vpn_dynamic_1
2. Okay via chemosh.moabite.net
3. Okay via 192.168.1.11
4. Fails via marduk.moabite.net
5. Fails via 192.168.1.10
Doing "ping -nc1" from chemosh toward baal:
1. Okay via vpn_static_1
2. Okay via baal.amalekite.net
3. Okay via 192.168.0.2
4. Fails via milcom.amalekite.net
5. Fails via 192.168.0.3
Mozilla on baal looking at chemosh:
1. Okay via http://vpn_dynamic_1
2. Okay via http://192.168.1.11
3. Okay via http://chemosh.moabite.net
Mozilla on chemosh looking at baal:
1. Okay via http://vpn_static_1
2. Fails via http://baal.amalekite.net
3. Fails via http://192.168.0.2
I am particularly curious about those listings
of 192.168 versus 192.168.0 for amalekite.net
in the tables. That makes it look like I somehow
have netmask 0xffff0000 versus 0xffffff00, which
it is. Very definitely ifconfig shows 0xffffff00
for all NICs on both LANs.
This is all on NetBSD 1.6 on the ThinkPad laptop
which has run fine for years (not the Gateway Solo
with its mystery problem).
Any ideas?
Thanks,
Gan
--
Mistera Sturno - Rarest Extinct Bird
<(+)__ Gan Uesli Starling
((__/)=- Kalamazoo, MI, USA
`||`
++ http://starling.us
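Added example, not part of the original post and not the poster's own script: a longest-prefix-match route lookup in POSIX sh run over the two tunnel-end routing tables transcribed from the `route show` output in the message above. The prefix lengths are assumptions taken from what the poster reports (0xffffff00 on both LANs, so /24 for the LAN routes; /32 for the point-to-point PPP host routes; netstat's abbreviated `192.168` line is written out as 192.168.0.0/24 on that same assumption), and hostnames are replaced by their numeric addresses from the posted /etc/hosts. `vpn_path` resolves a destination on one tunnel end and, when the next hop is the far tunnel address, resolves it again on the far end, which is the forward path a ping from baal toward a moabite.net host would follow through the tunnel.

```shell
#!/bin/sh
# Added example (not from the original post): longest-prefix-match route
# lookup over a routing table in "network/prefixlen gateway interface" form.
# Tables transcribed from the "route show" output in the post; prefix
# lengths are ASSUMED from the netmasks the poster reports (/24 LANs, /32
# point-to-point host routes).  "link#N" marks an on-link destination,
# as in the netstat output; on the PPP host routes the gateway column is
# the local end of the link, as netstat prints it.

CHEMOSH='
0.0.0.0/0         67.217.0.7      ppp0
67.217.0.7/32     67.209.188.79   ppp0
127.0.0.0/8       127.0.0.1       lo0
127.0.0.1/32      127.0.0.1       lo0
192.168.0.0/24    192.168.254.1   ppp1
192.168.1.0/24    link#8          ne2
192.168.254.1/32  192.168.254.2   ppp1
'

BAAL='
0.0.0.0/0         192.168.0.1     fxp0
127.0.0.0/8       127.0.0.1       lo0
127.0.0.1/32      127.0.0.1       lo0
192.168.0.0/24    link#1          fxp0
192.168.0.3/32    link#1          fxp0
192.168.1.0/24    192.168.254.2   ppp0
192.168.254.2/32  192.168.254.1   ppp0
'

# ip2int: dotted quad -> unsigned 32-bit integer (multiplication rather
# than shifts so it stays within plain POSIX sh arithmetic)
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( a * 16777216 + b * 65536 + c * 256 + d ))
}

# mask: prefix length 0..32 -> netmask as an integer (high bits set)
mask() {
    m=0 i=0
    while [ "$i" -lt "$1" ]; do m=$(( m * 2 + 1 )); i=$(( i + 1 )); done
    while [ "$i" -lt 32 ];   do m=$(( m * 2 ));     i=$(( i + 1 )); done
    echo "$m"
}

# route_lookup TABLE IP -> "gateway interface" of the most specific route
# covering IP, or "unreachable" when nothing (not even a default) matches
route_lookup() {
    dst=$(ip2int "$2")
    best_len=-1 best=unreachable
    while read -r net gw ifc; do
        [ -z "$net" ] && continue
        plen=${net#*/}; addr=${net%/*}
        m=$(mask "$plen")
        if [ $(( $(ip2int "$addr") & m )) -eq $(( dst & m )) ] &&
           [ "$plen" -gt "$best_len" ]; then
            best_len=$plen; best="$gw $ifc"
        fi
    done <<EOF
$1
EOF
    echo "$best"
}

# vpn_path TABLE_A PEER_OF_A TABLE_B IP: resolve IP on tunnel end A; when
# the next hop is A's tunnel peer, resolve IP again on end B, giving the
# forward path the two tunnel ends would send the packet along
vpn_path() {
    first=$(route_lookup "$1" "$4")
    if [ "${first%% *}" = "$2" ]; then
        echo "$first -> $(route_lookup "$3" "$4")"
    else
        echo "$first"
    fi
}

# Stand-alone run: the destinations the post pings in each direction.
for ip in 192.168.254.2 192.168.1.11 192.168.1.10; do
    echo "baal    -> $ip: $(vpn_path "$BAAL" 192.168.254.2 "$CHEMOSH" "$ip")"
done
for ip in 192.168.254.1 192.168.0.2 192.168.0.3; do
    echo "chemosh -> $ip: $(vpn_path "$CHEMOSH" 192.168.254.1 "$BAAL" "$ip")"
done
```

Run as-is it prints one line per destination tried in the post; a packet from baal to 192.168.1.10 resolves to the ppp0 tunnel on baal and then to the on-link ne2 route on chemosh. The lookup only describes the outbound half of a ping. Fed with the routing tables of marduk and milcom, which the post does not include, the same function shows the path the replies would take back toward the tunnel; checking both directions on every host a packet and its reply traverse, not just the two tunnel ends, is the usual way to confirm a tunnel route end to end.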