Sign in to follow this  
Followers 0
Original Poster

GRE?

42 posts in this topic

As BudMan says, if you need a decent router that doesn't lack functions, you'll need to upgrade. So you think OSPF and PPP are simple stuff? oO How do you use OSPF and PPP in that router?

lol I meant within the labs, and privately, the labs are state of the art *hits the server with a hammer to stop buzzing*

Share this post


Link to post
Share on other sites

Do you need a site 2 site or do you just need a individual machines to access?

What is the aim of the connection?

The simple answer may well be you need different equipment, there is no point trying to bodge something if it is important, it WILL break, and everyone will forgot you said 'look it works, but it's a bit of a bodge because you don't want to pay'

If you need a site 2 site get kit that suits that matches the far end if you can.

This doesn't need to be expensive, a Cisco 860 series is <?100 second hand, is a great little unit and will talk to pretty much anything.

If its just a single machine, then you shouldn't need to worry, take the client and settings they give you, you shouldn't need to do anything router-wise.

Shrewsoft VPN is a pretty decent IPSEC client if you need one, free and comes with some good walkthroughs too.

Share this post


Link to post
Share on other sites

Not there is no way that router supports OSPF, I would be surprise if ripv1 ;) He must be talking in his labs.

So they have a cisco vpn concentrator at their end? Again doing it from a box inside your network to create a site to site is not best way. Your going to have issues with routing since the endpoint is not your gateway. Going to have to create host routes on your devices most likely.

 

I got the connecting working! now I am trying to feed it into my lab.... problem is I can ping the linux box (192.168.0.1) and I can ping the tunnel (10.10.10.1) from 192.168.0.0/24 but I cannot ping any external IPs from 192.168.0.0/24 but I can ping via the tunnel using ping -I tun0 8.8.8.8 .... I have made the pass from eth1 to tun0 using iptables...

 

 

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

iptables -A FORWARD -i eth1 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A FORWARD -i tun0 -o eth1 -j ACCEPT

 

iptables -A INPUT -i lo -j ACCEPT

 

iptables -A INPUT -i eth1 -j ACCEPT

 

 

can you think of what im doing wrong?

Share this post


Link to post
Share on other sites

Like I told you - the box with the tunnel is not the gateway. What gateway does the tunnel box point to.. Hosts on ths network as the tunnel box where do they point for a gateway -- they need to know how to get to 8.8.8.8. They need to have a gateway off their local network. And the box that has the tunnel out needs to know that hey go down the tunnel if its not a local network.

Share this post


Link to post
Share on other sites

lol I meant within the labs, and privately, the labs are state of the art *hits the server with a hammer to stop buzzing*

Hehe ok. What are the devices you have in your lab?

Share this post


Link to post
Share on other sites
 

Like I told you - the box with the tunnel is not the gateway. What gateway does the tunnel box point to.. Hosts on ths network as the tunnel box where do they point for a gateway -- they need to know how to get to 8.8.8.8. They need to have a gateway off their local network. And the box that has the tunnel out needs to know that hey go down the tunnel if its not a local network.

 

sorry Im not quiet following what you mean, I can ping the web via the tunnel, but I created a gateway on a separate iface to act as a network below the 10.10.10.1 and forward it on as if it is an ISP, ive done this before fairly recently just not using a tunnel so I am just a little lost :( 

Share this post


Link to post
Share on other sites

Show us the route table on this vpn endpoint

Show us a route table from another box that wants to use this box as gateway to say 8.8.8.8 and I will show you what is wrong.

Why would you create a interface? This host already has an interface in your local network.. Please post your routing tables!

Also are you trying to connect to stuff on the other side of the tunnel or just use the tunnel as internet - what is the network on the other side of the tunnel?

your network 192.168.0.0/24

tunnel 10.1.2.0/30

remote network 172.16.1.0/24

those are example please fill in the details of your setup vs my example networks.

Share this post


Link to post
Share on other sites

Show us the route table on this vpn endpoint

Show us a route table from another box that wants to use this box as gateway to say 8.8.8.8 and I will show you what is wrong.

Why would you create a interface? This host already has an interface in your local network.. Please post your routing tables!

 

I created the interface so the box can act as a router and share the VPN connection via a subnet work so all equipment can be on the VPN such as laptops etc 

 

0.0.0.0         192.168.0.254   0.0.0.0         UG    0      0        0 eth0

4.2.2.2         0.0.0.0         255.255.255.255 UH    0      0        0 tun0

8.8.8.8         0.0.0.0         255.255.255.255 UH    0      0        0 tun0

*.*.*.*   192.168.0.254   255.255.255.255 UGH   0      0        0 eth0

192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1

 

(stars are private ips to vpn)

Share this post


Link to post
Share on other sites

Show us the route table on this vpn endpoint

Show us a route table from another box that wants to use this box as gateway to say 8.8.8.8 and I will show you what is wrong.

Why would you create a interface? This host already has an interface in your local network.. Please post your routing tables!

Also are you trying to connect to stuff on the other side of the tunnel or just use the tunnel as internet - what is the network on the other side of the tunnel?

your network 192.168.0.0/24

tunnel 10.1.2.0/30

remote network 172.16.1.0/24

those are example please fill in the details of your setup vs my example networks.

im just using the tunnel as internet thats all it is, its just to simulate another location without having to be there

Share this post


Link to post
Share on other sites

It already has an interface, and the tunnel - why would it need another interface?

0.0.0.0 192.168.0.254 0.0.0.0 UG 0 0 0 eth0

Where does it go to get to the internet -- 192.168.0.254, is that the tunnel.. Then how and the hell would it get to the internet via the tunnel if your telling it to go to 192.168.0.254?

Also it should be routing out via an IP that it has on your side of tunnel.. Where is your tunnel interface IP in this table?

Share this post


Link to post
Share on other sites

It already has an interface, and the tunnel - why would it need another interface?

0.0.0.0 192.168.0.254 0.0.0.0 UG 0 0 0 eth0

Where does it go to get to the internet -- 192.168.0.254, is that the tunnel.. Then how and the hell would it get to the internet via the tunnel if your telling it to go to 192.168.0.254?

Also it should be routing out via an IP that it has on your side of tunnel.. Where is your tunnel interface IP in this ta

the *.*.*.* is the destination and the out is 0.254 

 

i added another interface so i have eth0 and eth1 and tun0....

 

eth0 + tun0 = tunnel and internet

 

eth1 = the interface which has a network of 60 devices behind which need to use the tunnel on this box

Share this post


Link to post
Share on other sites

And that is not correct..

So here is how I picture your network

post-14624-0-81408900-1404395250.png

Please correct and label networks correctly. Are you saying those 60 other devices are connected to eth1 and not on same network as eth0?

So one of the 60 devices wants to get to the internet, lets say neowin at 74.204.71.249, your route table says to go to 192.168.0.254 for unknown IPs, ie the detault gateway. How is that traffic suppose to route out the tunnel from your router table?

Share this post


Link to post
Share on other sites

And that is not correct..

So here is how I picture your network

attachicon.gifisthiscorrect.png

Please correct and label networks correctly. Are you saying those 60 other devices are connected to eth1 and not on same network as eth0?

So one of the 60 devices wants to get to the internet, lets say neowin at 74.204.71.249, your route table says to go to 192.168.0.254 for unknown IPs, ie the detault gateway. How is that traffic suppose to route out the tunnel from your router table?

 

that is basically right but the remote network is basically straight through to the internet the other side, like a private proxy... and yes eth1 is a separate network from eth0 but what i did was use eth1 as 192.168.1.1 / the gateway and when traffic hit 1.1 i forwarded it on to tun0.... tun0 (the tunnel) works Im 99.9% sure of that 

 

but eth0 into the vpn end box is 192.168.0.0/24

 

and eth1 out of/into vpn is 192.168.1.0/24  

 

60 devices are on 192.168.1.0/24 -> 192.168.1.1 (GW) -> tun0 (tunnel) via ip tables forwarding

 

I understand if its not right but I dont know what to do all my logic (wrong or not) is telling me to direct all traffic from net work 1.0/24 to tun0 (10.10.10.1)

Share this post


Link to post
Share on other sites

ok so you have no need to talk to any devices on the remote network.

But where is your route on your vpn box to go down tunnel for say 74.204.71.249 (neowin)

You don't show it!!! And also how does the vpn server your connecting too know to send the traffic back down the tunnel to get to the 192.168.1.0/24 network? Are you natting 192.168.1.0/24 to your vpn endpoint tunnel IP?

Share this post


Link to post
Share on other sites

ok so you have no need to talk to any devices on the remote network.

But where is your route on your vpn box to go down tunnel for say 74.204.71.249 (neowin)

You don't show it!!! And also how does the vpn server your connecting too know to send the traffic back down the tunnel to get to the 192.168.1.0/24 network? Are you natting 192.168.1.0/24 to your vpn endpoint tunnel IP?

 

I am logging in using a converted pcf file via vnpc (thats all i honestly know, VPNs are lost on me)

Share this post


Link to post
Share on other sites

forget its a tunnel - just think of it as network connection between 2 routers or 2 endpoints that act as routers.

You have to have the routing on both sides so devices can talk to each other.

If 192.168.1.100 sends traffic to 192.168.1.1 (eth1 on your vpn endpoint) for 74.204.71.249 where in the routing table that you listed does that box know to send the traffic down the tunnel? Is that traffic natted or will its source be 192.168.1.100? When it gets to the vpn server (other end of the tunnel) Does that box have routes to send out its internet gateway. Does it nat it? When the answer comes back, does that end point know to send it back down the tunnel - what is the source IP going to be when it comes back. What is the network on the remote side - if 192.168.1.0/24 or overlap you can have problems.

At min your going to have to have 1 nat somewhere, could be double - you could even have a triple nat scenario in your setup depending.

Where did you come up with 192.168.1.0/24 - does the remote side, your vpn server know about this network?

Is the vpn server your connecting to an actual cisco vpn concentrator at the edge of that network, or something inside that network going through a nat at their edge? If your tunnel is up, lets forget all the protocols and details of how the tunnel works and just think of it as a simple network segment (transient network) to get to the internet.

You end up with this something like this

post-14624-0-17292300-1404401322.png

So both of the routers in this picture need to know where to route the traffic, and where does the nat(s) take place since your dest in public internet and your IP is private.

Share this post


Link to post
Share on other sites

forget its a tunnel - just think of it as network connection between 2 routers or 2 endpoints that act as routers.

You have to have the routing on both sides so devices can talk to each other.

If 192.168.1.100 sends traffic to 192.168.1.1 (eth1 on your vpn endpoint) for 74.204.71.249 where in the routing table that you listed does that box know to send the traffic down the tunnel? Is that traffic natted or will its source be 192.168.1.100? When it gets to the vpn server (other end of the tunnel) Does that box have routes to send out its internet gateway. Does it nat it? When the answer comes back, does that end point know to send it back down the tunnel - what is the source IP going to be when it comes back. What is the network on the remote side - if 192.168.1.0/24 or overlap you can have problems.

At min your going to have to have 1 nat somewhere, could be double - you could even have a triple nat scenario in your setup depending.

Where did you come up with 192.168.1.0/24 - does the remote side, your vpn server know about this network?

Is the vpn server your connecting to an actual cisco vpn concentrator at the edge of that network, or something inside that network going through a nat at their edge? If your tunnel is up, lets forget all the protocols and details of how the tunnel works and just think of it as a simple network segment (transient network) to get to the internet.

You end up with this something like this

routingthruvpn.png

So both of the routers in this picture need to know where to route the traffic, and where does the nat(s) take place since your dest in public internet and your IP is private.

Hey budman just to say sorry for not replying i pulled out my hair and ran away to japan! Still here but i was just doing a website check and thought it would be polite to respond and il fill you in on how the matter got solved upon my return :)

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0

  • Recently Browsing   0 members

    No registered users viewing this page.