GRE?


41 replies to this topic

#31 OP Original Poster

Original Poster

    Systems Developer

  • Tech Issues Solved: 1
  • Joined: 15-July 08
  • Location: my room
  • OS: windows 7/8, Kali, ubuntu, OSx 10.9
  • Phone: Android

Posted 03 July 2014 - 12:17

 

Like I told you - the box with the tunnel is not the gateway. What gateway does the tunnel box point to? Hosts on the same network as the tunnel box, where do they point for a gateway? They need to know how to get to 8.8.8.8. They need to have a gateway off their local network. And the box that has the tunnel out needs to know that, hey, go down the tunnel if it's not a local network.

 

Sorry, I'm not quite following what you mean. I can ping the web via the tunnel, but I created a gateway on a separate iface to act as a network below the 10.10.10.1 and forward it on as if it is an ISP. I've done this before fairly recently, just not using a tunnel, so I am just a little lost :(




#32 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 106
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 03 July 2014 - 12:23

Show us the route table on this vpn endpoint

Show us a route table from another box that wants to use this box as gateway to say 8.8.8.8 and I will show you what is wrong.

Why would you create an interface? This host already has an interface in your local network. Please post your routing tables!

Also, are you trying to connect to stuff on the other side of the tunnel or just use the tunnel as internet? What is the network on the other side of the tunnel?

your network 192.168.0.0/24

tunnel 10.1.2.0/30

remote network 172.16.1.0/24

Those are examples; please fill in the details of your setup vs my example networks.

#33 OP Original Poster


Posted 03 July 2014 - 12:31

Show us the route table on this vpn endpoint

Show us a route table from another box that wants to use this box as gateway to say 8.8.8.8 and I will show you what is wrong.

Why would you create an interface? This host already has an interface in your local network. Please post your routing tables!

 

I created the interface so the box can act as a router and share the VPN connection via a subnetwork, so all equipment can be on the VPN, such as laptops etc.

 

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.254   0.0.0.0         UG    0      0        0 eth0
4.2.2.2         0.0.0.0         255.255.255.255 UH    0      0        0 tun0
8.8.8.8         0.0.0.0         255.255.255.255 UH    0      0        0 tun0
*.*.*.*         192.168.0.254   255.255.255.255 UGH   0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1

 

(stars are private IPs to the VPN)



#34 OP Original Poster


Posted 03 July 2014 - 12:36

Show us the route table on this vpn endpoint

Show us a route table from another box that wants to use this box as gateway to say 8.8.8.8 and I will show you what is wrong.

Why would you create an interface? This host already has an interface in your local network. Please post your routing tables!

Also, are you trying to connect to stuff on the other side of the tunnel or just use the tunnel as internet? What is the network on the other side of the tunnel?

your network 192.168.0.0/24

tunnel 10.1.2.0/30

remote network 172.16.1.0/24

Those are examples; please fill in the details of your setup vs my example networks.

I'm just using the tunnel as internet, that's all it is; it's just to simulate another location without having to be there.



#35 +BudMan


Posted 03 July 2014 - 12:40

It already has an interface, and the tunnel - why would it need another interface?

0.0.0.0 192.168.0.254 0.0.0.0 UG 0 0 0 eth0

Where does it go to get to the internet -- 192.168.0.254, is that the tunnel? Then how in the hell would it get to the internet via the tunnel if you're telling it to go to 192.168.0.254?

Also, it should be routing out via an IP that it has on your side of the tunnel. Where is your tunnel interface IP in this table?

#36 OP Original Poster


Posted 03 July 2014 - 12:55

It already has an interface, and the tunnel - why would it need another interface?

0.0.0.0 192.168.0.254 0.0.0.0 UG 0 0 0 eth0

Where does it go to get to the internet -- 192.168.0.254, is that the tunnel? Then how in the hell would it get to the internet via the tunnel if you're telling it to go to 192.168.0.254?

Also it should be routing out via an IP that it has on your side of tunnel.. Where is your tunnel interface IP in this ta

The *.*.*.* is the destination and the out is 0.254.

 

I added another interface so I have eth0 and eth1 and tun0....

 

eth0 + tun0 = tunnel and internet

 

eth1 = the interface which has a network of 60 devices behind it which need to use the tunnel on this box



#37 +BudMan


Posted 03 July 2014 - 13:50

And that is not correct..

So here is how I picture your network

isthiscorrect.png

Please correct and label networks correctly. Are you saying those 60 other devices are connected to eth1 and not on same network as eth0?

So one of the 60 devices wants to get to the internet, let's say Neowin at 74.204.71.249. Your route table says to go to 192.168.0.254 for unknown IPs, i.e. the default gateway. How is that traffic supposed to route out the tunnel from your route table?

#38 OP Original Poster


Posted 03 July 2014 - 14:06

And that is not correct..

So here is how I picture your network

isthiscorrect.png

Please correct and label networks correctly. Are you saying those 60 other devices are connected to eth1 and not on same network as eth0?

So one of the 60 devices wants to get to the internet, let's say Neowin at 74.204.71.249. Your route table says to go to 192.168.0.254 for unknown IPs, i.e. the default gateway. How is that traffic supposed to route out the tunnel from your route table?

 

That is basically right, but the remote network is basically straight through to the internet on the other side, like a private proxy... and yes, eth1 is a separate network from eth0, but what I did was use eth1 as 192.168.1.1 / the gateway, and when traffic hit 1.1 I forwarded it on to tun0.... tun0 (the tunnel) works, I'm 99.9% sure of that.

 

But eth0 into the VPN end box is 192.168.0.0/24

 

and eth1 out of/into the VPN is 192.168.1.0/24

 

60 devices are on 192.168.1.0/24 -> 192.168.1.1 (GW) -> tun0 (tunnel) via iptables forwarding

 

I understand if it's not right, but I don't know what to do; all my logic (wrong or not) is telling me to direct all traffic from network 1.0/24 to tun0 (10.10.10.1).



#39 +BudMan


Posted 03 July 2014 - 14:46

OK, so you have no need to talk to any devices on the remote network.

But where is your route on your VPN box to go down the tunnel for, say, 74.204.71.249 (Neowin)?

You don't show it!!! And also, how does the VPN server you're connecting to know to send the traffic back down the tunnel to get to the 192.168.1.0/24 network? Are you NATting 192.168.1.0/24 to your VPN endpoint tunnel IP?

#40 OP Original Poster


Posted 03 July 2014 - 14:56

OK, so you have no need to talk to any devices on the remote network.

But where is your route on your VPN box to go down the tunnel for, say, 74.204.71.249 (Neowin)?

You don't show it!!! And also, how does the VPN server you're connecting to know to send the traffic back down the tunnel to get to the 192.168.1.0/24 network? Are you NATting 192.168.1.0/24 to your VPN endpoint tunnel IP?

 

I am logging in using a converted pcf file via vpnc (that's all I honestly know; VPNs are lost on me).



#41 +BudMan


Posted 03 July 2014 - 15:29

Forget it's a tunnel - just think of it as a network connection between 2 routers or 2 endpoints that act as routers.

You have to have the routing on both sides so devices can talk to each other.

If 192.168.1.100 sends traffic to 192.168.1.1 (eth1 on your VPN endpoint) for 74.204.71.249, where in the routing table that you listed does that box know to send the traffic down the tunnel? Is that traffic NATted, or will its source be 192.168.1.100? When it gets to the VPN server (other end of the tunnel), does that box have routes to send it out its internet gateway? Does it NAT it? When the answer comes back, does that endpoint know to send it back down the tunnel - what is the source IP going to be when it comes back? What is the network on the remote side - if 192.168.1.0/24 or overlap, you can have problems.

At minimum you're going to have to have 1 NAT somewhere; could be double - you could even have a triple NAT scenario in your setup, depending.

Where did you come up with 192.168.1.0/24 - does the remote side, your VPN server, know about this network?

Is the VPN server you're connecting to an actual Cisco VPN concentrator at the edge of that network, or something inside that network going through a NAT at their edge? If your tunnel is up, let's forget all the protocols and details of how the tunnel works and just think of it as a simple network segment (transient network) to get to the internet.

You end up with something like this

routingthruvpn.png

So both of the routers in this picture need to know where to route the traffic, and where do the NAT(s) take place, since your dest is the public internet and your IP is private.
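To make BudMan's routing point concrete, here is an added example (not code from either poster) that runs a longest-prefix match over the route table posted earlier in the thread, with the redacted *.*.*.* VPN server address replaced by the constructed placeholder 203.0.113.10, and then over a corrected table whose default route points down tun0:

```python
import ipaddress

# Route table as the original poster listed it (route -n style). The redacted
# "*.*.*.*" VPN server address is replaced by a constructed placeholder.
POSTED_TABLE = """\
0.0.0.0         192.168.0.254   0.0.0.0         UG  0 0 0 eth0
4.2.2.2         0.0.0.0         255.255.255.255 UH  0 0 0 tun0
8.8.8.8         0.0.0.0         255.255.255.255 UH  0 0 0 tun0
203.0.113.10    192.168.0.254   255.255.255.255 UGH 0 0 0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U   0 0 0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U   0 0 0 eth1
"""

# Constructed fix: the default route now points down the tunnel. The /32 host
# route to the VPN server stays via the LAN gateway, so the tunnel's own
# encapsulated packets still leave on eth0 instead of being routed into tun0.
FIXED_TABLE = POSTED_TABLE.replace(
    "0.0.0.0         192.168.0.254   0.0.0.0         UG  0 0 0 eth0",
    "0.0.0.0         0.0.0.0         0.0.0.0         U   0 0 0 tun0",
)


def parse_routes(text):
    """Turn route -n style lines into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        dest, gateway, mask, _flags, _metric, _ref, _use, iface = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, the way the kernel picks a route for dst.
    Returns (gateway, iface); gateway '0.0.0.0' means directly attached."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gateway, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    return None if best is None else (best[1], best[2])


if __name__ == "__main__":
    for label, table in (("posted", POSTED_TABLE), ("fixed", FIXED_TABLE)):
        routes = parse_routes(table)
        for dst in ("74.204.71.249", "8.8.8.8", "203.0.113.10"):
            print(label, dst, "->", lookup(routes, dst))
```

With the posted table, 74.204.71.249 resolves to 192.168.0.254 on eth0, so nothing from the 60 devices ever reaches tun0; the NAT for 192.168.1.0/24 that BudMan asks about is a separate requirement on top of the route.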

#42 OP Original Poster


Posted 20 July 2014 - 11:06

Forget it's a tunnel - just think of it as a network connection between 2 routers or 2 endpoints that act as routers.

You have to have the routing on both sides so devices can talk to each other.

If 192.168.1.100 sends traffic to 192.168.1.1 (eth1 on your VPN endpoint) for 74.204.71.249, where in the routing table that you listed does that box know to send the traffic down the tunnel? Is that traffic NATted, or will its source be 192.168.1.100? When it gets to the VPN server (other end of the tunnel), does that box have routes to send it out its internet gateway? Does it NAT it? When the answer comes back, does that endpoint know to send it back down the tunnel - what is the source IP going to be when it comes back? What is the network on the remote side - if 192.168.1.0/24 or overlap, you can have problems.

At minimum you're going to have to have 1 NAT somewhere; could be double - you could even have a triple NAT scenario in your setup, depending.

Where did you come up with 192.168.1.0/24 - does the remote side, your VPN server, know about this network?

Is the VPN server you're connecting to an actual Cisco VPN concentrator at the edge of that network, or something inside that network going through a NAT at their edge? If your tunnel is up, let's forget all the protocols and details of how the tunnel works and just think of it as a simple network segment (transient network) to get to the internet.

You end up with something like this

routingthruvpn.png

So both of the routers in this picture need to know where to route the traffic, and where do the NAT(s) take place, since your dest is the public internet and your IP is private.



Hey BudMan, just to say sorry for not replying; I pulled out my hair and ran away to Japan! Still here, but I was just doing a website check and thought it would be polite to respond, and I'll fill you in on how the matter got solved upon my return :)