[NCLUG] cipe "virtual identity"

listz at hate.cx listz at hate.cx
Fri May 9 16:04:18 MDT 2003


the tcpdump output came from the destination machine, so it is getting the icmp
type 3 packets and i do have the rule:

iptables -A INPUT -j ACCEPT -p icmp -s 0.0.0.0/0 -d $LOCALHOST --icmp-type 3

in the firewall script. in addition i can get to an https site through the cipe
tunnel just fine.

on Fri May 09 15:47, Kevin Fenzi disclosed: 
> >>>>> "listz" == listz  <listz at hate.cx> writes:
> 
> listz> thanks for the help, i've got a tunnel (mostly) working after i
> listz> started to play around with it. the problem i have now is that
> listz> when i try to tunnel ssh my machines complain about MTU
> listz> size. i've allowed icmp type 3 through the local firewall,
> listz> however the connection is still not fragmenting to
> listz> accommodate. any ideas? here is a snippet of some tcpdump
> listz> output:
> 
> listz> 14:24:13.887049 99.41.5.59 > 99.41.5.60: icmp: 10.0.0.2
> listz> unreachable - need to frag (mtu 1418) [tos 0xc0]
> listz> 14:25:07.644738 99.41.5.59 > 99.41.5.60: icmp: 10.0.0.2
> listz> unreachable - need to frag (mtu 1418) [tos 0xc0]
> 
> listz> i'm wondering because i'm nat'ing the cipe internal addresses
> listz> if when the destination machine sees the "10.0.0.2 unreachable
> listz> - need to frag" its just like "i don't care, i'm not talking to
> listz> 10.0.0.2"
> 
> Humm... NAT should work fine as long as it's setup right... 
> 
> I haven't ever seen CIPE complain about MTU like that before. Sounds
> like something is going on with your NAT setup, or something in
> between. 
> 
> You might double-check your firewall (make sure type 3 icmp isn't being
> denied) and your NAT rules. 
> 
> kevin

<EOF>
::[ RFC 2795 ]::
 "Democracy means simply the bludgeoning of the
 people by the people for the people."
 -Oscar Wilde
statik at hate.cx / security engineer \ "My God, it's full of stars..."
PGP fingerprint: D656 01EB 79FC 9285 F110  2AB1 D8BC B3BA BEA2 E0C5
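A small diagnostic, added here and not part of the thread, that ties the two pieces of evidence together: it parses the tcpdump "need to frag" lines for the advertised path MTU, derives the TCP MSS that would fit that MTU, and checks which filter chains in a firewall script accept ICMP type 3 (when the tunnel's inner addresses are NATed on the gateway, the ICMP error bound for the inner host crosses FORWARD, not INPUT). The rule check is a plain string match over rule lines as written in a script, the FORWARD rule in the sample is a constructed placeholder, and the 40-byte figure assumes IPv4 TCP without options.

```python
import re
from typing import Dict, List

# Constructed sample input: the two tcpdump lines quoted in the thread, re-joined.
SAMPLE_TCPDUMP = [
    "14:24:13.887049 99.41.5.59 > 99.41.5.60: icmp: 10.0.0.2 unreachable - need to frag (mtu 1418) [tos 0xc0]",
    "14:25:07.644738 99.41.5.59 > 99.41.5.60: icmp: 10.0.0.2 unreachable - need to frag (mtu 1418) [tos 0xc0]",
]
# Constructed sample rules: the INPUT rule from the thread plus a hypothetical FORWARD rule.
SAMPLE_RULES = [
    "iptables -A INPUT -j ACCEPT -p icmp -s 0.0.0.0/0 -d $LOCALHOST --icmp-type 3",
    "iptables -A FORWARD -j ACCEPT -p tcp --dport 22",
]

NEED_FRAG = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) > (?P<dst>[\d.]+): icmp: (?P<orig_dst>[\d.]+) "
    r"unreachable - need to frag \(mtu (?P<mtu>\d+)\)"
)
IPV4_TCP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options

def parse_need_frag(lines: List[str]) -> List[dict]:
    """Pull sender, receiver, embedded original destination and advertised MTU from tcpdump lines."""
    found = []
    for line in lines:
        m = NEED_FRAG.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["mtu"] = int(rec["mtu"])
            found.append(rec)
    return found

def mss_clamp_for(mtu: int) -> int:
    """Largest TCP MSS whose segments still fit the advertised path MTU (IPv4, no options)."""
    return mtu - IPV4_TCP_HEADERS

def icmp3_accepted(rules: List[str]) -> Dict[str, bool]:
    """Per filter chain: does some ACCEPT rule admit ICMP type 3 (or RELATED packets, which cover it)?"""
    ok = {"INPUT": False, "FORWARD": False}
    for rule in rules:
        m = re.search(r"-A (INPUT|FORWARD)\b", rule)
        if not m or "-j ACCEPT" not in rule:
            continue
        if "--icmp-type 3" in rule or "fragmentation-needed" in rule or "RELATED" in rule:
            ok[m.group(1)] = True
    return ok
```

Run against the sample it reports an advertised MTU of 1418 (an MSS of 1378 would fit) and shows INPUT accepting type 3 while FORWARD does not.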