[NCLUG] cipe "virtual identity"

listz at hate.cx listz at hate.cx
Fri May 9 14:28:43 MDT 2003


Thanks for the help, I've got a tunnel (mostly) working after I started to play
around with it. The problem I have now is that when I try to tunnel ssh my
machines complain about MTU size. I've allowed ICMP type 3 through the local
firewall, however the connection is still not fragmenting to accommodate. Any
ideas? Here is a snippet of some tcpdump output:

14:24:13.887049 99.41.5.59 > 99.41.5.60: icmp: 10.0.0.2 unreachable - need to frag (mtu 1418) [tos 0xc0]
14:25:07.644738 99.41.5.59 > 99.41.5.60: icmp: 10.0.0.2 unreachable - need to frag (mtu 1418) [tos 0xc0]

I'm wondering, because I'm NAT'ing the CIPE internal addresses, if when the
destination machine sees the "10.0.0.2 unreachable - need to frag" it's just like
"I don't care, I'm not talking to 10.0.0.2".


on Thu May 08 22:15, Kevin Fenzi disclosed: 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> >>>>> "listz" == listz  <listz at hate.cx> writes:
> 
> listz> but what about if the firewall and gateway are separated by the
> listz> internet. 
> 
> It doesn't matter. CIPE needs a connection of some kind to tunnel
> over, but anything will do. PPP, slip, wireless, ethernet, etc... 
> 
> listz> lets assume 192.168.0.10 is a real address. does the
> listz> tunnel have its own addresses inside the tunnel? like a real
> 
> Yes, you tell cipe:
> 
> On the client:
> 
> peer is example.com
> my ipaddress is 192.168.1.2
> point to point ip is 192.168.1.1
> 
> On the server:
> 
> peer is anyone
> my ipaddress is 192.168.1.1
> point to point ip is 192.168.1.2
> 
> So, when the client brings up its cipe interface it connects to
> example.com (a real ip on the server) and then the cipe tunnel has
> 192.168.1.1 on the server side, and 192.168.1.2 on the client side. 
> 
> listz> address of 216.17.172.1 on eth0 of the laptop, and the firewall
> listz> has an address of 192.168.0.11 (again, assuming its routable).
> listz> maybe i'm being confusing, and maybe i just need to play around
> listz> with it some.
> 
> You can then route anything you like over that cipe tunnel... 
> ie, (on the client)
> 
> route add -net 10.1.1.0/24 gw 192.168.1.1
> 
> then all traffic to 10.1.1.0/24 net will go over the cipe tunnel to
> the server and then (if the server knows how to get to 10.1.1.0/24) to
> the network in question. 
> 
> listz> i guess let me explain a bit more what i want to do. there is
> listz> an internal server that is only accessible from known ip
> listz> addresses (via local iptables rules, tcp-wrappers, etc.). when
> listz> i'm on travel i could be using any ip address, but if i need to
> listz> connect back to the internal server i need the connection to
> listz> appear as if it were coming from some known ip address. i
> listz> figured a vpn would be able to accomplish this task. can cipe
> listz> do this or even frees/wan?
> 
> yes. 
> In the above case you just need allow connections from 192.168.1.2 to
> your machine and it will be fine. 
> 
> kevin
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (GNU/Linux)
> Comment: Processed by Mailcrypt 3.5.8 <http://mailcrypt.sourceforge.net/>
> 
> iD8DBQE+uytV3imCezTjY0ERAkwlAJsFXVwtBiCBO2UK3Cybg37IdExIawCfWxpo
> xB7o66yb0IrGkITWi19oUrY=
> =AQpw
> -----END PGP SIGNATURE-----
> _______________________________________________
> NCLUG mailing list       NCLUG at nclug.org
> 
> To unsubscribe, subscribe, or modify your settings, go to:
> http://www.nclug.org/mailman/listinfo/nclug

<EOF>
::[ RFC 2795 ]::
 "Democracy means simply the bludgeoning of the
 people by the people for the people."
 -Oscar Wilde
statik at hate.cx / security engineer \ "My God, it's full of stars..."
PGP fingerprint: D656 01EB 79FC 9285 F110  2AB1 D8BC B3BA BEA2 E0C5
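As an added example (not code from the original post or from the CIPE project), the following script parses tcpdump "need to frag" lines like the ones quoted above, works out the TCP MSS that fits the advertised MTU, and emits an iptables TCPMSS clamp for the tunnel interface. The sample tcpdump lines are constructed to match the post; the interface name cipcb0, the set of "known destinations" and the simplified rule for whether a host applies the PMTU hint are assumptions made for illustration, not a description of how the poster's kernel behaves.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample tcpdump output, modelled on the lines quoted in the
# post above (not captured from the poster's network). The third line is a
# non-matching ICMP message to show the parser ignores it.
SAMPLE_TCPDUMP = """\
14:24:13.887049 99.41.5.59 > 99.41.5.60: icmp: 10.0.0.2 unreachable - need to frag (mtu 1418) [tos 0xc0]
14:25:07.644738 99.41.5.59 > 99.41.5.60: icmp: 10.0.0.2 unreachable - need to frag (mtu 1418) [tos 0xc0]
14:25:09.123456 99.41.5.60 > 99.41.5.59: icmp: echo request
"""

# tcpdump's rendering of ICMP type 3 code 4 ("fragmentation needed and DF set").
FRAG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+(?:\.\d+){3})\s+>\s+(?P<dst>\d+(?:\.\d+){3}):\s+"
    r"icmp:\s+(?P<inner>\d+(?:\.\d+){3})\s+unreachable\s+-\s+need to frag\s+"
    r"\(mtu\s+(?P<mtu>\d+)\)"
)

IPV4_HDR = 20   # minimum IPv4 header, no options
TCP_HDR = 20    # minimum TCP header, no options


@dataclass(frozen=True)
class FragNeeded:
    ts: str
    sender: str      # router/host that could not forward the packet
    receiver: str    # host the ICMP error was delivered to
    inner_dst: str   # destination of the original datagram, echoed in the error
    mtu: int         # next-hop MTU the sender advertises


def parse_frag_needed(text: str) -> List[FragNeeded]:
    """Extract ICMP 'need to frag' messages from tcpdump text output."""
    found = []
    for line in text.splitlines():
        m = FRAG_RE.match(line)
        if m:
            found.append(FragNeeded(m["ts"], m["src"], m["dst"],
                                    m["inner"], int(m["mtu"])))
    return found


def tcp_mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload that fits in `mtu` bytes with option-less headers."""
    return mtu - IPV4_HDR - TCP_HDR


def pmtu_hint_usable(msg: FragNeeded, known_destinations: Iterable[str]) -> bool:
    """Simplified model (an assumption for this example): a host only applies
    the advertised MTU to a path it is actually using, so the echoed inner
    destination has to be one it has a flow to. If NAT rewrote the addresses
    inside the tunnel, the echoed destination may match nothing on the
    receiving host and the hint is discarded.
    """
    return msg.inner_dst in set(known_destinations)


def mss_clamp_rule(mtu: int, iface: str = "cipcb0") -> str:
    """iptables rule (mangle table) that clamps the MSS of SYNs leaving the
    tunnel interface so TCP never builds segments larger than the path allows.
    The interface name is an assumption for the example."""
    return (f"iptables -t mangle -A FORWARD -o {iface} -p tcp "
            f"--tcp-flags SYN,RST SYN -j TCPMSS --set-mss {tcp_mss_for_mtu(mtu)}")


def advise(text: str, known_destinations: Iterable[str]) -> dict:
    """Summarise the capture: smallest advertised MTU, whether the receiving
    host would honour it, and the clamp rule to apply if it would not."""
    msgs = parse_frag_needed(text)
    if not msgs:
        return {"messages": 0}
    smallest = min(m.mtu for m in msgs)
    honoured = all(pmtu_hint_usable(m, known_destinations) for m in msgs)
    return {
        "messages": len(msgs),
        "min_mtu": smallest,
        "hint_honoured": honoured,
        "clamp_rule": None if honoured else mss_clamp_rule(smallest),
    }


if __name__ == "__main__":
    # The receiving host in the capture is 99.41.5.60; it only knows about the
    # peer's public address, not the NAT'd tunnel address 10.0.0.2.
    result = advise(SAMPLE_TCPDUMP, known_destinations={"99.41.5.59"})
    for k, v in result.items():
        print(f"{k}: {v}")
```

Running it prints the two parsed messages, the advertised MTU of 1418, that the hint is not honoured under the example's assumptions, and a clamp rule with `--set-mss 1378` (1418 minus 40 bytes of IPv4 and TCP headers). The alternative to a fixed `--set-mss` is `-j TCPMSS --clamp-mss-to-pmtu`, which derives the value from the outgoing interface MTU instead.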