
Re: More Quick 'n' Easy IPv6 for Debian, Wireless



On Wed, Jan 21, 2004 at 12:08:46PM +0100, Jeroen Massar wrote:
> 
> <BIG SNIP>
> 
> > Not exactly.
> > 
> > 
> > [6to4 anycast relay]
> >       ^
> >       |
> >   [Internet]
> >       |
> >       v
> >    [Router] <---> [AP] <---> [Wireless Host]
> >       ^
> >       |
> >       v
> >  [Wired Host]  
> 
> That is indeed much easier. Let the router do 6to4 and announce
> the prefixes using radvd directly or over a tunnel. Done(tm)

OK.  That sounds great.  My plan is to use a two-address network to link
the Router to the Host, e.g. 192.168.100.0/30.  The Router gets .1 and
the Host gets .2.  On the Host side, the tunnel will be the default
gateway.  Will radvd automatically announce to .2 if .1 is assigned to
the tunnel device?

I am having a devil of a time getting the tunnel up.  It all makes
sense when I don't have the AP in the way NATing this and NATing that.
In other words, I've gotten ipsec working when the Router and Host are
connected by an Ethernet hub.  However, the key exchange appears to be
failing with the AP in the way.  I can see the requests on port 500
getting to the Router but the responses from the Router don't get back
to the Host.

> >   2) I'd really like to let there be a radvd server for the Wireless
> >      Hosts, but I don't see how I can do this unless I can get one of
> >      the Router's interfaces to appear in the collision domain of the
> >      wireless network. 
> 
> The AP will probably have a "bridge" mode, thus extending the interface.
> I guess you have currently set it to make a separate network of it.

I don't see how to do that.  I recognize that it's mostly a tin box a'
poop.  It will let me disable the DHCP server, but there's no explicit
option to bridge instead of NAT.  And once DHCP is disabled it doesn't
work at all.

> >   3) The next best thing is to for an IPSEC tunnel from the Wireless
> >      Host to the Router since this kind of tunnel is recognized by the
> >      AP.  As an aside, the AP is really dumb in this respect.  It
> >      requires that the IPSEC tunnel use ISAKMP because of the port 500
> >      exchange that triggers the special super secret pass-through
> >      mode. I'd use another kind of tunnel, but I don't think there is
> >      one that will work with the AP.
> 
> tinc/openvpn etc all use normal tcp and udp thus should not pose
> a problem. 

Part of the motivation for doing this is to implement ipsec.  I
see that there are other methods that will work and may fall back to
them when I exhaust my ideas.

> I actually wonder why the AP is needing to know about L4 stuff.

Do you mean you don't know why they do NAT?  AFAICT, these access
points are designed for simple setups where the WAN port connects to
the ISP without an intervening Router.  Once they introduce NAT to
solve *their* problem they create all sorts of headaches for those of
us who'd rather do the Right Thing (tm). 

Cheers.
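An added illustration of the "let the router do 6to4 and announce the prefixes with radvd" plan discussed above (not code from the thread or from either poster): it derives the 6to4 /48 from the router's public IPv4 address, picks a /64 for the link, and emits the radvd.conf stanza for it. The interface name eth1, the documentation address 203.0.113.5 and the SLA ID are assumptions.

```python
import ipaddress

# Address ranges that can never be a 6to4 router's embedded IPv4 address
# (RFC 1918 private space, which is what a NATing AP hands out).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def sixto4_prefix(public_ipv4: str) -> ipaddress.IPv6Network:
    """Return the 6to4 /48 (RFC 3056) that embeds public_ipv4.

    The prefix is 2002::/16 followed by the 32 bits of the IPv4 address,
    so 203.0.113.5 (a constructed documentation address) yields
    2002:cb00:7105::/48.
    """
    v4 = ipaddress.IPv4Address(public_ipv4)
    if v4.is_loopback or any(v4 in net for net in RFC1918):
        # A host behind the AP's NAT only has RFC 1918 space, so it cannot be
        # the 6to4 router; the box holding the public address must do it.
        raise ValueError(f"{public_ipv4} is not a public address; 6to4 cannot embed it")
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))


def sixto4_subnet(prefix: ipaddress.IPv6Network, sla_id: int) -> ipaddress.IPv6Network:
    """Pick one /64 out of the /48 using the 16-bit SLA ID (one per link)."""
    if not 0 <= sla_id <= 0xFFFF:
        raise ValueError("SLA ID must fit in 16 bits")
    return ipaddress.IPv6Network((int(prefix.network_address) | (sla_id << 64), 64))


def radvd_conf(iface: str, subnet: ipaddress.IPv6Network) -> str:
    """Emit a radvd.conf stanza advertising subnet on iface.

    radvd only multicasts Router Advertisements (to ff02::1) out of the
    interfaces listed in its config, so the host on the far end of the /30
    hears them only if the router-side end of that link is listed here.
    """
    return (
        f"interface {iface}\n"
        "{\n"
        "    AdvSendAdvert on;\n"
        f"    prefix {subnet}\n"
        "    {\n"
        "        AdvOnLink on;\n"
        "        AdvAutonomous on;\n"
        "    };\n"
        "};\n"
    )


if __name__ == "__main__":
    # Hypothetical router interface eth1 facing the wired host.
    prefix = sixto4_prefix("203.0.113.5")
    print(radvd_conf("eth1", sixto4_subnet(prefix, 1)))
```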


