Re: doesn't anybody use tunnelling / vpn?
Amaury Darsch wrote:
>
> Ok,
>
> Looks like you are really suffering with this one - I'll try to do my best
> to help you. We will go step by step ...
thanks! you have no idea...!
> a) I assume you work with the kernel 2.2.17
# uname -a
Linux server 2.2.17 #1 Sun Jun 25 09:24:41 EST 2000 i586 unknown
> b) Check the kernel network config - the "ip" command is very picky about this
> Note that in the example below - the IP tunneling and GRE are modules
> I'll give you my config here.
>
> <*> Packet socket
> [*] Kernel/User netlink socket
> [*] Routing messages
> < > Netlink device emulation
> [*] Network firewalls
> [*] Socket Filtering
> <*> Unix domain sockets
> [*] TCP/IP networking
> [*] IP: multicasting
> [*] IP: advanced router
> [*] IP: policy routing
> [ ] IP: equal cost multipath
> [ ] IP: use TOS value as routing key
> [*] IP: verbose route monitoring
> [ ] IP: large routing tables
> [ ] IP: fast network address translation
> [ ] IP: kernel level autoconfiguration
> [*] IP: firewalling
> [ ] IP: firewall packet netlink device
> [*] IP: use FWMARK value as routing key
> [*] IP: transparent proxy support
> [ ] IP: masquerading
> [ ] IP: optimize as router not host
> <M> IP: tunneling
> <M> IP: GRE tunnels over IP
> [*] IP: broadcast GRE over IP
> [ ] IP: multicast routing
> [*] IP: aliasing support
> [ ] IP: ARP daemon support (EXPERIMENTAL)
well, um, <newbie>i'm not sure where to go to compare what i've
got, with that. </newbie>is it a source-code-tree thing? maybe a
probe-command output? or modules from modconf? something from
the bowels of /proc/net? dselect?
my ipmasq works fine to connect my other two computers
(2 mac, 1 windon't) to the 'net. so tcp/inetd.conf services
are all hunky/dory.
# lsmod
Module          Size   Used by
ip_gre          6168   1
slip            7388   0  (autoclean)
ppp             20684  0  (autoclean)
slhc            4436   1  (autoclean) [slip ppp]
nls_koi8-r      3400   0  (unused)
tap1            2284   0  (unused)
netlink_dev     1552   0  (unused)
tap0            2284   0  (unused)
af_packet       6040   0  (autoclean)
serial          19564  1  (autoclean)
3c509           6548   2
ipv6            92464  -1
ipip            5156   0
ip_masq_ftp     2456   0
unix            10212  15 (autoclean)
so i've got ipip and ip_gre installed, PLUS the
tap and netlink things mentioned for TUNNELV, which i
also couldn't get going.
> c) install the gre module - without it - nothing will work
> modprobe ip_gre (or insmod ip_gre)
>
> Check that it is installed with the "lsmod" command.
>
> d) now the magic test - install the tunnel
>
> ip tunnel add tunl0 mode gre local 192.168.0.1 remote 192.168.0.2
>
> If you have any error here (I saw some ioctl error) then do not bother to
> continue - you have a kernel problem.
>
> check that the tunnel is installed
>
> ip link show
BOOM.
# ip link show
Cannot send dump request: Connection refused
# ip addr show
Cannot send dump request: Connection refused
# ip route show
Cannot send dump request: Connection refused
# ip neigh show
Cannot send dump request: Connection refused
# ip tunnel show
tunl0: ip/ip remote any local any ttl inherit nopmtudisc
sit0: ipv6/ip remote any local any ttl 64 nopmtudisc
gre0: gre/ip remote any local any ttl inherit nopmtudisc
dave: gre/ip remote 208.7.139.219 local 208.33.90.85 ttl inherit
why d'you suppose that tunnels are the only things it lets
me show? what am i missing?
> You should see the following (more or less)
>
> 4: gre0@NONE: <NOARP> mtu 1476 qdisc noop
> link/gre 0.0.0.0 brd 0.0.0.0
> 5: tunl0@NONE: <POINTOPOINT,NOARP> mtu 1476 qdisc noop
> link/gre 192.168.0.1 peer 192.168.0.2
it should, but doesn't. "show" goes bang, for me. except on tunnels.
> e) turn the link up
>
> ip link set dev tunl0 up
>
> check again that the link is up with "ip link show"
>
> 4: gre0@NONE: <NOARP> mtu 1476 qdisc noop
> link/gre 0.0.0.0 brd 0.0.0.0
> 5: tunl0@NONE: <POINTOPOINT,NOARP,UP> mtu 1476 qdisc noqueue
> link/gre 192.168.0.1 peer 192.168.0.2
i use "ifconfig" to get it running. should i not?
> At this stage, the tunnel is set - you need to do the same with the peer. You
> will have also to set your routing table - If you have a gateway turn on the
> forwarding. My config has the firewall enabled - If you do the same make sure
> you install the right ACCEPT rule. But as far as I can see, the source of your
> problems seems located around a kernel config.
>
> Hope this will help ...
thanks for your pointers! i wish i'd had them two weeks ago,
but i didn't know what to ask for...
here's what i've got that seems to work:
#!/bin/sh
# DEV, OUTSIDE_HERE, OUTSIDE_THERE, INSIDE_HERE and INSIDE_THERE must be
# set in the environment; stop right away if any of them is missing
: "${DEV:?}" "${OUTSIDE_HERE:?}" "${OUTSIDE_THERE:?}" "${INSIDE_HERE:?}" "${INSIDE_THERE:?}"
set -e
# create new device
ip tunnel add "$DEV" \
    local "$OUTSIDE_HERE" \
    remote "$OUTSIDE_THERE" \
    mode gre \
    ttl 255
# set it up to talk between these two points (with network on far end)
ifconfig "$DEV" "$INSIDE_HERE" pointopoint "$INSIDE_THERE" \
    netmask 255.255.255.0
# now re-establish our firewall rules to include the new gadget
ipmasq
--
and it doesn't seem to matter where i specify TTL, either:
# ip tunnel add dave \
ttl 255 \
local 208.33.90.85 remote 208.7.139.219 \
mode gre
# ip tunnel show | grep dave
dave: gre/ip remote 208.7.139.219 local 208.33.90.85 ttl inherit
ttl always slips back to 'inherit'...
thanks for your help!
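Added example, not code from either poster: a small sh script that prints (rather than runs) the command sequence Amaury describes for one end of the tunnel, done entirely with ip, plus an ipchains rule that accepts GRE (IP protocol 47) only from the known peer, and a check that recognises the "Cannot send dump request: Connection refused" failure before anything else is attempted. My reading of that failure is that ip tunnel works through ioctls while ip link/addr/route need rtnetlink, so on a 2.2 kernel it points at the "Routing messages" option in the quoted config being absent. The inside addresses and far-end network in the test are constructed placeholders, and ipchains is assumed as the 2.2 firewall tool.

```shell
#!/bin/sh
# Added example (not from the thread). Nothing here touches the kernel:
# the functions only print the commands, so they can be reviewed and
# tested offline; pipe the output into sh on the real box.

# classify_ip_output TEXT
# "ok"           -> TEXT looks like an rtnetlink dump from "ip link show"
# "no-rtnetlink" -> the dump request was refused (kernel lacks rtnetlink)
# "unknown"      -> anything else
classify_ip_output() {
    case "$1" in
        *"Cannot send dump request"*) echo no-rtnetlink ;;
        *": <"*"mtu "*)               echo ok ;;
        *)                            echo unknown ;;
    esac
}

# gre_tunnel_commands DEV OUTSIDE_HERE OUTSIDE_THERE INSIDE_HERE INSIDE_THERE FAR_NET
# Prints the commands for this end of the tunnel; the peer runs the same
# with HERE and THERE swapped. OUTSIDE_* are the public endpoints, INSIDE_*
# the point-to-point addresses on the tunnel, FAR_NET the network behind
# the peer (CIDR).
gre_tunnel_commands() {
    dev=$1 out_here=$2 out_there=$3 in_here=$4 in_there=$5 far_net=$6
    # create the device (same arguments as the thread's script)
    printf 'ip tunnel add %s mode gre local %s remote %s ttl 255\n' \
        "$dev" "$out_here" "$out_there"
    # bring the link up, then verify with "ip link show"
    printf 'ip link set dev %s up\n' "$dev"
    # the ip equivalent of "ifconfig DEV INSIDE_HERE pointopoint INSIDE_THERE"
    printf 'ip addr add %s peer %s dev %s\n' "$in_here" "$in_there" "$dev"
    # route the far-end network through the tunnel
    printf 'ip route add %s dev %s\n' "$far_net" "$dev"
    # GRE carries no authentication: only accept protocol 47 from the
    # peer's outside address, aimed at our outside address (ipchains assumed)
    printf 'ipchains -A input -p 47 -s %s -d %s -j ACCEPT\n' \
        "$out_there" "$out_here"
}

# stand-alone use: ./gre-cmds.sh DEV OUTSIDE_HERE OUTSIDE_THERE INSIDE_HERE INSIDE_THERE FAR_NET
if [ $# -eq 6 ]; then
    gre_tunnel_commands "$@"
fi
```

Run "ip link show" first and feed its output to classify_ip_output; if it says no-rtnetlink, fix the kernel config before bothering with the tunnel.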