tunnelling / vpn?
Amaury Darsch wrote:
>
> Ok,
>
> Looks like you are really suffering with this one - I'll try to do my best
> to help you. We will go step by step ...
>
> a) I assume you work with the kernel 2.2.17
>
> b) Check the kernel network config - the "ip" command is very picky about this
> Note that in the example below - the IP tunneling and GRE are modules
> I'll give you my config here.
>
> <*> Packet socket
> [*] Kernel/User netlink socket
> [*] Routing messages
> < > Netlink device emulation
> [*] Network firewalls
> [*] Socket Filtering
> <*> Unix domain sockets
> [*] TCP/IP networking
> [*] IP: multicasting
> [*] IP: advanced router
> [*] IP: policy routing
> [ ] IP: equal cost multipath
> [ ] IP: use TOS value as routing key
> [*] IP: verbose route monitoring
> [ ] IP: large routing tables
> [ ] IP: fast network address translation
> [ ] IP: kernel level autoconfiguration
> [*] IP: firewalling
> [ ] IP: firewall packet netlink device
> [*] IP: use FWMARK value as routing key
> [*] IP: transparent proxy support
> [ ] IP: masquerading
> [ ] IP: optimize as router not host
> <M> IP: tunneling
> <M> IP: GRE tunnels over IP
> [*] IP: broadcast GRE over IP
> [ ] IP: multicast routing
> [*] IP: aliasing support
> [ ] IP: ARP daemon support (EXPERIMENTAL)
here's what i've got in my current kernel /boot/config-2.2.17 :
<M> Packet socket
[*] Kernel/User netlink socket
[*] Routing messages
<*> Netlink device emulation
[*] Network firewalls
[*] Socket Filtering
<M> Unix domain sockets
[*] TCP/IP networking
[*] IP: multicasting
[*] IP: advanced router
[*] IP: policy routing
[ ] IP: equal cost multipath
[*] IP: use TOS value as routing key
[*] IP: verbose route monitoring
[ ] IP: large routing tables
[*] IP: fast network address translation
[ ] IP: kernel level autoconfiguration
[*] IP: firewalling
[*] IP: firewall packet netlink device
[*] IP: use FWMARK value as routing key
[ ] IP: transparent proxy support
[*] IP: masquerading
--- Protocol-specific masquerading support will be built as modules.
[*] IP: ICMP masquerading
--- Protocol-specific masquerading support will be built as modules.
[*] IP: masquerading special modules support
<M> IP: ipautofw masq support (EXPERIMENTAL)
<M> IP: ipportfw masq support (EXPERIMENTAL)
<M> IP: ip fwmark masq-forwarding support (EXPERIMENTAL)
[ ] IP: optimize as router not host
<M> IP: tunneling
<M> IP: GRE tunnels over IP
[ ] IP: broadcast GRE over IP (NEW)
[ ] IP: multicast routing (NEW)
[*] IP: aliasing support
[ ] IP: ARP daemon support (EXPERIMENTAL) (NEW)
[*] IP: TCP syncookie support (not enabled per default)
--- (it is safe to leave these untouched)
<M> IP: Reverse ARP
[*] IP: Allow large windows (not recommended if <16Mb of memory)
<M> The IPv6 protocol (EXPERIMENTAL)
[ ] IPv6: enable EUI-64 token format (NEW)
<M> The IPX protocol
[ ] IPX: Full internal IPX network (NEW)
<M> IPX: SPX networking (EXPERIMENTAL)
<M> Appletalk DDP
<M> CCITT X.25 Packet Layer (EXPERIMENTAL)
<M> LAPB Data Link Driver (EXPERIMENTAL)
[ ] Bridging (EXPERIMENTAL) (NEW)
[ ] 802.2 LLC (EXPERIMENTAL) (NEW)
<M> Acorn Econet/AUN protocols (EXPERIMENTAL)
[ ] AUN over UDP (NEW)
[ ] Native Econet (NEW)
<M> WAN router
[ ] Fast switching (read help!) (NEW)
[ ] Forwarding between high speed interfaces (NEW)
[ ] CPU is too slow to handle full bandwidth (NEW)
QoS and/or fair queueing --->
sure looks like i've got what i need, don't you agree?
(i'm not much of an expert...)
> c) install the gre module - without it - nothing will work
> modprobe ip_gre (or insmod ip_gre)
>
> Check that it is installed with the "lsmod" command.
got it:
# lsmod
Module Size Used by
ip_gre 6168 1
slip 7388 0 (autoclean)
ppp 20684 0 (autoclean)
slhc 4436 1 (autoclean) [slip ppp]
nls_koi8-r 3400 0 (unused)
tap1 2284 0 (unused)
netlink_dev 1552 0 (unused)
tap0 2284 0 (unused)
af_packet 6040 0 (autoclean)
serial 19564 1 (autoclean)
3c509 6548 2
ipv6 92464 -1
ipip 5156 0
ip_masq_ftp 2456 0
unix 10212 21 (autoclean)
> d) now the magic test - install the tunnel
>
> ip tunnel add tunl0 mode gre local 192.168.0.1 remote 192.168.0.2
>
> If you have any error here (I saw some ioctl error) then do not bother to
> continue - you have a kernel problem.
>
> check that the tunnel is installed
>
> ip link show
BOOM.
# ip link show
Cannot send dump request: Connection refused
what the HELL does that denote?
at least this much does work:
# ip tunnel ls
tunl0: ip/ip remote any local any ttl inherit nopmtudisc
sit0: ipv6/ip remote any local any ttl 64 nopmtudisc
gre0: gre/ip remote any local any ttl inherit nopmtudisc
dave: gre/ip remote 208.7.139.219 local 208.33.90.85 ttl 255
and here's how i've got as far as i have--
########################
# create new device
ip tunnel add $DEV \
    local $OUTSIDE_HERE \
    remote $OUTSIDE_THERE \
    mode gre
# set it up to talk between these two points (with network on far end)
ifconfig $DEV $INSIDE_HERE pointopoint $INSIDE_THERE \
    netmask 255.255.255.0
# now re-establish our firewall rules to include the new gadget
ipmasq
########################
okay, according to the
ip-cref.ps
ip-tunnels.ps
documents, it's supposed to be okay to mix the
ip *
commands with
ifconfig *
commands (they use such combos heavily in their examples), but some
folks act leery of that mixture.
comments?
> At this stage, the tunnel is set - you need to do the same with the peer. You
> will also have to set your routing table - If you have a gateway turn on the
> forwarding. My config has the firewall enabled - If you do the same make sure
> you install the right ACCEPT rule. But as far as I can see, the source of your
> problems seems located around a kernel config.
>
> Hope this will help ...
it has, but i'm still limping, and would love to be able
to walk, then run...
--
mailto:will@serensoft.com
http://www.dontUthink.com/
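The step-by-step procedure in the quoted reply (kernel options, load ip_gre, create the tunnel, verify with "ip link show", then address it) boils down to a few checks that are easy to script so that a netlink or ioctl failure stops the run instead of being masked by the later ifconfig/ipmasq steps. The script below is an added example, not code from either poster; the 2.2 CONFIG_ symbol names it checks (CONFIG_NETLINK, CONFIG_RTNETLINK, CONFIG_NET_IPGRE, CONFIG_IP_ADVANCED_ROUTER) are my assumption about which .config entries the menuconfig lines above correspond to, the inside addresses 10.0.0.1/10.0.0.2 are constructed, and it answers the "ip vs ifconfig" question by emitting an all-iproute2 sequence ("ip addr add ... peer ..." in place of "ifconfig ... pointopoint"):

```shell
#!/bin/sh
# Added example (not from the thread). Checks and commands around a 2.2-era
# GRE tunnel setup. Symbol names below are assumptions about the .config
# entries behind the menuconfig options quoted in the thread.

# Assumed prerequisites:
#   CONFIG_NETLINK + CONFIG_RTNETLINK -> "ip link show" dump requests work
#   CONFIG_NET_IPGRE                  -> ip_gre module (or built-in GRE)
#   CONFIG_IP_ADVANCED_ROUTER         -> policy routing used with tunnels
TUNNEL_SYMBOLS="CONFIG_NETLINK CONFIG_RTNETLINK CONFIG_NET_IPGRE CONFIG_IP_ADVANCED_ROUTER"

# kconfig_has FILE SYMBOL -> 0 if SYMBOL=y or SYMBOL=m appears in FILE
kconfig_has() {
    grep -q "^$2=[ym]$" "$1"
}

# check_tunnel_prereqs FILE -> prints each missing symbol on its own line,
# returns 1 if anything is missing, 0 if the config looks complete
check_tunnel_prereqs() {
    _missing=0
    for _sym in $TUNNEL_SYMBOLS; do
        if ! kconfig_has "$1" "$_sym"; then
            echo "$_sym"
            _missing=1
        fi
    done
    return $_missing
}

# gre_setup_cmds DEV OUTSIDE_HERE OUTSIDE_THERE INSIDE_HERE INSIDE_THERE PREFIXLEN
# Prints the iproute2-only equivalent of the thread's ip + ifconfig sequence:
# the peer/prefix on "ip addr add" replaces "ifconfig ... pointopoint ... netmask".
gre_setup_cmds() {
    cat <<EOF
modprobe ip_gre
ip tunnel add $1 mode gre local $2 remote $3 ttl 255
ip link show dev $1
ip addr add $4 peer $5/$6 dev $1
ip link set $1 up
EOF
}

# gre_setup (same args): run the sequence and stop at the first failing step,
# so an ioctl or "Cannot send dump request" error is seen where it happens.
# Needs root and a GRE-capable kernel; the offline test does not call it.
gre_setup() {
    gre_setup_cmds "$@" | while IFS= read -r _cmd; do
        echo "+ $_cmd"
        $_cmd || { echo "step failed: $_cmd" >&2; exit 1; }
    done
}

# Usage (as root), e.g. for the "dave" tunnel endpoints shown in the thread:
#   check_tunnel_prereqs /boot/config-2.2.17 && \
#       gre_setup dave 208.33.90.85 208.7.139.219 10.0.0.1 10.0.0.2 24
```

Running check_tunnel_prereqs against /boot/config-2.2.17 before touching any interface gives a concrete list of missing options rather than the bare "Connection refused"; gre_setup_cmds can be eyeballed first, then gre_setup runs the same lines and halts at the first error, which is the point where the quoted reply says to stop and look at the kernel rather than continue.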