Amaury Darsch wrote:
>
> Ok,
>
> Looks like you are really suffering with this one - I'll try to do my best
> to help you. We will go step by step ...

thanks! you have no idea...!

> a) I assume you work with the kernel 2.2.17

    # uname -a
    Linux server 2.2.17 #1 Sun Jun 25 09:24:41 EST 2000 i586 unknown

> b) Check the kernel network config - the "ip" command is very picky about this
> Note that in the example below - the IP tunneling and GRE are modules
> I'll give you my config here.
>
> x <*> Packet socket
> x x [*] Kernel/User netlink socket
> x x [*] Routing messages
> x x < > Netlink device emulation
> x x [*] Network firewalls
> x x [*] Socket Filtering
> x x <*> Unix domain sockets
> x x [*] TCP/IP networking
> x x [*] IP: multicasting
> x x [*] IP: advanced router
> [*] IP: policy routing
> x x [ ] IP: equal cost multipath
> x x [ ] IP: use TOS value as routing key
> x x [*] IP: verbose route monitoring
> x x [ ] IP: large routing tables
> x x [ ] IP: fast network address translation
> x x [ ] IP: kernel level autoconfiguration
> x x [*] IP: firewalling
> x x [ ] IP: firewall packet netlink device
> x x [*] IP: use FWMARK value as routing key
> [*] IP: transparent proxy support
> x x [ ] IP: masquerading
> x x [ ] IP: optimize as router not host
> x x <M> IP: tunneling
> x x <M> IP: GRE tunnels over IP
> x x [*] IP: broadcast GRE over IP
> x x [ ] IP: multicast routing
> x x [*] IP: aliasing support
> x x [ ] IP: ARP daemon support (EXPERIMENTAL)

well, um, <newbie>i'm not sure where to go to compare what i've got, with
that. </newbie>is it a source-code-tree thing? maybe a probe-command output?
or modules from modconf? something from the bowels of /proc/net? dselect?

my ipmasq works fine to connect my other two computers (2 mac, 1 windon't)
to the 'net. so tcp/inetd.conf services are all hunky/dory.

    # lsmod
    Module                  Size  Used by
    ip_gre                  6168   1
    slip                    7388   0 (autoclean)
    ppp                    20684   0 (autoclean)
    slhc                    4436   1 (autoclean) [slip ppp]
    nls_koi8-r              3400   0 (unused)
    tap1                    2284   0 (unused)
    netlink_dev             1552   0 (unused)
    tap0                    2284   0 (unused)
    af_packet               6040   0 (autoclean)
    serial                 19564   1 (autoclean)
    3c509                   6548   2
    ipv6                   92464  -1
    ipip                    5156   0
    ip_masq_ftp             2456   0
    unix                   10212  15 (autoclean)

so i've got ipip and ip_gre installed, PLUS the tap and netlink things
mentioned for TUNNELV, which i also couldn't get going.

> c) install the gre module - without it - nothing will work
> modprobe ip_gre (or insmod ip_gre)
>
> Check that it is installed with the "lsmod" command.
>
> d) now the magic test - install the tunnel
>
> ip tunnel add tunl0 mode gre local 192.168.0.1 remote 192.168.0.2
>
> If you have any error here (I saw some ioctl error) then do not bother to
> continue - you have a kernel problem.
>
> check that the tunnel is installed
>
> ip link show

BOOM.

    # ip link show
    Cannot send dump request: Connection refused
    # ip addr show
    Cannot send dump request: Connection refused
    # ip route show
    Cannot send dump request: Connection refused
    # ip neigh show
    Cannot send dump request: Connection refused
    # ip tunnel show
    tunl0: ip/ip remote any local any ttl inherit nopmtudisc
    sit0: ipv6/ip remote any local any ttl 64 nopmtudisc
    gre0: gre/ip remote any local any ttl inherit nopmtudisc
    dave: gre/ip remote 208.7.139.219 local 208.33.90.85 ttl inherit

why d'you suppose that tunnels are the only things it lets me show?
what am i missing?

> You should see the following (more or less)
>
> 4: [EMAIL PROTECTED]: <NOARP> mtu 1476 qdisc noop
> link/gre 0.0.0.0 brd 0.0.0.0
> 5: [EMAIL PROTECTED]: <POINTOPOINT,NOARP> mtu 1476 qdisc noop
> link/gre 192.168.0.1 peer 192.168.0.2

it should, but doesn't. "show" goes bang, for me. except on tunnels.

> e) turn the link up
>
> ip link set dev tunl0 up
>
> check again that the link is up with "ip link show"
>
> 4: [EMAIL PROTECTED]: <NOARP> mtu 1476 qdisc noop
> link/gre 0.0.0.0 brd 0.0.0.0
> 5: [EMAIL PROTECTED]: <POINTOPOINT,NOARP,UP> mtu 1476 qdisc noqueue
> link/gre 192.168.0.1 peer 192.168.0.2

i use "ifconfig" to get it running. should i not?

> At this stage, the tunnel is set - you need to do the same with the peer. You
> will have also to set your routing table - If you have a gateway turn on the
> forwarding. My config has the firewall enabled - If you do the same make sure
> you install the right ACCEPT rule. But as far as I can see, the source of your
> problems seems located around a kernel config.
>
> Hope this will help ...

thanks for your pointers! i wish i'd had them two weeks ago, but i didn't
know what to ask for...

here's what i've got that seems to work:

    #!/bin/sh
    # create new device
    ip tunnel add $DEV \
        local $OUTSIDE_HERE \
        remote $OUTSIDE_THERE \
        mode gre \
        ttl 255
    # set it up to talk between these two points (with network on far end)
    ifconfig $DEV $INSIDE_HERE pointopoint $INSIDE_THERE \
        netmask 255.255.255.0
    # now re-establish our firewall rules to include the new gadget
    ipmasq

-- and it doesn't seem to matter where i specify TTL, either:

    # ip tunnel add dave \
        ttl 255 \
        local 208.33.90.85 remote 208.7.139.219 \
        mode gre
    # ip tunnel show | grep dave
    dave: gre/ip remote 208.7.139.219 local 208.33.90.85 ttl inherit

ttl always slips back to 'inherit'...

thanks for your help!
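
For step b) of the quoted advice, one way to compare a kernel's `.config` with the options in the quoted list (an added example, not part of the original message and not iproute2 code). The `CONFIG_` symbol names are assumed to be the 2.2-series names for those menu labels, which the thread gives only as labels, and the sample config is constructed.

```shell
#!/bin/sh
# Added example: report which of the netlink / routing / tunnel options from
# the quoted menuconfig list are built in (y), modular (m) or absent (n).
# ASSUMPTION: these CONFIG_ names are the 2.2-series symbols for the labels.
REQUIRED='Kernel/User netlink socket|CONFIG_NETLINK
Routing messages|CONFIG_RTNETLINK
IP: advanced router|CONFIG_IP_ADVANCED_ROUTER
IP: policy routing|CONFIG_IP_MULTIPLE_TABLES
IP: tunneling|CONFIG_NET_IPIP
IP: GRE tunnels over IP|CONFIG_NET_IPGRE'

# option_state SYMBOL: looks SYMBOL up in the .config text held in $CFG.
# Prints y or m when set; "# CONFIG_X is not set" or no line at all gives n.
option_state() {
    state=$(printf '%s\n' "$CFG" |
        sed -n "s/^$1=\([ym]\)[[:space:]]*\$/\1/p" | head -n 1)
    echo "${state:-n}"
}

# report_config < .config: one "state symbol label" line per required option.
report_config() {
    CFG=$(cat)
    printf '%s\n' "$REQUIRED" | while IFS='|' read -r label sym; do
        printf '%s %-26s %s\n' "$(option_state "$sym")" "$sym" "$label"
    done
}

# missing_options < .config: prints only the symbols that are neither y nor m.
missing_options() {
    report_config | awk '$1 == "n" { print $2 }'
}

# Constructed sample config (not the poster's real one): rtnetlink disabled.
sample_config() {
    cat <<'EOF'
CONFIG_PACKET=y
CONFIG_NETLINK=y
# CONFIG_RTNETLINK is not set
CONFIG_NETLINK_DEV=m
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_NET_IPIP=m
CONFIG_NET_IPGRE=m
EOF
}

sample_config | report_config
```

Feed `report_config` the `.config` the running kernel was actually built from; where that file lives depends on where the kernel was compiled.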