Community


All times are UTC - 5 hours




Post new topic Reply to topic  [ 8 posts ] 
Author Message
 Post subject: Routing point to point VPN (lan2lan)
PostPosted: Mon Sep 13, 2010 10:36 pm 
Offline

Joined: Sun Sep 12, 2010 1:14 pm
Posts: 4
I have been trying to figure this out for a couple of days now and I'm hitting a wall here. I have used the exact steps you have provided in this wiki info http://www.neorouter.com/wiki/index.php ... workBridge
But it still doesn't work. Below is a description of what I'm trying to accomplish here.


Code:
site2site vpn
         Neo                      Neoclient
192.168.69.0/24 <----------------------> 192.168.67.0/24
      10.1.0.2                      10.1.0.3
  Client+Server                      Client


Both client boxes are Linux and have one internet connected interface through which the connection is established.

    First box acting as server and client
    Hostname: neo
    IP: 192.168.69.119
    nrIP: 10.1.0.2

Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.69.0    0.0.0.0         255.255.255.0   U     10     0        0 eth0
192.168.67.0    10.1.0.3        255.255.255.0   UG    0      0        0 nrtap
10.1.0.0        0.0.0.0         255.255.255.0   U     0      0        0 nrtap


    Second box, acting as a client
    Hostname: neoclient
    IP: 192.168.67.1
    nrIP: 10.1.0.3

Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.67.0    0.0.0.0         255.255.255.0   U     5      0        0 eth1
192.168.69.0    10.1.0.2        255.255.255.0   UG    0      0        0 nrtap
10.1.0.0        0.0.0.0         255.255.255.0   U     0      0        0 nrtap


- Cannot ping 192.168.69.119 from 192.168.67.1 or the other way around.
- Ping goes through using 10.1.0.3 or 2 addresses
- Routing has been enabled on both machines
    [root@neoclient NeoRouter]# cat /proc/sys/net/ipv4/ip_forward
    1
    [root@neo NeoRouter]# cat /proc/sys/net/ipv4/ip_forward
    1

- Neorouter server and client versions on both: NeoRouter Free [Version 1.1.2.2110]

What am I missing? here?

One thing I have noticed when I restart the nrservice, it will print out ifconfig usage info... should it do that? I even installed two different linux distros to see if this happens on other distros too, and it does.

If anyone could point me to right direction, I would be very grateful.

Thanks
S


Top
 Profile  
 
 Post subject: Re: Routing point to point VPN (lan2lan)
PostPosted: Tue Sep 14, 2010 8:29 am 
Offline

Joined: Sun Nov 16, 2008 6:41 am
Posts: 1878
Hi sai,

Did you set the enable the NetworkBridge feature and static route table in "Feature.ini"? It's necessary.
The settings should be set for all platforms.
Sample:

[Default]
NetworkBridge=1
LANSegment1=192.168.67.0/255.255.255.0,10.0.0.3
LANSegment2=192.168.69.0/255.255.255.0,10.0.0.2

The NetworkBridge allows NR Service to process misc packets. The LANSegmentX is the static route tables for NR service to route those packets.

The setting is explained in the diagram on our Wiki (http://www.neorouter.com/wiki/index.php ... idge_2.png). Sorry for confusing you.

Let us know if you still have problem.

Thanks,
KevinZ - NeoRouter team


Top
 Profile  
 
 Post subject: Re: Routing point to point VPN (lan2lan)
PostPosted: Tue Sep 14, 2010 11:30 pm 
Offline

Joined: Sun Sep 12, 2010 1:14 pm
Posts: 4
Hey

Thanks for getting back to me this fast.

I indeed have defined these in the Feature.ini files on both of the clients, but still no success. I forgot to mention this in the first post.

They are located in /usr/local/ZebraNetworkSystems/NeoRouter as mentioned in the bridging guide.

I tried to strace to see if it really reads the Feature.ini at all and yes it does.

Code:
3791  open("/usr/local/ZebraNetworkSystems/NeoRouter/Feature.ini", O_RDONLY) = 3
3791  fstat(3, {st_mode=S_IFREG|0644, st_size=123, ...}) = 0
3791  mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f8f6e545000
3791  read(3, "[Default]\nNetworkBridge=1\nLANSeg"..., 4096) = 123
3791  read(3, "", 4096)                 = 0
3791  close(3)                          = 0


Still no luck :(

Anything else I could test?


One thing bothers me, the ifconfig usage I am getting after restarting nrservice. Below is the output.

Code:
[root@neo NeoRouter]# /etc/rc.d/init.d/nrservice.sh restart
Shutting down nrservice services: /bin/bash: line 1:  3872 Terminated              /usr/bin/nrservice
Starting nrservice services:                                    [  OK  ]
[root@neo NeoRouter]# Usage:
  ifconfig [-a] [-v] [-s] <interface> [[<AF>] <address>]
  [add <address>[/<prefixlen>]]
  [del <address>[/<prefixlen>]]
  [[-]broadcast [<address>]]  [[-]pointopoint [<address>]]
  [netmask <address>]  [dstaddr <address>]  [tunnel <address>]
  [outfill <NN>] [keepalive <NN>]
  [hw <HW> <address>]  [metric <NN>]  [mtu <NN>]
  [[-]trailers]  [[-]arp]  [[-]allmulti]
  [multicast]  [[-]promisc]
  [mem_start <NN>]  [io_addr <NN>]  [irq <NN>]  [media <type>]
  [txqueuelen <NN>]
  [[-]dynamic]
  [up|down] ...

  <HW>=Hardware Type.
  List of possible hardware types:
    loop (Local Loopback) slip (Serial Line IP) cslip (VJ Serial Line IP)
    slip6 (6-bit Serial Line IP) cslip6 (VJ 6-bit Serial Line IP) adaptive (Adaptive Serial Line IP)
    strip (Metricom Starmode IP) ash (Ash) ether (Ethernet)
    tr (16/4 Mbps Token Ring) tr (16/4 Mbps Token Ring (New)) ax25 (AMPR AX.25)
    netrom (AMPR NET/ROM) rose (AMPR ROSE) tunnel (IPIP Tunnel)
    ppp (Point-to-Point Protocol) hdlc ((Cisco)-HDLC) lapb (LAPB)
    arcnet (ARCnet) dlci (Frame Relay DLCI) frad (Frame Relay Access Device)
    sit (IPv6-in-IPv4) fddi (Fiber Distributed Data Interface) hippi (HIPPI)
    irda (IrLAP) ec (Econet) x25 (generic X.25)
    infiniband (InfiniBand)
  <AF>=Address family. Default: inet
  List of possible address families:
    unix (UNIX Domain) inet (DARPA Internet) inet6 (IPv6)
    ax25 (AMPR AX.25) netrom (AMPR NET/ROM) rose (AMPR ROSE)
    ipx (Novell IPX) ddp (Appletalk DDP) ec (Econet)
    ash (Ash) x25 (CCITT X.25)


I have no idea if this has something to do with the problem. But I see this same message on every Linux machine I have tried this, so it is not a distribution related thing.


I debugged this a bit and found this in strace
Code:
3798  execve("/sbin/ifconfig", ["/sbin/ifconfig", "nrtap", "hw", "ether"], [/* 49 vars */]) = 0
3798  brk(0)                            = 0x191f000


And right after that the syntax is printed out

Before that in the strace there is another execve which works, and does not print out the usage
Code:
3798  execve("/bin/sh", ["sh", "-c", "/sbin/ifconfig nrtap hw ether "], [/* 49 vars */] <unfinished ...>
3796  <... close resumed> )             = 0



BR,
Sai


Top
 Profile  
 
 Post subject: Re: Routing point to point VPN (lan2lan)
PostPosted: Wed Sep 15, 2010 7:32 am 
Offline

Joined: Sun Nov 16, 2008 6:41 am
Posts: 1878
Hi sai,

It's normal that you can see the ifconfig output when you run nrservice manually.

The best tool to troubleshoot would be wireshark or tcpdump. You can hook it on the nrtap, then ping to the remote IP address see if you can capture the IP packets from nrtap. If you do, this endpoint works well; then check the other side, see if you can see the packets come to nrtap. If you can see that, the packets go to the route table.

If you cannot see thr IP packets sent in the nrtap, please check the ip_forward. One of issues would be ip_forward didn't work, as it affects on non-initialized network interfaces. So it would be better to set it in sys_ctrl.conf and restart.

Btw, please temporaryly turn off the iptables before testing.

Thanks,
KevinZ - NeoRouter team


Top
 Profile  
 
 Post subject: Re: Routing point to point VPN (lan2lan)
PostPosted: Wed Sep 15, 2010 8:56 am 
Offline

Joined: Sun Sep 12, 2010 1:14 pm
Posts: 4
Hi

I did this.

When on Neo (just client, 10.1.0.3 & 192.168.67.1)

I take a tcpdump -n -i nrtap, then ping 192.168.69.1
I can see the packets coming to nrtap interface
Code:
16:43:21.086676 IP 10.1.0.3 > 192.168.69.1: ICMP echo request, id 3329, seq 126, length 64
16:43:22.086685 IP 10.1.0.3 > 192.168.69.1: ICMP echo request, id 3329, seq 127, length 64
16:43:23.086680 IP 10.1.0.3 > 192.168.69.1: ICMP echo request, id 3329, seq 128, length 64
16:43:24.086683 IP 10.1.0.3 > 192.168.69.1: ICMP echo request, id 3329, seq 129, length 64
16:43:25.086668 IP 10.1.0.3 > 192.168.69.1: ICMP echo request, id 3329, seq 130, length 64


On 10.1.0.2 & 192.168.69.119 nrtap interface we see nothing. The packets are not reaching the other side. Even though they are sent there.

The other side works the same way, packets are sent, but they go to bit heaven.

No iptables, forwarding works, any other clues what might be wrong?

BR,
S


Top
 Profile  
 
 Post subject: Re: Routing point to point VPN (lan2lan)
PostPosted: Wed Sep 15, 2010 7:40 pm 
Offline

Joined: Sun Nov 16, 2008 6:41 am
Posts: 1878
Hi sai,

I cannot repro your issue in our lab, I did a similar testing and it works.

Can you try this? Ping from 10.0.0.x (one gw) to another private IP (192.168.x.x) and capture the packets if it works. At least you should see the ping icmp packets on both sites.

Thanks,
KevinZ - NeoRouter team


Top
 Profile  
 
 Post subject: Re: Routing point to point VPN (lan2lan)
PostPosted: Tue Sep 21, 2010 12:57 am 
Offline

Joined: Sun Sep 12, 2010 1:14 pm
Posts: 4
Hey

Could you tell me the specs of your lab environment? Win/Linux what versions/distro.

If it is related to something with them. Since I really can't seem to get it working. :cry:

Sai


Top
 Profile  
 
 Post subject: Re: Routing point to point VPN (lan2lan)
PostPosted: Tue Sep 21, 2010 8:43 am 
Offline

Joined: Sun Nov 16, 2008 6:41 am
Posts: 1878
Hi sai,

I tested the same network structure as yours. I think there would be just something wrong. But without touching your system, it would be hard for me to investigate it.

Thanks,
KevinZ - NeoRouter team


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 8 posts ] 

All times are UTC - 5 hours


Who is online

Users browsing this forum: No registered users and 24 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
cron