Tunneling issues
Mike Tancsa
mike at sentex.net
Wed Jul 9 18:04:35 UTC 2008
At 01:30 PM 7/9/2008, zaphod at fsklaw.com wrote:
>Seems pretty straight forward a tunnel. But nothing heads out. Can't ping
>a thing.

I think your tunnel endpoints are overlapping your remote subnets.
The GIF tunnel IP addresses are not supposed to be on the same internal LAN.

If server 1's public IP is 1.1.1.1 and server 2 is 2.2.2.2 and
server1's internet network is 192.168.1.0/24 and server2's inside
network is 192.168.2.0/24

This should work.

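#!/bin/sh
# server1 script to connect to server2
MEOUTSIDE=1.1.1.1            # public address of this server
MEINSIDE=10.10.69.1          # inner tunnel address, outside both LANs
REMOTEOUTSIDE=2.2.2.2        # public address of the peer
REMOTEINSIDE=10.10.69.2      # peer's inner tunnel address
REMOTENET=192.168.2.0/24     # LAN behind the peer
# create gif1 and set the outer (encapsulating) endpoints
/sbin/ifconfig gif1 create tunnel $MEOUTSIDE $REMOTEOUTSIDE
# assign the inner point-to-point addresses
/sbin/ifconfig gif1 $MEINSIDE netmask 255.255.255.252 $REMOTEINSIDE
# replace any existing route to the remote LAN with one via the tunnel
/sbin/route delete $REMOTENET
/sbin/route add $REMOTENET $REMOTEINSIDE

#!/bin/sh
# server2 script to connect to server1
MEOUTSIDE=2.2.2.2            # public address of this server
MEINSIDE=10.10.69.2          # inner tunnel address, outside both LANs
REMOTEOUTSIDE=1.1.1.1        # public address of the peer
REMOTEINSIDE=10.10.69.1      # peer's inner tunnel address
REMOTENET=192.168.1.0/24     # LAN behind the peer
# create gif1 and set the outer (encapsulating) endpoints
/sbin/ifconfig gif1 create tunnel $MEOUTSIDE $REMOTEOUTSIDE
# assign the inner point-to-point addresses
/sbin/ifconfig gif1 $MEINSIDE netmask 255.255.255.252 $REMOTEINSIDE
# replace any existing route to the remote LAN with one via the tunnel
/sbin/route delete $REMOTENET
/sbin/route add $REMOTENET $REMOTEINSIDE
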
Also, don't confuse using GIF and IPSEC. To create some IPSEC
tunnels, you don't need gif or gre interfaces. The policies will do
that for you.
---Mike
>Server1
>
>orange# more mkgif
>#/bin/sh
>ifconfig gif1 create
>ifconfig gif1 1.1.1.1 2.2.2.2
>ifconfig gif1 inet 192.168.72.1 192.168.70.1 netmask 255.255.255.0
>ifconfig gif1 tunnel 1.1.1.1 2.2.2.2
>ifconfig gif1 mtu 1500
>route change 192.168.70.0 192.168.70.1 255.255.255.0
>route change 192.168.71.0 192.168.70.1 255.255.255.0
>
>Server2
>to# more mkgif
>#/bin/sh
>ifconfig gif1 create
>ifconfig gif1 2.2.2.2 1.1.1.1
>ifconfig gif1 inet 192.168.70.1 192.168.72.1 netmask 255.255.255.0
>ifconfig gif1 tunnel 2.2.2.2 1.1.1.1
>ifconfig gif1 mtu 1500
>route change 192.168.72.0 192.168.72.1 255.255.255.0
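
The overlap described in the reply can be checked before any ifconfig or route command runs. The script below is an added example, not part of the original thread: the function names are hypothetical, and the /24 LAN prefixes for the quoted configuration are assumed from its 255.255.255.0 netmasks and route targets.

```sh
#!/bin/sh
# Added example (not from the original post): pre-flight check that the
# gif inner addresses sit outside every LAN routed over the tunnel.

# ip_to_int A.B.C.D -> print the address as a 32-bit integer
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1            # split the dotted quad into $1..$4
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/LEN -> exit status 0 if IP lies inside NET/LEN
in_cidr() {
    c_ip=$(ip_to_int "$1")
    c_net=$(ip_to_int "${2%/*}")
    c_len=${2#*/}
    c_mask=$(( (4294967295 << (32 - c_len)) & 4294967295 ))
    [ $(( c_ip & c_mask )) -eq $(( c_net & c_mask )) ]
}

# check_tunnel MEINSIDE REMOTEINSIDE NET/LEN...
# Prints each overlap; exit status is the number of overlaps (0 = clean).
check_tunnel() {
    t_me=$1; t_peer=$2; shift 2
    t_bad=0
    for t_net in "$@"; do
        for t_addr in "$t_me" "$t_peer"; do
            if in_cidr "$t_addr" "$t_net"; then
                echo "overlap: tunnel address $t_addr is inside $t_net"
                t_bad=$((t_bad + 1))
            fi
        done
    done
    return "$t_bad"
}

# Constructed input 1: the quoted server1 mkgif (LANs assumed to be /24).
check_tunnel 192.168.72.1 192.168.70.1 \
    192.168.72.0/24 192.168.70.0/24 192.168.71.0/24 ||
    echo "original layout: fix the overlaps above before routing"

# Constructed input 2: the layout from the reply.
check_tunnel 10.10.69.1 10.10.69.2 192.168.1.0/24 192.168.2.0/24 &&
    echo "reply layout: no overlap"
```

Pass the two inner tunnel addresses first, then every LAN prefix on either side of the tunnel.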