[plug] CIPE / VPN

Brad Campbell brad at wasp.net.au
Wed Oct 22 14:16:50 WST 2003


Brad Campbell wrote:
> Paul Arch wrote:
> 
>> Hi,
>>  
>>  has anyone had much experience with CIPE ( Crypto IP Encapsulation - 
>> VPN ) .  I am setting up a connection from a Telstra GPRS modem ( 
>> embedded linux server monitoring cooling towers) to a central data 
>> server.  Can anyone suggest any experiences with encrypted tunnels 
>> over the internet, notably behind a NAT gateway.
> 
> 
> Yep, and it works very, very well..
> I have 2 remote tunnels to a single location.
> 
> The main point is running a Fortress Firewall, I have poked 2 holes in 
> it doing udp masq to an internal linux box.
> Both remote ends are behind ADSL/ISDN boxes that only do NAT.
> The remote ends are set up as dynamic ip devices, and told the static ip 
> of the main point. Works a treat..
> 
> The remote ends did not require any configuration of the NAT devices and 
> no static ports or anything like that.
> 

The bit I remembered last night was that on the remote ends if they have 
a dynamic ip, if you need to initiate a connection from the static end, 
you need a ping running on the dynamic end that has a cycle time of less 
than your quickest NAT timeout.

For example, the fortress tracks a udp "connection" for 25 seconds, so I 
send a packet from the remote end and for 25 seconds any packet going 
from the static end knows how to get back to the remote end. If that 
timeout expires then the NAT box has no idea where to send the outgoing 
udp packet to and the whole pile of cards falls down.

On my dynamic ends I have a 10 second ping running that keeps things 
nice and connected.
Just a gotcha to watch anyway.
If you only ever initiate any connections from the dynamic end then this 
is not required.

Brad

_______________________________________________
plug mailing list
plug at plug.linux.org.au
http://mail.plug.linux.org.au/cgi-bin/mailman/listinfo/plug
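The NAT timeout behaviour Brad describes above, as an added example that is not part of the original post or of CIPE: a small Python model of a stateful NAT whose UDP mapping is created by an outbound packet and forgotten once idle for the timeout (25 s, as in the post). It then tries the static end's "reply" after 100 s with no keepalive, with the post's 10 s ping, and with keepalives at or above the timeout. The addresses, ports, starting public port and the exact expiry rule (idle >= timeout) are assumptions for illustration, not measured Fortress Firewall behaviour.

```python
"""Toy model of the NAT gotcha from the post: a NAT only knows where to send an
inbound UDP packet while it still holds a mapping created by an outbound
packet, and that mapping expires a fixed time after the last packet.
Constructed example, not CIPE or Fortress Firewall code; addresses, ports
and the expiry rule are assumed, the 25 s timeout is taken from the post."""

from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]          # (address, UDP port)

NAT_UDP_TIMEOUT = 25.0              # seconds; the post's firewall tracks UDP for 25 s


@dataclass
class Mapping:
    inside: Endpoint                # private (addr, port) of the dynamic end
    public_port: int                # port the NAT allocated on its public address
    remote: Endpoint                # the static end this mapping was opened to
    last_seen: float                # time of the last packet in either direction


@dataclass
class Nat:
    """Stateful NAT: outbound UDP creates/refreshes a mapping; inbound UDP is
    delivered only to a live mapping whose remote matches the sender."""
    public_addr: str = "203.0.113.1"        # assumed public address of the NAT
    timeout: float = NAT_UDP_TIMEOUT
    next_port: int = 40000                  # assumed first dynamically allocated port
    table: Dict[Tuple[Endpoint, Endpoint], Mapping] = field(default_factory=dict)

    def _expire(self, now: float) -> None:
        # Assumed rule: an entry idle for `timeout` seconds or more is forgotten.
        dead = [k for k, m in self.table.items() if now - m.last_seen >= self.timeout]
        for k in dead:
            del self.table[k]

    def outbound(self, now: float, inside: Endpoint, remote: Endpoint) -> Endpoint:
        """Inside host sends to `remote`; returns the public (addr, port) the
        packet leaves with. A fresh mapping gets a fresh public port."""
        self._expire(now)
        key = (inside, remote)
        m = self.table.get(key)
        if m is None:
            m = Mapping(inside, self.next_port, remote, now)
            self.next_port += 1
            self.table[key] = m
        m.last_seen = now
        return (self.public_addr, m.public_port)

    def inbound(self, now: float, src: Endpoint, public_port: int) -> Optional[Endpoint]:
        """Packet from `src` to our public port; returns the inside endpoint it
        is forwarded to, or None when no mapping exists and the NAT drops it."""
        self._expire(now)
        for m in self.table.values():
            if m.public_port == public_port and m.remote == src:
                m.last_seen = now
                return m.inside
        return None


DYNAMIC_END: Endpoint = ("192.168.1.10", 9999)   # assumed: CIPE on the embedded box
STATIC_END: Endpoint = ("198.51.100.5", 9999)    # assumed: CIPE on the central server


def static_end_can_reach(keepalive: Optional[float], at: float,
                         timeout: float = NAT_UDP_TIMEOUT) -> bool:
    """The dynamic end sends one packet at t=0, then one every `keepalive`
    seconds (None = no keepalive). At time `at` the static end sends to the
    public address:port it learned from that first packet. True if delivered."""
    if keepalive is not None and keepalive <= 0:
        raise ValueError("keepalive period must be positive")
    nat = Nat(timeout=timeout)
    learned = nat.outbound(0.0, DYNAMIC_END, STATIC_END)
    t = 0.0
    if keepalive is not None:
        while t + keepalive <= at:
            t += keepalive
            nat.outbound(t, DYNAMIC_END, STATIC_END)
    return nat.inbound(at, STATIC_END, learned[1]) == DYNAMIC_END


if __name__ == "__main__":
    for period in (None, 10.0, 25.0, 30.0):
        print(f"keepalive={period}: static end reaches remote after 100 s -> "
              f"{static_end_can_reach(period, 100.0)}")
```

With no keepalive the static end only gets through inside the first 25 s window; with the post's 10 s ping it gets through at any time. A keepalive of 25 s or more is no better than none: each keepalive arrives after the entry has already been dropped, so the NAT allocates a new public port and the address the static end learned earlier is stale.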