On 04/10/2014 02:33 PM, Marc, LX1DUC wrote:
On 10/04/2014 23:23, Bart Kus wrote:
>> At step (c) the packet matched a route that is associated with an IPIP tunnel. The inner headers are from-44.whatever and to-44.24.240.0/20. When that match is made, the packet is IPIP encapsulated, and given new outer src/dst IPs. The dst-IP in this case should be 44.24.221.1, and the src-IP should be whatever local-address was configured for the IPIP tunnel (which should be routable over his public ISP). Then the router has to make a 2nd routing decision about how to deliver to 44.24.221.1. In this case, it should match the default route (0.0.0.0/0).
> The default route for traffic with ORIGIN (read: NOT necessarily DESTINATION) inside 44/8 will be routed via IPIP to UCSD.
The Internet, in general, does not care about your source IP when making routing decisions. Routing tables work on destination IP information.
I suspect you're referring to a specific case of policy-based routing rules that have been deployed at UCSD and are causing breakage. That's a separate problem I'll deal with later. UCSD is not necessary for the success of the IPIP tunnel mesh communications.
Any potential traffic for 44.24.240.0/20 should never touch UCSD. It's either sent directly via Internet, or via the IPIP tunnel mesh. Traffic to/from UCSD itself may have a problem due to the aforementioned routing weirdness @ UCSD, which we'll look at later.
> Routing via ISP without NAT won't work! Read BCP38.
> Before recommending NAT, please note we don't want NAT because we want to keep the 44net ORIGIN intact.
I'm not sure why you're bringing up NAT. If you're terminating your IPIP tunnels on your edge router, the de/encapsulation and communication can take place entirely without engaging NAT. Your edge router would hold your public IP, and can associate the IPIP tunnels with it. If you're terminating the tunnels inside your network instead, then yes, you'll need some forwarding rules and NAT. I would suggest terminating on your edge router for the simplest config.
> Read BCP38. Really read BCP38. Read BCP38 again.
What is it you think I'm missing here that's in BCP38?
--Bart
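To make the two-step routing decision in the thread concrete, and to show where BCP38 source filtering at the ISP actually bites, here is an added Python model that is not from the thread or from either author. The prefix 44.24.240.0/20 and endpoint 44.24.221.1 are the ones quoted above; the public IP 203.0.113.10, the ISP gateway 203.0.113.1 and the 44net hosts 44.24.200.5 / 198.51.100.9 are assumed placeholders.

```python
import ipaddress

# Constructed model of an edge router terminating an IPIP tunnel: the tunnel prefix
# 44.24.240.0/20 and endpoint 44.24.221.1 come from the thread; everything else is a placeholder.
PUBLIC_IP = ipaddress.ip_address("203.0.113.10")    # assumed ISP-assigned address of the router
AMPRNET = ipaddress.ip_network("44.0.0.0/8")

# Routing table entries: (prefix, next hop, kind). "ipip" entries encapsulate and then
# need a second lookup for the outer destination; "isp" entries send the packet as-is.
ROUTES = [
    (ipaddress.ip_network("44.24.240.0/20"), ipaddress.ip_address("44.24.221.1"), "ipip"),
    (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("203.0.113.1"), "isp"),  # assumed ISP gateway
]

def lookup(dst):
    """Longest-prefix match on the destination only; the source address plays no part."""
    best = None
    for net, nh, kind in ROUTES:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, kind)
    return best

def forward(src, dst):
    """Return (outer_src, outer_dst, encapsulated) as the packet leaves the ISP-facing link."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    net, nh, kind = lookup(dst)
    if kind == "ipip":
        # Step (c): wrap the packet; outer src is the tunnel's local (public) address,
        # outer dst is the tunnel endpoint, and the outer header is routed a second time.
        net2, nh2, kind2 = lookup(nh)
        if kind2 != "isp":
            raise RuntimeError("tunnel endpoint must be reachable via the ISP, not via another tunnel")
        return (PUBLIC_IP, nh, True)
    return (src, dst, False)

def isp_bcp38_accepts(outer_src):
    """The ISP's BCP38 ingress filter passes only source addresses it allocated to this customer."""
    return ipaddress.ip_address(str(outer_src)) == PUBLIC_IP

def egress_leak_check(outer_src, encapsulated):
    """Router-side guard: a 44/8 source may leave the ISP link only inside a tunnel."""
    return encapsulated or ipaddress.ip_address(str(outer_src)) not in AMPRNET

if __name__ == "__main__":
    for dst in ("44.24.240.7", "198.51.100.9"):          # 198.51.100.9: assumed non-44net host
        osrc, odst, enc = forward("44.24.200.5", dst)     # 44.24.200.5: assumed local 44net host
        print(dst, "->", osrc, odst, "ipip" if enc else "plain",
              "bcp38-ok" if isp_bcp38_accepts(osrc) else "DROPPED by ISP ingress filter")
```

The tunnelled case leaves with the router's public IP as outer source and passes a BCP38 filter without NAT; the plain case (a 44net source to a non-44net destination via the default route) is exactly the traffic such a filter discards.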