First off I don't claim to know much about VPNs and encapsulation.
Everyone I talk to tells me openvpn should do what I want.
I take it that is a stateful type of connection?
Brian, the problem I see is if I set up another rip44 listener gateway, how do I direct the encapped traffic to our NATed, internal IP? An entry in the portal will get it to their router (outside address), but having them place a forwarding rule to get it from there to our 192 internal address probably won't happen.
---- Quote------
On Wed, Apr 17, 2013 at 12:38:01AM -0500, kb9mwr at gmail.com wrote:
It doesn't really make sense to put another gateway in the portal, as I doubt the rip packets will pass through.
The AMPRNet internal RIP packets from 'amprgw' are sent encapsulated, so if you can do IP-IP tunnels at all, the RIP should get through too.
One way to see whether a firewall will pass IP-IP tunnels is to add its address as a gateway and see if you get tunnel traffic on the other side. Since the internal RIP is sent every 5 minutes, it can be a simple test of your incoming connectivity. - Brian
On Wed, Apr 17, 2013 at 09:21:42AM -0500, kb9mwr@gmail.com wrote:
Brian, the problem I see is if I set up another rip44 listener gateway, how do I direct the encapped traffic to our NATed, internal IP? An entry in the portal will get it to their router (outside address), but having them place a forwarding rule to get it from there to our 192 internal address probably won't happen.
I'm unclear on the topology of your network; I'm going to assume that the separate clusters each have a separate NAT/firewall protecting them.
In that case, I believe you may get the IPIP traffic to pass through the NAT/firewall to the internal host by designating the internal host as a DMZ host. You would then register the NAT/firewall's public IP address as the gateway host.
I'd wager it depends on the software in the NAT/firewall so some may do it and others may not. I heard that OpenWRT does handle IPIP encapsulation.
I've not tried that myself so others who have done so should comment on whether this approach actually works.
I'd much appreciate you writing up what you wind up doing and publish it on the wiki so others may share your experience. - Brian
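Brian's two replies above both come down to one observable: if IP-IP tunnels get through the NAT/firewall (via a DMZ host or otherwise), the internal host will start receiving IP protocol 4 packets that carry a RIPv2 announcement. The decoder below is an added example written for this page, not code from the thread, from amprgw or from the AMPRNet portal. It assumes only the standard formats: RFC 2003 IP-in-IP (outer protocol 4), RFC 2453 RIPv2 over UDP/520 (20-byte entries, AFI 0xFFFF for an authentication entry). Every address, route and password in the constructed sample frame is a placeholder, not a real AMPRNet assignment or the real RIP44 contents.

```python
"""Decode an IP-in-IP encapsulated RIPv2 announcement (added example, constructed data)."""
import socket
import struct

IPPROTO_IPIP = 4      # outer protocol number for IP-in-IP (RFC 2003)
IPPROTO_UDP = 17
RIP_PORT = 520        # RIPv2 is carried over UDP/520 (RFC 2453)
RIP_ENTRY_LEN = 20    # AFI(2) tag(2) addr(4) mask(4) nexthop(4) metric(4)
AFI_IP = 2
AFI_AUTH = 0xFFFF     # RFC 2453 s4.1: authentication entry marker


def parse_ipv4(buf):
    """Return (proto, src, dst, payload) for one IPv4 packet, honoring IHL and total length."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (buf[0] & 0x0F) * 4
    total_len = struct.unpack("!H", buf[2:4])[0]
    if ihl < 20 or total_len < ihl or len(buf) < total_len:
        raise ValueError("truncated or malformed IPv4 header")
    src = socket.inet_ntoa(buf[12:16])
    dst = socket.inet_ntoa(buf[16:20])
    return buf[9], src, dst, buf[ihl:total_len]


def parse_rip(buf):
    """Return (command, version, auth_types, routes) from a RIPv2 payload."""
    if len(buf) < 4:
        raise ValueError("RIP payload too short")
    command, version = buf[0], buf[1]
    routes, auth_types = [], []
    for off in range(4, len(buf) - RIP_ENTRY_LEN + 1, RIP_ENTRY_LEN):
        afi = struct.unpack("!H", buf[off:off + 2])[0]
        if afi == AFI_AUTH:
            # the auth type sits where the route tag would be; the other 16 bytes are auth data
            auth_types.append(struct.unpack("!H", buf[off + 2:off + 4])[0])
            continue
        if afi != AFI_IP:
            continue  # skip address families we do not understand
        addr, mask, nexthop, metric = struct.unpack("!4s4s4sI", buf[off + 4:off + 20])
        routes.append((socket.inet_ntoa(addr), socket.inet_ntoa(mask),
                       socket.inet_ntoa(nexthop), metric))
    return command, version, auth_types, routes


def decode_encapsulated_rip(frame):
    """Peel outer IPv4 -> inner IPv4 -> UDP/520 -> RIP; raise if any layer is not what we expect."""
    proto, outer_src, outer_dst, inner = parse_ipv4(frame)
    if proto != IPPROTO_IPIP:
        raise ValueError(f"outer protocol {proto} is not IPIP (4)")
    proto, inner_src, inner_dst, udp = parse_ipv4(inner)
    if proto != IPPROTO_UDP:
        raise ValueError(f"inner protocol {proto} is not UDP")
    sport, dport, ulen, _csum = struct.unpack("!HHHH", udp[:8])
    if dport != RIP_PORT:
        raise ValueError(f"inner UDP destination port {dport} is not RIP")
    command, version, auth_types, routes = parse_rip(udp[8:ulen])
    return {"outer": (outer_src, outer_dst), "inner": (inner_src, inner_dst),
            "command": command, "version": version,
            "auth_types": auth_types, "routes": routes}


def is_encapsulated_rip(frame):
    """Boolean form of the check Brian describes: did an encapsulated RIP announcement arrive?"""
    try:
        decode_encapsulated_rip(frame)
        return True
    except ValueError:
        return False


def _ipv4_header(proto, src, dst, payload_len):
    """Minimal 20-byte IPv4 header with a zero checksum (fine for offline decoding, not for sending)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def build_sample_frame():
    """Constructed test input (placeholder addresses): a RIPv2 response with one plaintext-auth
    entry and two routes, wrapped in UDP/520, an inner IPv4 header and an outer IPIP header."""
    entries = struct.pack("!HH16s", AFI_AUTH, 2, b"example-password".ljust(16, b"\x00"))
    for prefix, mask, nexthop, metric in (
        ("44.10.20.0", "255.255.255.0", "203.0.113.10", 1),
        ("44.10.21.0", "255.255.255.0", "198.51.100.7", 1),
    ):
        entries += struct.pack("!HH4s4s4sI", AFI_IP, 0, socket.inet_aton(prefix),
                               socket.inet_aton(mask), socket.inet_aton(nexthop), metric)
    rip = struct.pack("!BBH", 2, 2, 0) + entries            # command 2 = response, version 2
    udp = struct.pack("!HHHH", RIP_PORT, RIP_PORT, 8 + len(rip), 0) + rip
    inner = _ipv4_header(IPPROTO_UDP, "44.0.0.42", "44.10.20.1", len(udp)) + udp
    return _ipv4_header(IPPROTO_IPIP, "192.0.2.1", "203.0.113.10", len(inner)) + inner


if __name__ == "__main__":
    for route in decode_encapsulated_rip(build_sample_frame())["routes"]:
        print(route)
```

To use this against live traffic, feed it the IP payload of each protocol-4 packet captured on the host behind the NAT (for example from a raw socket or a pcap); if `is_encapsulated_rip` never returns True within the 5-minute announcement interval Brian mentions, the tunnel traffic is being dropped before it reaches you.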
Why not use protocols that are designed for this type of distributed network, like MPLS (http://en.wikipedia.org/wiki/Multiprotocol_Label_Switching)?
Even very inexpensive routers (http://routerboard.com/) can now build MPLS circuits (http://wiki.mikrotik.com/wiki/Manual:MPLS).
------------------------------ John D. Hays K7VE PO Box 1223, Edmonds, WA 98020-1223 http://k7ve.org/blog http://twitter.com/#!/john_hays http://www.facebook.com/john.d.hays
On Wed, Apr 17, 2013 at 9:47 AM, Brian Kantor Brian@ucsd.edu wrote: