I have two Windows hosts that will be roaming onto other networks.  I have been using a /32 tunnelled address and OpenVPN.  Looks like OpenVPN is the easiest to reply on the client (Windows) side.

The idea is to use interior routing where possible and resort to tunnelling only for the few sites that are not on the same network.

Still, I am having trouble getting the IPIP tunnels to come up.  I am not sure if this is because of the fact that I am also BGP routed, or whether this is because I am doing something wrong.

Sorry this is rather lengthy, I did truncate command output to limit to what’s relevant.  My assigned address space is 44.135.197.0/24, the gateway public IP is 64.184.193.14.  I created a gateway in the portal for that with both “direct” and “ipip” checked off.

This what I am doing to get IPIP up on Linux:

ip tunnel add ampr0 mode ipip local 64.184.193.14 ttl 255   ip link set dev ampr0 up   ifconfig ampr0 multicast   ip addr add 44.135.197.253/32 dev ampr0   ip rule add to 44.0.0.0/8 table 44 priority 44   ip rule add from 44.0.0.0/8 table 44 priority 45   ./ampr-ripd -t 44 -i ampr0 -d -v -p <secret pwd>

Ifconfig shows my ampr0 interface properly

ampr0     Link encap:IPIP Tunnel  HWaddr              inet addr:44.135.197.253  Mask:255.255.255.255           UP RUNNING NOARP MULTICAST  MTU:1480  Metric:1           RX packets:0 errors:0 dropped:0 overruns:0 frame:0           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0           collisions:0 txqueuelen:0            RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

My routing table looks ok, not sure why the 44.0.0.0/8 source route would be needed, but the few example I’ve seen all have it.

root@amprnetgw:~# ip rule show   0: from all lookup local    44: from all to 44.0.0.0/8 lookup 44    45: from 44.0.0.0/8 lookup 44    32766: from all lookup main    32767: from all lookup default

The ripd daemon populated the table

root@amprnetgw:~# ip route show table 44 | head -5   44.2.2.0/24 via 24.52.189.1 dev ampr0  proto 44 onlink  window 840   44.2.5.0/25 via 176.183.139.74 dev ampr0  proto 44 onlink  window 840   44.2.10.0/29 via 104.49.12.130 dev ampr0  proto 44 onlink  window 840   44.2.14.0/29 via 50.79.156.221 dev ampr0  proto 44 onlink  window 840   44.2.50.0/29 via 75.140.109.173 dev ampr0  proto 44 onlink  window 840

Bt no go pinging various amor.org hosts:

root@amprnetgw:~# ping -c 3 f4gve.ampr.org   PING f4gve.ampr.org (44.151.74.102) 56(84) bytes of data.

--- f4gve.ampr.org ping statistics ---   3 packets transmitted, 0 received, 100% packet loss, time 2015ms

Looking at what’s happening with tcpdump, I see packets going out via ampr0, but it almost looks like something unrecognizable coming back???

On ampr0 I see packet going out and “defective” replies:

root@amprnetgw:~/ampr_tun_docs/src# tcpdump -i ampr0 -n   tcpdump: verbose output suppressed, use -v or -vv for full protocol decode   listening on ampr0, link-type RAW (Raw IP), capture size 262144 bytes   08:41:16.537532 IP truncated-ip - 26540 bytes missing! 151.80.196.50 > 169.228.66.251: ip-proto-4   08:41:17.396730 IP 44.135.197.253 > 44.151.74.102: ICMP echo request, id 9059, seq 23, length 64   08:41:17.545379 IP truncated-ip - 26540 bytes missing! 151.80.196.50 > 169.228.66.251: ip-proto-4   08:41:18.404691 IP 44.135.197.253 > 44.151.74.102: ICMP echo request, id 9059, seq 24, length 64

On eth0 I see replies

root@amprnetgw:~/ampr_tun_docs/src# tcpdump -i eth0 -n host 169.228.66.251   tcpdump: verbose output suppressed, use -v or -vv for full protocol decode   listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes   08:40:59.409308 IP 169.228.66.251 > 64.184.193.14: IP truncated-ip - 26540 bytes missing!  151.80.196.50 > 169.228.66.251: ip-proto-4 (ipip-proto-4)   08:41:00.417480 IP 169.228.66.251 > 64.184.193.14: IP truncated-ip - 26540 bytes missing! 151.80.196.50 > 169.228.66.251: ip-proto-4 (ipip-proto-4)   08:41:01.416735 IP 169.228.66.251 > 64.184.193.14: IP truncated-ip - 26540 bytes missing! 151.80.196.50 > 169.228.66.251: ip-proto-4 (ipip-proto-4)

It almost looks like I am seeing encapsulated packets coming in over the tunnel interface?  Per routing table 151.80.196.50 is the gateway for f4gve.ampr.org/44.151.74.102.

root@amprnetgw:~# ip route show table 44 | grep 151.80.196.50   44.151.74.102 via 151.80.196.50 dev ampr0  proto 44 onlink  window 840

Thanks, Adi VA3ADI

Hi Tom,

Thank you for providing some IP addresses I can work with for testing.  I did try confirming f4gve.ampr.org is alive before I selected it as a host for testing.  It is still alive.

adi@Jazz:~/Working$ ping -c 3 f4gve.ampr.org     PING f4gve.ampr.org (44.151.74.102): 56 data bytes     64 bytes from 44.151.74.102: icmp_seq=0 ttl=48 time=249.300 ms     64 bytes from 44.151.74.102: icmp_seq=1 ttl=48 time=286.401 ms     64 bytes from 44.151.74.102: icmp_seq=2 ttl=48 time=256.990 ms

--- f4gve.ampr.org ping statistics ---     3 packets transmitted, 3 packets received, 0.0% packet loss     round-trip min/avg/max/stddev = 249.300/264.230/286.401/15.988 ms

Adi

...

root@amprnetgw:~# ping -c 3 f4gve.ampr.org PING f4gve.ampr.org (44.151.74.102) 56(84) bytes of data.

Above host is _NOT_ reachable at all. Instead try: 44.151.44.55 - 24h/day on line. My own: 44.165.2.2 / .3 / .5 / .8 and 44.165.15.1

Because you are advertising a route to your subnet via BGP, packets addressed to that subnet will go to you directly and will not reach the gateway at UCSD, and so therefore cannot reach you over a tunnel. - Brian

On Sat, Jan 21, 2017 at 08:52:56AM -0600, Adi Linden via 44Net wrote:

I have two Windows hosts that will be roaming onto other networks. ??I have been using a /32 tunnelled address and OpenVPN. ??Looks like OpenVPN is the easiest to reply on the client (Windows) side.