[ LUGOS ] Virtual private network
Jure Koren
idiot at gimp.ml.org
Sun Jan 3 10:11:58 CET 1999
On Sat, 2 Jan 1999, andy wrote:
> I'm interested in something real, not a txt file that dates from the
> days of the 1.2.* kernels.
Something real? You mean something where you can tick a checkbox saying
these two subnets should see each other, and what do I care how? That
someone would make up a feature and stick the documentation into the
kernel but not the implementation, that has not happened to me yet.
But you will have to do the testing, I don't have two masquerading
subnets at different ends of the net.
This is from the 2.1.130 and 2.0.36 kernels:
Tunneling means encapsulating data of one protocol type within
another protocol and sending it over a channel that understands the
encapsulating protocol. This particular tunneling driver implements
encapsulation of IP within IP, which sounds kind of pointless, but
can be useful if you want to make your (or some other) machine
appear on a different network than it physically is, or to use
mobile-IP facilities (allowing laptops to seamlessly move between
networks without changing their IP addresses; check out
http://anchor.cs.binghamton.edu/~mobileip/LJ/index.html).
Saying Y to this option will produce two modules ( = code which can
be inserted in and removed from the running kernel whenever you
want), one encapsulator called tunnel.o and one decapsulator called
ipip.o. You can read details in drivers/net/README.tunnel. Most
people won't need this and can say N.
The 2.0.36 kernel also has drivers/net/README.tunnel, from which
I offer a piece:
Machine A has an ethernet interface with an IP address
of 111.112.101.37, while machine B is on a different network, with
an ethernet interface at IP address 111.112.100.86. For some
reason, machine A needs to appear on machine B's network. It could
do that by setting up an IP tunnel with machine B.
First, the commands that would be run on machine A:
(Assuming both machines are Linux hosts, running Linux 1.1.x)
# insmod ipip.o ; insmod tunnel.o // Here the drivers are loaded.
# ifconfig tunl 111.112.100.87 pointopoint 111.112.100.86
# ifconfig tunl netmask 255.255.255.0 // Set a proper netmask.
# route add 111.112.100.86 dev eth0 // Set a static route to B.
# route add -net 111.112.100.0 dev tunl // Set up other routes.
At this point, machine A is ready to route all traffic to the
network that machine B resides on. But now, machine B needs to
set up its half of the IP tunnel:
# insmod ipip.o ; insmod tunnel.o // Here the drivers are loaded.
# ifconfig tunl 111.112.100.86 pointopoint 111.112.101.37
# ifconfig tunl netmask 255.255.255.0 // Set a proper netmask.
# route add 111.112.100.87 dev eth0 // Set a static route to B.
# arp -s 111.112.100.87 EE.EE.EE.EE.EE pub // Act as a proxy arp server.
The extra step of "arp -s" is needed so that when machines on
network B query to see if 111.112.100.87 (the "ghost" host)
exists, machine B will respond, acting as an arp proxy for machine
A. In the command line, EE.EE.EE.EE.EE should be replaced with
the ethernet hardware address of machine B's ethernet card.
Notice that machine B's setup is almost the inverse of machine A's
setup. This is because IP tunneling is a peer-to-peer concept.
There is no client and no server, there is no state to keep track
of. The concept is simple. Every IP packet outbound through the
tunnel interface is wrapped and sent to the pointopoint address
and every incoming IP-in-IP packet bound for the local machine is
unwrapped and re-routed normally.
For me that would be enough encouragement to give it a try.
Jure