avinashb050800
asked on
Multiple IP addresses
My requirement is to simulate a scenario
in which 2 machines are connected via
gateways accross an insecure network.
A --G1--<insecure net>--G2-- B
But the problem is that I have only two machines
available. One of them has 2 network cards which
I would be using to simulate the '2 gateways across
the net' (G1 and G2). But the other machine has just one network
card, but I would like to simulate it as the 2 'end-point'
machines (A and B).
So I tried cloning the eth0 (having address for A) with a different
IP address (for B, for a different subnet) and tried to
route the packets through the 'gateway' to the 'other' IP
address ('B') but apparently the kernel (or whatever) detects
that the 'remote' address is of the same host and the
packets are never transferred through the network card -
they are simply looped back.
Is it possible to configure the 'end-point' machine
such that it cannot detect it's own 'other' IP address
and is forced to route the packet to the specified
gateway ?
in which 2 machines are connected via
gateways accross an insecure network.
A --G1--<insecure net>--G2-- B
But the problem is that I have only two machines
available. One of them has 2 network cards which
I would be using to simulate the '2 gateways across
the net' (G1 and G2). But the other machine has just one network
card, but I would like to simulate it as the 2 'end-point'
machines (A and B).
So I tried cloning the eth0 (having address for A) with a different
IP address (for B, for a different subnet) and tried to
route the packets through the 'gateway' to the 'other' IP
address ('B') but apparently the kernel (or whatever) detects
that the 'remote' address is of the same host and the
packets are never transferred through the network card -
they are simply looped back.
Is it possible to configure the 'end-point' machine
such that it cannot detect it's own 'other' IP address
and is forced to route the packet to the specified
gateway ?
ASKER
Thanks Jlevie for your comment - but let me put my question in a sharper focus.
If I have a machine with 2 IP addresses and only 1 NIC, is possible to route the packets between them through an external gateway ?
I tried modifying the routing tables to affect that but the packets never reach the NIC. Apparently at some stage the IP detects that the destination address is 'local' ...
Avinash
If I have a machine with 2 IP addresses and only 1 NIC, is possible to route the packets between them through an external gateway ?
I tried modifying the routing tables to affect that but the packets never reach the NIC. Apparently at some stage the IP detects that the destination address is 'local' ...
Avinash
Could you give a specific example of how you've configured the IP's?
Looks like you're trying to implement a VPN. IP tunneling could be a solution to your scenario. In which case private packets are encapsulated and forwarded by way of public, insecure connection.
You need to configure the Linux kernels to support these features on both end stations. Of course I'm just point out this direction. If this suite your situation, you'd want step-by-step instructions and more detailed documentation on how to configure the interfaces.
You need to configure the Linux kernels to support these features on both end stations. Of course I'm just point out this direction. If this suite your situation, you'd want step-by-step instructions and more detailed documentation on how to configure the interfaces.
ASKER
I have cloned my eth0 so I now have
-->eth0 with IP addr 192.9.201.100
-->eth0:0 with IP addr 192.9.205.7
and in the routing tables I have added
Dest gw Iface
192.9.205.0 192.9.201.74 eth0
The configuraration works for all '205.*' bound packets except for '205.7'.
-->eth0 with IP addr 192.9.201.100
-->eth0:0 with IP addr 192.9.205.7
and in the routing tables I have added
Dest gw Iface
192.9.205.0 192.9.201.74 eth0
The configuraration works for all '205.*' bound packets except for '205.7'.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I suppose the insecure connection that A has now is eth0 (192.9.201.100) through GW1 (192.9.201.74) to the other end point B.
Now what you want to accomplish is establish an end-to-end 192.9.205.0 connection through the above link, am I right? If this is what you have in mind, then continue...
The IP-IP, or IP tunneling which implements the GRE, generic routing protocol, is what you need.
In your case, it's not necessary to have two physical network interfaces in each endpoint. You create and configure a (pseudo, virtual...) tunnel interface for 192.9.205.7 on A, also similar on endpoint B. The kernel, IP protocol stack, will encapsulate these 192.9.205.0 packets with 192.9.201.0 headers so that they can be forwarded through the default gateway. On the other endpoint, the kernel of course will take care of the decapsulation.
Different venders have different implementation. Here we have Linux, right?
Now what you want to accomplish is establish an end-to-end 192.9.205.0 connection through the above link, am I right? If this is what you have in mind, then continue...
The IP-IP, or IP tunneling which implements the GRE, generic routing protocol, is what you need.
In your case, it's not necessary to have two physical network interfaces in each endpoint. You create and configure a (pseudo, virtual...) tunnel interface for 192.9.205.7 on A, also similar on endpoint B. The kernel, IP protocol stack, will encapsulate these 192.9.205.0 packets with 192.9.201.0 headers so that they can be forwarded through the default gateway. On the other endpoint, the kernel of course will take care of the decapsulation.
Different venders have different implementation. Here we have Linux, right?
ASKER
I guess jlevie, you've got a point. I would need a reeeeal low level tweaking in the kernel to manage this (route.c ?)...
Ummm, yeah I think that would require major surgery of the kernel's routing engine.
You really need more than two systems to do this. As I think that you are trying to play with encrypted VPNs you'd want four to fully simulate the scenario. However, if you don't have that you could come pretty close by simply treating the link between the two boxes as the insecure network and running the VPN over that. If you think each of the nodes as an encrypting "gateway", it doesn't really make much difference to the box whether the traffic originates from within the box or from a second NIC. Presumably the routing engine is taking care of where the traffic originated and when it's time to encrypt it and pass it out over the link the traffic has effectively become "local".
You really need more than two systems to do this. As I think that you are trying to play with encrypted VPNs you'd want four to fully simulate the scenario. However, if you don't have that you could come pretty close by simply treating the link between the two boxes as the insecure network and running the VPN over that. If you think each of the nodes as an encrypting "gateway", it doesn't really make much difference to the box whether the traffic originates from within the box or from a second NIC. Presumably the routing engine is taking care of where the traffic originated and when it's time to encrypt it and pass it out over the link the traffic has effectively become "local".
You'd need a minimum of four systems to set up the scenario for any realistic testing (but you probably already know that). If the goal is work with mechanisms for transport over insecure networks (encrypted tunnels and the like) you can work that part of the problem with just two systems, each with a single NIC. The routing issues can't be examined without the presence of the gateway boxes.