  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1206

Bridge 2 Networks using IP-in-IP tunnel?

Hello,
I have 2 private networks I would like to bridge over the internet using a pair of Windows 2000 servers.
I am not sure the best way to do this but I found IP-in-IP tunnels which looks like it might do what I need.
I do not need encryption between the networks, just a way to bridge them.
I found this link to be helpful when setting this up: http://piglet.uccs.edu/~scold/iptunnel.htm
Both servers have static IPs and both are running Routing and RAS to provide NAT for their internal networks.

ServerA has public ip of a.b.c.170
ServerA has private ip of 10.4.20.199
I have route in A for 10.4.20.0 mask 255.255.255.0 gateway c.a.b.253 interface IPTunnel1

ServerB has public ip of c.a.b.253
ServerB has private ip of 10.3.5.1
I have route in B for 10.3.5.0 mask 255.255.255.0 gateway a.b.c.170 interface IPTunnel1

If this is setup right, I should be able to ping any host on both private networks.  For some reason, my setup doesn't work.

My question:
Is this the proper way to do this, or am I missing something?
Is that website wrong, or is there a better way to accomplish this?
InsolenceCommented:
... I believe 10.x.x.x addresses should have 255.0.0.0 as their subnet if you want to be able to talk from 10.3.x.x to 10.4.x.x addresses...  Or you should use 10.1.3.x and 10.1.4.x for your two server NIC ip addresses with 255.255.0.0 as their subnet.  I could be wrong about that though...  =P

 - Insolence
Frog357Author Commented:
You are correct, but using a static route, I should be able to talk with any network/netmask.  I've changed the netmask on both routers for a test and it still doesn't respond to pings.

When I try to use 255.0.0.0 for the netmask in the route dialog, it prompts me with:
"The network mask entered is not valid."
"The destination address cannot be more specific than the network mask."

lrmooreCommented:
Server A should have a route to LAN B through the tunnel and vice versa:

ServerA has public ip of a.b.c.170
ServerA has private ip of 10.4.20.199
I have route in A for 10.3.5.0 mask 255.255.255.0 gateway c.a.b.253 interface IPTunnel1
                              ^^^^^
ServerB has public ip of c.a.b.253
ServerB has private ip of 10.3.5.1
I have route in B for 10.4.20.0 mask 255.255.255.0 gateway a.b.c.170 interface IPTunnel1
                              ^^^^^^
The--CaptainCommented:
Frog - are you trying to bridge, or route?  You said bridge, but from here it looks like route...

Cheers,
-Jon

chicagoanCommented:
can you post the output of IPCONFIG /ALL and ROUTE PRINT for these machines?


Frog357Author Commented:
The--Captain,
You are right, I was mixing both together.  I was just trying to follow that page which told me how to do it, didn't think about that until now!

lrmoore,
I'm sorry, I made a mistake, I have it the way you explained except I wrote it wrong here.

chicagoan,
Output coming in next message.
Frog357Author Commented:
SERVER A

Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : ServerA
        Primary DNS Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Peer-Peer
        IP Routing Enabled. . . . . . . . : Yes
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Wireless:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : ORiNOCO PC Card (5 Volt)
        Physical Address. . . . . . . . . : 00-00-00-00-00-00
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 64.1.1.170
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 64.1.1.1


Ethernet adapter LAN:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : ADMtek ADM8511 USB To Fast Ethernet Converter
        Physical Address. . . . . . . . . : 00-00-00-00-00-00
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.4.20.199
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :

adapter {8b7519e2-a8f7-42a6-8564-8f54dc676e0c}:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : IP in IP (Tunnel) Interface
        Physical Address. . . . . . . . . : 00-53-45-00-00-00
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 0.0.0.0
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . :
        NetBIOS over Tcpip. . . . . . . . : Disabled

Frog357Author Commented:
SERVER B
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : ServerB
        Primary DNS Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Mixed
        IP Routing Enabled. . . . . . . . : Yes
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter LAN:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : 3Com EtherLink XL 10/100 PCI NIC (3C905-TX)
        Physical Address. . . . . . . . . : 00-00-00-00-00-00
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.3.5.1
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :

PPP adapter {1478FA17-0A83-424D-97BA-24A1433AFB44}:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : 00-53-45-00-00-00
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 66.1.2.253
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 66.1.2.6
        NetBIOS over Tcpip. . . . . . . . : Disabled

adapter {58291bee-37c6-457b-8bae-97befc55c24e}:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : IP in IP (Tunnel) Interface
        Physical Address. . . . . . . . . : 00-53-45-00-00-00
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 0.0.0.0
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . :
        NetBIOS over Tcpip. . . . . . . . : Disabled
chicagoanCommented:
and ROUTE PRINT
Frog357Author Commented:
SERVER A ROUTE PRINT

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 00 00 00 00 00 ...... NET8511 USB To Fast Ethernet Adapter NDIS 5.0 Miniport Driver
0x1000004 ...00 00 00 00 00 00 ...... ORINOCO PC Card
0x1000005 ...00 53 45 00 00 00 ...... IP in IP (Tunnel) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         64.1.1.1      64.1.1.170       1
         10.3.5.0    255.255.255.0          0.0.0.0         1000005       1
        10.4.20.0    255.255.255.0      10.4.20.199     10.4.20.199       1
      10.4.20.199  255.255.255.255        127.0.0.1       127.0.0.1       1
   10.255.255.255  255.255.255.255      10.4.20.199     10.4.20.199       1
     64.1.1.0    255.255.255.0   64.1.1.170  64.1.1.170       1
   64.1.1.170      255.255.255.255        127.0.0.1       127.0.0.1       1
   64.255.255.255  255.255.255.255   64.1.1.170  64.1.1.170       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        224.0.0.0        224.0.0.0      10.4.20.199     10.4.20.199       1
        224.0.0.0        224.0.0.0   64.1.1.170  64.1.1.170       1
  255.255.255.255  255.255.255.255      10.4.20.199     10.4.20.199       1
Default Gateway:      64.1.1.1
===========================================================================
Persistent Routes:
  None

I think I see the problem, but I have no experience with IPIP tunnels.  But it looks like it's missing the gateway on the tunnel interface.  However, in the Routing and RAS MMC I show a gateway for that route!!  What's with that?
Frog357Author Commented:
I see your comment, I'm working on them still ;)

SERVER B
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 00 00 00 00 00 ...... 3Com 3C90x Ethernet Adapter
0x1000003 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
0x13000005 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
0x13000006 ...00 53 45 00 00 00 ...... IP in IP (Tunnel) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     66.1.2.6  66.1.2.253       1
         10.3.5.0    255.255.255.0         10.3.5.1        10.3.5.1       1
         10.3.5.1  255.255.255.255        127.0.0.1       127.0.0.1       1
        10.4.20.0    255.255.255.0          0.0.0.0        13000006       1
   10.255.255.255  255.255.255.255         10.3.5.1        10.3.5.1       1
     66.1.2.6  255.255.255.255   66.1.2.253  66.1.2.253       1
   66.1.2.253  255.255.255.255        127.0.0.1       127.0.0.1       1
   66.255.255.255  255.255.255.255   66.1.2.253  66.1.2.253       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
   169.254.126.31  255.255.255.255        127.0.0.1       127.0.0.1       1
        224.0.0.0        224.0.0.0         10.3.5.1        10.3.5.1       1
        224.0.0.0        224.0.0.0   66.1.2.253  66.1.2.253       1
  255.255.255.255  255.255.255.255         10.3.5.1        10.3.5.1       1
Default Gateway:      66.1.2.6
===========================================================================
Persistent Routes:
  None
chicagoanCommented:
I don't think the lack of a gateway showing in the routing table is a problem
but you might need a route to the remote router on each side, assuming it's 10.4.20.1:

routing ip add rtmroute dest=10.4.20.1 mask=255.255.255.255 nameorindex=IPTunnel1


chicagoanCommented:
We're assuming you're using 'bridge' as a term of art to connect your networks, and that you don't really want to (technically) bridge, which would put a nasty load on a wan link. If you have specific non-routable needs they can be addressed once you get the tunnel up.

BTW, I'm assuming your outside interface with the public IP is not behind a device that's NATing as well.
ShineOnCommented:
Just a side note of advice - once you have successfully created your point-to-point tunnel, harden the you-know-what out of those servers.  Keep them patched to current security hotfixes and shut down all services not needed for VPN.  Then check them on a regular basis to make sure some joker hasn't found another vulnerability and compromised your VPN servers.
Frog357Author Commented:
chicagoan,
Correct, both public IPs are wide open to the internet.  ServerA has a wireless connection (bridged) to our public network.  The only router here is a Cisco 1500 series.  On the ServerB side, it's a dialup connection for the moment; soon it'll be a wireless connection like ServerA.  I am the admin for that dialup chassis and it's directly connected to a public network.  It's possible the public network on ServerB's side is blocking ports 135, 137, 138, 139, 445, 583; would these ports prevent the tunnel from working?

I did make a mistake, after thinking about this, the subject should be "Route traffic between 2 Networks using IP-in-IP tunnel?"  A bridge is not needed, just a way to get packets from privateA -> privateB as if privateB was directly connected.
chicagoanCommented:
>possible the public network on ServerB's side is blocking ports
Normally I'd do a GRE tunnel on the router... here you have to get through the routers on each side, but blocking the ports you mentioned should impede establishment of the tunnel.

You mentioned wireless on B... through a WAP, or ad hoc, or ???

Did you try adding the routes to the routers above?
ShineOnCommented:
Neither PPTP nor L2TP uses those ports; those are primarily legacy Windows networking ports (NetBT) and I think 445 and 583 are NetMeeting, but I'm not sure.
ShineOnCommented:
IIRC, L2TP on Win2K doesn't need GRE.
Frog357Author Commented:
Hi,
The wireless is connected to an Orinoco AP 1000 it's acting as a bridge to our public network.  It does no port blocking or any filtering, just a simple bridge.

Ports 445 and 583 were blocked due to RPC flaws, I think!


I tried adding the netsh routing commands you recommended, I also removed my static routes before doing this.  I tried to ping and it still doesn't work.  My route print looks like this:

Server A
0x1000005 ...00 53 45 00 00 00 ...... IP in IP (Tunnel) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     64.1.1.1  64.1.1.170       1
         10.3.5.1  255.255.255.255          0.0.0.0         1000005       1
      10.4.20.199  255.255.255.255        127.0.0.1       127.0.0.1       1

Server B
0x2000006 ...00 53 45 00 00 00 ...... IP in IP (Tunnel) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     66.1.2.6  66.1.2.253       1
         10.3.5.0    255.255.255.0         10.3.5.1        10.3.5.1       1
         10.3.5.1  255.255.255.255        127.0.0.1       127.0.0.1       1
      10.4.20.199  255.255.255.255          0.0.0.0         2000006       1


Maybe there is another way to do this?  How about standard VPN with Win2k?  That'll allow me to accomplish the same thing basically right?  Anyone have a good how-to for setting that up between 2 networks like I want to do?
ShineOnCommented:
In your RRAS MMC plugin screens, when you look at the link, does it show that it is connected?  It may not be a routing issue at all, but rather that your tunnel isn't up...
chicagoanCommented:
with 10.3.5.1  255.255.255.255          0.0.0.0         1000005       1
you can't ping 10.3.5.1 ...

The routing service is running, no?
Frog357Author Commented:
ShineOn,
Yes on both sides it shows the tunnel as Operational and Admin Status is UP.

chicagoan,
Yes, the routing service is running on both PCs; it's been running for a long time providing NAT for both internal networks.

When I try to ping 10.3.5.1 from 10.4.20.199 I get the response:
Pinging 10.3.5.1 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

When I try to ping 10.4.20.199 from 10.3.5.1 I get the response:
Pinging 10.4.20.199 with 32 bytes of data:

Reply from 66.1.2.253: Destination host unreachable.
Reply from 66.1.2.253: Destination host unreachable.
Reply from 66.1.2.253: Destination host unreachable.
Reply from 66.1.2.253: Destination host unreachable.
ShineOnCommented:
The other side doesn't seem to be routing through the tunnel.
ShineOnCommented:
Try assigning an IP address to the tunnel interface on both sides, using a separate network for the IP tunnel, like something in the class C or B private range, like 192.168.1.1 on one side and 192.168.1.2 on the other side...
Frog357Author Commented:
How do I do that?  In the MMC it does not appear to let you do this.  Would I need to use netsh?  I'm looking into this now!
ShineOnCommented:
It should be part of the RRAS config tools, IIRC.  I don't have one in front of me, or I'd look...
chicagoanCommented:

you'll also need a route to the subnets
routing ip add rtmroute dest=10.4.20.0 mask=255.255.255.0 10.3.5.1
and vice versa

Sorry, I see routing is enabled in ipconfig...
Frog357Author Commented:
I tried doing this to the first router,
netsh routing ip add rtmroute dest=10.3.5.0 mask=255.255.255.0 10.4.20.199
And it responded with:
The parameter is incorrect.

Frog357Author Commented:
I fixed the context and re-ran that last command like:
netsh routing ip add rtmroute dest=10.3.5.0 mask=255.255.255.0 nameorindex="IPTunnel1"

I did this to both sides, still same response from ping commands.  It's like 10.4.20.199 doesn't know what to do with the packets?

I'll run ethereal on one of the servers while I run a ping command, I'll see what is going on with my packets!
Frog357Author Commented:
I'll have to do this tonight, ServerA has ethereal installed, but that program requires more than 256 colors and Terminal services for Win2k doesn't want to allow more than 256.  ServerB is running PCAnywhere but it does not have ethereal installed :(

Frog357Author Commented:
I found a quick simple network sniffer,
From 10.3.5.1, I try to ping 10.4.20.199

The outer IP header shows:
IP Src = 66.1.2.253
IP Dest = 10.3.5.1

The inner IP header shows:
IP Src = 10.3.5.1
IP Dest = 10.4.20.199

I see the problem, the outer ip header has the wrong destination, but what is causing this??

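An added example, not code from the thread: a small Python decoder for an IP-in-IP (protocol 4) frame like the one the sniffer showed above, with a check that the outer header is addressed to the tunnel peer's public IP and the inner header to the remote private subnet. The frame bytes are constructed from the addresses in this comment; 64.1.1.170 is Server A's public IP from the ipconfig output posted earlier.

```python
# Added example (not from the thread): decode an IP-in-IP frame and check
# that its outer header points at the tunnel peer, not at a local address.
import ipaddress
import struct

IPPROTO_IPIP = 4
IPPROTO_ICMP = 1
IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def build_ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header (checksum left at zero; fine for offline parsing)."""
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def parse_ipv4_header(data):
    """Return (src, dst, proto, header_len) for the IPv4 header at data[0:]."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, data[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    return (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
            proto, ihl)


def decapsulate(frame):
    """Split an IP-in-IP frame into (outer, inner) header tuples."""
    outer = parse_ipv4_header(frame)
    if outer[2] != IPPROTO_IPIP:
        raise ValueError("outer header is not protocol 4 (IP-in-IP)")
    inner = parse_ipv4_header(frame[outer[3]:])
    return outer, inner


def check_tunnel_frame(frame, peer_public_ip, remote_private_net):
    """Return a list of problems; an empty list means the frame looks right."""
    outer, inner = decapsulate(frame)
    problems = []
    if outer[1] != peer_public_ip:
        problems.append(f"outer dst {outer[1]} is not the tunnel peer {peer_public_ip}")
    if ipaddress.ip_address(inner[1]) not in ipaddress.ip_network(remote_private_net):
        problems.append(f"inner dst {inner[1]} is outside {remote_private_net}")
    return problems


# Constructed sample: the frame the sniffer saw on Server B
# (outer 66.1.2.253 -> 10.3.5.1, inner 10.3.5.1 -> 10.4.20.199, ICMP echo).
ICMP_ECHO = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"abcdefgh"
INNER = build_ipv4_header("10.3.5.1", "10.4.20.199", IPPROTO_ICMP, len(ICMP_ECHO)) + ICMP_ECHO
BAD_FRAME = build_ipv4_header("66.1.2.253", "10.3.5.1", IPPROTO_IPIP, len(INNER)) + INNER
# What a correctly encapsulated frame should look like: outer dst = Server A's public IP.
GOOD_FRAME = build_ipv4_header("66.1.2.253", "64.1.1.170", IPPROTO_IPIP, len(INNER)) + INNER

if __name__ == "__main__":
    for name, frame in (("bad", BAD_FRAME), ("good", GOOD_FRAME)):
        print(name, check_tunnel_frame(frame, "64.1.1.170", "10.4.20.0/24") or "ok")
```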
Frog357Author Commented:
More info:
From the PC with internal IP of 10.3.5.1, here is my rtmroutes table.
C:\Documents and Settings\Administrator>netsh routing ip show rtmroutes

            Prefix  Protocol    Prf  Met  Gateway          Vw  Interface
------------------  ----------  ---  ---  ---------------  --  ----------------
         0.0.0.0/0  Static        3    1  0.0.0.0          UM  Dialup
       10.3.5.0/24  Local         1    1  10.3.5.1         UM  LAN
       10.3.5.1/32  Local         1    1  127.0.0.1        U   Loopback
      10.4.20.0/24  NetMgmt      10    1  0.0.0.0          UM  IPTunnel1
    10.4.20.199/32  NetMgmt      10    1  0.0.0.0          UM  IPTunnel1
 10.255.255.255/32  Local         1    1  10.3.5.1         UM  LAN
   66.1.2.6/32  Local         1    1  0.0.0.0          UM  Dialup
 66.1.2.253/32  Local         1    1  127.0.0.1        U   Loopback
 66.255.255.255/32  Local         1    1  0.0.0.0          UM  Dialup
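An added example (not from the thread) that serves both the ROUTE PRINT output earlier and the rtmroutes table above: a longest-prefix-match lookup over a constructed copy of Server B's rtmroutes table, showing which interface the inner ping and the IP-in-IP wrapper each resolve to. The addresses come from this thread's output; 64.1.1.170 is Server A's public IP, and 10.3.5.1 is the outer destination the sniffer actually showed.

```python
# Added example (not from the thread): longest-prefix-match lookup over the
# rtmroutes table Server B posted, to see which interface each hop of a
# tunnelled ping resolves to.
import ipaddress

# Constructed copy of Server B's "netsh routing ip show rtmroutes" output.
RTMROUTES_B = """\
            Prefix  Protocol    Prf  Met  Gateway          Vw  Interface
------------------  ----------  ---  ---  ---------------  --  ----------------
         0.0.0.0/0  Static        3    1  0.0.0.0          UM  Dialup
       10.3.5.0/24  Local         1    1  10.3.5.1         UM  LAN
       10.3.5.1/32  Local         1    1  127.0.0.1        U   Loopback
      10.4.20.0/24  NetMgmt      10    1  0.0.0.0          UM  IPTunnel1
    10.4.20.199/32  NetMgmt      10    1  0.0.0.0          UM  IPTunnel1
 10.255.255.255/32  Local         1    1  10.3.5.1         UM  LAN
       66.1.2.6/32  Local         1    1  0.0.0.0          UM  Dialup
     66.1.2.253/32  Local         1    1  127.0.0.1        U   Loopback
 66.255.255.255/32  Local         1    1  0.0.0.0          UM  Dialup
"""


def parse_rtmroutes(text):
    """Parse table rows into (network, gateway, interface); skip header rows."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        try:
            net = ipaddress.ip_network(fields[0])
        except ValueError:
            continue  # header or separator row, not a prefix
        routes.append((net, fields[4], fields[6]))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gateway, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    return best


def trace_tunnelled_ping(routes, inner_dst, outer_dst):
    """Interfaces chosen for the inner packet and for the IP-in-IP wrapper."""
    return lookup(routes, inner_dst)[2], lookup(routes, outer_dst)[2]


ROUTES_B = parse_rtmroutes(RTMROUTES_B)

if __name__ == "__main__":
    # Inner ping to Server A's LAN address; wrapper addressed to its public IP.
    print(trace_tunnelled_ping(ROUTES_B, "10.4.20.199", "64.1.1.170"))
    # The outer destination the sniffer showed: it resolves to Loopback, so
    # the encapsulated packet never leaves Server B.
    print(trace_tunnelled_ping(ROUTES_B, "10.4.20.199", "10.3.5.1"))
```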
ShineOnCommented:
Grasping at straws, here, but could it be binding order?
Frog357Author Commented:
Not sure what the binding should be set for, it was LAN first then Remote Access Connections, I changed this so Remote Access Connections was first, but this did not seem to make any difference.
ShineOnCommented:
Are you using IPSec, or did you set it up for PPTP?
ShineOnCommented:
The guide you used is helpful in connecting a Microsoft VPN to a Linux VPN, but doesn't say an awful lot about the way Microsoft's RRAS VPN works.  It wouldn't hurt to read up on the Microsoft side of the equation, since you're not using any Linux clients in your VPN, AFAIK.

A good article on Win2K VPN:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnw2kmag00/html/vpn.asp

Info on how Win2K RRAS VPN Site-to-Site works:
http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/sag_rras_und_vpn_el.htm

Win2K connecting remote sites deployment guide:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/reskit/deploy/netdepl/ndgch07.asp

Design considerations:
http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/sag_vpn_us06.htm

More than you wanted to know about RRAS:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/reskit/intnetwk/part1/intch02.asp

The--CaptainCommented:
>The--Captain,
>You are right, I was mixing both together.  I was just trying to follow that page which told me how to do it, didn't think
>about that until now

Well, according to netminder, that's the main part of being a PE - I may not know the answer (sorry, but I'm really not up on most aspects of microsoft networking, mainly because I still consider that pair of words an oxymoron), but even if I can point out things which do not make sense, it often helps.

Cheers,
-Jon
EE Networking PE


chicagoanCommented:
The routing table looks right - can you traceroute the other end's public IP using this side's as the source?
ShineOnCommented:
(sorry, but I'm really not up on most aspects of microsoft networking, mainly because I still consider that pair of words an oxymoron)

The--Captain -

You are my new best friend.  hehe.  I have said something similar frequently - "Microsoft Networking is an oxymoron, kinda like Jumbo Shrimp or Military Intelligence."

Unfortunately for users, and for those of us that must support users, they DO have their own way of kinda networking stuff, with a definite leaning toward making it a "Microsoft-only" solution.  If you try to apply "real-world, industry standard" criteria to a Microsoft-based network environment, you are doomed to use Microsoft-specific technologies that "kinda-sorta" meet the standards and "sorta-kinda" follow Industry specs and guidelines - as long as all the "standards" and "specs" and "guidelines" conform to the way Microsoft has decided to support or misinterpret them to fit their own intentions - depending on whether it promotes their best interest or impedes the interest of competitors.

I will now stop "Microsoft-bashing" because they can bash themselves at least as well as I can bash them.  Just so you know I agree in principle, even if you don't necessarily agree in intensity... :-).

The--CaptainCommented:
Oh, my disgust of mickeysoft is just as intense, I assure you - I just know my audience, and the folks in this thread are almost certainly not linux geeks, so I keep my mouth shut for the most part.

Cheers,
-Jon

chicagoanCommented:
<cheers>
ShineOnCommented:
I think (and hope) that the sympathetic audience is growing...
0
