How to establish multiple tunnels bet. two hosts
Status: Beta
Brought to you by:
dskoll
Menu
▾
▴
#1 How to establish multiple tunnels bet. two hosts
open
nobody
None
5
2004-11-19
2004-11-19
Anonymous
No
I have two hosts that I need to create individual tunnels
between br0 interfaces and also
between br0:0 interfaces.
host1: host1 host2
br0:192.168.11.22 <-tunnel-> br0: 192.168.5.22
br0:0 192.168.11.23<- tunnel->br0:0 192.168.5.23
:
:
:
I am running l2tpd on both hosts.
I do not need to create any (ppp or some other)
sessions on any tunnels, just want multiple tunnels.
Whenever I create the tunnel to br0:0 of host2 from
host1 with the following command:
l2tp-control start-session 192.168.5.23
I see that the host2 reveives the packets from the br0
(rather than br0:0) of host1
(i.e. 192.168.11.22) and then responds to it also via the
br0 ie 192.168.5.22 and not
the br0:0 (i.e. 192.168.5.23) as required.
The source address of br0:0 on host1 is not being
utilized as a source address.
So the issues are as follows:
How do I specify the source address (br0:0) of the
host1 to establist the tunnel to br0:0 on host2?
How do I create more than one tunnel between these
hosts? Currently the same socket is used only for
sessions.
My presumption is that I need to modify the code to
create additional sockets on both hosts
to create additional tunnel end points. And then
somehow bind each client socket to an interface. Is this
possible? How?
Thanks
Shirish Sandesara
shirish@talarinetworks.com
Logged In: YES
user_id=847188
First, I think some clarification of terminology is needed.
The situation you describe is where each host has multiple
IP addresses on a single interface. From the perspective of
the L2TP protocol, each address will look like a separate
peer (LAC or LNS).
So what you want is to establish multiple control
connections (using different endpoint addresses), each of
which has one tunnel carrying one session. You may know
this, but just to make it clear, you are not trying to
create two tunnels within the same control connection (peer
association).
The problem you describe is inherent to how this L2TP
implementation is designed, and is actually quite common
among UDP applications that are not specifically coded to
handle secondary interface addresses. Many implementations
of the RPC portmapper for example also have this same
problem. Unless the code says otherwise, by default all
outbound UDP packets will have their source address set to
the *primary* address of the interface. TCP applications
don't have these issues since the kernel can associate the
incoming and outgoing packets as part of the same flow.
Without code modifications I can think of two ways to solve
this:
1. Run separate instances of the l2tpd daemon, each bound to
a specific listening address (the "listen-addr" parameter in
the global section). --- (I think this may work, but I'm not
totally sure)
2. If you're on Linux, take advantage of the capability of
iptables to do NAT (SNAT and DNAT). Basically you tell the
kernel to correct the source address on outbound UDP packets
based upon the destination address. In your example, you'd
need to create a rule something like,
On host 1 (192.168.11.2x):
iptables -t nat -A POSTROUTING \ -p udp --dport 1701 \ -d 192.168.5.23 \ -j SNAT --to-source 192.168.11.23
On host 2 (192.168.5.2x):
iptables -t nat -A POSTROUTING \ -p udp --dport 1701 \ -d 192.168.11.23 \ -j SNAT --to-source 192.168.5.23
Hope that works... Deron Meranda