[Openswan Users] VPN on UML

Michael Richardson mcr at sandelman.ottawa.on.ca
Sat Jul 3 16:31:28 CEST 2004



>>>>> "Simon" == Simon Matthews <simon at paxonet.com> writes:
    >> In other words, you haven't got a proper network between the host
    >> and the UMLs.
    >> 
    >> If you don't want to do networking, then don't.  If you do, then
    >> do it properly. Don't play games.

    Simon> With respect, please don't comment if you don't understand
    Simon> what is going on.

  I certainly can't understand until you tell me.

    Simon> I have a working UML machine, provided by a commercial

  I claim that you have a hack that appears to work, but really doesn't.
  As someone who hacks on UML networking regularly, what you have seems
very daft.

    Simon> virtual host provider. I don't have control over the network
    Simon> configuration (well, I can change it, but the machine
    Simon> probably won't work if I do), but I do have working
    Simon> networking. Heck, I don't even know where the machine is
    Simon> hosted, I only access it via the Internet.

    Simon> Now maybe there is some better way the UML networking could
    Simon> be configured -- such that Free/OpenS/WAN would work --
    Simon> answers to solve that problem would be welcome.

  Yes, I'm sure that there is a better way.
  And, I'm sure that your UML virtual hosting provider wants to make
this work as well.

    Simon> Note that in my original email, I changed the first 3 octets
    Simon> of my real IP address to 1.2.3.

  There are several ways in which you can connect a virtual host to the
Internet:
  1) connect a UML eth0 in ethertap mode to a /dev/tun/tapX device.
    1a) bridge tapX and host-eth0, so that you appear to be on the Internet.
	In that case, you would have a proper network route for the
	physical network you are connected to. You would use the real
	physical default route.

    1b) proxy-arp for tapX, and route between tapX and host-eth0.
	In that case, you should have a route to the host, and the host
	has a host route for you. It proxy-ARPs for you.
	
	Since the tapX and UML-eth0 are really now on a virtual network
	segment you should still have a network route. The tapX likely is
	numbered in private network address space, and if you configure
	an appropriate alias on your eth0, then you can add a default 
	route via the tapX address.

  2) connect a UML-switch process to /dev/tun/tap0, and use daemon mode
     to connect to the UMLs. This scales much better.
     It has the disadvantage that there really is a network with
     multiple hosts on it. You really should have a network route.

  My guess is that your provider is doing 1b or (2), but hasn't told you
what the virtual network subnet is.

-- 
]     "Elmo went to the wrong fundraiser" - The Simpson         |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
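Option 1b above (proxy-ARP on the host, host route to the guest, default route on the guest via the tap address), written out as a host-side script. This is an added example, not from the mail or from the UML project; the interface names tap0/eth0, the guest address 1.2.3.4 (standing in for the redacted 1.2.3.x) and the private tap address 10.0.0.1 are assumptions. With DRY_RUN=1 it prints the commands instead of running them, so it can be reviewed without root.

```shell
#!/bin/sh
# Host-side setup for "1b": route between tapX and host-eth0 and proxy-ARP
# for the guest. All names and addresses below are assumed, not from the mail.
TAP=${TAP:-tap0}            # tap the UML's eth0 attaches to
HOST_IF=${HOST_IF:-eth0}    # physical NIC on the host
GUEST_IP=${GUEST_IP:-1.2.3.4}   # guest's public address (placeholder)
TAP_IP=${TAP_IP:-10.0.0.1}      # private address on the host end of the tap

run() {
    # Print instead of execute when DRY_RUN=1 (lets you audit the change set).
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

setup_proxyarp_route() {
    run ip tuntap add dev "$TAP" mode tap
    run ip addr add "$TAP_IP/32" dev "$TAP"
    run ip link set "$TAP" up
    # Host route: exactly one guest lives behind this tap.
    run ip route add "$GUEST_IP/32" dev "$TAP"
    # Forward between tap and NIC; answer ARP for the guest on the physical
    # segment so the upstream router hands its packets to this host.
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w "net.ipv4.conf.$HOST_IF.proxy_arp=1"
    run sysctl -w "net.ipv4.conf.$TAP.proxy_arp=1"
}

guest_side_commands() {
    # What the UML itself needs: its public address on eth0, a host route to
    # the tap's private address, and the default route via that address.
    echo "ip addr add $GUEST_IP/32 dev eth0"
    echo "ip route add $TAP_IP/32 dev eth0"
    echo "ip route add default via $TAP_IP dev eth0"
}

if [ "${1:-}" = apply ]; then setup_proxyarp_route; fi
```

Run it as `DRY_RUN=1 sh script.sh apply` first; the guest gets a real address and a real default route, which is what the IPsec stack expects to see.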
