Change local Address of ppp link

Hello, all!

We are using a ppp link to the internet over the gsm/gprs network. This
network assigns a IP Address from the 10.0.0.0/8 subnet and gives
access to the internet using NAT.

Over this link we build a VPN connection which assigns a address from
the same subnet to our device.

Since there is a certain risk to get the same address from the network
we want to assgn a fixed address to the local ppp-device in a way that
the peer still believes to talk to the address it assigned. As far as I
understand the ppp protocol this should be possible, but how?

Any help is very welcome!

With kind regards

Stephan Hoffmann

On 30 Jun 2005 00:44:32 -0700, "Stephan" <(E-Mail Removed)> wrote:

>Since there is a certain risk to get the same address from the network
>we want to assgn a fixed address to the local ppp-device in a way that
>the peer still believes to talk to the address it assigned. As far as I
>understand the ppp protocol this should be possible, but how?
>

man pppd

OPTIONS
<local_IP_address>:<remote_IP_address>
Set the local and/or remote interface IP addresses.
Either one may be omitted. The IP addresses can be
specified with a host name or in decimal dot nota-
tion (e.g. 150.234.56.78). The default local
address is the (first) IP address of the system
(unless the noipdefault option is given). The
remote address will be obtained from the peer if
not specified in any option. Thus, in simple
cases, this option is not required. If a local
and/or remote IP address is specified with this
option, pppd will not accept a different value from
the peer in the IPCP negotiation, unless the ipcp-
accept-local and/or ipcp-accept-remote options are
given, respectively.

Dan

Stephan <(E-Mail Removed)> wrote:
> Hello, all!

> We are using a ppp link to the internet over the gsm/gprs network. This
> network assigns a IP Address from the 10.0.0.0/8 subnet and gives
> access to the internet using NAT.

> Over this link we build a VPN connection which assigns a address from
> the same subnet to our device.

> Since there is a certain risk to get the same address from the network
> we want to assgn a fixed address to the local ppp-device in a way that
> the peer still believes to talk to the address it assigned. As far as I
> understand the ppp protocol this should be possible, but how?

If you mean change the local IP address of the PPP link's interface then
the answer is no. The "gsm/gprs network" expects the local IP address
to be the one it provides, and changing it unilaterally just won't work.
I also rather doubt that any local IP address configured for use in IPCP
negotiation would be accepted by the provider.

OTOH, GSM/GPRS PPP can be rather strange...

--
Clifford Kite Email: "echo xvgr_yvahk-(E-Mail Removed)|rot13"

Hi, Dan and Clifford,

thanx for your reply. In fact, I read the man page and lots of other
documents ans googled for a answer, too.

Unfortunatelly, this option does only work if the peer accepts the
given local address. Our peer doesn't.

That's the reason that we need to translate the address somehow. Could
that possible be done with iptables?

Regards

Stephan

On 30 Jun 2005 23:55:58 -0700, "Stephan" <(E-Mail Removed)> wrote:

Are you forced to use the same subnet for the VPN? If not, then
create the VPN connection on a different subnet and set the associated
ip address as the default route using the ppp defaultroute option.

Dan

>Hi, Dan and Clifford,
>
>thanx for your reply. In fact, I read the man page and lots of other
>documents ans googled for a answer, too.
>
>Unfortunatelly, this option does only work if the peer accepts the
>given local address. Our peer doesn't.
>
>That's the reason that we need to translate the address somehow. Could
>that possible be done with iptables?
>
>Regards
>
>Stephan

Stephan <(E-Mail Removed)> wrote:
> Hi, Dan and Clifford,

> thanx for your reply. In fact, I read the man page and lots of other
> documents ans googled for a answer, too.

> Unfortunatelly, this option does only work if the peer accepts the
> given local address. Our peer doesn't.

> That's the reason that we need to translate the address somehow. Could
> that possible be done with iptables?

I only learned enough about iptables to modify a firewall for my needs
and don't have a good answer to that question. There may be a simple
way, a horrible way, or no way (suitable for your purpose) to "translate
the address." Perhaps someone else will volunteer...

Stephan's suggestion about using a different subnet for the VPN seems
reasonable.

The easiest thing would be to use a subnet of 168.192.0.0-168.192.255.0
or 172.16.0.0-172.31.0.0 for the VPN. Or if there is a compelling reason
to use a subnet of 10.0.0.0-255.255.255 for the VPN then try to find out
whether the provider uses a smaller, and fixed, subnet (i.e., not /8)
of that range to provide service for you and assign a different subnet
to the VPN.

--
Clifford Kite Email: "echo xvgr_yvahk-(E-Mail Removed)|rot13"

Clifford Kite <(E-Mail Removed)> writes:

>Stephan <(E-Mail Removed)> wrote:
>> Hi, Dan and Clifford,

>> thanx for your reply. In fact, I read the man page and lots of other
>> documents ans googled for a answer, too.

>> Unfortunatelly, this option does only work if the peer accepts the
>> given local address. Our peer doesn't.

>> That's the reason that we need to translate the address somehow. Could
>> that possible be done with iptables?

>I only learned enough about iptables to modify a firewall for my needs
>and don't have a good answer to that question. There may be a simple
>way, a horrible way, or no way (suitable for your purpose) to "translate
>the address." Perhaps someone else will volunteer...

>Stephan's suggestion about using a different subnet for the VPN seems
>reasonable.

>The easiest thing would be to use a subnet of 168.192.0.0-168.192.255.0

Other way around 192.168.x.x Yours is a valid range of IP addresses owned
by Sprint.

>or 172.16.0.0-172.31.0.0 for the VPN. Or if there is a compelling reason
>to use a subnet of 10.0.0.0-255.255.255 for the VPN then try to find out
>whether the provider uses a smaller, and fixed, subnet (i.e., not /8)
>of that range to provide service for you and assign a different subnet
>to the VPN.

>--
>Clifford Kite Email: "echo xvgr_yvahk-(E-Mail Removed)|rot13"

Unruh <unruh-(E-Mail Removed)> wrote:
> Clifford Kite <(E-Mail Removed)> writes:

>>The easiest thing would be to use a subnet of 168.192.0.0-168.192.255.0

> Other way around 192.168.x.x Yours is a valid range of IP addresses owned
> by Sprint.

Thanks for correcting my dsylexia. Just in case someone doesn't
understand yet, it should be 192.168.0.0-192.168.255.0, a private IP
address range, not 168.192.0.0-168.192.255.0.

--
Clifford Kite Email: "echo xvgr_yvahk-(E-Mail Removed)|rot13"

Hi, All!

I already thought of assigning another subnet, but the System is not
fixed to a given GSM-network. So I must be aware that another network
will give other addresses.

I took the big 10.0.0.0/8 net because we probably will have to connect
lots of devices each with an own local subnet behind.

Another solution I thought of is to reconnect if the network gives the
already predefined address.

In fact, the address translation would be the cleanest aolution.

Regards

Stephan