Tunnel ICMP?

Hello all,

I have a slightly unusual problem where I need to tunnel ICMP traffic
over a WAN link.

A little background, ICMP is blocked in/out from all our sites, a
global policy I can't change.
I have a Windows 2000 server at site A that must be able to ping a PBX
at site B.

I have Linux boxes at each site, so what I'm thinking here is set
static route on the Windows box to the PBX to route via the Linux box
at site A.
Then set up a tunnel ( SSH maybe? ) from Linux box at site A to Linux
box B.

Then forward the traffic from the Linux box at site B to the PBX.

Thereby all the pings from the Windows at site A would go:
Windows[Site A] -> Linux[Site A] ->(Tunnelled over WAN)-> Linux[Site
B] -> PBX[Site B]

Is this an idea worth pursuing?
Anyone got an ideas, pointers to website to look at? any help at all
would be great!
Many Thanks,
Dave.

Davey SM4 wrote:

> I have Linux boxes at each site, so what I'm thinking here is set
> static route on the Windows box to the PBX to route via the Linux box
> at site A.
> Then set up a tunnel ( SSH maybe? ) from Linux box at site A to Linux
> box B.
>
> Then forward the traffic from the Linux box at site B to the PBX.
>
> Thereby all the pings from the Windows at site A would go:
> Windows[Site A] -> Linux[Site A] ->(Tunnelled over WAN)-> Linux[Site
> B] -> PBX[Site B]
>
>

What you're describing is a VPN. However, ssh isn't suitable, as it won't
carry ICMP. There are many other VPNs available, that will carry all IP
packets.

--

Fundamentalism is fundamentally wrong.

To reply to this message, replace everything to the left of "@" with
james.knott.

Davey SM4 wrote:

> A little background, ICMP is blocked in/out from all our sites, a
> global policy I can't change.
> I have a Windows 2000 server at site A that must be able to ping a PBX
> at site B.
>
> I have Linux boxes at each site, so what I'm thinking here is set
> static route on the Windows box to the PBX to route via the Linux box
> at site A.
> Then set up a tunnel ( SSH maybe? ) from Linux box at site A to Linux
> box B.
>
> Then forward the traffic from the Linux box at site B to the PBX.
>
> Thereby all the pings from the Windows at site A would go:
> Windows[Site A] -> Linux[Site A] ->(Tunnelled over WAN)-> Linux[Site
> B] -> PBX[Site B]

What about creating a Linux[Site A] <-> Linux[Site B] GRE tunnel, which then
can tunnel any needed IP-traffic. Of course your global policy need to
allow the GRE protocol. But they are quite easy to set up.

http://lartc.org/howto/lartc.tunnel.gre.html

And if that doesn't work, you should be able to use an openvpn-Tunnel.

http://www.openvpn.org

Hope that helps,
Axel

Axel Hinrichs,,, wrote:

> Davey SM4 wrote:
>
>> A little background, ICMP is blocked in/out from all our sites, a
>> global policy I can't change.
>> I have a Windows 2000 server at site A that must be able to ping a PBX
>> at site B.
>>
>> I have Linux boxes at each site, so what I'm thinking here is set
>> static route on the Windows box to the PBX to route via the Linux box
>> at site A.
>> Then set up a tunnel ( SSH maybe? ) from Linux box at site A to Linux
>> box B.
>>
>> Then forward the traffic from the Linux box at site B to the PBX.
>>
>> Thereby all the pings from the Windows at site A would go:
>> Windows[Site A] -> Linux[Site A] ->(Tunnelled over WAN)-> Linux[Site
>> B] -> PBX[Site B]
>
> What about creating a Linux[Site A] <-> Linux[Site B] GRE tunnel, which
> then can tunnel any needed IP-traffic. Of course your global policy need
> to allow the GRE protocol. But they are quite easy to set up.
>
> http://lartc.org/howto/lartc.tunnel.gre.html
>
> And if that doesn't work, you should be able to use an openvpn-Tunnel.
>
> http://www.openvpn.org

Uh, forget this link, I'm sorry!! Here's the right one:

http://openvpn.sourceforge.net/

"Axel Hinrichs,,," <(E-Mail Removed)> wrote in message news:<bvvvid$hsk$(E-Mail Removed)>...
>
> What about creating a Linux[Site A] <-> Linux[Site B] GRE tunnel, which then
> can tunnel any needed IP-traffic. Of course your global policy need to
> allow the GRE protocol. But they are quite easy to set up.
>
> http://lartc.org/howto/lartc.tunnel.gre.html
>
> And if that doesn't work, you should be able to use an openvpn-Tunnel.
>
> http://www.openvpn.org
>
> Hope that helps,
> Axel

Hi,
Thanks for the help, had a quick look at openvpn & looks ideal..I'll
have a play back at work on monday.
Cheers,
Dave

James Knott <(E-Mail Removed)> wrote in message news:<jiLUb.2512$(E-Mail Removed). rogers.com>...
>
> What you're describing is a VPN. However, ssh isn't suitable, as it won't
> carry ICMP. There are many other VPNs available, that will carry all IP
> packets.


That explains it! I found I was able to tunnel tcp ports but no IMCP,
now I know why...Thanks for the reply.

Dave.

Davey SM4 wrote:
> "Axel Hinrichs,,," <(E-Mail Removed)> wrote in message news:<bvvvid$hsk$(E-Mail Removed)>...
>
>>What about creating a Linux[Site A] <-> Linux[Site B] GRE tunnel, which then
>>can tunnel any needed IP-traffic. Of course your global policy need to
>>allow the GRE protocol. But they are quite easy to set up.
>>
>>http://lartc.org/howto/lartc.tunnel.gre.html
>>
>>And if that doesn't work, you should be able to use an openvpn-Tunnel.
>>
>>http://www.openvpn.org
>>
>>Hope that helps,
>>Axel
>
>
> Hi,
> Thanks for the help, had a quick look at openvpn & looks ideal..I'll
> have a play back at work on monday.
> Cheers,
> Dave

For a Linux - Linux tunnel, CIPE might be the lightest-weight
alternative <http://sites.inka.de/sites/bigred/devel/cipe.html>.

It's included in may distributions.

HTH

Tauno Voipio
tauno voipio @ iki fi