Hello, I'm having a routing issue with my tinc setup. I'm running a fairly basic VPN configuration between two networks:

------- Site A: -------

--- tinc-up ---
#!/bin/sh
/sbin/ifconfig tap0 hs ether fe:fd:00:00:00:00
/sbin/ifconfig tap0 10.11.1.2 netmask 255.0.0.0
/sbin/ifconfig tap0 -arp

---- tinc.conf ---
Name = orca
Hostnames = no
InterfaceIP = 63.108.71.7
KeyExpire = 30000000
PrivateKeyFile = /etc/tinc/.rsa-private
TapDevice = /dev/tap0

------- Site B: -------

---- tinc-up ----
#!/bin/sh
/sbin/ifconfig $NETNAME hs ether fe:fd:00:00:00:00
/sbin/ifconfig $NETNAME 10.11.15.1 netmask 255.0.0.0
/sbin/ifconfig $NETNAME -arp

----- tinc.conf ----
ConnectTo = orca
Name = pax
Hostnames = no
InterfaceIP = 24.176.163.186
KeyExpire = 30000000
PrivateKeyFile = /etc/tinc/.rsa-private
TapDevice = /dev/tun

------------------ Shared Hosts Files ------------------

--- pax ---
Address = x.x.x.x
Subnet = 10.11.15.0/24
PublicKeyFile=/etc/tinc/hosts/.pax-rsa-public

--- orca ---
Address = y.y.y.y
Subnet = 10.11.1.0/24
PublicKeyFile=/etc/tinc/hosts/.orca-rsa-public

#######################################################

I get a successful connection and everything looks to be okay; however, I am unable to ping anything from either side. I ran a few tcpdumps and believe that I have found where the problem lies, but I don't know exactly what the problem is.

From a second machine sitting in network B (10.11.15.11), I tried pinging a machine on network A (10.11.15.1).
I had a tcpdump running on 3 different interfaces:

eth0 on orca: (tcpdump -i eth0 icmp)
--------------
17:59:45.212188 > 10.11.15.11 > 10.11.1.1: icmp: echo request (DF)
17:59:45.213943 < 10.11.1.1 > 10.11.15.11: icmp: echo reply (DF)
17:59:46.207298 > 10.11.15.11 > 10.11.1.1: icmp: echo request (DF)
17:59:46.208155 < 10.11.1.1 > 10.11.15.11: icmp: echo reply (DF)

ethertap interface on pax: (tcpdump -i tap0 icmp)
---------------------------
00:07:14.750000 > 10.11.15.11 > 10.11.1.1: icmp: echo request (DF)
00:07:14.820000 P 10.11.1.1 > 10.11.15.11: icmp: echo reply (DF)
00:07:15.750000 > 10.11.15.11 > 10.11.1.1: icmp: echo request (DF)
00:07:15.840000 P 10.11.1.1 > 10.11.15.11: icmp: echo reply (DF)

eth1 on pax: (tcpdump -i $NETNAME icmp)
-------------
00:07:39.980000 < 10.11.15.11 > 10.11.1.1: icmp: echo request (DF)
00:07:40.980000 < 10.11.15.11 > 10.11.1.1: icmp: echo request (DF)
00:07:41.980000 < 10.11.15.11 > 10.11.1.1: icmp: echo request (DF)

My interpretation of the above tcpdumps is:

-- ICMP echo request --
1) Leave its source (10.11.15.11)
2) Enter eth0 on pax
3) Enter ethertap on pax
4) tunnel to ethertap on orca
5) forward to eth0 on orca
6) reach its destination successfully

-- ICMP echo reply --
1) Leave its source (10.11.1.1)
2) Enter eth0 on orca
3) forward to ethertap on orca
4) tunnel to ethertap on pax
5) !!Packet appears to be dropped here!!!

I have tried both:
/sbin/iptables -F
/sbin/iptables -t nat -F

Anybody have any ideas? I'm pretty stumped here.

I also DO see the following in syslog on pax:

No valid key known yet for orca (63.108.71.7), queueing packet

pax is running linux 2.4.2
orca is running linux 2.2.16
tincd is: 1.0pre4

- Allen

Tinc: Discussion list about the tinc VPN daemon
Archive: http://mail.nl.linux.org/lists/
Tinc site: http://tinc.nl.linux.org/
On Thu, Nov 08, 2001 at 12:26:41AM -0700, Allen Bettilyon wrote:

> /sbin/ifconfig tap0 hs ether fe:fd:00:00:00:00
                      ^^
That should be hw instead of hs.

> -- ICMP echo reply --
> 1) Leave its source (10.11.1.1)
> 2) Enter eth0 on orca
> 3) forward to ethertap on orca
> 4) tunnel to ethertap on pax
> 5) !!Packet appears to be dropped here!!!

The packet might be dropped for several reasons. For instance, the typo mentioned above, but maybe also because of your routing table and forwarding rules. Make sure a packet arriving at pax can actually be forwarded to the real ethernet segment.

> I also DO see the following in syslog on pax:
>
> No valid key known yet for orca (63.108.71.7), queueing packet

You should only see this once in a while (and only if you turned on debugging messages). It is normal. If you see it for every packet you send, then something is wrong :).

--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus@sliepen.warande.net>
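As an added example (not from either message in this thread): a small Python script that applies Allen's hop-by-hop reasoning mechanically. It parses the old-style tcpdump ICMP lines from each interface, walks the captures in the order the packet traverses them, and reports the first hop where the echo reply no longer appears. The captures are constructed from the ones quoted above (abridged) and the interface labels are assumptions.

```python
import re
from collections import Counter

# Old tcpdump text format as quoted in the thread:
#   "<time> <dir> <src> > <dst>: icmp: echo <request|reply> (DF)"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<dir>[<>P])\s+"
    r"(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):\s+icmp:\s+echo\s+(?P<kind>request|reply)"
)

def parse_icmp_capture(text):
    """Return (src, dst, kind) for every ICMP echo line; other lines are skipped."""
    out = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m.group("src"), m.group("dst"), m.group("kind")))
    return out

def locate_drop(path, kind):
    """path: (interface_label, capture_text) pairs in the order the packet crosses them.
    Returns the first label where no `kind` packets were captured, or None if all saw them."""
    for label, text in path:
        if Counter(k for _, _, k in parse_icmp_capture(text))[kind] == 0:
            return label
    return None

# Captures constructed from the three tcpdumps in the thread (abridged to one exchange).
ORCA_ETH0 = """
17:59:45.212188 > 10.11.15.11 > 10.11.1.1: icmp: echo request (DF)
17:59:45.213943 < 10.11.1.1 > 10.11.15.11: icmp: echo reply (DF)
"""
PAX_TAP0 = """
00:07:14.750000 > 10.11.15.11 > 10.11.1.1: icmp: echo request (DF)
00:07:14.820000 P 10.11.1.1 > 10.11.15.11: icmp: echo reply (DF)
"""
PAX_ETH1 = """
00:07:39.980000 < 10.11.15.11 > 10.11.1.1: icmp: echo request (DF)
"""

def reply_drop_hop():
    """The echo reply travels orca eth0 -> pax tap0 -> pax eth1 (the LAN side)."""
    return locate_drop([("eth0 on orca", ORCA_ETH0), ("tap0 on pax", PAX_TAP0),
                        ("eth1 on pax", PAX_ETH1)], "reply")

def request_drop_hop():
    """The echo request goes the other way; every hop should see it."""
    return locate_drop([("eth1 on pax", PAX_ETH1), ("tap0 on pax", PAX_TAP0),
                        ("eth0 on orca", ORCA_ETH0)], "request")

if __name__ == "__main__":
    print("reply first missing at:", reply_drop_hop())      # eth1 on pax
    print("request first missing at:", request_drop_hop())  # None
```

A reply that is present on the tap device but absent on the LAN interface points at the host's own forwarding path (routing table, ip_forward, filter rules) rather than at the tunnel itself.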