Hey,
(Apologies for the massive post)
My problem is that pings are getting through the tunnel but the target LAN
clients are not responding. An ARP request is failing for some reason for
pings that originate from the OpenVPN tunnel, like so:
this is a ping from the remote LAN (10.0.100.254) through to the target LAN
(10.0.0.3).
21:13:16.706406 arp who-has 10.0.0.251 tell 10.0.0.3
21:13:16.816595 10.0.0.251 > 10.0.0.3: icmp: echo request (DF)
21:13:17.706721 10.0.0.251 > 10.0.0.3: icmp: echo request (DF)
21:13:17.816995 10.0.0.251 > 10.0.0.3: icmp: echo request (DF)
21:13:17.817176 arp who-has 10.0.0.251 tell 10.0.0.3
21:13:18.709395 10.0.0.251 > 10.0.0.3: icmp: echo request (DF)
21:13:18.814944 10.0.0.251 > 10.0.0.3: icmp: echo request (DF)
Digging through the docs, I believe I have done everything right with this
shorewall + openvpn setup. It seems like a routing problem.
Anyway, I have a remote office (home) connecting into the office (bungan)
and I believe I have some sort of shorewall/openvpn routing problem.
Here is my output from ifconfig on the office firewall:
bungan:~# ifconfig
eth0 Link encap:Ethernet HWaddr 00:80:C8:CF:DF:7D
inet addr:203.x6x.136.130 Bcast:203.63.136.255
Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:840064 errors:1 dropped:0 overruns:0 frame:0
TX packets:594513 errors:11 dropped:0 overruns:1 carrier:10
collisions:0 txqueuelen:100
RX bytes:671216389 (640.1 MiB) TX bytes:166223955 (158.5 MiB)
Interrupt:11 Base address:0xf000
eth1 Link encap:Ethernet HWaddr 00:80:C8:CF:DF:7E
inet addr:10.0.0.252 Bcast:10.255.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:199606 errors:0 dropped:0 overruns:0 frame:0
TX packets:196154 errors:0 dropped:0 overruns:0 carrier:0
collisions:2511 txqueuelen:100
RX bytes:30233112 (28.8 MiB) TX bytes:165499352 (157.8 MiB)
Interrupt:10 Base address:0x1000
eth2 Link encap:Ethernet HWaddr 00:80:C8:CF:DF:7F
inet addr:10.0.1.252 Bcast:10.255.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:263117 errors:1 dropped:0 overruns:0 frame:0
TX packets:365767 errors:34 dropped:0 overruns:0 carrier:17
collisions:18842 txqueuelen:100
RX bytes:112328065 (107.1 MiB) TX bytes:425234464 (405.5 MiB)
Interrupt:4 Base address:0x3000
eth3 Link encap:Ethernet HWaddr 00:80:C8:CF:DF:80
inet addr:10.0.2.252 Bcast:10.255.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:88094 errors:1 dropped:0 overruns:0 frame:0
TX packets:95808 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:18723059 (17.8 MiB) TX bytes:55502521 (52.9 MiB)
Interrupt:3 Base address:0x5000
eth5 Link encap:Ethernet HWaddr 00:05:5D:64:C0:2F
inet addr:10.0.3.252 Bcast:10.255.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:15643 errors:0 dropped:0 overruns:0 frame:0
TX packets:14160 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:5101255 (4.8 MiB) TX bytes:10193315 (9.7 MiB)
Interrupt:11 Base address:0x6400
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:8137 errors:0 dropped:0 overruns:0 frame:0
TX packets:8137 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:29814515 (28.4 MiB) TX bytes:29814515 (28.4 MiB)
tun0 Link encap:Point-to-Point Protocol
inet addr:10.0.0.252 P-t-P:10.0.0.251 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1255 Metric:1
RX packets:12532 errors:0 dropped:0 overruns:0 frame:0
TX packets:9559 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:1488242 (1.4 MiB) TX bytes:1001096 (977.6 KiB)
so as you can see there are a few interfaces.
The output of route -n on bungan:
Kernel IP routing table
Destination     Gateway          Genmask          Flags Metric Ref Use Iface
10.0.0.251      0.0.0.0          255.255.255.255  UH    0      0   0   tun0
203.x6x.136.0   0.0.0.0          255.255.255.0    U     0      0   0   eth0
10.0.100.0      10.0.0.251       255.255.255.0    UG    0      0   0   tun0
10.0.0.0        0.0.0.0          255.255.255.0    U     0      0   0   eth1
10.0.1.0        0.0.0.0          255.255.255.0    U     0      0   0   eth2
10.0.2.0        0.0.0.0          255.255.255.0    U     0      0   0   eth3
10.0.3.0        0.0.0.0          255.255.255.0    U     0      0   0   eth5
0.0.0.0         203.x6x.136.252  0.0.0.0          UG    0      0   0   eth0
Very strangely, pings from bungan to the other side of the VPN, i.e. hosts on
the remote LAN, work fine and traffic gets through and everything. Why would
the traffic work fine in one direction, i.e. from one LAN to another, but
traffic in the other direction fails with this failed ARP request?
I can ping the target 10.0.0.3 from bungan.
I just can't ping it from the remote firewall, so the ping packet travels
through the tunnel OK, gets to the shorewall bit on bungan and just dies
with a failed ARP request. This setup used to work with the Debian package
ipmasq. The remote end of the tunnel is using ipmasq.
my tunnels file on bungan looks like this:
---
openvpn net 0.0.0.0/0
----
my policy:
-----
#Everyone, inc bungan has outbound access
all net ACCEPT
# internal people can access bungan
mvc fw ACCEPT
fw mvc ACCEPT
delmege fw ACCEPT
fw delmege ACCEPT
muir fw ACCEPT
fw muir ACCEPT
fiji fw ACCEPT
fw fiji ACCEPT
hbtun fw ACCEPT
fw hbtun ACCEPT
****this is the tunnel in question******
# HB Tunnel <-> MVC
mvc hbtun ACCEPT
hbtun mvc ACCEPT
# MVC -> everyone else
mvc all ACCEPT
#Default bottom policy
net all DROP info
all all REJECT info
----
interfaces:
----------
net eth0
mvc eth1
delmege eth2
fiji eth3
muir eth5
hbtun tun0
---------
I don't think I need to post details of my openvpn setup as the traffic does
get through the tunnel. Indeed it gets through from bungan to the remote
LAN...
Nothing is logged in /var/log/messages so shorewall is definitely not
denying anything.
Any poor soul want to wade through my mess?
thanks
Dave
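An added example, not part of Dave's post: a small Python checker that reads the ARP lines from the quoted tcpdump capture and the interface addressing from the quoted ifconfig output, and reports any ARP target that the firewall's own addressing claims in more than one place. On the post's data it flags 10.0.0.251, which is both tun0's point-to-point peer and an address inside eth1's 10.0.0.0/24, so a host on eth1 will ARP for it on the wire while the NOARP tunnel interface never answers; that overlap is the first thing to rule out.

```python
import ipaddress
import re

# Interface addressing constructed from the ifconfig output in the post.
LAN_INTERFACES = {
    "eth1": ipaddress.ip_interface("10.0.0.252/24"),
    "eth2": ipaddress.ip_interface("10.0.1.252/24"),
    "eth3": ipaddress.ip_interface("10.0.2.252/24"),
    "eth5": ipaddress.ip_interface("10.0.3.252/24"),
}
# Point-to-point tunnel peer; tun0 is NOARP, so the firewall never answers
# ARP for this address on any Ethernet segment.
TUNNEL_PEERS = {"tun0": ipaddress.ip_address("10.0.0.251")}

# Lines taken from the tcpdump capture quoted in the post.
CAPTURE = """\
21:13:16.706406 arp who-has 10.0.0.251 tell 10.0.0.3
21:13:16.816595 10.0.0.251 > 10.0.0.3: icmp: echo request (DF)
21:13:17.817176 arp who-has 10.0.0.251 tell 10.0.0.3
"""
ARP_RE = re.compile(r"arp who-has (\S+) tell (\S+)")


def parse_arp_requests(capture):
    """Yield (target, asker) address pairs for every 'arp who-has' line."""
    for line in capture.splitlines():
        m = ARP_RE.search(line)
        if m:
            yield ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))


def locate(addr):
    """List every place the firewall's own addressing claims `addr` lives."""
    addr = ipaddress.ip_address(addr)  # accepts a str or an address object
    claims = [f"on-link {name} {iface.network}"
              for name, iface in LAN_INTERFACES.items() if addr in iface.network]
    claims += [f"tunnel peer {name}"
               for name, peer in TUNNEL_PEERS.items() if addr == peer]
    return claims


def find_overlaps(capture):
    """Map each ARP target claimed by more than one place to its claims."""
    overlaps = {}
    for target, _asker in parse_arp_requests(capture):
        claims = locate(target)
        if len(claims) > 1:  # a LAN host ARPs for it, but it is also a tunnel peer
            overlaps[str(target)] = claims
    return overlaps


for _target, _claims in find_overlaps(CAPTURE).items():
    print(_target, "->", "; ".join(_claims))
```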