On Sun, 11 Jun 2000, David Summers wrote:

> Thanks for the great software package! The question I have is this:

Thank you :)

> My goal is to set up a triangle topology VPN between three sites and run
> OSPF routing on all the sites so that if a link goes down between any two
> sites the OSPF routing will reroute the packets that used to go between
> the sites A <-> B to A <-> C <-> B and still remain connected.

Hopefully that functionality will be included in the final 1.0 version of tinc.

> Here is my setup (I turned off Masquerading for these tests to make sure
> that it wasn't something silly like that).

> Network A = 192.168.1.0/24

You are using 192.168.x.y addresses for your internal network, but 10.x.y.z addresses for tinc! Why is that? Tinc does not need its own IPs, you just have to put the ones you are already using in the configuration file.

> ==== Router A tinc.conf ===
> TapDevice = /dev/tap0
> ConnectTo = 216.63.158.19
> MyVirtualIP = 10.0.0.1/8
> VpnMask = 255.0.0.0
> AllowConnect = no
> ===========================

Your MyVirtualIP should be 10.0.0.1/24, not /8. The subnet the tincd on router A represents is a class C subnet. However, the VpnMask is different - it is used to tell the startup script what the scope of the ENTIRE private network is.

> Router A "netstat -rn | grep tap0":
> 192.168.254.0   10.0.0.2        255.255.255.0   UG    0 0 0 tap0
> 10.0.0.0        0.0.0.0         255.0.0.0       U     0 0 0 tap0

Tinc will only correctly transfer packets with 10.x.y.z IPs. Your routing table suggests you think you have to send all 192.168.254.x packets to the gateway you think the daemon on the other side is.

> It is possible that my question boils down to this:
> Is the VPN link between networks a Point to Point Link or is it a regular
> network? I think the configuration would be different in both of those
> cases.

It's not point-to-point :).

Try this:

Router A tinc.conf:
==================
TapDevice = /dev/tap0
ConnectTo = 216.63.158.19
MyVirtualIP = 192.168.254.0/24
VpnMask = 255.255.0.0
==================

Routing table:
--------------
192.168.0.0     0.0.0.0         255.255.0.0     U     0 0 0 tap0

Router B likewise.

I hope this will help! We are not bothered at all by your questions, so if you have more of them, please ask! And we'd also be happy to hear your comments.

Kind regards,
Guus Sliepen.

-
Tinc: Discussion list about the tinc VPN daemon
Archive: http://mail.nl.linux.org/lists/
Tinc site: http://ftp.nl.linux.org/pub/linux/tinc/

Thanks for the quick reply!

I tried what you suggested (I think :-) and I still have the same results. I'm seeing the icmp echo reply being sent from the router B tap0 interface but they never show up on the router A tap0 interface. However the icmp echo requests are being sent from the machine on network A through router A to router B and on to the machine on network B which is returning the replies to router B and (apparently) through the tap0 interface and at that point the mystery begins...why don't those replies show up on the tap0 interface on router A?

Here is my current config (maybe I misinterpreted something you said???):

==== Router A tinc.conf ===
TapDevice = /dev/tap0
ConnectTo = 216.63.158.19
MyVirtualIP = 192.168.254.0/24
VpnMask = 255.255.0.0
AllowConnect = no
===========================

Router A "netstat -rn | grep -i tap0":
192.168.0.0     0.0.0.0         255.255.0.0     U     0 0 0 tap0

==== Router B tinc.conf ===
TapDevice = /dev/tap0
MyVirtualIP = 192.168.1.0/24
VpnMask = 255.255.0.0
AllowConnect = yes
==========================

Router B "netstat -rn | grep -i tap0":
192.168.0.0     0.0.0.0         255.255.0.0     U     0 0 0 tap0

Probably I'm doing something silly (first time is always hardest to do, but I've been working on this for several weeks and can't think of what it is).

Is it possible that I should have an "AllowConnect = yes" on Router A?

I guess the reason I had an extra network in there is because I'm used to dealing with what I consider "normal" routers where each network interface is on a different network...that's why I stuck the extra 10.0.0.1 <-> 10.0.0.2 network in my original configuration. I guess in the current configuration it deals with that with the "wider" 255.255.0.0 netmask???

Thanks!
- David Summers

On Sun, 11 Jun 2000, Guus Sliepen wrote:

> Date: Sun, 11 Jun 2000 19:11:44 +0200 (CEST)
> From: Guus Sliepen <guus@sliepen.warande.net>
> To: David Summers <david@summersoft.fay.ar.us>
> Cc: tinc@nl.linux.org
> Subject: Re: TINC 1.0pre2 problem
>
> On Sun, 11 Jun 2000, David Summers wrote:
>
> > Thanks for the great software package! The question I have is this:
>
> Thank you :)
>
> > My goal is to set up a triangle topology VPN between three sites and run
> > OSPF routing on all the sites so that if a link goes down between any two
> > sites the OSPF routing will reroute the packets that used to go between
> > the sites A <-> B to A <-> C <-> B and still remain connected.
>
> Hopefully that functionality will be included in the final 1.0 version of
> tinc.
>
> > Here is my setup (I turned off Masquerading for these tests to make sure
> > that it wasn't something silly like that).
>
> > Network A = 192.168.1.0/24
>
> You are using 192.168.x.y addresses for your internal network, but
> 10.x.y.z addresses for tinc! Why is that? Tinc does not need its own
> IPs, you just have to put the ones you are already using in the
> configuration file.
>
> > ==== Router A tinc.conf ===
> > TapDevice = /dev/tap0
> > ConnectTo = 216.63.158.19
> > MyVirtualIP = 10.0.0.1/8
> > VpnMask = 255.0.0.0
> > AllowConnect = no
> > ===========================
>
> Your MyVirtualIP should be 10.0.0.1/24, not /8. The subnet the tincd on
> router A represents is a class C subnet. However, the VpnMask is different
> - it is used to tell the startup script what the scope of the ENTIRE
> private network is.
>
> > Router A "netstat -rn | grep tap0":
> > 192.168.254.0   10.0.0.2        255.255.255.0   UG    0 0 0 tap0
> > 10.0.0.0        0.0.0.0         255.0.0.0       U     0 0 0 tap0
>
> Tinc will only correctly transfer packets with 10.x.y.z IPs. Your routing
> table suggests you think you have to send all 192.168.254.x packets to the
> gateway you think the daemon on the other side is.
>
> > It is possible that my question boils down to this:
> > Is the VPN link between networks a Point to Point Link or is it a regular
> > network? I think the configuration would be different in both of those
> > cases.
>
> It's not point-to-point :). Try this:
>
> Router A tinc.conf:
> ==================
> TapDevice = /dev/tap0
> ConnectTo = 216.63.158.19
> MyVirtualIP = 192.168.254.0/24
> VpnMask = 255.255.0.0
> ==================
>
> Routing table:
> --------------
> 192.168.0.0     0.0.0.0         255.255.0.0     U     0 0 0 tap0
>
> Router B likewise.
>
> I hope this will help! We are not bothered at all by your questions, so if
> you have more of them, please ask! And we'd also be happy to hear your
> comments.
>
> Kind regards,
> Guus Sliepen.
>
>

David Wayne Summers "Linux: Because reboots are for upgrades!"
david@summersoft.fay.ar.us
PGP Key: http://summersoft.fay.ar.us/~david/pgp.txt
PGP Key fingerprint = C0 E0 4F 50 DD A9 B6 2B 60 A1 31 7E D2 28 6D A8

Hmmm. One more thing; I noticed here and in your documentation you talk about the meta protocol dealing with routing issues. Does that mean I don't have to run a routing protocol on all the connected VPNs that I establish? Does/Would your protocol tell my router A that a route between VPN networks B and C has been established?

Thanks!
- David Summers

OK, I got it. What I did was put the interface IP on Router A to 192.168.1.1/24 (network A) and made the VPN mask 255.255.0.0 (the "wider" network). Vice-versa on the other router B.

(If you try enough combinations then sooner or later you are bound to hit it with pure luck if you are methodical about it! :-)

I did have the interface for network B on the network A router and vice-versa on the other one.

Interesting. Not what I expected, but hey, if it works, then awesome! If I understand correctly then what it is saying is that this IP address on my current network is a gateway to a bigger network that can pass the traffic on to the other network.

I'm still interested in hearing about the possible routing protocol built in to the meta protocol of TINC.

Thanks for your help!
- David Summers
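
Added example (not part of the thread and not tinc's own code): a small Python check of the MyVirtualIP / VpnMask relationship as the thread ends up using it, run against the three Router A configurations quoted above. It encodes the working setup David reports, not tinc's documented semantics; the function names are hypothetical, and network B = 192.168.254.0/24 is an assumption inferred from the route in the first message.

```python
import ipaddress

def parse_conf(text):
    """Parse the 'Key = value' lines of a tinc.conf as quoted in the thread."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip():
            conf[key.strip()] = value.strip()
    return conf

def tap_route(conf):
    """Network the tap0 route covers: MyVirtualIP's address under VpnMask."""
    addr = conf["MyVirtualIP"].split("/")[0]
    return ipaddress.ip_network(f"{addr}/{conf['VpnMask']}", strict=False)

def check(conf_text, local_lan, remote_lans):
    """Return a list of problems; an empty list matches the working setup."""
    conf = parse_conf(conf_text)
    local = ipaddress.ip_network(local_lan)
    iface = ipaddress.ip_interface(conf["MyVirtualIP"])
    route = tap_route(conf)
    problems = []
    # The working setup puts MyVirtualIP inside the router's own LAN.
    if iface.network != local:
        problems.append(f"MyVirtualIP {iface} is not in local LAN {local}")
    # VpnMask must be wide enough to span the whole private network.
    if not local.subnet_of(route):
        problems.append(f"VpnMask route {route} does not cover local LAN {local}")
    for lan in map(ipaddress.ip_network, remote_lans):
        if not lan.subnet_of(route):
            problems.append(f"VpnMask route {route} does not cover remote LAN {lan}")
    return problems

# Constructed inputs: the relevant lines of the three Router A configs in the thread.
LAN_A, LAN_B = "192.168.1.0/24", "192.168.254.0/24"  # LAN_B is an assumption
ORIGINAL = "MyVirtualIP = 10.0.0.1/8\nVpnMask = 255.0.0.0\n"
SWAPPED = "MyVirtualIP = 192.168.254.0/24\nVpnMask = 255.255.0.0\n"
WORKING = "MyVirtualIP = 192.168.1.1/24\nVpnMask = 255.255.0.0\n"

if __name__ == "__main__":
    for name, text in [("original", ORIGINAL), ("swapped", SWAPPED),
                       ("working", WORKING)]:
        print(name, check(text, LAN_A, [LAN_B]) or "ok")
```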