Hello,

I successfully built a VPN between two hosts ("main" and "iquique") (and their subnets), but I have problems when I want to add another host ("valparaiso"): I get a lot of duplicate packets everywhere and a very slow VPN. I guess that it is a routing problem, but I have tried a lot of alternatives without result. I have tried the "switch", "hub" and "router" modes, too. If I turn off one of the clients ("iquique" or "valparaiso") the VPN returns to normal.

I have RH 9.0 and tinc-1.0CVS (the only version that runs on RH 9.0) from one week ago.

Does someone have an idea or solution for this? Thanks for any little or big help.

Andres Sommerhoff

#############################################################
THE DETAILS
#############################################################

********************************************************
THE EVIDENCE (It is the same for any host on my VPN)
********************************************************

[root@iquique /]# ping 10.0.1.10        (with the other clients running)
PING 10.0.1.10 (10.0.1.10) 56(84) bytes of data.
64 bytes from 10.0.1.10: icmp_seq=1 ttl=127 time=233 ms
64 bytes from 10.0.1.10: icmp_seq=1 ttl=126 time=244 ms (DUP!)
64 bytes from 10.0.1.10: icmp_seq=1 ttl=125 time=250 ms (DUP!)
64 bytes from 10.0.1.10: icmp_seq=1 ttl=127 time=255 ms (DUP!)
64 bytes from 10.0.1.10: icmp_seq=1 ttl=124 time=261 ms (DUP!)
64 bytes from 10.0.1.10: icmp_seq=1 ttl=123 time=267 ms (DUP!)
64 bytes from 10.0.1.10: icmp_seq=1 ttl=126 time=273 ms (DUP!)
64 bytes from 10.0.1.10: icmp_seq=1 ttl=125 time=279 ms (DUP!)

[root@iquique /]# ping 10.0.1.10        (without the other clients running: only one tunnel, I get a normal answer)
PING 10.0.1.10 (10.0.1.10) 56(84) bytes of data.
64 bytes from 10.0.1.10: icmp_seq=1 ttl=127 time=81.5 ms
64 bytes from 10.0.1.10: icmp_seq=2 ttl=127 time=23.1 ms
64 bytes from 10.0.1.10: icmp_seq=3 ttl=127 time=23.8 ms
64 bytes from 10.0.1.10: icmp_seq=4 ttl=127 time=23.6 ms
64 bytes from 10.0.1.10: icmp_seq=5 ttl=127 time=21.6 ms
64 bytes from 10.0.1.10: icmp_seq=6 ttl=127 time=47.5 ms

*******************************************************
STRUCTURE
*******************************************************

                              |---> (Valparaiso IP:any) (Client)
                              |     Internal IP: 10.0.2.1
  (main IP:200.1.2.111)  <----|     Subnet: 10.0.2.0/24
  Internal IP: 10.0.1.1       |
  Subnet: 10.0.1.0/24         |
                              |---> (Iquique IP:any) (Client)
                                    Internal IP: 10.0.5.1
                                    Subnet: 10.0.5.0/24

  VPN Subnet: 10.0.0.0/16

******************************************************************
MAIN
******************************************************************

[root@main /etc/tinc/vpn]# cat tinc.conf
Name = main
Mode = switch
Device=/dev/net/tun
PrivateKeyFile = /etc/tinc/vpn/rsa_key.priv

[root@main /etc/tinc/vpn]# cat tinc-up
#!/bin/sh
ifconfig $INTERFACE 10.0.250.1 netmask 255.255.0.0
# ifconfig $INTERFACE -arp

[root@main /etc/tinc/vpn/hosts]# ls
arica  iquique  main  sanantonio  valparaiso

[root@main /etc/tinc/vpn/hosts]# cat main
Address = 200.1.2.111
Subnet = 10.0.1.0/24
Compress = 9
-----BEGIN RSA PUBLIC KEY-----
MIG....MA//8
-----END RSA PUBLIC KEY-----

[root@main /etc/tinc/vpn/hosts]# cat iquique
Subnet = 10.0.5.0/24
# Address = 192.168.254.250
Compress = 9
-----BEGIN RSA PUBLIC KEY-----
MIGJ...MA//8
-----END RSA PUBLIC KEY-----

[root@main /etc/tinc/vpn/hosts]# cat valparaiso
Subnet = 10.0.2.0/24
Compress = 9
-----BEGIN RSA PUBLIC KEY-----
MIG....MA//8
-----END RSA PUBLIC KEY-----

[root@main /etc/tinc/vpn]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:05:5D:7A:2A:37
          inet addr:200.1.2.111  Bcast:200.1.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7768075 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8145489 errors:0 dropped:0 overruns:0 carrier:0
          collisions:182886 txqueuelen:100
          RX bytes:3346245933 (3191.2 Mb)  TX bytes:2556181698 (2437.7 Mb)
          Interrupt:10 Base address:0xd400

eth1      Link encap:Ethernet  HWaddr 00:40:F4:7B:43:FE
          inet addr:10.0.1.1  Bcast:10.0.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:688682 errors:0 dropped:0 overruns:0 frame:0
          TX packets:685544 errors:0 dropped:0 overruns:0 carrier:0
          collisions:28 txqueuelen:100
          RX bytes:112166115 (106.9 Mb)  TX bytes:474882762 (452.8 Mb)
          Interrupt:10 Base address:0x9e00

vpn       Link encap:Point-to-Point Protocol
          inet addr:10.0.250.1  P-t-P:10.0.250.1  Mask:255.255.0.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:35 errors:0 dropped:0 overruns:0 frame:0
          TX packets:36 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:4531 (4.4 Kb)  TX bytes:4246 (4.1 Kb)

[root@main /etc/tinc/vpn]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.1.0        *               255.255.255.0   U     0      0        0 eth1
200.1.2.0       *               255.255.255.0   U     0      0        0 eth0
10.0.0.0        *               255.255.0.0     U     0      0        0 vpn
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         200.1.2.3       0.0.0.0         UG    0      0        0 eth0

******************************************************************
IQUIQUE (A client of "main")
******************************************************************
("valparaiso" is very similar, but with another Subnet, tinc-up and key.)

[root@iquique /etc/tinc/vpn]# cat tinc.conf
Name = main
Mode = switch
Device=/dev/net/tun
PrivateKeyFile = /etc/tinc/vpn/rsa_key.priv

[root@iquique /etc/tinc/vpn]# cat tinc-up
#!/bin/sh
ifconfig $INTERFACE 10.0.255.1 netmask 255.255.0.0
# ifconfig $INTERFACE -arp

[root@iquique /etc/tinc/vpn/hosts]# ls
iquique  main

[root@iquique /etc/tinc/vpn/hosts]# cat main
Address = 200.1.2.111
Subnet = 10.0.1.0/24
Compress = 9
-----BEGIN RSA PUBLIC KEY-----
MIG....MA//8
-----END RSA PUBLIC KEY-----

[root@iquique /etc/tinc/vpn/hosts]# cat iquique
Subnet = 10.0.5.0/24
# Address = 192.168.254.250
Compress = 9
-----BEGIN RSA PUBLIC KEY-----
MIGJ...MA//8
-----END RSA PUBLIC KEY-----

[root@iquique /]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.52.20.3      *               255.255.255.255 UH    0      0        0 ppp0
10.0.4.0        *               255.255.255.0   U     0      0        0 eth1
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
10.0.0.0        *               255.255.0.0     U     0      0        0 vpn
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         10.52.20.3      0.0.0.0         UG    0      0        0 ppp0

*************************************************
On Fri, Jul 18, 2003 at 10:59:23PM -0400, Andres Sommerhoff wrote:

> Hello, I successfully built a vpn between two hosts ("main" and
> "iquique") (and its SubNets), but I have problems when I want to add
> another host ("valparaiso"): I get a lot of Duplicates packets
> everywhere and a very slow vpn. I guess that is a routing problem, but
> I have try with a lot of alternatives without result. I have try with
> "switch", "hub" and "router" modes, too. If I turn off one of the
> clients ("iquique" or "valparaiso") the vpn return to the normality. I
> have RH 9.0 and tinc-1.0CVS (The only version that run on RH 9.0) of
> one week ago. Someone has an idea or solution for this?

You must make sure that all tinc daemons are configured to use the same mode. The information you sent is a bit contradictory, for instance:

> [root@main /etc/tinc/vpn]# cat tinc.conf
> Name = main
> Mode = switch
> Device=/dev/net/tun
> PrivateKeyFile = /etc/tinc/vpn/rsa_key.priv

[...]

> [root@main /etc/tinc/vpn]# ifconfig

[...]

> vpn       Link encap:Point-to-Point Protocol
>           inet addr:10.0.250.1  P-t-P:10.0.250.1  Mask:255.255.0.0
>           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
>           RX packets:35 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:36 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:10
>           RX bytes:4531 (4.4 Kb)  TX bytes:4246 (4.1 Kb)

If tinc were in switch mode, the vpn interface would never be Point-to-Point, but Ethernet. Looking at the setup of your network I'd say you should stick to router mode.

However, all of this doesn't explain why you see duplicate packets. The packets are not duplicated by tinc, because the TTL is different, and tinc doesn't alter packets in any way. Could you try to use tcpdump on various interfaces to look where the duplicates are created?

-- 
Met vriendelijke groet / with kind regards,
    Guus Sliepen <guus@sliepen.eu.org>
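An added illustration of the TTL argument in the reply above (example code written for this archive page; it is not from the thread and not part of tinc). The script parses the ping output Andres posted, groups replies by icmp_seq and converts each reply's TTL into a hop count. Assumption: the host at 10.0.1.10 sends its replies with an initial TTL of 128, so ttl=127 means one hop (the origin_ttl parameter carries that assumption); the two sample texts are the posted ping runs, embedded as constructed input. Copies of one sequence number that arrive with different TTLs have crossed a different number of routers, so they cannot be a single frame duplicated on one link: each copy travelled a different path through the mesh, which is why a node that merely encrypts and forwards, as tinc does, cannot be the thing copying them.

```python
import re
from collections import defaultdict

# Constructed sample input: the two ping runs posted in the thread, one reply per line.
PING_WITH_DUPS = """\
64 bytes from 10.0.1.10: icmp_seq=1 ttl=127 time=233 ms
64 bytes from 10.0.1.10: icmp_seq=1 ttl=126 time=244 ms (DUP!)
64 bytes from 10.0.1.10: icmp_seq=1 ttl=125 time=250 ms (DUP!)
64 bytes from 10.0.1.10: icmp_seq=1 ttl=127 time=255 ms (DUP!)
64 bytes from 10.0.1.10: icmp_seq=1 ttl=124 time=261 ms (DUP!)
64 bytes from 10.0.1.10: icmp_seq=1 ttl=123 time=267 ms (DUP!)
64 bytes from 10.0.1.10: icmp_seq=1 ttl=126 time=273 ms (DUP!)
64 bytes from 10.0.1.10: icmp_seq=1 ttl=125 time=279 ms (DUP!)
"""

PING_HEALTHY = """\
64 bytes from 10.0.1.10: icmp_seq=1 ttl=127 time=81.5 ms
64 bytes from 10.0.1.10: icmp_seq=2 ttl=127 time=23.1 ms
64 bytes from 10.0.1.10: icmp_seq=3 ttl=127 time=23.8 ms
"""

REPLY_RE = re.compile(
    r"from (?P<src>[\d.]+): icmp_seq=(?P<seq>\d+) ttl=(?P<ttl>\d+) time=(?P<ms>[\d.]+) ms"
)


def parse_ping(text):
    """Extract (icmp_seq, ttl, rtt_ms) from every reply line of ping output."""
    replies = []
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            replies.append((int(m["seq"]), int(m["ttl"]), float(m["ms"])))
    return replies


def analyze(replies, origin_ttl=128):
    """Group replies by sequence number and turn each TTL into a hop count.

    origin_ttl is an assumption about the replying host: the initial TTL it
    puts on echo replies (128 fits the ttl=127 seen after one hop here).
    Several copies of one icmp_seq with different TTLs cannot be one packet
    emitted twice on the same path; each copy crossed a different number of
    routers, so the copies were forwarded along different paths.
    """
    ttls_by_seq = defaultdict(list)
    for seq, ttl, _ms in replies:
        ttls_by_seq[seq].append(ttl)
    report = {}
    for seq, ttls in sorted(ttls_by_seq.items()):
        hops = sorted({origin_ttl - t for t in ttls})
        report[seq] = {"copies": len(ttls), "hops": hops, "multipath": len(hops) > 1}
    return report


def looks_like_forwarding_loop(report):
    """True when some sequence number came back more than once over paths of
    differing length: the VPN nodes are re-forwarding the packet, rather than
    one link duplicating frames."""
    return any(r["copies"] > 1 and r["multipath"] for r in report.values())


if __name__ == "__main__":
    for name, text in (("with dups", PING_WITH_DUPS), ("healthy", PING_HEALTHY)):
        rep = analyze(parse_ping(text))
        print(name, "- forwarding loop:", looks_like_forwarding_loop(rep))
        for seq, r in rep.items():
            print(f"  seq={seq} copies={r['copies']} hop counts={r['hops']}")
```

Feed it the output of a real ping run (for example `ping -c 20 10.0.1.10 | python3 this_script.py` after swapping the constructed samples for `sys.stdin.read()`): a run where every duplicate shares the original's TTL points at a single link or bridge repeating frames, while a spread of hop counts like the one in the posted output points at the nodes re-forwarding the packet to each other, which is exactly where tcpdump on each interface would then localise it.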
On Fri, Jul 18, 2003 at 10:59:23PM -0400, Andres Sommerhoff wrote:

> the normality. I have RH 9.0 and tinc-1.0CVS (The only version that run on RH 9.0) of one week ago. Someone

When exactly did you check out the CVS version? There've been many changes lately, so it might be that you checked it out when the version in CVS wasn't working properly!

-- 
Met vriendelijke groet / with kind regards,
    Guus Sliepen <guus@sliepen.eu.org>
> On Fri, Jul 18, 2003 at 10:59:23PM -0400, Andres Sommerhoff wrote:
>
> > the normality. I have RH 9.0 and tinc-1.0CVS (The only version that run on RH 9.0) of one week ago. Someone
>
> When exactly did you check out the CVS version? There've been many changes lately, so it might be that you checked it out when the version in CVS wasn't working properly!
>
> -- 
> Met vriendelijke groet / with kind regards,
>     Guus Sliepen <guus@sliepen.eu.org>

Dear Guus,

We downloaded CVS on July 6th, and with switch mode the VPN works as P-t-P, whereas with router mode we are unable to bring up the VPN. Would a tcpdump report be useful to you?

Thank you,
R. Schwarzenberg
On Tue, Jul 22, 2003 at 03:02:24PM -0400, CFS - Claudio Flores wrote:

> Dear Guus, We downloaded CVS on July 6th, and with switch mode the vpn
> works as P-t-P, whereas with router mode we are unable to brig up the
> vpn. Would a tcpdump report be useful to you? thank you, R.
> Schwarzenberg

Try the current CVS version, it contains a fix so it will configure the interface as Ethernet when in switch or hub mode. The tcpdump report when in router mode would be very useful.

-- 
Met vriendelijke groet / with kind regards,
    Guus Sliepen <guus@sliepen.eu.org>
Hi,

How do I make the tinc daemon transparently pass the packets (without encryption/authentication) to the peer? I tried using the bypass-security option, but when I capture the packets on the ethernet interface (using tcpdump), I do not see the plaintext version. At first I thought that maybe tinc was trying to compress the packet, so I used "Compression = 0", but still this is not working. Do I need to set something else? Any help is appreciated.

Shashank

Tinc: Discussion list about the tinc VPN daemon
Archive: http://mail.nl.linux.org/lists/
Tinc site: http://tinc.nl.linux.org/
Thanks Guus, I will try with the current CVS version. I will tell you the results.

regards,
Andres Sommerhoff

----- Original Message -----
From: "Guus Sliepen" <guus@sliepen.eu.org>
To: <tinc@nl.linux.org>
Cc: "Andres Sommerhoff" <asommerh@chilesat.net>; "Rodolfo Schwarzenberg K." <rschwarzenberg@logikchile.com>
Sent: Tuesday, July 22, 2003 5:18 PM
Subject: Re: Problem with more than two Subnets!

> On Tue, Jul 22, 2003 at 03:02:24PM -0400, CFS - Claudio Flores wrote:
>
> > Dear Guus, We downloaded CVS on July 6th, and with switch mode the vpn
> > works as P-t-P, whereas with router mode we are unable to brig up the
> > vpn. Would a tcpdump report be useful to you? thank you, R.
> > Schwarzenberg
>
> Try the current CVS version, it contains a fix so it will configure the interface as Ethernet when in switch or hub mode. The tcpdump report when in router mode would be very useful.
>
> -- 
> Met vriendelijke groet / with kind regards,
>     Guus Sliepen <guus@sliepen.eu.org>
On Tue, Jul 22, 2003 at 05:25:37PM -0500, Shashank Khanvilkar wrote:

> How do i make tinc daemon transparently pass the packets (without
> encryption/authentication) to the peer. I tried using the
> bypass-security option, but when i capture the packets on the ethernet
> inetrface (using tcpdump), I do not see the plaintext version.

The tincd manpage is not clear about this, but --bypass-security only disables authentication and encryption of the TCP connections. To prevent encryption of the rest add this to the host config files:

Cipher = none
Digest = none

-- 
Met vriendelijke groet / with kind regards,
    Guus Sliepen <guus@sliepen.eu.org>
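An added example (mine, written for this archive page; not tinc's own tooling and not from the thread). "Cipher = none" and "Digest = none" switch off confidentiality and integrity protection for all data traffic exchanged with that host, which is fine for a packet-capture session and dangerous if it is forgotten in a hosts directory. The script below reads every file in a tinc hosts directory the way the posted host files are laid out (Key = Value lines, "#" comments, then the PEM public key block) and reports each host with either option set to none. The two sample host files are constructed for the example: "main" is the one posted above, "lab" is a hypothetical node left with the debugging settings. It assumes tinc treats option names case-insensitively, so names are lower-cased before comparison.

```python
import os
import tempfile

# Constructed sample host files: "main" as posted in the thread, plus a
# hypothetical "lab" node still carrying the debugging options.
SAMPLE_HOSTS = {
    "main": (
        "Address = 200.1.2.111\n"
        "Subnet = 10.0.1.0/24\n"
        "Compress = 9\n"
        "-----BEGIN RSA PUBLIC KEY-----\n"
        "MIG....MA//8\n"
        "-----END RSA PUBLIC KEY-----\n"
    ),
    "lab": (
        "Subnet = 10.0.9.0/24\n"
        "# left over from a packet-capture session\n"
        "Cipher = none\n"
        "Digest = none\n"
        "-----BEGIN RSA PUBLIC KEY-----\n"
        "MIG....MA//8\n"
        "-----END RSA PUBLIC KEY-----\n"
    ),
}

# Options that, when set to "none", strip confidentiality (Cipher) or
# integrity protection (Digest) from the data traffic to that host.
WEAK_WHEN_NONE = ("cipher", "digest")


def parse_host_file(text):
    """Return {option: value} from a tinc host file, skipping comments and
    the PEM key block. Option names are lower-cased on the assumption that
    tinc matches them case-insensitively."""
    options = {}
    in_key = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-----BEGIN"):
            in_key = True
            continue
        if line.startswith("-----END"):
            in_key = False
            continue
        if in_key or not line or line.startswith("#"):
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            options[key.strip().lower()] = value.strip()
    return options


def audit_hosts(hosts_dir):
    """List (host, option) pairs where Cipher or Digest is set to none."""
    findings = []
    for name in sorted(os.listdir(hosts_dir)):
        with open(os.path.join(hosts_dir, name)) as fh:
            options = parse_host_file(fh.read())
        for opt in WEAK_WHEN_NONE:
            if options.get(opt, "").lower() == "none":
                findings.append((name, opt))
    return findings


def write_sample_hosts():
    """Materialise the constructed sample files in a temp dir and return its path."""
    hosts_dir = tempfile.mkdtemp(prefix="tinc-hosts-")
    for name, text in SAMPLE_HOSTS.items():
        with open(os.path.join(hosts_dir, name), "w") as fh:
            fh.write(text)
    return hosts_dir


if __name__ == "__main__":
    for host, opt in audit_hosts(write_sample_hosts()):
        print(f"{host}: {opt} = none (data traffic with this host is unprotected)")
```

Point audit_hosts at the real directory (for the setup in this thread, /etc/tinc/vpn/hosts on each node) once the capture session is over; an empty result is the condition to require before a host file goes back into service.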
Thanks Guus, the VPN has worked fine since three days ago with the new CVS version! Now I don't have duplicated packets! (Only the router mode works, but it works fine!)

Please see the PENDING QUESTIONS at the bottom, but first the final part of this story (only for reference: this means that it is not necessary to read it).

Thanks for all,
Andres Sommerhoff

THE STORY: FINAL PART

The VPN didn't work the first time after the new compilation of the CVS. The vpn device was set right depending on the mode I chose (router -> pointtopoint, switch -> ethernet), but I couldn't establish even a two-host VPN. In this case, duplicated packets were better than nothing.

In switch mode, I could ping only the other host, but not the subnet behind it. I used tcpdump, as Guus had recommended, but the packets for the subnet didn't appear on any device.

In router mode it was easy to follow the packets. The tcpdump showed that the ping packet passed through the internet and reached a computer on the subnet, but its answers didn't find the path for the return to the source. I was closer.

Then I found the problem. I must put the same IP on the pointToPoint device as on the internal device! I corrected this on every host (in the "tinc-up" file) and I got a working VPN without duplicated packets!

You can see in the tinc info: "Note that the IP addresses of eth0 and tap0 are the same. This is quite possible, if you make sure that the netmasks of the interfaces are different." But I have learned it the hard way!

The End.

-------------
PENDING QUESTIONS

Finally, when I had brought up the VPN in router mode I tried to use the switch mode. It didn't work. It is not critical, because I can use the router mode, but I want to know if I'm missing something. What should I do to pass from a working VPN in router mode to a VPN in switch mode? Do I need something special in the config? Do you guess that the problem is in the CVS version?
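An added example (written for this archive page; not from the thread and not tinc's own code) of one reading of why the tinc-up change fixed the return path. In router mode tinc chooses the node that receives a packet by matching the destination address against the Subnet lines declared in the host files, so a reply addressed to a VPN interface address that falls inside no declared Subnet has no node to go to. The Subnet constants below are the declarations posted in this thread; the lookup is a plain longest-prefix match written for this page. It assumes the echo request left iquique with the vpn interface address as its source (10.0.255.1 in the original tinc-up), which the posted route table for iquique makes the natural source for a destination in 10.0.0.0/16.

```python
import ipaddress

# Subnet declarations from the host files posted in this thread.
SUBNETS = {
    "main": ["10.0.1.0/24"],
    "iquique": ["10.0.5.0/24"],
    "valparaiso": ["10.0.2.0/24"],
}


def build_table(subnets):
    """Flatten node -> Subnet lines into a list sorted longest prefix first."""
    table = [
        (ipaddress.ip_network(net), node)
        for node, nets in subnets.items()
        for net in nets
    ]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def owner(table, addr):
    """Node whose declared Subnet contains addr, or None if nothing matches.
    This mirrors how tinc in router mode picks the destination node."""
    ip = ipaddress.ip_address(addr)
    for net, node in table:
        if ip in net:
            return node
    return None


def trace_ping(table, src, dst):
    """Which node receives the echo request, and which one the echo reply.
    None on the reply side means the reply has no owner in the mesh."""
    return {"request_to": owner(table, dst), "reply_to": owner(table, src)}


if __name__ == "__main__":
    table = build_table(SUBNETS)
    # Source address set by iquique's original tinc-up (10.0.255.1/16) ...
    print("original:", trace_ping(table, "10.0.255.1", "10.0.1.10"))
    # ... and after giving the vpn device the internal address 10.0.5.1.
    print("fixed:   ", trace_ping(table, "10.0.5.1", "10.0.1.10"))
```

The same check is worth running before adding any new node: every address a node will ever use as a source on the VPN, including the address on its vpn device, has to be covered by a Subnet line that the other nodes have in their hosts directory, otherwise the node can send but nothing can answer it.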