Roberto Meyer
2003-Jul-29 23:45 UTC
can't ping to an internal IP through tinc's virtual interfaces
Hi.

As I wrote some days ago (It worked! [Was: my two hosts don't see each other]) I succeeded at setting up a tinc VPN between two hosts (isivirtual and pamvirtual).

I tried to ping from pamvirtual, the external machine, to an internal IP of 'isivirtual' but it doesn't work. Neither does 'traceroute'.
What's going on?

At 'isivirtual' routing (ip forwarding) is enabled and iptables is not limiting traffic from virtual interfaces.

I'll begin reading about 'tcpdump' to find where packets don't flow. In the meantime, does tinc somehow limit this kind of traffic?

TIA.

- Roberto

Tinc: Discussion list about the tinc VPN daemon
Archive: http://mail.nl.linux.org/lists/
Tinc site: http://tinc.nl.linux.org/
Guus Sliepen
2003-Jul-30 00:35 UTC
can't ping to an internal IP through tinc's virtual interfaces
On Tue, Jul 29, 2003 at 06:45:13PM -0300, Roberto Meyer wrote:

> I tried to ping from pamvirtual, the external machine, to an internal IP
> of 'isivirtual' but it doesn't work. Neither 'traceroute'.
> What's going on?
>
> At 'isivirtual' routing (ip forwarding) is enabled and iptables is not
> limiting traffic from virtual interfaces.

Probably wrong configuration of the virtual interface or wrong Subnets. Send copies of tinc-up and the host config files so we can see!

> I'll begin reading about 'tcpdump' to find where packets don't flow, in
> the meantime, does tinc limits somehow this kind of traffic?

Tinc, in router mode, only routes packets whose destination address lies within a Subnet of any of the nodes.

--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus@sliepen.eu.org>
Roberto Meyer
2003-Jul-31 01:42 UTC
can't ping to an internal IP through tinc's virtual interfaces
Hi:

I've detected a problem: if I run 'ping' from pamvirtual (external host) I don't reach isivirtual...

I increased tincd's log level and obtained the following:

Jul 30 20:22:38 pamvirtual tinc.vpn[19629]: /dev/tun is a Linux tun/tap device
Jul 30 20:22:38 pamvirtual tinc.vpn[19629]: Listening on 0.0.0.0 port 655
Jul 30 20:22:38 pamvirtual tinc.vpn[19629]: Ready
Jul 30 20:22:38 pamvirtual tinc.vpn[19629]: Trying to connect to isivirtual (168.226.x.x port 655)
Jul 30 20:22:44 pamvirtual tinc.vpn[19629]: Connection from 168.226.x.x port 2281
Jul 30 20:22:44 pamvirtual tinc.vpn[19629]: Connection with isivirtual (168.226.x.x port 2281) activated
Jul 30 20:23:41 pamvirtual tinc.vpn[19629]: Timeout from isivirtual (168.226.x.x port 655) during authentication
Jul 30 20:23:41 pamvirtual tinc.vpn[19629]: Closing connection with isivirtual (168.226.x.x port 655)
Jul 30 20:23:41 pamvirtual tinc.vpn[19629]: Trying to re-establish outgoing connection in 5 seconds
Jul 30 20:23:57 pamvirtual tinc.vpn[19629]: Already connected to isivirtual

If I ping from isivirtual to pamvirtual, pings from pamvirtual respond for a while. After some minutes every connection from pamvirtual gets stuck again.

Any idea about this?

TIA.

- Roberto

> On Wed, Jul 30, 2003 at 10:56:34AM -0300, Roberto Meyer wrote:
>
> > > > As I said, the VPN seems to work ok. I can ping from one machine to the
> > > > other one (only to their virtual interfaces). I even configured mail
> > > > relaying (exim listens on the virtual IP).
> > >
> > > But I still can't diagnose your problem if I don't see your config
> > > files.
> > [...]
>
> > Routing table:
> > 200.80.x.0      *               255.255.255.128  U   0  0  0  eth0
> > 192.168.144.0   isivirtual      255.255.255.0    UG  0  0  0  vpn
> > 10.10.0.0       *               255.255.0.0      U   0  0  0  vpn
> > default         host1.200.80.x  0.0.0.0          UG  0  0  0  eth0
>
> Hmkay... I see the problem. Gateway routes don't work with tinc in
> router mode. You can do it with tinc in switch mode, but an easier
> solution is given below.
>
> > *** pamvirtual config ***
> >
> > /etc/tinc/vpn/tinc-up:
> > ifconfig $INTERFACE hw ether fe:fd:0:0:0:0
> > ifconfig $INTERFACE 10.10.10.1 netmask 255.255.0.0
> > ifconfig $INTERFACE -arp
>
> Forget about the gateway route. Just add this to tinc-up:
> route add -net 192.168.144.0 netmask 255.255.255.0 dev $INTERFACE
>
> > /etc/tinc/vpn/hosts/isivirtual:
> > Subnet = 10.10.10.2/32
> > -----BEGIN RSA PUBLIC KEY-----
> > -----END RSA PUBLIC KEY-----
>
> Add: Subnet = 192.168.144.0/24
>
> > Another thing I couldn't work out is to configure addresses like
> > 10.10.10.0/24 for subnets... I found broadcast addresses somewhat
> > weird:
> > ifconfig vpn at isivirtual shows this:
>
> Don't bother with the broadcast address, it will never be used.
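
Added example, not part of the original thread and not tinc's own code: a small Python check for the two points made in the replies above, that tinc in router mode only routes to destinations covered by some node's Subnet, and that gateway routes on the VPN interface do not work. The function names, pamvirtual's Subnet line and the address 192.168.144.10 are assumptions made for illustration; picking the most specific matching Subnet is this example's choice.

```python
import ipaddress

def parse_subnets(host_files):
    """Map node name -> list of networks taken from 'Subnet = ...' lines."""
    subnets = {}
    for node, text in host_files.items():
        nets = []
        for line in text.splitlines():
            key, _, value = line.partition("=")
            if key.strip().lower() == "subnet" and value.strip():
                nets.append(ipaddress.ip_network(value.strip(), strict=False))
        subnets[node] = nets
    return subnets

def owner_of(dest, subnets):
    """Node whose Subnet contains dest (most specific wins), or None."""
    addr = ipaddress.ip_address(dest)
    best = None
    for node, nets in subnets.items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (node, net)
    return best[0] if best else None

def gateway_routes(route_output, iface):
    """Destinations of routes on iface that carry the G (gateway) flag."""
    hits = []
    for line in route_output.splitlines():
        fields = line.split()
        if len(fields) == 8 and fields[7] == iface and "G" in fields[3]:
            hits.append(fields[0])
    return hits

# Constructed sample input, modelled on the routing table and host file in the thread.
ROUTES = """\
192.168.144.0 isivirtual 255.255.255.0 UG 0 0 0 vpn
10.10.0.0 * 255.255.0.0 U 0 0 0 vpn
"""
BEFORE = {"isivirtual": "Subnet = 10.10.10.2/32",
          "pamvirtual": "Subnet = 10.10.10.1/32"}  # pamvirtual's Subnet is assumed
AFTER = dict(BEFORE, isivirtual="Subnet = 10.10.10.2/32\nSubnet = 192.168.144.0/24")

if __name__ == "__main__":
    dest = "192.168.144.10"  # constructed internal address behind isivirtual
    print("gateway routes on vpn:", gateway_routes(ROUTES, "vpn"))
    for label, hosts in (("before", BEFORE), ("after", AFTER)):
        print(label, "->", owner_of(dest, parse_subnets(hosts)))
```

With the original host file no node owns the internal address, so the packet is not routed; once the /24 Subnet is added, the address resolves to isivirtual.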