Hi all,
I've been having problems with a vpn for a long time... I'd be glad
if somebody could check my current setup.
Our problem is we're having tinc-vpn shortcuts while we have no
bandwidth problems nor 'ssh' trouble.
I attached some log lines from both the "server" and the
"client".
Some ASCII art...
 ___                   ___                 ___
|   |    tinc vpn     |   |               |   |
| p |    over ADSL    | i |      LAN      | p |
| a |    __________   | s |    ________   | a |
| m |   /          /  | i |   /        /  | t |
|   |__/          /___|   |__/        /___|   |
-----                 -----               -----
pub:200.x.x.x pub:dynamic
vpn:10.10.10.1 vpn:10.10.10.2
pri:192.168.144.1 pri:192.168.144.1
Ok, let's see the configs of pam(perito) and isi(dorito).
I named their virtual interfaces as 'pamvpn' and 'isivpn'.
a-'isidorito' (our gateway+firewall+proxy) with dynamic IP
/etc/tinc/vpn/tinc.conf
Name = isivpn
Device = /dev/net/tun
PrivateKeyFile = /etc/tinc/vpn/rsa_key.priv
ConnectTo = pamvpn
/etc/tinc/vpn/tinc-up
ifconfig $INTERFACE hw ether fe:fd:0:0:0:0
ifconfig $INTERFACE 10.10.10.2 netmask 255.255.0.0
ifconfig $INTERFACE -arp
/etc/tinc/vpn/hosts/isivpn
Subnet = 10.10.10.2/32
Subnet = 192.168.144.0/24
TCPOnly = yes
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----
/etc/tinc/vpn/hosts/pamvpn
isidorito:/etc/tinc/vpn/hosts# cat /etc/tinc/vpn/hosts/
isivpn pamvpn
isidorito:/etc/tinc/vpn/hosts# cat /etc/tinc/vpn/hosts/pamvpn
Address = 200.x.x.x
Subnet = 10.10.10.1/32
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----
b-'pamperito' (it waits for isi's connections)
/etc/tinc/vpn/tinc.conf
Name = pamvpn
Device = /dev/tun
PrivateKeyFile = /etc/tinc/vpn/rsa_key.priv
/etc/tinc/vpn/tinc-up
ifconfig $INTERFACE hw ether fe:fd:0:0:0:0
ifconfig $INTERFACE 10.10.10.1 netmask 255.255.0.0
ifconfig $INTERFACE -arp
route add -net 192.168.144.0 netmask 255.255.255.0 gw isivpn dev vpn
pamvpn and isivpn are setup as in 'isidorito'
Is everything ok here?
In isidorito's syslog I even found:
nov 11 17:05:34 isidorito tinc.vpn[5841]: Closing connection with
pamvpn (200.x.x.x port 655)
nov 11 17:05:35 isidorito tinc.vpn[5841]: Closing connection with
isivpn (MYSELF)
^^^^^^^^^^^^^^^
I remember I added the subnet 192.168.144.0/24 because 'pat'
is our internal smtp server... so 'pam' needs to reach 'pat'
for mail delivery and vice versa.
I suspect I'm making a setup mistake, any clue will be very
appreciated.
TIA,
-
Roberto
------------ next part ------------
nov 11 16:12:29 pamperito tinc.vpn[17311]: Metadata socket error for isivpn
(168.226.139.225 port 1871): Conexión reinicializada por la máquina remota
nov 11 16:14:54 pamperito tinc.vpn[17311]: Metadata socket error for isivpn
(168.226.139.225 port 2341): Conexión reinicializada por la máquina remota
nov 11 16:16:21 pamperito tinc.vpn[17311]: Bogus data received from isivpn
(168.226.139.225 port 2381)
nov 11 16:17:08 pamperito tinc.vpn[17311]: Bogus data received from isivpn
(168.226.139.225 port 2386)
Nov 11 16:49:02 pamperito exiscanv2[31949]: 1CSKwD-0000SI-00
F:<tinc-bounces@tinc-vpn.org> T:rmeyer@idr.org.ar R:clean, marked for
dequeue
nov 11 17:05:41 pamperito tinc.vpn[17311]: Bogus data received from isivpn
(168.226.140.12 port 3110)
------------ next part ------------
nov 11 16:12:38 isidorito tinc.vpn[5841]: Sending meta data to pamvpn (200.x.x.x
port 655) failed: Recurso no disponible temporalmente
nov 11 16:12:38 isidorito tinc.vpn[5841]: Closing connection with pamvpn
(200.x.x.x port 655)
nov 11 16:12:38 isidorito tinc.vpn[5841]: Trying to re-establish outgoing
connection in 5 seconds
nov 11 16:12:45 isidorito tinc.vpn[5841]: Trying to connect to pamvpn (200.x.x.x
port 655)
nov 11 16:12:46 isidorito tinc.vpn[5841]: Connected to pamvpn (200.x.x.x port
655)
nov 11 16:12:47 isidorito tinc.vpn[5841]: Connection with pamvpn (200.x.x.x port
655) activated
nov 11 16:15:02 isidorito tinc.vpn[5841]: Sending meta data to pamvpn (200.x.x.x
port 655) failed: Recurso no disponible temporalmente
nov 11 16:15:02 isidorito tinc.vpn[5841]: Closing connection with pamvpn
(200.x.x.x port 655)
nov 11 16:15:02 isidorito tinc.vpn[5841]: Trying to re-establish outgoing
connection in 10 seconds
nov 11 16:15:18 isidorito tinc.vpn[5841]: Trying to connect to pamvpn (200.x.x.x
port 655)
nov 11 16:15:19 isidorito tinc.vpn[5841]: Connected to pamvpn (200.x.x.x port
655)
nov 11 16:15:20 isidorito tinc.vpn[5841]: Connection with pamvpn (200.x.x.x port
655) activated
nov 11 16:16:31 isidorito tinc.vpn[5841]: Metadata socket error for pamvpn
(200.x.x.x port 655): Conexión reinicializada por la máquina remota
nov 11 16:16:31 isidorito tinc.vpn[5841]: Closing connection with pamvpn
(200.x.x.x port 655)
nov 11 16:16:31 isidorito tinc.vpn[5841]: Trying to re-establish outgoing
connection in 15 seconds
nov 11 16:16:52 isidorito tinc.vpn[5841]: Trying to connect to pamvpn (200.x.x.x
port 655)
nov 11 16:16:53 isidorito tinc.vpn[5841]: Connected to pamvpn (200.x.x.x port
655)
nov 11 16:16:54 isidorito tinc.vpn[5841]: Connection with pamvpn (200.x.x.x port
655) activated
nov 11 16:17:17 isidorito tinc.vpn[5841]: Metadata socket error for pamvpn
(200.x.x.x port 655): Conexión reinicializada por la máquina remota
nov 11 16:17:17 isidorito tinc.vpn[5841]: Closing connection with pamvpn
(200.x.x.x port 655)
nov 11 16:17:17 isidorito tinc.vpn[5841]: Trying to re-establish outgoing
connection in 20 seconds
nov 11 16:17:40 isidorito tinc.vpn[5841]: Trying to connect to pamvpn (200.x.x.x
port 655)
nov 11 16:17:41 isidorito tinc.vpn[5841]: Connected to pamvpn (200.x.x.x port
655)
nov 11 16:17:42 isidorito tinc.vpn[5841]: Connection with pamvpn (200.x.x.x port
655) activated
nov 11 16:43:24 isidorito tinc.vpn[5841]: Regenerating symmetric key
nov 11 17:05:29 isidorito tinc.vpn[5841]: Got HUP signal
nov 11 17:05:34 isidorito tinc.vpn[5841]: Closing connection with pamvpn
(200.x.x.x port 655)
nov 11 17:05:35 isidorito tinc.vpn[5841]: Closing connection with isivpn
(MYSELF)
nov 11 17:05:35 isidorito tinc.vpn[5841]: Rereading configuration file and
restarting in 5 seconds...
nov 11 17:05:40 isidorito tinc.vpn[5841]: /dev/net/tun is a Linux tun/tap device
nov 11 17:05:40 isidorito tinc.vpn[5841]: Executing script tinc-up
nov 11 17:05:41 isidorito tinc.vpn[5841]: Listening on 0.0.0.0 port 655
nov 11 17:05:41 isidorito tinc.vpn[5841]: Ready
nov 11 17:05:41 isidorito tinc.vpn[5841]: Trying to connect to pamvpn (200.x.x.x
port 655)
nov 11 17:05:41 isidorito tinc.vpn[5841]: Connected to pamvpn (200.x.x.x port
655)
nov 11 17:05:42 isidorito tinc.vpn[5841]: Connection with pamvpn (200.x.x.x port
655) activated
nov 11 17:05:50 isidorito tinc.vpn[5841]: Sending meta data to pamvpn (200.x.x.x
port 655) failed: Recurso no disponible temporalmente
nov 11 17:05:50 isidorito tinc.vpn[5841]: Closing connection with pamvpn
(200.x.x.x port 655)
nov 11 17:05:50 isidorito tinc.vpn[5841]: Trying to re-establish outgoing
connection in 5 seconds
nov 11 17:06:04 isidorito tinc.vpn[5841]: Trying to connect to pamvpn (200.x.x.x
port 655)
nov 11 17:06:05 isidorito tinc.vpn[5841]: Connected to pamvpn (200.x.x.x port
655)
nov 11 17:06:06 isidorito tinc.vpn[5841]: Connection with pamvpn (200.x.x.x port
655) activated
On Thu, Nov 11, 2004 at 06:05:18PM -0300, Roberto Meyer wrote:

> /etc/tinc/vpn/hosts/isivpn
> Subnet = 10.10.10.2/32
> Subnet = 192.168.144.0/24
> TCPOnly = yes
> -----BEGIN RSA PUBLIC KEY-----
> ...
> -----END RSA PUBLIC KEY-----

Is there a reason for using TCPOnly? If not, try removing that option.

> In isidorito's syslog I even found:
>
> nov 11 17:05:34 isidorito tinc.vpn[5841]: Closing connection with
> pamvpn (200.x.x.x port 655)
> nov 11 17:05:35 isidorito tinc.vpn[5841]: Closing connection with
> isivpn (MYSELF)
> ^^^^^^^^^^^^^^^

When tinc shuts down, it always closes "itself", this is normal.

> I suspect I'm making a setup mistake, any clue will be very
> appreciated.

Your configuration files do not contain any errors as far as I can see,
however:

[...]
> nov 11 16:17:17 isidorito tinc.vpn[5841]: Closing connection with pamvpn (200.x.x.x port 655)
> nov 11 16:17:17 isidorito tinc.vpn[5841]: Trying to re-establish outgoing connection in 20 seconds
> nov 11 16:17:40 isidorito tinc.vpn[5841]: Trying to connect to pamvpn (200.x.x.x port 655)
> nov 11 16:17:41 isidorito tinc.vpn[5841]: Connected to pamvpn (200.x.x.x port 655)
> nov 11 16:17:42 isidorito tinc.vpn[5841]: Connection with pamvpn (200.x.x.x port 655) activated
> nov 11 16:43:24 isidorito tinc.vpn[5841]: Regenerating symmetric key
> nov 11 17:05:29 isidorito tinc.vpn[5841]: Got HUP signal
> nov 11 17:05:34 isidorito tinc.vpn[5841]: Closing connection with pamvpn (200.x.x.x port 655)
> nov 11 17:05:35 isidorito tinc.vpn[5841]: Closing connection with isivpn (MYSELF)
> nov 11 17:05:35 isidorito tinc.vpn[5841]: Rereading configuration file and restarting in 5 seconds...
[...]

That suggests that you are using an old version of tinc. Please try out
1.0.3, which has been released today.

--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus@sliepen.eu.org>
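
Added example (not part of the thread and not tinc's own code): a small Python parser for the syslog format in the attachments above that reports how long each meta connection stayed up and what was logged just before it closed. The sample is constructed from the isidorito log with the mail-wrapped lines joined; the names are illustrative, and timestamps use only day and time of day, which assumes the log stays within one month.

```python
import re

# Constructed sample: lines from the isidorito log in this thread, unwrapped.
SAMPLE = """\
nov 11 16:12:47 isidorito tinc.vpn[5841]: Connection with pamvpn (200.x.x.x port 655) activated
nov 11 16:15:02 isidorito tinc.vpn[5841]: Sending meta data to pamvpn (200.x.x.x port 655) failed: Recurso no disponible temporalmente
nov 11 16:15:02 isidorito tinc.vpn[5841]: Closing connection with pamvpn (200.x.x.x port 655)
nov 11 16:15:20 isidorito tinc.vpn[5841]: Connection with pamvpn (200.x.x.x port 655) activated
nov 11 16:16:31 isidorito tinc.vpn[5841]: Metadata socket error for pamvpn (200.x.x.x port 655): Conexión reinicializada por la máquina remota
nov 11 16:16:31 isidorito tinc.vpn[5841]: Closing connection with pamvpn (200.x.x.x port 655)
nov 11 16:17:42 isidorito tinc.vpn[5841]: Connection with pamvpn (200.x.x.x port 655) activated
nov 11 17:05:29 isidorito tinc.vpn[5841]: Got HUP signal
nov 11 17:05:34 isidorito tinc.vpn[5841]: Closing connection with pamvpn (200.x.x.x port 655)
nov 11 17:05:35 isidorito tinc.vpn[5841]: Closing connection with isivpn (MYSELF)
"""

LINE = re.compile(r"^\S+\s+(\d+) (\d+):(\d+):(\d+) \S+ tinc\.[^\[]+\[\d+\]: (.*)$")
PEER = r"(\S+) \(([^)]*)\)"
EVENTS = [("up", re.compile("Connection with " + PEER + " activated")),
          ("send failed", re.compile("Sending meta data to " + PEER + " failed: (.*)")),
          ("socket error", re.compile("Metadata socket error for " + PEER + ": (.*)")),
          ("close", re.compile("Closing connection with " + PEER))]

def sessions(log_text):
    """Return [(peer, seconds_up, reason)] for each meta connection that closed."""
    up, reason, out = {}, {}, []
    for m in filter(None, map(LINE.match, log_text.splitlines())):
        day, hh, mm, ss = map(int, m.groups()[:4])
        t = ((day * 24 + hh) * 60 + mm) * 60 + ss  # month/year ignored (assumption)
        msg = m.group(5)
        if msg.startswith("Got HUP signal"):
            reason.update({peer: "HUP signal" for peer in up})
        for kind, pat in EVENTS:
            if not (e := pat.match(msg)):
                continue
            peer, addr = e.group(1), e.group(2)
            if kind == "up":
                up[peer] = t
            elif kind == "close":
                # "(MYSELF)" is the daemon closing its own entry, not a peer drop.
                if addr != "MYSELF" and peer in up:
                    out.append((peer, t - up.pop(peer), reason.pop(peer, "unknown")))
            else:
                reason[peer] = f"{kind}: {e.group(3)}"
            break
    return out

if __name__ == "__main__":
    print(*sessions(SAMPLE), sep="\n")
```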