Hi Guus and List,
Since the CVE-2013-1428 was announced, I followed the recommendation to 
update my windows machines to tinc 1.1pre7.
I've had connectivity issues since upgrading. I've done some debugging 
but I can't figure out when or why it's happening.
All machines on the network are running Windows 7 or Windows 2008R2 
Enterprise server and tinc 1.1pre7.
I've got one master node, which all machines connect to. Everything is 
running in router mode.
All machines (apart from MIKEIPHONE and MIKEIPAD) are connected to the 
network and authenticated.
I've also recently changed the Forwarding variable on the master node 
to: Forwarding = off, but I cannot remember how long ago this was, and 
I'm not sure if this is what is causing the issue.
I don't want VPS01PP to route any VPN traffic, I only want it to be used 
for establishing the connection between other nodes.
Example:
When trying to connect MIKEHOMEPC to MIKEDEV02, I get a destination 
unreachable message.
VPN addresses: MIKEHOMEPC = 192.168.69.5/32, MIKEDEV02 = 192.168.69.3/32
Pinging 192.168.69.3 with 32 bytes of data:
Reply from 192.168.69.3: Destination net unreachable.
Reply from 192.168.69.3: Destination net unreachable.
Ping statistics for 192.168.69.3:
     Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Control-C
^C
MIKEDEV02 is on, and is connected to the vpn.
--:MIKEDEV02:--
I can do a tincctl top, and I can see the following:
Tinc      vpn          Nodes:    8  Sort: name        Current
Node                IN pkts   IN bytes   OUT pkts  OUT bytes
MIKEHOMEPC                0          0          0          0
MIKEIPAD                  0          0          0          0
MIKEIPHONE                0          0          0          0
MIKELAPTOP                0          0          0          0
MIKEWORKPC                0          0          0          0
MIKEDEV01                0          0          0          0
MIKEDEV02                0          0          1        208
VPS01PP                   1        208          0          0
I have been watching this top screen for about 2 minutes, and the in/out 
bytes flash between this screen and all 0's.
It's constant and does not vary.
tinc.vpn> dump edges
MIKEHOMEPC to VPS01PP at x.232.112.61 port 655 options c weight 115
MIKELAPTOP to VPS01PP at x.232.112.61 port 655 options c weight 343
MIKEWORKPC to VPS01PP at x.232.112.61 port 655 options c weight 46
MIKEDEV01 to VPS01PP at x.232.112.61 port 655 options c weight 76
MIKEDEV02 to VPS01PP at x.232.112.61 port 655 options c weight 87
VPS01PP to MIKEHOMEPC at x.241.100.155 port 655 options c weight 115
VPS01PP to MIKELAPTOP at x.241.100.155 port 655 options c weight 343
VPS01PP to MIKEWORKPC at x.62.187.113 port 655 options c weight 46
VPS01PP to MIKEDEV01 at x.62.187.113 port 655 options c weight 76
VPS01PP to MIKEDEV02 at x.62.187.113 port 655 options c weight 87
tinc.rgdevvpn>
From this screen, it seems that MIKEHOMEPC is only accessible via VPS01PP?
tinc.rgdevvpn> dump reachable nodes
MIKEHOMEPC at x.241.100.155 port 655 cipher 91 digest 64 maclength 4 
compression 0 options c status 0018 nexthop VPS01PP via MIKEHOMEPC 
distance 2 pmtu 1451 (min 0 max 1518)
MIKELAPTOP at x.241.100.155 port 655 cipher 91 digest 64 maclength 4 
compression 0 options c status 0018 nexthop VPS01PP via MIKELAPTOP 
distance 2 pmtu 1459 (min 0 max 1518)
MIKEWORKPC at x.62.187.113 port 655 cipher 91 digest 64 maclength 4 
compression 0 options c status 0018 nexthop VPS01PP via MIKEWORKPC 
distance 2 pmtu 1459 (min 0 max 1518)
MIKEDEV01 at x.62.187.113 port 655 cipher 0 digest 0 maclength 0 
compression 0 options c status 0018 nexthop VPS01PP via MIKEDEV01 
distance 2 pmtu 1518 (min 0 max 1518)
MIKEDEV02 at MYSELF port 655 cipher 0 digest 0 maclength 0 compression 0 
options 200000c status 0018 nexthop MIKEDEV02 via MIKEDEV02 distance 0 
pmtu 1518 (min 0 max 1518)
VPS01PP at x.232.112.61 port 655 cipher 91 digest 64 maclength 4 
compression 0 options c status 009a nexthop VPS01PP via VPS01PP distance 
1 pmtu 1459 (min 1459 max 1459)
tinc.rgdevvpn>
When I disconnect MIKEDEV02 from the VPN, and reconnect (restarting the 
windows service), it works as expected until I've logged off and 
finished what I was doing. Log back on, and I can't connect. I can 
probably provide some debugging output and config shortly, if the reason 
isn't obvious.
Any thoughts?
Thanks.
Mike
On Sun, May 12, 2013 at 11:49:24AM +1000, Mike Bentzen wrote:
> Since the CVE-2013-1428 was announced, I followed the recommendation
> to update my windows machines to tinc 1.1pre7.
> I've had connectivity issues since upgrading. I've done some
> debugging but I can't figure out when or why it's happening.
>
> All machines on the network are running Windows 7 or Windows 2008R2
> Enterprise server and tinc 1.1pre7.
> I've got one master node, which all machines connect to. Everything
> is running in router mode.
> All machines (apart from MIKEIPHONE and MIKEIPAD) are connected to
> the network and authenticated.
> I've also recently changed the Forwarding variable on the master
> node to: Forwarding = off, but I cannot remember how long ago this
> was, and I'm not sure if this is what is causing the issue.
> I don't want VPS01PP to route any VPN traffic, I only want it to be
> used for establishing the connection between other nodes.

Try it without "Forwarding = off" in any case.

> When trying to connect MIKEHOMEPC to MIKEDEV02, I get a destination
> unreachable message.
> VPN addresses: MIKEHOMEPC = 192.168.69.5/32, MIKEDEV02 = 192.168.69.3/32
>
> Pinging 192.168.69.3 with 32 bytes of data:
> Reply from 192.168.69.3: Destination net unreachable.

That reply is generated by tinc and means that it thinks it knows the
192.168.69.3 address, but that the node it belongs to is offline.

> --:MIKEDEV02:--
> I can do a tincctl top, and I can see the following:
>
> Tinc      vpn          Nodes:    8  Sort: name        Current
>
> Node                IN pkts   IN bytes   OUT pkts  OUT bytes
> MIKEHOMEPC                0          0          0          0
[...]
> MIKEDEV02                 0          0          1        208
> VPS01PP                   1        208          0          0

That means MIKEDEV02 is receiving approximately 1 packet from VPS01PP and
sending it to the virtual network interface.

> tinc.vpn> dump edges
> MIKEHOMEPC to VPS01PP at x.232.112.61 port 655 options c weight 115
> MIKEDEV02 to VPS01PP at x.232.112.61 port 655 options c weight 87
[...]
> VPS01PP to MIKEHOMEPC at x.241.100.155 port 655 options c weight 115
> VPS01PP to MIKEDEV02 at x.62.187.113 port 655 options c weight 87
> From this screen, it seems that MIKEHOMEPC is only accessible via VPS01PP?

Not necessarily, the "edges" are only the meta connections between the
nodes. To check whether MIKEHOMEPC is reachable, you should give the
command: tinc -n vpn info MIKEHOMEPC

> tinc.rgdevvpn> dump reachable nodes
> MIKEHOMEPC at x.241.100.155 port 655 cipher 91 digest 64 maclength 4 compression 0 options c status 0018 nexthop VPS01PP via MIKEHOMEPC distance 2 pmtu 1451 (min 0 max 1518)
[...]
> MIKEDEV02 at MYSELF port 655 cipher 0 digest 0 maclength 0 compression 0 options 200000c status 0018 nexthop MIKEDEV02 via MIKEDEV02 distance 0 pmtu 1518 (min 0 max 1518)
> VPS01PP at x.232.112.61 port 655 cipher 91 digest 64 maclength 4 compression 0 options c status 009a nexthop VPS01PP via VPS01PP distance 1 pmtu 1459 (min 1459 max 1459)

Hm, that looks like it has a direct connection to MIKEHOMEPC, so it
shouldn't give Destination net unreachable replies.

> When I disconnect MIKEDEV02 from the VPN, and reconnect (restarting
> the windows service), it works as expected until I've logged off and
> finished what I was doing. Log back on, and I can't connect. I can
> probably provide some debugging output and config shortly, if the
> reason isn't obvious.

Look at the output of "tinc -n vpn info MIKEHOMEPC" when pings are not
working. You can also get detailed log output at any time by running
"tinc -n vpn log 5".

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
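Added illustration, not part of the thread and not code from the tinc project: a small Python parser for the two dumps posted above ("dump edges" and "dump reachable nodes") that turns each line into fields and then summarises, for one destination, how the local daemon would currently reach it: whether the node is the local one, whether packets to it leave through a relay (nexthop differs from the node itself), the meta-graph distance, whether it is a direct meta neighbour, and which node every meta connection passes through. The sample input is the thread's own dump output re-joined onto one line per node. Two readings are assumptions rather than documented facts: that cipher/digest 0 means no session key has been set up with that node yet (the dump shows 91/64 for the nodes exchanging traffic and 0/0 for the local node and MIKEDEV01), and that "min" equal to "max" in the pmtu field means path-MTU probing has settled.

```python
import re

# Constructed sample input: the dump lines from the thread above, joined
# onto one line each (the poster had already masked addresses with "x.").
EDGES_DUMP = """\
MIKEHOMEPC to VPS01PP at x.232.112.61 port 655 options c weight 115
MIKELAPTOP to VPS01PP at x.232.112.61 port 655 options c weight 343
MIKEWORKPC to VPS01PP at x.232.112.61 port 655 options c weight 46
MIKEDEV01 to VPS01PP at x.232.112.61 port 655 options c weight 76
MIKEDEV02 to VPS01PP at x.232.112.61 port 655 options c weight 87
VPS01PP to MIKEHOMEPC at x.241.100.155 port 655 options c weight 115
VPS01PP to MIKELAPTOP at x.241.100.155 port 655 options c weight 343
VPS01PP to MIKEWORKPC at x.62.187.113 port 655 options c weight 46
VPS01PP to MIKEDEV01 at x.62.187.113 port 655 options c weight 76
VPS01PP to MIKEDEV02 at x.62.187.113 port 655 options c weight 87
"""

NODES_DUMP = """\
MIKEHOMEPC at x.241.100.155 port 655 cipher 91 digest 64 maclength 4 compression 0 options c status 0018 nexthop VPS01PP via MIKEHOMEPC distance 2 pmtu 1451 (min 0 max 1518)
MIKELAPTOP at x.241.100.155 port 655 cipher 91 digest 64 maclength 4 compression 0 options c status 0018 nexthop VPS01PP via MIKELAPTOP distance 2 pmtu 1459 (min 0 max 1518)
MIKEWORKPC at x.62.187.113 port 655 cipher 91 digest 64 maclength 4 compression 0 options c status 0018 nexthop VPS01PP via MIKEWORKPC distance 2 pmtu 1459 (min 0 max 1518)
MIKEDEV01 at x.62.187.113 port 655 cipher 0 digest 0 maclength 0 compression 0 options c status 0018 nexthop VPS01PP via MIKEDEV01 distance 2 pmtu 1518 (min 0 max 1518)
MIKEDEV02 at MYSELF port 655 cipher 0 digest 0 maclength 0 compression 0 options 200000c status 0018 nexthop MIKEDEV02 via MIKEDEV02 distance 0 pmtu 1518 (min 0 max 1518)
VPS01PP at x.232.112.61 port 655 cipher 91 digest 64 maclength 4 compression 0 options c status 009a nexthop VPS01PP via VPS01PP distance 1 pmtu 1459 (min 1459 max 1459)
"""

# One regex per dump format; field order follows the lines in the thread.
NODE_RE = re.compile(
    r"^(?P<name>\S+) at (?P<addr>\S+) port (?P<port>\d+) cipher (?P<cipher>\d+) "
    r"digest (?P<digest>\d+) maclength (?P<maclength>\d+) compression (?P<compression>\d+) "
    r"options (?P<options>[0-9a-fA-F]+) status (?P<status>[0-9a-fA-F]+) "
    r"nexthop (?P<nexthop>\S+) via (?P<via>\S+) distance (?P<distance>\d+) "
    r"pmtu (?P<pmtu>\d+) \(min (?P<minmtu>\d+) max (?P<maxmtu>\d+)\)$"
)
EDGE_RE = re.compile(
    r"^(?P<src>\S+) to (?P<dst>\S+) at (?P<addr>\S+) port (?P<port>\d+) "
    r"options (?P<options>[0-9a-fA-F]+) weight (?P<weight>\d+)$"
)
INT_FIELDS = ("port", "cipher", "digest", "maclength", "compression",
              "distance", "pmtu", "minmtu", "maxmtu")


def parse_nodes(text):
    """Map node name -> field dict for every 'dump reachable nodes' line."""
    nodes = {}
    for line in text.splitlines():
        m = NODE_RE.match(line.strip())
        if not m:
            raise ValueError("unrecognised node line: %r" % line)
        d = m.groupdict()
        for k in INT_FIELDS:
            d[k] = int(d[k])
        d["status"] = int(d["status"], 16)   # kept raw; bit meanings not decoded
        d["options"] = int(d["options"], 16)
        nodes[d["name"]] = d
    return nodes


def parse_edges(text):
    """List of (src, dst, weight) for every 'dump edges' line."""
    edges = []
    for line in text.splitlines():
        m = EDGE_RE.match(line.strip())
        if not m:
            raise ValueError("unrecognised edge line: %r" % line)
        edges.append((m["src"], m["dst"], int(m["weight"])))
    return edges


def meta_neighbours(edges):
    """Undirected adjacency of the meta-connection graph."""
    adj = {}
    for src, dst, _ in edges:
        adj.setdefault(src, set()).add(dst)
        adj.setdefault(dst, set()).add(src)
    return adj


def meta_hubs(edges):
    """Nodes that are an endpoint of every meta connection. A non-empty
    result means the meta graph is a pure star around that node, so all
    control traffic depends on it staying up."""
    ends = [{src, dst} for src, dst, _ in edges]
    return set.intersection(*ends) if ends else set()


def local_node(nodes):
    """Name of the node whose address is printed as MYSELF."""
    return next(name for name, n in nodes.items() if n["addr"] == "MYSELF")


def explain(nodes, edges, name):
    """Summarise how the local daemon currently reaches `name`."""
    n = nodes[name]
    adj = meta_neighbours(edges)
    local = n["addr"] == "MYSELF"
    return {
        "local": local,
        # Relayed when the next hop is some node other than the target.
        "relayed_via": None if local or n["nexthop"] == name else n["nexthop"],
        "distance": n["distance"],
        "meta_neighbour": name in adj.get(local_node(nodes), set()),
        # Assumption: cipher/digest 0 = no session key set up with that node.
        "session_key": n["cipher"] != 0 and n["digest"] != 0,
        # Assumption: min == max > 0 = path-MTU probing has settled.
        "pmtu_settled": n["minmtu"] == n["maxmtu"] and n["minmtu"] > 0,
        "pmtu": n["pmtu"],
    }


if __name__ == "__main__":
    nodes = parse_nodes(NODES_DUMP)
    edges = parse_edges(EDGES_DUMP)
    print("meta hubs:", meta_hubs(edges))
    for name in sorted(nodes):
        print(name, explain(nodes, edges, name))
```

On the thread's own data this reports VPS01PP as the only meta hub, MIKEHOMEPC as relayed via VPS01PP at distance 2 with a session key but no settled PMTU, and MIKEDEV01 with no session key at all; the status field is parsed but deliberately not interpreted, since the thread does not document its bits.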