Hi there,

I have the following setup:

Home - Main Tinc server with public IP running on PfSense
work - tinc client running behind a CISCO ASA firewall with public IP, running on Windows 10
offsite - tinc client running on tomato router behind a double NAT

Home & offsite connect & I can see all PCs & devices & connect to them easily, on either side.

work to Home or offsite connects (see log below) but I'm unable to connect or ping any of the PCs or devices on either side.

port 655 is open on the CISCO ASA for TCP & UDP traffic.

My work tinc.conf

    Name = work
    Interface = tinc
    ConnectTo = home
    ExperimentalProtocol=no
    Cipher=aes-256-cbc
    Digest=sha256
    PingInterval = 30
    LocalDiscovery = yes

work host

    Subnet = 192.168.1.66/32
    -----BEGIN RSA PUBLIC KEY-----
    XXXXXXXXXXXXXXXXXXXXXXXXX
    -----END RSA PUBLIC KEY-----

home config on host

    Address = 47.20.123.2
    Subnet = 192.168.11.0/24
    -----BEGIN RSA PUBLIC KEY-----
    XXXXXXXXXXXXXXXXXXXXXXXXXXX
    -----END RSA PUBLIC KEY-----

HOME SERVER CONFIG

tinc.conf

    name=home
    AddressFamily=any
    ConnectTo=offsite
    ConnectTo=work
    ExperimentalProtocol=no
    Cipher=aes-256-cbc
    Digest=sha256

work host

    Address=75.99.126.132
    Subnet=192.168.1.0/24
    -----BEGIN RSA PUBLIC KEY-----
    XXXXXXXXX
    -----END RSA PUBLIC KEY-----

What am I missing?

    tincd 1.1pre14 (May 1 2016 20:42:24) starting, debug level 4
    TAP-Windows driver version: 9.8
    {9FDFB8A7-9014-475B-B6DD-514C8D297106} (tinc) is a Windows tap device
    Listening on :: port 655
    Listening on 0.0.0.0 port 655
    Enabling Windows tap device
    Ready
    Trying to connect to home (47.20.123.2 port 655)
    Connected to home (47.20.123.2 port 655)
    Sending ID to home (47.20.123.2 port 655): 0 work 17.0
    Sending 18 bytes of metadata to home (47.20.123.2 port 655)
    Got ID from home (47.20.123.2 port 655): 0 home 17
    Sending METAKEY to home (47.20.123.2 port 655): 1 94 64 0 0 3D55F0A80956F2A4EE34E6B8F82E7B30F97C819F3FD8B1D71E4EA0ADFF2CFA3BA8FDE4E403C85B0AA0BC65B1A9A889225390A4940844715603370B421CA9FFBF688462EC149E9384A5E3A4ED486AD7957F241D3C7F9A291A47D474CD6AB84E11A079A0573ECEE23F4D01E672BA1148B3FE51C14DE2B457000806FB03F1B2D41FFB4AA1131B535FBAC066DDB023C6C6DF7E5318BFEF967AE8FB3D1549C9E9A0E94394BEB4846D73A3D3E071D6BB1D4F1F7193C78A796B92F2B9051BDF7C3E242D900227E99382994B3929951DC3A8804B97C5CCC0846E2A1C7D4BE78B4EBBD393B5904323CADF5A718398DB3C66CBA2E2CA8CD37356035ECC5E67DB5CC83CD75E
    Sending 525 bytes of metadata to home (47.20.123.2 port 655)
    Got METAKEY from home (47.20.123.2 port [...]
    Sending CHALLENGE to home (47.20.123.2 port [...]
    Sending 515 bytes of metadata to home (47.20.123.2 port 655)
    Got CHALLENGE from home (47.20.123.2 port [...]
    Sending CHAL_REPLY to home (47.20.123.2 port 655): 3 F5A0A3BFB309BFE71A626D0A01A5066F18236F87
    Sending 43 bytes of metadata to home (47.20.123.2 port 655)
    Got CHAL_REPLY from home (47.20.123.2 port 655): 3 6B31B74C0CF8033918C28FA2524E9DC6C66AAA8E
    Sending ACK to home (47.20.123.2 port 655): 4 655 98 c
    Sending 11 bytes of metadata to home (47.20.123.2 port 655)
    Got ACK from home (47.20.123.2 port 655): 4 655 78 c
    Connection with home (47.20.123.2 port 655) activated
    Sending ADD_SUBNET to home (47.20.123.2 port 655): 10 7cad work 192.168.1.66
    Sending 32 bytes of metadata to home (47.20.123.2 port 655)
    Sending ADD_EDGE to everyone (BROADCAST): 12 4672 work home 47.20.123.2 655 c 88 192.168.1.117 655
    Sending 65 bytes of metadata to home (47.20.123.2 port 655)
    Got ADD_SUBNET from home (47.20.123.2 port 655): 10 3684e9eb home 192.168.11.0/24#10
    Forwarding ADD_SUBNET from home (47.20.123.2 port 655): 10 3684e9eb home 192.168.11.0/24#10
    Got ADD_EDGE from home (47.20.123.2 port 655): 12 5019a0e9 home offsite 49.206.123.244 655 c 524
    Forwarding ADD_EDGE from home (47.20.123.2 port 655): 12 5019a0e9 home offsite 49.206.123.244 655 c 524
    Got ADD_SUBNET from home (47.20.123.2 port 655): 10 42938bba offsite 192.168.3.0/24#10
    Forwarding ADD_SUBNET from home (47.20.123.2 port 655): 10 42938bba offsite 192.168.3.0/24#10
    Got ADD_EDGE from home (47.20.123.2 port 655): 12 64bac421 offsite home 47.20.123.2 655 c 524
    Forwarding ADD_EDGE from home (47.20.123.2 port 655): 12 64bac421 offsite home 47.20.123.2 655 c 524
    Got ADD_SUBNET from home (47.20.123.2 port 655): 10 21a2c7d7 work 192.168.1.66/32#10
    Got ADD_EDGE from home (47.20.123.2 port 655): 12 45ee4727 home work 75.99.126.132 655 c 88
    Forwarding ADD_EDGE from home (47.20.123.2 port 655): 12 45ee4727 home work 75.99.126.132 655 c 88
    UDP address of home set to 47.20.123.2 port 655
    UDP address of offsite set to 49.206.123.244 port 655
    Sending ANS_KEY to home (47.20.123.2 port 655): 16 work home 77C094ECC557602BFE34B13EBD0C8A52F9C1ACE136242F1FD3858CE8D7AF137456507C6C30D73AC76DB32AEED9F487CE 427 672 4 0
    Sending 130 bytes of metadata to home (47.20.123.2 port 655)
    Got ANS_KEY from home (47.20.123.2 port 655): 16 home work 0873EB66B3E93BB3CDAD332536C96835ED134D6304F5EF62E568C62B96E89BF62493F418F19B647B9624DFE3701BF2CC 427 672 4 0
    Sending PACKET to home (47.20.123.2 port 655): 17 54
    Sending 6 bytes of metadata to home (47.20.123.2 port 655)
    Sending 54 bytes of metadata to home (47.20.123.2 port 655)
    Sending PACKET to home (47.20.123.2 port 655): 17 54
    Sending 6 bytes of metadata to home (47.20.123.2 port 655)
    Sending 54 bytes of metadata to home (47.20.123.2 port 655)
    Sending PACKET to home (47.20.123.2 port 655): 17 54
    Sending 6 bytes of metadata to home (47.20.123.2 port 655)
    Sending 54 bytes of metadata to home (47.20.123.2 port 655)
    Sending PACKET to home (47.20.123.2 port 655): 17 54
    Sending 6 bytes of metadata to home (47.20.123.2 port 655)
    Sending 54 bytes of metadata to home (47.20.123.2 port 655)
    Sending PACKET to home (47.20.123.2 port 655): 17 1122
    Sending 8 bytes of metadata to home (47.20.123.2 port 655)
    Sending 1122 bytes of metadata to home (47.20.123.2 port 655)
    Sending PACKET to home (47.20.123.2 port 655): 17 54
    Sending 6 bytes of metadata to home (47.20.123.2 port 655)
    Sending 54 bytes of metadata to home (47.20.123.2 port 655)
    Sending PACKET to home (47.20.123.2 port 655): 17 71
    Sending 6 bytes of metadata to home (47.20.123.2 port 655)
    Sending 71 bytes of metadata to home (47.20.123.2 port 655)
    Sending PACKET to home (47.20.123.2 port 655): 17 1122
    Sending 8 bytes of metadata to home (47.20.123.2 port 655)
    Sending 1122 bytes of metadata to home (47.20.123.2 port 655)
    Sending PACKET to home (47.20.123.2 port 655): 17 179
    Sending 7 bytes of metadata to home (47.20.123.2 port 655)
    Sending 179 bytes of metadata to home (47.20.123.2 port 655)
    Sending PACKET to home (47.20.123.2 port 655): 17 1122
    Sending 8 bytes of metadata to home (47.20.123.2 port 655)
    Sending 1122 bytes of metadata to home (47.20.123.2 port 655)
    Sending PACKET to home (47.20.123.2 port 655): 17 167
    Sending 7 bytes of metadata to home (47.20.123.2 port 655)
    Sending 167 bytes of metadata to home (47.20.123.2 port 655)
    Sending PING to home (47.20.123.2 port 655): 8
    Sending 2 bytes of metadata to home (47.20.123.2 port 655)
    Got PONG from home (47.20.123.2 port 655): 9
    Sending PING to home (47.20.123.2 port 655): 8
    Sending 2 bytes of metadata to home (47.20.123.2 port 655)
    Got PONG from home (47.20.123.2 port 655): 9
    Got PING from home (47.20.123.2 port 655): 8
    Sending PONG to home (47.20.123.2 port 655): 9
    Sending 2 bytes of metadata to home (47.20.123.2 port 655)
    Sending PING to home (47.20.123.2 port 655): 8
    Sending 2 bytes of metadata to home (47.20.123.2 port 655)
    Got PONG from home (47.20.123.2 port 655): 9
    Got console shutdown request
On Thu, Jan 12, 2017 at 09:27:45PM -0500, Ramesh wrote:

> I have the following setup
>
> Home - Main Tinc server with public IP running on PfSense
> work - tinc client running behind a CISCO ASA firewall with public IP running on Windows 10
> offsite - tinc client running on tomato router behind a double NAT
>
> Home & offsite connect & I can see all PCs & devices & connect to them
> easily, on either side
>
> work to Home or offsite connects (see log below) but I'm unable to connect
> or ping any of the PCs or devices on either side.

The main issue is how packets are routed. What I'm missing is your tinc-up scripts and, for the Windows node, how the VPN interface is configured.

> work host
> Subnet = 192.168.1.66/32

[...]

> home config on host
> Subnet = 192.168.11.0/24

It looks like you have different subnets at work and home. You have to configure your home server to send packets for 192.168.1.66/32 to the VPN interface, and your work computer to send packets for 192.168.11.0/24 to its VPN interface.

-- 
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
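An added example of the routing Guus describes, written here for this thread and not taken from Guus or from tinc itself: a tinc-up for the nodes that run one (home on pfSense/FreeBSD, offsite on a Tomato/Linux router) that reads every Subnet line in the hosts directory, skips the node's own, and routes each remaining subnet via the VPN interface. It assumes tinc's exported $INTERFACE and $NAME variables, a /usr/local/etc/tinc/hosts layout, and that the VPN interface already has its address; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example for this thread, not part of tinc: route every remote
# "Subnet" from hosts/* via the VPN interface (tinc-up on FreeBSD/Linux).
# tinc exports $INTERFACE and $NAME; HOSTS_DIR is an assumed default.

HOSTS_DIR="${HOSTS_DIR:-/usr/local/etc/tinc/hosts}"
NAME="${NAME:-home}"
INTERFACE="${INTERFACE:-tinc0}"
DRY_RUN="${DRY_RUN:-0}"

# Print one subnet per line from every host file except our own.
# Drops a trailing "#weight" and appends /32 to a bare IPv4 address.
remote_subnets() {
    for f in "$HOSTS_DIR"/*; do
        [ "${f##*/}" = "$NAME" ] && continue
        sed -n 's/^[[:space:]]*Subnet[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$f" |
            sed 's#^\([0-9.]*\)$#\1/32#'
    done
}

# Build the route command for one subnet on the given OS.
route_cmd() {  # $1 = freebsd|linux, $2 = subnet, $3 = interface
    case "$1" in
        freebsd) echo "route -q add -net $2 -interface $3" ;;
        linux)   echo "ip route replace $2 dev $3" ;;
        *)       echo "unsupported OS: $1" >&2; return 1 ;;
    esac
}

main() {
    os=$(uname -s | tr '[:upper:]' '[:lower:]')
    [ "$DRY_RUN" = 1 ] || ifconfig "$INTERFACE" up
    remote_subnets | while IFS= read -r net; do
        cmd=$(route_cmd "$os" "$net" "$INTERFACE") || exit 1
        # Commands contain no quoting, so plain word splitting runs them.
        if [ "$DRY_RUN" = 1 ]; then echo "$cmd"; else $cmd; fi
    done
}

# tinc invokes this file as .../tinc-up; sourced under another name it
# only defines the functions above.
case "${0##*/}" in tinc-up) main ;; esac
```

The Windows work node has no tinc-up, so it needs the same routes for 192.168.11.0/24 and 192.168.3.0/24 added as static routes toward the TAP adapter (an assumption here: `route -p add 192.168.11.0 mask 255.255.255.0 <tap-address>` after the adapter has an address).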
When you say "home server", do you want me to do this in tinc "histup" or somewhere else, OR on the firewall? Similarly, do I have to add a route on the PC that runs the tinc daemon?

Regards
Ramesh

On Sun, Jan 15, 2017 at 8:57 AM, Guus Sliepen <guus at tinc-vpn.org> wrote:

> On Thu, Jan 12, 2017 at 09:27:45PM -0500, Ramesh wrote:
>
> > I have the following setup
> >
> > Home - Main Tinc server with public IP running on PfSense
> > work - tinc client running behind a CISCO ASA firewall with public IP running on Windows 10
> > offsite - tinc client running on tomato router behind a double NAT
> >
> > Home & offsite connect & I can see all PCs & devices & connect to them
> > easily, on either side
> >
> > work to Home or offsite connects (see log below) but I'm unable to connect
> > or ping any of the PCs or devices on either side.
>
> The main issue is how packets are routed. What I'm missing is your
> tinc-up scripts and, for the Windows node, how the VPN interface is
> configured.
>
> > work host
> > Subnet = 192.168.1.66/32
> [...]
> > home config on host
> > Subnet = 192.168.11.0/24
>
> It looks like you have different subnets at work and home. You have to
> configure your home server to send packets for 192.168.1.66/32 to the
> VPN interface, and your work computer to send packets for
> 192.168.11.0/24 to its VPN interface.
>
> --
> Met vriendelijke groet / with kind regards,
> Guus Sliepen <guus at tinc-vpn.org>