Re: [Openvpn-users] MULTI: bad source address from client, packet dropped

[Erich Titl <erich.titl@xxxxxxxx>]

Jason Burrell wrote:
> On 6/1/06, Erich Titl <erich.titl@xxxxxxxx> wrote:
>> Jason
>>
...
>> >
>> > I tried turning off masquerading on either side, to no avail. I set
>> > explicit routes, to no avail.
>>
>> What do you masquerade, where and why?
> 
> Both sides of the VPN tunnel are border routers for their respective
> networks. As such, both of those machines masquerade traffic from
> machines behind them that's heading out to the Internet. The exception
> is if the traffic comes from 192.168.0.0/16, at which point it isn't
> caught by the masquerading rule.

Make sure you don't masquerade the tunnel inside traffic, you will break
routing.

> 
> Since I stuck the VPN subnet in 10.3.0.0, my problem might be that the
> machines are masquerading the traffic over that subnet and confusing
> the issue. (KInd of nebulous that.)
> 
>>
>> >
>> > Any ping from any machine behind the client router, such as
>> > 192.168.0.130, gets dropped with the error message above, and drops
>> > off into a black hole.
>>
>> Where does it get dropped, on the client or the server? Try to use
>> tcpdump to determine which system does not want to play with you.
> 
> It obvious gets to the server because that's where the log message
> citing the remote IP comes up. I had assumed that the error was thus
> generated by the server, meaning that the server didn't have a route
> back to the client, not visa versa. (There's no message in the client
> logs.) I'll check with tcpdump.

Which interface does the server get that message from? Is it coming from
the tunnel interface? IIRC the server has a route to 192.168.0.0/24
through the tunnel.

cheers

Erich


_______________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users