[Openvpn-users] OpenVPN: ICMP and routing working from a side only



Hi there,
I'm using OpenVPN 1.3.2 built from source, connecting two subnets.
I read older messages but didn't find any similar problem, so I decided
to write directly to this list :)

I'm having trouble now: from side A I can ping any host on
subnet B, but not the same from side B (I can't ping any host on
subnet A).
The strange thing again is that from side A I can reach (TCP or UDP
connection) any host on side B, but not the same from side B.

Here is a more detailed explanation (both hosts Linux 2.4.18bf2.4, Debian):

=> host A <========
Started with:
openvpn --cd /etc/openvpn/ --daemon --config static-home.conf  --remote
hostB --ping 15 --verb 7 --float

logfiles from syslog hostA:

openvpn[7654]: Current Parameter Settings:
openvpn[7654]:   persist_config = DISABLED
openvpn[7654]:   persist_mode = 1
openvpn[7654]:   show_ciphers = DISABLED
openvpn[7654]:   show_digests = DISABLED
openvpn[7654]:   genkey = DISABLED
openvpn[7654]:   askpass = DISABLED
openvpn[7654]:   show_tls_ciphers = DISABLED
openvpn[7654]:   local = '[UNDEF]'
openvpn[7654]:   remote = 'hostB'
openvpn[7654]:   local_port = 50000
openvpn[7654]:   remote_port = 50000
openvpn[7654]:   remote_float = ENABLED
openvpn[7654]:   ipchange = '[UNDEF]'
openvpn[7654]:   bind_local = ENABLED
openvpn[7654]:   dev = 'tun'
openvpn[7654]:   dev_type = '[UNDEF]'
openvpn[7654]:   dev_node = '[UNDEF]'
openvpn[7654]:   tun_ipv6 = DISABLED
openvpn[7654]:   ifconfig_local = '192.168.200.240'
openvpn[7654]:   ifconfig_remote = '192.168.200.241'
openvpn[7654]:   shaper = 0
openvpn[7654]:   tun_mtu = 1300
openvpn[7654]:   tun_mtu_defined = DISABLED
openvpn[7654]:   udp_mtu = 1300
openvpn[7654]:   udp_mtu_defined = ENABLED
openvpn[7654]:   mlock = DISABLED
openvpn[7654]:   inactivity_timeout = 0
openvpn[7654]:   ping_send_timeout = 15
openvpn[7654]:   ping_rec_timeout = 0
openvpn[7654]:   ping_rec_timeout_action = 0
openvpn[7654]:   ping_timer_remote = DISABLED
openvpn[7654]:   pe
n = DISABLED
openvpn[7654]:   persist_local_ip = DISABLED
openvpn[7654]:   persist_remote_ip = DISABLED
openvpn[7654]:   persist_key = DISABLED
openvpn[7654]:   resolve_retry_seconds = 0
openvpn[7654]:   username = '[UNDEF]'
openvpn[7654]:   groupname = '[UNDEF]'
openvpn[7654]:   chroot_dir = '[UNDEF]'
openvpn[7654]:   cd_dir = '/etc/openvpn/'
openvpn[7654]:   writepid = '[UNDEF]'
openvpn[7654]:   up_script = './home.up'
openvpn[7654]:   down_script = '[UNDEF]'
openvpn[7654]:   daemon = ENABLED
openvpn[7654]:   inetd = DISABLED
openvpn[7654]:   nice = 0
openvpn[7654]:   verbosity = 7
openvpn[7654]:   mute = 0
openvpn[7654]:   gremlin = DISABLED
openvpn[7654]:   comp_lzo = DISABLED
openvpn[7654]:   comp_lzo_adaptive = ENABLED
openvpn[7654]:   shared_secret_file = 'static.key'
openvpn[7654]:   ciphername_defined = ENABLED
openvpn[7654]:   ciphername = 'BF-CBC'
openvpn[7654]:   authname_defined = ENABLED
openvpn[7654]:   authname = 'SHA1'
openvpn[7654]:   keysize = 0
openvpn[7654]:   packet_id = ENABLED
openvpn[7654]:   iv = ENABLED
openvpn[7654]:   test_crypto = DISABLED
openvpn[7654]:   tls_server = DISABLED
openvpn[7654]:   tls_client = DISABLED
openvpn[7654]:   ca_file = '[UNDEF]'
openvpn[7654]:   dh_file = '[UNDEF]'
openvpn[7654]:   cert_file = '[UNDEF]'
openvpn[7654]:   priv_key_file = '[UNDEF]'
openvpn[7654]:   cipher_list = '[UNDEF]'
openvpn[7654]:   tls_verify = '[UNDEF]'
openvpn[7654]:   tls_timeout = 5
openvpn[7654]:   renegotiate_bytes = 0
openvpn[7654]:   renegotiate_packets = 0
openvpn[7654]:   renegotiate_seconds = 3600
openvpn[7654]:   handshake_window = 60
openvpn[7654]:   transition_window = 3600
openvpn[7654]:   single_session = DISABLED
openvpn[7654]:   disable_occ = DISABLED
openvpn[7654]:   tls_auth_file = '[UNDEF]'
openvpn[7654]: tun/tap device tun0 opened
openvpn[7654]: /sbin/ifconfig tun0 192.168.200.240 point
[...]
openvpn[7654]: ./home.up tun0 1256 1300 192.168.200.240 192.168.200.241
openvpn[7654]: Peer Connection Initiated with hostB:5000
  HWaddr 00:00:B4:5D:2F:51
          inet addr:192.168.2.2  Bcast:192.168.2.255  Mask:255.255.255.0
         [interface to the internet connection router]
eth1      Link encap:Ethernet  HWaddr 00:01:02:EB:E5:DB
          inet addr:192.168.130.208  Bcast:192.168.0.255 Mask:255.255.255.0
         [interface to the local net]
tun0      Link encap:Point-to-Point Protocol
          inet addr:192.168.200.240  P-t-P:192.168.200.241 Mask:255.255.255.255
          UP POINTOPOINT RUNNING MULTICAST  MTU:1256  Metric:1
          RX packets:46 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:3864 (3.7 KiB)  TX bytes:672 (672.0 b)

Kernel IP routing table:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.200.241 0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.130.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.0     192.168.200.241 255.255.255.0   UG    0      0        0 tun0
0.0.0.0         192.168.2.1     0.0.0.0         UG    0      0        0 eth0

Test:
- from host A (192.168.200.240) ping other tunnel endpoint -> OK
64 bytes from 192.168.200.241: icmp_seq=0 ttl=255 time=129.0 ms

- from host A ping other tunnel lan interface -> OK
64 bytes from 192.168.1.1: icmp_seq=0 ttl=255 time=131.1 ms

- from host A ping a host inside other subnet -> OK
64 bytes from 192.168.1.100: icmp_seq=0 ttl=127 time=131.0 ms
(telnet to an open port also works)

=> host B <========
Started with:
openvpn --cd /etc/openvpn/ --daemon --config static-office.conf --remote
hostB --ping 15 --verb 7 --float

logfiles from syslog hostA: the same data with some IPs changed.

ifconfig relevant infos:
eth0      Link encap:Ethernet  HWaddr 00:60:08:54:F6:20
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
         [to the local n
h1      Link encap:Ethernet  HWaddr 00:A0:24:C5:90:FC
         [for using pppoe]
ppp0      Link encap:Point-to-Point Protocol
          inet addr:80.117.X.X  P-t-P:192.168.100.1 Mask:255.255.255.255
         [internet connection pppoe modem]
tun0      Link encap:Point-to-Point Protocol
          inet addr:192.168.200.241  P-t-P:192.168.200.240 Mask:255.255.255.255
          UP POINTOPOINT RUNNING MULTICAST  MTU:1256  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:46 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:672 (672.0 b)  TX bytes:3864 (3.7 KiB)

Kernel IP routing table:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.100.1   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.200.240 0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.130.0   192.168.200.240 255.255.255.0   UG    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.100.1   0.0.0.0         UG    0      0        0 ppp0

Test:
- from host B (192.168.200.241) ping other tunnel endpoint -> OK
64 bytes from 192.168.200.240: icmp_seq=0 ttl=255 time=127.7 ms

- from host B ping other tunnel lan interface -> OK
64 bytes from 192.168.130.208: icmp_seq=0 ttl=255 time=133.8 ms

- from host B ping a host inside other subnet -> NO!!
PING 192.168.130.101 (192.168.130.101): 56 data bytes
no response (of course this host is up and running, I can check through
a ping from host A).

Let's show some tcpdump infos:

hostB:~# tcpdump -i tun0
tcpdump: listening on tun0
10:12:55.410967 192.168.200.241 > 192.168.130.101: icmp: echo request (DF)
10:12:57.964992 192.168.200.241 > 192.168.130.101: icmp: echo request (DF)

hostA:~# tcpdump -i tun0
tcpdump: listening on tun0
10:13:24.906798 192.168.200.241 > 192.168.130.101: icmp: echo request (DF)
10:13:25.903610 192.168.200.241 > 192.168.130.10

hostA:~# tcpdump -i eth1
tcpdump: listening on eth1
tcpdump: listening on eth1
10:15:22.993260 192.168.200.241 > 192.168.130.101: icmp: echo request (DF)
10:15:23.992017 192.168.200.241 > 192.168.130.101: icmp: echo request (DF)

NB
- both hosts have /proc/sys/net/ipv4/ip_forward set to 1
- iptables trusts tun+ interfaces and doesn't report blocked/dropped
  packets

Hope this helps you to help me :)
Thanks in advance for any suggestion on how to debug!
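The tcpdump output above shows host B's echo requests (source 192.168.200.241) reaching host A's eth1 with no reply coming back, which points at the return path from the LAN host rather than at the tunnel itself. As an added example (not from the post or from OpenVPN), this Python script does a longest-prefix lookup over `route -n` style tables: host A's table as posted, plus a constructed table for a LAN host whose default gateway is assumed to be a LAN router other than host A, to show whether replies to the tunnel address would come back through host A and how a route for 192.168.200.0/24 via 192.168.130.208 changes that.

```python
"""Forward/return path check with a longest-prefix lookup over 'route -n' tables."""
import ipaddress

def parse_route_table(text):
    """Parse 'Destination Gateway Genmask Flags Metric Ref Use Iface' rows."""
    routes = []
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) < 8 or f[0] == "Destination":
            continue  # skip the header and anything that is not a route row
        net = ipaddress.ip_network(f"{f[0]}/{f[2]}", strict=False)
        routes.append((net, f[1], f[-1]))  # (network, gateway, iface)
    return routes

def lookup(routes, dst):
    """Return (gateway, iface) of the most specific route for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])

def reply_returns_via(routes, tun_src, vpn_gw):
    """True when the LAN host's next hop for the ping's source address is vpn_gw."""
    hop = lookup(routes, tun_src)
    return hop is not None and hop[0] == vpn_gw

# Host A's routing table exactly as posted.
HOST_A = """
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.200.241 0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.130.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.0     192.168.200.241 255.255.255.0   UG    0      0        0 tun0
0.0.0.0         192.168.2.1     0.0.0.0         UG    0      0        0 eth0
"""
# Constructed table for a LAN host like 192.168.130.101; its default gateway is
# assumed to be a separate LAN router (192.168.130.1), not host A (.208).
LAN_HOST = """
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.130.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.130.1   0.0.0.0         UG    0      0        0 eth0
"""
# The same host after adding a return route for the tunnel subnet via host A.
LAN_HOST_FIXED = LAN_HOST + (
    "192.168.200.0   192.168.130.208 255.255.255.0   UG    0      0        0 eth0\n")
```

Running `reply_returns_via(parse_route_table(LAN_HOST), "192.168.200.241", "192.168.130.208")` gives False and the same call on `LAN_HOST_FIXED` gives True; the equivalent check on a real LAN host is `route -n` (or `ip route get 192.168.200.241`) on that host, and the usual fix is either a route for 192.168.200.0/24 via host A on the LAN (or its router) or source NAT on host A's tun0 traffic.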
