Re: [Openvpn-users] OpenVPN: ICMP and routing working from a side only


  • Subject: Re: [Openvpn-users] OpenVPN: ICMP and routing working from a side only
  • From: Ketil Froyn <lists@xxxxxxxxxxxxxxxx>
  • Date: Wed, 7 May 2003 11:31:38 +0200 (CEST)

Hi.

You didn't show us the routing tables on the boxes on the 192.168.1.0 and
192.168.130.0 networks. On all the boxes that should be able to talk on
the VPN, you need to do something to tell them how to be able to
communicate across it. In addition, when you ping from hostB to a box on
the other network, notice that the ping request is sent from
192.168.200.241, so the boxes on that side need to be able to route
packets back to the 192.168.200.240 and 192.168.200.241 hosts as well.

Since some of this stuff already works on one end, I am going to assume
that hostB (192.168.1.1) is already a default gateway on all the
192.168.1.0 boxes (plausible, since it is connected to the internet). If
that is the case, the VPN packets get routed there because the boxes don't
know any better place to send them, and by chance, that was right!

All the boxes on the 192.168.1.0 network will need to know that routing
should be done something like this (like they do today, so these are not
strictly necessary):

# This one for the routing between nets
route add -net 192.168.130.0/24 gw 192.168.1.1
# This one is a special case for the vpn-hosts directly if you want that
route add -net 192.168.200.0/24 gw 192.168.1.1

and all the boxes on the 192.168.130.0 network need to know that routing
should be done something like this:

# This one is for routing between nets
route add -net 192.168.1.0/24 gw 192.168.130.208
# and again, this to communicate with the vpn-hosts directly from that net
route add -net 192.168.200.0/24 gw 192.168.130.208

NB! This is completely untested, but if my guess is right, it should give
a general idea of how to fix your problem. If my guess was wrong, my tip
for further debugging is to use tcpdump on as many host/interfaces on the
vpn link as possible, and then try to communicate across it, and see where
it stops. Always keep an eye on source and destination IP addresses, and
double check these with routing tables and firewall rules. It's also easy
to forget to set up routing "back", i.e. you set up routing one way but not
the other. I've done that loads of times. :o)

Good luck!

Ketil Froyn
ketil@xxxxxxxxxx
http://ketil.froyn.name/
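As an added example (not part of Ketil's reply and not OpenVPN code), here is a small Python model of kernel longest-prefix routing built from the two routing tables quoted in the thread, plus an assumed LAN host 192.168.130.101 whose default gateway is 192.168.130.1 rather than hostA. It traces the echo request from hostB and the reply from the LAN host, shows the reply leaving for the wrong gateway, and then re-traces the reply after the route Ketil suggests has been added on that host.

```python
import ipaddress

# Routing tables constructed from the two "Kernel IP routing table" dumps
# in the thread, plus an ASSUMED LAN host on side A (192.168.130.101)
# whose default gateway is not hostA (Ketil's hypothesis).
TABLES = {
    "hostA": [("192.168.200.241/32", None, "tun0"), ("192.168.130.0/24", None, "eth1"),
              ("192.168.2.0/24", None, "eth0"), ("192.168.1.0/24", "192.168.200.241", "tun0"),
              ("0.0.0.0/0", "192.168.2.1", "eth0")],
    "hostB": [("192.168.100.1/32", None, "ppp0"), ("192.168.200.240/32", None, "tun0"),
              ("192.168.130.0/24", "192.168.200.240", "tun0"), ("192.168.1.0/24", None, "eth0"),
              ("0.0.0.0/0", "192.168.100.1", "ppp0")],
    "lanA": [("192.168.130.0/24", None, "eth0"), ("0.0.0.0/0", "192.168.130.1", "eth0")],
}
# Which modelled node owns which address, so a next hop can be resolved.
OWNERS = {"192.168.200.240": "hostA", "192.168.130.208": "hostA", "192.168.2.2": "hostA",
          "192.168.200.241": "hostB", "192.168.1.1": "hostB", "192.168.130.101": "lanA"}

def lookup(table, dst):
    """Longest-prefix match over (network, gateway, iface) rows, like the kernel."""
    d, best = ipaddress.ip_address(dst), None
    for net, gw, dev in table:
        n = ipaddress.ip_network(net)
        if d in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw, dev)
    return (best[1], best[2]) if best else (None, None)

def trace(src_node, dst, tables=TABLES, max_hops=8):
    """Follow a packet hop by hop; the path ends at the node owning dst, or at
    '<addr>:unknown' when it is handed to a router we do not model."""
    path, node = [src_node], src_node
    for _ in range(max_hops):
        gw, dev = lookup(tables[node], dst)
        if dev is None:
            path.append("no-route")
            return path
        nxt = OWNERS.get(dst) if gw is None else OWNERS.get(gw)
        if nxt is None:
            path.append(f"{dst if gw is None else gw}:unknown")
            return path
        path.append(nxt)
        if gw is None:  # directly attached: delivered
            return path
        node = nxt
    return path

# Ketil's fix applied to the assumed LAN host: a route back to the VPN hosts via hostA.
FIXED = {k: list(v) for k, v in TABLES.items()}
FIXED["lanA"].append(("192.168.200.0/24", "192.168.130.208", "eth0"))
```

Running `trace("hostB", "192.168.130.101")` reaches the LAN host, `trace("lanA", "192.168.200.241")` ends at the unmodelled default gateway, and the same reply over `FIXED` comes back through hostA to hostB.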

On Wed, 7 May 2003, mattia.ci@xxxxxxxxx wrote:

> Hi there,
> I'm using OpenVPN 1.3.2 built from source, connecting two subnets.
> I read older messages but didn't find any similar problem, so decided
> to write directly to this list :)
> 
> In fact I'm having trouble now: from side A I can ping any host on
> subnet B, but not the same from side B (can't ping any host on
> subnet A).
> The strange thing is that, again, from side A I can reach (TCP or UDP
> connection) any host on side B, but not the same from side B.
> 
> Here is a more detailed explanation (both hosts Linux 2.4.18bf2.4, Debian):
> 
> => host A <========
> Started with:
> openvpn --cd /etc/openvpn/ --daemon --config static-home.conf  --remote
> hostB --ping 15 --verb 7 --float
> 
> logfiles from syslog hostA:
> 
> openvpn[7654]: Current Parameter Settings:
> openvpn[7654]:   persist_config = DISABLED
> openvpn[7654]:   persist_mode = 1
> openvpn[7654]:   show_ciphers = DISABLED
> openvpn[7654]:   show_digests = DISABLED
> openvpn[7654]:   genkey = DISABLED
> openvpn[7654]:   askpass = DISABLED
> openvpn[7654]:   show_tls_ciphers = DISABLED
> openvpn[7654]:   local = '[UNDEF]'
> openvpn[7654]:   remote = 'hostB'
> openvpn[7654]:   local_port = 50000
> openvpn[7654]:   remote_port = 50000
> openvpn[7654]:   remote_float = ENABLED
> openvpn[7654]:   ipchange = '[UNDEF]'
> openvpn[7654]:   bind_local = ENABLED
> openvpn[7654]:   dev = 'tun'
> openvpn[7654]:   dev_type = '[UNDEF]'
> openvpn[7654]:   dev_node = '[UNDEF]'
> openvpn[7654]:   tun_ipv6 = DISABLED
> openvpn[7654]:   ifconfig_local = '192.168.200.240'
> openvpn[7654]:   ifconfig_remote = '192.168.200.241'
> openvpn[7654]:   shaper = 0
> openvpn[7654]:   tun_mtu = 1300
> openvpn[7654]:   tun_mtu_defined = DISABLED
> openvpn[7654]:   udp_mtu = 1300
> openvpn[7654]:   udp_mtu_defined = ENABLED
> openvpn[7654]:   mlock = DISABLED
> openvpn[7654]:   inactivity_timeout = 0
> openvpn[7654]:   ping_send_timeout = 15
> openvpn[7654]:   ping_rec_timeout = 0
> openvpn[7654]:   ping_rec_timeout_action = 0
> openvpn[7654]:   ping_timer_remote = DISABLED
> openvpn[7654]:   persist_tun = DISABLED
> openvpn[7654]:   persist_local_ip = DISABLED
> openvpn[7654]:   persist_remote_ip = DISABLED
> openvpn[7654]:   persist_key = DISABLED
> openvpn[7654]:   resolve_retry_seconds = 0
> openvpn[7654]:   username = '[UNDEF]'
> openvpn[7654]:   groupname = '[UNDEF]'
> openvpn[7654]:   chroot_dir = '[UNDEF]'
> openvpn[7654]:   cd_dir = '/etc/openvpn/'
> openvpn[7654]:   writepid = '[UNDEF]'
> openvpn[7654]:   up_script = './home.up'
> openvpn[7654]:   down_script = '[UNDEF]'
> openvpn[7654]:   daemon = ENABLED
> openvpn[7654]:   inetd = DISABLED
> openvpn[7654]:   nice = 0
> openvpn[7654]:   verbosity = 7
> openvpn[7654]:   mute = 0
> openvpn[7654]:   gremlin = DISABLED
> openvpn[7654]:   comp_lzo = DISABLED
> openvpn[7654]:   comp_lzo_adaptive = ENABLED
> openvpn[7654]:   shared_secret_file = 'static.key'
> openvpn[7654]:   ciphername_defined = ENABLED
> openvpn[7654]:   ciphername = 'BF-CBC'
> openvpn[7654]:   authname_defined = ENABLED
> openvpn[7654]:   authname = 'SHA1'
> openvpn[7654]:   keysize = 0
> openvpn[7654]:   packet_id = ENABLED
> openvpn[7654]:   iv = ENABLED
> openvpn[7654]:   test_crypto = DISABLED
> openvpn[7654]:   tls_server = DISABLED
> openvpn[7654]:   tls_client = DISABLED
> openvpn[7654]:   ca_file = '[UNDEF]'
> openvpn[7654]:   dh_file = '[UNDEF]'
> openvpn[7654]:   cert_file = '[UNDEF]'
> openvpn[7654]:   priv_key_file = '[UNDEF]'
> openvpn[7654]:   cipher_list = '[UNDEF]'
> openvpn[7654]:   tls_verify = '[UNDEF]'
> openvpn[7654]:   tls_timeout = 5
> openvpn[7654]:   renegotiate_bytes = 0
> openvpn[7654]:   renegotiate_packets = 0
> openvpn[7654]:   renegotiate_seconds = 3600
> openvpn[7654]:   handshake_window = 60
> openvpn[7654]:   transition_window = 3600
> openvpn[7654]:   single_session = DISABLED
> openvpn[7654]:   disable_occ = DISABLED
> openvpn[7654]:   tls_auth_file = '[UNDEF]'
> openvpn[7654]: tun/tap device tun0 opened
> openvpn[7654]: /sbin/ifconfig tun0 192.168.200.240 point
> [...]
> openvpn[7654]: ./home.up tun0 1256 1300 192.168.200.240 192.168.200.241
> openvpn[7654]: Peer Connection Initiated with hostB:50000
> 
> ifconfig relevant infos:
> eth0      Link encap:Ethernet  HWaddr 00:00:B4:5D:2F:51
>           inet addr:192.168.2.2  Bcast:192.168.2.255  Mask:255.255.255.0
>          [interface to the internet connection router]
> eth1      Link encap:Ethernet  HWaddr 00:01:02:EB:E5:DB
>           inet addr:192.168.130.208  Bcast:192.168.0.255 Mask:255.255.255.0
>          [interface to the local net]
> tun0      Link encap:Point-to-Point Protocol
>           inet addr:192.168.200.240  P-t-P:192.168.200.241 Mask:255.255.255.255
>           UP POINTOPOINT RUNNING MULTICAST  MTU:1256  Metric:1
>           RX packets:46 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:10
>           RX bytes:3864 (3.7 KiB)  TX bytes:672 (672.0 b)
> 
> Kernel IP routing table:
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.200.241 0.0.0.0         255.255.255.255 UH    0      0        0 tun0
> 192.168.130.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 192.168.1.0     192.168.200.241 255.255.255.0   UG    0      0        0 tun0
> 0.0.0.0         192.168.2.1     0.0.0.0         UG    0      0        0 eth0
> 
> Test:
> - from host A (192.168.200.240) ping other tunnel endpoint -> OK
> 64 bytes from 192.168.200.241: icmp_seq=0 ttl=255 time=129.0 ms
> 
> - from host A ping other tunnel lan interface -> OK
> 64 bytes from 192.168.1.1: icmp_seq=0 ttl=255 time=131.1 ms
> 
> - from host A ping a host inside other subnet -> OK
> 64 bytes from 192.168.1.100: icmp_seq=0 ttl=127 time=131.0 ms
> (telnet to an open port also works)
> 
> => host B <========
> Started with:
> openvpn --cd /etc/openvpn/ --daemon --config static-office.conf --remote
> hostB --ping 15 --verb 7 --float
> 
> logfiles from syslog hostA: the same data with some IP changed.
> 
> ifconfig relevant infos:
> eth0      Link encap:Ethernet  HWaddr 00:60:08:54:F6:20
>           inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
>          [to the local net]
> eth1      Link encap:Ethernet  HWaddr 00:A0:24:C5:90:FC
>          [for using pppoe]
> ppp0      Link encap:Point-to-Point Protocol
>           inet addr:80.117.X.X  P-t-P:192.168.100.1 Mask:255.255.255.255
>          [internet connection pppoe modem]
> tun0      Link encap:Point-to-Point Protocol
>           inet addr:192.168.200.241  P-t-P:192.168.200.240 Mask:255.255.255.255
>           UP POINTOPOINT RUNNING MULTICAST  MTU:1256  Metric:1
>           RX packets:8 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:46 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:10
>           RX bytes:672 (672.0 b)  TX bytes:3864 (3.7 KiB)
> 
> Kernel IP routing table:
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.100.1   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
> 192.168.200.240 0.0.0.0         255.255.255.255 UH    0      0        0 tun0
> 192.168.130.0   192.168.200.240 255.255.255.0   UG    0      0        0 tun0
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 0.0.0.0         192.168.100.1   0.0.0.0         UG    0      0        0 ppp0
> 
> Test:
> - from host B (192.168.200.241) ping other tunnel endpoint -> OK
> 64 bytes from 192.168.200.240: icmp_seq=0 ttl=255 time=127.7 ms
> 
> - from host B ping other tunnel lan interface -> OK
> 64 bytes from 192.168.130.208: icmp_seq=0 ttl=255 time=133.8 ms
> 
> - from host B ping a host inside other subnet -> NO!!
> PING 192.168.130.101 (192.168.130.101): 56 data bytes
> no response (of course this host is up and running, I can check through
> a ping from host A).
> 
> Let's show some tcpdump infos:
> 
> hostB:~# tcpdump -i tun0
> tcpdump: listening on tun0
> 10:12:55.410967 192.168.200.241 > 192.168.130.101: icmp: echo request (DF)
> 10:12:57.964992 192.168.200.241 > 192.168.130.101: icmp: echo request (DF)
> 
> hostA:~# tcpdump -i tun0
> tcpdump: listening on tun0
> 10:13:24.906798 192.168.200.241 > 192.168.130.101: icmp: echo request (DF)
> 10:13:25.903610 192.168.200.241 > 192.168.130.101: icmp: echo request (DF)
> 
> hostA:~# tcpdump -i eth1
> tcpdump: listening on eth1
> tcpdump: listening on eth1
> 10:15:22.993260 192.168.200.241 > 192.168.130.101: icmp: echo request (DF)
> 10:15:23.992017 192.168.200.241 > 192.168.130.101: icmp: echo request (DF)
> 
> NB
> - both hosts have /proc/sys/net/ipv4/ip_forward set to 1
> - iptables trusts tun+ interfaces and doesn't report blocked/dropped
>   packets
> 
> Hope it can help to help me :)
> Thanks in advance for any suggestion how to debug!
> 
> -------------------------------------------------------
> Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara
> The only event dedicated to issues related to Linux enterprise solutions
> www.enterpriselinuxforum.com
> 
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
> 