
[Openvpn-users] unwanted change to reply port causing "Incoming packet rejected" error

  • Subject: [Openvpn-users] unwanted change to reply port causing "Incoming packet rejected" error
  • From: James Hammer <jhammer@xxxxxxxxxxx>
  • Date: Tue, 25 Jan 2005 16:08:05 -0600

We have openvpn set up on a linux router with 2 external interfaces (a T1 and a DSL line for failover) and 1 internal interface. iproute2 and iptables are used to force the vpn traffic over the T1. Openvpn is configured using the 'remote xxx.xxx.xxx.xxx' option in the config file to establish a p-to-p connection with a remote site. The remote site is running the same version of openvpn on a linux server.

If I unplug the DSL line then everything works great. Traffic flows without problems over the tunnel between the two openvpn servers. If I have both the T1 and the DSL line plugged in then I have a problem. Everything works great for a while, just the same as it did when only the T1 was plugged in. However, after a random period of time I cannot ping the remote site and the remote site cannot ping me over the tunnel.

A tcpdump shows that VPN traffic is still flowing between the local and remote vpn servers. However, at the point in time where things stopped working I noticed that the replies from my local vpn server are now going out with a different port. All the vpn traffic had been using port 5000. Now the replies are using port 1025 (or sometimes 1026). After a few minutes the vpn connection fixes itself and the traffic starts going out on port 5000 again. Also, I can restart the openvpn service, which usually causes the traffic to immediately start going out again on port 5000, but not always.

Looking at the log file on the remote openvpn server I see the following:

Jan 12 15:40:30 [openvpn] NOTE: Incoming packet rejected from xxx.xxx.xxx.xxx:1025[2], expected peer address: xxx.xxx.xxx.xxx:5000 (allow this incoming source address/port by removing --remote or adding --float)

I don't want the traffic to be sent on port 1025. I want everything to use port 5000. Why is the port changing? What can I do to keep that from happening?

Here is some information on the machine that is having this problem:
OS: Gentoo Linux
Kernel: 2.6.8-gentoo-r10
openvpn version: 1.5.0-r1
Just in case, I am also running keepalived 1.1.7 (http://www.keepalived.org/index.html) in conjunction with Julian Anastasov's Dead-Gateway-Detection kernel patch (http://www.ssi.bg/~ja/) on the local openvpn server, which seems it may be related somehow. I am not using LVS.

Here are some of the configs on the two openvpn servers:

Local (the one with the problem):

dev tun
remote yyy.yyy.yyy.yyy
up ./rem_network.up #route add -net netmask gw $5
secret static.key
#port 5000
lport 5000
rport 5000
verb 9

Remote:

dev tun
remote xxx.xxx.xxx.xxx
up ./rem_network.up #route add -net netmask gw $5
secret static.key
port 5000
verb 3

Thanks for any help you can give!

James Hammer
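Added example, not part of the original post and not OpenVPN's own code: a small Python script that parses NOTE lines of the form quoted above, separates pure source-port drift (same peer IP, unexpected port, which is the symptom reported here) from a genuine address mismatch (a different host), and models the accept/reject decision the message hints at (the packet is rejected unless --remote is absent or --float is set). The sample log lines are constructed with documentation addresses (192.0.2.0/24 and 198.51.100.0/24); the `would_accept` model mirrors the wording of the NOTE rather than OpenVPN's source, and the expected port is taken from `rport`/`port` instead of a hardcoded default because the default port changed between OpenVPN releases.

```python
"""Classify OpenVPN 'Incoming packet rejected' notices from a log.

Added example, not OpenVPN code. The log format follows the NOTE line quoted
in the post; the sample lines below are constructed with documentation addresses.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Pattern for the NOTE line. The "[2]" after the source port is a link index
# that OpenVPN prints; it is treated as optional here.
REJECT_RE = re.compile(
    r"NOTE: Incoming packet rejected from (?P<src_ip>[\d.]+):(?P<src_port>\d+)"
    r"(?:\[\d+\])?, expected peer address: (?P<exp_ip>[\d.]+):(?P<exp_port>\d+)"
)

_TAIL = " (allow this incoming source address/port by removing --remote or adding --float)"

# Constructed sample log (not from the post): two port-drift rejections from the
# real peer, one unrelated line, and one packet from a different host entirely.
SAMPLE_LOG = [
    "Jan 12 15:40:30 [openvpn] NOTE: Incoming packet rejected from 192.0.2.10:1025[2],"
    " expected peer address: 192.0.2.10:5000" + _TAIL,
    "Jan 12 15:40:31 [openvpn] NOTE: Incoming packet rejected from 192.0.2.10:1025[2],"
    " expected peer address: 192.0.2.10:5000" + _TAIL,
    "Jan 12 15:40:32 [openvpn] TUN/TAP device tun0 opened",
    "Jan 12 15:41:05 [openvpn] NOTE: Incoming packet rejected from 198.51.100.7:5000[2],"
    " expected peer address: 192.0.2.10:5000" + _TAIL,
]


@dataclass(frozen=True)
class Rejection:
    src_ip: str
    src_port: int
    exp_ip: str
    exp_port: int

    @property
    def kind(self) -> str:
        """'port-drift': same peer host but an unexpected source port (the symptom
        in the post, typically a routing or NAT change on the sending side).
        'address-mismatch': a different host, which --float would also admit."""
        return "port-drift" if self.src_ip == self.exp_ip else "address-mismatch"


def parse_rejections(lines):
    """Return a Rejection for every line matching REJECT_RE, in log order."""
    found = []
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            found.append(Rejection(m["src_ip"], int(m["src_port"]),
                                   m["exp_ip"], int(m["exp_port"])))
    return found


def summarize(rejections):
    """Count rejections by (kind, source port) so drift to 1025/1026 stands out."""
    return Counter((r.kind, r.src_port) for r in rejections)


def would_accept(src_ip, src_port, cfg):
    """Model of the peer check the NOTE describes (assumption: it mirrors the
    message text, not OpenVPN internals). cfg uses the option names from the
    post's configs: 'remote', 'rport', 'port', 'float'."""
    if cfg.get("remote") is None or cfg.get("float"):
        return True
    expected_port = cfg.get("rport") or cfg.get("port")
    if expected_port is None:
        raise ValueError("cfg needs 'rport' or 'port'; the default port changed between releases")
    return src_ip == cfg["remote"] and src_port == expected_port


if __name__ == "__main__":
    rs = parse_rejections(SAMPLE_LOG)
    for (kind, port), n in sorted(summarize(rs).items()):
        print(f"{kind:17s} port {port:5d}: {n} packet(s)")
    cfg = {"remote": "192.0.2.10", "rport": 5000}
    print("1025 accepted without --float:", would_accept("192.0.2.10", 1025, cfg))
    print("1025 accepted with --float:   ", would_accept("192.0.2.10", 1025, {**cfg, "float": True}))
```

Adding --float makes the peer accept packets from any source address and port, relying on the static-key HMAC to authenticate them, so it is the common quick fix; the drift classifier above is for the other half of the job, noticing when a routing or NAT change on the sending side is what caused the port to move in the first place.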
