[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Web openvpn.net

Re: [Openvpn-users] unwanted change to reply port causing "Incoming packet rejected" error

  • Subject: Re: [Openvpn-users] unwanted change to reply port causing "Incoming packet rejected" error
  • From: "Aaron P. Martinez" <ml@xxxxxxxxxxxxxx>
  • Date: Wed, 26 Jan 2005 19:14:18 -0600

On Tue, 2005-01-25 at 16:08, James Hammer wrote:
> We have openvpn setup on a linux router with 2 external interfaces (a T1 
> and a DSL line for failover) 

What are you using to do the load balancing?  creating a virtual device
w/teql or some other method, specifics?

> and 1 internal interface.  iproute2 and 
> iptables are used to force the vpn traffic over the T1.

These configs might help.  Do you have anything in your iptables either
in the filtering or in the nat (post or prerouting) tables that uses
port 1025? specifically snats

>   Openvpn is 
> configured using the 'remote xxx.xxx.xxx.xxx' option in the config file 
> to establish a p-to-p connection with a remote site.  The remote site is 
> running the same version of openvpn on a linux server.  If I unplug the 
> DSL line then everything works great.  Traffic flows without problems 
> over the tunnel between the two openvpn servers.  If I have both the T1 
> and the DSL line plugged in then I have a problem.  Everything works 
> great for awhile, just the same as it did when only the T1 was plugged 
> in.  However, after a random period of time I cannot ping the remote 
> site and the remote site cannot ping me over the tunnel.  A tcpdump 
> shows that VPN traffic is still flowing between the local and remote vpn 
> servers.  However, at the point in time where things stopped working I 
> noticed that the replies from my local vpn server are now going out with 
> a different port.  All the vpn traffic had been using port 5000.  Now 
> the replies are using port 1025 (or sometimes 1026).  After a few 
> minutes the vpn connection fixes itself and the traffic starts going out 
> on port 5000 again.  Also, I can restart the openvpn service which 
> usually causes the traffic to immediately start going out again on port 
> 5000, but not always.
> Looking at the log file on the remote openvpn server I see the following:
> <snip>
> Jan 12 15:40:30 [openvpn] NOTE: Incoming packet rejected from 
> xxx.xxx.xxx.xxx:1025[2], expected peer address: xxx.xxx.xxx.xxx:5000 

are the xxx addresses the same in the rejected from and the expected
from error?

> (allow this incoming source address/port by removing --remote or adding 
> --float)
> <snip>
> I don't want the traffic to be sent on port 1025.  I want everything to 
> use port 5000. Why is the port changing?  What can I do to keep that 
> from happening?  
> Here is some information on the machine that is having this problem:
> OS: Gentoo Linux
> Kernel: 2.6.8-gentoo-r10
> openvpn version: 1.5.0-r1

Have you thought about using a current version, even to the current
stable of 1.6.  Testing with the 2.0 branch? you could  run them
simultaneously to see if it happens to both at the same time.

> Just in case, I am also running keepalived 1.1.7 
> (http://www.keepalived.org/index.html)in conjunction with Julian 
> Anastasov's Dead-Gateway-Detection kernel patch (http://www.ssi.bg/~ja/) 
> on the local openvpn server which seems it may be related somehow.  I am 
> not using LVS.
> Here are some of the configs on the two openvpn servers:
> Local (the one with the problem):
> dev tun
> remote yyy.yyy.yyy.yyy
> ifconfig
> up ./rem_network.up #route add -net netmask gw $5
> secret static.key
> #port 5000
> lport 5000
> rport 5000

why not use standard port or leave it commented out here as 5000 is
default for this version and you're using the same for both incoming and

> comp-lzo
> verb 9
> Remote:
> dev tun
> remote xxx.xxx.xxx.xxx
> ifconfig
> up ./rem_network.up #route add -net netmask gw $5
> secret static.key
> port 5000
> comp-lzo
> verb 3
> Thanks for any help you can give!
> --
> James Hammer
> openvpn@xxxxxxxxxxx
Aaron Martinez
> https://lists.sourceforge.net/lists/listinfo/openvpn-users

Openvpn-users mailing list