TINC 1.0pre2: unable to access one private network (fwd)

Guus Sliepen guus at sliepen.warande.net
Mon Jun 12 15:45:14 CEST 2000


For clarity...

---------- Forwarded message ----------
Date: Sun, 11 Jun 2000 16:14:37 -0500
From: gbarnett <gbarnett at satx.rr.com>
To: guus at sliepen.warande.net
Subject: TINC 1.0pre2: unable to access one private network

Guus... I couldn't seem to get this to the mail list... could you post it
and/or answer it for me?

Thx.


I have been having problems configuring TINC properly.

SCENARIO:
--------------
I have two linux boxes (A and B), each with one private network and one
routable IP address (2 NICs).  They are both running ipchains and
masquerading very stably.  I start tincd on A with no ConnectTo variable
set.  I start tincd on B with a ConnectTo of the routable IP address of A.
A review of /var/log/messages shows the connection come up on both
systems.  Now, B can ping A's tap address, and the private network behind A.
:-)  But A can only ping B's tap address, NOT the private network behind B.
:-(  When the roles of server A and B are reversed, the same thing
happens... A can get to the private network behind B, but B cannot get to
the private network behind A.


CONFIGURATION:
----------------------
For server A:
ifconfig :
	eth0 1.2.3.4/24
	eth1 10.69.69.69/29 broadcast 10.69.69.71
	tap0 10.69.69.69/24 broadcast 10.69.69.255 HWaddr fe:fd:0a:45:45:45

route:
	10.69.69.64	*	255.255.255.248	eth1
	10.69.69.0	*	255.255.255.0		tap0
	1.2.3.0		*	255.255.255.0		eth0

2.3.4.5/tinc.conf
	MyVirtualIP = 10.69.69.69/32
	TapDevice = /dev/tap0
	VPNMask = 255.255.255.0

For server B:
ifconfig :
	eth0 2.3.4.5/24
	eth1 10.69.69.73/29 broadcast 10.69.69.79
	tap0 10.69.69.73/24 broadcast 10.69.69.255 HWaddr fe:fd:0a:45:45:49

route:
	10.69.69.72	*	255.255.255.248	eth1
	10.69.69.0	*	255.255.255.0		tap0
	2.3.4.0		*	255.255.255.0		eth0

1.2.3.4/tinc.conf
	ConnectTo = 1.2.3.4
	MyVirtualIP = 10.69.69.73/32
	TapDevice = /dev/tap0
	VPNMask = 255.255.255.0


TROUBLESHOOTING:
--------------------------
Ping from B to 10.69.69.69: (A's internal IP address)
	Packet Log on B:
		output	ACCEPT	tap0	PROTO=1		10.69.69.73:8	10.69.69.69:0
		output	ACCEPT	eth0	PROTO=17	2.3.4.5:1100	1.2.3.4:655
		input	ACCEPT	eth0	PROTO=17	1.2.3.4:1054	2.3.4.5:655
		input	ACCEPT	tap0	PROTO=1		10.69.69.69:0	10.69.69.73:0
		output	ACCEPT	eth0	PROTO=6		2.3.4.5:2614	1.2.3.4:655
	Packet Log on A:
		input	ACCEPT	eth0	PROTO=17	2.3.4.5:1100	1.2.3.4:655
		input	ACCEPT	tap0	PROTO=1		10.69.69.73:8	10.69.69.69:0
		output	ACCEPT	tap0	PROTO=1		10.69.69.69:0	10.69.69.73:0
		output	ACCEPT	eth0	PROTO=17	1.2.3.4:1054	2.3.4.5:655
		input	ACCEPT	eth0	PROTO=6		2.3.4.5:2614	1.2.3.4:655

Ping from B to 10.69.69.70: (a computer on A's private network)
	Packet Log on B:
		output	ACCEPT	tap0	PROTO=1		10.69.69.73:8	10.69.69.70:0
		output	ACCEPT	eth0	PROTO=17	2.3.4.5:1100	1.2.3.4:655
		input	ACCEPT	eth0	PROTO=17	1.2.3.4:1054	2.3.4.5:655
		input	ACCEPT	tap0	PROTO=1		10.69.69.70:0	10.69.69.73:0
		output	ACCEPT	eth0	PROTO=6		2.3.4.5:2614	1.2.3.4:655
	Packet Log on A:
		input	ACCEPT	eth0	PROTO=17	2.3.4.5:1100	1.2.3.4:655
		input	ACCEPT	tap0	PROTO=1		10.69.69.73:8	10.69.69.70:0
		forward	ACCEPT	eth1	PROTO=1		10.69.69.73:8	10.69.69.70:0
		forward	ACCEPT	tap0	PROTO=1		10.69.69.70:0	10.69.69.73:0
		output	ACCEPT	tap0	PROTO=1		10.69.69.70:0	10.69.69.73:0
		output	ACCEPT	eth0	PROTO=17	1.2.3.4:1054	2.3.4.5:655
		input	ACCEPT	eth0	PROTO=6		2.3.4.5:2614	1.2.3.4:655

Ping from A to 10.69.69.73: (B's internal IP address)
	Packet Log on A:
		output	ACCEPT	tap0	PROTO=1		10.69.69.69:8	10.69.69.73:0
		output	ACCEPT	eth0	PROTO=17	1.2.3.4:1054	2.3.4.5:655
		input	ACCEPT	eth0	PROTO=17	2.3.4.5:1100	1.2.3.4:655
		input	ACCEPT	tap0	PROTO=1		10.69.69.73:0	10.69.69.69:0
		input	ACCEPT	eth0	PROTO=6		2.3.4.5:2614	1.2.3.4:655
		input	ACCEPT	eth0	PROTO=6		2.3.4.5:2614	1.2.3.4:655
	Packet Log on B:
		input	ACCEPT	eth0	PROTO=17	1.2.3.4:1054	2.3.4.5:655
		input	ACCEPT	tap0	PROTO=1		10.69.69.69:8	10.69.69.73:0
		output	ACCEPT	tap0	PROTO=1		10.69.69.73:0	10.69.69.69:0
		output	ACCEPT	eth0	PROTO=17	2.3.4.5:1100	1.2.3.4:655
		output	ACCEPT	eth0	PROTO=6		2.3.4.5:2614	1.2.3.4:655
		output	ACCEPT	eth0	PROTO=6		2.3.4.5:2614	1.2.3.4:655

Ping from A to 10.69.69.74: (a computer on B's private network)
	Packet Log on A:
		output	ACCEPT	tap0	PROTO=1		10.69.69.69:8	10.69.69.74:0
	Packet Log on B:
		<nothing>

NOTES:
---------
 - When B is set to wait for a connection, and A is set to ConnectTo B, B
cannot ping a computer on A's private network.
 - My ipchains is set up to log every denied/rejected packet, along with
several accepted packets (as shown above), and I haven't seen any denied
packets to indicate a problem with the firewall.
 - It doesn't appear that the packet in "ping from A to 10.69.69.74" above
is ever encapsulated into UDP, since it is never sent to eth0.


Thanks in advance for any help you have for me.  (I'm sure I probably
overlooked the most obvious thing... :)  )

Greg Barnett

-
Tinc:         Discussion list about the tinc VPN daemon
Archive:      http://mail.nl.linux.org/lists/
Tinc site:    http://ftp.nl.linux.org/pub/linux/tinc/
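Added check, not part of the post above and not tinc's own code: a small Python model of the two hosts' routing tables and MyVirtualIP declarations as listed in the CONFIGURATION section. It reproduces the kernel's longest-prefix-match choice for each ping destination from the TROUBLESHOOTING section (confirming why 10.69.69.74 leaves A via tap0 even though the /29 and the tap0 /24 overlap), flags the nested prefixes in each routing table, and tests whether a destination falls inside the peer's declared MyVirtualIP prefix. That last test rests on an assumption, stated in the code, that tincd forwards a packet only when its destination is covered by a peer's declared prefix; it is not confirmed by the post, and the corrected /29 declarations it tries are hypothetical.

```python
"""Routing and MyVirtualIP prefix check for the two-site tinc setup in the post.

Constructed from the CONFIGURATION section; nothing here is tinc code.
The tinc lookup rule below is an ASSUMPTION about how a peer is selected
from its declared MyVirtualIP/mask and has not been verified against
the 1.0pre2 source.
"""
import ipaddress

# Kernel routing tables exactly as listed for server A and server B.
ROUTES = {
    "A": [("10.69.69.64/29", "eth1"), ("10.69.69.0/24", "tap0"), ("1.2.3.0/24", "eth0")],
    "B": [("10.69.69.72/29", "eth1"), ("10.69.69.0/24", "tap0"), ("2.3.4.0/24", "eth0")],
}

# MyVirtualIP as declared in each tinc.conf in the post (/32 on both sides).
MYVIRTUALIP = {"A": "10.69.69.69/32", "B": "10.69.69.73/32"}

# Hypothetical alternative: declare the whole /29 behind each host (assumption).
MYVIRTUALIP_FIXED = {"A": "10.69.69.69/29", "B": "10.69.69.73/29"}


def kernel_route(host, dst):
    """Device the kernel picks for dst by longest-prefix match, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in ROUTES[host]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def overlapping_routes(host):
    """Pairs (inner, dev, outer, dev) where one route prefix nests inside another."""
    nets = [(ipaddress.ip_network(p), d) for p, d in ROUTES[host]]
    return [(str(a), da, str(b), db)
            for a, da in nets for b, db in nets
            if a != b and a.subnet_of(b)]


def tinc_peer_for(src_host, dst, declarations):
    """Peer whose declared MyVirtualIP prefix covers dst, or None.

    ASSUMED rule: a packet read from the tap device is encapsulated to the
    peer whose declared prefix contains the destination; otherwise dropped.
    """
    addr = ipaddress.ip_address(dst)
    for peer, decl in declarations.items():
        if peer == src_host:
            continue
        if addr in ipaddress.ip_network(decl, strict=False):
            return peer
    return None


def trace(src_host, dst, declarations):
    """One-line summary of what the kernel and (assumed) tincd would do."""
    dev = kernel_route(src_host, dst)
    peer = tinc_peer_for(src_host, dst, declarations) if dev == "tap0" else None
    return f"{src_host} -> {dst}: kernel via {dev}, tinc peer {peer}"


if __name__ == "__main__":
    # The four pings from the TROUBLESHOOTING section, with the posted /32 declarations.
    for src, dst in [("B", "10.69.69.69"), ("B", "10.69.69.70"),
                     ("A", "10.69.69.73"), ("A", "10.69.69.74")]:
        print(trace(src, dst, MYVIRTUALIP))
    for host in ROUTES:
        print(host, "nested prefixes:", overlapping_routes(host))
    # Same pings with the hypothetical /29 declarations.
    for src, dst in [("B", "10.69.69.70"), ("A", "10.69.69.74")]:
        print("fixed:", trace(src, dst, MYVIRTUALIP_FIXED))
```

The nested-prefix report is the thing to look at first: on each host the eth1 /29 sits inside the tap0 /24, so the private subnet is only reachable locally because the /29 wins on prefix length, and every other 10.69.69.0/24 address is pushed into tap0 whether or not a tinc peer has claimed it.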