TINC 1.0pre2: unable to access one private network (fwd)
Guus Sliepen
guus at sliepen.warande.net
Mon Jun 12 15:45:14 CEST 2000
For clarity...
---------- Forwarded message ----------
Date: Sun, 11 Jun 2000 16:14:37 -0500
From: gbarnett <gbarnett at satx.rr.com>
To: guus at sliepen.warande.net
Subject: TINC 1.0pre2: unable to access one private network
Guus... I couldn't seem to get this to the mail list... could you post it and/or answer it for me?
Thx.
I have been having problems configuring TINC properly.
SCENARIO:
--------------
I have two linux boxes (A and B), each with one private network and one routable IP address (2 NICs). They are both running ipchains and masquerading very stably. I start tincd on A with no ConnectTo variable set. I start tincd on B with a ConnectTo of the routable IP address of A.

A review of /var/log/messages shows the connection come up on both systems. Now, B can ping A's tap address, and the private network behind A. :-) But A can only ping B's tap address, NOT the private network behind B. :-( When the roles of server A and B are reversed, the same thing happens... A can get to the private network behind B, but B cannot get to the private network behind A.
CONFIGURATION:
----------------------
For server A:
ifconfig :
eth0 1.2.3.4/24
eth1 10.69.69.69/29 broadcast 10.69.69.71
tap0 10.69.69.69/24 broadcast 10.69.69.255 HWaddr fe:fd:0a:45:45:45
route:
10.69.69.64 * 255.255.255.248 eth1
10.69.69.0 * 255.255.255.0 tap0
1.2.3.0 * 255.255.255.0 eth0
2.3.4.5/tinc.conf
MyVirtualIP = 10.69.69.69/32
TapDevice = /dev/tap0
VPNMask = 255.255.255.0
For server B:
ifconfig :
eth0 2.3.4.5/24
eth1 10.69.69.73/29 broadcast 10.69.69.79
tap0 10.69.69.73/24 broadcast 10.69.69.255 HWaddr fe:fd:0a:45:45:49
route:
10.69.69.72 * 255.255.255.248 eth1
10.69.69.0 * 255.255.255.0 tap0
2.3.4.0 * 255.255.255.0 eth0
1.2.3.4/tinc.conf
ConnectTo = 1.2.3.4
MyVirtualIP = 10.69.69.73/32
TapDevice = /dev/tap0
VPNMask = 255.255.255.0
TROUBLESHOOTING:
--------------------------
Ping from B to 10.69.69.69: (A's internal IP address)
Packet Log on B:
output ACCEPT tap0 PROTO=1 10.69.69.73:8 10.69.69.69:0
output ACCEPT eth0 PROTO=17 2.3.4.5:1100 1.2.3.4:655
input ACCEPT eth0 PROTO=17 1.2.3.4:1054 2.3.4.5:655
input ACCEPT tap0 PROTO=1 10.69.69.69:0 10.69.69.73:0
output ACCEPT eth0 PROTO=6 2.3.4.5:2614 1.2.3.4:655
Packet Log on A
input ACCEPT eth0 PROTO=17 2.3.4.5:1100 1.2.3.4:655
input ACCEPT tap0 PROTO=1 10.69.69.73:8 10.69.69.69:0
output ACCEPT tap0 PROTO=1 10.69.69.69:0 10.69.69.73:0
output ACCEPT eth0 PROTO=17 1.2.3.4:1054 2.3.4.5:655
input ACCEPT eth0 PROTO=6 2.3.4.5:2614 1.2.3.4:655
Ping from B to 10.69.69.70: (a computer on A's private network)
Packet Log on B:
output ACCEPT tap0 PROTO=1 10.69.69.73:8 10.69.69.70:0
output ACCEPT eth0 PROTO=17 2.3.4.5:1100 1.2.3.4:655
input ACCEPT eth0 PROTO=17 1.2.3.4:1054 2.3.4.5:655
input ACCEPT tap0 PROTO=1 10.69.69.70:0 10.69.69.73:0
output ACCEPT eth0 PROTO=6 2.3.4.5:2614 1.2.3.4:655
Packet Log on A
input ACCEPT eth0 PROTO=17 2.3.4.5:1100 1.2.3.4:655
input ACCEPT tap0 PROTO=1 10.69.69.73:8 10.69.69.70:0
forward ACCEPT eth1 PROTO=1 10.69.69.73:8 10.69.69.70:0
forward ACCEPT tap0 PROTO=1 10.69.69.70:0 10.69.69.73:0
output ACCEPT tap0 PROTO=1 10.69.69.70:0 10.69.69.73:0
output ACCEPT eth0 PROTO=17 1.2.3.4:1054 2.3.4.5:655
input ACCEPT eth0 PROTO=6 2.3.4.5:2614 1.2.3.4:655
Ping from A to 10.69.69.73: (B's internal IP address)
Packet Log on A:
output ACCEPT tap0 PROTO=1 10.69.69.69:8 10.69.69.73:0
output ACCEPT eth0 PROTO=17 1.2.3.4:1054 2.3.4.5:655
input ACCEPT eth0 PROTO=17 2.3.4.5:1100 1.2.3.4:655
input ACCEPT tap0 PROTO=1 10.69.69.73:0 10.69.69.69:0
input ACCEPT eth0 PROTO=6 2.3.4.5:2614 1.2.3.4:655
input ACCEPT eth0 PROTO=6 2.3.4.5:2614 1.2.3.4:655
Packet Log on B
input ACCEPT eth0 PROTO=17 1.2.3.4:1054 2.3.4.5:655
input ACCEPT tap0 PROTO=1 10.69.69.69:8 10.69.69.73:0
output ACCEPT tap0 PROTO=1 10.69.69.73:0 10.69.69.69:0
output ACCEPT eth0 PROTO=17 2.3.4.5:1100 1.2.3.4:655
output ACCEPT eth0 PROTO=6 2.3.4.5:2614 1.2.3.4:655
output ACCEPT eth0 PROTO=6 2.3.4.5:2614 1.2.3.4:655
Ping from A to 10.69.69.74: (a computer on B's private network)
Packet log on A:
output ACCEPT tap0 PROTO=1 10.69.69.69:8 10.69.69.74:0
Packet Log on B
<nothing>
NOTES:
---------
- When B is set to wait for a connection, and A is set to ConnectTo B, B cannot ping a computer on A's private network.
- My ipchains is set up to log every denied/rejected packet, along with
several accepted packets (as shown above), and I haven't seen any denied
packets to indicate a problem with the firewall.
- It doesn't appear that the packet in "ping from A to 10.69.69.74" above is ever encapsulated into UDP, since it is never sent to eth0.
Thanks in advance for any help you have for me. (I'm sure I probably overlooked the most obvious thing... :) )
Greg Barnett
-
Tinc: Discussion list about the tinc VPN daemon
Archive: http://mail.nl.linux.org/lists/
Tinc site: http://ftp.nl.linux.org/pub/linux/tinc/