ethertap dropping packets?
Allen Bettilyon
allen at about-inc.com
Thu Nov 8 08:26:41 CET 2001
Hello,
I'm having some routing issue with my tinc setup. I'm running a fairly
basic VPN configuration between two networks:
-------
Site A:
-------
--- tinc-up ---
#!/bin/sh
/sbin/ifconfig tap0 hs ether fe:fd:00:00:00:00
/sbin/ifconfig tap0 10.11.1.2 netmask 255.0.0.0
/sbin/ifconfig tap0 -arp
---- tinc.conf ---
Name = orca
Hostnames = no
InterfaceIP = 63.108.71.7
KeyExpire = 30000000
PrivateKeyFile = /etc/tinc/.rsa-private
TapDevice = /dev/tap0
-------
Site B:
-------
---- tinc-up ----
#!/bin/sh
/sbin/ifconfig $NETNAME hs ether fe:fd:00:00:00:00
/sbin/ifconfig $NETNAME 10.11.15.1 netmask 255.0.0.0
/sbin/ifconfig $NETNAME -arp
----- tinc.conf ----
ConnectTo = orca
Name = pax
Hostnames = no
InterfaceIP = 24.176.163.186
KeyExpire = 30000000
PrivateKeyFile = /etc/tinc/.rsa-private
TapDevice = /dev/tun
------------------
Shared Hosts Files
------------------
--- pax ---
Address = x.x.x.x
Subnet = 10.11.15.0/24
PublicKeyFile=/etc/tinc/hosts/.pax-rsa-public
--- orca ---
Address = y.y.y.y
Subnet = 10.11.1.0/24
PublicKeyFile=/etc/tinc/hosts/.orca-rsa-public
#######################################################
I get a successful connection and everything looks to be okay, however,
I am unable to ping anything from either side.
I ran a few tcpdumps and believe that I have found where the
problem lies, but I don't know exactly what the problem is.
From a second machine sitting in network B (10.11.15.11), I tried
pinging a machine on network A (10.11.15.1). I had a tcpdump running on
3 different interfaces:
eth0 on orca: (tcpdump -i eth0 icmp)
--------------
17:59:45.212188 > 10.11.15.11 > 10.11.1.1: icmp: echo request (DF)
17:59:45.213943 < 10.11.1.1 > 10.11.15.11: icmp: echo reply (DF)
17:59:46.207298 > 10.11.15.11 > 10.11.1.1: icmp: echo request (DF)
17:59:46.208155 < 10.11.1.1 > 10.11.15.11: icmp: echo reply (DF)
ethertap interface on pax: (tcpdump -i tap0 icmp)
---------------------------
00:07:14.750000 > 10.11.15.11 > 10.11.1.1: icmp: echo request (DF)
00:07:14.820000 P 10.11.1.1 > 10.11.15.11: icmp: echo reply (DF)
00:07:15.750000 > 10.11.15.11 > 10.11.1.1: icmp: echo request (DF)
00:07:15.840000 P 10.11.1.1 > 10.11.15.11: icmp: echo reply (DF)
eth1 on pax: (tcpdump -i $NETNAME icmp)
-------------
00:07:39.980000 < 10.11.15.11 > 10.11.1.1: icmp: echo request (DF)
00:07:40.980000 < 10.11.15.11 > 10.11.1.1: icmp: echo request (DF)
00:07:41.980000 < 10.11.15.11 > 10.11.1.1: icmp: echo request (DF)
My interpretation of the above tcpdumps is:
-- ICMP echo request --
1) Leave its source (10.11.15.11)
2) Enter eth0 on pax
3) Enter ethertap on pax
4) tunnel to ethertap orca
5) forward to eth0 on orca
6) reach its destination successfully
-- ICMP echo reply --
1) Leave its source (10.11.1.1)
2) Enter eth0 on orca
3) forward to ethertap on orca
4) tunnel to ethertap on pax
5) !!Packet appears to be dropped here!!!
I have tried both:
/sbin/iptables -F
& /sbin/iptables -t nat -F
Anybody have any ideas? I'm pretty stumped here.
I also DO see the following in syslog on pax:
No valid key known yet for orca (63.108.71.7), queueing packet
pax is running linux 2.4.2
orca is running linux 2.2.16
tincd is: 1.0pre4
- Allen
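
Added example, not part of the original post: a Python tally of the three tcpdump captures above that reports, for each capture point, whether any echo reply was seen and with which direction flag. Two lines from each capture are copied from the post; the meaning given to each flag in FLAGS is an assumption about this tcpdump build's direction column, not something the post states.

```python
import re
from collections import Counter

# Two lines from each capture in the post, keyed by the capture point named there.
CAPTURES = {
    "eth0 on orca": [
        "17:59:45.212188 > 10.11.15.11 > 10.11.1.1: icmp: echo request (DF)",
        "17:59:45.213943 < 10.11.1.1 > 10.11.15.11: icmp: echo reply (DF)",
    ],
    "ethertap on pax": [
        "00:07:14.750000 > 10.11.15.11 > 10.11.1.1: icmp: echo request (DF)",
        "00:07:14.820000 P 10.11.1.1 > 10.11.15.11: icmp: echo reply (DF)",
    ],
    "eth1 on pax": [
        "00:07:39.980000 < 10.11.15.11 > 10.11.1.1: icmp: echo request (DF)",
        "00:07:40.980000 < 10.11.15.11 > 10.11.1.1: icmp: echo request (DF)",
    ],
}

# Assumed legend for the direction column (an assumption, not stated in the post).
FLAGS = {"<": "received for this host", ">": "sent by this host",
         "P": "seen, but addressed to another host"}

LINE = re.compile(r"^\S+ (?P<flag>[<>PBM]) (?P<src>\S+) > (?P<dst>[^:]+): "
                  r"icmp: echo (?P<kind>request|reply)")

def summarize(captures):
    """Map each capture point to {(kind, flag): count}; unparsable lines are skipped."""
    summary = {}
    for point, lines in captures.items():
        hits = (LINE.match(line) for line in lines)
        summary[point] = dict(Counter((m["kind"], m["flag"]) for m in hits if m))
    return summary

def reply_status(captures):
    """Per capture point: sorted flags seen on echo replies, or None if no reply."""
    status = {}
    for point, counts in summarize(captures).items():
        flags = sorted(flag for (kind, flag) in counts if kind == "reply")
        status[point] = flags or None
    return status

if __name__ == "__main__":
    for point, flags in reply_status(CAPTURES).items():
        seen = ", ".join(f"{f} ({FLAGS.get(f, 'unknown')})" for f in flags or [])
        print(f"{point}: echo reply {seen or 'not captured'}")
```

The captures in the post were taken at different times on hosts with different clocks, so the tally counts packets per capture point and does not try to match timestamps across them.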