Connection Problem
Daniel Holden
dholden at idsb.net
Thu Nov 22 03:54:45 CET 2001
Guus Sliepen wrote:
> On Mon, Nov 19, 2001 at 07:57:46PM -0800, Daniel Holden wrote:
>
> > I have set up a test vpn between two masquerading firewalls. I
> > don't really see any way to test it so I've been pinging. When I ping
> > serverA from serverB (or vice-versa) I can see that the pings reach the
> > intended target but the pingee does not receive the replies. Is this a
> > firewall issue? Forwarding? I'm using RedHat 7.2, kernel 2.4.7-10smp.
> > Any help or suggestions would be appreciated.
>
> It can depend on a lot of things. Could you send us:
>
> - Output of "ifconfig -a" when tinc runs,
> - Output of "route",
> - tinc.conf and all files in hosts/ from both firewalls,
> - Output of "iptables -L -v",
> - Output of "iptables -t nat -L -v"
>
> > The email link at http://tinc.nl.linux.org/mail.html doesn't seem
> > to work. In Netscape it wants to send to 3 users (tinc, at,
> > nl.linux.org). Looking at the html source shows mailto:tinc at
> > nl.linux.org. Of course I figured it out but thought you might like to
> > know.
>
> It was intentional; it prevents spammers from harvesting email
> addresses. It's common practice.
>
> --
> Met vriendelijke groet / with kind regards,
> Guus Sliepen <guus at sliepen.warande.net>
>
Sorry for screwing up and emailing this the first time instead of doing a
reply all.
Thank you for the response. I finally got some time to work on this
problem. Following is the info you requested. Hope it's not too much
but I didn't want to leave out anything that may have been of
importance.
ServerA:
###/tinc/office_vpn/tinc.conf
Name = ServerA
TapDevice = /dev/tun
PrivateKeyFile = /usr/local/etc/tinc/office_vpn/rsa_key.priv
###/tinc/office_vpn/hosts/ServerA
Address = 209.1.1.1
Subnet = 192.168.255.0/24
-----BEGIN RSA PUBLIC KEY-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END RSA PUBLIC KEY-----
###/tinc/office_vpn/hosts/ServerB
Address = 209.1.1.2
Subnet = 192.168.1.0/24
-----BEGIN RSA PUBLIC KEY-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END RSA PUBLIC KEY-----
............................................................
ServerB:
###/tinc/office_vpn/tinc.conf
Name = ServerB
ConnectTo = ServerA
TapDevice = /dev/tun
PrivateKeyFile = /usr/local/etc/tinc/office_vpn/rsa_key.priv
###/tinc/office_vpn/hosts/ServerA
Address = 209.1.1.1
Subnet = 192.168.255.0/24
-----BEGIN RSA PUBLIC KEY-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END RSA PUBLIC KEY-----
###/tinc/office_vpn/hosts/ServerB
Address = 209.1.1.2
Subnet = 192.168.1.0/24
-----BEGIN RSA PUBLIC KEY-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END RSA PUBLIC KEY-----
...................................................
Result of "ifconfig -a" on ServerB:
eth0 Link encap:Ethernet HWaddr 00:A0:CC:DB:F2:57
inet addr:209.1.1.1 Bcast:209.1.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth1 Link encap:Ethernet HWaddr 00:A0:CC:DB:FB:2C
inet addr:209.1.2.1 Bcast:209.1.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth2 Link encap:Ethernet HWaddr 00:A0:CC:DB:DC:55
inet addr:192.168.1.253 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
office_vp Link encap:Ethernet HWaddr FE:FD:00:00:00:00
inet addr:192.168.1.253 Bcast:192.168.1.255 Mask:255.255.0.0
UP BROADCAST RUNNING NOARP MULTICAST MTU:1500 Metric:1
................................................................................
Result of "route" on ServerB:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 209-1-2-1 255.255.255.0 UG 0 0 0 eth1
office_vpn * 255.255.255.0 U 0 0 0 eth2
209.1.2.0 * 255.255.255.0 U 0 0 0 eth1
209.1.39.0 * 255.255.255.0 U 0 0 0 eth0
192.168.0.0 * 255.255.0.0 U 0 0 0 office_vpn
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default 209-1-1-10 0.0.0.0 UG 0 0 0 eth0
...................................................................................
Result of "iptables -t nat -L -v" on ServerB:
Chain PREROUTING (policy ACCEPT 4075 packets, 823K bytes)
pkts bytes target prot opt in out source
destination
0 0 DNAT tcp -- any any anywhere
209.1.1.0/24 tcp dpt:tinc to:192.168.1.253:655
Chain POSTROUTING (policy ACCEPT 664 packets, 158K bytes)
pkts bytes target prot opt in out source
destination
348 24626 MASQUERADE all -- any eth0 anywhere anywhere
0 0 ACCEPT all -- any any 209.1.1.0/24 anywhere
Chain OUTPUT (policy ACCEPT 2578 packets, 332K bytes)
pkts bytes target prot opt in out source
destination
...................................................................................
Result of "iptables -L -v" on ServerB:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
2 118 ACCEPT all -- any any mail.idsb.net anywhere
0 0 ACCEPT all -- any any 209-1-20-1 anywhere
0 0 ACCEPT all -- any any 209-1-20-1 anywhere
0 0 ACCEPT all -- any any 192.168.255.1 anywhere
0 0 ACCEPT all -- any any 192.168.0.0/16 anywhere
0 0 ACCEPT tcp -- any any mail.idsb.net
209.1.1.0/24 tcp dpt:tinc
0 0 ACCEPT udp -- any any mail.idsb.net
209.1.1.0/24 udp dpt:tinc
0 0 ACCEPT tcp -- any any anywhere
209.1.1.0/24 tcp dpt:domain
0 0 ACCEPT udp -- any any anywhere
209.1.1.0/24 udp dpt:domain
5 468 ACCEPT all -- lo any anywhere anywhere
0 0 ACCEPT icmp -- any any anywhere
209.1.1.0/24 icmp echo-request limit: avg 1/sec burst 5
0 0 ACCEPT icmp -- any any anywhere
209.1.1.0/24 icmp echo-reply limit: avg 1/sec burst 5
0 0 ACCEPT udp -- any any anywhere
209.1.1.0/24 udp dpt:traceroute
0 0 ACCEPT icmp -- any any anywhere
209.1.1.0/24 icmp destination-unreachable
0 0 ACCEPT icmp -- any any anywhere
209.1.1.0/24 icmp host-unreachable
0 0 ACCEPT icmp -- any any anywhere
209.1.1.0/24 icmp timestamp-request
0 0 ACCEPT icmp -- any any anywhere
209.1.1.0/24 icmp timestamp-reply
0 0 ACCEPT icmp -- any any anywhere
209.1.1.0/24 icmp address-mask-request
0 0 ACCEPT icmp -- any any anywhere
209.1.1.0/24 icmp address-mask-reply
0 0 LD icmp -- any any anywhere
209.1.1.0/24 icmp redirect
0 0 LD icmp -- any any anywhere
209.1.1.0/24 icmp source-quench
0 0 ACCEPT all -- any any office_vpn/24 anywhere
0 0 LD all -- eth0 any 1.0.0.0/8
209.1.1.0/24
0 0 LD all -- eth0 any 2.0.0.0/8
209.1.1.0/24
0 0 LD all -- eth0 any 7.0.0.0/8
209.1.1.0/24
0 0 LD all -- eth0 any 23.0.0.0/8
209.1.1.0/24
0 0 LD all -- eth0 any 27.0.0.0/8
209.1.1.0/24
0 0 LD all -- eth0 any 31.0.0.0/8
209.1.1.0/24
0 0 LD all -- eth0 any 41.0.0.0/8
209.1.1.0/24
0 0 LD all -- eth0 any 45.0.0.0/8
209.1.1.0/24
0 0 LD all -- eth0 any 60.0.0.0/8
209.1.1.0/24
0 0 LD all -- eth0 any 68.0.0.0/8
209.1.1.0/24
0 0 LD all -- eth0 any 69.0.0.0/8
209.1.1.0/24
0 0 LD all -- eth0 any 70.0.0.0/8
209.1.1.0/24
0 0 LD all -- eth0 any 71.0.0.0/8
209.1.1.0/24
0 0 LD all -- eth0 any 80.0.0.0/8
209.1.1.0/24
0 0 LD all -- eth0 any 88.0.0.0/8
209.1.1.0/24
0 0 LD all -- eth0 any 90.0.0.0/8
209.1.1.0/24
0 0 LD all -- eth0 any 91.0.0.0/8
209.1.1.0/24
0 0 LD all -- eth0 any 92.0.0.0/8
209.1.1.0/24
0 0 LD all -- eth0 any 100.0.0.0/8
209.1.1.0/24
0 0 LD all -- eth0 any 111.0.0.0/8
209.1.1.0/24
0 0 LD all -- eth0 any 112.0.0.0/8
209.1.1.0/24
0 0 LD all -- eth0 any 127.0.0.0/8
209.1.1.0/24
0 0 LD all -- eth0 any 127.0.0.0/8
209.1.1.0/24
0 0 LD all -- eth0 any 128.66.0.0/16
209.1.1.0/24
0 0 LD all -- eth0 any 172.16.0.0/12
209.1.1.0/24
0 0 LD all -- eth0 any 192.168.0.0/16
209.1.1.0/24
0 0 LD all -- eth0 any 197.0.0.0/16
209.1.1.0/24
0 0 LD all -- eth0 any 201.0.0.0/8
209.1.1.0/24
0 0 LD all -- eth0 any 220.0.0.0/8
209.1.1.0/24
0 0 LD all -- eth0 any 222.0.0.0/8
209.1.1.0/24
0 0 LD all -- eth0 any 240.0.0.0/8
209.1.1.0/24
0 0 LD all -- eth0 any 242.0.0.0/8
209.1.1.0/24
0 0 LD all -- eth0 any 244.0.0.0/8
209.1.1.0/24
0 0 LD all -- eth0 any 251.0.0.0/8
209.1.1.0/24
0 0 LD all -- eth0 any 254.0.0.0/8
209.1.1.0/24
0 0 LD tcp -- any any anywhere
209.1.1.0/24 tcp dpt:31337 limit: avg 2/min burst 5
0 0 LD udp -- any any anywhere
209.1.1.0/24 udp dpt:31337 limit: avg 2/min burst 5
0 0 LD tcp -- any any anywhere
209.1.1.0/24 tcp dpt:33270 limit: avg 2/min burst 5
0 0 LD udp -- any any anywhere
209.1.1.0/24 udp dpt:33270 limit: avg 2/min burst 5
0 0 LD tcp -- any any anywhere
209.1.1.0/24 tcp dpt:1234 limit: avg 2/min burst 5
0 0 LD tcp -- any any anywhere
209.1.1.0/24 tcp dpt:6711 limit: avg 2/min burst 5
0 0 LD tcp -- any any anywhere
209.1.1.0/24 tcp dpt:16660 flags:SYN,RST,ACK/SYN limit: avg 2/min burst 5
0 0 LD tcp -- any any anywhere
209.1.1.0/24 tcp dpt:60001 flags:SYN,RST,ACK/SYN limit: avg 2/min burst 5
0 0 LD tcp -- any any anywhere
209.1.1.0/24 tcp dpts:12345:12346 limit: avg 2/min burst 5
0 0 LD udp -- any any anywhere
209.1.1.0/24 udp dpts:12345:12346 limit: avg 2/min burst 5
0 0 LD tcp -- any any anywhere
209.1.1.0/24 tcp dpt:ingreslock limit: avg 2/min burst 5
0 0 LD tcp -- any any anywhere
209.1.1.0/24 tcp dpt:27665 limit: avg 2/min burst 5
0 0 LD udp -- any any anywhere
209.1.1.0/24 udp dpt:27444 limit: avg 2/min burst 5
0 0 LD udp -- any any anywhere
209.1.1.0/24 udp dpt:31335 limit: avg 2/min burst 5
0 0 LD all -- any any BASE-ADDRESS.MCAST.NET/8
anywhere
0 0 LD all -- any any anywhere
BASE-ADDRESS.MCAST.NET/8
0 0 LD all -- any any 255.255.255.255 anywhere
0 0 LD all -- any any anywhere 0.0.0.0
0 0 LD all -f any any anywhere
anywhere limit: avg 10/min burst 5
0 0 ACCEPT ipv6-auth-- any any anywhere
anywhere
0 0 ACCEPT tcp -- any any anywhere
anywhere tcp spt:ssh dpts:login:65535 flags:!SYN,RST,ACK/SYN state
RELATED
0 0 ACCEPT tcp -- any any anywhere
anywhere tcp spt:ftp-data dpts:1023:65535 flags:!SYN,RST,ACK/SYN
state RELATED
86 61322 ACCEPT tcp -- any any anywhere
anywhere state ESTABLISHED
5 1602 ACCEPT udp -- any any anywhere
209.1.1.0/24 udp dpts:1023:65535
0 0 LD all -- any any anywhere anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT all -- any eth0 office_vpn/24 anywhere
0 0 ACCEPT all -- any any anywhere
office_vpn/24
Chain OUTPUT (policy ACCEPT 113 packets, 11937 bytes)
pkts bytes target prot opt in out source
destination
5 468 ACCEPT all -- any lo anywhere anywhere
0 0 ACCEPT all -- any any office_vpn/24 anywhere
0 0 ACCEPT icmp -- any any office_vpn/24 anywhere
0 0 LD tcp -- any any 209.1.1.0/24
anywhere tcp dpt:31337 limit: avg 2/min burst 5
0 0 LD udp -- any any 209.1.1.0/24
anywhere udp dpt:31337 limit: avg 2/min burst 5
0 0 LD tcp -- any any 209.1.1.0/24
anywhere tcp dpt:33270 limit: avg 2/min burst 5
0 0 LD udp -- any any 209.1.1.0/24
anywhere udp dpt:33270 limit: avg 2/min burst 5
0 0 LD tcp -- any any 209.1.1.0/24
anywhere tcp dpt:1234 limit: avg 2/min burst 5
0 0 LD tcp -- any any 209.1.1.0/24
anywhere tcp dpt:6711 limit: avg 2/min burst 5
0 0 LD tcp -- any any 209.1.1.0/24
anywhere tcp dpt:16660 flags:SYN,RST,ACK/SYN limit: avg 2/min burst 5
0 0 LD tcp -- any any 209.1.1.0/24
anywhere tcp dpt:60001 flags:SYN,RST,ACK/SYN limit: avg 2/min burst 5
0 0 LD tcp -- any any 209.1.1.0/24
anywhere tcp dpts:12345:12346 limit: avg 2/min burst 5
0 0 LD udp -- any any 209.1.1.0/24
anywhere udp dpts:12345:12346 limit: avg 2/min burst 5
0 0 LD tcp -- any any 209.1.1.0/24
anywhere tcp dpt:ingreslock limit: avg 2/min burst 5
0 0 LD tcp -- any any 209.1.1.0/24
anywhere tcp dpt:27665 limit: avg 2/min burst 5
0 0 LD udp -- any any 209.1.1.0/24
anywhere udp dpt:27444 limit: avg 2/min burst 5
0 0 LD udp -- any any 209.1.1.0/24
anywhere udp dpt:31335 limit: avg 2/min burst 5
0 0 LD all -- any any BASE-ADDRESS.MCAST.NET/8
anywhere
0 0 LD all -- any any anywhere
BASE-ADDRESS.MCAST.NET/8
0 0 LD all -- any any 255.255.255.255 anywhere
0 0 LD all -- any any anywhere 0.0.0.0
0 0 ACCEPT icmp -- any any 209.1.1.0/24 anywhere
0 0 ACCEPT tcp -- any any 209.1.1.0/24
anywhere tcp dpts:1023:65535
0 0 ACCEPT udp -- any any 209.1.1.0/24
anywhere udp dpts:1023:65535
Chain LD (77 references)
pkts bytes target prot opt in out source
destination
0 0 LOG all -- any any anywhere
anywhere LOG level warning
0 0 DROP all -- any any anywhere anywhere
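As an added example for this thread (not tinc's own code and not part of the original post): a small Python checker that parses tinc.conf and the hosts/ files in the "Key = Value" form posted above, runs the consistency checks that catch the usual mesh mistakes (a ConnectTo peer with no hosts/ file, a host file without Address or a public key block, overlapping Subnets, a peer Address that falls inside a VPN Subnet and so would be routed into the tunnel), and answers which host's Subnet tinc would route a given address to. The sample configuration is constructed from the ServerB files above with placeholder key bodies; load_tinc_dir, check_mesh and route_for are this example's own helpers, not tinc features.

```python
"""Sanity-check a tinc netname directory (tinc.conf plus hosts/*).

Added example for this thread, not tinc's own code.  Assumes the
"Key = Value" syntax shown in the post, with PEM public-key blocks in hosts/.
"""
import ipaddress
import os

# Constructed sample copied from the ServerB configuration in the post;
# the key bodies are placeholders, not real keys.
SAMPLE_FILES = {
    "tinc.conf": (
        "Name = ServerB\n"
        "ConnectTo = ServerA\n"
        "TapDevice = /dev/tun\n"
        "PrivateKeyFile = /usr/local/etc/tinc/office_vpn/rsa_key.priv\n"
    ),
    "hosts/ServerA": (
        "Address = 209.1.1.1\n"
        "Subnet = 192.168.255.0/24\n"
        "-----BEGIN RSA PUBLIC KEY-----\nxxxx\n-----END RSA PUBLIC KEY-----\n"
    ),
    "hosts/ServerB": (
        "Address = 209.1.1.2\n"
        "Subnet = 192.168.1.0/24\n"
        "-----BEGIN RSA PUBLIC KEY-----\nxxxx\n-----END RSA PUBLIC KEY-----\n"
    ),
}


def parse_tinc_file(text):
    """Return ({lowercase key: [values]}, [pem blocks]) for one config file."""
    values, pem, in_pem = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-----BEGIN "):
            in_pem = True
            pem.append([line])
        elif in_pem:                      # key material is kept verbatim
            pem[-1].append(line)
            in_pem = not line.startswith("-----END ")
        elif line and not line.startswith("#"):
            key, sep, val = line.partition("=")
            if not sep:
                raise ValueError("malformed line: %r" % raw)
            values.setdefault(key.strip().lower(), []).append(val.strip())
    return values, ["\n".join(block) for block in pem]


def load_tinc_dir(directory):
    """Read tinc.conf and hosts/* from a real netname directory into a dict."""
    files = {}
    with open(os.path.join(directory, "tinc.conf")) as fh:
        files["tinc.conf"] = fh.read()
    hostdir = os.path.join(directory, "hosts")
    for name in sorted(os.listdir(hostdir)):
        with open(os.path.join(hostdir, name)) as fh:
            files["hosts/" + name] = fh.read()
    return files


def parse_hosts(files):
    """Map host name -> (values, pem blocks) for every hosts/ entry."""
    return {path[6:]: parse_tinc_file(text)
            for path, text in files.items() if path.startswith("hosts/")}


def host_subnets(hosts):
    """Yield (host name, ip_network) for every parseable Subnet line."""
    for name, (vals, _) in hosts.items():
        for sub in vals.get("subnet", []):
            try:
                yield name, ipaddress.ip_network(sub, strict=True)
            except ValueError:
                continue


def check_mesh(files):
    """Return a list of configuration problems (empty when consistent)."""
    problems = []
    conf, _ = parse_tinc_file(files["tinc.conf"])
    hosts = parse_hosts(files)
    me = conf.get("name", [None])[0]
    if me is None:
        problems.append("tinc.conf has no Name")
    elif me not in hosts:
        problems.append("no hosts/%s file for our own Name" % me)
    for peer in conf.get("connectto", []):
        if peer not in hosts:
            problems.append("ConnectTo = %s but hosts/%s is missing" % (peer, peer))
        elif "address" not in hosts[peer][0]:
            problems.append("hosts/%s has no Address, so ConnectTo cannot reach it" % peer)
    nets = list(host_subnets(hosts))
    for name, (vals, pem) in hosts.items():
        if not pem:
            problems.append("hosts/%s has no public key block" % name)
        for sub in vals.get("subnet", []):
            try:
                ipaddress.ip_network(sub, strict=True)
            except ValueError:
                problems.append("hosts/%s: bad Subnet %r" % (name, sub))
        # A peer's real-world Address inside a VPN Subnet would be routed
        # into the tunnel instead of over the underlying network.
        for addr in vals.get("address", []):
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                continue  # hostnames are legal; not resolvable offline
            for owner, net in nets:
                if ip in net:
                    problems.append("Address %s of %s lies inside Subnet %s (%s)"
                                    % (addr, name, net, owner))
    for i, (a, na) in enumerate(nets):
        for b, nb in nets[i + 1:]:
            if a != b and na.overlaps(nb):
                problems.append("Subnet %s (%s) overlaps %s (%s)" % (na, a, nb, b))
    return problems


def route_for(files, ip):
    """Host whose most specific Subnet contains ip (tinc routes by Subnet), or None."""
    ip = ipaddress.ip_address(ip)
    best = None
    for name, net in host_subnets(parse_hosts(files)):
        if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net)
    return best[0] if best else None


if __name__ == "__main__":
    import sys
    files = load_tinc_dir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FILES
    for p in check_mesh(files) or ["no problems found"]:
        print(p)
    print("192.168.1.253 ->", route_for(files, "192.168.1.253"))
```

Run it with the netname directory as the only argument (for the setup above, /usr/local/etc/tinc/office_vpn) to check a live configuration; without an argument it checks the constructed sample. The checks are deliberately limited to what the config files alone can prove; whether the tun device, the kernel routing table and the FORWARD chain actually carry the traffic is a separate question that the ifconfig, route and iptables output requested in the thread answers.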
Tinc: Discussion list about the tinc VPN daemon
Archive: http://mail.nl.linux.org/lists/
Tinc site: http://tinc.nl.linux.org/