Connection Problem

Daniel Holden dholden at idsb.net
Thu Nov 22 03:54:45 CET 2001


Guus Sliepen wrote:

> On Mon, Nov 19, 2001 at 07:57:46PM -0800, Daniel Holden wrote:
>
> >     I have set up a test vpn between two masquerading firewalls.  I
> > don't really see any way to test it so I've been pinging.  When I ping
> > serverA from serverB (or vice versa) I can see that the pings reach the
> > intended target but the pingee does not receive the replies.  Is this a
> > firewall issue?  Forwarding?  I'm using RedHat 7.2, kernel 2.4.7-10smp.
> > Any help or suggestions would be appreciated.
>
> It can depend on a lot of things. Could you send us:
>
> - Output of "ifconfig -a" when tinc runs,
> - Output of "route",
> - tinc.conf and all files in hosts/ from both firewalls,
> - Output of "iptables -L -v",
> - Output of "iptables -t nat -L -v"
>
> >     The email link at http://tinc.nl.linux.org/mail.html  doesn't seem
> > to work.  In Netscape it wants to send to 3 users (tinc, at,
> > nl.linux.org).  Looking at the html source shows mailto:tinc at
> > nl.linux.org.  Of course I figured it out but thought you might like to
> > know.
>
> It was intentional; it prevents spammers from harvesting email
> addresses. It's common practice.
>
> --
> Met vriendelijke groet / with kind regards,
>   Guus Sliepen <guus at sliepen.warande.net>

Sorry for screwing up and emailing this the first time instead of doing a
reply all.
Thank you for the response.  I finally got some time to work on this
problem.  Following is the info you requested.  Hope it's not too much
but I didn't want to leave out anything that may have been of
importance.


ServerA:

###/tinc/office_vpn/tinc.conf
  Name = ServerA
  TapDevice = /dev/tun
  PrivateKeyFile = /usr/local/etc/tinc/office_vpn/rsa_key.priv


###/tinc/office_vpn/hosts/ServerA
   Address = 209.1.1.1
   Subnet = 192.168.255.0/24

-----BEGIN RSA PUBLIC KEY-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END RSA PUBLIC KEY-----


###/tinc/office_vpn/hosts/ServerB
   Address = 209.1.1.2
   Subnet = 192.168.1.0/24

-----BEGIN RSA PUBLIC KEY-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END RSA PUBLIC KEY-----
............................................................

ServerB:

###/tinc/office_vpn/tinc.conf
   Name = ServerB
   ConnectTo = ServerA
   TapDevice = /dev/tun
   PrivateKeyFile = /usr/local/etc/tinc/office_vpn/rsa_key.priv

###/tinc/office_vpn/hosts/ServerA
   Address = 209.1.1.1
   Subnet = 192.168.255.0/24

-----BEGIN RSA PUBLIC KEY-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END RSA PUBLIC KEY-----


###/tinc/office_vpn/hosts/ServerB
   Address = 209.1.1.2
   Subnet = 192.168.1.0/24

-----BEGIN RSA PUBLIC KEY-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END RSA PUBLIC KEY-----
...................................................

Result of "ifconfig -a" on ServerB:

eth0      Link encap:Ethernet  HWaddr 00:A0:CC:DB:F2:57
          inet addr:209.1.1.1  Bcast:209.1.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1


eth1      Link encap:Ethernet  HWaddr 00:A0:CC:DB:FB:2C
          inet addr:209.1.2.1  Bcast:209.1.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1


eth2      Link encap:Ethernet  HWaddr 00:A0:CC:DB:DC:55
          inet addr:192.168.1.253  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1


lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1


office_vp Link encap:Ethernet  HWaddr FE:FD:00:00:00:00
          inet addr:192.168.1.253  Bcast:192.168.1.255  Mask:255.255.0.0
          UP BROADCAST RUNNING NOARP MULTICAST  MTU:1500  Metric:1
................................................................................

Result of "route" on ServerB:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

192.168.2.0     209-1-2-1       255.255.255.0   UG    0      0        0 eth1
office_vpn      *               255.255.255.0   U     0      0        0 eth2
209.1.2.0       *               255.255.255.0   U     0      0        0 eth1
209.1.39.0      *               255.255.255.0   U     0      0        0 eth0
192.168.0.0     *               255.255.0.0     U     0      0        0 office_vpn
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         209-1-1-10      0.0.0.0         UG    0      0        0 eth0
...................................................................................

Result of "iptables -t nat -L -v" on ServerB:

Chain PREROUTING (policy ACCEPT 4075 packets, 823K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  any    any     anywhere             209.1.1.0/24    tcp dpt:tinc to:192.168.1.253:655

Chain POSTROUTING (policy ACCEPT 664 packets, 158K bytes)
 pkts bytes target     prot opt in     out     source               destination
  348 24626 MASQUERADE  all  --  any    eth0    anywhere             anywhere
    0     0 ACCEPT     all  --  any    any     209.1.1.0/24         anywhere

Chain OUTPUT (policy ACCEPT 2578 packets, 332K bytes)
 pkts bytes target     prot opt in     out     source               destination
...................................................................................

Result of "iptables -L -v" on ServerB:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   118 ACCEPT     all  --  any    any     mail.idsb.net        anywhere
    0     0 ACCEPT     all  --  any    any     209-1-20-1           anywhere
    0     0 ACCEPT     all  --  any    any     209-1-20-1           anywhere
    0     0 ACCEPT     all  --  any    any     192.168.255.1        anywhere
    0     0 ACCEPT     all  --  any    any     192.168.0.0/16       anywhere
    0     0 ACCEPT     tcp  --  any    any     mail.idsb.net        209.1.1.0/24    tcp dpt:tinc
    0     0 ACCEPT     udp  --  any    any     mail.idsb.net        209.1.1.0/24    udp dpt:tinc
    0     0 ACCEPT     tcp  --  any    any     anywhere             209.1.1.0/24    tcp dpt:domain
    0     0 ACCEPT     udp  --  any    any     anywhere             209.1.1.0/24    udp dpt:domain
    5   468 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     icmp --  any    any     anywhere             209.1.1.0/24    icmp echo-request limit: avg 1/sec burst 5
    0     0 ACCEPT     icmp --  any    any     anywhere             209.1.1.0/24    icmp echo-reply limit: avg 1/sec burst 5
    0     0 ACCEPT     udp  --  any    any     anywhere             209.1.1.0/24    udp dpt:traceroute
    0     0 ACCEPT     icmp --  any    any     anywhere             209.1.1.0/24    icmp destination-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             209.1.1.0/24    icmp host-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             209.1.1.0/24    icmp timestamp-request
    0     0 ACCEPT     icmp --  any    any     anywhere             209.1.1.0/24    icmp timestamp-reply
    0     0 ACCEPT     icmp --  any    any     anywhere             209.1.1.0/24    icmp address-mask-request
    0     0 ACCEPT     icmp --  any    any     anywhere             209.1.1.0/24    icmp address-mask-reply
    0     0 LD         icmp --  any    any     anywhere             209.1.1.0/24    icmp redirect
    0     0 LD         icmp --  any    any     anywhere             209.1.1.0/24    icmp source-quench
    0     0 ACCEPT     all  --  any    any     office_vpn/24        anywhere
    0     0 LD         all  --  eth0   any     1.0.0.0/8            209.1.1.0/24
    0     0 LD         all  --  eth0   any     2.0.0.0/8            209.1.1.0/24
    0     0 LD         all  --  eth0   any     7.0.0.0/8            209.1.1.0/24
    0     0 LD         all  --  eth0   any     23.0.0.0/8           209.1.1.0/24
    0     0 LD         all  --  eth0   any     27.0.0.0/8           209.1.1.0/24
    0     0 LD         all  --  eth0   any     31.0.0.0/8           209.1.1.0/24
    0     0 LD         all  --  eth0   any     41.0.0.0/8           209.1.1.0/24
    0     0 LD         all  --  eth0   any     45.0.0.0/8           209.1.1.0/24
    0     0 LD         all  --  eth0   any     60.0.0.0/8           209.1.1.0/24
    0     0 LD         all  --  eth0   any     68.0.0.0/8           209.1.1.0/24
    0     0 LD         all  --  eth0   any     69.0.0.0/8           209.1.1.0/24
    0     0 LD         all  --  eth0   any     70.0.0.0/8           209.1.1.0/24
    0     0 LD         all  --  eth0   any     71.0.0.0/8           209.1.1.0/24
    0     0 LD         all  --  eth0   any     80.0.0.0/8           209.1.1.0/24
    0     0 LD         all  --  eth0   any     88.0.0.0/8           209.1.1.0/24
    0     0 LD         all  --  eth0   any     90.0.0.0/8           209.1.1.0/24
    0     0 LD         all  --  eth0   any     91.0.0.0/8           209.1.1.0/24
    0     0 LD         all  --  eth0   any     92.0.0.0/8           209.1.1.0/24
    0     0 LD         all  --  eth0   any     100.0.0.0/8          209.1.1.0/24
    0     0 LD         all  --  eth0   any     111.0.0.0/8          209.1.1.0/24
    0     0 LD         all  --  eth0   any     112.0.0.0/8          209.1.1.0/24
    0     0 LD         all  --  eth0   any     127.0.0.0/8          209.1.1.0/24
    0     0 LD         all  --  eth0   any     127.0.0.0/8          209.1.1.0/24
    0     0 LD         all  --  eth0   any     128.66.0.0/16        209.1.1.0/24
    0     0 LD         all  --  eth0   any     172.16.0.0/12        209.1.1.0/24
    0     0 LD         all  --  eth0   any     192.168.0.0/16       209.1.1.0/24
    0     0 LD         all  --  eth0   any     197.0.0.0/16         209.1.1.0/24
    0     0 LD         all  --  eth0   any     201.0.0.0/8          209.1.1.0/24
    0     0 LD         all  --  eth0   any     220.0.0.0/8          209.1.1.0/24
    0     0 LD         all  --  eth0   any     222.0.0.0/8          209.1.1.0/24
    0     0 LD         all  --  eth0   any     240.0.0.0/8          209.1.1.0/24
    0     0 LD         all  --  eth0   any     242.0.0.0/8          209.1.1.0/24
    0     0 LD         all  --  eth0   any     244.0.0.0/8          209.1.1.0/24
    0     0 LD         all  --  eth0   any     251.0.0.0/8          209.1.1.0/24
    0     0 LD         all  --  eth0   any     254.0.0.0/8          209.1.1.0/24
    0     0 LD         tcp  --  any    any     anywhere             209.1.1.0/24    tcp dpt:31337 limit: avg 2/min burst 5
    0     0 LD         udp  --  any    any     anywhere             209.1.1.0/24    udp dpt:31337 limit: avg 2/min burst 5
    0     0 LD         tcp  --  any    any     anywhere             209.1.1.0/24    tcp dpt:33270 limit: avg 2/min burst 5
    0     0 LD         udp  --  any    any     anywhere             209.1.1.0/24    udp dpt:33270 limit: avg 2/min burst 5
    0     0 LD         tcp  --  any    any     anywhere             209.1.1.0/24    tcp dpt:1234 limit: avg 2/min burst 5
    0     0 LD         tcp  --  any    any     anywhere             209.1.1.0/24    tcp dpt:6711 limit: avg 2/min burst 5
    0     0 LD         tcp  --  any    any     anywhere             209.1.1.0/24    tcp dpt:16660 flags:SYN,RST,ACK/SYN limit: avg 2/min burst 5
    0     0 LD         tcp  --  any    any     anywhere             209.1.1.0/24    tcp dpt:60001 flags:SYN,RST,ACK/SYN limit: avg 2/min burst 5
    0     0 LD         tcp  --  any    any     anywhere             209.1.1.0/24    tcp dpts:12345:12346 limit: avg 2/min burst 5
    0     0 LD         udp  --  any    any     anywhere             209.1.1.0/24    udp dpts:12345:12346 limit: avg 2/min burst 5
    0     0 LD         tcp  --  any    any     anywhere             209.1.1.0/24    tcp dpt:ingreslock limit: avg 2/min burst 5
    0     0 LD         tcp  --  any    any     anywhere             209.1.1.0/24    tcp dpt:27665 limit: avg 2/min burst 5
    0     0 LD         udp  --  any    any     anywhere             209.1.1.0/24    udp dpt:27444 limit: avg 2/min burst 5
    0     0 LD         udp  --  any    any     anywhere             209.1.1.0/24    udp dpt:31335 limit: avg 2/min burst 5
    0     0 LD         all  --  any    any     BASE-ADDRESS.MCAST.NET/8  anywhere
    0     0 LD         all  --  any    any     anywhere             BASE-ADDRESS.MCAST.NET/8
    0     0 LD         all  --  any    any     255.255.255.255      anywhere
    0     0 LD         all  --  any    any     anywhere             0.0.0.0
    0     0 LD         all  -f  any    any     anywhere             anywhere           limit: avg 10/min burst 5
    0     0 ACCEPT     ipv6-auth--  any    any     anywhere             anywhere
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere           tcp spt:ssh dpts:login:65535 flags:!SYN,RST,ACK/SYN state RELATED
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere           tcp spt:ftp-data dpts:1023:65535 flags:!SYN,RST,ACK/SYN state RELATED
   86 61322 ACCEPT     tcp  --  any    any     anywhere             anywhere           state ESTABLISHED
    5  1602 ACCEPT     udp  --  any    any     anywhere             209.1.1.0/24    udp dpts:1023:65535
    0     0 LD         all  --  any    any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    eth0    office_vpn/24        anywhere
    0     0 ACCEPT     all  --  any    any     anywhere             office_vpn/24

Chain OUTPUT (policy ACCEPT 113 packets, 11937 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   468 ACCEPT     all  --  any    lo      anywhere             anywhere
    0     0 ACCEPT     all  --  any    any     office_vpn/24        anywhere
    0     0 ACCEPT     icmp --  any    any     office_vpn/24        anywhere
    0     0 LD         tcp  --  any    any     209.1.1.0/24         anywhere           tcp dpt:31337 limit: avg 2/min burst 5
    0     0 LD         udp  --  any    any     209.1.1.0/24         anywhere           udp dpt:31337 limit: avg 2/min burst 5
    0     0 LD         tcp  --  any    any     209.1.1.0/24         anywhere           tcp dpt:33270 limit: avg 2/min burst 5
    0     0 LD         udp  --  any    any     209.1.1.0/24         anywhere           udp dpt:33270 limit: avg 2/min burst 5
    0     0 LD         tcp  --  any    any     209.1.1.0/24         anywhere           tcp dpt:1234 limit: avg 2/min burst 5
    0     0 LD         tcp  --  any    any     209.1.1.0/24         anywhere           tcp dpt:6711 limit: avg 2/min burst 5
    0     0 LD         tcp  --  any    any     209.1.1.0/24         anywhere           tcp dpt:16660 flags:SYN,RST,ACK/SYN limit: avg 2/min burst 5
    0     0 LD         tcp  --  any    any     209.1.1.0/24         anywhere           tcp dpt:60001 flags:SYN,RST,ACK/SYN limit: avg 2/min burst 5
    0     0 LD         tcp  --  any    any     209.1.1.0/24         anywhere           tcp dpts:12345:12346 limit: avg 2/min burst 5
    0     0 LD         udp  --  any    any     209.1.1.0/24         anywhere           udp dpts:12345:12346 limit: avg 2/min burst 5
    0     0 LD         tcp  --  any    any     209.1.1.0/24         anywhere           tcp dpt:ingreslock limit: avg 2/min burst 5
    0     0 LD         tcp  --  any    any     209.1.1.0/24         anywhere           tcp dpt:27665 limit: avg 2/min burst 5
    0     0 LD         udp  --  any    any     209.1.1.0/24         anywhere           udp dpt:27444 limit: avg 2/min burst 5
    0     0 LD         udp  --  any    any     209.1.1.0/24         anywhere           udp dpt:31335 limit: avg 2/min burst 5
    0     0 LD         all  --  any    any     BASE-ADDRESS.MCAST.NET/8  anywhere
    0     0 LD         all  --  any    any     anywhere             BASE-ADDRESS.MCAST.NET/8
    0     0 LD         all  --  any    any     255.255.255.255      anywhere
    0     0 LD         all  --  any    any     anywhere             0.0.0.0
    0     0 ACCEPT     icmp --  any    any     209.1.1.0/24         anywhere
    0     0 ACCEPT     tcp  --  any    any     209.1.1.0/24         anywhere           tcp dpts:1023:65535
    0     0 ACCEPT     udp  --  any    any     209.1.1.0/24         anywhere           udp dpts:1023:65535

Chain LD (77 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  any    any     anywhere             anywhere           LOG level warning
    0     0 DROP       all  --  any    any     anywhere             anywhere

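The tinc.conf and hosts/ files pasted above are the first thing to cross-check when a tinc link misbehaves. What follows is an added example, written for this archive page and not code from tinc or from either poster: a small checker that parses files in that layout (`Key = Value` lines, a hosts/<Name> file ending in an RSA public key block, IP Subnets as in router mode) and reports the inconsistencies that commonly explain a link that never comes up: a ConnectTo peer with no hosts file or no Address, a hosts file without a public key, overlapping Subnets, and copies of the same hosts file that differ between the two nodes (that file carries the key each side authenticates the other with, so the copies must match). The NODES layout, the placeholder keys, and the names `audit` and `broken_variant` are constructed for the example.

```python
"""tinc.conf / hosts/ consistency checks (added example, not tinc's own code).
Assumes the tinc 1.0-style files the post shows: `Key = Value` lines and
hosts/<Name> files ending in an RSA public key block.  NODES is constructed
to mirror the post, with placeholder keys."""
import copy
import ipaddress

KEY_BLOCK = "\n-----BEGIN RSA PUBLIC KEY-----\n{}\n-----END RSA PUBLIC KEY-----\n"
HOST_A = "Address = 209.1.1.1\nSubnet = 192.168.255.0/24\n" + KEY_BLOCK.format("x" * 36)
HOST_B = "Address = 209.1.1.2\nSubnet = 192.168.1.0/24\n" + KEY_BLOCK.format("y" * 36)
NODES = {  # node -> its own tinc.conf and hosts/ directory (constructed)
    "ServerA": {"tinc.conf": "Name = ServerA\nTapDevice = /dev/tun\n",
                "hosts": {"ServerA": HOST_A, "ServerB": HOST_B}},
    "ServerB": {"tinc.conf": "Name = ServerB\nConnectTo = ServerA\nTapDevice = /dev/tun\n",
                "hosts": {"ServerA": HOST_A, "ServerB": HOST_B}},
}


def parse_tinc_file(text):
    """Split a tinc file into ({Key: [values]}, key_block).  A key may repeat
    (several Subnet or ConnectTo lines), so values are lists; everything from
    the first -----BEGIN line onward is returned verbatim as the key block."""
    variables, key_lines, in_key = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if in_key or line.startswith("-----BEGIN"):
            in_key = True
            key_lines.append(line)
        elif line and not line.startswith("#") and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            variables.setdefault(key, []).append(value)
    return variables, "\n".join(key_lines)


def check_node(node):
    """Problems visible from one node's own files."""
    conf, _ = parse_tinc_file(node["tinc.conf"])
    if "Name" not in conf:
        return ["tinc.conf has no Name"]
    name, problems = conf["Name"][0], []
    if name not in node["hosts"]:
        problems.append(f"{name}: no hosts/{name} file for its own Name")
    for peer in conf.get("ConnectTo", []):
        if peer not in node["hosts"]:
            problems.append(f"{name}: ConnectTo = {peer} but hosts/{peer} is missing")
        elif "Address" not in parse_tinc_file(node["hosts"][peer])[0]:
            problems.append(f"{name}: ConnectTo = {peer} but hosts/{peer} has no Address")
    for hname, text in node["hosts"].items():
        if "-----BEGIN RSA PUBLIC KEY-----" not in parse_tinc_file(text)[1]:
            problems.append(f"{name}: hosts/{hname} has no RSA public key")
    return problems


def check_subnets(nodes):
    """Invalid Subnets, and different hosts whose Subnets overlap (tinc
    routes by Subnet, so an overlap deserves a look)."""
    problems, claims = [], set()
    for node in nodes.values():
        for hname, text in node["hosts"].items():
            for subnet in parse_tinc_file(text)[0].get("Subnet", []):
                try:
                    claims.add((hname, ipaddress.ip_network(subnet, strict=False)))
                except ValueError:
                    problems.append(f"hosts/{hname}: Subnet {subnet!r} is not a valid network")
    ordered = sorted(claims, key=lambda c: (c[0], str(c[1])))
    problems += [f"Subnet {n1} ({h1}) overlaps {n2} ({h2})"
                 for i, (h1, n1) in enumerate(ordered)
                 for h2, n2 in ordered[i + 1:] if h1 != h2 and n1.overlaps(n2)]
    return problems


def check_mirror(nodes):
    """Every node's copy of hosts/X must be identical: the key in it is what
    the other side is authenticated with, so a stale copy breaks the link."""
    problems, names = [], sorted({h for n in nodes.values() for h in n["hosts"]})
    for hname in names:
        copies = {nn: parse_tinc_file(n["hosts"][hname]) for nn, n in nodes.items() if hname in n["hosts"]}
        if len(copies) < len(nodes):
            problems.append(f"hosts/{hname} missing on {', '.join(sorted(set(nodes) - set(copies)))}")
        distinct = {(tuple(sorted((k, tuple(v)) for k, v in vs.items())), key) for vs, key in copies.values()}
        if len(distinct) > 1:
            problems.append(f"hosts/{hname} differs between {', '.join(sorted(copies))}")
    return problems


def audit(nodes):
    problems = [p for node in nodes.values() for p in check_node(node)]
    return problems + check_subnets(nodes) + check_mirror(nodes)


def broken_variant(nodes):
    """A copy of `nodes` with two constructed faults: ServerB holds a stale
    key for ServerA, and connects to a ServerC it has no hosts file for."""
    broken = copy.deepcopy(nodes)
    broken["ServerB"]["hosts"]["ServerA"] = HOST_A.replace("xxxx", "zzzz", 1)
    broken["ServerB"]["tinc.conf"] += "ConnectTo = ServerC\n"
    return broken


if __name__ == "__main__":
    print("post layout:", audit(NODES) or "no problems found")
    for problem in audit(broken_variant(NODES)):
        print("-", problem)
```

Against the layout in the post the audit comes back clean; the deliberately broken variant shows the two kinds of report. To use it on real nodes, read each node's tinc.conf and hosts/ directory into the same dict shape (the checker deliberately takes strings rather than paths so both firewalls' files can be compared on one machine).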

Tinc:         Discussion list about the tinc VPN daemon
Archive:      http://mail.nl.linux.org/lists/
Tinc site:    http://tinc.nl.linux.org/
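The "pings arrive but the replies never come back" symptom is usually settled by the packet counters in the `iptables -L -v` output pasted above: take a snapshot, send a few pings, take a second snapshot, and see which rule or chain policy grew. The script below is an added example for this page, not code from tinc or from either poster. It parses the column layout `iptables -L -v` prints, diffs the per-rule packet counters of two snapshots, and flags the entries that discard traffic. `LD` is the post's own log-and-drop chain, so the example passes it as a dropping target; BEFORE and AFTER are constructed snapshots in the post's layout, cut down to the chains of interest, and the function names are chosen for the example.

```python
"""Diff `iptables -L -v` packet counters to find the rule or policy that
absorbed a test ping.  Added example for the thread above, not tinc's or
the poster's code.  Assumes the column layout `iptables -L -v` prints;
BEFORE/AFTER are constructed snapshots in the post's layout."""
import re

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+) (\S+) packets|\d+ references)")
# pkts bytes target prot opt in out source destination [match options]
RULE_RE = re.compile(r"^\s*(\d+[KMGT]?)\s+(\d+[KMGT]?)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(.*?))?\s*$")
SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}

BEFORE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  any    any     anywhere             209.1.1.0/24    icmp echo-request limit: avg 1/sec burst 5
   86 61322 ACCEPT     tcp  --  any    any     anywhere             anywhere           state ESTABLISHED
    0     0 LD         all  --  any    any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    eth0    office_vpn/24        anywhere

Chain LD (77 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  any    any     anywhere             anywhere           LOG level warning
    0     0 DROP       all  --  any    any     anywhere             anywhere
"""
AFTER = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   336 ACCEPT     icmp --  any    any     anywhere             209.1.1.0/24    icmp echo-request limit: avg 1/sec burst 5
   86 61322 ACCEPT     tcp  --  any    any     anywhere             anywhere           state ESTABLISHED
    4   336 LD         all  --  any    any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    eth0    office_vpn/24        anywhere

Chain LD (77 references)
 pkts bytes target     prot opt in     out     source               destination
    4   336 LOG        all  --  any    any     anywhere             anywhere           LOG level warning
    4   336 DROP       all  --  any    any     anywhere             anywhere
"""


def parse_count(text):
    """A counter as iptables prints it: plain digits, or abbreviated with
    K/M/G/T (iptables -x prints exact values and is preferable)."""
    if text[-1] in SUFFIX:
        return int(float(text[:-1]) * SUFFIX[text[-1]])
    return int(text)


def parse_counters(dump):
    """Map (chain, rule_index, description) -> packets.  Index 0 is the
    policy counter of a built-in chain; rules are numbered from 1."""
    counters, chain, index = {}, None, 0
    for line in dump.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain, index = m.group(1), 0
            if m.group(2):
                counters[(chain, 0, f"policy {m.group(2)}")] = parse_count(m.group(3))
            continue
        m = RULE_RE.match(line) if chain else None
        if not m:
            continue  # header, blank, or a layout this parser does not know
        pkts, _, target, prot, _, ifin, ifout, src, dst, extra = m.groups()
        index += 1
        desc = f"{target} {prot} {ifin}->{ifout} {src}->{dst}" + (f" {extra}" if extra else "")
        counters[(chain, index, desc)] = parse_count(pkts)
    return counters


def counter_delta(before, after):
    """Entries whose packet counter grew, as (chain, index, description,
    extra_packets) in table order; rules new in `after` count from zero."""
    old = parse_counters(before)
    return [(*key, pkts - old.get(key, 0))
            for key, pkts in parse_counters(after).items() if pkts > old.get(key, 0)]


def suspect_sinks(deltas, drop_targets=("DROP", "REJECT")):
    """Deltas that discard traffic: a DROP/REJECT policy or a jump to a
    dropping target (add site-specific log-and-drop chains such as LD)."""
    def verdict(desc):
        words = desc.split()
        return words[1] if words[0] == "policy" else words[0]
    return [d for d in deltas if verdict(d[2]) in drop_targets]


if __name__ == "__main__":
    deltas = counter_delta(BEFORE, AFTER)
    for chain, index, desc, grown in deltas:
        print(f"{chain:8}#{index} +{grown:<4}{desc}")
    for chain, index, desc, _ in suspect_sinks(deltas, ("DROP", "REJECT", "LD")):
        print(f"dropped by {chain} rule {index}: {desc}")
```

In the constructed run the echo-requests are counted by the INPUT accept rule and four packets then fall through to the catch-all LD jump and its DROP, which is exactly the kind of reading that tells you which side of the firewall to look at. Run the real thing with `iptables -L -v -x` (and `-t nat`) so counters are exact and not abbreviated.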