Unable to Pass Traffic to Internal Subnet
Kismet Agbasi
kagbasi at centraltruck.net
Fri Oct 31 00:03:10 CET 2014
Thanks for your response. You're right in your assumptions. I followed
your suggestion and added a static route to my Tinc VPN subnet (10.9.0.0).
It worked partially. Here's the explanation: it appears that I can ping
the daemon who's host IP I specify in the route statement (hope that's
clear?).
Below are the command line results from what I tested on my Windows 7
workstation. Also, as requested, I've attached all the config files for the
three machines I've got setup right now. Currently they can all talk to
each other via the 10.9.0.0/32 IP block.
*************
Scenario #1:
*************
C:\Windows\System32>route add -p 10.9.0.0 mask 255.255.255.0 172.23.6.149
OK!
C:\Windows\System32>ping 10.9.0.1
Pinging 10.9.0.1 with 32 bytes of data:
Reply from 10.9.0.1: bytes=32 time=1ms TTL=64
Reply from 10.9.0.1: bytes=32 time=1ms TTL=64
Reply from 10.9.0.1: bytes=32 time<1ms TTL=64
Reply from 10.9.0.1: bytes=32 time<1ms TTL=64
Ping statistics for 10.9.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
C:\Windows\System32>tracert -d 10.9.0.1
Tracing route to 10.9.0.1 over a maximum of 30 hops
1 <1 ms 1 ms <1 ms 10.9.0.1
Trace complete.
C:\Windows\System32>ping 10.9.0.2
Pinging 10.9.0.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.9.0.2:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\Windows\System32>ping 10.9.0.3
Pinging 10.9.0.3 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.9.0.3:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
............................................................................
..........
************
SCENARIO #2
************
C:\Windows\System32>route delete -p 10.9.0.0 mask 255.255.255.0 172.23.6.149
OK!
C:\Windows\System32>ping 10.9.0.1
Pinging 10.9.0.1 with 32 bytes of data:
Control-C
^C
C:\Windows\System32>route add -p 10.9.0.0 mask 255.255.255.0 172.23.6.148
OK!
C:\Windows\System32>ping 10.9.0.1
Pinging 10.9.0.1 with 32 bytes of data:
Request timed out.
Ping statistics for 10.9.0.1:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
Control-C
^C
C:\Windows\System32>ping 10.9.0.2
Pinging 10.9.0.2 with 32 bytes of data:
Reply from 10.9.0.2: bytes=32 time<1ms TTL=64
Reply from 10.9.0.2: bytes=32 time<1ms TTL=64
Reply from 10.9.0.2: bytes=32 time<1ms TTL=64
Reply from 10.9.0.2: bytes=32 time<1ms TTL=64
Ping statistics for 10.9.0.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\Windows\System32>ping 10.9.0.3
Pinging 10.9.0.3 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.9.0.3:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\Windows\System32>
Very Respectfully,
Kismet-Gerald Agbasi
IT/Systems Administrator
Central Truck Center, Inc.
Office: 240-487-3315
Toll Free: 1-800-492-0709
Fax: 240-487-3399
3839 Ironwood Place
Landover, MD 20785
This message may contain confidential and/or proprietary information, and is
intended for the person or entity to which it is addressed.
Any use by others for all other purposes is strictly prohibited.
____________________________________________________________________________
_____________________________
3839 Ironwood Place | Landover, MD | 20785
-----Original Message-----
From: tinc [mailto:tinc-bounces at tinc-vpn.org] On Behalf Of Guus Sliepen
Sent: Monday, October 27, 2014 5:57 PM
To: tinc at tinc-vpn.org
Subject: Re: Unable to Pass Traffic to Internal Subnet
On Mon, Oct 27, 2014 at 04:50:13PM -0400, Kismet Agbasi wrote:
> Thank you guys for a great product. I have successfully setup a VPN
> between a cloud server and an internal one (details below). However,
> I am unable to pass traffic from the cloud to the internal machines behind
the tunnel.
>
> Internal subnet: 172.23.6.0/24
> Host Public IP: 50.242.184.132
> Host LAN IP: 172.23.6.148
> Host VPN IP: 10.9.0.2
>
> Cloud Server IP: 107.170.55.181
> Cloud Server VPN IP: 10.9.0.3
>
> I have control of the firewall - it's a Cisco PIX 506E. What else do
> you need me to provide in order for you to be able to assist me?
Looking at the host LAN IP, I assume it's not the router of the LAN.
Therefore, even if tinc would succesfully route packets from the cloud
server to the LAN, the LAN hosts would send return packets to the gateway of
the LAN, your Cisco I assume. You should add an entry to the routing table
of the Cisco that sends packets for 10.9.0.3 to 172.23.6.148.
An alternative solution is to forget about the 10.9.0.0/24 subnet, and to
give the cloud server an IP address from the 172.23.6.0/24 range.
Either by bridging[1] or using proxy ARP[2]. This can be configured from the
LAN host running tinc without requiring any configuration of the router.
If it still doesn't work, please send a copy of the tinc.conf, tinc-up and
host config files from both the VPN host on the LAN and the cloud server.
[1] http://www.tinc-vpn.org/examples/bridging/
[2] http://www.tinc-vpn.org/examples/proxy-arp/
--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: DOServer1
Type: application/octet-stream
Size: 796 bytes
Desc: not available
URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20141030/b247b5a1/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: HostUbuntu1
Type: application/octet-stream
Size: 796 bytes
Desc: not available
URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20141030/b247b5a1/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: HostUbuntu2 (on DOServer1)
Type: application/octet-stream
Size: 823 bytes
Desc: not available
URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20141030/b247b5a1/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: HostUbuntu2 (on HostUbuntu1)
Type: application/octet-stream
Size: 821 bytes
Desc: not available
URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20141030/b247b5a1/attachment-0003.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tinc.conf (from DOServer1)
Type: application/octet-stream
Size: 80 bytes
Desc: not available
URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20141030/b247b5a1/attachment-0004.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tinc.conf (from HostUbuntu1)
Type: application/octet-stream
Size: 82 bytes
Desc: not available
URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20141030/b247b5a1/attachment-0005.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tinc.conf (from HostUbuntu2)
Type: application/octet-stream
Size: 58 bytes
Desc: not available
URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20141030/b247b5a1/attachment-0006.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tinc-up (from DOServer1)
Type: application/octet-stream
Size: 60 bytes
Desc: not available
URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20141030/b247b5a1/attachment-0007.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tinc-up (from HostUbuntu1)
Type: application/octet-stream
Size: 60 bytes
Desc: not available
URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20141030/b247b5a1/attachment-0008.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tinc-up (from HostUbuntu2)
Type: application/octet-stream
Size: 60 bytes
Desc: not available
URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20141030/b247b5a1/attachment-0009.obj>
More information about the tinc
mailing list