Discussion:
can't ping to an internal IP through tinc's virtual interfaces
Roberto Meyer
2004-04-04 04:26:56 UTC
Hi.

As I wrote some days ago (It worked! [Was: my two hosts don't see each
other]) I succeeded at setting up a tinc VPN between two hosts
(isivirtual and pamvirtual)

I tried to ping from pamvirtual, the external machine, to an internal IP
of 'isivirtual' but it doesn't work. Neither does 'traceroute'.
What's going on?

At 'isivirtual' routing (ip forwarding) is enabled and iptables is not
limiting traffic from virtual interfaces.

I'll begin reading about 'tcpdump' to find where packets don't flow, in
the meantime, does tinc somehow limit this kind of traffic?

TIA.

-
Roberto
Tinc: Discussion list about the tinc VPN daemon
Archive: http://mail.nl.linux.org/lists/
Tinc site: http://tinc.nl.linux.org/
Guus Sliepen
2004-04-04 04:26:57 UTC
Post by Roberto Meyer
I tried to ping from pamvirtual, the external machine, to an internal IP
of 'isivirtual' but it doesn't work. Neither does 'traceroute'.
What's going on?
At 'isivirtual' routing (ip forwarding) is enabled and iptables is not
limiting traffic from virtual interfaces.
Probably wrong configuration of the virtual interface or wrong Subnets.
Send copies of tinc-up and the host config files so we can see!
Post by Roberto Meyer
I'll begin reading about 'tcpdump' to find where packets don't flow, in
the meantime, does tinc somehow limit this kind of traffic?
Tinc, in router mode, only routes packets whose destination address lies
within a Subnet of any of the nodes.
--
Met vriendelijke groet / with kind regards,
Guus Sliepen <***@sliepen.eu.org>
Roberto Meyer
2004-04-04 04:26:57 UTC
Post by Guus Sliepen
Post by Roberto Meyer
I tried to ping from pamvirtual, the external machine, to an internal IP
of 'isivirtual' but it doesn't work. Neither does 'traceroute'.
What's going on?
At 'isivirtual' routing (ip forwarding) is enabled and iptables is not
limiting traffic from virtual interfaces.
Probably wrong configuration of the virtual interface or wrong Subnets.
Send copies of tinc-up and the host config files so we can see!
As I said, the VPN seems to work ok. I can ping from one machine to the
other one (only to their virtual interfaces). I even configured mail
relaying (exim listens on the virtual IP).
Post by Guus Sliepen
Post by Roberto Meyer
I'll begin reading about 'tcpdump' to find where packets don't flow, in
the meantime, does tinc somehow limit this kind of traffic?
Tinc, in router mode, only routes packets whose destination address lies
within a Subnet of any of the nodes.
I configured it in default mode (router). Is this the problem? Should I
use switch mode?

ASCII art(?) follows:


pamvirtual                    isivirtual (ConnectTo = pamvirtual)      intranet server
10.10.10.1/32 ---- tinc ---- 10.10.10.2/32
200.80.x.x                    192.168.144.1 -------------------------- 192.168.144.5


Pings from 'pamvirtual' to 10.10.10.2 interface answers.
Pings from 'pamvirtual' to 192.168.144.1 don't, of course neither
192.168.144.5 even if I added a route for isivirtual as gateway.

TIA.

-
Roberto
Guus Sliepen
2004-04-04 04:26:57 UTC
Post by Roberto Meyer
Post by Guus Sliepen
Probably wrong configuration of the virtual interface or wrong Subnets.
Send copies of tinc-up and the host config files so we can see!
As I said, the VPN seems to work ok. I can ping from one machine to the
other one (only to their virtual interfaces). I even configured mail
relaying (exim listens on the virtual IP).
But I still can't diagnose your problem if I don't see your config
files.
--
Met vriendelijke groet / with kind regards,
Guus Sliepen <***@sliepen.eu.org>
tinc at nl.linux.org ()
2004-04-04 04:26:58 UTC
Post by Guus Sliepen
Post by Roberto Meyer
Post by Guus Sliepen
Probably wrong configuration of the virtual interface or wrong Subnets.
Send copies of tinc-up and the host config files so we can see!
As I said, the VPN seems to work ok. I can ping from one machine to the
other one (only to their virtual interfaces). I even configured mail
relaying (exim listens on the virtual IP).
But I still can't diagnose your problem if I don't see your config
files.
Here they go:

*** pamvirtual config ***

/etc/tinc/vpn/tinc-up:
ifconfig $INTERFACE hw ether fe:fd:0:0:0:0          # fixed MAC on the tap device
ifconfig $INTERFACE 10.10.10.1 netmask 255.255.0.0
ifconfig $INTERFACE -arp                             # no ARP needed on the tunnel

/etc/tinc/vpn/tinc.conf:
Name = pamvirtual
Device = /dev/tun
PrivateKeyFile = /etc/tinc/vpn/rsa_key.priv

/etc/tinc/vpn/hosts/isivirtual:
Subnet = 10.10.10.2/32
-----BEGIN RSA PUBLIC KEY-----
-----END RSA PUBLIC KEY-----

Routing table:
Destination     Gateway         Genmask          Flags Metric Ref Use Iface
200.80.x.0      *               255.255.255.128  U     0      0   0   eth0
192.168.144.0   isivirtual      255.255.255.0    UG    0      0   0   vpn
10.10.0.0       *               255.255.0.0      U     0      0   0   vpn
default         host1.200.80.x  0.0.0.0          UG    0      0   0   eth0


*** isivirtual config ***

/etc/tinc/vpn/tinc-up:
ifconfig $INTERFACE hw ether fe:fd:0:0:0:0          # fixed MAC on the tap device
ifconfig $INTERFACE 10.10.10.2 netmask 255.255.0.0
ifconfig $INTERFACE -arp                             # no ARP needed on the tunnel

/etc/tinc/vpn/tinc.conf:
Name = isivirtual
Device = /dev/tun
PrivateKeyFile = /etc/tinc/vpn/rsa_key.priv
ConnectTo = pamvirtual

/etc/tinc/vpn/hosts/pamvirtual:
Address = 200.80.x.x
Subnet = 10.10.10.1/32
-----BEGIN RSA PUBLIC KEY-----
-----END RSA PUBLIC KEY-----


Routing is enabled at both hosts. What I can't do is a ping or
traceroute from pamvirtual to any other interface than the virtual ones.

Another thing I couldn't work out is to configure addresses like
10.10.10.0/24 for subnets... I found broadcast addresses somewhat weird:
ifconfig vpn at isivirtual shows this:

vpn Link encap:Ethernet HWaddr FE:FD:00:00:00:00
inet addr:10.10.10.2 Bcast:10.255.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:725 errors:0 dropped:0 overruns:0 frame:0
TX packets:909 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:567953 (554.6 KiB) TX bytes:683323 (667.3 KiB)


Thank you very much for your help.

-
Roberto
Guus Sliepen
2004-04-04 04:26:58 UTC
Post by tinc at nl.linux.org ()
Post by Guus Sliepen
Post by Roberto Meyer
As I said, the VPN seems to work ok. I can ping from one machine to the
other one (only to their virtual interfaces). I even configured mail
relaying (exim listens on the virtual IP).
But I still can't diagnose your problem if I don't see your config
files.
[...]
Post by tinc at nl.linux.org ()
200.80.x.0 * 255.255.255.128 U 0 0 0 eth0
192.168.144.0 isivirtual 255.255.255.0 UG 0 0 0 vpn
10.10.0.0 * 255.255.0.0 U 0 0 0 vpn
default host1.200.80.x 0.0.0.0 UG 0 0 0 eth0
Hmkay... I see the problem. Gateway routes don't work with tinc in
router mode. You can do it with tinc in switch mode, but an easier
solution is given below.
Post by tinc at nl.linux.org ()
*** pamvirtual config ***
ifconfig $INTERFACE hw ether fe:fd:0:0:0:0
ifconfig $INTERFACE 10.10.10.1 netmask 255.255.0.0
ifconfig $INTERFACE -arp
Forget about the gateway route. Just add this to tinc-up:

route add -net 192.168.144.0 netmask 255.255.255.0 dev $INTERFACE
Post by tinc at nl.linux.org ()
Subnet = 10.10.10.2/32
-----BEGIN RSA PUBLIC KEY-----
-----END RSA PUBLIC KEY-----
Add: Subnet = 192.168.144.0/24
Post by tinc at nl.linux.org ()
Another thing I couldn't work out is to configure addresses like
Don't bother with the broadcast address, it will never be used.
--
Met vriendelijke groet / with kind regards,
Guus Sliepen <***@sliepen.eu.org>
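The rule Guus states above (in router mode tinc forwards only to destinations inside some node's Subnet, so a kernel gateway route by itself is not enough) can be checked mechanically before touching routes. The script below is an added example, not code from the tinc project or from anyone in this thread: it parses a tinc hosts/ directory and reports which node, if any, tinc will hand a given destination to. The hosts files it builds are constructed from the configuration posted above; the function names and the temporary directory are this example's own.

```shell
#!/bin/sh
# Added example (not from the tinc project or the posts in this thread).
# tinc in router mode forwards a packet only when its destination lies inside
# a Subnet announced by some node's hosts file, regardless of what the kernel
# routing table says. Given a tinc hosts/ directory, covering_node answers:
# which node will tinc hand a given destination address to?

# ip4_to_int A.B.C.D : dotted quad to integer (POSIX sh arithmetic only).
ip4_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( a * 16777216 + b * 65536 + c * 256 + d ))
}

# in_subnet IP NET/BITS : succeed when IP falls inside NET/BITS.
in_subnet() {
    ip=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    bits=${2#*/}
    # hostsize = 2^(32-bits); two addresses share the /bits prefix exactly
    # when their integer quotients by hostsize are equal.
    hostsize=1; i=$bits
    while [ "$i" -lt 32 ]; do hostsize=$((hostsize * 2)); i=$((i + 1)); done
    [ $((ip / hostsize)) -eq $((net / hostsize)) ]
}

# list_subnets DIR : print "node subnet" for each "Subnet = ..." line in DIR/*.
# Anything after the prefix (a "#weight" suffix, a comment) is ignored.
list_subnets() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        node=${f##*/}
        sed -n 's|^[[:space:]]*Subnet[[:space:]]*=[[:space:]]*\([0-9./]*\).*|\1|p' "$f" |
            while read -r s; do echo "$node $s"; done
    done
}

# covering_node DIR IP : print the first node whose Subnet covers IP;
# exit status 1 when no node announces it (tinc would drop the packet).
covering_node() {
    list_subnets "$1" | {
        while read -r node subnet; do
            case $subnet in */*) ;; *) subnet="$subnet/32" ;; esac   # bare address = /32
            if in_subnet "$2" "$subnet"; then echo "$node"; exit 0; fi
        done
        exit 1
    }
}

# --- Constructed sample: pamvirtual's hosts/ directory before and after the fix ---
demo_hosts=$(mktemp -d)
printf 'Subnet = 10.10.10.1/32\n' > "$demo_hosts/pamvirtual"
printf 'Subnet = 10.10.10.2/32\n' > "$demo_hosts/isivirtual"

# Before: 192.168.144.5 sits behind isivirtual, but no node announces that
# prefix, so tinc drops the packet even with the "192.168.144.0 via isivirtual"
# kernel route from the thread in place.
before=$(covering_node "$demo_hosts" 192.168.144.5 || echo none)

# After: the fix from the thread, "Subnet = 192.168.144.0/24" in hosts/isivirtual.
printf 'Subnet = 192.168.144.0/24\n' >> "$demo_hosts/isivirtual"
after=$(covering_node "$demo_hosts" 192.168.144.5 || echo none)

printf 'before fix: %s\nafter fix:  %s\n' "$before" "$after"   # none / isivirtual
rm -rf "$demo_hosts"
```

Run it against a real /etc/tinc/vpn/hosts directory with `covering_node /etc/tinc/vpn/hosts 192.168.144.5` to see which node tinc will route to; "none" for an address you expect to reach through the tunnel is exactly the situation in this thread. The route added in tinc-up (`route add -net ... dev $INTERFACE`) and the Subnet line must agree: the kernel route gets the packet into the tinc interface, the Subnet tells tinc which node to encrypt it to.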
Roberto Meyer
2004-04-04 04:26:58 UTC
Post by Guus Sliepen
Post by tinc at nl.linux.org ()
Post by Guus Sliepen
Post by Roberto Meyer
As I said, the VPN seems to work ok. I can ping from one machine to the
other one (only to their virtual interfaces). I even configured mail
relaying (exim listens on the virtual IP).
But I still can't diagnose your problem if I don't see your config
files.
[...]
Post by tinc at nl.linux.org ()
200.80.x.0 * 255.255.255.128 U 0 0 0 eth0
192.168.144.0 isivirtual 255.255.255.0 UG 0 0 0 vpn
10.10.0.0 * 255.255.0.0 U 0 0 0 vpn
default host1.200.80.x 0.0.0.0 UG 0 0 0 eth0
Hmkay... I see the problem. Gateway routes don't work with tinc in
router mode. You can do it with tinc in switch mode, but an easier
solution is given below.
Post by tinc at nl.linux.org ()
*** pamvirtual config ***
ifconfig $INTERFACE hw ether fe:fd:0:0:0:0
ifconfig $INTERFACE 10.10.10.1 netmask 255.255.0.0
ifconfig $INTERFACE -arp
route add -net 192.168.144.0 netmask 255.255.255.0 dev $INTERFACE
Post by tinc at nl.linux.org ()
Subnet = 10.10.10.2/32
-----BEGIN RSA PUBLIC KEY-----
-----END RSA PUBLIC KEY-----
Add: Subnet = 192.168.144.0/24
GREAT! It works 'ferpectly'! ;-)

The only issue I have to solve is that isivpn connects to pamvpn
through a dynamic IP address, so when e-mail arrives at pamvpn it doesn't
know how to deliver it to isivpn.

I'll test a script to run with openssh so I can update isivpn's IP in
pamvpn's host file and reload tincd. This way, pamvpn will be able to
'ConnectTo' isivpn any time it wants.

Thanx a lot for your help.

-
Roberto
Guus Sliepen
2004-04-04 04:26:58 UTC
Post by Roberto Meyer
GREAT! It works 'ferpectly'! ;-)
Nice :)
Post by Roberto Meyer
The only issue I have to solve is that isivpn connects to pamvpn
through a dynamic IP address, so when e-mail arrives at pamvpn it doesn't
know how to deliver it to isivpn.
I'll test a script to run with openssh so I can update isivpn's IP in
pamvpn's host file and reload tincd. This way, pamvpn will be able to
'ConnectTo' isivpn any time it wants.
Maybe this can help: you can make a hosts/isivirtual-up script that will
be executed by pamvpn when a connection with isivirtual is established.
You can use the environment variable $REMOTEADDRESS in this script,
which is the IP address of isivirtual. You can also make a
hosts/isivirtual-down script.
--
Met vriendelijke groet / with kind regards,
Guus Sliepen <***@sliepen.eu.org>
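Guus's hosts/isivirtual-up suggestion, worked out as an added example (this is not tinc's own code and not from the thread): tinc runs hosts/<node>-up when a connection with that node is established, with $NODE, $REMOTEADDRESS and $REMOTEPORT in the environment ($NETNAME and $INTERFACE are exported as well). The script rewrites the Address line of the peer's hosts file so that a later ConnectTo from pamvirtual has a current address to use. The default hosts directory (netname "vpn", as in the thread) and the HOSTSDIR override are this example's assumptions; the addresses in the test are documentation addresses, not the thread's.

```shell
#!/bin/sh
# Added example, not from the tinc project or from the posts in this thread:
# a hosts/isivirtual-up script for pamvirtual. tincd runs it when the
# connection with isivirtual comes up, with NODE, REMOTEADDRESS and REMOTEPORT
# set (NETNAME and INTERFACE are exported as well). It records the peer's
# current public address as the Address line of the peer's hosts file.

# set_address FILE ADDR : leave FILE (a tinc hosts file) with exactly one
# "Address = ADDR" line, keeping every other line (Subnet, key, TCPOnly, ...).
# Returns 0 when FILE was changed, 1 when it already had that address, so
# the caller knows whether re-reading the hosts file is worth doing.
set_address() {
    file=$1
    addr=$2
    esc=$(printf '%s' "$addr" | sed 's/\./\\./g')        # "." is a regex metachar
    if grep -q "^[[:space:]]*Address[[:space:]]*=[[:space:]]*$esc[[:space:]]*\$" "$file" 2>/dev/null; then
        return 1
    fi
    tmp="$file.tmp.$$"
    {
        echo "Address = $addr"
        if [ -f "$file" ]; then
            grep -v '^[[:space:]]*Address[[:space:]]*=' "$file" || :   # grep -v fails on empty output
        fi
    } > "$tmp"
    mv "$tmp" "$file"          # atomic replace so tincd never reads a half-written file
    return 0
}

# Entry point as tincd calls it (no arguments, variables in the environment).
# Guarded so the function above can be sourced and tested without tincd.
if [ -n "$REMOTEADDRESS" ] && [ -n "$NODE" ]; then
    # Assumption: the thread's netname is "vpn"; HOSTSDIR overrides it for testing.
    hostsdir=${HOSTSDIR:-/etc/tinc/${NETNAME:-vpn}/hosts}
    if set_address "$hostsdir/$NODE" "$REMOTEADDRESS"; then
        logger -t tinc-host-up "$NODE reached us from $REMOTEADDRESS port $REMOTEPORT; Address line updated"
    fi
fi
```

Updating the file alone does not change a running daemon's view of the peer: tincd reads hosts files at start and when told to reload (SIGHUP; `tincd -n vpn -kHUP` sends it). Two caveats that follow from the thread itself: isivirtual sits behind NAT, so $REMOTEADDRESS is the NAT gateway's public address and $REMOTEPORT a NAT-mapped source port (2281 in the log further down, not 655); an inbound ConnectTo to that address only works if the gateway forwards port 655 to isivirtual. And, as Jason points out, if the dynamic side does the ConnectTo and the static side merely listens, none of this bookkeeping is needed.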
Jason
2004-04-04 04:26:59 UTC
Post by Roberto Meyer
The only issue I have to solve is that isivpn connects to pamvpn
through a dynamic IP address, so when e-mail arrives to pamvpn it don't
know how to deliver it to isivpn.
I'll test a script to run with openssh so I can update isivpn's IP at
pamvpn's host-file and reload tincd. This way, pamvpn will be able to
'connnectTo' isivpn anytime it wants.
I'm a little confused about why you need the dynamic IP in the hosts file,
so forgive me if this is off base... but if one of the boxes has a static
IP/DNS and the other is dynamic, tell the dynamic one to ConnectTo the
static one and then the VPN will always be up and available. Then all of
your apps can reach either box using the private VPN IPs, which never change.
Then your mail will be encrypted through the VPN too. Remember, if one of those
boxes talks to the other one using the public internet-routable IP for the
destination address, the traffic doesn't go through the VPN tunnel.

Roberto Meyer
2004-04-04 04:26:59 UTC
Hi:

I've detected a problem: if I run 'ping' from pamvirtual (external host)
I don't reach isivirtual...

I increased tincd's log level and obtained the following:

Jul 30 20:22:38 pamvirtual tinc.vpn[19629]: /dev/tun is a Linux tun/tap
device
Jul 30 20:22:38 pamvirtual tinc.vpn[19629]: Listening on 0.0.0.0 port 655
Jul 30 20:22:38 pamvirtual tinc.vpn[19629]: Ready
Jul 30 20:22:38 pamvirtual tinc.vpn[19629]: Trying to connect to isivirtual
(168.226.x.x port 655)
Jul 30 20:22:44 pamvirtual tinc.vpn[19629]: Connection from
168.226.x.x port 2281
Jul 30 20:22:44 pamvirtual tinc.vpn[19629]: Connection with isivirtual
(168.226.x.x port 2281) activated

Jul 30 20:23:41 pamvirtual tinc.vpn[19629]: Timeout from isivirtual
(168.226.x.x port 655) during authentication

Jul 30 20:23:41 pamvirtual tinc.vpn[19629]: Closing connection with
isivirtual (168.226.x.x port 655)
Jul 30 20:23:41 pamvirtual tinc.vpn[19629]: Trying to re-establish
outgoing connection in 5 seconds
Jul 30 20:23:57 pamvirtual tinc.vpn[19629]: Already connected to isivirtual

If I ping from isivirtual to pamvirtual, pings from pamvirtual respond
for a while. After some minutes every connection from pamvirtual gets
stuck again.

Any idea about this?

TIA.

-
Roberto
Post by Guus Sliepen
Post by tinc at nl.linux.org ()
Post by Guus Sliepen
Post by Roberto Meyer
As I said, the VPN seems to work ok. I can ping from one machine to the
other one (only to their virtual interfaces). I even configured mail
relaying (exim listens on the virtual IP).
But I still can't diagnose your problem if I don't see your config
files.
[...]
Post by tinc at nl.linux.org ()
200.80.x.0 * 255.255.255.128 U 0 0 0 eth0
192.168.144.0 isivirtual 255.255.255.0 UG 0 0 0 vpn
10.10.0.0 * 255.255.0.0 U 0 0 0 vpn
default host1.200.80.x 0.0.0.0 UG 0 0 0 eth0
Hmkay... I see the problem. Gateway routes don't work with tinc in
router mode. You can do it with tinc in switch mode, but an easier
solution is given below.
Post by tinc at nl.linux.org ()
*** pamvirtual config ***
ifconfig $INTERFACE hw ether fe:fd:0:0:0:0
ifconfig $INTERFACE 10.10.10.1 netmask 255.255.0.0
ifconfig $INTERFACE -arp
route add -net 192.168.144.0 netmask 255.255.255.0 dev $INTERFACE
Post by tinc at nl.linux.org ()
Subnet = 10.10.10.2/32
-----BEGIN RSA PUBLIC KEY-----
-----END RSA PUBLIC KEY-----
Add: Subnet = 192.168.144.0/24
Post by tinc at nl.linux.org ()
Another thing I couldn't work out is to configure addresses like
10.10.10.0/24 for subnets... I found broadcast addresses somewhat
Don't bother with the broadcast address, it will never be used.
Guus Sliepen
2004-04-04 04:26:59 UTC
[...]
That's not all tinc is logging. Make sure your syslogd saves it all; add
something like this to /etc/syslogd.conf:

*.* -/var/log/all
Post by Roberto Meyer
If I ping from isivirtual to pamvirtual, pings from pamvirtual respond
for a while. After some minutes every connection from pamvirtual gets
stuck again.
Do you have a masquerading gateway somewhere? If so, try to add "TCPOnly = yes"
to hosts/isivirtual.
--
Met vriendelijke groet / with kind regards,
Guus Sliepen <***@sliepen.eu.org>
Roberto Meyer
2004-04-04 04:27:05 UTC
Post by Guus Sliepen
[...]
That's not all tinc is logging. Make sure your syslogd saves it all; add
*.* -/var/log/all
No, at log level 2 that's all it logs.
Post by Guus Sliepen
Post by Roberto Meyer
If I ping from isivirtual to pamvirtual, pings from pamvirtual respond
for a while. After some minutes every connection from pamvirtual gets
stuck again.
Do you have a masquerading gateway somewhere? If so, try to add "TCPOnly = yes"
to hosts/isivirtual.
Yes, isivirtual is our NAT/Firewall/&c.

It seems "TCPOnly = yes" definitely solved the problem of pamvirtual
losing its connection to isivirtual.

What I did: kept "ConnectTo" only at isivirtual, stopped and
started both tincds, cut connection (with poff), reconnected
isivirtual to internet (via DSL) and a few seconds later
pamvirtual could ping a machine in our 192.168.144.0 intranet.

Jason, about your question: it seemed isivirtual couldn't (until now)
maintain (refresh?) the connection, so after a few seconds pamvirtual
didn't reach isivirtual. I thought it could be solved if pamvirtual
knew isivirtual's IP and tried a "ConnectTo = isivirtual". So both hosts
would be trying to connect to each other. As I wrote above, everything is
working fine now (knock, knock :-)

Thanx a lot.

-
Roberto