[gentoo-user] Routing problem

[gentoo-user] Routing problem

[Patrick Marquetecken]

Hi,

I have connected two sites with openVPN, this works fine all traffic goes
trought the tunnels, and i can ping machines from one site to another.
But, i can't ping a machine from siteA from openVPN from siteB. to make it
compleet bizar the machine on siteA can ping the openVPN on siteB.

If i do a ping -R on the machine at siteA i see this:
RR:     10.32.3.172 <- machine siteA
        10.32.101.3 <- tunnel
        10.32.16.52 <- openVPN siteB
        10.32.16.52
        10.32.3.51 <- must be 10.32.101.3 (openVPN siteA)
        10.32.3.172
It seems that the answer goes direct between the two openVPN machines and
not the tunnel (10.32.101.x)
There is a route  10.32.0.0 netmask 255.255.252.0 gw 10.32.101.3 dev tun1.

A ping from openVPN siteB to openVPN siteA
RR:     10.32.101.4
        10.32.3.51
        10.32.3.51
        10.32.101.4

My main portage server is in siteA and i would like to update my remore
openVPN machines.
This behaviour its not only with that machine but with all my other remote
openVPN machines, all machines behind those does not have this kind of
problems.

Anyone know a solution
TIA
-- 
This is Unix-Land. In quiet nights, you can hear the Windows machines reboot.
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Routing problem

[Heinz Sporn]

Am Mittwoch, den 07.09.2005, 16:18 +0200 schrieb Patrick Marquetecken:
> Hi,
> 
> I have connected two sites with openVPN, this works fine all traffic goes
> trought the tunnels, and i can ping machines from one site to another.
> But, i can't ping a machine from siteA from openVPN from siteB. to make it
> compleet bizar the machine on siteA can ping the openVPN on siteB.
> 

It's rather hard to help you here. You described only the sympthoms but
didn't provide any basic details like IP-ranges on both sides, routes,
ovpn config, OpenVPN versions used, etc. etc.

And what do you mean by "I have connected two sites" ? Are we talking
Linux - Linux here, or is a Windoze box involved ? Firewalls in between?

> If i do a ping -R on the machine at siteA i see this:
> RR:     10.32.3.172 <- machine siteA
>         10.32.101.3 <- tunnel
>         10.32.16.52 <- openVPN siteB
>         10.32.16.52
>         10.32.3.51 <- must be 10.32.101.3 (openVPN siteA)
>         10.32.3.172
> It seems that the answer goes direct between the two openVPN machines and
> not the tunnel (10.32.101.x)
> There is a route  10.32.0.0 netmask 255.255.252.0 gw 10.32.101.3 dev tun1.
> 
> A ping from openVPN siteB to openVPN siteA
> RR:     10.32.101.4
>         10.32.3.51
>         10.32.3.51
>         10.32.101.4
> 
> My main portage server is in siteA and i would like to update my remore
> openVPN machines.
> This behaviour its not only with that machine but with all my other remote
> openVPN machines, all machines behind those does not have this kind of
> problems.
> 
> Anyone know a solution
> TIA
> -- 
> This is Unix-Land. In quiet nights, you can hear the Windows machines reboot.
-- 
Mit freundlichen Grüßen

Heinz Sporn

SPORN it-freelancing

Mobile:  ++43 (0)699 / 127 827 07
Email:   heinz.sporn@sporn-it.com
         heinz.sporn@utanet.at
Website: http://www.sporn-it.com
Snail:   Steyrer Str. 20
         A-4540 Bad Hall
         Austria / Europe

-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Routing problem

[Patrick Marquetecken]

> It's rather hard to help you here. You described only the sympthoms but
> didn't provide any basic details like IP-ranges on both sides, routes,
> ovpn config, OpenVPN versions used, etc. etc.
SiteA 10.32.0.0/22
siteB 10.32.16.0/24
connection goes over 10.32.100.0
tunnels ip's are 10.32.101.3 for siteA and 10.32.101.4 for SiteB
routing tables:
siteA
eth0 10.32.3.51
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.32.101.6     0.0.0.0         255.255.255.255 UH    0      0        0 tun2
10.32.101.4     0.0.0.0         255.255.255.255 UH    0      0        0 tun1
10.32.101.2     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.32.16.160    10.32.101.2     255.255.255.255 UGH   0      0        0 tun0
10.32.101.14    0.0.0.0         255.255.255.255 UH    0      0        0 tun5
10.32.101.12    0.0.0.0         255.255.255.255 UH    0      0        0 tun4
10.32.101.8     0.0.0.0         255.255.255.255 UH    0      0        0 tun3
10.32.32.0      0.0.0.0         255.255.255.248 U     0      0        0 eth0
10.32.100.16    0.0.0.0         255.255.255.240 U     0      0        0 eth2
10.32.100.0     0.0.0.0         255.255.255.240 U     0      0        0 eth1
10.32.100.32    10.32.0.20      255.255.255.240 UG    0      0        0 eth0
10.35.0.0       10.32.101.8     255.255.255.0   UG    0      0        0 tun3
10.32.24.0      10.32.101.6     255.255.255.0   UG    0      0        0 tun2
10.35.1.0       10.32.100.17    255.255.255.0   UG    0      0        0 eth2
10.32.25.0      10.32.100.17    255.255.255.0   UG    0      0        0 eth2
10.32.66.0      10.32.101.4     255.255.255.0   UG    0      0        0 tun1
10.32.16.0      10.32.101.4     255.255.255.0   UG    0      0        0 tun1
10.32.67.0      10.32.101.4     255.255.255.0   UG    0      0        0 tun1
10.32.0.0       0.0.0.0         255.255.252.0   U     0      0        0 eth0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
0.0.0.0         10.32.0.20      0.0.0.0         UG    0      0        0 eth0

siteB
eth0
10.32.16.52
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.32.101.3     0.0.0.0         255.255.255.255 UH    0      0        0 tun1
10.32.101.1     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.32.3.129     10.32.101.1     255.255.255.255 UGH   0      0        0 tun0
10.32.3.128     10.32.101.1     255.255.255.255 UGH   0      0        0 tun0
81.246.22.210   10.32.16.20     255.255.255.255 UGH   0      0        0 eth0
10.32.101.13    0.0.0.0         255.255.255.255 UH    0      0        0 tun5
10.32.101.11    0.0.0.0         255.255.255.255 UH    0      0        0 tun4
10.32.32.0      10.32.101.3     255.255.255.248 UG    0      0        0 tun1
10.32.26.0      10.32.16.20     255.255.255.240 UG    0      0        0 eth0
10.32.100.16    10.32.16.20     255.255.255.240 UG    0      0        0 eth0
10.32.100.0     0.0.0.0         255.255.255.240 U     0      0        0 eth1
10.32.100.32    0.0.0.0         255.255.255.240 U     0      0        0 eth2
10.35.0.0       10.32.101.3     255.255.255.0   UG    0      0        0 tun1
10.32.24.0      10.32.101.3     255.255.255.0   UG    0      0        0 tun1
10.32.16.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.33.10.0      10.32.101.3     255.255.255.0   UG    0      0        0 tun1
10.32.64.0      10.32.101.3     255.255.255.0   UG    0      0        0 tun1
10.32.65.0      10.32.101.3     255.255.255.0   UG    0      0        0 tun1
10.32.0.0       10.32.101.3     255.255.252.0   UG    0      0        0 tun1
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
0.0.0.0         10.32.16.20     0.0.0.0         UG    0      0        0 eth0


RR:     10.32.3.172
        10.32.101.3
        10.32.16.52
        10.32.16.52
        10.32.3.51 <- should be 10.32.101.3
        10.32.3.172


>
> And what do you mean by "I have connected two sites" ? Are we talking
> Linux - Linux here, or is a Windoze box involved ? Firewalls in between
Its Linux to Linux direct without any firewalls.
the VPN tunnels are now working for more than 3 months, its only that the
openVPN machines can't connect to other machines then theireselfs.

Patrick

> Heinz Sporn



-- 
This is Unix-Land. In quiet nights, you can hear the Windows machines reboot.
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Routing problem - Solved

[Patrick Marquetecken]

After spending some hours watching tcpdumps, i saw that the openvpn at
siteB comes with ip form the vpntunnel to the client, setting up a route
on the client solved it all.
I tought that i always would use the ip of eth0 ?

Patrick


-- 
Arwen: "Why do you fear the past? You are Isildur's heir, not Isildur
himself. You are not bound to his fate."
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Routing problem - Solved

[Heinz Sporn]

Am Donnerstag, den 08.09.2005, 11:37 +0200 schrieb Patrick Marquetecken:
> After spending some hours watching tcpdumps, i saw that the openvpn at
> siteB comes with ip form the vpntunnel to the client, setting up a route
> on the client solved it all.
> I tought that i always would use the ip of eth0 ?

I have to say your network layout seems to be rather odd. Why on earth
do you need so many tunnels and routes? If site A and B contain just a
number of servers and clients I'd say you just need one tunnel at all
and one route on each side of it that points to the correspondig LAN.

> 
> Patrick
> 
> 
> -- 
> Arwen: "Why do you fear the past? You are Isildur's heir, not Isildur
> himself. You are not bound to his fate."
-- 
Mit freundlichen Grüßen

Heinz Sporn

SPORN it-freelancing

Mobile:  ++43 (0)699 / 127 827 07
Email:   heinz.sporn@sporn-it.com
         heinz.sporn@utanet.at
Website: http://www.sporn-it.com
Snail:   Steyrer Str. 20
         A-4540 Bad Hall
         Austria / Europe

-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Routing problem

[Arturo 'Buanzo' Busleiman]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Patrick Marquetecken wrote:
> Its Linux to Linux direct without any firewalls.
> the VPN tunnels are now working for more than 3 months, its only that the
> openVPN machines can't connect to other machines then theireselfs.

Have you enabled forwarding for the tun interfaces on both ends? Check sysctl.conf and iptables -t
nat -L


- --
Arturo "Buanzo" Busleiman - www.buanzo.com.ar
Consultor en Seguridad Informatica
KTP Consultores - info AT ktpconsultores.com.ar
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDICmqAlpOsGhXcE0RAg0cAJ9Il2XBx8pLlQDPU5v8XtM4CPLbXQCdFnA/
txVntftfWXQfyV+iV0myjrs=
=dZMi
-----END PGP SIGNATURE-----
-- 
gentoo-user@gentoo.org mailing list