vpn with shortcuts?

Roberto Meyer rmeyer at idr.org.ar
Thu Nov 11 22:05:18 CET 2004


Hi all,

I have been having problems with a vpn for a long time... I'd be glad
if somebody could check my current setup.

Our problem is that we're having tinc-vpn shortcuts, while we have
neither bandwidth problems nor 'ssh' trouble.

I attached some log lines from both the "server" and the 
"client".

Some ASCII art...

    ___                  ___                ___
   |   |    tinc vpn    |   |              |   |
   | p |    over ADSL   | i |      LAN     | p |
   | a |    __________  | s |    ________  | a |
   | m |   /         /  | i |   /       /  | t |
   |   |__/         /___|   |__/       /___|   |
   -----                -----              -----
   pub:200.x.x.x        pub:dynamic
   vpn:10.10.10.1       vpn:10.10.10.2
                        pri:192.168.144.1  pri:192.168.144.1
 

Ok, let's see the configs of pam(perito) and isi(dorito). 
I named their virtual interfaces as 'pamvpn' and 'isivpn'.

a-'isidorito' (our gateway+firewall+proxy) with dynamic IP

  /etc/tinc/vpn/tinc.conf
    Name = isivpn
    Device = /dev/net/tun
    PrivateKeyFile = /etc/tinc/vpn/rsa_key.priv
    ConnectTo = pamvpn

  /etc/tinc/vpn/tinc-up
    ifconfig $INTERFACE hw ether fe:fd:0:0:0:0
    ifconfig $INTERFACE 10.10.10.2 netmask 255.255.0.0
    ifconfig $INTERFACE -arp

  /etc/tinc/vpn/hosts/isivpn
    Subnet = 10.10.10.2/32
    Subnet = 192.168.144.0/24
    TCPOnly = yes
    -----BEGIN RSA PUBLIC KEY-----
    ...
    -----END RSA PUBLIC KEY-----

  /etc/tinc/vpn/hosts/pamvpn
    isidorito:/etc/tinc/vpn/hosts# cat /etc/tinc/vpn/hosts/
    isivpn  pamvpn  
    isidorito:/etc/tinc/vpn/hosts# cat /etc/tinc/vpn/hosts/pamvpn 
    Address = 200.x.x.x
    Subnet = 10.10.10.1/32
    -----BEGIN RSA PUBLIC KEY-----
    ...
    -----END RSA PUBLIC KEY-----


b-'pamperito' (it waits for isi's connections)

  /etc/tinc/vpn/tinc.conf
    Name = pamvpn
    Device = /dev/tun
    PrivateKeyFile = /etc/tinc/vpn/rsa_key.priv

  /etc/tinc/vpn/tinc-up
    ifconfig $INTERFACE hw ether fe:fd:0:0:0:0
    ifconfig $INTERFACE 10.10.10.1 netmask 255.255.0.0
    ifconfig $INTERFACE -arp
    route add -net 192.168.144.0 netmask 255.255.255.0 gw isivpn dev vpn

  pamvpn and isivpn are set up as in 'isidorito'


Is everything ok here?

In isidorito's syslog I even found:

nov 11 17:05:34 isidorito tinc.vpn[5841]: Closing connection with
pamvpn (200.x.x.x port 655)
nov 11 17:05:35 isidorito tinc.vpn[5841]: Closing connection with
isivpn (MYSELF)
^^^^^^^^^^^^^^^

I remember I added the subnet 192.168.144.0/24 because 'pat' 
is our internal smtp server... so 'pam' needs to reach 'pat'
for mail delivery and vice versa.

I suspect I'm making a setup mistake, any clue will be much
appreciated. 

TIA,

-
Roberto
------------ next part ------------
nov 11 16:12:29 pamperito tinc.vpn[17311]: Metadata socket error for isivpn (168.226.139.225 port 1871): Conexión reinicializada por la máquina remota
nov 11 16:14:54 pamperito tinc.vpn[17311]: Metadata socket error for isivpn (168.226.139.225 port 2341): Conexión reinicializada por la máquina remota
nov 11 16:16:21 pamperito tinc.vpn[17311]: Bogus data received from isivpn (168.226.139.225 port 2381)
nov 11 16:17:08 pamperito tinc.vpn[17311]: Bogus data received from isivpn (168.226.139.225 port 2386)
Nov 11 16:49:02 pamperito exiscanv2[31949]: 1CSKwD-0000SI-00 F:<tinc-bounces en tinc-vpn.org> T:rmeyer en idr.org.ar R:clean, marked for dequeue
nov 11 17:05:41 pamperito tinc.vpn[17311]: Bogus data received from isivpn (168.226.140.12 port 3110)

------------ next part ------------
nov 11 16:12:38 isidorito tinc.vpn[5841]: Sending meta data to pamvpn (200.x.x.x port 655) failed: Recurso no disponible temporalmente
nov 11 16:12:38 isidorito tinc.vpn[5841]: Closing connection with pamvpn (200.x.x.x port 655)
nov 11 16:12:38 isidorito tinc.vpn[5841]: Trying to re-establish outgoing connection in 5 seconds
nov 11 16:12:45 isidorito tinc.vpn[5841]: Trying to connect to pamvpn (200.x.x.x port 655)
nov 11 16:12:46 isidorito tinc.vpn[5841]: Connected to pamvpn (200.x.x.x port 655)
nov 11 16:12:47 isidorito tinc.vpn[5841]: Connection with pamvpn (200.x.x.x port 655) activated
nov 11 16:15:02 isidorito tinc.vpn[5841]: Sending meta data to pamvpn (200.x.x.x port 655) failed: Recurso no disponible temporalmente
nov 11 16:15:02 isidorito tinc.vpn[5841]: Closing connection with pamvpn (200.x.x.x port 655)
nov 11 16:15:02 isidorito tinc.vpn[5841]: Trying to re-establish outgoing connection in 10 seconds
nov 11 16:15:18 isidorito tinc.vpn[5841]: Trying to connect to pamvpn (200.x.x.x port 655)
nov 11 16:15:19 isidorito tinc.vpn[5841]: Connected to pamvpn (200.x.x.x port 655)
nov 11 16:15:20 isidorito tinc.vpn[5841]: Connection with pamvpn (200.x.x.x port 655) activated
nov 11 16:16:31 isidorito tinc.vpn[5841]: Metadata socket error for pamvpn (200.x.x.x port 655): Conexión reinicializada por la máquina remota
nov 11 16:16:31 isidorito tinc.vpn[5841]: Closing connection with pamvpn (200.x.x.x port 655)
nov 11 16:16:31 isidorito tinc.vpn[5841]: Trying to re-establish outgoing connection in 15 seconds
nov 11 16:16:52 isidorito tinc.vpn[5841]: Trying to connect to pamvpn (200.x.x.x port 655)
nov 11 16:16:53 isidorito tinc.vpn[5841]: Connected to pamvpn (200.x.x.x port 655)
nov 11 16:16:54 isidorito tinc.vpn[5841]: Connection with pamvpn (200.x.x.x port 655) activated
nov 11 16:17:17 isidorito tinc.vpn[5841]: Metadata socket error for pamvpn (200.x.x.x port 655): Conexión reinicializada por la máquina remota
nov 11 16:17:17 isidorito tinc.vpn[5841]: Closing connection with pamvpn (200.x.x.x port 655)
nov 11 16:17:17 isidorito tinc.vpn[5841]: Trying to re-establish outgoing connection in 20 seconds
nov 11 16:17:40 isidorito tinc.vpn[5841]: Trying to connect to pamvpn (200.x.x.x port 655)
nov 11 16:17:41 isidorito tinc.vpn[5841]: Connected to pamvpn (200.x.x.x port 655)
nov 11 16:17:42 isidorito tinc.vpn[5841]: Connection with pamvpn (200.x.x.x port 655) activated
nov 11 16:43:24 isidorito tinc.vpn[5841]: Regenerating symmetric key
nov 11 17:05:29 isidorito tinc.vpn[5841]: Got HUP signal
nov 11 17:05:34 isidorito tinc.vpn[5841]: Closing connection with pamvpn (200.x.x.x port 655)
nov 11 17:05:35 isidorito tinc.vpn[5841]: Closing connection with isivpn (MYSELF)
nov 11 17:05:35 isidorito tinc.vpn[5841]: Rereading configuration file and restarting in 5 seconds...
nov 11 17:05:40 isidorito tinc.vpn[5841]: /dev/net/tun is a Linux tun/tap device
nov 11 17:05:40 isidorito tinc.vpn[5841]: Executing script tinc-up
nov 11 17:05:41 isidorito tinc.vpn[5841]: Listening on 0.0.0.0 port 655
nov 11 17:05:41 isidorito tinc.vpn[5841]: Ready
nov 11 17:05:41 isidorito tinc.vpn[5841]: Trying to connect to pamvpn (200.x.x.x port 655)
nov 11 17:05:41 isidorito tinc.vpn[5841]: Connected to pamvpn (200.x.x.x port 655)
nov 11 17:05:42 isidorito tinc.vpn[5841]: Connection with pamvpn (200.x.x.x port 655) activated
nov 11 17:05:50 isidorito tinc.vpn[5841]: Sending meta data to pamvpn (200.x.x.x port 655) failed: Recurso no disponible temporalmente
nov 11 17:05:50 isidorito tinc.vpn[5841]: Closing connection with pamvpn (200.x.x.x port 655)
nov 11 17:05:50 isidorito tinc.vpn[5841]: Trying to re-establish outgoing connection in 5 seconds
nov 11 17:06:04 isidorito tinc.vpn[5841]: Trying to connect to pamvpn (200.x.x.x port 655)
nov 11 17:06:05 isidorito tinc.vpn[5841]: Connected to pamvpn (200.x.x.x port 655)
nov 11 17:06:06 isidorito tinc.vpn[5841]: Connection with pamvpn (200.x.x.x port 655) activated
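
Added example, not part of the original post or of tinc: a small Python script that pairs each "activated" line in a tinc syslog with the following "Closing connection" line and reports how long each meta connection stayed up and the last error logged before it closed. The sample lines are taken from the isidorito attachment above; the function name and the error labels are this example's own, and it assumes all entries fall on the same day.

```python
import re
from datetime import datetime

# Sample lines taken from the isidorito attachment above.
# Assumption: all entries are from the same day, so only HH:MM:SS is parsed.
SAMPLE = """\
nov 11 16:12:38 isidorito tinc.vpn[5841]: Sending meta data to pamvpn (200.x.x.x port 655) failed: Recurso no disponible temporalmente
nov 11 16:12:38 isidorito tinc.vpn[5841]: Closing connection with pamvpn (200.x.x.x port 655)
nov 11 16:12:47 isidorito tinc.vpn[5841]: Connection with pamvpn (200.x.x.x port 655) activated
nov 11 16:15:02 isidorito tinc.vpn[5841]: Sending meta data to pamvpn (200.x.x.x port 655) failed: Recurso no disponible temporalmente
nov 11 16:15:02 isidorito tinc.vpn[5841]: Closing connection with pamvpn (200.x.x.x port 655)
nov 11 16:15:20 isidorito tinc.vpn[5841]: Connection with pamvpn (200.x.x.x port 655) activated
nov 11 16:16:31 isidorito tinc.vpn[5841]: Metadata socket error for pamvpn (200.x.x.x port 655): Conexión reinicializada por la máquina remota
nov 11 16:16:31 isidorito tinc.vpn[5841]: Closing connection with pamvpn (200.x.x.x port 655)
"""

LINE = re.compile(r"^\S+ +\d+ (\d\d:\d\d:\d\d) \S+ tinc\.\w+\[\d+\]: (.*)$")
ACTIVATED = re.compile(r"Connection with (\S+) \(.*\) activated$")
CLOSING = re.compile(r"Closing connection with (\S+) ")
ERROR = re.compile(r"(Sending meta data to|Metadata socket error for) (\S+) ")
KIND = {"Sending meta data to": "send failed", "Metadata socket error for": "socket error"}

def sessions(text):
    """Return (peer, uptime_seconds, last_error) for each activated -> closed connection."""
    up, why, out = {}, {}, []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a tinc line (e.g. the exiscanv2 entry in the pamperito log)
        ts = datetime.strptime(m.group(1), "%H:%M:%S")
        msg = m.group(2)
        if (a := ACTIVATED.match(msg)):
            up[a.group(1)] = ts
        elif (e := ERROR.match(msg)):
            why[e.group(2)] = KIND[e.group(1)]
        elif msg == "Got HUP signal":
            why.update(dict.fromkeys(up, "HUP"))  # operator-requested restart
        elif (c := CLOSING.match(msg)):
            peer = c.group(1)
            start, reason = up.pop(peer, None), why.pop(peer, "unknown")
            if start is not None:  # skips closes with no matching activation, e.g. "(MYSELF)"
                out.append((peer, int((ts - start).total_seconds()), reason))
    return out

if __name__ == "__main__":
    for row in sessions(SAMPLE):
        print(row)
```
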

