Routing issue (fixed)

Erik Logtenberg erik at logtenberg.eu
Mon Mar 15 15:52:14 CET 2010


Thanks Guus, this fixed the routing issue, and tinc now works nicely
together with ospf.

Guus Sliepen wrote:
> On Fri, Mar 12, 2010 at 07:10:42PM +0100, Erik Logtenberg wrote:
> 
>> I gave both of my vpn routers an IP in the 172.16.100.0/24 range, and
>> used the Subnet-directive to inform tinc of this. This works fine, I can
>> ping both hosts from both sides of the vpn.
> [...]
>> When I try to ping an IP on the other end of the VPN, I get the following:
>>
>> # ping 192.168.4.1
>> PING 192.168.4.1 (192.168.4.1) 56(84) bytes of data.
>> From 192.168.4.1 icmp_seq=1 Destination Net Unknown
>>
>> Note that there is no lag. This error comes from the local end of the
>> VPN tunnel. I checked everything, from route tables to firewall
>> configuration. I can only assume that tinc gives these errors, probably
>> because it doesn't know about these subnets.
> 
> Yes, tinc will generate ICMP packets for unknown or unreachable destinations.
> Indeed, since you only supplied Subnets for the 172.16.100.0/24 range, it does
> not know about 192.168.4.1 and therefore doesn't know how to route those
> packets.
> 
>> I think this should just work. The route to 192.168.4.0/24 is configured
>> with the other vpn router as gateway, so as far as tinc is concerned, it
>> should just forward the traffic to that host (which by itself is
>> reachable) and let the other side care about routing the traffic
>> further. With ospf this is always configured correctly on both sides, so
>> it should always work.
> 
> The problem is that in the default mode, tinc will act as a layer 3 router. A
> gateway route only makes sense on layer 2 networks. If you send a packet to
> 192.168.4.1, there is no mention of 172.16.100.x at all in the IP packets, so
> tinc does not know that you want those packets forwarded via a gateway.
> 
>> Is there any way to have tinc allow this traffic?
> 
> Yes, use Mode = switch to let tinc act as a layer 2 switch. Then your gateway
> routes will work as you intended. You also do not need the Subnet statements
> anymore.
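The forwarding decision described in the quoted reply, as an added example that is not part of the original messages and is not tinc's code: a simplified Python model of router mode (lookup of the destination IP in the announced Subnets) next to switch mode (lookup of the destination MAC). The node names, the .1/.2 host addresses, and the MAC addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample state on router_a, using the ranges from the thread.
# Router mode: tinc only knows the Subnets each node announced.
SUBNETS = {
    "router_a": [ipaddress.ip_network("172.16.100.1/32")],
    "router_b": [ipaddress.ip_network("172.16.100.2/32")],
}
# Switch mode: tinc learns which node sits behind which source MAC.
MAC_TABLE = {"02:00:00:00:00:0a": "router_a", "02:00:00:00:00:0b": "router_b"}
# Kernel state on router_a: the gateway route (e.g. installed by OSPF) and ARP cache.
KERNEL_ROUTES = {ipaddress.ip_network("192.168.4.0/24"): "172.16.100.2"}
ARP_CACHE = {"172.16.100.2": "02:00:00:00:00:0b"}


def route_l3(dst_ip, subnets=SUBNETS):
    """Router mode: longest-prefix match of the destination IP on known Subnets."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for node, nets in subnets.items():
        for net in nets:
            if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (node, net)
    if best is None:
        # The gateway address never appears in the IP packet, so there is no match.
        return ("icmp", "Destination Net Unknown")
    return ("forward", best[0])


def kernel_next_hop_mac(dst_ip):
    """On an Ethernet-like device the kernel addresses the frame to the gateway's MAC."""
    dst = ipaddress.ip_address(dst_ip)
    for net, gateway in KERNEL_ROUTES.items():
        if dst in net:
            return ARP_CACHE.get(gateway)
    return ARP_CACHE.get(dst_ip)  # on-link destination


def switch_l2(dst_mac, mac_table=MAC_TABLE):
    """Switch mode: forward on the destination MAC, flood if it is unknown."""
    node = mac_table.get(dst_mac)
    return ("forward", node) if node else ("broadcast", None)


def send(dst_ip, mode):
    """Return the decision made for a packet leaving router_a in the given mode."""
    if mode == "router":
        return route_l3(dst_ip)
    return switch_l2(kernel_next_hop_mac(dst_ip))
```
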


