ethertap dropping packets?

Allen Bettilyon allen at about-inc.com
Thu Nov 8 08:26:41 CET 2001


Hello,

I'm having some routing issues with my tinc setup.  I'm running a fairly
basic VPN configuration between two networks:

-------
Site A:
-------

--- tinc-up ---

#!/bin/sh

/sbin/ifconfig tap0 hs ether fe:fd:00:00:00:00
/sbin/ifconfig tap0 10.11.1.2 netmask 255.0.0.0
/sbin/ifconfig tap0 -arp

---- tinc.conf ---
Name = orca
Hostnames = no
InterfaceIP = 63.108.71.7
KeyExpire = 30000000
PrivateKeyFile = /etc/tinc/.rsa-private
TapDevice = /dev/tap0


-------
Site B:
-------

---- tinc-up ----

#!/bin/sh

/sbin/ifconfig $NETNAME hs ether fe:fd:00:00:00:00
/sbin/ifconfig $NETNAME 10.11.15.1 netmask 255.0.0.0
/sbin/ifconfig $NETNAME -arp

----- tinc.conf ----

ConnectTo = orca
Name = pax
Hostnames = no
InterfaceIP = 24.176.163.186
KeyExpire = 30000000
PrivateKeyFile = /etc/tinc/.rsa-private
TapDevice = /dev/tun


------------------
Shared Hosts Files
------------------

--- pax ---
Address = x.x.x.x
Subnet = 10.11.15.0/24
PublicKeyFile=/etc/tinc/hosts/.pax-rsa-public

--- orca ---
Address = y.y.y.y
Subnet = 10.11.1.0/24
PublicKeyFile=/etc/tinc/hosts/.orca-rsa-public


#######################################################

I get a successful connection and everything looks to be okay, however,
I am unable to ping anything from either side.

I ran a few tcpdumps and believe that I have found where the
problem lies, but I don't know exactly what the problem is.


From a second machine sitting in network B (10.11.15.11), I tried
pinging a machine on network A (10.11.15.1).  I had a tcpdump running on
3 different interfaces:



eth0 on orca:  (tcpdump -i eth0 icmp)
--------------
17:59:45.212188 > 10.11.15.11 > 10.11.1.1: icmp: echo request (DF)
17:59:45.213943 < 10.11.1.1 > 10.11.15.11: icmp: echo reply (DF)
17:59:46.207298 > 10.11.15.11 > 10.11.1.1: icmp: echo request (DF)
17:59:46.208155 < 10.11.1.1 > 10.11.15.11: icmp: echo reply (DF)



ethertap interface on pax:  (tcpdump -i tap0 icmp)
---------------------------
00:07:14.750000 > 10.11.15.11 > 10.11.1.1: icmp: echo request (DF)
00:07:14.820000 P 10.11.1.1 > 10.11.15.11: icmp: echo reply (DF)
00:07:15.750000 > 10.11.15.11 > 10.11.1.1: icmp: echo request (DF)
00:07:15.840000 P 10.11.1.1 > 10.11.15.11: icmp: echo reply (DF)


eth1 on pax: (tcpdump -i $NETNAME icmp)
-------------
00:07:39.980000 < 10.11.15.11 > 10.11.1.1: icmp: echo request (DF)
00:07:40.980000 < 10.11.15.11 > 10.11.1.1: icmp: echo request (DF)
00:07:41.980000 < 10.11.15.11 > 10.11.1.1: icmp: echo request (DF)



My interpretation of the above tcpdumps is:

-- ICMP echo request --
1) Leave its source (10.11.15.11)
2) Enter eth0 on pax
3) Enter ethertap on pax
4) tunnel to ethertap on orca
5) forward to eth0 on orca
6) reach its destination successfully

-- ICMP echo reply --
1) Leave its source (10.11.1.1)
2) Enter eth0 on orca
3) forward to ethertap on orca
4) tunnel to ethertap on pax
5) !!Packet appears to be dropped here!!!


I have tried both:
    /sbin/iptables -F
&   /sbin/iptables -t nat -F


Anybody have any ideas?  I'm pretty stumped here.


I also DO see the following in syslog on pax:

 No valid key known yet for orca (63.108.71.7), queueing packet


pax is running linux 2.4.2
orca is running linux 2.2.16
tincd is: 1.0pre4





- Allen

Tinc:         Discussion list about the tinc VPN daemon
Archive:      http://mail.nl.linux.org/lists/
Tinc site:    http://tinc.nl.linux.org/
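
The hop-by-hop reading of the three captures in the post can be automated. The following is an added example, not part of the original message; it assumes the second column of each line is the Linux packet-type marker printed by tcpdump builds of that period (`<` addressed to this host, `>` outgoing, `P` addressed to another host), and the interface labels and function names are made up for the example.

```python
import re
from collections import defaultdict

# Constructed input: lines taken from the three captures quoted in the post,
# keyed by a hypothetical host:interface label.
CAPTURES = {
    "orca:eth0": """
        17:59:45.212188 > 10.11.15.11 > 10.11.1.1: icmp: echo request (DF)
        17:59:45.213943 < 10.11.1.1 > 10.11.15.11: icmp: echo reply (DF)
    """,
    "pax:tap0": """
        00:07:14.750000 > 10.11.15.11 > 10.11.1.1: icmp: echo request (DF)
        00:07:14.820000 P 10.11.1.1 > 10.11.15.11: icmp: echo reply (DF)
    """,
    "pax:eth1": """
        00:07:39.980000 < 10.11.15.11 > 10.11.1.1: icmp: echo request (DF)
    """,
}

# Assumption: packet-type marker column as printed by Linux tcpdump of that era.
MARKS = {"<": "to-host", ">": "outgoing", "P": "other-host",
         "B": "broadcast", "M": "multicast"}

LINE = re.compile(
    r"^\S+ (?P<mark>[<>PBM]) [\d.]+ > [\d.]+: icmp: echo (?P<kind>request|reply)")

def summarize(captures):
    """Map (interface, 'request'|'reply') -> set of marker meanings seen there."""
    seen = defaultdict(set)
    for iface, text in captures.items():
        for line in text.splitlines():
            m = LINE.match(line.strip())
            if m:
                seen[(iface, m["kind"])].add(MARKS[m["mark"]])
    return seen

def last_hop(captures, kind, path):
    """Walk `path` in travel order; return the last interface that captured `kind`."""
    seen = summarize(captures)
    hop = None
    for iface in path:
        if (iface, kind) not in seen:
            break  # packet was never captured on this interface
        hop = (iface, sorted(seen[(iface, kind)]))
    return hop

if __name__ == "__main__":
    print("request:", last_hop(CAPTURES, "request", ["pax:eth1", "pax:tap0", "orca:eth0"]))
    print("reply:  ", last_hop(CAPTURES, "reply", ["orca:eth0", "pax:tap0", "pax:eth1"]))
```

Under the stated marker assumption, a reply whose last hop carries only `other-host` was seen on that interface but not addressed to it, which narrows where to look when packets appear to vanish.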



