tinc: very interesting problem

Jeremy Singer jbs at gleim.com
Wed Jan 28 00:08:28 CET 2004


Guus, or anyone that will help ...

Okay.. I've been running tinc for a few months now, and it's been working
pretty well with my machine. Attempts to install it on other WinXP Pro,
WinXP Home, and WinNT boxes have been spotty at best, with some
installations working perfectly, and some not working at all.

My latest issue is this. My Windows 2000 machine can connect perfectly to
our external server which serves as the bridge between the internal LAN
and home machines that are connecting. Say I am connected (I am client A,
jbs_home, whose config is listed below) and I have Client B (ser_home)
connect. Noctest_svr when it "shakes hands" with client B (ser_home) will
drop connection with Client A (jbs_home). The log files show that it
connects to client B and "becomes reachable". After Client B becomes
reachable (it is communicating over 655), noctest_svr can ping client B,
but client B cannot ping noctest_svr. This happens when client B is using
TCPONLY and when it is NOT using tcponly. If client A tries to reconnect,
it doesn't work unless you restart TINC. Client B never works properly at
the same time.

There are home routers in front of client A and B, but it connects through
them. Still the same problem when you put them in the demilitarized zone
(DMZ) or when you forward tcp/udp 655.

I have had Client A work properly with other TINC daemons (client D, E, F..
etc) at the same time. Their configurations are all the same, with the
exception of the first subnet= line, (the IP address that they have).

Server A is open to the world as the main TINC server.
There are no firewall rules that prohibit packets from coming into the
external interface of this server.

tinc.conf on main server, address let's say: noctest_svr.com
device = /dev/tun
AddressFamily = ipv4
KeyExpire = 30000000
name = noctest_svr
pingtimeout = 10

the public key config looks like this:
address = XXX.XXX.XXX.XXX
compression = 10
subnet = 172.16.244.0/22
subnet = 172.16.240.0/22

The machine has these interfaces, as well as an external interface, to
which the clients connect.

eth0:1    Link encap:Ethernet  HWaddr 00:50:04:AB:D6:BE
          inet addr:172.16.240.12  Bcast:172.16.243.255  Mask:255.255.252.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:9 Base address:0xfc00
noctest_s Link encap:Point-to-Point Protocol
          inet addr:172.16.245.1  P-t-P:172.16.245.1  Mask:255.255.252.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1200  Metric:1
          RX packets:43 errors:0 dropped:0 overruns:0 frame:0
          TX packets:42 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:2609 (2.5 Kb)  TX bytes:11425 (11.1 Kb)

Route info:

172.16.240.0    *               255.255.252.0   U     0      0        0 eth0
172.16.244.0    *               255.255.252.0   U     0      0        0 noctest_svr
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
(also some data here about default gateway is deleted)

Client A, "jbs_home"
tinc.conf:
name = jbs_home
connectto = noctest_svr
pingtimeout = 10
privatekeyfile = c:\program files\tinc\rsa_key.priv

jbs_home file in hosts/
subnet = 172.16.244.1/32
subnet = 172.16.240.0/22
compression = 10

IP address of JBS_HOME = 172.16.244.1

Client B, "ser_home"
tinc.conf:
name = ser_home
connectto = noctest_svr
pingtimeout = 10
privatekeyfile = c:\program files\tinc\rsa_key.priv

ser_home file in hosts/
subnet = 172.16.244.15/32
subnet = 172.16.240.0/22
compression = 10

IP address of SER_HOME = 172.16.244.15

-- 
Jeremy Singer
Gleim Publications
ph: 713.622.8614



Tinc:         Discussion list about the tinc VPN daemon
Archive:      http://mail.nl.linux.org/lists/
Tinc site:    http://tinc.nl.linux.org/
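
tinc decides which node a packet is sent to from the Subnet lines in each node's host file, so the three host files quoted in this message can be checked for ranges that more than one node declares. The following is an added example, not part of the original post or of tinc; `HOSTS`, `parse_subnets` and `find_overlaps` are names made up for it, and the masked `address` line is left out.

```python
import ipaddress
from itertools import combinations

# Host files as quoted in the message above (the masked address line is omitted).
HOSTS = {
    "noctest_svr": "compression = 10\nsubnet = 172.16.244.0/22\nsubnet = 172.16.240.0/22\n",
    "jbs_home": "subnet = 172.16.244.1/32\nsubnet = 172.16.240.0/22\ncompression = 10\n",
    "ser_home": "subnet = 172.16.244.15/32\nsubnet = 172.16.240.0/22\ncompression = 10\n",
}

def parse_subnets(text):
    """Return the networks named on Subnet lines (variable names are case-insensitive)."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() == "subnet":
            nets.append(ipaddress.ip_network(value, strict=False))
    return nets

def find_overlaps(hosts):
    """Return (kind, node_a, net_a, node_b, net_b) for each overlapping pair of declarations.

    kind is "duplicate" when two nodes declare the identical range and
    "nested" when one node's range lies inside another node's larger range.
    """
    declared = {name: parse_subnets(text) for name, text in hosts.items()}
    found = []
    for (a, nets_a), (b, nets_b) in combinations(sorted(declared.items()), 2):
        for na in nets_a:
            for nb in nets_b:
                if na.version != nb.version or not na.overlaps(nb):
                    continue
                kind = "duplicate" if na == nb else "nested"
                found.append((kind, a, str(na), b, str(nb)))
    return found

if __name__ == "__main__":
    for kind, a, na, b, nb in find_overlaps(HOSTS):
        print(f"{kind:9} {a}:{na}  <->  {b}:{nb}")
```
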




