connectivity issues

Guus Sliepen guus at tinc-vpn.org
Sun May 12 14:12:24 CEST 2013


On Sun, May 12, 2013 at 11:49:24AM +1000, Mike Bentzen wrote:

> Since the CVE-2013-1428 was announced, I followed the recommendation
> to update my Windows machines to tinc1.1pre7.
> I've had connectivity issues since upgrading. I've done some
> debugging but I can't figure out when or why it's happening.
> 
> All machines on the network are running Windows 7 or Windows 2008R2
> Enterprise server and tinc 1.1pre7.
> I've got one master node, which all machines connect to. Everything
> is running in router mode.
> All machines (apart from MIKEIPHONE and MIKEIPAD) are connected to
> the network and authenticated.

> I've also recently changed the Forwarding variable on the master
> node to: Forwarding = off, but I cannot remember how long ago this
> was, and I'm not sure if this is what is causing the issue.
> I don't want VPS01PP to route any VPN traffic, I only want it to be
> used for establishing the connection between other nodes.

Try it without "Forwarding = off" in any case.

> When trying to connect MIKEHOMEPC to MIKEDEV02, I get a destination
> unreachable message.
> VPN addresses: MIKEHOMEPC = 192.168.69.5/32, MIKEDEV02 = 192.168.69.3/32
> 
> Pinging 192.168.69.3 with 32 bytes of data:
> Reply from 192.168.69.3: Destination net unreachable.

That reply is generated by tinc and means that it thinks it knows the
192.168.69.3 address, but that the node it belongs to is offline.

> --:MIKEDEV02:--
> I can do a tincctl top, and I can see the following:
> 
> Tinc      vpn          Nodes:    8  Sort: name        Current
> 
> Node                IN pkts   IN bytes   OUT pkts  OUT bytes
> MIKEHOMEPC                0          0          0          0
[...]
> MIKEDEV02                 0          0          1        208
> VPS01PP                   1        208          0          0

That means MIKEDEV02 is receiving approximately 1 packet from VPS01PP and
sending it to the virtual network interface.

> tinc.vpn> dump edges
> MIKEHOMEPC to VPS01PP at x.232.112.61 port 655 options c weight 115
> MIKEDEV02 to VPS01PP at x.232.112.61 port 655 options c weight 87
[...]
> VPS01PP to MIKEHOMEPC at x.241.100.155 port 655 options c weight 115
> VPS01PP to MIKEDEV02 at x.62.187.113 port 655 options c weight 87

> From this screen, it seems that MIKEHOMEPC is only accessible via VPS01PP?

Not necessarily, the "edges" are only the meta connections between the nodes.
To check whether MIKEHOMEPC is reachable, you should give the command:

tinc -n vpn info MIKEHOMEPC

> tinc.rgdevvpn> dump reachable nodes
> MIKEHOMEPC at x.241.100.155 port 655 cipher 91 digest 64 maclength 4 compression 0 options c status 0018 nexthop VPS01PP via MIKEHOMEPC distance 2 pmtu 1451 (min 0 max 1518)
[...]
> MIKEDEV02 at MYSELF port 655 cipher 0 digest 0 maclength 0 compression 0 options 200000c status 0018 nexthop MIKEDEV02 via MIKEDEV02 distance 0 pmtu 1518 (min 0 max 1518)
> VPS01PP at x.232.112.61 port 655 cipher 91 digest 64 maclength 4 compression 0 options c status 009a nexthop VPS01PP via VPS01PP distance 1 pmtu 1459 (min 1459 max 1459)

Hm, that looks like it has a direct connection to MIKEHOMEPC, so it shouldn't
give Destination net unreachable replies.

> When I disconnect MIKEDEV02 from the VPN, and reconnect (restarting
> the Windows service), it works as expected until I've logged off and
> finished what I was doing. Log back on, and I can't connect. I can
> probably provide some debugging output and config shortly, if the
> reason isn't obvious.

Look at the output of "tinc -n vpn info MIKEHOMEPC" when pings are not working.
You can also get detailed log output at any time by running "tinc -n vpn log 5".

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
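
Added example, not part of the message above and not tinc's own code: a small Python parser for the `dump reachable nodes` lines quoted in the thread, pulling out the `nexthop`, `via`, `distance` and PMTU fields that the reply reads by eye. The function names, the EXAMPLENODE line and the reading of `via` and `min 0` are assumptions made for illustration.

```python
import re

# First three node lines are copied from the thread (quote prefix kept);
# the EXAMPLENODE line is constructed to show a relayed node.
SAMPLE = """\
> tinc.rgdevvpn> dump reachable nodes
> MIKEHOMEPC at x.241.100.155 port 655 cipher 91 digest 64 maclength 4 compression 0 options c status 0018 nexthop VPS01PP via MIKEHOMEPC distance 2 pmtu 1451 (min 0 max 1518)
[...]
> MIKEDEV02 at MYSELF port 655 cipher 0 digest 0 maclength 0 compression 0 options 200000c status 0018 nexthop MIKEDEV02 via MIKEDEV02 distance 0 pmtu 1518 (min 0 max 1518)
> VPS01PP at x.232.112.61 port 655 cipher 91 digest 64 maclength 4 compression 0 options c status 009a nexthop VPS01PP via VPS01PP distance 1 pmtu 1459 (min 1459 max 1459)
> EXAMPLENODE at 192.0.2.10 port 655 cipher 91 digest 64 maclength 4 compression 0 options c status 0018 nexthop VPS01PP via VPS01PP distance 2 pmtu 1459 (min 1459 max 1459)
"""

NODE_RE = re.compile(
    r"^(?P<name>\S+) at (?P<host>\S+) port (?P<port>\S+) .*?"
    r"status (?P<status>[0-9a-f]+) nexthop (?P<nexthop>\S+) via (?P<via>\S+) "
    r"distance (?P<distance>\d+) pmtu (?P<pmtu>\d+) "
    r"\(min (?P<pmtu_min>\d+) max (?P<pmtu_max>\d+)\)"
)

def parse_nodes(text):
    """Return {node name: field dict}; prompts and "[...]" lines are skipped."""
    nodes = {}
    for line in text.splitlines():
        m = NODE_RE.match(line.lstrip("> ").strip())
        if not m:
            continue
        node = m.groupdict()
        for key in ("distance", "pmtu", "pmtu_min", "pmtu_max"):
            node[key] = int(node[key])
        nodes[node["name"]] = node
    return nodes

def classify(node):
    """Assumed reading: via == own name means packets are not relayed."""
    if node["host"] == "MYSELF":
        return "self"
    if node["via"] != node["name"]:
        return "relayed via " + node["via"]
    # Assumption: min 0 means PMTU probing has not fixed a lower bound yet.
    if node["pmtu_min"] == 0:
        return "direct, PMTU unconfirmed"
    return "direct"

def report(text):
    return {name: classify(node) for name, node in parse_nodes(text).items()}

if __name__ == "__main__":
    for name, verdict in report(SAMPLE).items():
        print(f"{name:12} {verdict}")
```

Comparing two captures, one taken while pings work and one while they fail, shows which of these fields changed for the affected node.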