From: Adrian T. <ate...@gm...> - 2009-10-23 15:53:31
|
Hello all,

I've uncovered some weirdness re: tunnel routing - and it's not clear wots up. If there are any specifics you need from the configs - please let me know - I'm using topology subnet with a server config directive.

manually added client routes (to the server side) - don't appear to hit tunnel - but the client added server routes do? (Is there magic that I'm missing from the man page?)

setup
cr1 = core router 1
er1 = edge router 1

(cr1) (er1) 1.1.1.1/24 (eth0 server) - 1.1.1.2/24 (eth0-client) ||-tun0(10.8.0.1) ||---------------------eth1 ( 172.16.10.1/16) | | 3.3.3.1/24(eth0:1) tun0(10.8.0.4)

tunnel stands up aok -
from client can ping server (10.8.0.1)
from server can ping client (10.8.0.4)

force in a manual route on the tunnel from the client to the server ( 3.3.3.0/25)
route add -net 3.3.3.0/24 gw 10.8.0.1 (on client)
can ping the server 3.3.3.1

route add -net 172.16.10.0/24 gw 10.8.0.4 (on server)
cannot ping 172.16.10.1 from the server - (ping returns nothing and the routes look ok) (captured below) (and the packet never hits tun0 from a tcpdump trace)

and yet ...

cr1:~# ip route get 172.16.10.1
172.16.10.1 via 10.8.0.4 dev tun0 src 10.8.0.1
    cache mtu 1500 advmss 1460 hoplimit 64
cr1:~#

[client routes]
er1:~# ip route show
2.2.2.0/24 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.4
1.1.1.0/24 dev eth0 proto kernel scope link src 1.1.1.2
172.16.10.0/24 dev eth1 proto kernel scope link src 172.16.10.1
3.3.3.0/24 via 10.8.0.1 dev tun0
er1:~#
er1:~# ping 3.3.3.1
PING 3.3.3.1 (3.3.3.1) 56(84) bytes of data.
64 bytes from 3.3.3.1: icmp_seq=1 ttl=64 time=1.56 ms
^C
--- 3.3.3.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.567/1.567/1.567/0.000 ms
er1:~#

[server routes]
cr1:~# ip route
2.2.2.0/24 dev eth1 proto kernel scope link src 2.2.2.1
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
5.5.5.0/24 dev eth1 proto kernel scope link src 5.5.5.5
1.1.1.0/24 dev eth1 proto kernel scope link src 1.1.1.1
172.16.10.0/24 via 10.8.0.4 dev tun0
3.3.3.0/24 dev eth1 proto kernel scope link src 3.3.3.1
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.215
default via 192.168.10.11 dev eth0
cr1:~# ping 172.16.10.1
PING 172.16.10.1 (172.16.10.1) 56(84) bytes of data.
^C
--- 172.16.10.1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1002ms

if you read this far - thank you

this is the only thing that seems to point to anything being wrong on the server side: it's the repeating ....

recvmsg(3, 0x7fff3f1a1bc0, 0) = -1 EAGAIN (Resource temporarily unavailable)

which i think is

socket(PF_INET, SOCK_RAW, IPPROTO_ICMP) = 3

Why the heck would the socket be unavailable? - packets aren't hitting any other interfaces on the host (did a sniff with tcpdump on the eth0/eth1 interfaces and the

[Editor's note: the strace below shows SO_RCVTIMEO being set on this socket, so EAGAIN from recvmsg means the receive timed out with no reply arriving, not that the socket itself is unavailable.]

cr1:~# ping 172.16.10.1
PING 172.16.10.1 (172.16.10.1) 56(84) bytes of data.
^C --- 172.16.10.1 ping statistics --- 2 packets transmitted, 0 received, 100% packet loss, time 1002ms cr1:~# strace ping 172.16.10.1 execve("/bin/ping", ["ping", "172.16.10.1"], [/* 15 vars */]) = 0 brk(0) = 0xadc000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5b371a0000 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5b3719e000 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=7308, ...}) = 0 mmap(NULL, 7308, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f5b3719c000 close(3) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/lib/libresolv.so.2", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\00003\0\0\0\0\0\0@"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0644, st_size=72568, ...}) = 0 mmap(NULL, 2177800, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f5b36d72000 mprotect(0x7f5b36d82000, 2097152, PROT_NONE) = 0 mmap(0x7f5b36f82000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x10000) = 0x7f5b36f82000 mmap(0x7f5b36f84000, 6920, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f5b36f84000 close(3) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/lib/libc.so.6", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300\342\1\0\0\0\0\0@"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=1375536, ...}) = 0 mmap(NULL, 3482232, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f5b36a1f000 mprotect(0x7f5b36b69000, 2093056, PROT_NONE) = 0 mmap(0x7f5b36d68000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x149000) = 0x7f5b36d68000 mmap(0x7f5b36d6d000, 17016, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f5b36d6d000 
close(3) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5b3719b000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5b3719a000 arch_prctl(ARCH_SET_FS, 0x7f5b3719a6e0) = 0 mprotect(0x7f5b36d68000, 12288, PROT_READ) = 0 munmap(0x7f5b3719c000, 7308) = 0 socket(PF_INET, SOCK_RAW, IPPROTO_ICMP) = 3 getuid() = 0 setuid(0) = 0 socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 4 connect(4, {sa_family=AF_INET, sin_port=htons(1025), sin_addr=inet_addr("172.16.10.1")}, 16) = 0 getsockname(4, {sa_family=AF_INET, sin_port=htons(47283), sin_addr=inet_addr("10.8.0.1")}, [4546980343248322576]) = 0 close(4) = 0 setsockopt(3, SOL_RAW, ICMP_FILTER, ~(ICMP_ECHOREPLY|ICMP_DEST_UNREACH|ICMP_SOURCE_QUENCH|ICMP_REDIRECT|ICMP_TIME_EXCEEDED|ICMP_PARAMETERPROB), 4) = 0 setsockopt(3, SOL_IP, IP_RECVERR, [1], 4) = 0 setsockopt(3, SOL_SOCKET, SO_SNDBUF, [324], 4) = 0 setsockopt(3, SOL_SOCKET, SO_RCVBUF, [65536], 4) = 0 getsockopt(3, SOL_SOCKET, SO_RCVBUF, [4546978934499180544], [4]) = 0 brk(0) = 0xadc000 brk(0xafd000) = 0xafd000 fstat(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 0), ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5b3719d000 write(1, "PING 172.16.10.1 (172.16.10.1) 56"..., 53PING 172.16.10.1 (172.16.10.1) 56(84) bytes of data. 
) = 53 setsockopt(3, SOL_SOCKET, SO_TIMESTAMP, [1], 4) = 0 setsockopt(3, SOL_SOCKET, SO_SNDTIMEO, "\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 16) = 0 setsockopt(3, SOL_SOCKET, SO_RCVTIMEO, "\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 16) = 0 getpid() = 6890 rt_sigaction(SIGINT, {0x403890, [], SA_RESTORER|SA_INTERRUPT, 0x7f5b36a50f60}, NULL, 8) = 0 rt_sigaction(SIGALRM, {0x403890, [], SA_RESTORER|SA_INTERRUPT, 0x7f5b36a50f60}, NULL, 8) = 0 rt_sigaction(SIGQUIT, {0x4038a0, [], SA_RESTORER|SA_INTERRUPT, 0x7f5b36a50f60}, NULL, 8) = 0 gettimeofday({1256312197, 522993}, NULL) = 0 ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0 ioctl(1, TIOCGWINSZ, {ws_row=24, ws_col=80, ws_xpixel=0, ws_ypixel=0}) = 0 gettimeofday({1256312197, 523411}, NULL) = 0 gettimeofday({1256312197, 523514}, NULL) = 0 sendmsg(3, {msg_name(16)={sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("172.16.10.1")}, msg_iov(1)=[{"\10\0\345\373\352\32\0\1\205\315\341J\0\0\0\0\372\374\7\0\0\0\0\0\20\21\22\23\24\25\26\27\30"..., 64}], msg_controllen=0, msg_flags=0}, 0) = 64 recvmsg(3, 0x7fff3f1a1bc0, 0) = -1 EAGAIN (Resource temporarily unavailable) gettimeofday({1256312198, 522958}, NULL) = 0 gettimeofday({1256312198, 524081}, NULL) = 0 sendmsg(3, {msg_name(16)={sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("172.16.10.1")}, msg_iov(1)=[{"\10\0\255\370\352\32\0\2\206\315\341J\0\0\0\0001\377\7\0\0\0\0\0\20\21\22\23\24\25\26\27\30"..., 64}], msg_controllen=0, msg_flags=0}, 0) = 64 recvmsg(3, 0x7fff3f1a1bc0, 0) = -1 EAGAIN (Resource temporarily unavailable) gettimeofday({1256312199, 531183}, NULL) = 0 gettimeofday({1256312199, 532080}, NULL) = 0 sendmsg(3, {msg_name(16)={sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("172.16.10.1")}, msg_iov(1)=[{"\10\0m\330\352\32\0\3\207\315\341J\0\0\0\0p\36\10\0\0\0\0\0\20\21\22\23\24\25\26\27\30"..., 64}], msg_controllen=0, msg_flags=0}, 0) = 64 recvmsg(3, ^C <unfinished ...> cr1:~# |