Hi all.
I have been playing with vtun for the last couple of hours. I have got the tunnel working and I see traffic flowing in both directions. When I ping from the client to the server using the tunnel IP address, I get a response, but when I ping from the server to the client I do not get any reply, although with tcpdump I do see the traffic reaching the client. Should ping work both ways? I do not see why not, but cannot find a reason why this is not working. Is it an ARP problem? Any help would be much appreciated. Thanks.
I thought it may be a routing problem, but it doesn't sound like it. I
think it's a firewall problem on the client. Check that firewalls
aren't allowing RELATED but blocking NEW ICMP incoming.
Generally, ping SHOULD work both ways, and if the ICMP is coming in to
the client (tcpdump) then we know ARP is working.
If that's no good, send me a note and help me duplicate your setup: on
client and server, show me
- your vtund.conf
- rpm -q vtun
- route -n
- ifconfig
.. and we'll see if that gives us a proper hint.
bish
morkeus wrote:
Hi all.
I have been playing with vtun for the last couple of hours. I have got
the tunnel working and I see traffic flowing in both directions. When I
ping from the client to the server using the tunnel IP address, I get a
response, but when I ping from the server to the client I do not get
any reply, although with tcpdump I do see the traffic reaching the client.
Should ping work both ways? I do not see why not, but cannot find a
reason why this is not working. Is it an ARP problem? Any help would be much
appreciated. Thanks.
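Bishop's suspicion above is the classic stateful-firewall asymmetry: a ruleset that accepts RELATED,ESTABLISHED traffic lets the client's own pings succeed (the echo-reply belongs to an existing flow) while an echo-request arriving from the server is a NEW flow and falls through to a DROP policy. The script below is an added example, not code from this thread or from the vtun project. It walks saved iptables rules (iptables-save syntax) and answers whether a NEW inbound echo-request on a given interface would be accepted, then prints the rule that fixes it. The three rulesets are constructed samples; nothing here is taken from the poster's VPS images, and the interface name tun0 is assumed from the ifconfig output in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: decide from saved iptables rules
# whether a fresh (conntrack state NEW) inbound ICMP echo-request arriving on
# a given interface would be accepted by the INPUT chain. The rulesets below
# are constructed samples, not anything the thread's VPS images actually run.

# Typical "stateful default-deny" template: replies to our own traffic and a
# few TCP ports are allowed, everything else hits the DROP policy. A ping
# *from* this host works (the reply is RELATED,ESTABLISHED); a ping *to* it
# is a NEW flow and is silently dropped, the symptom Bishop describes.
BLOCKING_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12345 -j ACCEPT
COMMIT'

# Same template with echo-requests on the tunnel interface accepted before
# the policy applies (the rule icmp_fix_rule prints, as iptables-save shows it).
FIXED_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i tun0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Explicit ICMP drop placed ahead of an accept: first match wins.
DROP_ICMP_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p icmp -j DROP
-A INPUT -p icmp -j ACCEPT
COMMIT'

# Return 0 if a NEW echo-request on interface $2 is accepted by the INPUT
# chain of the iptables-save text $1, 1 otherwise. Simplified walker: it
# understands -i, -p, --icmp-type, --ctstate/--state and the chain policy,
# and does not follow jumps into user-defined chains.
icmp_echo_allowed() {
    ruleset=$1
    iface=$2
    policy=DROP
    while IFS= read -r line; do
        case "$line" in
            ':INPUT ACCEPT'*) policy=ACCEPT; continue ;;
            ':INPUT '*)       policy=DROP;   continue ;;
            '-A INPUT '*) ;;
            *) continue ;;
        esac
        # Rules bound to another interface never see our packet.
        case "$line" in
            *' -i '*)
                case "$line" in
                    *" -i $iface "*) ;;
                    *) continue ;;
                esac ;;
        esac
        # RELATED,ESTABLISHED rules do not match a fresh echo-request.
        case "$line" in
            *' --ctstate '*|*' --state '*)
                case "$line" in
                    *NEW*) ;;
                    *) continue ;;
                esac ;;
        esac
        # Only icmp (or no -p at all) can match; other icmp types do not.
        case "$line" in
            *' -p icmp '*)
                case "$line" in
                    *' --icmp-type '*)
                        case "$line" in
                            *' --icmp-type echo-request '*|*' --icmp-type 8 '*|*' --icmp-type 8/'*) ;;
                            *) continue ;;
                        esac ;;
                esac ;;
            *' -p '*) continue ;;
        esac
        # First matching terminal target decides.
        case "$line" in
            *' -j ACCEPT'*) return 0 ;;
            *' -j DROP'*|*' -j REJECT'*) return 1 ;;
        esac
    done <<EOF
$ruleset
EOF
    [ "$policy" = ACCEPT ]
}

# The rule to insert at the top of INPUT so echo-requests from the tunnel peer
# are answered; returned as a string so it can be reviewed before running.
icmp_fix_rule() {
    printf 'iptables -I INPUT -i %s -p icmp --icmp-type echo-request -j ACCEPT\n' "$1"
}

# Stand-alone demo. On a real host: icmp_echo_allowed "$(iptables-save)" tun0
for name in BLOCKING_RULES FIXED_RULES DROP_ICMP_RULES; do
    eval "rules=\$$name"
    if icmp_echo_allowed "$rules" tun0; then
        echo "$name: echo-request on tun0 ACCEPTED"
    else
        echo "$name: echo-request on tun0 DROPPED; fix: $(icmp_fix_rule tun0)"
    fi
done
```

On the client in the thread, feeding the live ruleset in (`icmp_echo_allowed "$(iptables-save)" tun0`) answers Bishop's question directly; `iptables -vnL INPUT` will also show the DROP policy counter climbing once per echo-request that tcpdump sees arrive. Restricting the fix to `-i tun0` keeps the public interface's policy unchanged, which matters on a VPS whose only other reachable service should be the vtun port.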
Thanks Bishop. Still troubleshooting this. There are no active firewalls; both servers are fresh VPS images from DigitalOcean, so I assume consistency.
Here are the configs, some pings and the routing table.
————————begin server config ——————————————
options {
port 12345;
# Path to various programs
ppp /usr/sbin/pppd;
ifconfig /sbin/ifconfig;
route /sbin/route;
firewall /sbin/ipchains;
ip /sbin/ip;
}
# Default session options
default {
compress no; # Compression is off by default
speed 0; # By default maximum speed, NO shaping
multi yes;
persist yes;
}
# Server
new {
passwd 1xy63;
type tun;
proto tcp;
up {
ifconfig "%% 192.168.100.1 pointopoint 192.168.100.2 mtu 1450";
program "/usr/sbin/arp -sD 192.168.100.1 eth0 pub";
};
}
Thanks for all the information you've sent. Your original thought about
ARP seems to be more interesting. Usually you don't need to do this,
and I'm wondering what your plan is here.
Consider disabling them and seeing whether it fixes the connectivity.
bish
morkeus wrote:
Thanks Bishop. Still troubleshooting this. There are no active firewalls;
both servers are fresh VPS images from DigitalOcean, so I assume
consistency.
here are the configs, some pings and the routing table.
————————begin server config ——————————————
default {
compress no; # Compression is off by default
speed 0; # By default maximum speed, NO shaping
multi yes;
persist yes;
}
# Server
new {
passwd 1xy63;
type tun;
proto tcp;
up {
ifconfig "%% 192.168.100.1 pointopoint 192.168.100.2 mtu 1450";
program "/usr/sbin/arp -sD 192.168.100.1 eth0 pub";
};
}
———————end server config.—————————
Hi Bishop. Yeah, I already tried not adding any ARP at all, also tried it on the server only, and also played a bit with setting routes and static MAC addresses. I honestly cannot find it, and that really pisses me off.
I have a couple of hypotheses.
1- The VPS provider has a filter somewhere, probably anti-spoofing, or is using a transparent proxy on one of the sites that does not support something of what I am doing.
2- I have seen this in very old Cisco routers: even with a local interface in the same network, IOS will default the source interface to some other network, and therefore unless you have the full routing sorted, it will not work. But I tried changing the ping source and it still does not work.
Anyway, I am building a point-to-multipoint tunnel for forwarding non-critical traffic, but could not get past this point and am wondering whether vtun is the right choice if I cannot even debug this. I love the simplicity of vtun and the fact that it is not wasting CPU cycles encrypting and can run on a shared-kernel VPS (which GRE cannot).
Nevertheless, I will be without internet for the next couple of weeks; I will try again once I am back. Thanks for your help, mate.
morkeus wrote:
Argh. That's it: allowing RELATED, but blocking NEW ICMP.
Argh again.
Bishop wrote:
Thanks Bishop. Still troubleshooting this. There are no active firewalls; both servers are fresh VPS images from DigitalOcean, so I assume consistency.
Here are the configs, some pings and the routing table.
————————begin server config ——————————————
options {
port 12345;
# Path to various programs
ppp /usr/sbin/pppd;
ifconfig /sbin/ifconfig;
route /sbin/route;
firewall /sbin/ipchains;
ip /sbin/ip;
}
# Default session options
default {
compress no; # Compression is off by default
speed 0; # By default maximum speed, NO shaping
multi yes;
persist yes;
}
# Server
new {
passwd 1xy63;
type tun;
proto tcp;
up {
ifconfig "%% 192.168.100.1 pointopoint 192.168.100.2 mtu 1450";
program "/usr/sbin/arp -sD 192.168.100.1 eth0 pub";
};
}
———————end server config.—————————
Server status
root@us:/etc# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.241.245.1   0.0.0.0         UG        0 0          0 eth0
192.168.100.2   0.0.0.0         255.255.255.255 UH        0 0          0 tun0
192.241.245.0   0.0.0.0         255.255.255.0   U         0 0          0 eth0
eth0 is internet.
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.100.1  P-t-P:192.168.100.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1450  Metric:1
          RX packets:2 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:168 (168.0 B)  TX bytes:504 (504.0 B)
Ping to client does not work.
root@us:/etc# ping 192.168.100.2
PING 192.168.100.2 (192.168.100.2) 56(84) bytes of data.
^C
--- 192.168.100.2 ping statistics ---
13 packets transmitted, 0 received, 100% packet loss, time 1999ms
But of course, I can ping my own IP.
root@us:/etc# ping 192.168.100.1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_req=1 ttl=64 time=0.049 ms
64 bytes from 192.168.100.1: icmp_req=2 ttl=64 time=0.058 ms
^C
--- 192.168.100.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.049/0.053/0.058/0.008 ms
———————Begin client Config—————————
options {
port 12345;
# Path to various programs
ppp /usr/sbin/pppd;
ifconfig /sbin/ifconfig;
route /sbin/route;
firewall /sbin/ipchains;
ip /sbin/ip;
}
# Default session options
default {
compress no; # Compression is off by default
speed 0; # By default maximum speed, NO shaping
}
# Client Configuration sample No.2
new {
passwd 1xy63;
type tun;
proto tcp;
up {
ifconfig "%% 192.168.100.2 pointopoint 192.168.100.1 mtu 1450";
program "/usr/sbin/arp -sD 192.168.100.2 eth0 pub";
};
}
———————end client config—————————
Client status
root@ams:/etc# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         188.226.184.1   0.0.0.0         UG        0 0          0 eth0
188.226.184.0   0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.100.1   0.0.0.0         255.255.255.255 UH        0 0          0 tun0
Ping works in both directions.
root@ams:/etc/vtun# ping 192.168.100.1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_req=1 ttl=64 time=91.0 ms
64 bytes from 192.168.100.1: icmp_req=2 ttl=64 time=91.1 ms
^C
--- 192.168.100.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 91.080/91.123/91.167/0.304 ms
root@ams:/etc/vtun# ping 192.168.100.2
PING 192.168.100.2 (192.168.100.2) 56(84) bytes of data.
64 bytes from 192.168.100.2: icmp_req=1 ttl=64 time=0.061 ms
64 bytes from 192.168.100.2: icmp_req=2 ttl=64 time=0.056 ms
^C
--- 192.168.100.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.056/0.058/0.061/0.008 ms
Thanks for your help.
Regards.