OpenVPN - ping does not work from one side
Zdenek Janis
zdenek.janis at brajan.cz
Sunday September 11 12:17:48 CEST 2005
Hello,
I have two machines connected by a VPN. I can ping the tunnel IPs in both
directions, but another IP that is on the same machine as the VPN only from one side.
I am sending the output of "ping", "tcpdump -i tun0", "route" and "iptables" from
the individual machines, and I would like to find out on which of the two machines
something is configured wrong.
OpenVPN is set up as a server on (gw) and it is expected that several clients/networks
will connect to it, but for now I am only concerned with pinging the VPN endpoints.
-----------------------
gw:~# ping 10.0.0.6 /* other end of the VPN (sarge) */
64 bytes from 10.0.0.6: icmp_seq=0 ttl=64 time=129.7 ms
gw:~# tcpdump -i tun0
11:50:02.609744 10.0.0.1 > 10.0.0.6: icmp: echo request (DF)
11:50:02.739113 10.0.0.6 > 10.0.0.1: icmp: echo reply
sarge:~# tcpdump -i tun0
11:50:02.833323 IP 10.0.0.1 > 10.0.0.6: ICMP echo request, id 6920, seq
0, length 64
11:50:02.836787 IP 10.0.0.6 > 10.0.0.1: ICMP echo reply, id 6920, seq
0, length 64
-----------------------
gw:~# ping 10.3.0.55 /* IP on the same PC as the other end of the VPN */
--- 10.3.0.55 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
gw:~# tcpdump -i tun0
11:55:23.117404 10.0.0.1 > 10.3.0.55: icmp: echo request (DF)
11:55:24.108034 10.0.0.1 > 10.3.0.55: icmp: echo request (DF)
11:55:25.108028 10.0.0.1 > 10.3.0.55: icmp: echo request (DF)
sarge:~# tcpdump -i tun0
--- no output :-( ---
-----------------------
sarge:~# ping 10.0.0.1 /* other end of the VPN (gw) */
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=156 ms
gw:~# tcpdump -i tun0
11:57:30.885548 10.0.0.6 > 10.0.0.1: icmp: echo request (DF)
11:57:30.885645 10.0.0.1 > 10.0.0.6: icmp: echo reply
sarge:~# tcpdump -i tun0
11:57:30.977687 IP 10.0.0.6 > 10.0.0.1: ICMP echo request, id 32796,
seq 1, length 64
11:57:31.133758 IP 10.0.0.1 > 10.0.0.6: ICMP echo reply, id 32796, seq
1, length 64
-----------------------
sarge:~# ping 192.168.1.1 /* IP on the same PC as the end of the VPN */
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=147 ms
gw:~# tcpdump -i tun0
11:59:42.500555 10.0.0.6 > 192.168.1.1: icmp: echo request (DF)
11:59:42.500647 192.168.1.1 > 10.0.0.6: icmp: echo reply
sarge:~# tcpdump -i tun0
11:59:42.624111 IP 10.0.0.6 > 192.168.1.1: ICMP echo request, id 33308,
seq 1, length 64
11:59:42.771097 IP 192.168.1.1 > 10.0.0.6: ICMP echo reply, id 33308,
seq 1, length 64
-----------------------
-----------------------
gw:~# route
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.2 * 255.255.255.255 UH 0 0 0 tun0
213.235.170.208 * 255.255.255.252 U 0 0 0 eth1
192.168.33.72 * 255.255.255.252 U 0 0 0 eth2
192.168.33.0 * 255.255.255.252 U 0 0 0 eth1
192.168.33.68 * 255.255.255.252 U 0 0 0 eth2
10.0.0.0 10.0.0.2 255.255.255.0 UG 0 0 0 tun0
localnet * 255.255.255.0 U 0 0 0 eth0
10.3.0.0 10.0.0.2 255.255.0.0 UG 0 0 0 tun0
default 192.168.33.1 0.0.0.0 UG 0 0 0 eth1
-----------------------
gw:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- localnet/24 anywhere to:213.235.170.210
SNAT all -- 192.168.33.2 anywhere to:213.235.170.210
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
-----------------------
-----------------------
sarge:~# route
Adresát Brána Maska Přízn Metrik Odkaz Užt Rozhraní
10.0.0.5 * 255.255.255.255 UH 0 0 0 tun0
10.0.0.0 10.0.0.5 255.255.255.0 UG 0 0 0 tun0
192.168.1.0 10.0.0.5 255.255.255.0 UG 0 0 0 tun0
localnet * 255.255.0.0 U 0 0 0 eth0
default 10.3.0.100 0.0.0.0 UG 0 0 0 eth0
-----------------------
sarge:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
-----------------------
-----------------------
--
Thank you
Zdenek Janis