a few questions about VPN - OpenVPN

Miroslav Lachman 000.fbsd at quip.cz
Wed Apr 16 14:15:27 CEST 2008


Dan Lukes wrote:

> Miroslav Lachman wrote:
> 
>>tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
>>         inet 10.8.0.226 --> 10.8.0.225 netmask 0xffffffff
>>         Opened by PID 827
> 
> 
>>Clients in the LAN have addresses in the 10.1.1.0/24 range and should be 
>>able to reach, for example, 10.8.0.1
> 
> 
> 	So you run tcpdump on the tun0 interface, try the communication that 
> does not work, and analyze what tcpdump shows you. I assume you will see 
> packets leaving, but you will not see replies coming back. So directly from 
> the router it works, but replies do not arrive from the other side - then 
> the administrator of the router on the opposite side has to deal with it, 
> but most likely it is a problem with the routing table or the firewall there.
> 
> 	If replies from the other side do arrive, they will be visible on the 
> router but will not reach the client, then the problem is on your side.
> 
> 	And I would deal with the rest only once you have looked at the tcpdump 
> and we know which of the possibilities it is.

This is the dump when I ping 10.8.0.1 directly from the machine (gw) on 
which OpenVPN runs as a client
# tcpdump -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type NULL (BSD loopback), capture size 96 bytes
14:01:57.111909 IP 10.8.0.226 > 10.8.0.1: ICMP echo request, id 54720, seq 17, length 64
14:01:57.116098 IP 10.8.0.1 > 10.8.0.226: ICMP echo reply, id 54720, seq 17, length 64
14:01:58.153285 IP 10.8.0.226 > 10.8.0.1: ICMP echo request, id 54720, seq 18, length 64
14:01:58.157451 IP 10.8.0.1 > 10.8.0.226: ICMP echo reply, id 54720, seq 18, length 64

This is the dump when the ping to 10.8.0.1 comes from a machine in the LAN
# tcpdump -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type NULL (BSD loopback), capture size 96 bytes
14:07:32.152619 IP 10.1.1.2 > 10.8.0.1: ICMP echo request, id 1, seq 1302, length 40
14:07:37.152998 IP 10.1.1.2 > 10.8.0.1: ICMP echo request, id 1, seq 1304, length 40

And optionally the verbose variant of the same
# tcpdump -i tun0 -vv
tcpdump: listening on tun0, link-type NULL (BSD loopback), capture size 96 bytes
14:10:02.165020 IP (tos 0x0, ttl 127, id 5165, offset 0, flags [none], proto ICMP (1), length 60) 10.1.1.2 > 10.8.0.1: ICMP echo request, id 1, seq 1334, length 40
14:10:07.165456 IP (tos 0x0, ttl 127, id 5222, offset 0, flags [none], proto ICMP (1), length 60) 10.1.1.2 > 10.8.0.1: ICMP echo request, id 1, seq 1335, length 40

So the packets go out and do not come back - is there any other possible 
explanation than that it is "wrongly" configured on the other end? I would 
like to rule out my own mistake before I start (rather laboriously) 
bothering someone on the other side.

Mirek
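
The comparison made by eye in the message above (echo requests leaving on tun0, replies coming back or not) can be done mechanically per source address. This is an added example, not part of the original message; it parses only the non-verbose tcpdump line format shown above, and the name echo_stats and the rejoined sample lines are constructed for illustration.

```python
import re

# Constructed sample: the non-verbose tcpdump lines from the message above,
# with the mail client's line wraps rejoined.
CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
14:01:57.111909 IP 10.8.0.226 > 10.8.0.1: ICMP echo request, id 54720, seq 17, length 64
14:01:57.116098 IP 10.8.0.1 > 10.8.0.226: ICMP echo reply, id 54720, seq 17, length 64
14:01:58.153285 IP 10.8.0.226 > 10.8.0.1: ICMP echo request, id 54720, seq 18, length 64
14:01:58.157451 IP 10.8.0.1 > 10.8.0.226: ICMP echo reply, id 54720, seq 18, length 64
14:07:32.152619 IP 10.1.1.2 > 10.8.0.1: ICMP echo request, id 1, seq 1302, length 40
14:07:37.152998 IP 10.1.1.2 > 10.8.0.1: ICMP echo request, id 1, seq 1304, length 40
"""

# Matches only the short (non -v) ICMP echo lines; everything else is skipped.
LINE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

def echo_stats(capture):
    """Return {requester IP: (requests seen, requests answered)}."""
    sent = {}  # (requester, target, id, seq) -> True once a reply was seen
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # banner lines, non-ICMP traffic, verbose format
        ident = (int(m["id"]), int(m["seq"]))
        if m["kind"] == "request":
            sent.setdefault((m["src"], m["dst"]) + ident, False)
        else:
            # A reply travels target -> requester, so swap the addresses.
            key = (m["dst"], m["src"]) + ident
            if key in sent:
                sent[key] = True
    stats = {}
    for (src, _dst, _id, _seq), answered in sent.items():
        total, ok = stats.get(src, (0, 0))
        stats[src] = (total + 1, ok + int(answered))
    return stats

if __name__ == "__main__":
    for src, (total, ok) in echo_stats(CAPTURE).items():
        print(f"{src}: {ok}/{total} echo requests answered on tun0")
```

A request captured just before tcpdump was stopped is counted as unanswered, so judge a source by several requests, not by the last one.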


