* Problems with Core 70 and OpenVPN N2N
From: Erik K. @ 2013-07-11 18:33 UTC
To: development

Hi all,

I have tried Core 70 and OpenVPN N2N today and had problems establishing the connection.

The infrastructure:

IPFire (remote) <--> Router <--> [ Internet ] <--> (local) Router <--> (local) IPFire

So both sides with double NAT. The log messages give me the following back:

Jul 11 18:17:35 ipfire Testn2n[13565]: UDPv4 link remote: 192.168.20.2:5329
Jul 11 18:19:09 ipfire Testn2n[13808]: TLS Error: client->client or server->server connection attempted from 192.168.20.2:5329
Jul 11 18:18:01 ipfire Testn2n[13565]: event_wait : Interrupted system call (code=4)

I have never seen this message (the one in the middle) before...

So I looked at the configuration file on the TLS client, where the "Remote Host/IP" was set to 192.168.20.2 (the red0 IP). I then changed it to the remote IP (in versions before Core 70 this was not necessary), and the following log output appeared:

Jul 11 20:22:49 ipfire Testn2n[6875]: Expected Remote Options hash (VER=V4): '9e986809'
Jul 11 20:22:49 ipfire-bbach Testn2n[[6875]: UDPv4 link remote: 172.11.xx.xx:5329
Jul 11 20:23:50 ipfire Testn2n[[6875]: [UNDEF] Inactivity timeout (--ping-restart), restarting

Looks like a closed firewall. Port forwarding from both upstream routers to IPFire was set up, and the outgoing FW was in mode 0.

Maybe someone has an idea what's causing this problem?

Greetings

Erik
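The two log excerpts above show two different failure modes: the first run reports "client->client or server->server connection attempted", which OpenVPN emits when the peer it reached holds the same TLS role (here because "Remote Host/IP" pointed at the firewall's own red0 address), while the second run never hears back from the peer at all and times out with --ping-restart. Below is an added triage script, not from the thread or from IPFire, that groups such syslog lines by OpenVPN process id (each restart is a new pid), tags the known messages, and additionally flags a 'remote' that points back at one of this host's own addresses. The log lines embedded in it are constructed to the shape of the lines above; the address list in `local_addrs`, the finding codes and the explanation texts are the script's own assumptions.

```python
import re
from collections import OrderedDict

# Constructed sample, modelled on the OpenVPN log lines posted in the thread.
# The x's in 172.11.xx.xx are the poster's own redaction and are kept as-is.
SAMPLE_LOG = """\
Jul 11 18:17:35 ipfire Testn2n[13565]: UDPv4 link remote: 192.168.20.2:5329
Jul 11 18:19:09 ipfire Testn2n[13808]: TLS Error: client->client or server->server connection attempted from 192.168.20.2:5329
Jul 11 18:18:01 ipfire Testn2n[13565]: event_wait : Interrupted system call (code=4)
Jul 11 20:22:49 ipfire Testn2n[6875]: Expected Remote Options hash (VER=V4): '9e986809'
Jul 11 20:22:49 ipfire-bbach Testn2n[[6875]: UDPv4 link remote: 172.11.xx.xx:5329
Jul 11 20:23:50 ipfire Testn2n[[6875]: [UNDEF] Inactivity timeout (--ping-restart), restarting
"""

# Syslog line: "<month day time> <host> <program>[<pid>]: <message>".
# The "\[+" tolerates the doubled bracket ("Testn2n[[6875]") seen in the posted log.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[\s]+)\[+(?P<pid>\d+)\]+: (?P<msg>.*)$")
REMOTE_RE = re.compile(r"UDPv4 link remote: (?P<addr>\S+)")

# Signature table (assumed by this script): regex, finding code, usual meaning.
SIGNATURES = [
    (re.compile(r"TLS Error: client->client or server->server connection attempted"),
     "same-role", "the peer answered with the same TLS role: exactly one side must be the "
                  "TLS server, and 'remote' must not point at this host's own address"),
    (re.compile(r"Inactivity timeout \(--ping-restart\)"),
     "no-reply", "nothing arrived from the peer before --ping-restart expired: the UDP "
                 "port is not reaching the peer (NAT port forward / firewall on either end)"),
    (re.compile(r"event_wait : Interrupted system call"),
     "eintr", "the wait loop was interrupted by a signal (usually the restart itself); benign"),
]
EXPLANATIONS = {code: text for _, code, text in SIGNATURES}
EXPLANATIONS["remote-is-self"] = ("'remote' is an address of this host, so the client "
                                  "connects to its own server instance")


def triage(lines, local_addrs=()):
    """Group OpenVPN syslog lines by process id and attach finding codes.
    local_addrs: this host's own addresses, used to catch a 'remote' that points
    back at the firewall itself (the misconfiguration described in the thread)."""
    sessions = OrderedDict()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an OpenVPN syslog line we understand
        pid = int(m["pid"])
        s = sessions.setdefault(pid, {"pid": pid, "remote": None, "findings": []})
        r = REMOTE_RE.search(m["msg"])
        if r:
            s["remote"] = r["addr"]
            host = r["addr"].rsplit(":", 1)[0]  # strip the port
            if host in local_addrs and "remote-is-self" not in s["findings"]:
                s["findings"].append("remote-is-self")
        for rx, code, _ in SIGNATURES:
            if rx.search(m["msg"]) and code not in s["findings"]:
                s["findings"].append(code)
    return list(sessions.values())


def verdict(session):
    """Collapse a session's findings into one triage verdict, most specific first."""
    f = session["findings"]
    if "remote-is-self" in f or "same-role" in f:
        return "misconfigured remote/role"
    if "no-reply" in f:
        return "peer unreachable"
    return "no fault found"


if __name__ == "__main__":
    # 192.168.20.2 is the red0 address named in the post (constructed local address list).
    for s in triage(SAMPLE_LOG.splitlines(), local_addrs={"192.168.20.2"}):
        print(f"pid {s['pid']} remote={s['remote']} -> {verdict(s)}")
        for code in s["findings"]:
            print(f"    {code}: {EXPLANATIONS[code]}")
```

Grouping by pid matters here: the three lines of the first excerpt belong to two different processes (13565 and 13808), so the out-of-order timestamps are two restarts, not one session. The "remote-is-self" check is the one that would have caught the original problem before any packet was sent.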
* Re: Problems with Core 70 and OpenVPN N2N
From: Michael Tremer @ 2013-07-11 22:06 UTC
To: development

Could you provide the iptables ruleset that is loaded?

This should not be caused by the latest NAT changes in core update 70. But that's just a wild guess.

-Michael

On Thu, 2013-07-11 at 20:33 +0200, Erik K. wrote:
> Hi all,
>
> I have tried Core 70 and OpenVPN N2N today and had problems establishing the connection.
>
> The infrastructure:
>
> IPFire (remote) <--> Router <--> [ Internet ] <--> (local) Router <--> (local) IPFire
>
> So both sides with double NAT. The log messages give me the following back:
>
> Jul 11 18:17:35 ipfire Testn2n[13565]: UDPv4 link remote: 192.168.20.2:5329
> Jul 11 18:19:09 ipfire Testn2n[13808]: TLS Error: client->client or server->server connection attempted from 192.168.20.2:5329
> Jul 11 18:18:01 ipfire Testn2n[13565]: event_wait : Interrupted system call (code=4)
>
> I have never seen this message (the one in the middle) before...
>
> So I looked at the configuration file on the TLS client, where the "Remote Host/IP" was set to 192.168.20.2 (the red0 IP). I then changed it to the remote IP (in versions before Core 70 this was not necessary), and the following log output appeared:
>
> Jul 11 20:22:49 ipfire Testn2n[6875]: Expected Remote Options hash (VER=V4): '9e986809'
> Jul 11 20:22:49 ipfire-bbach Testn2n[[6875]: UDPv4 link remote: 172.11.xx.xx:5329
> Jul 11 20:23:50 ipfire Testn2n[[6875]: [UNDEF] Inactivity timeout (--ping-restart), restarting
>
> Looks like a closed firewall. Port forwarding from both upstream routers to IPFire was set up, and the outgoing FW was in mode 0.
>
> Maybe someone has an idea what's causing this problem?
>
> Greetings
>
> Erik
>
> _______________________________________________
> Development mailing list
> Development(a)lists.ipfire.org
> http://lists.ipfire.org/mailman/listinfo/development
* Re: Problems with Core 70 and OpenVPN N2N
From: Erik K. @ 2013-07-12 9:04 UTC
To: development

Hi Michael,

here are the ovpn chains:

Chain OVPNFORWARD (1 references)
target             prot  opt source               destination
ACCEPT             all   --  anywhere             anywhere

Chain OVPNINPUT (1 references)
target             prot  opt source               destination
ACCEPT             udp   --  anywhere             anywhere             udp dpt:carrius-rshell
ACCEPT             all   --  anywhere             anywhere
ACCEPT             udp   --  anywhere             anywhere             udp dpt:5329

Chain OVPN_BLUE_FORWARD (1 references)
target             prot  opt source               destination
ACCEPT             all   --  anywhere             anywhere

Chain OVPN_BLUE_INPUT (1 references)
target             prot  opt source               destination
ACCEPT             udp   --  anywhere             anywhere             udp dpt:carrius-rshell
ACCEPT             all   --  anywhere             anywhere

and the rest of iptables -L:

Chain INPUT (policy DROP)
target             prot  opt source               destination
BADTCP             all   --  anywhere             anywhere
CUSTOMINPUT        all   --  anywhere             anywhere
GUARDIAN           all   --  anywhere             anywhere
IPTVINPUT          all   --  anywhere             anywhere
GUIINPUT           all   --  anywhere             anywhere
ACCEPT             all   --  anywhere             anywhere             state RELATED,ESTABLISHED
IPSECINPUT         all   --  anywhere             anywhere
OPENSSLVIRTUAL     all   --  anywhere             anywhere             /* OPENSSLVIRTUAL INPUT */
ACCEPT             all   --  anywhere             anywhere             state NEW
DROP               all   --  127.0.0.0/8          anywhere             state NEW
DROP               all   --  anywhere             127.0.0.0/8          state NEW
ACCEPT             !icmp --  anywhere             anywhere             state NEW
DHCPBLUEINPUT      all   --  anywhere             anywhere
OVPNINPUT          all   --  anywhere             anywhere
OVPN_BLUE_INPUT    all   --  anywhere             anywhere
OPENSSLPHYSICAL    all   --  anywhere             anywhere
WIRELESSINPUT      all   --  anywhere             anywhere             state NEW
REDINPUT           all   --  anywhere             anywhere
XTACCESS           all   --  anywhere             anywhere             state NEW
LOG                all   --  anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning prefix "DROP_INPUT "
DROP               all   --  anywhere             anywhere             /* DROP_INPUT */

Chain FORWARD (policy DROP)
target             prot  opt source               destination
BADTCP             all   --  anywhere             anywhere
TCPMSS             tcp   --  anywhere             anywhere             tcpflags: SYN,RST/SYN TCPMSS clamp to PMTU
GUARDIAN           all   --  anywhere             anywhere
CUSTOMFORWARD      all   --  anywhere             anywhere
IPTVFORWARD        all   --  anywhere             anywhere
ACCEPT             all   --  anywhere             anywhere             state RELATED,ESTABLISHED
IPSECFORWARD       all   --  anywhere             anywhere
OPENSSLVIRTUAL     all   --  anywhere             anywhere             /* OPENSSLVIRTUAL FORWARD */
OUTGOINGFWMAC      all   --  anywhere             anywhere
ACCEPT             all   --  anywhere             anywhere             state NEW
DROP               all   --  127.0.0.0/8          anywhere             state NEW
OVPNFORWARD        all   --  anywhere             anywhere
OVPN_BLUE_FORWARD  all   --  anywhere             anywhere
DROP               all   --  anywhere             127.0.0.0/8          state NEW
ACCEPT             all   --  anywhere             anywhere             state NEW
ACCEPT             all   --  anywhere             anywhere             state NEW
WIRELESSFORWARD    all   --  anywhere             anywhere             state NEW
REDFORWARD         all   --  anywhere             anywhere
DMZHOLES           all   --  anywhere             anywhere             state NEW
PORTFWACCESS       all   --  anywhere             anywhere             state NEW
UPNPFW             all   --  anywhere             anywhere             state NEW
LOG                all   --  anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning prefix "DROP_OUTPUT "
DROP               all   --  anywhere             anywhere             /* DROP_OUTPUT */

Chain OUTPUT (policy ACCEPT)
target             prot  opt source               destination
CUSTOMOUTPUT       all   --  anywhere             anywhere
OUTGOINGFW         all   --  anywhere             anywhere
IPSECOUTPUT        all   --  anywhere             anywhere

Chain BADTCP (2 references)
target             prot  opt source               destination
RETURN             all   --  anywhere             anywhere
PSCAN              tcp   --  anywhere             anywhere             tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
PSCAN              tcp   --  anywhere             anywhere             tcpflags: FIN,SYN,RST,PSH,ACK,URG/NONE
PSCAN              tcp   --  anywhere             anywhere             tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN
PSCAN              tcp   --  anywhere             anywhere             tcpflags: SYN,RST/SYN,RST
PSCAN              tcp   --  anywhere             anywhere             tcpflags: FIN,SYN/FIN,SYN
NEWNOTSYN          tcp   --  anywhere             anywhere             tcpflags:! FIN,SYN,RST,ACK/SYN state NEW

Chain CUSTOMFORWARD (1 references)
target             prot  opt source               destination
ACCEPT             udp   --  10.75.18.0/24        192.168.110.1        udp dpt:openvpn

Chain CUSTOMINPUT (1 references)
target             prot  opt source               destination
ACCEPT             tcp   --  192.168.75.2         ipfire-bbach.local   tcp dpt:snpp
ACCEPT             tcp   --  192.168.110.3        ipfire-bbach.local   tcp dpt:snpp
ACCEPT             tcp   --  10.1.2.2             ipfire-bbach.local   tcp dpt:snpp
ACCEPT             tcp   --  192.168.75.2         ipfire-bbach.local   tcp dpt:snpp
REJECT             tcp   --  anywhere             ipfire-bbach.local   tcp dpt:snpp reject-with icmp-port-unreachable
ACCEPT             udp   --  10.75.18.0/24        192.168.110.1        udp dpt:openvpn
DROP               all   --  anywhere             192.168.220.255
DROP               all   --  anywhere             all-systems.mcast.net
DROP               all   --  anywhere             192.168.2.255

Chain CUSTOMOUTPUT (1 references)
target             prot  opt source               destination

Chain DHCPBLUEINPUT (1 references)
target             prot  opt source               destination
ACCEPT             tcp   --  anywhere             anywhere             tcp spt:bootpc dpt:bootps
ACCEPT             udp   --  anywhere             anywhere             udp spt:bootpc dpt:bootps

Chain DMZHOLES (2 references)
target             prot  opt source               destination

Chain GUARDIAN (2 references)
target             prot  opt source               destination

Chain GUIINPUT (1 references)
target             prot  opt source               destination
ACCEPT             icmp  --  anywhere             anywhere             icmp echo-request

Chain IPSECFORWARD (1 references)
target             prot  opt source               destination

Chain IPSECINPUT (1 references)
target             prot  opt source               destination

Chain IPSECOUTPUT (1 references)
target             prot  opt source               destination

Chain IPTVFORWARD (1 references)
target             prot  opt source               destination

Chain IPTVINPUT (1 references)
target             prot  opt source               destination

Chain LOG_DROP (0 references)
target             prot  opt source               destination
LOG                all   --  anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning
DROP               all   --  anywhere             anywhere

Chain LOG_REJECT (0 references)
target             prot  opt source               destination
LOG                all   --  anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning
REJECT             all   --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain NEWNOTSYN (1 references)
target             prot  opt source               destination
LOG                all   --  anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning prefix "DROP_NEWNOTSYN "
DROP               all   --  anywhere             anywhere             /* DROP_NEWNOTSYN */

Chain OPENSSLPHYSICAL (1 references)
target             prot  opt source               destination

Chain OPENSSLVIRTUAL (2 references)
target             prot  opt source               destination

Chain OUTGOINGFW (1 references)
target             prot  opt source               destination

Chain OUTGOINGFWMAC (1 references)
target             prot  opt source               destination

Chain PORTFWACCESS (1 references)
target             prot  opt source               destination

Chain PSCAN (5 references)
target             prot  opt source               destination
LOG                tcp   --  anywhere             anywhere             limit: avg 10/min burst 5 /* DROP_TCP PScan */ LOG level warning prefix "DROP_TCP Scan "
LOG                udp   --  anywhere             anywhere             limit: avg 10/min burst 5 /* DROP_UDP PScan */ LOG level warning prefix "DROP_UDP Scan "
LOG                icmp  --  anywhere             anywhere             limit: avg 10/min burst 5 /* DROP_ICMP PScan */ LOG level warning prefix "DROP_ICMP Scan "
LOG                all   -f  anywhere             anywhere             limit: avg 10/min burst 5 /* DROP_FRAG PScan */ LOG level warning prefix "DROP_FRAG Scan "
DROP               all   --  anywhere             anywhere             /* DROP_PScan */

Chain REDFORWARD (1 references)
target             prot  opt source               destination
ACCEPT             all   --  anywhere             anywhere

Chain REDINPUT (1 references)
target             prot  opt source               destination

Chain UPNPFW (1 references)
target             prot  opt source               destination

Chain WIRELESSFORWARD (1 references)
target             prot  opt source               destination
ACCEPT             all   --  anywhere             anywhere             MAC 00:17:F2:CD:C9:8B
DMZHOLES           all   --  anywhere             anywhere             MAC 00:17:F2:CD:C9:8B
LOG                all   --  anywhere             anywhere             LOG level warning prefix "DROP_Wirelessforward"
DROP               all   --  anywhere             anywhere             /* DROP_Wirelessforward */

Chain WIRELESSINPUT (1 references)
target             prot  opt source               destination
ACCEPT             all   --  anywhere             anywhere             MAC 00:17:F2:CD:C9:8B
LOG                all   --  anywhere             anywhere             LOG level warning prefix "DROP_Wirelessinput"
DROP               all   --  anywhere             anywhere             /* DROP_Wirelessinput */

Chain XTACCESS (1 references)
target             prot  opt source               destination
ACCEPT             tcp   --  anywhere             192.168.2.2          tcp dpt:ident

Erik
On 12.07.2013 at 00:06, Michael Tremer wrote:
> Could you provide the iptables ruleset that is loaded?
>
> This should not be caused by the latest NAT changes in core update 70.
> But that's just a wild guess.
>
> -Michael
>
> On Thu, 2013-07-11 at 20:33 +0200, Erik K. wrote:
>> Hi all,
>>
>> I have tried Core 70 and OpenVPN N2N today and had problems establishing the connection.
>>
>> The infrastructure:
>>
>> IPFire (remote) <--> Router <--> [ Internet ] <--> (local) Router <--> (local) IPFire
>>
>> So both sides with double NAT. The log messages give me the following back:
>>
>> Jul 11 18:17:35 ipfire Testn2n[13565]: UDPv4 link remote: 192.168.20.2:5329
>> Jul 11 18:19:09 ipfire Testn2n[13808]: TLS Error: client->client or server->server connection attempted from 192.168.20.2:5329
>> Jul 11 18:18:01 ipfire Testn2n[13565]: event_wait : Interrupted system call (code=4)
>>
>> I have never seen this message (the one in the middle) before...
>>
>> So I looked at the configuration file on the TLS client, where the "Remote Host/IP" was set to 192.168.20.2 (the red0 IP). I then changed it to the remote IP (in versions before Core 70 this was not necessary), and the following log output appeared:
>>
>> Jul 11 20:22:49 ipfire Testn2n[6875]: Expected Remote Options hash (VER=V4): '9e986809'
>> Jul 11 20:22:49 ipfire-bbach Testn2n[[6875]: UDPv4 link remote: 172.11.xx.xx:5329
>> Jul 11 20:23:50 ipfire Testn2n[[6875]: [UNDEF] Inactivity timeout (--ping-restart), restarting
>>
>> Looks like a closed firewall. Port forwarding from both upstream routers to IPFire was set up, and the outgoing FW was in mode 0.
>>
>> Maybe someone has an idea what's causing this problem?
>>
>> Greetings
>>
>> Erik
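Reading a listing like the one above by eye is error-prone, and plain `iptables -L` hides the interface columns, so rules such as `ACCEPT all -- anywhere anywhere state NEW` look far wider than they are (with `-v` they would show their in/out interface). The following is an added example, not from the thread or from IPFire: a small Python checker that parses `iptables -L` output and traces the path a NEW UDP packet for the OpenVPN port would take through INPUT, following jumps into user chains, honouring `RETURN`, `state` matches, protocol negation and `dpt:` (numeric or an /etc/services name such as carrius-rshell). The embedded ruleset is constructed, abbreviated from the listing above and deliberately without the interface-bound ACCEPT rules, since without `-v` they cannot be evaluated; address-specific rules are treated as non-matching, which is the script's own simplification.

```python
import re
import socket

# Constructed sample, abbreviated from the `iptables -L` listing posted in the thread
# (INPUT, the BADTCP sanity chain and OVPNINPUT). Interface-bound ACCEPT rules are left
# out on purpose: plain -L does not print the interface, so they cannot be traced here.
SAMPLE_RULESET = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
BADTCP     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
OVPNINPUT  all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning prefix "DROP_INPUT "
DROP       all  --  anywhere             anywhere             /* DROP_INPUT */

Chain BADTCP (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain OVPNINPUT (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:carrius-rshell
ACCEPT     udp  --  anywhere             anywhere             udp dpt:5329
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)$")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_iptables(text):
    """Parse `iptables -L` output into {chain: {"policy": str|None, "rules": [dict]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = {"policy": m.group(2), "rules": []}  # policy is None for user chains
            chains[m.group(1)] = current
            continue
        if line.startswith("target ") or current is None:
            continue  # column header, or text before the first chain
        target, prot, opt, src, dst, *rest = line.split(None, 5)
        chains_rule = {"target": target, "prot": prot, "opt": opt, "src": src,
                       "dst": dst, "extra": rest[0] if rest else ""}
        current["rules"].append(chains_rule)
    return chains


def service_port(name, proto):
    """Resolve a numeric port or an /etc/services name; unknown names give None."""
    if name.isdigit():
        return int(name)
    try:
        return socket.getservbyname(name, proto)
    except OSError:
        return None


def rule_matches_new(rule, proto, dport):
    """Would this rule match a NEW packet of `proto` to port `dport`?
    Address-specific rules are skipped (simplification: the packet's addresses
    are not modelled), as are rules restricted to non-NEW conntrack states."""
    if rule["src"] != "anywhere" or rule["dst"] != "anywhere":
        return False
    prot = rule["prot"]
    if prot.startswith("!"):            # e.g. "!icmp" matches everything but icmp
        if prot[1:] == proto:
            return False
    elif prot not in ("all", proto):
        return False
    state = re.search(r"\bstate (\S+)", rule["extra"])
    if state and "NEW" not in state.group(1).split(","):
        return False
    dpt = re.search(r"\bdpt:(\S+)", rule["extra"])
    if dpt and service_port(dpt.group(1), proto) != dport:
        return False
    return True


def trace_new_packet(chains, chain, proto, dport, path=None):
    """Walk `chain` as netfilter would for a NEW packet. Returns (verdict, path):
    verdict is ACCEPT/DROP/REJECT, the built-in policy, or None when a user chain
    falls through (implicit RETURN); path lists the chains traversed."""
    path = (path or []) + [chain]
    entry = chains[chain]
    for rule in entry["rules"]:
        if not rule_matches_new(rule, proto, dport):
            continue
        target = rule["target"]
        if target in TERMINAL:
            return target, path
        if target == "RETURN":
            return None, path
        if target in chains:            # jump into a user-defined chain
            verdict, sub = trace_new_packet(chains, target, proto, dport, path)
            if verdict is not None:
                return verdict, sub
            continue                    # sub-chain returned; keep evaluating here
        # LOG, TCPMSS and other non-terminating targets: keep evaluating
    return entry["policy"], path


if __name__ == "__main__":
    rules = parse_iptables(SAMPLE_RULESET)
    for proto, port in (("udp", 5329), ("udp", 1194), ("tcp", 5329)):
        print(proto, port, "->", trace_new_packet(rules, "INPUT", proto, port))
```

Run against the sample, a NEW UDP packet to 5329 is accepted inside OVPNINPUT, while UDP 1194 (the default OpenVPN port) and TCP 5329 fall through to the final DROP, which is what Michael's "firewall rules are fine" amounts to for the INPUT side; whether the upstream routers actually forward 5329 is outside what this listing can show.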
* Re: Problems with Core 70 and OpenVPN N2N
From: Michael Tremer @ 2013-07-12 11:24 UTC
To: development

See? Firewall rules are fine.

On Fri, 2013-07-12 at 11:04 +0200, Erik K. wrote:
> Hi Michael,
>
> here are the ovpn chains:
>
> Chain OVPNFORWARD (1 references)
> target             prot  opt source               destination
> ACCEPT             all   --  anywhere             anywhere
>
> Chain OVPNINPUT (1 references)
> target             prot  opt source               destination
> ACCEPT             udp   --  anywhere             anywhere             udp dpt:carrius-rshell
> ACCEPT             all   --  anywhere             anywhere
> ACCEPT             udp   --  anywhere             anywhere             udp dpt:5329
>
> Chain OVPN_BLUE_FORWARD (1 references)
> target             prot  opt source               destination
> ACCEPT             all   --  anywhere             anywhere
>
> Chain OVPN_BLUE_INPUT (1 references)
> target             prot  opt source               destination
> ACCEPT             udp   --  anywhere             anywhere             udp dpt:carrius-rshell
> ACCEPT             all   --  anywhere             anywhere
>
> and the rest of iptables -L:
>
> Chain INPUT (policy DROP)
> target             prot  opt source               destination
> BADTCP             all   --  anywhere             anywhere
> CUSTOMINPUT        all   --  anywhere             anywhere
> GUARDIAN           all   --  anywhere             anywhere
> IPTVINPUT          all   --  anywhere             anywhere
> GUIINPUT           all   --  anywhere             anywhere
> ACCEPT             all   --  anywhere             anywhere             state RELATED,ESTABLISHED
> IPSECINPUT         all   --  anywhere             anywhere
> OPENSSLVIRTUAL     all   --  anywhere             anywhere             /* OPENSSLVIRTUAL INPUT */
> ACCEPT             all   --  anywhere             anywhere             state NEW
> DROP               all   --  127.0.0.0/8          anywhere             state NEW
> DROP               all   --  anywhere             127.0.0.0/8          state NEW
> ACCEPT             !icmp --  anywhere             anywhere             state NEW
> DHCPBLUEINPUT      all   --  anywhere             anywhere
> OVPNINPUT          all   --  anywhere             anywhere
> OVPN_BLUE_INPUT    all   --  anywhere             anywhere
> OPENSSLPHYSICAL    all   --  anywhere             anywhere
> WIRELESSINPUT      all   --  anywhere             anywhere             state NEW
> REDINPUT           all   --  anywhere             anywhere
> XTACCESS           all   --  anywhere             anywhere             state NEW
> LOG                all   --  anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning prefix "DROP_INPUT "
> DROP               all   --  anywhere             anywhere             /* DROP_INPUT */
>
> Chain FORWARD (policy DROP)
> target             prot  opt source               destination
> BADTCP             all   --  anywhere             anywhere
> TCPMSS             tcp   --  anywhere             anywhere             tcpflags: SYN,RST/SYN TCPMSS clamp to PMTU
> GUARDIAN           all   --  anywhere             anywhere
> CUSTOMFORWARD      all   --  anywhere             anywhere
> IPTVFORWARD        all   --  anywhere             anywhere
> ACCEPT             all   --  anywhere             anywhere             state RELATED,ESTABLISHED
> IPSECFORWARD       all   --  anywhere             anywhere
> OPENSSLVIRTUAL     all   --  anywhere             anywhere             /* OPENSSLVIRTUAL FORWARD */
> OUTGOINGFWMAC      all   --  anywhere             anywhere
> ACCEPT             all   --  anywhere             anywhere             state NEW
> DROP               all   --  127.0.0.0/8          anywhere             state NEW
> OVPNFORWARD        all   --  anywhere             anywhere
> OVPN_BLUE_FORWARD  all   --  anywhere             anywhere
> DROP               all   --  anywhere             127.0.0.0/8          state NEW
> ACCEPT             all   --  anywhere             anywhere             state NEW
> ACCEPT             all   --  anywhere             anywhere             state NEW
> WIRELESSFORWARD    all   --  anywhere             anywhere             state NEW
> REDFORWARD         all   --  anywhere             anywhere
> DMZHOLES           all   --  anywhere             anywhere             state NEW
> PORTFWACCESS       all   --  anywhere             anywhere             state NEW
> UPNPFW             all   --  anywhere             anywhere             state NEW
> LOG                all   --  anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning prefix "DROP_OUTPUT "
> DROP               all   --  anywhere             anywhere             /* DROP_OUTPUT */
>
> Chain OUTPUT (policy ACCEPT)
> target             prot  opt source               destination
> CUSTOMOUTPUT       all   --  anywhere             anywhere
> OUTGOINGFW         all   --  anywhere             anywhere
> IPSECOUTPUT        all   --  anywhere             anywhere
>
> Chain BADTCP (2 references)
> target             prot  opt source               destination
> RETURN             all   --  anywhere             anywhere
> PSCAN              tcp   --  anywhere             anywhere             tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
> PSCAN              tcp   --  anywhere             anywhere             tcpflags: FIN,SYN,RST,PSH,ACK,URG/NONE
> PSCAN              tcp   --  anywhere             anywhere             tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN
> PSCAN              tcp   --  anywhere             anywhere             tcpflags: SYN,RST/SYN,RST
> PSCAN              tcp   --  anywhere             anywhere             tcpflags: FIN,SYN/FIN,SYN
> NEWNOTSYN          tcp   --  anywhere             anywhere             tcpflags:! FIN,SYN,RST,ACK/SYN state NEW
>
> Chain CUSTOMFORWARD (1 references)
> target             prot  opt source               destination
> ACCEPT             udp   --  10.75.18.0/24        192.168.110.1        udp dpt:openvpn
>
> Chain CUSTOMINPUT (1 references)
> target             prot  opt source               destination
> ACCEPT             tcp   --  192.168.75.2         ipfire-bbach.local   tcp dpt:snpp
> ACCEPT             tcp   --  192.168.110.3        ipfire-bbach.local   tcp dpt:snpp
> ACCEPT             tcp   --  10.1.2.2             ipfire-bbach.local   tcp dpt:snpp
> ACCEPT             tcp   --  192.168.75.2         ipfire-bbach.local   tcp dpt:snpp
> REJECT             tcp   --  anywhere             ipfire-bbach.local   tcp dpt:snpp reject-with icmp-port-unreachable
> ACCEPT             udp   --  10.75.18.0/24        192.168.110.1        udp dpt:openvpn
> DROP               all   --  anywhere             192.168.220.255
> DROP               all   --  anywhere             all-systems.mcast.net
> DROP               all   --  anywhere             192.168.2.255
>
> Chain CUSTOMOUTPUT (1 references)
> target             prot  opt source               destination
>
> Chain DHCPBLUEINPUT (1 references)
> target             prot  opt source               destination
> ACCEPT             tcp   --  anywhere             anywhere             tcp spt:bootpc dpt:bootps
> ACCEPT             udp   --  anywhere             anywhere             udp spt:bootpc dpt:bootps
>
> Chain DMZHOLES (2 references)
> target             prot  opt source               destination
>
> Chain GUARDIAN (2 references)
> target             prot  opt source               destination
>
> Chain GUIINPUT (1 references)
> target             prot  opt source               destination
> ACCEPT             icmp  --  anywhere             anywhere             icmp echo-request
>
> Chain IPSECFORWARD (1 references)
> target             prot  opt source               destination
>
> Chain IPSECINPUT (1 references)
> target             prot  opt source               destination
>
> Chain IPSECOUTPUT (1 references)
> target             prot  opt source               destination
>
> Chain IPTVFORWARD (1 references)
> target             prot  opt source               destination
>
> Chain IPTVINPUT (1 references)
> target             prot  opt source               destination
>
> Chain LOG_DROP (0 references)
> target             prot  opt source               destination
> LOG                all   --  anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning
> DROP               all   --  anywhere             anywhere
>
> Chain LOG_REJECT (0 references)
> target             prot  opt source               destination
> LOG                all   --  anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning
> REJECT             all   --  anywhere             anywhere             reject-with icmp-port-unreachable
>
> Chain NEWNOTSYN (1 references)
> target             prot  opt source               destination
> LOG                all   --  anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning prefix "DROP_NEWNOTSYN "
> DROP               all   --  anywhere             anywhere             /* DROP_NEWNOTSYN */
>
> Chain OPENSSLPHYSICAL (1 references)
> target             prot  opt source               destination
>
> Chain OPENSSLVIRTUAL (2 references)
> target             prot  opt source               destination
>
> Chain OUTGOINGFW (1 references)
> target             prot  opt source               destination
>
> Chain OUTGOINGFWMAC (1 references)
> target             prot  opt source               destination
>
> Chain PORTFWACCESS (1 references)
> target             prot  opt source               destination
>
> Chain PSCAN (5 references)
> target             prot  opt source               destination
> LOG                tcp   --  anywhere             anywhere             limit: avg 10/min burst 5 /* DROP_TCP PScan */ LOG level warning prefix "DROP_TCP Scan "
> LOG                udp   --  anywhere             anywhere             limit: avg 10/min burst 5 /* DROP_UDP PScan */ LOG level warning prefix "DROP_UDP Scan "
> LOG                icmp  --  anywhere             anywhere             limit: avg 10/min burst 5 /* DROP_ICMP PScan */ LOG level warning prefix "DROP_ICMP Scan "
> LOG                all   -f  anywhere             anywhere             limit: avg 10/min burst 5 /* DROP_FRAG PScan */ LOG level warning prefix "DROP_FRAG Scan "
> DROP               all   --  anywhere             anywhere             /* DROP_PScan */
>
> Chain REDFORWARD (1 references)
> target             prot  opt source               destination
> ACCEPT             all   --  anywhere             anywhere
>
> Chain REDINPUT (1 references)
> target             prot  opt source               destination
>
> Chain UPNPFW (1 references)
> target             prot  opt source               destination
>
> Chain WIRELESSFORWARD (1 references)
> target             prot  opt source               destination
> ACCEPT             all   --  anywhere             anywhere             MAC 00:17:F2:CD:C9:8B
> DMZHOLES           all   --  anywhere             anywhere             MAC 00:17:F2:CD:C9:8B
> LOG                all   --  anywhere             anywhere             LOG level warning prefix "DROP_Wirelessforward"
> DROP               all   --  anywhere             anywhere             /* DROP_Wirelessforward */
>
> Chain WIRELESSINPUT (1 references)
> target             prot  opt source               destination
> ACCEPT             all   --  anywhere             anywhere             MAC 00:17:F2:CD:C9:8B
> LOG                all   --  anywhere             anywhere             LOG level warning prefix "DROP_Wirelessinput"
> DROP               all   --  anywhere             anywhere             /* DROP_Wirelessinput */
>
> Chain XTACCESS (1 references)
> target             prot  opt source               destination
> ACCEPT             tcp   --  anywhere             192.168.2.2          tcp dpt:ident
>
> Erik
>
> On 12.07.2013 at 00:06, Michael Tremer wrote:
>> Could you provide the iptables ruleset that is loaded?
>>
>> This should not be caused by the latest NAT changes in core update 70.
>> But that's just a wild guess.
>>
>> -Michael
>>
>> On Thu, 2013-07-11 at 20:33 +0200, Erik K. wrote:
>>> Hi all,
>>>
>>> I have tried Core 70 and OpenVPN N2N today and had problems establishing the connection.
>>>
>>> The infrastructure:
>>>
>>> IPFire (remote) <--> Router <--> [ Internet ] <--> (local) Router <--> (local) IPFire
>>>
>>> So both sides with double NAT. The log messages give me the following back:
>>>
>>> Jul 11 18:17:35 ipfire Testn2n[13565]: UDPv4 link remote: 192.168.20.2:5329
>>> Jul 11 18:19:09 ipfire Testn2n[13808]: TLS Error: client->client or server->server connection attempted from 192.168.20.2:5329
>>> Jul 11 18:18:01 ipfire Testn2n[13565]: event_wait : Interrupted system call (code=4)
>>>
>>> I have never seen this message (the one in the middle) before...
>>>
>>> So I looked at the configuration file on the TLS client, where the "Remote Host/IP" was set to 192.168.20.2 (the red0 IP). I then changed it to the remote IP (in versions before Core 70 this was not necessary), and the following log output appeared:
>>>
>>> Jul 11 20:22:49 ipfire Testn2n[6875]: Expected Remote Options hash (VER=V4): '9e986809'
>>> Jul 11 20:22:49 ipfire-bbach Testn2n[[6875]: UDPv4 link remote: 172.11.xx.xx:5329
>>> Jul 11 20:23:50 ipfire Testn2n[[6875]: [UNDEF] Inactivity timeout (--ping-restart), restarting
>>>
>>> Looks like a closed firewall. Port forwarding from both upstream routers to IPFire was set up, and the outgoing FW was in mode 0.
>>>
>>> Maybe someone has an idea what's causing this problem?
>>>
>>> Greetings
>>>
>>> Erik