Cannot connect two ospf-instances over tun-interface

Jan Maria Matejka jan.matejka at nic.cz
Wed Apr 4 10:59:13 CEST 2018


Hello,

please could you enable 'debug all' for the ospf protocol on the server?
It should tell you whether it receives the packets and what it is doing
with them.

OpenVPN in TUN mode does quite strange things with routing. Have you tried
routing by static routes first (to see whether it works or not)?

Example:

Server has 10.29.0.1/30 (peer 10.29.0.2).
Client A has 10.29.0.5/30 (peer 10.29.0.6) and 172.30.5.0/24 on other iface.
Client B has 10.29.0.9/30 (peer 10.29.0.10) and 172.30.9.0/24 on other iface.

Have you managed to add a route on Client A that would route traffic
to 172.30.9.0/24? (If yes, please tell me, I also need something like that.)

Now I overcome these problems with several GRE (or GRETAP) tunnels over the VPN;
these are real PtP links and routing also works over them quite well.

M.

On 04/04/2018 10:29 AM, dawid k wrote:
> Additional info:
> 
> bird show ospf state on server:
> 
> area 0.0.0.0
> 
>         router 10.29.0.1
>                 distance 0
>                 stubnet 10.29.0.0/22 metric 10
>                 external 1.1.1.1/32 metric 33
>                 external 10.29.0.0/22 metric 33
> 
> I wonder why my network is marked as stubnet. I defined 'stub no' in the config. I suppose that's the problem, but how can I avoid this?
> 
> bird show ospf state on first client :
> 
>      router 192.168.21.17
>                 distance 20
>                 network 192.168.21.16/28 metric 5
>                 network 10.29.0.0/22 metric 10 #ethernet
>                 external 192.168.9.17/32 metric2 10000 via 192.168.21.25 #static
> 
>     network 
>           ......
> 
> 2018-04-04 8:59 GMT+02:00 dawid k <tookie009smieci at gmail.com>:
> 
>     Hi Chris,
> 
>     Thank you for your advice, I got a little bit forward.
> 
>     I expanded my topology with another pc - another vpn client - and I got these two vpn clients working, but somehow I cannot get the server to work properly. The server always remains in state Init/Other.
> 
>     I can see with tcpdump, that every pc is sending the hello-message, but the server is missing the neighbor list:
> 
>     08:48:55.791063 IP (tos 0xc0, ttl 1, id 15221, offset 0, flags [none], proto OSPF (89), length 64)
>     server > ospf-all.mcast.net: OSPFv2, Hello, length 44
>             Router-ID 10.29.0.1, Backbone Area, Authentication Type: none (0)
>             Options [External]
>               Hello Timer 10s, Dead Timer 40s, Mask 255.255.252.0, Priority 1
>               Designated Router 10.29.0.1
>     08:49:02.449351 IP (tos 0xc0, ttl 1, id 6717, offset 0, flags [none], proto OSPF (89), length 72)
>         10.29.0.8 > ospf-all.mcast.net: OSPFv2, Hello, length 52
>             Router-ID 192.168.21.1, Backbone Area, Authentication Type: none (0)
>             Options [External]
>               Hello Timer 10s, Dead Timer 40s, Mask 255.255.252.0, Priority 1
>               Designated Router 10.29.0.4, Backup Designated Router 10.29.0.8
>               Neighbor List:
>                 192.168.21.17
>                 10.29.0.1
>     08:49:02.854749 IP (tos 0xc0, ttl 1, id 9690, offset 0, flags [none], proto OSPF (89), length 72)
>         10.29.0.4 > ospf-all.mcast.net: OSPFv2, Hello, length 52
>             Router-ID 192.168.21.17, Backbone Area, Authentication Type: none (0)
>             Options [External]
>               Hello Timer 10s, Dead Timer 40s, Mask 255.255.252.0, Priority 1
>               Designated Router 10.29.0.4, Backup Designated Router 10.29.0.8
>               Neighbor List:
>                 192.168.21.1
>                 10.29.0.1
> 
>     Here the output from birdc show ospf neighbors on client:
> 
>     Router ID       Pri          State      DTime   Interface  Router IP
>     192.168.21.17     1     Full/DR         00:35   tun0       10.29.0.4
>     10.29.0.1         1     Init/Other      00:38   tun0       10.29.0.1
> 
>     and finally my ospf-setup for every device:
> 
>     protocol ospf myOSPFX { # X depending on device (1,2,3)
>             debug all;
>             import filter importAll;
>             export filter onlyLocalExport;
>             area 0.0.0.0 {
>                     interface "tun0" {
>                             cost 10;
>                             type bcast;
>                             stub no;
>                             hello 10;
>                             transmit delay 5;
>                             wait 10;
>                             dead 40;
>                     };
>             };
>     }
> 
>     Do you have any idea what I'm missing?
> 
>     2018-04-03 16:52 GMT+02:00 Chris Boot <lists at bootc.boo.tc>:
> 
>         [re-sending to the list with the correct From address]
> 
>         Hi,
> 
>         You should be able to do this with 'topology subnet' on your server end.
>         It doesn't work with net30 (the default) or p2p, but I can confirm that
>         OSPFv2 for IPv4 works in broadcast mode with 'topology subnet'.
> 
>         I think there are issues with IPv6 on tun links with respect to
>         multicast, so you may struggle to get OSPFv3 working, but I haven't had
>         to do that yet.
> 
>         HTH,
>         Chris
> 
>         On 03/04/18 15:34, dawid k wrote:
>         > Therefore I tried running ospf in broadcast mode as well, but then it
>         > changed automatically:
>         >
>         > <WARN> myOSPF3: Cannot use interface tun0 as broadcast, forcing ptp
>         >
>         > I tried the tap-Interface and it's working (or at least the neighbours
>         > were detected) but as said, my system has to use tun and I cannot change
>         > it. So there is probably no solution for such settings. I will try bgp
>         > instead. Thank you for your help.
>         >
>         > 2018-04-03 16:18 GMT+02:00 Ondrej Zajicek <santiago at crfreenet.org>:
>         >
>         >     On Tue, Apr 03, 2018 at 08:05:41AM -0600, Michael McConnell wrote:
>         >     > OpenVPN won’t do multicast over TUN, only TAP.
>         >
>         >     Well, that would be silly from OpenVPN. But tcpdump output from Dawid K
>         >     shows that multicast packets are propagated through TUN:
>         >
>         >     > 06:59:00.439738 IP (tos 0xc0, ttl 1, id 15270, offset 0, flags [none], proto OSPF (89), length 64)
>         >     >     server > 224.0.0.5: OSPFv2, Hello, length 44
>         >     >         Router-ID repo.traffic.local, Backbone Area, Authentication Type: none (0)
>         >     >         Options [External]
>         >     >           Hello Timer 10s, Dead Timer 40s, Mask 0.0.0.0, Priority 1
>         >     > 06:59:02.449363 IP (tos 0xc0, ttl 1, id 18875, offset 0, flags [none], proto OSPF (89), length 64)
>         >     >     10.29.0.6 > 224.0.0.5: OSPFv2, Hello, length 44
>         >     >         Router-ID 192.168.21.17, Backbone Area, Authentication Type: none (0)
>         >     >         Options [External]
>         >     >           Hello Timer 10s, Dead Timer 40s, Mask 0.0.0.0, Priority 1
>         >
>         >     --
>         >     Elen sila lumenn' omentielvo
>         >
>         >     Ondrej 'Santiago' Zajicek (email: santiago at crfreenet.org)
>         >     OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3,
>         >     wwwkeys.pgp.net)
>         >     "To err is human -- to blame it on a computer is even more so."
>         >
>         >
> 
> 
>         --
>         Chris Boot
>         bootc at boo.tc
> 
> 
> 
> 
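As an added diagnostic, not part of the thread or of BIRD, the following Python parses the kind of `tcpdump -v` OSPFv2 Hello output quoted above and reports what keeps a neighbor stuck in Init/Other: Hello/Dead/mask mismatches between routers, and routers whose Neighbor List does not mention the others (meaning they are not hearing the other side's multicast Hellos, which is the server's situation here). It also flags Hellos with "Authentication Type: none" as a hardening finding. The sample capture is constructed in the shape of the thread's lines; the server's Hello deliberately carries no Neighbor List.

```python
import re

RID = re.compile(r"Router-ID (\S+),.*Authentication Type: (\w+)")
TIMERS = re.compile(r"Hello Timer (\d+)s, Dead Timer (\d+)s, Mask (\S+),")
IPONLY = re.compile(r"^\s+(\d+(?:\.\d+){3})\s*$")

# Constructed sample shaped like the 'tcpdump -v' Hello output in the thread:
# the server's Hello carries no Neighbor List, the client's Hello lists the server.
SAMPLE = """\
    10.29.0.1 > 224.0.0.5: OSPFv2, Hello, length 44
        Router-ID 10.29.0.1, Backbone Area, Authentication Type: none (0)
          Hello Timer 10s, Dead Timer 40s, Mask 255.255.252.0, Priority 1
          Designated Router 10.29.0.1
    10.29.0.4 > 224.0.0.5: OSPFv2, Hello, length 48
        Router-ID 192.168.21.17, Backbone Area, Authentication Type: none (0)
          Hello Timer 10s, Dead Timer 40s, Mask 255.255.252.0, Priority 1
          Neighbor List:
            10.29.0.1
"""

def parse_hellos(text):
    """One dict per Hello: rid, auth, hello, dead, mask and the neighbor router IDs."""
    hellos = []
    for line in text.splitlines():
        if "OSPFv2, Hello" in line:
            hellos.append({"neighbors": []})
        elif not hellos:
            continue  # skip anything before the first Hello
        elif m := RID.search(line):
            hellos[-1].update(rid=m[1], auth=m[2])
        elif m := TIMERS.search(line):
            hellos[-1].update(hello=int(m[1]), dead=int(m[2]), mask=m[3])
        elif m := IPONLY.match(line):  # bare indented IP: a Neighbor List entry
            hellos[-1]["neighbors"].append(m[1])
    return hellos

def check_adjacency(hellos):
    """Findings that keep neighbors in Init or that a defender should flag."""
    findings = []
    params = {(h["hello"], h["dead"], h["mask"]) for h in hellos}
    if len(params) > 1:  # RFC 2328 10.5: Hellos with mismatched parameters are dropped
        findings.append("hello/dead/mask mismatch: %s" % sorted(params))
    rids = {h["rid"] for h in hellos}
    for h in hellos:
        for other in sorted(rids - {h["rid"]} - set(h["neighbors"])):
            findings.append("%s does not list %s: it is not hearing its Hellos" % (h["rid"], other))
        if h["auth"] == "none":
            findings.append("%s sends unauthenticated Hellos" % h["rid"])
    return findings
```

Run it over `tcpdump -v -i tun0 proto 89` output from each router; a router that appears in everyone else's list but lists nobody itself is receiving nothing on the interface.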
