Subject: OpenVPN - MULTI: bad source address from client, packet...

Hello,

To test various OpenVPN configurations, I set up an OpenVPN tunnel between two machines running Windows Server.
Firewalls are disabled on both machines.
The following messages appear in the server logs:


MULTI: bad source address from client [fe80::60ac:b458:3ba2:7981], packet dropped
MULTI: bad source address from client [fe80::60ac:b458:3ba2:7981], packet dropped
MULTI: bad source address from client [fe80::60ac:b458:3ba2:7981], packet dropped
MULTI: bad source address from client [fe80::60ac:b458:3ba2:7981], packet dropped


The client is on the 192.168.1.0/24 network
The server is on the 192.168.200.0/24 network

server.ovpn

dev tun
proto tcp-server
port 1196
resolv-retry infinite
persist-key
persist-tun

server 10.8.7.0 255.255.255.0
push "route 192.168.200.0 255.255.255.0"
push "route 192.168.199.0 255.255.255.0"
push "redirect-gateway"

client-config-dir C:\\OpenVPN\\config\\ccd
route 192.168.1.0 255.255.255.0

dh C:\\OpenVPN\\config\\dh1024.pem
ca C:\\OpenVPN\\config\\ca.crt
cert C:\\OpenVPN\\config\\server.crt
key C:\\OpenVPN\\config\\server.key

verb 5
mssfix
comp-lzo



I added the following entry to the file C:\OpenVPN\config\ccd\client1:


iroute 192.168.1.0 255.255.255.0


client1.ovpn


client
dev tun
proto tcp
remote vpn.domena.com 1196
resolv-retry infinite
persist-key
persist-tun

ca C:\\OpenVPN\\config\\ca.crt
cert C:\\OpenVPN\\config\\client1.crt
key C:\\OpenVPN\\config\\client1.key

verb 5
mssfix
comp-lzo

redirect-gateway def1
route-method exe
route-delay 2


After the connection is established, the server gets the address 10.8.7.1 and the client gets 10.8.7.6

Routing on the client:


Sat Apr 06 19:49:00 2013 OpenVPN 2.3.0 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Jan 8 2013
Sat Apr 06 19:49:00 2013 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sat Apr 06 19:49:00 2013 Need hold release from management interface, waiting...
Sat Apr 06 19:49:01 2013 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sat Apr 06 19:49:01 2013 MANAGEMENT: CMD 'state on'
Sat Apr 06 19:49:01 2013 MANAGEMENT: CMD 'log all on'
Sat Apr 06 19:49:01 2013 MANAGEMENT: CMD 'hold off'
Sat Apr 06 19:49:01 2013 MANAGEMENT: CMD 'hold release'
Sat Apr 06 19:49:01 2013 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sat Apr 06 19:49:01 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sat Apr 06 19:49:01 2013 LZO compression initialized
Sat Apr 06 19:49:01 2013 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Sat Apr 06 19:49:01 2013 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sat Apr 06 19:49:01 2013 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Apr 06 19:49:01 2013 Local Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sat Apr 06 19:49:01 2013 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sat Apr 06 19:49:01 2013 Local Options hash (VER=V4): '69109d17'
Sat Apr 06 19:49:01 2013 Expected Remote Options hash (VER=V4): 'c01
Sat Apr 06 19:49:01 2013 Attempting to establish TCP connection with [AF_INET]A.B.C.D:1196
Sat Apr 06 19:49:01 2013 MANAGEMENT: >STATE:1365270541,TCP_CONNECT,,,
Sat Apr 06 19:49:01 2013 TCP connection established with [AF_INET]A.B.C.D:1196
Sat Apr 06 19:49:01 2013 TCPv4_CLIENT link local: [undef]
Sat Apr 06 19:49:01 2013 TCPv4_CLIENT link remote: [AF_INET]A.B.C.D:1196
Sat Apr 06 19:49:01 2013 MANAGEMENT: >STATE:1365270541,WAIT,,,
Sat Apr 06 19:49:01 2013 MANAGEMENT: >STATE:1365270541,AUTH,,,
Sat Apr 06 19:49:01 2013 TLS: Initial packet from [AF_INET]A.B.C.D:1196, sid=b4aede7e 63d2838b
Sat Apr 06 19:49:03 2013 VERIFY OK: depth=1, C=PL, ST=Wawa, L=Wawa, O=Firma, OU=vpn, CN=vpn, name=vpn, emailAddress=user@gmail.com
Sat Apr 06 19:49:03 2013 VERIFY OK: depth=0, C=PL, ST=Wawa, L=Wawa, O=Firma, OU=vpn, CN=vpn, name=vpn, emailAddress=user@gmail.com
Sat Apr 06 19:49:06 2013 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Apr 06 19:49:06 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Apr 06 19:49:06 2013 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Apr 06 19:49:06 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Apr 06 19:49:06 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sat Apr 06 19:49:06 2013 [vpn] Peer Connection Initiated with [AF_INET]92.244.36.210:1196
Sat Apr 06 19:49:07 2013 MANAGEMENT: >STATE:1365270547,GET_CONFIG,,,
Sat Apr 06 19:49:09 2013 SENT CONTROL [vpn]: 'PUSH_REQUEST' (status=1)
Sat Apr 06 19:49:09 2013 PUSH: Received control message: 'PUSH_REPLY,route 192.168.200.0 255.255.255.0,route 192.168.199.0 255.255.255.0,redirect-gateway,route 10.8.7.1,topology net30,ifconfig 10.8.7.6 10.8.7.5'
Sat Apr 06 19:49:09 2013 OPTIONS IMPORT: --ifconfig/up options modified
Sat Apr 06 19:49:09 2013 OPTIONS IMPORT: route options modified
Sat Apr 06 19:49:09 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sat Apr 06 19:49:09 2013 MANAGEMENT: >STATE:1365270549,ASSIGN_IP,,10.8.7.6,
Sat Apr 06 19:49:09 2013 open_tun, tt->ipv6=0
Sat Apr 06 19:49:09 2013 TAP-WIN32 device [Local Area Connection] opened: \\.\Global\{B9D20233-7064-4BD6-9667-41A2AFC5412A}.tap
Sat Apr 06 19:49:09 2013 TAP-Windows Driver Version 9.9
Sat Apr 06 19:49:09 2013 TAP-Windows MTU=1500
Sat Apr 06 19:49:09 2013 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.7.6/255.255.255.252 on interface {B9D20233-7064-4BD6-9667-41A2AFC5412A} [DHCP-serv: 10.8.7.5, lease-time: 31536000]
Sat Apr 06 19:49:09 2013 Successful ARP Flush on interface [25] {B9D20233-
Sat Apr 06 19:49:11 2013 TEST ROUTES: 4/4 succeeded len=3 ret=1 a=0 u/d=up
Sat Apr 06 19:49:11 2013 C:\Windows\system32\route.exe ADD A.B.C.D MASK 255.255.255.255 192.168.1.1
Sat Apr 06 19:49:11 2013 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sat Apr 06 19:49:11 2013 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.7.5
Sat Apr 06 19:49:11 2013 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sat Apr 06 19:49:11 2013 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.7.5
Sat Apr 06 19:49:11 2013 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sat Apr 06 19:49:11 2013 MANAGEMENT: >STATE:1365270551,ADD_ROUTES,,,
Sat Apr 06 19:49:11 2013 C:\Windows\system32\route.exe ADD 192.168.200.0 MASK 255.255.255.0 10.8.7.5
Sat Apr 06 19:49:11 2013 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sat Apr 06 19:49:11 2013 C:\Windows\system32\route.exe ADD 192.168.199.0 MASK 255.255.255.0 10.8.7.5
Sat Apr 06 19:49:11 2013 env_bl
Sat Apr 06 19:49:11 2013 C:\Windows\system32\route.exe ADD 10.8.7.1 MASK 255.255.255.255 10.8.7.5
Sat Apr 06 19:49:11 2013 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sat Apr 06 19:49:12 2013 Initialization Sequence Completed
Sat Apr 06 19:49:12 2013 MANAGEMENT: >STATE:1365270552,CONNECTED,SUCCESS,10.8.7.6,A.B.C.D
Sat Apr 06 19:55:15 2013 client1/46.171.107.3:51096 MULTI: bad source address from client [fe80::60ac:b458:3ba2:7981], packet dropped
Sat Apr 06 19:55:16 2013 client1/46.171.107.3:51096 MULTI: bad source address from client [fe80::60ac:b458:3ba2:7981], packet dropped
Sat Apr 06 19:55:18 2013 client1/46.171.107.3:51096 MULTI: bad source address from client [fe80::60ac:b458:3ba2:7981], packet dropped
Sat Apr 06 19:55:22 2013 client1/46.171.107.3:51096 MULTI: bad source address from client [fe80::60ac:b458:3ba2:7981], packet dropped
Sat Apr 06 19:55:30 2013 client1/46.171.107.3:51096 MULTI: bad source address from client [fe80::60ac:b458:3ba2:7981], packet dropped


Server log

Sat Apr 06 19:45:00 2013 OpenVPN 2.3.1 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Mar 28 2013
Sat Apr 06 19:45:00 2013 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sat Apr 06 19:45:00 2013 Need hold release from management interface, waiting...
Sat Apr 06 19:45:01 2013 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sat Apr 06 19:45:01 2013 MANAGEMENT: CMD 'state on'
Sat Apr 06 19:45:01 2013 MANAGEMENT: CMD 'log all on'
Sat Apr 06 19:45:01 2013 MANAGEMENT: CMD 'hold off'
Sat Apr 06 19:45:01 2013 MANAGEMENT: CMD 'hold release'
Sat Apr 06 19:45:01 2013 WARNING: --keepalive option is missing from server config
Sat Apr 06 19:45:01 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sat Apr 06 19:45:01 2013 Diffie-Hellman initialized with 1024 bit key
Sat Apr 06 19:45:01 2013 TLS-Auth MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Sat Apr 06 19:45:01 2013 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sat Apr 06 19:45:01 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sat Apr 06 19:45:01 2013 MANAGEMENT: >STATE:1365270301,ASSIGN_IP,,10.8.7.1,
Sat Apr 06 19:45:01 2013 open_tun, tt->ipv6=0
Sat Apr 06 19:45:01 2013 TAP-WIN32 device [Local Area Connection] opened: \\.\Global\{E740ACAC-D381-420B-81FF-778B0BA0E624}.tap
Sat Apr 06 19:45:01 2013 TAP-Windows Driver Version 9.9
Sat Apr 06 19:45:01 2013 TAP-Windows MTU=1500
Sat Apr 06 19:45:01 2013 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.7.1/255.255.255.252 on interface {E740ACAC-D381-420B-81FF-778B0BA0E624} [DHCP-serv: 10.8.7.2, lease-time: 31536000]
Sat Apr 06 19:45:01 2013 Sleeping for 10 seconds...
Sat Apr 06 19:45:11 2013 Successful ARP Flush on interface [36] {E740ACAC-D381-420B-81FF-778B0BA0E624}
Sat Apr 06 19:45:11 2013 MANAGEMENT: >STATE:1365270311,ADD_ROUTES,,,
Sat Apr 06 19:45:11 2013 C:\Windows\system32\route.exe ADD 192.168.1.0 MASK 255.255.255.0 10.8.7.2
Sat Apr 06 19:45:11 2013 Warning: route gateway is not reachable on any active network adapters: 10.8.7.2
Sat Apr 06 19:45:11 2013 Route addition via IPAPI failed [adaptive]
Sat Apr 06 19:45:11 2013 Route addition fallback to route.exe
Sat Apr 06 19:45:11 2013 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sat Apr 06 19:45:11 2013 C:\Windows\system32\route.exe ADD 10.8.7.0 MASK 255.255.255.0 10.8.7.2
Sat Apr 06 19:45:11 2013 Warning: route gateway is not reachable on any active network adapters: 10.8.7.2
Sat Apr 06 19:45:11 2013 Route addition via IPAPI failed [adaptive]
Sat Apr 06 19:45:11 2013 Route addition fallback to route.exe
Sat Apr 06 19:45:11 2013 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sat Apr 06 19:45:11 2013 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Apr 06 19:45:11 2013 Listening for incoming TCP connection on [undef]
Sat Apr 06 19:45:11 2013 TCPv4_SERVER link local (bound): [undef]
Sat Apr 06 19:45:11 2013 TCPv4_SERVER link remote: [undef]
Sat Apr 06 19:45:11 2013 MULTI: multi_init called, r=256 v=256
Sat Apr 06 19:45:11 2013 IFCONFIG POOL: base=10.8.7.4 size=62, ipv6=0
Sat Apr 06 19:45:11 2013 MULTI: TCP INIT maxclients=60 maxevents=64
Sat Apr 06 19:45:11 2013 Initialization Sequence Completed
Sat Apr 06 19:45:11 2013 MANAGEMENT: >STATE:1365270311,CONNECTED,SUCCESS,10.8.7.1,


Routing on client1

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.3     25
          0.0.0.0        128.0.0.0         10.8.7.5         10.8.7.6     31
         10.8.7.1  255.255.255.255         10.8.7.5         10.8.7.6     31
         10.8.7.4  255.255.255.252          On-link         10.8.7.6    286
         10.8.7.6  255.255.255.255          On-link         10.8.7.6    286
         10.8.7.7  255.255.255.255          On-link         10.8.7.6    286
          A.B.C.D  255.255.255.255      192.168.1.1      192.168.1.3     26
        127.0.0.0        255.0.0.0          On-link        127.0.0.1    306
        127.0.0.1  255.255.255.255          On-link        127.0.0.1    306
  127.255.255.255  255.255.255.255          On-link        127.0.0.1    306
        128.0.0.0        128.0.0.0         10.8.7.5         10.8.7.6     31
      192.168.1.0    255.255.255.0          On-link      192.168.1.3    281
      192.168.1.3  255.255.255.255          On-link      192.168.1.3    281
    192.168.1.255  255.255.255.255          On-link      192.168.1.3    281
    192.168.200.0    255.255.255.0         10.8.7.5         10.8.7.6     31
        224.0.0.0        240.0.0.0          On-link        127.0.0.1    306
        224.0.0.0        240.0.0.0          On-link         10.8.7.6    286
        224.0.0.0        240.0.0.0          On-link      192.168.1.3    281
  255.255.255.255  255.255.255.255          On-link        127.0.0.1    306
  255.255.255.255  255.255.255.255          On-link         10.8.7.6    286
  255.255.255.255  255.255.255.255          On-link      192.168.1.3    281


Does anyone have any ideas what might be causing the problem?
Łukasz Kisielewicz edited this post on 06.04.13 at 20:03
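An added diagnostic example, not part of the original thread and not OpenVPN project code: the server's MULTI layer only accepts a tunnel packet from a client if its source address is that client's assigned VPN address or lies in a network bound to the client with iroute; anything else is logged as "bad source address" and dropped. The script below parses such server log lines and classifies each rejected source against the --server pool plus the client's iroute networks, so a flood of these messages collapses into a verdict per client. The log lines are constructed after the ones in the post, and the iroutes_by_cn mapping is an assumption that stands in for the ccd directory.

```python
import ipaddress
import re

# Constructed sample modelled on the server log lines quoted in the post (not a live capture).
SAMPLE_LOG = """\
Sat Apr 06 19:55:15 2013 client1/46.171.107.3:51096 MULTI: bad source address from client [fe80::60ac:b458:3ba2:7981], packet dropped
Sat Apr 06 19:55:16 2013 client1/46.171.107.3:51096 MULTI: bad source address from client [fe80::60ac:b458:3ba2:7981], packet dropped
Sat Apr 06 19:55:18 2013 client1/46.171.107.3:51096 MULTI: bad source address from client [192.168.50.7], packet dropped
Sat Apr 06 19:55:20 2013 client1/46.171.107.3:51096 SENT CONTROL [client1]: 'PUSH_REPLY,...' (status=1)
"""

# "<common name>/<peer ip:port> MULTI: bad source address from client [<src>], packet dropped"
BAD_SOURCE_RE = re.compile(
    r"(?P<cn>[^\s/]+)/(?P<peer>\S+) MULTI: bad source address from client "
    r"\[(?P<src>[^\]]+)\], packet dropped"
)


def parse_bad_source(line):
    """Return (common_name, source_address) for a 'bad source address' line, else None."""
    m = BAD_SOURCE_RE.search(line)
    if not m:
        return None
    return m.group("cn"), m.group("src")


def allowed_for(cn, server_subnet, iroutes_by_cn):
    """Networks the server accepts as packet sources from this client:
    the --server pool plus the iroute networks from the client's ccd file.
    iroutes_by_cn is an assumed dict {common_name: [cidr, ...]} standing in for ccd/."""
    nets = [ipaddress.ip_network(server_subnet)]
    nets += [ipaddress.ip_network(n) for n in iroutes_by_cn.get(cn, [])]
    return nets


def explain(src, allowed):
    """Classify a rejected source address."""
    ip = ipaddress.ip_address(src)
    if ip.version == 6 and ip.is_link_local:
        # The client pushes IPv6 (fe80::/10) into the tun while the server
        # has no IPv6 pool or iroute, so every such packet is rejected.
        return "ipv6-link-local"
    if any(ip in net for net in allowed):
        # Inside an allowed network yet still dropped: check that the ccd file
        # name matches the certificate CN and that the iroute was actually loaded.
        return "covered-but-dropped"
    # Source the server has never been told about for this client.
    return "unrouted"


def analyze(log_text, server_subnet, iroutes_by_cn):
    """Return [(cn, src, verdict), ...] for every rejected packet in the log."""
    findings = []
    for line in log_text.splitlines():
        hit = parse_bad_source(line)
        if hit is None:
            continue
        cn, src = hit
        verdict = explain(src, allowed_for(cn, server_subnet, iroutes_by_cn))
        findings.append((cn, src, verdict))
    return findings


def summarize(findings):
    """Count verdicts per (cn, verdict) so a noisy log collapses to a few lines."""
    counts = {}
    for cn, _src, verdict in findings:
        counts[(cn, verdict)] = counts.get((cn, verdict), 0) + 1
    return counts


if __name__ == "__main__":
    # Pool and iroute mirror the server.ovpn and ccd/client1 shown in the post.
    found = analyze(SAMPLE_LOG, "10.8.7.0/24", {"client1": ["192.168.1.0/24"]})
    for cn, src, verdict in found:
        print(f"{cn}: {src} -> {verdict}")
    print(summarize(found))
```

A verdict of ipv6-link-local on an IPv4-only tunnel points at the client's OS sending IPv6 neighbour discovery or similar link-local traffic into the TAP adapter, not at a routing mistake; unrouted means the client forwards traffic from a network the server has no iroute for.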
Przemek M.

Przemek M. Software Engineer,
TomTom

Subject: OpenVPN - MULTI: bad source address from client, packet...

If the client resolves vpn.domena.com to an IPv6 address, then don't be surprised that it also presents itself with an IPv6 address.

Subject: OpenVPN - MULTI: bad source address from client, packet...

No, the client resolves vpn.domena.com to an IPv4 address.

deleted account

Subject: OpenVPN - MULTI: bad source address from client, packet...

Add to the server configuration which IP it should use:
http://openvpn.net/index.php/open-source/documentation...
# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d

Subject: OpenVPN - MULTI: bad source address from client, packet...

Hello,

After adding

local 192.168.200.150

the same error unfortunately still appears.

deleted account

Subject: OpenVPN - MULTI: bad source address from client, packet...

Disable IPv6 on the TAP- virtual interface

Subject: OpenVPN - MULTI: bad source address from client, packet...

Only disabling IPv6 on ALL network adapters helped, on both the server and the client.

Right now I can ping the VPN server from the client1 machine using the address assigned by the VPN: 10.8.7.1.

However, I cannot ping the server's real address: 192.168.200.150.
From the server I also cannot ping the client, neither its real address on the 192.168.1.0/24 network nor 10.8.7.6, which it received from the VPN.

At the moment the tunnel that was created is of the client-to-site type. If I want to make it site-to-site, should I configure both sides as "server"?

What should I do to get traffic flowing in both directions?

deleted account

Subject: OpenVPN - MULTI: bad source address from client, packet...

Łukasz K.:
Only disabling IPv6 on ALL network adapters helped, on both the server and the client.

Right now I can ping the VPN server from the client1 machine using the address assigned by the VPN: 10.8.7.1.

However, I cannot ping the server's real address: 192.168.200.150.
From the server I also cannot ping the client, neither its real address on the 192.168.1.0/24 network nor 10.8.7.6, which it received from the VPN.

At the moment the tunnel that was created is of the client-to-site type. If I want to make it site-to-site, should I configure both sides as "server"?

No. Also have a look at bridge mode.
Łukasz, help me understand: why do you ask questions that Google answers in 2 seconds? Are you testing us?
http://www.smallnetbuilder.com/security/security-howto...
Marcin Bojko edited this post on 07.04.13 at 15:24
