Situation: there is a head office and a branch office, connected to each other over OpenVPN. Routes are pushed, everything works on the computers, but the IP phones in the branch office don't work: they don't see the PBX in the head office.
For example, from the PBX (172.16.0.250) I ping the phone 192.168.170.226 through the head-office gateway (172.16.0.253), which is connected over OpenVPN to the branch gateway (192.168.170.250). View from the PBX (172.16.0.250):
1) ping
# ping 192.168.170.226
PING 192.168.170.226 (192.168.170.226): 56 data bytes
^C
--- 192.168.170.226 ping statistics ---
81 packets transmitted, 0 packets received, 100.0% packet loss

2) traceroute
# traceroute 192.168.170.226
traceroute to 192.168.170.226 (192.168.170.226), 64 hops max, 40 byte packets
 1  172.16.0.253 (172.16.0.253)  0.485 ms  0.240 ms  0.393 ms
 2  10.0.2.56 (10.0.2.56)  4.071 ms  4.221 ms  4.264 ms
 3  * * *
 4  * * *
 5  * * *
^C

View on the head-office gateway (172.16.0.253):

1) ping
# tcpdump -n -i tun1 | grep 172.16.0.250
listening on tun1, link-type RAW (Raw IP), capture size 65535 bytes
12:52:32.654769 IP 172.16.0.250 > 192.168.170.226: ICMP echo request, id 21627, seq 53, length 64
12:52:33.664494 IP 172.16.0.250 > 192.168.170.226: ICMP echo request, id 21627, seq 54, length 64
12:52:34.674144 IP 172.16.0.250 > 192.168.170.226: ICMP echo request, id 21627, seq 55, length 64
...

2) traceroute
# tcpdump -n -i tun1 | grep 172.16.0.250
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun1, link-type RAW (Raw IP), capture size 65535 bytes
14:39:19.088402 IP 172.16.0.250.39731 > 192.168.170.226.33438: UDP, length 12
14:39:19.092221 IP 10.0.2.56 > 172.16.0.250: ICMP time exceeded in-transit, length 48
14:39:19.193979 IP 172.16.0.250.39731 > 192.168.170.226.33439: UDP, length 12
14:39:19.197819 IP 10.0.2.56 > 172.16.0.250: ICMP time exceeded in-transit, length 48
14:39:19.198336 IP 172.16.0.250.39731 > 192.168.170.226.33440: UDP, length 12
14:39:19.202099 IP 10.0.2.56 > 172.16.0.250: ICMP time exceeded in-transit, length 48
14:39:19.202586 IP 172.16.0.250.39731 > 192.168.170.226.33441: UDP, length 12
14:39:24.218813 IP 172.16.0.250.39731 > 192.168.170.226.33442: UDP, length 12
14:39:29.227224 IP 172.16.0.250.39731 > 192.168.170.226.33443: UDP, length 12
14:39:34.235858 IP 172.16.0.250.39731 > 192.168.170.226.33444: UDP, length 12
14:39:39.249780 IP 172.16.0.250.39731 > 192.168.170.226.33445: UDP, length 12
14:39:44.258362 IP 172.16.0.250.39731 > 192.168.170.226.33446: UDP, length 12
14:39:49.266899 IP 172.16.0.250.39731 > 192.168.170.226.33447: UDP, length 12
14:39:54.276259 IP 172.16.0.250.39731 > 192.168.170.226.33448: UDP, length 12
14:39:59.284356 IP 172.16.0.250.39731 > 192.168.170.226.33449: UDP, length 12
14:40:04.293039 IP 172.16.0.250.39731 > 192.168.170.226.33450: UDP, length 12
View on the branch gateway (192.168.170.250):

1) ping
# tcpdump | grep 172.16.0.250
12:52:32.659531 IP 172.16.0.250 > 192.168.170.226: ICMP echo request, id 21627, seq 53, length 64
12:52:32.659899 IP 192.168.170.226 > 172.16.0.250: ICMP echo reply, id 21627, seq 53, length 64
12:52:33.669513 IP 172.16.0.250 > 192.168.170.226: ICMP echo request, id 21627, seq 54, length 64
12:52:33.669878 IP 192.168.170.226 > 172.16.0.250: ICMP echo reply, id 21627, seq 54, length 64
12:52:34.679000 IP 172.16.0.250 > 192.168.170.226: ICMP echo request, id 21627, seq 55, length 64
12:52:34.679367 IP 192.168.170.226 > 172.16.0.250: ICMP echo reply, id 21627, seq 55, length 64
...

2) traceroute
# tcpdump | grep 172.16.0.250
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:39:19.213393 IP 172.16.0.250.39731 > 192.168.170.226.33441: UDP, length 12
14:39:19.213759 IP 192.168.170.226 > 172.16.0.250: ICMP 192.168.170.226 udp port 33441 unreachable, length 48
14:39:24.229546 IP 172.16.0.250.39731 > 192.168.170.226.33442: UDP, length 12
14:39:24.229916 IP 192.168.170.226 > 172.16.0.250: ICMP 192.168.170.226 udp port 33442 unreachable, length 48
14:39:29.237954 IP 172.16.0.250.39731 > 192.168.170.226.33443: UDP, length 12
14:39:29.238339 IP 192.168.170.226 > 172.16.0.250: ICMP 192.168.170.226 udp port 33443 unreachable, length 48
14:39:34.246625 IP 172.16.0.250.39731 > 192.168.170.226.33444: UDP, length 12
14:39:34.247031 IP 192.168.170.226 > 172.16.0.250: ICMP 192.168.170.226 udp port 33444 unreachable, length 48
14:39:39.260536 IP 172.16.0.250.39731 > 192.168.170.226.33445: UDP, length 12
14:39:39.260903 IP 192.168.170.226 > 172.16.0.250: ICMP 192.168.170.226 udp port 33445 unreachable, length 48
14:39:44.269294 IP 172.16.0.250.39731 > 192.168.170.226.33446: UDP, length 12
14:39:44.269663 IP 192.168.170.226 > 172.16.0.250: ICMP 192.168.170.226 udp port 33446 unreachable, length 48
14:39:49.277696 IP 172.16.0.250.39731 > 192.168.170.226.33447: UDP, length 12
14:39:49.278087 IP 192.168.170.226 > 172.16.0.250: ICMP 192.168.170.226 udp port 33447 unreachable, length 48
14:39:54.286966 IP 172.16.0.250.39731 > 192.168.170.226.33448: UDP, length 12
14:39:54.287360 IP 192.168.170.226 > 172.16.0.250: ICMP 192.168.170.226 udp port 33448 unreachable, length 48
14:39:59.296265 IP 172.16.0.250.39731 > 192.168.170.226.33449: UDP, length 12
14:39:59.296827 IP 192.168.170.226 > 172.16.0.250: ICMP 192.168.170.226 udp port 33449 unreachable, length 48
14:40:04.304005 IP 172.16.0.250.39731 > 192.168.170.226.33450: UDP, length 12
14:40:04.306797 IP 192.168.170.226 > 172.16.0.250: ICMP 192.168.170.226 udp port 33450 unreachable, length 48

So it can be seen that the reply from the phone arrives, but then gets lost somewhere... I decided not to post all the iptables rules; the rules shown are placed above everything else.
Head office:

# uname -a
Linux name 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64 GNU/Linux
# cat /etc/debian_version
7.4
# iptables -L -v -n
Chain INPUT (policy ACCEPT 1868 packets, 227K bytes)
 pkts bytes target     prot opt in     out     source               destination
44218  425M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0
  664  339K ACCEPT     all  --  tun1   *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 41 packets, 3462 bytes)
 pkts bytes target     prot opt in     out     source               destination
  355 29820 ACCEPT     all  --  *      *       172.16.0.250         192.168.170.226
    0     0 ACCEPT     all  --  *      *       192.168.170.226      172.16.0.250

Chain OUTPUT (policy ACCEPT 462K packets, 1050M bytes)

# netstat -rn
Kernel IP routing table
Destination        Gateway            Genmask          Flags MSS Window irtt Iface
0.0.0.0            <external gateway> 0.0.0.0          UG      0 0         0 eth1
5.5.0.0            0.0.0.0            255.255.252.0    U       0 0         0 as0t0
5.5.4.0            0.0.0.0            255.255.252.0    U       0 0         0 as0t1
5.5.8.0            0.0.0.0            255.255.252.0    U       0 0         0 as0t2
5.5.12.0           0.0.0.0            255.255.252.0    U       0 0         0 as0t3
10.0.2.0           0.0.0.0            255.255.255.0    U       0 0         0 tun1
10.10.10.0         0.0.0.0            255.255.255.0    U       0 0         0 tun0
10.13.10.0         0.0.0.0            255.255.255.0    U       0 0         0 tun0
<external network> 0.0.0.0            255.255.255.248  U       0 0         0 eth1
172.16.0.0         0.0.0.0            255.255.255.0    U       0 0         0 eth0
192.168.170.0      10.0.2.1           255.255.255.0    UG      0 0         0 tun1

# openvpn --version
OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jun 18 2013
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
$ ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --libexecdir=${prefix}/lib/openvpn --disable-maintainer-mode --disable-dependency-tracking CFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security CPPFLAGS=-D_FORTIFY_SOURCE=2 CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security FFLAGS=-g -O2 LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now --enable-password-save --host=x86_64-linux-gnu --build=x86_64-linux-gnu --prefix=/usr --mandir=${prefix}/share/man --with-ifconfig-path=/sbin/ifconfig --with-route-path=/sbin/route
Compile time defines: ENABLE_CLIENT_SERVER ENABLE_DEBUG ENABLE_EUREPHIA ENABLE_FRAGMENT ENABLE_HTTP_PROXY ENABLE_MANAGEMENT ENABLE_MULTIHOME ENABLE_PASSWORD_SAVE ENABLE_PORT_SHARE ENABLE_SOCKS USE_CRYPTO USE_LIBDL USE_LZO USE_PF_INET6 USE_PKCS11 USE_SSL
Branch office:

# uname -a
Linux name2 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64 GNU/Linux
# cat /etc/debian_version
7.4
# iptables -L -v -n
Chain INPUT (policy ACCEPT 23 packets, 1902 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    1    84 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0
  592 94678 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   75  6300 ACCEPT     all  --  *      *       172.16.0.250         192.168.170.226
   75  6300 ACCEPT     all  --  *      *       192.168.170.226      172.16.0.250
 2398  374K ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
 2424  835K ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 158K packets, 39M bytes)

# netstat -rn
Kernel IP routing table
Destination        Gateway            Genmask          Flags MSS Window irtt Iface
0.0.0.0            <external gateway> 0.0.0.0          UG      0 0         0 eth1
10.0.2.0           0.0.0.0            255.255.255.0    U       0 0         0 tun0
172.16.0.0         10.0.2.1           255.255.255.0    UG      0 0         0 tun0
192.168.170.0      0.0.0.0            255.255.255.0    U       0 0         0 eth0
<external network> 0.0.0.0            255.255.255.248  U       0 0         0 eth1

# iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 29 packets, 5886 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 4 packets, 1341 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1 packets, 76 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 24 packets, 4202 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    76 MASQUERADE all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

# openvpn --version
OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jun 18 2013
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
$ ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --libexecdir=${prefix}/lib/openvpn --disable-maintainer-mode --disable-dependency-tracking CFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security CPPFLAGS=-D_FORTIFY_SOURCE=2 CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security FFLAGS=-g -O2 LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now --enable-password-save --host=x86_64-linux-gnu --build=x86_64-linux-gnu --prefix=/usr --mandir=${prefix}/share/man --with-ifconfig-path=/sbin/ifconfig --with-route-path=/sbin/route
Compile time defines: ENABLE_CLIENT_SERVER ENABLE_DEBUG ENABLE_EUREPHIA ENABLE_FRAGMENT ENABLE_HTTP_PROXY ENABLE_MANAGEMENT ENABLE_MULTIHOME ENABLE_PASSWORD_SAVE ENABLE_PORT_SHARE ENABLE_SOCKS USE_CRYPTO USE_LIBDL USE_LZO USE_PF_INET6 USE_PKCS11 USE_SSL
It can be seen that the packets from the branch seem to be going out (the counter of the matching rule increases), but for some reason they don't reach the head office. Previously this branch ran a different system, FreeBSD 8.2, on which everything worked, but it has since died.
Please advise how I can look into why the packets don't arrive, or at least what this might be related to; I've already racked my brain over it...
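One way to narrow down where a reply disappears is to compare the captures from each vantage point mechanically instead of by eye. The script below is an added example and is not part of the original post: it parses `tcpdump -n` lines, classifies each packet as forward (probe source to probe destination) or return (the other way) for the pair being tested, and walks the vantage points in path order to report the first segment where each direction is no longer seen. The sample lines are copied from the ping captures above (constructed input, with the tcpdump banner lines left in to show they are skipped); the vantage-point labels are assumed names.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two ping captures from the post, labelled by where
# they were taken. Order the list from the probe source towards the probe
# destination (head office first, branch second).
HEAD_TUN1 = """\
listening on tun1, link-type RAW (Raw IP), capture size 65535 bytes
12:52:32.654769 IP 172.16.0.250 > 192.168.170.226: ICMP echo request, id 21627, seq 53, length 64
12:52:33.664494 IP 172.16.0.250 > 192.168.170.226: ICMP echo request, id 21627, seq 54, length 64
12:52:34.674144 IP 172.16.0.250 > 192.168.170.226: ICMP echo request, id 21627, seq 55, length 64
"""

BRANCH_ETH0 = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:52:32.659531 IP 172.16.0.250 > 192.168.170.226: ICMP echo request, id 21627, seq 53, length 64
12:52:32.659899 IP 192.168.170.226 > 172.16.0.250: ICMP echo reply, id 21627, seq 53, length 64
12:52:33.669513 IP 172.16.0.250 > 192.168.170.226: ICMP echo request, id 21627, seq 54, length 64
12:52:33.669878 IP 192.168.170.226 > 172.16.0.250: ICMP echo reply, id 21627, seq 54, length 64
12:52:34.679000 IP 172.16.0.250 > 192.168.170.226: ICMP echo request, id 21627, seq 55, length 64
12:52:34.679367 IP 192.168.170.226 > 172.16.0.250: ICMP echo reply, id 21627, seq 55, length 64
"""

VANTAGES: List[Tuple[str, str]] = [
    ("head-office tun1", HEAD_TUN1),   # assumed label
    ("branch eth0", BRANCH_ETH0),      # assumed label
]

# One `tcpdump -n` IPv4 line: timestamp, "IP", src[.port] > dst[.port]: info.
# The optional trailing ".port" is dropped so UDP traceroute probes and the
# ICMP answers to them are classified by host address alone.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (?P<info>.*)$"
)


def parse_capture(text: str) -> List[Dict[str, str]]:
    """Return one dict per packet line; banner and 'listening on' lines are ignored."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append(m.groupdict())
    return packets


def count_directions(packets: List[Dict[str, str]], probe_src: str, probe_dst: str) -> Dict[str, int]:
    """Count forward (src->dst) and return (dst->src) packets seen at one vantage point."""
    counts = {"forward": 0, "return": 0}
    for p in packets:
        if p["src"] == probe_src and p["dst"] == probe_dst:
            counts["forward"] += 1
        elif p["src"] == probe_dst and p["dst"] == probe_src:
            counts["return"] += 1
    return counts


def locate_loss(vantages: List[Tuple[str, str]], probe_src: str, probe_dst: str) -> dict:
    """For vantages ordered from probe_src towards probe_dst, report per-vantage
    counts and the (last seen, first missing) pair for each direction, or None
    when that direction was seen at every vantage point."""
    counts = {name: count_directions(parse_capture(text), probe_src, probe_dst)
              for name, text in vantages}
    names = [name for name, _ in vantages]

    def first_gap(order: List[str], key: str) -> Optional[Tuple[Optional[str], str]]:
        # Walk in the direction of travel; stop at the first vantage with no packets.
        prev = None
        for name in order:
            if counts[name][key] == 0:
                return (prev, name)
            prev = name
        return None

    return {
        "counts": counts,
        # forward packets travel in list order, return packets in reverse order
        "forward_lost_between": first_gap(names, "forward"),
        "return_lost_between": first_gap(list(reversed(names)), "return"),
    }


if __name__ == "__main__":
    result = locate_loss(VANTAGES, "172.16.0.250", "192.168.170.226")
    for name, c in result["counts"].items():
        print(f"{name}: forward={c['forward']} return={c['return']}")
    print("forward lost between:", result["forward_lost_between"])
    print("return lost between: ", result["return_lost_between"])
```

On the sample data it reports forward traffic at both vantage points and return traffic on the branch gateway's eth0 but not on the head-office tun1, which is the same conclusion the post draws by hand. On a live system, capture with `tcpdump -n` on every interface the packet should traverse (on the branch gateway that means eth0 and tun0 separately, not the default interface alone) and add each capture as its own vantage point, so the report names the exact interface pair between which the reply vanishes.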