Situation: there is a head office and a branch, connected to each other over OpenVPN. Routes are set up, everything works on the PCs, but the IP phones in the branch do not work: they cannot see the PBX in the head office.
For example, from the PBX (172.16.0.250) I ping the phone 192.168.170.226 through the head-office gateway (172.16.0.253), which is connected over OpenVPN to the branch gateway (192.168.170.250). View from the PBX side (172.16.0.250):
1) ping
#ping 192.168.170.226
PING 192.168.170.226 (192.168.170.226): 56 data bytes
^C
--- 192.168.170.226 ping statistics ---
81 packets transmitted, 0 packets received, 100.0% packet loss
2) traceroute
# traceroute 192.168.170.226
traceroute to 192.168.170.226 (192.168.170.226), 64 hops max, 40 byte packets
1 172.16.0.253 (172.16.0.253) 0.485 ms 0.240 ms 0.393 ms
2 10.0.2.56 (10.0.2.56) 4.071 ms 4.221 ms 4.264 ms
3 * * *
4 * * *
5 * * *
^C
View on the head-office gateway (172.16.0.253):
1) ping
#tcpdump -n -i tun1 | grep 172.16.0.250
listening on tun1, link-type RAW (Raw IP), capture size 65535 bytes
12:52:32.654769 IP 172.16.0.250 > 192.168.170.226: ICMP echo request, id 21627, seq 53, length 64
12:52:33.664494 IP 172.16.0.250 > 192.168.170.226: ICMP echo request, id 21627, seq 54, length 64
12:52:34.674144 IP 172.16.0.250 > 192.168.170.226: ICMP echo request, id 21627, seq 55, length 64
...
2) traceroute
# tcpdump -n -i tun1 | grep 172.16.0.250
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun1, link-type RAW (Raw IP), capture size 65535 bytes
14:39:19.088402 IP 172.16.0.250.39731 > 192.168.170.226.33438: UDP, length 12
14:39:19.092221 IP 10.0.2.56 > 172.16.0.250: ICMP time exceeded in-transit, length 48
14:39:19.193979 IP 172.16.0.250.39731 > 192.168.170.226.33439: UDP, length 12
14:39:19.197819 IP 10.0.2.56 > 172.16.0.250: ICMP time exceeded in-transit, length 48
14:39:19.198336 IP 172.16.0.250.39731 > 192.168.170.226.33440: UDP, length 12
14:39:19.202099 IP 10.0.2.56 > 172.16.0.250: ICMP time exceeded in-transit, length 48
14:39:19.202586 IP 172.16.0.250.39731 > 192.168.170.226.33441: UDP, length 12
14:39:24.218813 IP 172.16.0.250.39731 > 192.168.170.226.33442: UDP, length 12
14:39:29.227224 IP 172.16.0.250.39731 > 192.168.170.226.33443: UDP, length 12
14:39:34.235858 IP 172.16.0.250.39731 > 192.168.170.226.33444: UDP, length 12
14:39:39.249780 IP 172.16.0.250.39731 > 192.168.170.226.33445: UDP, length 12
14:39:44.258362 IP 172.16.0.250.39731 > 192.168.170.226.33446: UDP, length 12
14:39:49.266899 IP 172.16.0.250.39731 > 192.168.170.226.33447: UDP, length 12
14:39:54.276259 IP 172.16.0.250.39731 > 192.168.170.226.33448: UDP, length 12
14:39:59.284356 IP 172.16.0.250.39731 > 192.168.170.226.33449: UDP, length 12
14:40:04.293039 IP 172.16.0.250.39731 > 192.168.170.226.33450: UDP, length 12
View on the branch gateway (192.168.170.250):
1) ping
#tcpdump | grep 172.16.0.250
12:52:32.659531 IP 172.16.0.250 > 192.168.170.226: ICMP echo request, id 21627, seq 53, length 64
12:52:32.659899 IP 192.168.170.226 > 172.16.0.250: ICMP echo reply, id 21627, seq 53, length 64
12:52:33.669513 IP 172.16.0.250 > 192.168.170.226: ICMP echo request, id 21627, seq 54, length 64
12:52:33.669878 IP 192.168.170.226 > 172.16.0.250: ICMP echo reply, id 21627, seq 54, length 64
12:52:34.679000 IP 172.16.0.250 > 192.168.170.226: ICMP echo request, id 21627, seq 55, length 64
12:52:34.679367 IP 192.168.170.226 > 172.16.0.250: ICMP echo reply, id 21627, seq 55, length 64
...
2) traceroute
# tcpdump | grep 172.16.0.250
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:39:19.213393 IP 172.16.0.250.39731 > 192.168.170.226.33441: UDP, length 12
14:39:19.213759 IP 192.168.170.226 > 172.16.0.250: ICMP 192.168.170.226 udp port 33441 unreachable, length 48
14:39:24.229546 IP 172.16.0.250.39731 > 192.168.170.226.33442: UDP, length 12
14:39:24.229916 IP 192.168.170.226 > 172.16.0.250: ICMP 192.168.170.226 udp port 33442 unreachable, length 48
14:39:29.237954 IP 172.16.0.250.39731 > 192.168.170.226.33443: UDP, length 12
14:39:29.238339 IP 192.168.170.226 > 172.16.0.250: ICMP 192.168.170.226 udp port 33443 unreachable, length 48
14:39:34.246625 IP 172.16.0.250.39731 > 192.168.170.226.33444: UDP, length 12
14:39:34.247031 IP 192.168.170.226 > 172.16.0.250: ICMP 192.168.170.226 udp port 33444 unreachable, length 48
14:39:39.260536 IP 172.16.0.250.39731 > 192.168.170.226.33445: UDP, length 12
14:39:39.260903 IP 192.168.170.226 > 172.16.0.250: ICMP 192.168.170.226 udp port 33445 unreachable, length 48
14:39:44.269294 IP 172.16.0.250.39731 > 192.168.170.226.33446: UDP, length 12
14:39:44.269663 IP 192.168.170.226 > 172.16.0.250: ICMP 192.168.170.226 udp port 33446 unreachable, length 48
14:39:49.277696 IP 172.16.0.250.39731 > 192.168.170.226.33447: UDP, length 12
14:39:49.278087 IP 192.168.170.226 > 172.16.0.250: ICMP 192.168.170.226 udp port 33447 unreachable, length 48
14:39:54.286966 IP 172.16.0.250.39731 > 192.168.170.226.33448: UDP, length 12
14:39:54.287360 IP 192.168.170.226 > 172.16.0.250: ICMP 192.168.170.226 udp port 33448 unreachable, length 48
14:39:59.296265 IP 172.16.0.250.39731 > 192.168.170.226.33449: UDP, length 12
14:39:59.296827 IP 192.168.170.226 > 172.16.0.250: ICMP 192.168.170.226 udp port 33449 unreachable, length 48
14:40:04.304005 IP 172.16.0.250.39731 > 192.168.170.226.33450: UDP, length 12
14:40:04.306797 IP 192.168.170.226 > 172.16.0.250: ICMP 192.168.170.226 udp port 33450 unreachable, length 48
So you can see that the reply from the phone arrives, and then gets lost somewhere... I decided not to post all the iptables rules; the rules shown are placed above everything else.
Head office:
# uname -a
Linux name 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64 GNU/Linux
# cat /etc/debian_version
7.4
#iptables -L -v -n
Chain INPUT (policy ACCEPT 1868 packets, 227K bytes)
pkts bytes target prot opt in out source destination
44218 425M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0
664 339K ACCEPT all -- tun1 * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 41 packets, 3462 bytes)
pkts bytes target prot opt in out source destination
355 29820 ACCEPT all -- * * 172.16.0.250 192.168.170.226
0 0 ACCEPT all -- * * 192.168.170.226 172.16.0.250
Chain OUTPUT (policy ACCEPT 462K packets, 1050M bytes)
# netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 <external gateway> 0.0.0.0 UG 0 0 0 eth1
5.5.0.0 0.0.0.0 255.255.252.0 U 0 0 0 as0t0
5.5.4.0 0.0.0.0 255.255.252.0 U 0 0 0 as0t1
5.5.8.0 0.0.0.0 255.255.252.0 U 0 0 0 as0t2
5.5.12.0 0.0.0.0 255.255.252.0 U 0 0 0 as0t3
10.0.2.0 0.0.0.0 255.255.255.0 U 0 0 0 tun1
10.10.10.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
10.13.10.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
<external network> 0.0.0.0 255.255.255.248 U 0 0 0 eth1
172.16.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.170.0 10.0.2.1 255.255.255.0 UG 0 0 0 tun1
# openvpn --version
OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jun 18 2013
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
$ ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --libexecdir=${prefix}/lib/openvpn --disable-maintainer-mode --disable-dependency-tracking CFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security CPPFLAGS=-D_FORTIFY_SOURCE=2 CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security FFLAGS=-g -O2 LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now --enable-password-save --host=x86_64-linux-gnu --build=x86_64-linux-gnu --prefix=/usr --mandir=${prefix}/share/man --with-ifconfig-path=/sbin/ifconfig --with-route-path=/sbin/route
Compile time defines: ENABLE_CLIENT_SERVER ENABLE_DEBUG ENABLE_EUREPHIA ENABLE_FRAGMENT ENABLE_HTTP_PROXY ENABLE_MANAGEMENT ENABLE_MULTIHOME ENABLE_PASSWORD_SAVE ENABLE_PORT_SHARE ENABLE_SOCKS USE_CRYPTO USE_LIBDL USE_LZO USE_PF_INET6 USE_PKCS11 USE_SSL
Branch:
# uname -a
Linux name2 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64 GNU/Linux
# cat /etc/debian_version
7.4
# iptables -L -v -n
Chain INPUT (policy ACCEPT 23 packets, 1902 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
1 84 ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0
592 94678 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
75 6300 ACCEPT all -- * * 172.16.0.250 192.168.170.226
75 6300 ACCEPT all -- * * 192.168.170.226 172.16.0.250
2398 374K ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0
2424 835K ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 158K packets, 39M bytes)
# netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 <external gateway> 0.0.0.0 UG 0 0 0 eth1
10.0.2.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
172.16.0.0 10.0.2.1 255.255.255.0 UG 0 0 0 tun0
192.168.170.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
<external network> 0.0.0.0 255.255.255.248 U 0 0 0 eth1
# iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 29 packets, 5886 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 4 packets, 1341 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1 packets, 76 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 24 packets, 4202 bytes)
pkts bytes target prot opt in out source destination
1 76 MASQUERADE all -- * eth1 0.0.0.0/0 0.0.0.0/0
# openvpn --version
OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jun 18 2013
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
$ ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --libexecdir=${prefix}/lib/openvpn --disable-maintainer-mode --disable-dependency-tracking CFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security CPPFLAGS=-D_FORTIFY_SOURCE=2 CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security FFLAGS=-g -O2 LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now --enable-password-save --host=x86_64-linux-gnu --build=x86_64-linux-gnu --prefix=/usr --mandir=${prefix}/share/man --with-ifconfig-path=/sbin/ifconfig --with-route-path=/sbin/route
Compile time defines: ENABLE_CLIENT_SERVER ENABLE_DEBUG ENABLE_EUREPHIA ENABLE_FRAGMENT ENABLE_HTTP_PROXY ENABLE_MANAGEMENT ENABLE_MULTIHOME ENABLE_PASSWORD_SAVE ENABLE_PORT_SHARE ENABLE_SOCKS USE_CRYPTO USE_LIBDL USE_LZO USE_PF_INET6 USE_PKCS11 USE_SSL
It looks like the packets from the branch are going out (the counter of the matching rule increases), but for some reason they do not reach the head office. Previously this branch ran a different system, FreeBSD 8.2, on which everything worked, but it died for good.
Please advise how I can see why the packets do not arrive, or at least what this could be related to; I have already racked my brains over it...
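The post compares two tcpdump captures by eye: echo requests and replies on the branch's eth0 against what actually arrives on the head office's tun1. The following Python script is an added example, not code from the post or from OpenVPN; it parses `tcpdump -n` ICMP echo lines, correlates them by ICMP id and sequence number, and reports for each probe where it was last seen. The two sample captures embedded below are the lines quoted in the post (seq 53 to 55); the "near" and "far" labels, the function names and the status strings are this example's own conventions, not anything from the page.

```python
import re
from collections import defaultdict

# Lines quoted from the post: capture on the head-office gateway, tun1 (the side
# that sends the echo request). Only requests appear; no replies come back.
HEAD_OFFICE_TUN1 = """\
12:52:32.654769 IP 172.16.0.250 > 192.168.170.226: ICMP echo request, id 21627, seq 53, length 64
12:52:33.664494 IP 172.16.0.250 > 192.168.170.226: ICMP echo request, id 21627, seq 54, length 64
12:52:34.674144 IP 172.16.0.250 > 192.168.170.226: ICMP echo request, id 21627, seq 55, length 64
"""

# Lines quoted from the post: capture on the branch gateway, eth0 (the side where
# the phone lives). Both the request and the phone's reply are visible here.
BRANCH_ETH0 = """\
12:52:32.659531 IP 172.16.0.250 > 192.168.170.226: ICMP echo request, id 21627, seq 53, length 64
12:52:32.659899 IP 192.168.170.226 > 172.16.0.250: ICMP echo reply, id 21627, seq 53, length 64
12:52:33.669513 IP 172.16.0.250 > 192.168.170.226: ICMP echo request, id 21627, seq 54, length 64
12:52:33.669878 IP 192.168.170.226 > 172.16.0.250: ICMP echo reply, id 21627, seq 54, length 64
12:52:34.679000 IP 172.16.0.250 > 192.168.170.226: ICMP echo request, id 21627, seq 55, length 64
12:52:34.679367 IP 192.168.170.226 > 172.16.0.250: ICMP echo reply, id 21627, seq 55, length 64
"""

# One tcpdump -n line for an ICMP echo request/reply (the default, non -v output).
ICMP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), length (?P<len>\d+)$"
)


def parse_icmp(text):
    """Map (icmp id, seq) -> {'request': [timestamps], 'reply': [timestamps]}.

    Banner lines, '...' markers and non-ICMP traffic are skipped, so the raw
    output of `tcpdump -n -i <if> | grep <host>` can be fed in unchanged.
    """
    seen = defaultdict(lambda: {"request": [], "reply": []})
    for line in text.splitlines():
        m = ICMP_RE.match(line.strip())
        if m is None:
            continue
        key = (int(m["id"]), int(m["seq"]))
        seen[key][m["kind"]].append(m["ts"])
    return seen


def compare_captures(near, far):
    """Classify every echo probe by the last point it was observed.

    near: capture taken next to the sender of the request (head office tun1)
    far:  capture taken next to the target host (branch eth0)
    The checks are ordered along the packet's path, so the first failing
    stage names the segment where the packet disappeared.
    """
    near_seen = parse_icmp(near)
    far_seen = parse_icmp(far)
    result = {}
    for key in sorted(set(near_seen) | set(far_seen)):
        n, f = near_seen[key], far_seen[key]
        if not n["request"]:
            status = "request never left near side"
        elif not f["request"]:
            status = "request lost before far side"
        elif not f["reply"]:
            status = "far host did not reply"
        elif not n["reply"]:
            status = "reply lost on return path"
        else:
            status = "ok"
        result[key] = status
    return result


if __name__ == "__main__":
    for (icmp_id, seq), status in compare_captures(HEAD_OFFICE_TUN1, BRANCH_ETH0).items():
        print(f"id {icmp_id} seq {seq}: {status}")
```

Run against the post's own captures, every probe is classified as "reply lost on return path": the phone answers, the reply is on the branch's LAN interface, and it never shows up on the head office's tunnel interface. The next capture to take is on the branch's tun0 while the ping runs: if the reply is absent there, the branch kernel is not sending it into the tunnel (routing or forwarding); if it is present there but absent on the head office's tun1, the loss is inside the OpenVPN path itself. One general OpenVPN behaviour worth checking in that last case (the post does not say which end is the server): in a server/client setup, the server process only delivers traffic for a subnet behind a client if that subnet is declared with `iroute` for that client; a kernel route alone is not enough, and such packets are silently discarded by the OpenVPN daemon rather than by iptables, which is consistent with forward counters increasing while nothing arrives.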