Discussion:
[Openvpn-users] Incoming packet rejected
sam wun
2004-10-31 03:18:15 UTC
Hi

Sorry, this msg should be sent to the openvpn mailing list directly, but I
don't know why I am not able to subscribe to the list.
Here is the problem I have with openvpn.
Sometimes when a second vpn client starts a connection request to the
openvpn server, some error messages show up in the Windows
DOS shell:
TCP/UDP: Incoming packet rejected from 192.168.4.254:5000, expected peer
address: 192.168.9.254:5000 (allow this incoming source address/port by
removing --remote or adding --float)

The Windows client has the address 192.168.4.0; openvpn will
route all traffic to the destination subnet 192.168.9.0 if the connection is
successfully established.
I'm running Beta 14, with the following openvpn config:
dev tap
port 5000
mode server
....
....
push "ping 10"
push "ping-restart 30"
#push "persist-tun"
push "persist-key"
push "redirect-gateway"
push "route-gateway 172.16.0.1"
push "dhcp-option DNS 192.168.9.254"
push "dhcp-option WINS 192.168.9.254"
push "route delete 192.168.9.0 255.255.255.0"
push "route 192.168.9.0 255.255.255.0"
push "ip-win32 dynamic"
push "dhcp-option NBT 8"
push "dhcp-option DOMAIN authtec.com"

But if I wait for a longer time, the connection will be established. I
don't know what is wrong with it.

Thanks
Sam
sam wun
2004-10-31 12:39:02 UTC
Hi,

I found that the following code in the forward.c file evaluated as true when the second vpn client initiated a connection request:

if (!link_socket_verify_incoming_addr (&c->c2.buf, lsi, &c->c2.from))
    link_socket_bad_incoming_addr (&c->c2.buf, lsi, &c->c2.from);


How can I get rid of the error?

Thanks
Sam
sam wun
2004-10-31 13:25:00 UTC
I'm not sure whether this problem is caused by the dhcpd server.
My server uses a dhcpd server configured as follows:
option domain-name "aud.com";
option domain-name-servers 192.168.4.254;
option subnet-mask 255.255.255.0;
default-lease-time 600;
max-lease-time 7200;
ddns-update-style none;
subnet 192.168.4.0 netmask 255.255.255.0 {
    range 192.168.4.200 192.168.4.235;
    option routers 192.168.4.254;
    option broadcast-address 192.168.4.255;
}

Any idea?

thanks
Sam
sam wun
2004-11-01 02:24:28 UTC
Hi,

The problem with the "Incoming packet rejected from..." error is caused by the DNS broadcasting 2 IP addresses for a single domain name, which are 192.168.4.0 and 192.168.9.0. 192.168.4.254 is the gateway IP address, whereas 192.168.9.254 is the destination address that the vpn tunnel is going to be redirected to.

Openvpn will choose one of them randomly. When 192.168.4.254 is selected as the gateway address, the openvpn server accepts it; when 192.168.9.254 is selected, openvpn rejects the connection. This is because the gateway address can't be the same as the destination address that openvpn is going to redirect to.

Sam.
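
The last post traces the rejection to a name that resolves to two addresses while replies arrive from only one of them. The C sketch below is an added example, not part of the original posts and not OpenVPN source: it models that source-address check with the two addresses from the error message, and the names `endpoint`, `accept_incoming`, `count_rejecting` and `SAMPLE_RESOLVED` are hypothetical.

```c
/* Added illustration, not OpenVPN source; all names are hypothetical. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the two addresses seen in the thread's error message. */
static const char *const SAMPLE_RESOLVED[] = { "192.168.4.254", "192.168.9.254" };

/* Build an IPv4 endpoint from dotted-quad text and a host-order port. */
static struct sockaddr_in endpoint(const char *ip, unsigned short port)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    inet_pton(AF_INET, ip, &sa.sin_addr);
    return sa;
}

/* Accept only from the endpoint we sent to, unless floating is allowed. */
static bool accept_incoming(const struct sockaddr_in *expected,
                            const struct sockaddr_in *from, bool allow_float)
{
    return allow_float
        || (expected->sin_addr.s_addr == from->sin_addr.s_addr
            && expected->sin_port == from->sin_port);
}

/* Count candidates whose selection gets the server's replies rejected. */
static size_t count_rejecting(const char *const *cands, size_t n,
    const char *reply_src, unsigned short port, bool allow_float)
{
    struct sockaddr_in from = endpoint(reply_src, port);
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        struct sockaddr_in expected = endpoint(cands[i], port);
        if (!accept_incoming(&expected, &from, allow_float))
            bad++;
    }
    return bad;
}

int main(void)
{
    size_t bad = count_rejecting(SAMPLE_RESOLVED, 2, "192.168.4.254", 5000, false);
    printf("%zu of 2 resolved addresses lead to rejected replies\n", bad);
    return 0;
}
```

Making the remote name resolve to a single address keeps the check in force, while `--float` turns the source-address comparison off.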