Re: [tor-bugs] #29822 [Internal Services/Tor Sysadmin Team]: prometheus server cannot reach build-arm* boxes
#29822: prometheus server cannot reach build-arm* boxes
-------------------------------------------------+-------------------------
Reporter: anarcat                                | Owner: weasel
Type: defect                                     | Status: assigned
Priority: Medium                                 | Milestone:
Component: Internal Services/Tor Sysadmin Team   | Version:
Severity: Minor                                  | Resolution:
Keywords:                                        | Actual Points:
Parent ID: #29681                                | Points:
Reviewer:                                        | Sponsor:
-------------------------------------------------+-------------------------
Changes (by anarcat):
* owner: anarcat => weasel
Comment:
I have tried setting up IPsec on nbg1 and it mostly works when connecting
to the other TPO boxes. I've documented what I did in
[https://help.torproject.org/tsa/howto/ipsec/ the wiki], but mostly I have
deployed everything through Puppet following the existing configs and
rebooted the monitoring server. I then ran Puppet on all the other Puppet
nodes and things generally seem to work.
Unfortunately, this doesn't bypass NAT: I cannot ping the ARM boxes behind
the MikroTik server. I assume I also need the `local peers` configuration
that is deployed on the other hosts.
I have tried adding the following static configuration:
{{{
conn hetzner-nbg1-01.torproject.org-mikrotik.sbg.torproject.org
    ike = aes128-sha256-modp3072
    #type = tunnel
    left = 195.201.139.202
    leftsubnet = 195.201.139.202/32, 172.30.142.0/24
    right = 141.201.12.27
    rightallowany = yes
    rightid = mikrotik.sbg.torproject.org
    rightsubnet = 172.30.115.0/24
    auto = route
    forceencaps = yes
    dpdaction = hold
}}}
I made up `172.30.142.0/24` because I didn't know what to put there.
Trying to raise that interface fails:
{{{
root@hetzner-nbg1-01:/etc/ipsec.conf.d# ipsec reload
Reloading strongSwan IPsec configuration...
root@hetzner-nbg1-01:/etc/ipsec.conf.d# ipsec up hetzner-nbg1-01.torproject.org-mikrotik.sbg.torproject.org
retransmit 3 of request with message ID 0
sending packet: from 195.201.139.202[500] to 141.201.12.27[500] (1300 bytes)
retransmit 4 of request with message ID 0
sending packet: from 195.201.139.202[500] to 141.201.12.27[500] (1300 bytes)
retransmit 5 of request with message ID 0
sending packet: from 195.201.139.202[500] to 141.201.12.27[500] (1300 bytes)
giving up after 5 retransmits
establishing IKE_SA failed, peer not responding
establishing connection 'hetzner-nbg1-01.torproject.org-mikrotik.sbg.torproject.org' failed
}}}
It looks like the MikroTik server refuses to talk to us somehow. I have
also tried to connect to it as documented in tor-passwords, to no avail:
{{{
Authenticated to kvm4.torproject.org ([2a01:4f8:10b:239f::2]:22).
debug1: channel_connect_stdio_fwd mikrotik.sbg.torproject.org:22
debug1: channel 0: new [stdio-forward]
debug1: getpeername failed: Bad file descriptor
debug1: Requesting no-more-sessions@xxxxxxxxxxx
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@xxxxxxxxxxx want_reply 0
channel 0: open failed: connect failed: Connection timed out
stdio forwarding failed
ssh_exchange_identification: Connection closed by remote host
"ssh -v4 -J kvm4.torproject.org admin@xxxxxxxxxxxxxxxxxxxxxxxxxxx" took 2 mins 12 secs
}}}
So it seems I have a part of the configuration missing, namely the
MikroTik server bits, and I don't seem to have the access to perform that.
Reassigning to weasel so he can hold my hand for that last step. :)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29822#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
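As an added example (not part of the ticket or of the TPO Puppet code), here is a small checker for a strongSwan `ipsec.conf` conn section like the one above: it parses the section, validates the comma-separated `leftsubnet`/`rightsubnet` traffic selectors, reports any overlap between the two sides, and notes what the NAT-traversal options imply for reachability. The conn text is embedded as a constructed sample copied from the ticket; `check_conn` and `parse_conn` are names chosen here.

```python
import ipaddress

# Constructed sample: the conn section from the ticket, inlined so the
# checker runs offline without touching /etc/ipsec.conf.d.
SAMPLE_CONN = """\
conn hetzner-nbg1-01.torproject.org-mikrotik.sbg.torproject.org
    ike = aes128-sha256-modp3072
    #type = tunnel
    left = 195.201.139.202
    leftsubnet = 195.201.139.202/32, 172.30.142.0/24
    right = 141.201.12.27
    rightallowany = yes
    rightid = mikrotik.sbg.torproject.org
    rightsubnet = 172.30.115.0/24
    auto = route
    forceencaps = yes
    dpdaction = hold
"""

def parse_conn(text):
    """Parse one 'conn' section into (name, {key: value}); '#' lines are
    skipped, as strongSwan's ipsec.conf parser does."""
    name, opts = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            name = line.split(None, 1)[1]
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip()
    return name, opts

def subnets(value):
    """Split a comma-separated selector list into ip_network objects;
    a bare host address (no prefix) becomes a /32."""
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in value.split(",") if s.strip()]

def check_conn(text):
    """Return (conn name, list of findings about selectors and NAT options)."""
    name, o = parse_conn(text)
    left = subnets(o.get("leftsubnet", o.get("left", "")))
    right = subnets(o.get("rightsubnet", o.get("right", "")))
    findings = [f"selector overlap: {l} vs {r}"
                for l in left for r in right if l.overlaps(r)]
    if o.get("forceencaps") == "yes":
        # IKE_SA_INIT still goes out on UDP/500 (as in the log above); with
        # forceencaps the rest of IKE and ESP move to UDP/4500, so both ports
        # must reach the peer.
        findings.append("forceencaps=yes: UDP/500 and UDP/4500 must reach "
                        f"{o.get('right', '?')}")
    return name, findings
```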