#29822: prometheus server cannot reach build-arm* boxes
-------------------------------------------------+-------------------------
 Reporter:  anarcat                              |          Owner:  weasel
     Type:  defect                               |         Status:  assigned
 Priority:  Medium                               |      Milestone:
Component:  Internal Services/Tor Sysadmin Team  |        Version:
 Severity:  Minor                                |     Resolution:
 Keywords:                                       |  Actual Points:
Parent ID:  #29681                               |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by anarcat):

 * owner:  anarcat => weasel

Comment:

I have tried setting up ipsec on nbg1 and it mostly works when connecting to the other TPO boxes. I've documented what I did in [https://help.torproject.org/tsa/howto/ipsec/ the wiki], but mostly I have deployed everything through puppet following the existing configs and rebooted the monitoring server. I then ran puppet on all the other puppet nodes and things generally seem to work.

Unfortunately, this doesn't bypass NAT: I cannot ping the ARM boxes behind the MikroTik server. I assume I also need the `local peers` configuration that is deployed on the other hosts. I have tried adding the following static configuration:

{{{
conn hetzner-nbg1-01.torproject.org-mikrotik.sbg.torproject.org
    ike = aes128-sha256-modp3072
    #type = tunnel
    left = 195.201.139.202
    leftsubnet = 195.201.139.202/32, 172.30.142.0/24
    right = 141.201.12.27
    rightallowany = yes
    rightid = mikrotik.sbg.torproject.org
    rightsubnet = 172.30.115.0/24
    auto = route
    forceencaps = yes
    dpdaction = hold
}}}

I made up `172.30.142.0/24` because I didn't know what to put there. Trying to raise that interface fails:

{{{
root@hetzner-nbg1-01:/etc/ipsec.conf.d# ipsec reload
Reloading strongSwan IPsec configuration...
root@hetzner-nbg1-01:/etc/ipsec.conf.d# ipsec up hetzner-nbg1-01.torproject.org-mikrotik.sbg.torproject.org
retransmit 3 of request with message ID 0
sending packet: from 195.201.139.202[500] to 141.201.12.27[500] (1300 bytes)
retransmit 4 of request with message ID 0
sending packet: from 195.201.139.202[500] to 141.201.12.27[500] (1300 bytes)
retransmit 5 of request with message ID 0
sending packet: from 195.201.139.202[500] to 141.201.12.27[500] (1300 bytes)
giving up after 5 retransmits
establishing IKE_SA failed, peer not responding
establishing connection 'hetzner-nbg1-01.torproject.org-mikrotik.sbg.torproject.org' failed
}}}

It looks like the MikroTik server refuses to talk to us somehow.

I have also tried to connect to it as documented in tor-passwords, to no avail:

{{{
Authenticated to kvm4.torproject.org ([2a01:4f8:10b:239f::2]:22).
debug1: channel_connect_stdio_fwd mikrotik.sbg.torproject.org:22
debug1: channel 0: new [stdio-forward]
debug1: getpeername failed: Bad file descriptor
debug1: Requesting no-more-sessi...@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys...@openssh.com want_reply 0
channel 0: open failed: connect failed: Connection timed out
stdio forwarding failed
ssh_exchange_identification: Connection closed by remote host
"ssh -v4 -J kvm4.torproject.org ad...@mikrotik.sbg.torproject.org" took 2 mins 12 secs
}}}

So it seems I have a part of the configuration missing, namely the MikroTik server bits, and I don't seem to have the access to perform that. Reassigning to weasel so he can hold my hand for that last step. :)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29822#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
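A small lint for strongSwan `conn` stanzas like the one quoted in this comment, added here as an example and not part of the ticket or of the TPO puppet configuration: it parses the stanza, flags any `leftsubnet` entry that is not actually a network on the host (the made-up `172.30.142.0/24` case), and flags weak IKE proposal algorithms. The sample stanza is the one from the comment; `LOCAL_NETWORKS` is a hypothetical stand-in for what the host really has configured.

```python
import ipaddress
import re
# Constructed sample input: the conn stanza quoted in the ticket comment, unchanged.
SAMPLE_CONF = """
conn hetzner-nbg1-01.torproject.org-mikrotik.sbg.torproject.org
    ike = aes128-sha256-modp3072
    #type = tunnel
    left = 195.201.139.202
    leftsubnet = 195.201.139.202/32, 172.30.142.0/24
    right = 141.201.12.27
    rightallowany = yes
    rightid = mikrotik.sbg.torproject.org
    rightsubnet = 172.30.115.0/24
    auto = route
    forceencaps = yes
    dpdaction = hold
"""
# Hypothetical: networks really configured on this host (what `ip -o addr` would show).
LOCAL_NETWORKS = ["195.201.139.202/32"]
WEAK_IKE = re.compile(r"(?i)(modp1024|modp768|sha1|md5|3des|null)")

def parse_conns(text):
    """Parse ipsec.conf-style text into {conn name: {option: value}}, dropping comments."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            conns[current][key] = value
    return conns

def cidrs(value):
    """Split a comma-separated leftsubnet/rightsubnet value into ip_network objects."""
    return [ipaddress.ip_network(s.strip(), strict=False) for s in value.split(",") if s.strip()]

def lint_conn(opts, local_networks=LOCAL_NETWORKS):
    """Return findings for one conn: phantom leftsubnets and weak IKE algorithms."""
    findings = []
    local = [ipaddress.ip_network(n) for n in local_networks]
    left = cidrs(opts.get("leftsubnet", ""))
    for net in left:
        if not any(net.overlaps(l) for l in local):
            findings.append(f"leftsubnet {net} is not a network on this host")
    weak = WEAK_IKE.search(opts.get("ike", ""))
    if weak:
        findings.append(f"ike proposal contains weak algorithm {weak.group(1)}")
    return findings
```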
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs