[tor-bugs] #29822 [Internal Services/Tor Sysadmin Team]: prometheus server cannot reach build-arm* boxes
Tor Bug Tracker & Wiki
blackhole@torproject.org
Thu Apr 4 22:20:45 UTC 2019
#29822: prometheus server cannot reach build-arm* boxes
-------------------------------------------------+-------------------------
Reporter: anarcat                                | Owner: weasel
Type: defect                                     | Status: assigned
Priority: Medium                                 | Milestone:
Component: Internal Services/Tor Sysadmin Team   | Version:
Severity: Minor                                  | Resolution:
Keywords:                                        | Actual Points:
Parent ID: #29681                                | Points:
Reviewer:                                        | Sponsor:
-------------------------------------------------+-------------------------
Changes (by anarcat):
* owner: anarcat => weasel
Comment:
I have tried setting up IPsec on nbg1 and it mostly works when connecting
to the other TPO boxes. I've documented what I did in
[https://help.torproject.org/tsa/howto/ipsec/ the wiki] but mostly I have
deployed everything through puppet following the existing configs and
rebooted the monitoring server. I then ran puppet on all the other puppet
nodes and things generally seem to work.
Unfortunately, this doesn't bypass NAT: I cannot ping the ARM boxes behind
the MikroTik server. I assume I also need the `local peers` configuration
that is deployed on the other hosts.
I have tried adding the following static configuration:
{{{
conn hetzner-nbg1-01.torproject.org-mikrotik.sbg.torproject.org
ike = aes128-sha256-modp3072
#type = tunnel
left = 195.201.139.202
leftsubnet = 195.201.139.202/32, 172.30.142.0/24
right = 141.201.12.27
rightallowany = yes
rightid = mikrotik.sbg.torproject.org
rightsubnet = 172.30.115.0/24
auto = route
forceencaps = yes
dpdaction = hold
}}}
I made up `172.30.142.0/24` because I didn't know what to put there.
Trying to raise that interface fails:
{{{
root@hetzner-nbg1-01:/etc/ipsec.conf.d# ipsec reload
Reloading strongSwan IPsec configuration...
root@hetzner-nbg1-01:/etc/ipsec.conf.d# ipsec up hetzner-nbg1-01.torproject.org-mikrotik.sbg.torproject.org
retransmit 3 of request with message ID 0
sending packet: from 195.201.139.202[500] to 141.201.12.27[500] (1300 bytes)
retransmit 4 of request with message ID 0
sending packet: from 195.201.139.202[500] to 141.201.12.27[500] (1300 bytes)
retransmit 5 of request with message ID 0
sending packet: from 195.201.139.202[500] to 141.201.12.27[500] (1300 bytes)
giving up after 5 retransmits
establishing IKE_SA failed, peer not responding
establishing connection 'hetzner-nbg1-01.torproject.org-mikrotik.sbg.torproject.org' failed
}}}
It looks like the MikroTik server refuses to talk to us somehow. I have
also tried to connect to it as documented in tor-passwords, to no avail:
{{{
Authenticated to kvm4.torproject.org ([2a01:4f8:10b:239f::2]:22).
debug1: channel_connect_stdio_fwd mikrotik.sbg.torproject.org:22
debug1: channel 0: new [stdio-forward]
debug1: getpeername failed: Bad file descriptor
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
channel 0: open failed: connect failed: Connection timed out
stdio forwarding failed
ssh_exchange_identification: Connection closed by remote host
"ssh -v4 -J kvm4.torproject.org admin@mikrotik.sbg.torproject.org" took 2 mins 12 secs
}}}
So it seems I have a part of the configuration missing, namely the
MikroTik server bits, and I don't seem to have the access to perform that.
Reassigning to weasel so he can hold my hand for that last step. :)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29822#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
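Added example, not code from the ticket or from the TSA puppet configuration: a small Python checker that parses a strongSwan `conn` section in the `key = value` layout posted above and sanity-checks the traffic selectors (CIDR validity, `left` covered by `leftsubnet`, no left/right overlap). The sample text is the ticket's own block; note the checker cannot know that `172.30.142.0/24` was made up, so that block passes all three checks.

```python
import ipaddress

# Constructed sample: the conn section posted in the ticket, kept verbatim.
SAMPLE_CONF = """\
conn hetzner-nbg1-01.torproject.org-mikrotik.sbg.torproject.org
ike = aes128-sha256-modp3072
#type = tunnel
left = 195.201.139.202
leftsubnet = 195.201.139.202/32, 172.30.142.0/24
right = 141.201.12.27
rightallowany = yes
rightid = mikrotik.sbg.torproject.org
rightsubnet = 172.30.115.0/24
auto = route
forceencaps = yes
dpdaction = hold
"""

def parse_conn(text):
    """Parse one ipsec.conf 'conn' section into (name, {key: value})."""
    name, opts = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("conn "):
            name = line.split(None, 1)[1]
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip()
    return name, opts

def check_selectors(opts):
    """Return a list of findings about the left/right traffic selectors."""
    def nets(key):
        # strict=True rejects prefixes with host bits set (e.g. 10.0.0.1/24)
        return [ipaddress.ip_network(s.strip(), strict=True)
                for s in opts.get(key, "").split(",") if s.strip()]
    try:
        lnets, rnets = nets("leftsubnet"), nets("rightsubnet")
    except ValueError as exc:
        return [f"unparseable subnet: {exc}"]
    findings = []
    left = ipaddress.ip_address(opts["left"])
    if not any(left in n for n in lnets):
        findings.append(f"left {left} not covered by any leftsubnet")
    findings += [f"leftsubnet {l} overlaps rightsubnet {r}"
                 for l in lnets for r in rnets if l.overlaps(r)]
    return findings
```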