Control: fixed -1 2.4.3-4

On 18.07.2017 at 10:44, Patrick Matthäi wrote:

Hi,

thanks for the logs!

>>>>> we have got the same issue with all our VPNs upgraded to Stretch now.
>>>>> Most VPNs are connected about a 1 GBit/s datacenter connection with each
>>>>> other (also same LAN), the other ones are connected about a 100 MBit/s
>>>>> connection.
>>>>
>>> I also uploaded the current testing version to stretch-bpo and deployed
>>> it on one host, to see if there is a difference later
>> Ah, I was already wondering who did.
>>
>>
> 
> Today I updated our Sophos UTM, which is one OpenVPN server, where are
> here multiple vpn clients are connected with. While updating the UTM,
> there are 2 reboots of the devices, so the client needs a reconnect.
> 
> The client with version openvpn_2.4.3-4~bpo9+1 still works, all
> 2.4.0-6+deb9u1 are dead. Also the VPN endpoint is not reachable on the
> dead nodes.
> Please note, that I replaced many IPs and hostnames with other stuff.

Thanks, so 2.4.0 is affected and 2.4.3-4 is not anymore. I have adjusted
the fixed version accordingly.

I have cleaned up your logs from working and notworking1 to get
something I can feed to diff, see attached.

There is one remarkable difference. When the working client reconnects
it logs

 Preserving previous TUN/TAP instance: tun0
+NOTE: Pulled options changed on restart, will need to close and reopen
TUN/TAP device.
+/sbin/ip route del EXT.IP.FROM.VPN/32
+/sbin/ip route del INT.BEHIND.VPN2.0/24
+/sbin/ip route del INT.BEHIND.VPN1.0/24
+Closing TUN/TAP interface
+/sbin/ip addr del dev tun0 10.200.13.2/24
+ROUTE_GATEWAY TWO.NETWORK.2.1/255.255.255.0 IFACE=eth0
HWADDR=00:0c:29:cd:45:cc
+TUN/TAP device tun0 opened
+TUN/TAP TX queue length set to 100
+do_ifconfig, tt->did_ifconfig_ipv6_setup=0
+/sbin/ip link set dev tun0 up mtu 1500
+/sbin/ip addr add dev tun0 10.200.13.4/24 broadcast 10.200.13.255
+/sbin/ip route add EXT.IP.FROM.VPN/32 via TWO.NETWORK.2.1
+/sbin/ip route add INT.BEHIND.VPN2.0/24 via 10.200.13.1
+/sbin/ip route add INT.BEHIND.VPN1.0/24 via 10.200.13.1
 Initialization Sequence Completed

The notworking version does nothing like this. This smells like a bug.

What I don't understand is that you claim the VPN endpoint is not
reachable on the dead nodes (the outer IP I presume). Both nodes still
have a hostroute towards the VPN gateway in their routing table

root@login:~# ip r
default via TWO.NETWORK.2.1 dev eth0 onlink
EXT.IP.FROM.VPN via TWO.NETWORK.2.1 dev eth0

root@notworking1:~# ip r
default via ONE.NETWORK.1.1 dev eth0 onlink
EXT.IP.FROM.VPN via ONE.NETWORK.1.1 dev eth0

and you can see in the log that notworking1 actually has reconnected
just fine, so the outer communication seems to be working.

Restart pause, 5 second(s)
TCP/UDP: Preserving recently used remote address:
[AF_INET]EXT.IP.FROM.VPN:1197
Socket Buffers: R=[212992->212992] S=[212992->212992]
UDP link local: (not bound)
UDP link remote: [AF_INET]EXT.IP.FROM.VPN:1197
TLS: Initial packet from [AF_INET]EXT.IP.FROM.VPN:1197, sid=05d4dc5d
c20155bd
VERIFY OK: depth=1, C=de, L=Paderborn, O=company Internet GmbH,
CN=company Internet GmbH VPN CA, emailAddress=tech...@company.de
VERIFY X509NAME OK: C=de, ST=Nordrhein-Westfalen, L=Paderborn, O=company
Internet GmbH, OU=Technik, CN=address.of.utm.de,
emailAddress=tech...@company.de
VERIFY OK: depth=0, C=de, ST=Nordrhein-Westfalen, L=Paderborn, O=company
Internet GmbH, OU=Technik, CN=address.of.utm.de,
emailAddress=tech...@company.de
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384,
4096 bit RSA
[address.of.utm.de] Peer Connection Initiated with
[AF_INET]EXT.IP.FROM.VPN:1197

so it's not the dreaded routing "loop".

I've browsed through the git commits between 2.4.0 and 2.4.3, these
might be relevant here

https://community.openvpn.net/openvpn/ticket/812
https://community.openvpn.net/openvpn/ticket/887

Are you able to build a version with these patches applied yourself?

Bernhard
[address.of.utm.de] Inactivity timeout (--ping-restart), restarting
SIGUSR1[soft,ping-restart] received, process restarting
Restart pause, 5 second(s)
TCP/UDP: Preserving recently used remote address: [AF_INET]EXT.IP.FROM.VPN:1197
Socket Buffers: R=[212992->212992] S=[212992->212992]
UDP link local: (not bound)
UDP link remote: [AF_INET]EXT.IP.FROM.VPN:1197
TLS: Initial packet from [AF_INET]EXT.IP.FROM.VPN:1197, sid=4030f3bf 8b41b71f
VERIFY OK: depth=1, C=de, L=Paderborn, O=company Internet GmbH, CN=company 
Internet GmbH VPN CA, emailAddress=tech...@company.de
VERIFY X509NAME OK: C=de, ST=Nordrhein-Westfalen, L=Paderborn, O=company 
Internet GmbH, OU=Technik, CN=address.of.utm.de, emailAddress=tech...@company.de
VERIFY OK: depth=0, C=de, ST=Nordrhein-Westfalen, L=Paderborn, O=company 
Internet GmbH, OU=Technik, CN=address.of.utm.de, emailAddress=tech...@company.de
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 
bit RSA
[address.of.utm.de] Peer Connection Initiated with [AF_INET]EXT.IP.FROM.VPN:1197
SENT CONTROL [address.of.utm.de]: 'PUSH_REQUEST' (status=1)
PUSH: Received control message: 'PUSH_REPLY,route-gateway 
10.200.13.1,route-gateway 10.200.13.1,topology subnet,ping 10,ping-restart 
120,route INT.BEHIND.VPN2.0 255.255.255.0,route INT.BEHIND.VPN1.0 
255.255.255.0,dhcp-option DNS INT.BEHIND.VPN1.210,dhcp-option DNS 
INT.BEHIND.VPN2.250,dhcp-option DOMAIN domäne.intern,ifconfig 10.200.13.4 
255.255.255.0'
OPTIONS IMPORT: timers and/or timeouts modified
OPTIONS IMPORT: --ifconfig/up options modified
OPTIONS IMPORT: route options modified
OPTIONS IMPORT: route-related options modified
OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC 
authentication
Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC 
authentication
Preserving previous TUN/TAP instance: tun0
NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP 
device.
/sbin/ip route del EXT.IP.FROM.VPN/32
/sbin/ip route del INT.BEHIND.VPN2.0/24
/sbin/ip route del INT.BEHIND.VPN1.0/24
Closing TUN/TAP interface
/sbin/ip addr del dev tun0 10.200.13.2/24
ROUTE_GATEWAY TWO.NETWORK.2.1/255.255.255.0 IFACE=eth0 HWADDR=00:0c:29:cd:45:cc
TUN/TAP device tun0 opened
TUN/TAP TX queue length set to 100
do_ifconfig, tt->did_ifconfig_ipv6_setup=0
/sbin/ip link set dev tun0 up mtu 1500
/sbin/ip addr add dev tun0 10.200.13.4/24 broadcast 10.200.13.255
/sbin/ip route add EXT.IP.FROM.VPN/32 via TWO.NETWORK.2.1
/sbin/ip route add INT.BEHIND.VPN2.0/24 via 10.200.13.1
/sbin/ip route add INT.BEHIND.VPN1.0/24 via 10.200.13.1
Initialization Sequence Completed
[address.of.utm.de] Inactivity timeout (--ping-restart), restarting
SIGUSR1[soft,ping-restart] received, process restarting
Restart pause, 5 second(s)
TCP/UDP: Preserving recently used remote address: [AF_INET]EXT.IP.FROM.VPN:1197
Socket Buffers: R=[212992->212992] S=[212992->212992]
UDP link local: (not bound)
UDP link remote: [AF_INET]EXT.IP.FROM.VPN:1197
TLS: Initial packet from [AF_INET]EXT.IP.FROM.VPN:1197, sid=2641d8ae 42f32787
VERIFY OK: depth=1, C=de, L=Paderborn, O=company Internet GmbH, CN=company 
Internet GmbH VPN CA, emailAddress=tech...@company.de
VERIFY X509NAME OK: C=de, ST=Nordrhein-Westfalen, L=Paderborn, O=company 
Internet GmbH, OU=Technik, CN=address.of.utm.de, emailAddress=tech...@company.de
VERIFY OK: depth=0, C=de, ST=Nordrhein-Westfalen, L=Paderborn, O=company 
Internet GmbH, OU=Technik, CN=address.of.utm.de, emailAddress=tech...@company.de
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 
bit RSA
[address.of.utm.de] Peer Connection Initiated with [AF_INET]EXT.IP.FROM.VPN:1197
SENT CONTROL [address.of.utm.de]: 'PUSH_REQUEST' (status=1)
SENT CONTROL [address.of.utm.de]: 'PUSH_REQUEST' (status=1)
PUSH: Received control message: 'PUSH_REPLY,route-gateway 
10.200.13.1,route-gateway 10.200.13.1,topology subnet,ping 10,ping-restart 
120,route INT.BEHIND.VPN2.0 255.255.255.0,route INT.BEHIND.VPN1.0 
255.255.255.0,dhcp-option DNS INT.BEHIND.VPN1.210,dhcp-option DNS 
INT.BEHIND.VPN2.250,dhcp-option DOMAIN domäne.intern,ifconfig 10.200.13.5 
255.255.255.0'
OPTIONS IMPORT: timers and/or timeouts modified
OPTIONS IMPORT: --ifconfig/up options modified
OPTIONS IMPORT: route options modified
OPTIONS IMPORT: route-related options modified
OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC 
authentication
Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC 
authentication
Preserving previous TUN/TAP instance: tun0
NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP 
device.
/sbin/ip route del EXT.IP.FROM.VPN/32
/sbin/ip route del INT.BEHIND.VPN2.0/24
/sbin/ip route del INT.BEHIND.VPN1.0/24
Closing TUN/TAP interface
/sbin/ip addr del dev tun0 10.200.13.4/24
ROUTE_GATEWAY TWO.NETWORK.2.1/255.255.255.0 IFACE=eth0 HWADDR=00:0c:29:cd:45:cc
TUN/TAP device tun0 opened
TUN/TAP TX queue length set to 100
do_ifconfig, tt->did_ifconfig_ipv6_setup=0
/sbin/ip link set dev tun0 up mtu 1500
/sbin/ip addr add dev tun0 10.200.13.5/24 broadcast 10.200.13.255
/sbin/ip route add EXT.IP.FROM.VPN/32 via TWO.NETWORK.2.1
/sbin/ip route add INT.BEHIND.VPN2.0/24 via 10.200.13.1
/sbin/ip route add INT.BEHIND.VPN1.0/24 via 10.200.13.1
Initialization Sequence Completed

root@login:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group 
default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group 
default qlen 1000
    link/ether 00:0c:29:cd:45:cc brd ff:ff:ff:ff:ff:ff
    inet TWO.NETWORK.2.102/24 brd TWO.NETWORK.2.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 192.168.127.1/24 brd 192.168.127.255 scope global eth0:1
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fecd:45cc/64 scope link
       valid_lft forever preferred_lft forever
17: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast 
state UNKNOWN group default qlen 100
    link/none
    inet 10.242.2.8/24 brd 10.242.2.255 scope global tun1
       valid_lft forever preferred_lft forever
    inet6 fe80::f390:a02f:783b:7d4e/64 scope link flags 800
       valid_lft forever preferred_lft forever
20: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast 
state UNKNOWN group default qlen 100
    link/none
    inet 10.200.13.5/24 brd 10.200.13.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::85d4:e9c5:d11a:807/64 scope link flags 800
       valid_lft forever preferred_lft forever


root@login:~# ip r
default via TWO.NETWORK.2.1 dev eth0 onlink
10.200.13.0/24 dev tun0 proto kernel scope link src 10.200.13.5
10.242.2.0/24 dev tun1 proto kernel scope link src 10.242.2.8
62.214.68.130 via TWO.NETWORK.2.1 dev eth0
EXT.IP.FROM.VPN via TWO.NETWORK.2.1 dev eth0
172.27.0.11 via 10.242.2.1 dev tun1
172.27.0.131 via 10.242.2.1 dev tun1
172.27.0.133 via 10.242.2.1 dev tun1
172.27.0.134 via 10.242.2.1 dev tun1
192.168.127.0/24 dev eth0 proto kernel scope link src 192.168.127.1
INT.BEHIND.VPN1.0/24 via 10.200.13.1 dev tun0
INT.BEHIND.VPN2.0/24 via 10.200.13.1 dev tun0
TWO.NETWORK.2.0/24 dev eth0 scope link
TWO.NETWORK.2.0/24 dev eth0 proto kernel scope link src TWO.NETWORK.2.102
ONE.NETWORK.1.0/24 dev eth0 scope link
root@login:~# ip l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode 
DEFAULT group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode 
DEFAULT group default qlen 1000
    link/ether 00:0c:29:cd:45:cc brd ff:ff:ff:ff:ff:ff
17: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast 
state UNKNOWN mode DEFAULT group default qlen 100
    link/none
20: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast 
state UNKNOWN mode DEFAULT group default qlen 100
    link/none
VERIFY OK: depth=1, C=de, L=Paderborn, O=company Internet GmbH, CN=company 
Internet GmbH VPN CA, emailAddress=tech...@company.de
VERIFY X509NAME OK: C=de, ST=Nordrhein-Westfalen, L=Paderborn, O=company 
Internet GmbH, OU=Technik, CN=address.of.utm.de, emailAddress=tech...@company.de
VERIFY OK: depth=0, C=de, ST=Nordrhein-Westfalen, L=Paderborn, O=company 
Internet GmbH, OU=Technik, CN=address.of.utm.de, emailAddress=tech...@company.de
Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key 
Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC 
authentication
Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC 
authentication
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 
bit RSA
[address.of.utm.de] Inactivity timeout (--ping-restart), restarting
SIGUSR1[soft,ping-restart] received, process restarting
Restart pause, 5 second(s)
TCP/UDP: Preserving recently used remote address: [AF_INET]EXT.IP.FROM.VPN:1197
Socket Buffers: R=[212992->212992] S=[212992->212992]
UDP link local: (not bound)
UDP link remote: [AF_INET]EXT.IP.FROM.VPN:1197
TLS: Initial packet from [AF_INET]EXT.IP.FROM.VPN:1197, sid=bf60e79c 829c1465
VERIFY OK: depth=1, C=de, L=Paderborn, O=company Internet GmbH, CN=company 
Internet GmbH VPN CA, emailAddress=tech...@company.de
VERIFY X509NAME OK: C=de, ST=Nordrhein-Westfalen, L=Paderborn, O=company 
Internet GmbH, OU=Technik, CN=address.of.utm.de, emailAddress=tech...@company.de
VERIFY OK: depth=0, C=de, ST=Nordrhein-Westfalen, L=Paderborn, O=company 
Internet GmbH, OU=Technik, CN=address.of.utm.de, emailAddress=tech...@company.de
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 
bit RSA
[address.of.utm.de] Peer Connection Initiated with [AF_INET]EXT.IP.FROM.VPN:1197
SENT CONTROL [address.of.utm.de]: 'PUSH_REQUEST' (status=1)
SENT CONTROL [address.of.utm.de]: 'PUSH_REQUEST' (status=1)
PUSH: Received control message: 'PUSH_REPLY,route-gateway 
10.200.13.1,route-gateway 10.200.13.1,topology subnet,ping 10,ping-restart 
120,route INT.BEHIND.VPN1.212 255.255.255.255,dhcp-option DNS 
INT.BEHIND.VPN1.210,dhcp-option DNS INT.BEHIND.VPN2.250,dhcp-option DOMAIN 
domäne.intern,ifconfig 10.200.13.3 255.255.255.0'
OPTIONS IMPORT: timers and/or timeouts modified
OPTIONS IMPORT: --ifconfig/up options modified
OPTIONS IMPORT: route options modified
OPTIONS IMPORT: route-related options modified
OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC 
authentication
Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jul 18 09:32:36 notworking1 ovpn-utm[23466]: Data Channel Decrypt: Using 256 bit 
message hash 'SHA256' for HMAC authentication
Preserving previous TUN/TAP instance: tun0
Initialization Sequence Completed
[address.of.utm.de] Inactivity timeout (--ping-restart), restarting
SIGUSR1[soft,ping-restart] received, process restarting
Restart pause, 5 second(s)
TCP/UDP: Preserving recently used remote address: [AF_INET]EXT.IP.FROM.VPN:1197
Socket Buffers: R=[212992->212992] S=[212992->212992]
UDP link local: (not bound)
UDP link remote: [AF_INET]EXT.IP.FROM.VPN:1197
TLS: Initial packet from [AF_INET]EXT.IP.FROM.VPN:1197, sid=05d4dc5d c20155bd
VERIFY OK: depth=1, C=de, L=Paderborn, O=company Internet GmbH, CN=company 
Internet GmbH VPN CA, emailAddress=tech...@company.de
VERIFY X509NAME OK: C=de, ST=Nordrhein-Westfalen, L=Paderborn, O=company 
Internet GmbH, OU=Technik, CN=address.of.utm.de, emailAddress=tech...@company.de
VERIFY OK: depth=0, C=de, ST=Nordrhein-Westfalen, L=Paderborn, O=company 
Internet GmbH, OU=Technik, CN=address.of.utm.de, emailAddress=tech...@company.de
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 
bit RSA
[address.of.utm.de] Peer Connection Initiated with [AF_INET]EXT.IP.FROM.VPN:1197
SENT CONTROL [address.of.utm.de]: 'PUSH_REQUEST' (status=1)
PUSH: Received control message: 'PUSH_REPLY,route-gateway 
10.200.13.1,route-gateway 10.200.13.1,topology subnet,ping 10,ping-restart 
120,route INT.BEHIND.VPN1.212 255.255.255.255,dhcp-option DNS 
INT.BEHIND.VPN1.210,dhcp-option DNS INT.BEHIND.VPN2.250,dhcp-option DOMAIN 
domäne.intern,ifconfig 10.200.13.4 255.255.255.0'
OPTIONS IMPORT: timers and/or timeouts modified
OPTIONS IMPORT: --ifconfig/up options modified
OPTIONS IMPORT: route options modified
OPTIONS IMPORT: route-related options modified
OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC 
authentication
Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC 
authentication
Preserving previous TUN/TAP instance: tun0
Initialization Sequence Completed


root@notworking1:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group 
default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group 
default qlen 1000
    link/ether 00:0c:29:f2:d5:b8 brd ff:ff:ff:ff:ff:ff
    inet ONE.NETWORK.1.138/24 brd ONE.NETWORK.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fef2:d5b8/64 scope link
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast 
state UNKNOWN group default qlen 100
    link/none
    inet 10.200.13.3/24 brd 10.200.13.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::17e6:9f90:15c0:870c/64 scope link flags 800
       valid_lft forever preferred_lft forever
root@notworking1:~# ip r
default via ONE.NETWORK.1.1 dev eth0 onlink
10.200.13.0/24 dev tun0 proto kernel scope link src 10.200.13.3
EXT.IP.FROM.VPN via ONE.NETWORK.1.1 dev eth0
INT.BEHIND.VPN1.212 via 10.200.13.1 dev tun0
TWO.NETWORK.2.0/24 dev eth0 scope link
ONE.NETWORK.1.0/24 dev eth0 scope link
ONE.NETWORK.1.0/24 dev eth0 proto kernel scope link src ONE.NETWORK.1.138
root@notworking1:~# ip l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode 
DEFAULT group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode 
DEFAULT group default qlen 1000
    link/ether 00:0c:29:f2:d5:b8 brd ff:ff:ff:ff:ff:ff
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast 
state UNKNOWN mode DEFAULT group default qlen 100
    link/none
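
Added example, not part of the original mail or of OpenVPN: the manual log diff above can be automated by splitting a client log into restart cycles and flagging every cycle in which the pushed `ifconfig` address changed but the log shows no TUN/TAP close and reopen. The function names and the sample log are constructed for illustration; the sample follows the shape of the attached logs.

```python
import re

# Constructed sample in the shape of the logs above: cycle 1 reopens the
# device, cycle 2 receives a new address but keeps the old tun0 untouched.
SAMPLE_LOG = """\
SIGUSR1[soft,ping-restart] received, process restarting
PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.200.13.1,topology subnet,ifconfig 10.200.13.3 255.255.255.0'
Preserving previous TUN/TAP instance: tun0
NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
/sbin/ip addr add dev tun0 10.200.13.3/24 broadcast 10.200.13.255
Initialization Sequence Completed
SIGUSR1[soft,ping-restart] received, process restarting
PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.200.13.1,topology subnet,ifconfig 10.200.13.4 255.255.255.0'
Preserving previous TUN/TAP instance: tun0
Initialization Sequence Completed
"""

RESTART = "process restarting"
DONE = "Initialization Sequence Completed"
REOPEN = "Pulled options changed on restart"
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
PUSHED = re.compile(r"PUSH_REPLY[^']*,ifconfig " + IPV4)
ADDR_ADD = re.compile(r"ip addr add dev \S+ " + IPV4 + "/")


def cycles(log_text):
    """Split a log into restart cycles, undoing mail/syslog line wrapping."""
    flat = " ".join(log_text.split())
    return flat.split(RESTART)[1:]  # text before the first restart is ignored


def audit(log_text):
    """Return one record per completed restart cycle.

    'stale' is True when the pushed address differs from the previous
    cycle's but the client neither announced a reopen nor re-added an address.
    """
    results, previous = [], None
    for n, chunk in enumerate(cycles(log_text), start=1):
        pushed = PUSHED.search(chunk)
        if not pushed or DONE not in chunk:
            continue  # no PUSH_REPLY or cycle never completed: nothing to compare
        added = ADDR_ADD.search(chunk)
        reopened = REOPEN in chunk and added is not None
        changed = previous is not None and pushed.group(1) != previous
        results.append({
            "cycle": n,
            "pushed": pushed.group(1),
            "reopened": reopened,
            "configured": added.group(1) if added else None,
            "stale": changed and not reopened,
        })
        previous = pushed.group(1)
    return results


if __name__ == "__main__":
    for record in audit(SAMPLE_LOG):
        print(record)
```

The first cycle of a log has no earlier pushed address to compare against, so it is never flagged; compare it by hand with the `ip a` output for the tunnel device.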
