
RE: [Openvpn-users] Road Warrior can't see other machine on the server side.


  • Subject: RE: [Openvpn-users] Road Warrior can't see other machine on the server side.
  • From: "Craig T. Manske" <craig.manske@xxxxxxxxxxxxxx>
  • Date: Fri, 30 Sep 2005 12:53:29 -0500

I solved the problem.  It was nice of Microsoft to tell us that we HAD to reboot the server after we set IPEnableRouter = 1 in the registry in the KB Article for enabling IP Forwarding.
 
It would also be nice if you guys would change the documentation under the FAQ for "How do I enable IP Forwarding?" to be "On Windows 2000/2003/XP, see this KB article (Don't forget to reboot your server)."
 
thanks guys
 
-Craig


From: openvpn-users-admin@xxxxxxxxxxxxxxxxxxxxx [mailto:openvpn-users-admin@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Craig T. Manske
Sent: Thursday, September 29, 2005 6:41 PM
To: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
Subject: [Openvpn-users] Road Warrior can't see other machine on the server side.

Before anyone goes off on the 192.0.2.x subnet I use, it's been in this place forever and would be hell to fix.
 
Anyway.
 
I have a Windows 2003 server (192.0.2.4) running OpenVPN 2.0 sitting behind a Linux NAT (192.0.2.1, also the default gateway for this network).  I have a Windows XP SP2 box (192.168.1.101) sitting behind a Cable router.  OpenVPN is working perfectly between the Windows 2003 box and Windows XP box through my NAT via port forwarding of the UDP packets. 
 
Here's a picture
 
Windows 2003 server
Private IP:  192.0.2.4
OpenVPN IP: 192.168.3.1
|
|
Linux NAT/Firewall
Default Gateway
Private IP: 192.0.2.1
|
|
{Internet}
|
|
Cable Router
Private IP: 192.168.1.1
|
|
Windows XP SP2
Private IP: 192.168.1.101
OpenVPN IP: 192.168.3.2
 
I have IP Forwarding turned on at both the Linux machine (192.0.2.1) and the OpenVPN server (192.0.2.4).  
 
Here are the routing tables
 
Windows 2003 Open VPN Server
------------------------------------------------
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        192.0.2.1        192.0.2.4     10
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
        192.0.2.0    255.255.255.0        192.0.2.4        192.0.2.4     10
        192.0.2.4  255.255.255.255        127.0.0.1        127.0.0.1     10
      192.0.2.255  255.255.255.255        192.0.2.4        192.0.2.4     10
      192.168.3.0    255.255.255.0      192.168.3.1      192.168.3.1     30
      192.168.3.1  255.255.255.255        127.0.0.1        127.0.0.1     30
    192.168.3.255  255.255.255.255      192.168.3.1      192.168.3.1     30
        224.0.0.0        240.0.0.0        192.0.2.4        192.0.2.4     10
        224.0.0.0        240.0.0.0      192.168.3.1      192.168.3.1     30
  255.255.255.255  255.255.255.255        192.0.2.4        192.0.2.4      1
  255.255.255.255  255.255.255.255      192.168.3.1      192.168.3.1      1
Default Gateway:         192.0.2.1
 
Linux Default Gateway
--------------------------------
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.3.0     192.0.2.4       255.255.255.0   UG    1      0        0 eth0
216.47.252.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     192.0.2.4       255.255.255.0   UG    1      0        0 eth0
192.0.2.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
0.0.0.0         216.47.252.1    0.0.0.0         UG    0      0        0 eth1
 
Windows XP OpenVPN client
-------------------------------------------
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.101   10
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1   1
        192.0.2.0    255.255.255.0      192.168.3.1     192.168.3.2   1
      192.168.1.0    255.255.255.0    192.168.1.101   192.168.1.101   10
    192.168.1.101  255.255.255.255        127.0.0.1       127.0.0.1   10
    192.168.1.255  255.255.255.255    192.168.1.101   192.168.1.101   10
      192.168.3.0    255.255.255.0      192.168.3.2     192.168.3.2   30
      192.168.3.2  255.255.255.255        127.0.0.1       127.0.0.1   30
    192.168.3.255  255.255.255.255      192.168.3.2     192.168.3.2   30
        224.0.0.0        240.0.0.0    192.168.1.101   192.168.1.101   10
        224.0.0.0        240.0.0.0      192.168.3.2     192.168.3.2   30
  255.255.255.255  255.255.255.255    192.168.1.101   192.168.1.101   1
  255.255.255.255  255.255.255.255      192.168.3.2     192.168.3.2   1
Default Gateway:       192.168.1.1
 
I used tcpdump and windump to watch the ICMP packets when pinging 192.0.2.1 from my Windows XP machine and here is what I saw.
 
Windump on Server 2003 openvpn box.
--------------------------------------------------------
18:36:33.004880 IP (tos 0x0, ttl 128, id 24074, offset 0, flags [none], proto: ICMP (1), length: 60) FRANK > 192.0.2.1: ICMP echo request, id 768, seq 22784, length 40
18:36:38.327714 IP (tos 0x0, ttl 128, id 24089, offset 0, flags [none], proto: ICMP (1), length: 60) FRANK > 192.0.2.1: ICMP echo request, id 768, seq 23040, length 40
18:36:43.827488 IP (tos 0x0, ttl 128, id 24096, offset 0, flags [none], proto: ICMP (1), length: 60) FRANK > 192.0.2.1: ICMP echo request, id 768, seq 23296, length 40
18:36:49.338261 IP (tos 0x0, ttl 128, id 24099, offset 0, flags [none], proto: ICMP (1), length: 60) FRANK > 192.0.2.1: ICMP echo request, id 768, seq 23552, length 40
 
tcpdump on the Linux box (192.0.2.1)
------------------------------------------------------
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
17:33:56.674255 IP (tos 0xc0, ttl  64, id 41994, offset 0, flags [none], proto 1, length: 106) 192.0.2.1 > 192.168.3.1: icmp 86: 192.0.2.1 udp port netbios-ns unreachable
17:33:56.708866 IP (tos 0xc0, ttl  64, id 57930, offset 0, flags [none], proto 1, length: 106) 192.0.2.1 > dantooine.stanek.domain: icmp 86: 192.0.2.1 udp port netbios-ns unreachable
17:33:58.171497 IP (tos 0xc0, ttl  64, id 41995, offset 0, flags [none], proto 1, length: 106) 192.0.2.1 > 192.168.3.1: icmp 86: 192.0.2.1 udp port netbios-ns unreachable
17:33:58.171512 IP (tos 0xc0, ttl  64, id 57931, offset 0, flags [none], proto 1, length: 106) 192.0.2.1 > dantooine.stanek.domain: icmp 86: 192.0.2.1 udp port netbios-ns unreachable
17:33:59.671152 IP (tos 0xc0, ttl  64, id 41996, offset 0, flags [none], proto 1, length: 106) 192.0.2.1 > 192.168.3.1: icmp 86: 192.0.2.1 udp port netbios-ns unreachable
17:33:59.671169 IP (tos 0xc0, ttl  64, id 57932, offset 0, flags [none], proto 1, length: 106) 192.0.2.1 > dantooine.stanek.domain: icmp 86: 192.0.2.1 udp port netbios-ns unreachable
 
 
It seems that the ICMP packets are reaching the Linux box, but once they get there I am seeing this udp port unreachable stuff.  Remember, IP Forwarding is turned on at both the Windows 2003 OpenVPN server and the Linux box.
 
Can someone see where my routing is messed up and/or why the packets are not returning?
 
Thanks
 
--
Craig Manske <craig.manske@xxxxxxxxxxxxxx>
Senior IS Manager
Stanek Tool Corporation <www.stanektool.com>
New Berlin, WI
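
Added example (not part of the original post or of OpenVPN): a Python trace that replays the ping from 192.168.3.2 to 192.0.2.1 over the unicast routes listed in the three tables above, with a per-host flag for whether the running IP stack forwards. The host names are made up for the sketch, and the cable router and the Internet side of the Linux box are not modelled.

```python
import ipaddress

# Unicast routes copied from the three tables in the post (loopback, broadcast
# and multicast rows omitted). Gateway None means the network is on-link.
# Host names are labels made up for this sketch.
HOSTS = {
    "xp-client": {"addrs": {"192.168.1.101", "192.168.3.2"}, "routes": [
        ("0.0.0.0/0", "192.168.1.1"), ("192.0.2.0/24", "192.168.3.1"),
        ("192.168.1.0/24", None), ("192.168.3.0/24", None)]},
    "w2003-server": {"addrs": {"192.0.2.4", "192.168.3.1"}, "routes": [
        ("0.0.0.0/0", "192.0.2.1"), ("192.0.2.0/24", None),
        ("192.168.3.0/24", None)]},
    "linux-gw": {"addrs": {"192.0.2.1"}, "routes": [
        ("0.0.0.0/0", "216.47.252.1"), ("192.0.2.0/24", None),
        ("192.168.3.0/24", "192.0.2.4"), ("192.168.1.0/24", "192.0.2.4")]},
}

# Effective forwarding state of each running IP stack. Before the reboot the
# registry already holds IPEnableRouter = 1, but the server does not forward yet.
BEFORE_REBOOT = {"xp-client": False, "w2003-server": False, "linux-gw": True}
AFTER_REBOOT = {**BEFORE_REBOOT, "w2003-server": True}

def owner(ip):
    """Name of the modelled host that holds this address, or None."""
    return next((h for h, c in HOSTS.items() if ip in c["addrs"]), None)

def trace(src, dst, forwarding):
    """Follow one packet hop by hop; return (delivered, hosts visited)."""
    host, path = owner(src), []
    for _ in range(8):  # hop limit guards against routing loops
        path.append(host)
        if dst in HOSTS[host]["addrs"]:
            return True, path
        if host != owner(src) and not forwarding[host]:
            return False, path  # transit host that does not forward: dropped
        # Longest-prefix match over this host's table.
        nets = [(ipaddress.ip_network(n), gw) for n, gw in HOSTS[host]["routes"]]
        _, gw = max((m for m in nets if ipaddress.ip_address(dst) in m[0]),
                    key=lambda m: m[0].prefixlen)
        host = owner(gw or dst)
        if host is None:
            return False, path  # next hop is outside the modelled hosts
    return False, path

if __name__ == "__main__":
    for label, state in (("before reboot", BEFORE_REBOOT), ("after reboot", AFTER_REBOOT)):
        print(label, trace("192.168.3.2", "192.0.2.1", state),
              trace("192.0.2.1", "192.168.3.2", state))
```

With the pre-reboot state the request stops at the server, which matches the captures in the post: windump on the server shows the echo requests, while the tcpdump output from the Linux box shows none.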
 
