On 3/2/06, Khemera Lin <lin.kh@xxxxxxxxxxxx> wrote:
>
> Dear All,
>
> First, let me apologize as it may not be a right topic to ask here. I hope,
> some of you have come across and solved the same problem already.
>
> I've been having problem with OpenVPN server on my Fedora Core 4 box and
> client on my XP box. I could connect from the client to the server but could
> not ping.
>
> My connection diagram looks like this:
>
> Client1<--->Mikrotik(with NAT)<--->FC4(OpenVPN Server)<--->Cisco7206<--->Client2
>                                          |
>                                       Client3
>
> If I tried to connect from Client3 (without passing through the Router or
> Mikrotik NAT), it is fine; they can ping each other. However, when I try to
> connect from Client1 (through Mikrotik 2.9 with NAT) or Client2 (from
> outside through my border Router with IOS 12.0), they cannot ping each
> other.
>
More specifics required.
1. Are you trying to ping the ethernet IP address or the tunnel IP address?
If you are trying to ping the ethernet IP address then Client3, most
likely, isn't using the VPN, just the local LAN. This would indicate a
routing issue.
2. What do you see with traceroute/tracert?
3. Are you using IP addresses or host names?
Hint: Use IP to establish connectivity availability and then work on
name resolution issues.
4. Are clients 1, 2 & 3 the same box? Are they using the same exact
configuration (copied between the systems)?
>
> For Client1, I'm quite sure, it is the problem of Mikrotik firewall/NAT
> rules. For Client2, it may be the Router access-list policy. I'm desperate
> in how to resolve this after searching through the Web for a while, esp. the
> OpenVPN web site. I hope, some of you have had the same experience and would
> help me out.
>
Some NAT devices have problems with UDP and you may have to move to
TCP. Without the cisco configuration we can only speculate. Cisco ACLs
are "top down" and one line may mask another line.
>
> Here is my server config (on FC4):
>
> ---
> port 1194
> proto udp
> dev tun
> server 192.168.99.0 255.255.255.0
> ifconfig 192.168.99.1 255.255.255.0
> #ifconfig-pool-persist ipp.txt
> mode server
> ca /etc/openvpn/easy-rsa/keys/ca.crt
> cert /etc/openvpn/easy-rsa/keys/vpnserver.crt
> key /etc/openvpn/easy-rsa/keys/vpnserver.key # This file should be kept secret
> dh /etc/openvpn/easy-rsa/keys/dh1024.pem
> #duplicate-cn
> #client-config-dir /etc/openvpn/ccd
> push "route 202.79.24.64 255.255.255.192"
> push "route 202.79.24.128 255.255.255.192"
> user nobody
> group nobody
> keepalive 10 120
> comp-lzo
> persist-key
> persist-tun
> log-append /etc/openvpn/openvpn.log
> status /etc/openvpn/openvpn-status.log
> verb 3
> ---
>
> Here is a client config (on Windows XP):
>
> ---
> client
> dev tun
> proto udp
> remote 202.79.24.151 1194
> resolv-retry infinite
> nobind
> persist-key
> persist-tun
> ca ca.crt
> cert client1.crt
> key client1.key
> comp-lzo
> verb 3
> ---
>
> Here is the log on server when a client connects:
>
> ---
> Fri Mar 3 10:28:49 2006 OpenVPN 2.0.5 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Nov 4 2005
> Fri Mar 3 10:28:49 2006 Diffie-Hellman initialized with 1024 bit key
> Fri Mar 3 10:28:49 2006 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
> Fri Mar 3 10:28:49 2006 TUN/TAP device tun0 opened
> Fri Mar 3 10:28:49 2006 /sbin/ip link set dev tun0 up mtu 1500
> Fri Mar 3 10:28:49 2006 /sbin/ip addr add dev tun0 local 192.168.99.1 peer 192.168.99.2
> Fri Mar 3 10:28:50 2006 /sbin/ip route add 192.168.99.0/24 via 192.168.99.2
> Fri Mar 3 10:28:50 2006 Data Channel MTU parms [ L:1542 D:1400 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
> Fri Mar 3 10:28:50 2006 GID set to nobody
> Fri Mar 3 10:28:50 2006 UID set to nobody
> Fri Mar 3 10:28:50 2006 UDPv4 link local (bound): [undef]:1194
> Fri Mar 3 10:28:50 2006 UDPv4 link remote: [undef]
> Fri Mar 3 10:28:50 2006 MULTI: multi_init called, r=256 v=256
> Fri Mar 3 10:28:50 2006 IFCONFIG POOL: base=192.168.99.4 size=62
> Fri Mar 3 10:28:50 2006 Initialization Sequence Completed
> Fri Mar 3 10:29:08 2006 MULTI: multi_create_instance called
> Fri Mar 3 10:29:08 2006 202.79.24.158:1566 Re-using SSL/TLS context
> Fri Mar 3 10:29:08 2006 202.79.24.158:1566 LZO compression initialized
> Fri Mar 3 10:29:08 2006 202.79.24.158:1566 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
> Fri Mar 3 10:29:08 2006 202.79.24.158:1566 Data Channel MTU parms [ L:1542 D:1400 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
> Fri Mar 3 10:29:08 2006 202.79.24.158:1566 Local Options hash (VER=V4): '530fdded'
> Fri Mar 3 10:29:08 2006 202.79.24.158:1566 Expected Remote Options hash (VER=V4): '41690919'
> Fri Mar 3 10:29:08 2006 202.79.24.158:1566 TLS: Initial packet from 202.79.24.158:1566, sid=e379c074 060c9d72
> Fri Mar 3 10:29:08 2006 202.79.24.158:1566 VERIFY OK: depth=1, /C=KH/ST=KD/L=PP/O=WICAM.NET/OU=Base/CN=vpnserver/emailAddress=vidol@xxxxxxxxxxxx
> Fri Mar 3 10:29:08 2006 202.79.24.158:1566 VERIFY OK: depth=0, /C=KH/ST=KD/O=WICAM.NET/OU=Base/CN=vidol/emailAddress=vidol@xxxxxxxxxxxx
> Fri Mar 3 10:29:08 2006 202.79.24.158:1566 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
> Fri Mar 3 10:29:08 2006 202.79.24.158:1566 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> Fri Mar 3 10:29:08 2006 202.79.24.158:1566 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
> Fri Mar 3 10:29:08 2006 202.79.24.158:1566 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> Fri Mar 3 10:29:08 2006 202.79.24.158:1566 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
> Fri Mar 3 10:29:08 2006 202.79.24.158:1566 [vidol] Peer Connection Initiated with 202.79.24.158:1566
> Fri Mar 3 10:29:08 2006 vidol/202.79.24.158:1566 MULTI: Learn: 192.168.99.6 -> vidol/202.79.24.158:1566
> Fri Mar 3 10:29:08 2006 vidol/202.79.24.158:1566 MULTI: primary virtual IP for vidol/202.79.24.158:1566: 192.168.99.6
> Fri Mar 3 10:29:09 2006 vidol/202.79.24.158:1566 PUSH: Received control message: 'PUSH_REQUEST'
> Fri Mar 3 10:29:09 2006 vidol/202.79.24.158:1566 SENT CONTROL [vidol]: 'PUSH_REPLY,route 202.79.24.64 255.255.255.192,route 202.79.24.128 255.255.255.192,route 192.168.99.1,ping 10,ping-restart 120,ifconfig 192.168.99.6 192.168.99.5' (status=1)
> ---
>
> Thank you,
>
> Khem
--
Leonard Isham, CISSP
Ostendo non ostento.
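The first question in the reply (are you pinging the tunnel address or the ethernet address, i.e. does the target even route into the VPN) can be checked mechanically against the configs and log quoted above. The Python below is an added example, not code from the thread or from the OpenVPN project. It takes the `server`, `push "route ..."` and `remote` directives and the `MULTI: Learn` line from the quoted messages, classifies a few ping targets, and also checks whether any pushed route contains the client's `remote` endpoint, a general sanity check added here rather than a conclusion the thread reaches. The target addresses 202.79.24.70 and 192.168.1.10 are constructed; everything else comes from the quoted text.

```python
"""Classify ping targets against the OpenVPN server config and log quoted above.

Added example, not code from the thread. It mechanises the first question in
the reply: is the pinged address the tunnel address, something covered by a
pushed route, or neither (then the packet never enters the VPN and the fault
is local routing)? It also reads 'MULTI: Learn' log lines to show the virtual
IP each client received, and flags a pushed route that contains the server
endpoint the client tunnels to."""
import ipaddress
import re

# Routing-relevant directives copied from the quoted configs.
SERVER_CONF = """
dev tun
server 192.168.99.0 255.255.255.0
push "route 202.79.24.64 255.255.255.192"
push "route 202.79.24.128 255.255.255.192"
"""
CLIENT_CONF = """
client
dev tun
remote 202.79.24.151 1194
"""
# Two lines from the quoted server log.
SERVER_LOG = """
Fri Mar 3 10:29:08 2006 vidol/202.79.24.158:1566 MULTI: Learn: 192.168.99.6 -> vidol/202.79.24.158:1566
Fri Mar 3 10:29:08 2006 vidol/202.79.24.158:1566 MULTI: primary virtual IP for vidol/202.79.24.158:1566: 192.168.99.6
"""
LEARN_RE = re.compile(r"MULTI: Learn: (\S+) -> ([^/\s]+)/([\d.]+):(\d+)")


def parse_conf(text):
    """Map each directive to the argument lists it appears with ('#' comments dropped)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            conf.setdefault(name, []).append(args)
    return conf


def tunnel_subnet(conf):
    """'server NET MASK' names the whole tun address pool."""
    net, mask = conf["server"][0]
    return ipaddress.ip_network(f"{net}/{mask}", strict=False)


def pushed_routes(conf):
    """Networks from 'push "route NET MASK"' directives."""
    routes = []
    for args in conf.get("push", []):
        inner = " ".join(args).strip('"').split()   # drop the surrounding quotes
        if len(inner) >= 3 and inner[0] == "route":
            routes.append(ipaddress.ip_network(f"{inner[1]}/{inner[2]}", strict=False))
    return routes


def classify_target(target, tunnel, routes):
    """'tunnel', 'pushed-route' or 'not-via-vpn' for one destination address."""
    ip = ipaddress.ip_address(target)
    if ip in tunnel:
        return "tunnel"
    if any(ip in r for r in routes):
        return "pushed-route"
    return "not-via-vpn"


def routes_covering_endpoint(client_conf, routes):
    """Pushed routes that contain the client's 'remote'; such a route would
    steer the client's own encapsulated UDP packets into the tunnel."""
    remote = ipaddress.ip_address(client_conf["remote"][0][0])
    return [str(r) for r in routes if remote in r]


def learned_clients(log):
    """virtual IP -> (common name, real address) from 'MULTI: Learn' lines."""
    return {vip: (cn, real) for vip, cn, real, _port in LEARN_RE.findall(log)}


def report(targets):
    """Run every check and return the findings as a dict."""
    srv, cli = parse_conf(SERVER_CONF), parse_conf(CLIENT_CONF)
    tunnel, routes = tunnel_subnet(srv), pushed_routes(srv)
    return {
        "tunnel": str(tunnel),
        "routes": [str(r) for r in routes],
        "clients": learned_clients(SERVER_LOG),
        "targets": {t: classify_target(t, tunnel, routes) for t in targets},
        "endpoint_in_pushed_route": routes_covering_endpoint(cli, routes),
    }


if __name__ == "__main__":
    # 192.168.99.1 is the server tunnel address from the log; the other two
    # targets are constructed: one inside a pushed /26, one on an unrelated LAN.
    for key, value in report(["192.168.99.1", "202.79.24.70", "192.168.1.10"]).items():
        print(f"{key}: {value}")
```

On the quoted values the endpoint check does fire: 202.79.24.151 lies inside the pushed 202.79.24.128/26. Whether that matters on the poster's network depends on how the client's own LAN route and the pushed route compete in the Windows routing table, so it is something to confirm with tracert (the reply's second question), not an answer by itself.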
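The remark that Cisco ACLs are evaluated top down, so one line can mask another, is easiest to see by simulating first-match evaluation over an ordered list and then searching for entries that can never be reached. The Python below is an added example, not from the thread and not Cisco's ACL engine: its entries are constructed (reusing the server address and UDP port from the thread only as familiar values, not as the poster's router config), and the five-tuple model is a deliberate simplification of `ip access-list extended` syntax.

```python
"""First-match evaluation and shadowed-entry detection for an ordered ACL.

Added example, not from the thread. Entries are a simplified five-tuple model
of IOS extended ACL lines: (action, protocol, source net, destination net,
destination port), where "any" is a wildcard. The ACL itself is constructed
to show how an earlier entry masks a later one."""
import ipaddress

ANY = "any"


def net(text):
    """Parse 'a.b.c.d/len' or pass the 'any' wildcard through."""
    return ANY if text == ANY else ipaddress.ip_network(text, strict=False)


# Constructed ACL. Entry 1 denies all UDP into the /26 and therefore masks
# entry 2, which was meant to let OpenVPN (UDP/1194) reach one host in it.
ACL = [
    ("permit", "tcp", net(ANY), net("202.79.24.128/26"), ANY),
    ("deny",   "udp", net(ANY), net("202.79.24.128/26"), ANY),
    ("permit", "udp", net(ANY), net("202.79.24.151/32"), 1194),
    ("deny",   ANY,   net(ANY), net(ANY),                ANY),
]
# Same entries with the specific permit moved above the broad deny.
FIXED_ACL = [ACL[2], ACL[0], ACL[1], ACL[3]]


def _scalar_matches(rule_val, pkt_val):
    return rule_val == ANY or rule_val == pkt_val


def _net_matches(rule_net, ip):
    return rule_net == ANY or ip in rule_net


def evaluate(acl, proto, src, dst, dport):
    """Return (index, action) of the first entry that matches, as IOS would;
    (None, 'implicit-deny') if nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, rproto, rsrc, rdst, rport) in enumerate(acl):
        if (_scalar_matches(rproto, proto) and _net_matches(rsrc, s)
                and _net_matches(rdst, d) and _scalar_matches(rport, dport)):
            return i, action
    return None, "implicit-deny"


def _scalar_covers(wide, narrow):
    return wide == ANY or wide == narrow


def _net_covers(wide, narrow):
    if wide == ANY:
        return True
    if narrow == ANY:
        return False
    return narrow.subnet_of(wide)


def shadowed_entries(acl):
    """List (j, i) pairs where entry j can never match because the earlier
    entry i matches a superset of its traffic, whatever the two actions are."""
    found = []
    for j, (_, proto, src, dst, port) in enumerate(acl):
        for i in range(j):
            _, p2, s2, d2, pt2 = acl[i]
            if (_scalar_covers(p2, proto) and _net_covers(s2, src)
                    and _net_covers(d2, dst) and _scalar_covers(pt2, port)):
                found.append((j, i))
                break
    return found


if __name__ == "__main__":
    flow = ("udp", "202.79.24.158", "202.79.24.151", 1194)   # constructed test flow
    print("original:", evaluate(ACL, *flow), "shadowed:", shadowed_entries(ACL))
    print("reordered:", evaluate(FIXED_ACL, *flow), "shadowed:", shadowed_entries(FIXED_ACL))
```

The shadow check deliberately ignores the actions: a permit hidden behind a permit is harmless today but becomes a silent hole or a silent block the moment someone edits the earlier line, which is why reviewing an ACL for unreachable entries is worth doing even when the traffic currently flows.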
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users