Title: [Openvpn-users] OpenVPN behind ISA on one end, Monowall on the other
First fix the system clocks.
Bad time can cause TLS problems.
Regards,
David
From: openvpn-users-bounces@xxxxxxxxxxxxxxxxxxxxx on behalf of Paul Wright
Sent: Tue 01-Jan-08 16:19
To: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
Subject: [Openvpn-users] OpenVPN behind ISA on one end, Monowall on the other
I had a successful connection running with OpenVPN using the following topology:
Linux wks (OpenVPN client) ---> Belkin Cable/DSL router ---> {internet} ---> ISA Server -----> Linux server (OpenVPN server) -----> internal network
For a variety of reasons, I swapped out the Belkin router for a Soekris box running Monowall 1.23 and everything is working except the OpenVPN tunnel. I duplicated the Belkin settings as regards NAT as much as was possible but something broke.
The log on the client just shows repeated writes to the correct IP:port for the external interface of the ISA box but no responses. The log on the server shows that it is receiving packets from the client and is responding back on an incrementing port number (e.g. 7148) and the firewall log on the Monowall shows those packets being received and forwarded to the OpenVPN client but the server reports no response (at least I gather that is what the ECONNREFUSED.... error = 111 means). So it seems that perhaps the issue is that the OpenVPN client is not listening on the port being used by the server.
The other piece of this is that the ISA Server has several external addresses bound to it but all outbound NAT traffic exits through the primary interface address so the OpenVPN traffic arrives at the ISA Server on XXX.XXX.74.71 and exits on XXX.XXX.64.46. I don't particularly like this characteristic of ISA Server, but it was working prior to swapping out the router on the client end.
I am using the -float and -nobind switches in the client config and the full configurations are as follows:
[client configuration]
client
dev tun
proto udp
remote server.dyndns.org 4444
float
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/st9573.crt
key /etc/openvpn/keys/st9573.key
ns-cert-type server
tls-auth /etc/openvpn/keys/ta.key 1
cipher AES-256-CBC # AES Federal standard 256
comp-lzo
verb 6
mute 10
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
[server configuration]
port 4444
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/nwfdvpncore.crt
key /etc/openvpn/keys/nwfdvpncore.key
dh /etc/openvpn/keys/dh1024.pem
server 10.129.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/st9573-ipp.txt
push "route 10.0.0.0 255.224.0.0"
push "route 10.32.0.0 255.224.0.0"
push "route 10.64.0.0 255.224.0.0"
push "route 10.96.0.0 255.224.0.0"
push "route 10.160.0.0 255.224.0.0"
push "route 10.224.0.0 255.224.0.0"
push "route 166.89.71.0 255.255.255.0"
push "route 192.168.0.0 255.255.255.0"
push "route 192.168.254.0 255.255.255.0"
client-config-dir ccd
route 192.168.236.0 255.255.255.0
client-to-client
keepalive 10 120
tls-auth /etc/openvpn/keys/ta.key 0
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/status-st9573.log
log-append /var/log/openvpn-st9573.log
verb 6
mute 20
Server-side log:
Mon Dec 31 23:15:28 2007 us=991241 Initialization Sequence Completed
Mon Dec 31 23:15:29 2007 us=723733 MULTI: multi_create_instance called
Mon Dec 31 23:15:29 2007 us=723852 <client IP addr>:7148 Re-using SSL/TLS context
Mon Dec 31 23:15:29 2007 us=723942 <client IP addr>:7148 LZO compression initialized
Mon Dec 31 23:15:29 2007 us=724406 <client IP addr>:7148 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Mon Dec 31 23:15:29 2007 us=724494 <client IP addr>:7148 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Dec 31 23:15:29 2007 us=724636 <client IP addr>:7148 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Mon Dec 31 23:15:29 2007 us=724664 <client IP addr>:7148 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Mon Dec 31 23:15:29 2007 us=724759 <client IP addr>:7148 Local Options hash (VER=V4): '162b04de'
Mon Dec 31 23:15:29 2007 us=724804 <client IP addr>:7148 Expected Remote Options hash (VER=V4): '9e7066d2'
Mon Dec 31 23:15:29 2007 us=724930 <client IP addr>:7148 UDPv4 READ [42] from <client IP addr>:7148: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #11 ] [ ] pid=0 DATA len=0
Mon Dec 31 23:15:29 2007 us=724973 <client IP addr>:7148 TLS: Initial packet from <client IP addr>:7148, sid=251b9262 472963ff
Mon Dec 31 23:15:29 2007 us=725126 <client IP addr>:7148 UDPv4 WRITE [54] to <client IP addr>:7148: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #1 ] [ 0 ] pid=0 DATA len=0
Mon Dec 31 23:15:29 2007 us=804415 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Mon Dec 31 23:15:31 2007 us=983336 <client IP addr>:7148 UDPv4 WRITE [42] to <client IP addr>:7148: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
Mon Dec 31 23:15:32 2007 us=40072 <client IP addr>:7148 UDPv4 READ [42] from <client IP addr>:7148: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #12 ] [ ] pid=0 DATA len=0
Mon Dec 31 23:15:32 2007 us=40318 <client IP addr>:7148 UDPv4 WRITE [50] to <client IP addr>:7148: P_ACK_V1 kid=0 pid=[ #3 ] [ 0 ]
Mon Dec 31 23:15:32 2007 us=44084 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
(The last few lines repeat over and over)
Client side log:
Mon Dec 31 23:17:12 2007 us=547847 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Mon Dec 31 23:17:12 2007 us=547871 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Mon Dec 31 23:17:12 2007 us=547919 Local Options hash (VER=V4): '9e7066d2'
Mon Dec 31 23:17:12 2007 us=547957 Expected Remote Options hash (VER=V4): '162b04de'
Mon Dec 31 23:17:12 2007 us=548001 Socket Buffers: R=[109568->131072] S=[109568->131072]
Mon Dec 31 23:17:12 2007 us=548060 UDPv4 link local: [undef]
Mon Dec 31 23:17:12 2007 us=548089 UDPv4 link remote: <server IP addr>:4444
Mon Dec 31 23:17:12 2007 us=548221 UDPv4 WRITE [42] to <server IP addr>:4444: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
Mon Dec 31 23:17:14 2007 us=744597 UDPv4 WRITE [42] to <server IP addr>:4444: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
Mon Dec 31 23:17:16 2007 us=950284 UDPv4 WRITE [42] to <server IP addr>:4444: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #3 ] [ ] pid=0 DATA len=0
Mon Dec 31 23:17:18 2007 us=48738 UDPv4 WRITE [42] to <server IP addr>:4444: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #4 ] [ ] pid=0 DATA len=0
Mon Dec 31 23:17:20 2007 us=245175 UDPv4 WRITE [42] to <server IP addr>:4444: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #5 ] [ ] pid=0 DATA len=0
Mon Dec 31 23:17:22 2007 us=442600 UDPv4 WRITE [42] to <server IP addr>:4444: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #6 ] [ ] pid=0 DATA len=0
Mon Dec 31 23:17:24 2007 us=709205 UDPv4 WRITE [42] to <server IP addr>:4444: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #7 ] [ ] pid=0 DATA len=0
Mon Dec 31 23:17:26 2007 us=974427 UDPv4 WRITE [42] to <server IP addr>:4444: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #8 ] [ ] pid=0 DATA len=0
Mon Dec 31 23:17:28 2007 us=108141 UDPv4 WRITE [42] to <server IP addr>:4444: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #9 ] [ ] pid=0 DATA len=0
Mon Dec 31 23:17:30 2007 us=375546 UDPv4 WRITE [42] to <server IP addr>:4444: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #10 ] [ ] pid=0 DATA len=0
Mon Dec 31 23:17:32 2007 us=640932 NOTE: --mute triggered...
Mon Dec 31 23:18:13 2007 us=12445 18 variation(s) on previous 10 message(s) suppressed by --mute
Mon Dec 31 23:18:13 2007 us=12573 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Dec 31 23:18:13 2007 us=12597 TLS Error: TLS handshake failed
Mon Dec 31 23:18:13 2007 us=12825 TCP/UDP: Closing socket
Mon Dec 31 23:18:13 2007 us=12920 SIGUSR1[soft,tls-error] received, process restarting
So, it looks like to me that the server is seeing the client packets and is responding to them but the client is not seeing or not responding to the server packets. The client firewall log indicates that the incoming packets from the server are being received and forwarded.
Any ideas?
thanks!
paul
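As an added example that is not part of this thread or of OpenVPN itself, the following Python script reads verb 6 log lines from both ends and summarises the asymmetry Paul describes: the client writes P_CONTROL_HARD_RESET_CLIENT_V2 repeatedly and reads nothing, while the server reads those resets, writes replies, and then gets ECONNREFUSED (a UDP read returning ECONNREFUSED means the local stack received an ICMP port-unreachable for an earlier send). The sample lines embedded below are constructed from the logs quoted above, with the same address placeholders; the function names and the thresholds in diagnose() are choices made for this example.

```python
import re
from collections import Counter

# Constructed sample input, modelled on the verb 6 lines quoted in the post.
SERVER_LOG = """\
Mon Dec 31 23:15:29 2007 us=724930 <client IP addr>:7148 UDPv4 READ [42] from <client IP addr>:7148: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #11 ] [ ] pid=0 DATA len=0
Mon Dec 31 23:15:29 2007 us=725126 <client IP addr>:7148 UDPv4 WRITE [54] to <client IP addr>:7148: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #1 ] [ 0 ] pid=0 DATA len=0
Mon Dec 31 23:15:29 2007 us=804415 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Mon Dec 31 23:15:31 2007 us=983336 <client IP addr>:7148 UDPv4 WRITE [42] to <client IP addr>:7148: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
Mon Dec 31 23:15:32 2007 us=44084 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
"""

CLIENT_LOG = """\
Mon Dec 31 23:17:12 2007 us=548089 UDPv4 link remote: <server IP addr>:4444
Mon Dec 31 23:17:12 2007 us=548221 UDPv4 WRITE [42] to <server IP addr>:4444: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
Mon Dec 31 23:17:14 2007 us=744597 UDPv4 WRITE [42] to <server IP addr>:4444: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
Mon Dec 31 23:18:13 2007 us=12573 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""

# One control-channel packet: direction, peer (may contain spaces when it is a
# placeholder like "<client IP addr>:7148"), and the P_* opcode.
PKT_RE = re.compile(r"UDPv4 (READ|WRITE) \[\d+\] (?:from|to) (.+?): (P_[A-Z0-9_]+)")
# A socket read error such as "read UDPv4 [ECONNREFUSED]: ...".
ERR_RE = re.compile(r"read UDPv4 \[([A-Z]+)\]")


def summarize(log_text):
    """Count packets per (direction, opcode) and socket errors; collect peers seen."""
    counts = Counter()
    peers = set()
    for line in log_text.splitlines():
        m = PKT_RE.search(line)
        if m:
            direction, peer, opcode = m.groups()
            counts[(direction, opcode)] += 1
            peers.add(peer)
            continue
        e = ERR_RE.search(line)
        if e:
            counts[("ERROR", e.group(1))] += 1
    return counts, peers


def diagnose(counts, side):
    """Return a list of findings for one side of the tunnel ('client' or 'server')."""
    findings = []
    if side == "client":
        sent = counts[("WRITE", "P_CONTROL_HARD_RESET_CLIENT_V2")]
        received = sum(n for (d, _), n in counts.items() if d == "READ")
        # Repeated resets with no READ at all: nothing from the server reached the socket.
        if sent >= 2 and received == 0:
            findings.append(f"client sent {sent} HARD_RESET_CLIENT_V2 and read nothing back: "
                            "no server packet reached the client socket")
    else:
        received = counts[("READ", "P_CONTROL_HARD_RESET_CLIENT_V2")]
        sent = counts[("WRITE", "P_CONTROL_HARD_RESET_SERVER_V2")]
        refused = counts[("ERROR", "ECONNREFUSED")]
        # Replies went out and an ICMP port-unreachable came back for the reply port.
        if received and sent and refused:
            findings.append(f"server answered {received} client reset(s) with {sent} reply(ies) "
                            f"and saw {refused} ECONNREFUSED: the return path to the reply port is rejected")
    return findings


def report(client_log, server_log):
    """Run both sides and return a dict a reader can inspect or assert on."""
    c_counts, c_peers = summarize(client_log)
    s_counts, s_peers = summarize(server_log)
    return {
        "client": diagnose(c_counts, "client"),
        "server": diagnose(s_counts, "server"),
        "server_reply_peers": sorted(s_peers),  # the (NAT-translated) addr:port the server replies to
        "client_remote_peers": sorted(c_peers),
    }


if __name__ == "__main__":
    for key, value in report(CLIENT_LOG, SERVER_LOG).items():
        print(f"{key}: {value}")
```

The server-side peer set is worth printing: it is the address and port the server replies to, which behind NAT is the firewall's translated port rather than the port the `nobind` client actually opened, so it is the value to compare against the firewall's state table when the two sides disagree.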