RE: [Openvpn-users] Re: Mystery of Openvpn


  • Subject: RE: [Openvpn-users] Re: Mystery of Openvpn
  • From: James Yonan <jim@xxxxxxxxx>
  • Date: Wed, 8 Dec 2004 17:14:30 -0700 (MST)

On Wed, 8 Dec 2004, Tibbs, Richard wrote:

> Davis,
> I tried your suggestion (redirect-gateway) on my wireless winxp laptop,
> but to no avail. Same situation, can't ping the other end of the tunnel
> (10.1.1.1) and can't bring up a web page. No communication whatsoever.
> 
> I am beginning to believe that 2.0beta15 is incompatible with 1.6
> fundamentally. I have disable-occ on the 1.6 machine.

That's definitely not true.  Lots of people including myself have 1.6 <-> 
2.0 tunnels.  See below for more comments.

> I have no mac address filtering on the linksys AP, nor any firewall or
> security agent running on the winxp box. Yet still nothing gets through.
> 
> On the firewall here are the relevant openvpn 1.6 messages in
> daemon.log, followed by my interfaces and route table on winXP (openvpn
> 2.15beta). Note that we never get beyond initiating the peer connection.
> 
> Following that are configs for both machines.
> 
> If no-one can suggest anything further, I will have to give up on
> openvpn.
> Rick
> 
> ============== openvpn 1.6 config
> 
> dev tun
> # For compatibility with 2.x openvpn clients/servers
> tun-mtu 1500
> tun-mtu-extra 32
> mssfix 1450
> disable-occ
> local 192.168.1.254
> remote 192.168.1.4
> 
> ifconfig 10.1.1.1 10.1.1.2
> route 192.168.1.4 
> secret static.key
> verb 4
> mute 10
> 
> 
> ============== openvpn 1.6 (192.168.1.254) daemon.log
> Dec 8 19:01:41 firewall openvpn[23622]: OpenVPN 1.6.0 i686-pc-linux-gnu [SSL] [LZO] built on Dec 1 2004
> Dec 8 19:01:41 firewall openvpn[23622]: Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
> Dec 8 19:01:41 firewall openvpn[23622]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> Dec 8 19:01:41 firewall openvpn[23622]: Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
> Dec 8 19:01:41 firewall openvpn[23622]: Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> Dec 8 19:01:41 firewall openvpn[23622]: TUN/TAP device tun0 opened
> Dec 8 19:01:41 firewall openvpn[23622]: ip link set dev tun0 up mtu 1500
> Dec 8 19:01:41 firewall openvpn[23622]: ip addr add dev tun0 local 10.1.1.1 peer 10.1.1.2
> Dec 8 19:01:41 firewall openvpn[23622]: ip route add 192.168.1.4/32 via 10.1.1.2
> Dec 8 19:01:41 firewall openvpn[23622]: Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:0 ET:32 EL:0 ]
> Dec 8 19:01:41 firewall openvpn[23622]: Local Options String: 'V3,dev-type tun,link-mtu 1576,tun-mtu 1532,proto UDPv4,ifconfig 10.1.1.2 10.1.1.1,cipher BF-CBC,auth SHA1,keysize 128,secret'
> Dec 8 19:01:41 firewall openvpn[23622]: Expected Remote Options String: 'V3,dev-type tun,link-mtu 1576,tun-mtu 1532,proto UDPv4,ifconfig 10.1.1.1 10.1.1.2,cipher BF-CBC,auth SHA1,keysize 128,secret'
> Dec 8 19:01:41 firewall openvpn[23622]: Local Options hash (VER=V3): '839efbe9'
> Dec 8 19:01:41 firewall openvpn[23622]: Expected Remote Options hash (VER=V3): '437d064a'
> Dec 8 19:01:41 firewall openvpn[18048]: UDPv4 link local (bound): 192.168.1.254:5000
> Dec 8 19:01:41 firewall openvpn[18048]: UDPv4 link remote: 192.168.1.4:5000
> Dec 8 19:01:58 firewall openvpn[18048]: Peer Connection Initiated with 192.168.1.4:5000
> Dec 8 19:03:57 firewall openvpn[18048]: MSS: 1460 -> 1334
> Dec 8 19:04:07 firewall last message repeated 2 times
> Dec 8 19:05:28 firewall last message repeated 2 times
> Dec 8 19:06:39 firewall openvpn[18048]: MSS: 1460 -> 1334
> Dec 8 19:06:49 firewall last message repeated 2 times
> 
> =============== ipconfig -all and route print on WINxp
> Ethernet adapter Local Area Connection 4:
> 
>         Connection-specific DNS Suffix  . :
>         Description . . . . . . . . . . . : TAP-Win32 Adapter V8
>         Physical Address. . . . . . . . . : 00-FF-48-43-61-8D
>         Dhcp Enabled. . . . . . . . . . . : Yes
>         Autoconfiguration Enabled . . . . : Yes
>         IP Address. . . . . . . . . . . . : 10.1.1.2
>         Subnet Mask . . . . . . . . . . . : 255.255.255.252
>         Default Gateway . . . . . . . . . :
>         DHCP Server . . . . . . . . . . . : 10.1.1.1
>         Lease Obtained. . . . . . . . . . : Wednesday, December 08, 2004
> 5:46:
> 
>         Connection-specific DNS Suffix  . : private.network
>         Description . . . . . . . . . . . : Intel(R) PRO/Wireless 2200BG
> Netwo
>  Connection
>         Physical Address. . . . . . . . . : 00-0E-35-15-24-F3
>         Dhcp Enabled. . . . . . . . . . . : Yes
>         Autoconfiguration Enabled . . . . : Yes
>         IP Address. . . . . . . . . . . . : 192.168.1.4
>         Subnet Mask . . . . . . . . . . . : 255.255.255.0
>         Default Gateway . . . . . . . . . : 192.168.1.254
>         DHCP Server . . . . . . . . . . . : 192.168.1.254
>         DNS Servers . . . . . . . . . . . : 192.168.1.254
> 
> C:\Documents and Settings\rwtibbs>route print
> ===========================================================================
> Interface List
> 0x1 ........................... MS TCP Loopback interface
> 0x20003 ...00 ff 48 43 61 8d ...... TAP-Win32 Adapter V8 - Deterministic
> Netwo
>  Enhancer Miniport
> 0x30002 ...00 0e 35 15 24 f3 ...... Intel(R) PRO/Wireless 2200BG Network
> Conne
> ion - Deterministic Network Enhancer Miniport
> ===========================================================================
> ===========================================================================
> Active Routes:
> Network Destination        Netmask          Gateway       Interface  Metric
>           0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.4       2
>          10.1.1.0  255.255.255.252         10.1.1.2        10.1.1.2      30
>          10.1.1.2  255.255.255.255        127.0.0.1       127.0.0.1      30
>    10.255.255.255  255.255.255.255         10.1.1.2        10.1.1.2      30
>         127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
>       192.168.1.0    255.255.255.0      192.168.1.4     192.168.1.4       2
>       192.168.1.4  255.255.255.255        127.0.0.1       127.0.0.1       2
>     192.168.1.255  255.255.255.255      192.168.1.4     192.168.1.4       2
>         224.0.0.0        240.0.0.0         10.1.1.2        10.1.1.2      30
>         224.0.0.0        240.0.0.0      192.168.1.4     192.168.1.4       2
>   255.255.255.255  255.255.255.255         10.1.1.2        10.1.1.2       1
>   255.255.255.255  255.255.255.255      192.168.1.4     192.168.1.4       1
> Default Gateway:     192.168.1.254
> ===========================================================================
> Persistent Routes:
>   None
> 
> ======================== winxp openvpn 215beta config
> local 192.168.1.4
> remote 192.168.1.254
> port 5000
> dev tun
> tun-mtu 1500
> tun-mtu-extra 32
> mssfix 1450
> ifconfig 10.1.1.2 10.1.1.1
> redirect-gateway
> #route 192.168.1.254

You are missing "secret static.key" in this config.

Also definitely don't add redirect-gateway until the config has been 
shown to work, and don't add it unless you really want it.  Using it is 
more likely to break a working config than it is to fix a non-working 
config.

I tested both of your configs on my local machines, using the same version
numbers that you are using, and I found that when I added "secret
static.key" to the beta15 config, everything worked fine.

James

>  
> 
> -----Original Message-----
> From: Davis Goodman [mailto:davis.goodman@xxxxxxxxxxxx] 
> Sent: Wednesday, December 08, 2004 10:32 AM
> To: Tibbs, Richard
> Cc: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re: [Openvpn-users] Re: Mystery of Openvpn
> 
> Hi Rick,
> 
> I have basically the same setup here and looking at your routing table 
> one thing seems strange. On my setup, when I connect to the openvpn 
> server the address for my default gateway is the address assigned by the
> openvpn server and not the default gateway of my firewall. Try using the
> "redirect-gateway" option in your client instead of route. Here is my 
> config file which I use for the wireless connection. Of course, my 
> server is 2.0beta15 as well as my client. But I think this is one of the
> problems you are seeing. I've also included a "route print" of my laptop 
> once connected with openvpn on my wireless. As you can see I only have 
> one default route which is the IP assigned from the server.
> 
> Let me know if this makes sense.
> 
> Davis
> 
> #########################################
> # Sample client-side OpenVPN config file
> # for connecting to multi-client server.
> #
> # The server can be pinged at 10.XX.21.1.
> #
> # This configuration can be used by multiple
> # clients, however each client should have
> # its own cert and key files.
> #
> # tun-style tunnel
> 
> port 1194
> proto tcp-client
> dev tun
> tun-mtu 1500
> mssfix 1400
> remote my.vpn.server
> comp-lzo
> 
> # TLS parms
> 
> tls-client
> ca ca.crt
> cert my.crt
> key my.key
> 
> # This parm is required for connecting
> # to a multi-client server. It tells
> # the client to accept options which
> # the server pushes to us.
> pull
> redirect-gateway
> verb 4
> 
> 
> 
> $ route print
> ===========================================================================
> Interface List
> 0x1 ........................... MS TCP Loopback interface
> 0x2 ...00 0d 56 e9 4d 4a ...... Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
> 0x3 ...00 ff e1 05 f7 1f ...... TAP-Win32 Adapter V8 - Packet Scheduler Miniport
> 0x4 ...00 04 23 a4 38 58 ...... Intel(R) PRO/Wireless LAN 2100 3A Mini PCI Adapter - Packet Scheduler Miniport
> ===========================================================================
> ===========================================================================
> Active Routes:
> Network Destination Netmask Gateway Interface Metric
> 0.0.0.0 0.0.0.0 10.51.21.17 10.51.21.18 1
> 10.16.0.0 255.255.0.0 10.51.21.17 10.51.21.18 1
> 10.16.0.1 255.255.255.255 10.20.0.1 10.20.0.21 1
> 10.20.0.0 255.255.255.0 10.20.0.21 10.20.0.21 30
> 10.20.0.21 255.255.255.255 127.0.0.1 127.0.0.1 30
> 10.51.21.1 255.255.255.255 10.51.21.17 10.51.21.18 1
> 10.51.21.16 255.255.255.252 10.51.21.18 10.51.21.18 30
> 10.51.21.18 255.255.255.255 127.0.0.1 127.0.0.1 30
> 10.255.255.255 255.255.255.255 10.20.0.21 10.20.0.21 30
> 10.255.255.255 255.255.255.255 10.51.21.18 10.51.21.18 30
> 127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
> 172.16.0.0 255.255.0.0 10.51.21.17 10.51.21.18 1
> 224.0.0.0 240.0.0.0 10.20.0.21 10.20.0.21 30
> 224.0.0.0 240.0.0.0 10.51.21.18 10.51.21.18 30
> 255.255.255.255 255.255.255.255 10.20.0.21 10.20.0.21 1
> 255.255.255.255 255.255.255.255 10.20.0.21 2 1
> 255.255.255.255 255.255.255.255 10.51.21.18 10.51.21.18 1
> Default Gateway: 10.51.21.17
> ===========================================================================
> Persistent Routes:
> None
> Tibbs, Richard wrote:
> 
> 
> 
> 
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
> 
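
The mismatch identified in this message (a static key configured on one end only) can be caught before deployment by comparing the two configs directive by directive. The Python check below is an added example, not part of the original thread or of OpenVPN; `parse` and `check_pair` are hypothetical helpers, and the embedded configs are the two quoted above with comment, `verb` and `mute` lines omitted.

```python
# Configs as quoted in this thread (A = 1.6 firewall, B = 2.0beta15 WinXP laptop).
SERVER_16 = """dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
disable-occ
local 192.168.1.254
remote 192.168.1.4
ifconfig 10.1.1.1 10.1.1.2
route 192.168.1.4
secret static.key
"""
CLIENT_20 = """local 192.168.1.4
remote 192.168.1.254
port 5000
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ifconfig 10.1.1.2 10.1.1.1
redirect-gateway
#route 192.168.1.254
"""

def parse(text):
    # Map directive -> argument list, skipping blank lines and '#'/';' comments.
    lines = (l.split("#", 1)[0].strip() for l in text.splitlines())
    return {l.split()[0]: l.split()[1:] for l in lines if l and not l.startswith(";")}

def check_pair(a_text, b_text):
    """Return a list of problems for a static-key point-to-point pair."""
    a, b = parse(a_text), parse(b_text)
    problems = []
    for side, o in (("A", a), ("B", b)):
        # With neither a static key nor a TLS mode, OpenVPN tunnels in cleartext.
        if "secret" not in o and not {"tls-client", "tls-server"} & o.keys():
            problems.append(f"{side}: no 'secret' or TLS mode, traffic would be unencrypted")
    if ("secret" in a) != ("secret" in b):
        problems.append("'secret' is set on one end only")
    for name in ("dev", "tun-mtu", "tun-mtu-extra"):  # must match on both ends
        if a.get(name) != b.get(name):
            problems.append(f"'{name}' differs: {a.get(name)} vs {b.get(name)}")
    if a.get("ifconfig") != b.get("ifconfig", [])[::-1]:
        problems.append("'ifconfig' endpoints are not mirrored")
    if a.get("local") != b.get("remote") or a.get("remote") != b.get("local"):
        problems.append("'local'/'remote' addresses are not mirrored")
    return problems

print(check_pair(SERVER_16, CLIENT_20))
```

Appending `secret static.key` to the client text makes `check_pair` return an empty list, matching the fix reported in the reply.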