[Openvpn-users] Problem: Two tunnels, one firewall


  • Subject: [Openvpn-users] Problem: Two tunnels, one firewall
  • From: "Tibbs, Richard" <rwtibbs@xxxxxxxxxxx>
  • Date: Mon, 13 Dec 2004 14:36:10 -0500

Dear list,
I am struggling with a two-tunnel configuration on a firewall.
I have two instances of openvpn running, but the second one to come up
(oddly, tun0 comes up after tun1) fails due to a route conflict.
With this arrangement:
winxp -- WLAN -- homefw -- Internet -- officefw
  <--- tun 1 -----> <---- tun0 ---------->
 route 216.x.y.z       route 216.x.y.z = external iface of homefw.
The above route commands are identical in both openvpn configs on
homefw.
This causes the second tunnel to come up, tun0, to fail the route
command.
I could change the route command in tun0's config to my ISP's default
gateway and see if that works.
I have attached as much volume as I dare below -- sorry to clog your
mailboxes.  See the daemon.log segment for the error.
Any thoughts?
TIA
Rick.

========== file openvp2.conf (comes up as tun0)============== 

dev tun
disable-occ
local 216.x.y.z
# Our remote peer (office firewall)
remote 137.p.q.r
route 216.x.y.z
secret static.key
verb 5
mute 10

========== file openvpn.conf (comes up as tun1, was tun0)==============
dev tun
# For compatibility with 2.x openvpn clients/servers
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
disable-occ
local 192.168.1.254
float
ifconfig 10.1.1.1 10.1.1.2
route 216.x.y.z
secret static.key

======================= home firewall interfaces and route table.

firewall: -root-
# ip addr sho
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop 
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:02:e3:13:02:78 brd ff:ff:ff:ff:ff:ff
    inet 216.12.22.89/26 brd 216.12.22.127 scope global eth0
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:02:e3:12:7d:94 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1256 qdisc pfifo_fast qlen 10
    link/ppp 
    inet 10.1.10.1 peer 10.1.10.2/32 scope global tun0
6: tun1: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc pfifo_fast qlen 10
    link/ppp 
    inet 10.1.1.1 peer 10.1.1.2/32 scope global tun1
7: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
    link/ether 00:02:e3:13:02:78 brd ff:ff:ff:ff:ff:ff
    inet 216.12.22.89/26 brd 216.12.22.127 scope global ipsec0
8: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip 
9: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip 
10: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip 

firewall: -root-
#  ip route sho
10.1.10.2 dev tun0  proto kernel  scope link  src 10.1.10.1 
216.12.22.89 via 10.1.10.2 dev tun0 
10.1.1.2 dev tun1  proto kernel  scope link  src 10.1.1.1 
216.12.22.64/26 dev eth0  proto kernel  scope link  src 216.12.22.89 
216.12.22.64/26 dev ipsec0  proto kernel  scope link  src 216.12.22.89 
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.254 
default via 216.12.22.65 dev eth0 

============================ daemon.log from bering. ===================

Dec 13 11:31:30 firewall openvpn[29658]: TUN/TAP device tun0 opened
Dec 13 11:31:30 firewall openvpn[29658]: ip link set dev tun0 up mtu 1256
Dec 13 11:31:30 firewall openvpn[29658]: ip addr add dev tun0 local 10.1.10.1 peer 10.1.10.2
Dec 13 11:31:30 firewall openvpn[29658]: ip route add 216.12.22.89/32 via 10.1.10.2
Dec 13 11:31:30 firewall openvpn[29658]: Data Channel MTU parms [ L:1300 D:1300 EF:44 EB:0 ET:0 EL:0 ]
< .... segment deleted for brevity...>
Dec 13 11:31:31 firewall openvpn[1512]: OpenVPN 1.6.0 i686-pc-linux-gnu [SSL] [LZO] built on Dec  1 2004
Dec 13 11:31:31 firewall openvpn[1512]: Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Dec 13 11:31:31 firewall openvpn[1512]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 13 11:31:31 firewall openvpn[1512]: Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Dec 13 11:31:31 firewall openvpn[1512]: Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 13 11:31:31 firewall openvpn[1512]: TUN/TAP device tun1 opened
Dec 13 11:31:31 firewall openvpn[1512]: ip link set dev tun1 up mtu 1500
Dec 13 11:31:31 firewall openvpn[1512]: ip addr add dev tun1 local 10.1.1.1 peer 10.1.1.2
Dec 13 11:31:31 firewall openvpn[1512]: ip route add 216.12.22.89/32 via 10.1.1.2
Dec 13 11:31:31 firewall openvpn[1512]: ERROR: Linux route add command failed: shell command exited with error status: 2
Dec 13 11:31:31 firewall openvpn[1512]: Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:0 ET:32 EL:0 ]



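Editor's note, as an added worked example (not code from the post above, nor from OpenVPN itself): both configs carry the same `route 216.x.y.z` line, so each instance runs `ip route add 216.12.22.89/32 via <its own peer>`. The Linux main table holds one route per prefix and metric, so the second add is rejected, iproute2 prints `RTNETLINK answers: File exists` and exits with status 2, which is exactly the `error status: 2` in the daemon.log. The script below performs that collision check offline, before anything touches the kernel, against a route table constructed from the `ip route sho` output in the post. The function names `norm_dst`, `existing_route` and `plan_route_add` are introduced here and are not OpenVPN options or commands.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenVPN.
# Pre-flight check for the failure in the daemon.log above: the second
# openvpn instance runs "ip route add 216.12.22.89/32 via 10.1.1.2" while
# tun0 has already installed 216.12.22.89/32 via 10.1.10.2, and iproute2
# exits with status 2 (RTNETLINK answers: File exists).
#
# ROUTE_TABLE is constructed from the `ip route sho` output in the post;
# on a live box it would come from `ip route show`.
ROUTE_TABLE='10.1.10.2 dev tun0  proto kernel  scope link  src 10.1.10.1
216.12.22.89 via 10.1.10.2 dev tun0
10.1.1.2 dev tun1  proto kernel  scope link  src 10.1.1.1
216.12.22.64/26 dev eth0  proto kernel  scope link  src 216.12.22.89
216.12.22.64/26 dev ipsec0  proto kernel  scope link  src 216.12.22.89
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.254
default via 216.12.22.65 dev eth0'

# Normalise a destination so that "216.12.22.89" (as written on the config's
# "route" line) and "216.12.22.89/32" (as the kernel installs it) compare equal.
norm_dst() {
  case "$1" in
    default) printf 'default\n' ;;
    */*)     printf '%s\n' "$1" ;;
    *)       printf '%s/32\n' "$1" ;;
  esac
}

# existing_route DST: print the remainder of the entry ("via GW dev IFACE ...")
# for an exact-prefix match in ROUTE_TABLE; exit 1 if no such route exists.
# Only the main table is inspected and metric/tos are ignored, which is what
# a plain "ip route add DST via GW" collides with.
existing_route() {
  want=$(norm_dst "$1")
  printf '%s\n' "$ROUTE_TABLE" | awk -v want="$want" '
    {
      dst = $1
      if (dst != "default" && index(dst, "/") == 0) dst = dst "/32"
      if (dst == want) { $1 = ""; sub(/^ +/, ""); print; found = 1; exit }
    }
    END { exit (found ? 0 : 1) }'
}

# plan_route_add DST GW: mirror the command openvpn's --route would run and
# report, before touching the kernel, whether it would collide. Returns 0 when
# the add would succeed and 2 (iproute2's exit status for an RTNETLINK error)
# when an equal-prefix route is already installed.
plan_route_add() {
  if cur=$(existing_route "$1"); then
    echo "conflict: $(norm_dst "$1") already routed '$cur'; 'ip route add $1 via $2' would fail (File exists)" >&2
    return 2
  fi
  echo "ok: ip route add $(norm_dst "$1") via $2"
  return 0
}

# Replay the second instance's attempt from the daemon.log above (tun1's add
# after tun0 has already installed the same /32).
plan_route_add 216.12.22.89 10.1.1.2 || echo "exit status $? (the 'error status: 2' in the log)"
```

Run it with `sh`; nothing here modifies the real routing table. The check is deliberately as narrow as `ip route add` itself: it matches on the exact prefix only, so it will also flag a route you intended to supersede (that case wants `ip route replace`), and it ignores metric, tos and policy-routing tables, where an equal prefix can legitimately coexist.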
____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users