Re: [Openvpn-users] openVPN through Cisco firewall!


  • Subject: Re: [Openvpn-users] openVPN through Cisco firewall!
  • From: Erich Titl <erich.titl@xxxxxxxx>
  • Date: Sun, 08 Jul 2007 22:05:39 +0200

Peter Njiiri schrieb:
> Hi
> Again thanks for the feedback. Yes, you are correct with the
> interpretation of the network. The software I'm installing (LDAP client)
> that needs no NAT requires that the destination IP be 192.168.1.2. This
> is because the openVPN is running the LDAP server listening on
> eth0, 192.168.1.2.

Can't you make it listen also on the tun interface 10.8.0.1?

> So in this scenario should I
> 1. use the destination IP as the VPN IP, i.e 10.8.0.1 as it seems using
> 192.168.1.2 doesn't work as the communication back from the LDAP server
> is going through NAT.

You could do some tricky routing.

> 2. Is the 10.8.0.1 address bound to the eth0 IP thus use it as the
> destination IP??

No, it is bound to the tun interface.

> 3. I tried ethernet bridging but it didn't work

What can I say, I don't like bridging.

>  
> Please note that the remote IP the VPN client is referencing is
> configured on a switch behind the firewall which maps the internal nic
> to external access. Is this a problem?

Switches (most of the time) are layer 2, so they should be transparent
to IP.


> I did a traceroute from the remote client (10.30.7.100) to the openVPN
> internal nic (192.168.1.2) and it shows only one hop to the destination
> (the hop is the destination address 192.168.1.2) whereas a traceroute
> from 192.168.1.2 to 10.30.7.9 shows three hops (hops through
> firewall, remote router then remote destination). When I ping 192.168.1.2
> from 10.30.7.100, I can see tcpdump activity on tun0 on the
> openVPN server but if I ping 10.30.7.9 from 192.168.1.2 I DO NOT see
> tcpdump activity on tun0 on the client, it's received on eth1 on the
> client interface. Why is this happening???

Your routing is incomplete. iproute2 is your friend if needed; else try
to make your LDAP server also listen on the tun interface. For a try,
make it listen on all interfaces.

cheers
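The asymmetry the poster describes (client-to-server traffic arrives on tun0, but server-to-client-LAN traffic leaves via eth0 and the firewall) is what an incomplete routing table on the OpenVPN server produces. The following added example is not from this thread or from OpenVPN; it reimplements the kernel's longest-prefix route lookup over a constructed `ip route show` table so the effect can be checked offline. The client's VPN address 10.8.0.2 and the gateway 192.168.1.1 are assumptions, not values from the thread; the remote LAN 10.30.7.0/24 is inferred from the 10.30.7.x hosts mentioned.

```python
"""Longest-prefix route lookup over constructed `ip route show` tables.

Added example (not part of the original thread): shows why the reverse
path 192.168.1.2 -> 10.30.7.9 leaves via eth0 when the OpenVPN server
has no route for the client's LAN, and how a single added route fixes it.
"""
import ipaddress

# Constructed: a plausible server routing table BEFORE the fix. The client's
# VPN address (10.8.0.2, assumed) is reachable via tun0, but the client's
# LAN 10.30.7.0/24 is not mentioned, so it falls through to the default route.
ROUTES_BEFORE = """\
default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.2
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
"""

# Constructed: the same table AFTER adding a route for the remote LAN
# (what `ip route add 10.30.7.0/24 via 10.8.0.2 dev tun0` would produce, or
# a `route 10.30.7.0 255.255.255.0` line in the server's OpenVPN config).
ROUTES_AFTER = ROUTES_BEFORE + "10.30.7.0/24 via 10.8.0.2 dev tun0\n"


def parse_routes(text):
    """Turn `ip route show` style lines into (network, device, gateway) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dst, strict=False)   # bare host -> /32
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        gw = fields[fields.index("via") + 1] if "via" in fields else None
        routes.append((net, dev, gw))
    return routes


def lookup(text, dst):
    """Return (device, gateway) for dst: the most specific matching route wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, dev, gw in parse_routes(text):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, gw)
    return (best[1], best[2]) if best else (None, None)


def leaves_via_vpn(text, dst, vpn_dev="tun0"):
    """True if replies to dst would go out over the VPN interface."""
    return lookup(text, dst)[0] == vpn_dev


def fix_command(remote_lan, vpn_peer, vpn_dev="tun0"):
    """The iproute2 command that adds the missing return route (hypothetical values)."""
    net = ipaddress.ip_network(remote_lan, strict=False)
    return f"ip route add {net} via {vpn_peer} dev {vpn_dev}"


if __name__ == "__main__":
    for label, table in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        dev, gw = lookup(table, "10.30.7.9")
        print(f"{label}: 10.30.7.9 via {gw} dev {dev}")
    if not leaves_via_vpn(ROUTES_BEFORE, "10.30.7.9"):
        print("missing route; add with:", fix_command("10.30.7.0/24", "10.8.0.2"))
```

Run on the real server, the check is `ip route get 10.30.7.9`: if the answer names eth0 rather than tun0, replies to the remote LAN never enter the tunnel, which matches the tcpdump observation in the thread. Pushing the remote LAN route from the server (or adding it with iproute2) is the routing fix; binding the LDAP daemon to the tun address as well is the workaround Erich suggests.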
______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users