Re: [Openvpn-users] site to site vpn - routing issues


  • Subject: Re: [Openvpn-users] site to site vpn - routing issues
  • From: "Iad Scoot" <iad.scoot@xxxxxxxxx>
  • Date: Thu, 9 Aug 2007 19:30:08 -0400

Forgot to mention that I already have ip forwarding enabled on the boxes....
 
Thanks...

 
On 8/9/07, Iad Scoot <iad.scoot@xxxxxxxxx> wrote:
Hi, sorry for the long post but I need advice - also sorry if this got double-posted, I'm having some address book issues...
 
Trying to set up a site-to-site vpn between 2 openvpn (CentOS 4.5 w/ openvpn 2.0.9) systems. Site 1 (corp office) has its openvpn system configured as "server". Fortinet firewall sitting in front of the corp office lan; vpn server in DMZ and static route set for incoming vpn traffic to go to the vpn box. Site 2 (remote office) has vpn box configured as "client" for routing traffic from several laptops at the remote office to the corp office. Second Fortinet firewall sitting in front of the remote office lan; laptops connected to the internal interface (GREEN segment) and vpn box connected to the DMZ. Static routes have been set on the firewall to pass any traffic destined for the pushed remote subnets to the vpn box.
 
Using routing, TLS w/ certs, etc. I can establish a tunnel but cannot access resources on the pushed subnets. On the remote office side, I can ping from the vpn box to the subnet at the corp office that the vpn server is on but not any of the other subnets that are "pushed" to the client vpn box. Here's the server config (corp office):
 
port 443
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.9.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.2.0 255.255.255.0"
push "route 192.168.6.0 255.255.255.0"
client-config-dir ccd
route 192.168.100.0 255.255.255.0
keepalive 10 120
tls-auth hmac.key 0
cipher AES-256-CBC   # AES
comp-lzo
max-clients 4
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log         openvpn.log
verb 5
mute 20
 
The server config includes a file within the "ccd" directory with the appropriate "iroute" command. Here is the client config:

client
dev tun
proto tcp
remote my_external_ip 443
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
tls-auth hmac.key 1
cipher AES-256-CBC
comp-lzo
log client.log
verb 6
 
Any thoughts? Could really use some help on this - need to do a couple of remote offices in this manner.
 
 
Thanks...
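The setup described in the thread depends on two directives agreeing with each other: a server-side `route` so the kernel hands packets for the remote office LAN to the tun interface, and an `iroute` in the client's ccd file so OpenVPN knows which connected client owns that LAN. The following script is an added example, not code from the original post or from the OpenVPN project: it parses a server config and its ccd files and reports route/iroute mismatches and overlaps between pushed subnets and a client's own LAN. The sample config is constructed to mirror the layout in the post (the ccd content is an assumption, since the post only says it holds the appropriate `iroute`). It cannot check kernel state such as `net.ipv4.ip_forward` or return routes on the gateways of the pushed subnets, which are the other usual causes of one-way reachability.

```python
"""Consistency check for the OpenVPN directives a routed site-to-site setup
relies on. Added example; not part of the original mailing-list post.

For the server to forward packets to a client's LAN it needs:
  * a kernel route:   `route <net> <mask>` in the server config, so the
    kernel hands packets for that LAN to the tun interface, and
  * an internal route: `iroute <net> <mask>` in that client's ccd file, so
    OpenVPN knows which connected client owns the LAN.
A `route` without an `iroute` (or vice versa) silently breaks one direction.
This script cannot verify sysctl settings or the return routes on the
pushed subnets' gateways; it only checks the config files for agreement.
"""
from ipaddress import ip_network


def parse_directives(text):
    """Split an OpenVPN config into (directive, [args]) pairs.

    Comments (# ...) and blank lines are dropped; quoted push payloads are
    kept as raw tokens and unwrapped by collect_routes().
    """
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            directives.append((name, args))
    return directives


def _net(addr, mask="255.255.255.255"):
    """Build a network from OpenVPN's `address netmask` notation."""
    return ip_network(f"{addr}/{mask}", strict=False)


def collect_routes(directives):
    """Return (pushed, routed, iroutes, server_net) as sets of networks."""
    pushed, routed, iroutes, server_net = set(), set(), set(), None
    for name, args in directives:
        if name == "push" and args:
            inner = " ".join(args).strip("\"'").split()
            if len(inner) >= 3 and inner[0] == "route":
                pushed.add(_net(inner[1], inner[2]))
        elif name == "route" and args:
            routed.add(_net(*args[:2]))      # gateway/metric args are ignored
        elif name == "iroute" and args:
            iroutes.add(_net(*args[:2]))     # missing mask means a host route
        elif name == "server" and len(args) >= 2:
            server_net = _net(args[0], args[1])
    return pushed, routed, iroutes, server_net


def check_site_to_site(server_conf, ccd_files):
    """Return a list of findings; an empty list means the files agree.

    server_conf: text of the server config.
    ccd_files:   {client_common_name: text of that client's ccd file}
    """
    findings = []
    pushed, routed, _, server_net = collect_routes(parse_directives(server_conf))
    owner = {}  # client LAN -> common name of the client that iroutes it
    for client, text in ccd_files.items():
        _, _, iroutes, _ = collect_routes(parse_directives(text))
        for net in iroutes:
            if net in owner:
                findings.append(f"{net} is iroute'd by both {owner[net]} and {client}")
            owner[net] = client
    for net in routed:
        if net not in owner:
            findings.append(f"route {net}: kernel route exists but no ccd file carries "
                            f"a matching iroute, so OpenVPN drops packets for it")
    for net, client in owner.items():
        if net not in routed:
            findings.append(f"iroute {net} ({client}): no server-side 'route' for it, so "
                            f"the kernel never hands those packets to the tun interface")
    for net in pushed:
        if server_net is not None and net.overlaps(server_net):
            findings.append(f"pushed route {net} overlaps the VPN pool {server_net}")
        for lan, client in owner.items():
            if net.overlaps(lan):
                findings.append(f"pushed route {net} overlaps {client}'s own LAN {lan}; "
                                f"that client would send local traffic into the tunnel")
    return findings


# Constructed sample mirroring the post: corp LANs are pushed to the client,
# the remote office LAN 192.168.100.0/24 is routed back. The ccd text is an
# assumption; the post only states that it contains the iroute.
SERVER_CONF = """\
server 10.9.0.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"
push "route 192.168.6.0 255.255.255.0"
client-config-dir ccd
route 192.168.100.0 255.255.255.0
cipher AES-256-CBC   # AES
"""
CCD_OK = {"remote-office": "iroute 192.168.100.0 255.255.255.0\n"}
CCD_MISSING = {"remote-office": "# iroute line forgotten\n"}

if __name__ == "__main__":
    for label, ccd in (("correct ccd", CCD_OK), ("ccd without iroute", CCD_MISSING)):
        print(f"== {label}")
        for finding in check_site_to_site(SERVER_CONF, ccd) or ["no inconsistencies found"]:
            print("  ", finding)
```

Run it against the real files (`check_site_to_site(open("server.conf").read(), {cn: open(f"ccd/{cn}").read() for cn in os.listdir("ccd")})`) and an empty result narrows the problem to kernel forwarding or to the gateways of the pushed subnets lacking a route back to the VPN pool and the remote LAN.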