[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Google
 
Web openvpn.net

Re: [Openvpn-users] Watchguard Remote Site Routing Issues with OpenVPN Clients


  • Subject: Re: [Openvpn-users] Watchguard Remote Site Routing Issues with OpenVPN Clients
  • From: Jan Just Keijser <janjust@xxxxxxxxx>
  • Date: Fri, 08 Feb 2008 11:27:36 +0100

Hi Jeremy,

so you have an openvpn server in bridged mode on your local LAN. The 
openvpn server IP address is 10.0.0.0/24 address and it is handing out 
10.0.0.0/24 addresses to clients. Right? Or is your openvpn subnet 
something different again (which would defeat the purpose of bridging, I 
guess) ?

IF your openvpn server is handing out 10.0.0.0/24 addresses to clients 
then how would the watchguard know which packets need to be encapsulated 
by openvpn and which packets can go through without any problems?

Also, this is one of my recurring questions in posts here, why do you 
need bridging? If you'd chosen a routed vpn setup this problem should 
not have occurred (but you get other nice routing issues to deal with ;-)).

I agree with Erich that posting a config file (client+server) would 
certainly help.

HTH,

JJK

Jeremy Cheng wrote:
> Hi Erich,
>
> Thanks for your reply. Here's a shot at what I think might be "relevant":
>
> say 10.0.0.0/24 is our local lan behind the watchguard where the openvpn 
> server sits. The watchguard builds an ipsec tunnel with unknown cisco 
> device at our colo managed by a different entity where the local subnet 
> is 10.0.1.0/24. The watchguard some how automagically knows to route 
> traffic coming from 10.0.0.0/24 to 10.0.1.0/24 through the IPSEC tunnel 
> for everything but OpenVPN clients. The servers at colo also have 
> persistent routes setup to know where the return path gateway is for 
> 10.0.0.0/24.
>
> I don't think it's a firewall issue because why would all other nodes work?
>
> Any other info I can provide? Other ideas?
>
> Thanks,
>
> -J
>
> Erich Titl wrote:
>   
>> Jeremy
>>
>> Jeremy Cheng schrieb:
>>     
>>> Hi all,
>>>
>>> I have a watchguard firebox at work connected to our colo's cisco by 
>>> IPSEC and an openvpn server running in bridge mode behind the 
>>> watchguard. Everything works perfectly except for the watchguard 
>>> doesn't seem to want to route openvpn client traffic to our colo. 
>>> Anyone have any ideas why that is? 
>>>       
>> Firewall rules?
>>
>> The thing that puzzles me is how openvpn assigned
>>     
>>> IPs are any different from manually set static IPs inside the 
>>> network... cause traffic from static IP's are being routed properly.
>>>       
>> It might help if you gave a detailed description of the relevant parts 
>> of your network.
>>
>>     

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users