Andrew

Andrew Gray (Gil) wrote:

...

After some fiddling and more research into the configuration I can now ping from
either firewall to the opposite end of the tunnel on the 10.8.0.0 network.   I
can ping from firewall 2 to the 192.168.2.0 network (server and internal
interface) but not from the server at this site.

From firewall 1 I can ping firewall 2 tun0 interface but nothing else at the
other site. This makes me think my problem is a routing problem rather than an
openvpn problem and the order of the routing entries is different on each
firewall. Routing entries are as follows:

Firewall 1

FIREWALLESP# ip r
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
192.168.1.0/30 dev eth0 proto kernel scope link src 192.168.1.3
192.168.3.0/24 via 10.8.0.2 dev tun0
192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.1
10.8.0.0/24 via 10.8.0.2 dev tun0
default via 192.168.1.1 dev eth0

FIREWALL 2

FIREWALLPIA# ip r
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
192.168.3.0/24 dev eth1 proto kernel scope link src 192.168.3.1
192.168.2.0/24 via 10.8.0.5 dev tun0
10.8.0.0/24 via 10.8.0.5 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.4
default via 192.168.1.1 dev eth0

Can anyone tell me if I am on the right track or not? Any help would be
greatly appreciated.

Which one of firewalls 1/2 is the server?

The server will have to push the route to the subnet behind it to the client with the push directive; the client will notify the server using the iroute directive.

For your setup a subnet-to-subnet connection appears more logical than a client/server setup, although it can be done.

Use your favorite network monitoring tool to follow the track of your packets; you will quickly see where they get stuck. I recommend using tcpdump on the tun interfaces and the internal interfaces of the firewalls.

cheers

Erich
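As an added example (not part of Erich's or Andrew's mail), the two-sided route declaration Erich describes, written in OpenVPN configuration syntax with the subnets from the routing tables above. It assumes firewall 1 (10.8.0.1, LAN 192.168.2.0/24) is the server and firewall 2 (LAN 192.168.3.0/24) is the client; the file paths and the client certificate common name `firewallpia` are assumptions.

```conf
# --- server side (assumed: firewall 1), /etc/openvpn/server.conf ---
dev tun
server 10.8.0.0 255.255.255.0
# Push the route to the server-side LAN so the client sends
# 192.168.2.0/24 into the tunnel (replaces a hand-made route on the client).
push "route 192.168.2.0 255.255.255.0"
# Kernel route on the server for the client-side LAN. This alone is NOT
# enough: in server mode OpenVPN also keeps an internal routing table and
# must know which connected client owns 192.168.3.0/24 (iroute below),
# otherwise it drops the packets even though "ip r" shows the route.
route 192.168.3.0 255.255.255.0
# Per-client configuration files, one per certificate common name.
client-config-dir /etc/openvpn/ccd

# --- server side, /etc/openvpn/ccd/firewallpia (file name = client CN, assumed) ---
# Internal OpenVPN route: 192.168.3.0/24 lives behind this client.
iroute 192.168.3.0 255.255.255.0

# --- client side (assumed: firewall 2), /etc/openvpn/client.conf ---
dev tun
client
remote SERVER_PUBLIC_ADDRESS 1194    # placeholder for firewall 1's address
# No "route 192.168.2.0 ..." needed here: the server pushes it on connect.

# Hosts on each LAN must use their firewall as gateway for the remote
# subnet (normally their default gateway), or replies never reach tun0.
# To see where ICMP gets stuck, run on both firewalls while pinging:
#   tcpdump -ni tun0 icmp
#   tcpdump -ni eth1 icmp
```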


-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
------------------------------------------------------------------------
leaf-user mailing list: [email protected]
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/