Andrew Gray (Gil) wrote:
>>
>...
>
>> After some fiddling and more research into the configuration I can now ping
>> from either firewall to the opposite end of the tunnel on the 10.8.0.0 network.
>> I can ping from firewall 2 to the 192.168.2.0 network (server and internal
>> interface) but not from the server at this site.
>> 
>> From firewall 1 I can ping firewall 2 tun0 interface but nothing else at the
>> other site.   This makes me think my problem is a routing problem rather than
>> an openvpn problem and the order of the routing entries is different on each
>> firewall.  Routing entries are as follows:
>> 
>> Firewall 1
>> 
>> FIREWALLESP# ip r
>> 10.8.0.2 dev tun0  proto kernel  scope link  src 10.8.0.1 
>> 192.168.1.0/30 dev eth0  proto kernel  scope link  src 192.168.1.3 
>> 192.168.3.0/24 via 10.8.0.2 dev tun0 
>> 192.168.2.0/24 dev eth1  proto kernel  scope link  src 192.168.2.1 
>> 10.8.0.0/24 via 10.8.0.2 dev tun0 
>> default via 192.168.1.1 dev eth0 
>> 
>> 
>> FIREWALL 2
>> 
>> FIREWALLPIA# ip r
>> 10.8.0.5 dev tun0  proto kernel  scope link  src 10.8.0.6 
>> 192.168.3.0/24 dev eth1  proto kernel  scope link  src 192.168.3.1 
>> 192.168.2.0/24 via 10.8.0.5 dev tun0 
>> 10.8.0.0/24 via 10.8.0.5 dev tun0 
>> 192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.4 
>> default via 192.168.1.1 dev eth0 
>> 
>> 
>> Can anyone tell me if I am on the right track or not?   Any help would be
>> greatly appreciated.
>
>Which one of firewalls 1/2 is the server?
>
>The server will have to push the route to the subnet behind it to the 
>client with the push directive, the client will notify the server using 
>the iroute directive.
>
>For your set up a subnet to subnet connection appears more logical than 
>a client/server set up, although it can be done.
>
>Use your favorite network monitoring tool to follow the track of your 
>packets, you will quickly see where they get stuck. I recommend using 
>tcpdump on the tun interfaces and the internal interfaces of the firewalls.
>
>cheers
>
>Erich
>
>
Firewall 1 is the server end of the setup.  I have solved the problem however by
adding a statement to the Shorewall Masq file.   This was mentioned in
documentation I read somewhere but not emphasised at all.  Perhaps it should be
included in the main configuration document as are many of the other settings.
On adding this statement, everything started to work as I expected.  Thank you
for the suggestions and help with this problem.  I am very impressed with the
product.

Andrew Gray


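The thread above raises the hypothesis that the differing order of routing entries on the two firewalls might be the cause. The following is an added example (not code from the thread, from LEAF, OpenVPN or Shorewall): a small Python longest-prefix-match lookup run over the two `ip r` tables exactly as posted. It shows that the Linux FIB selects a route by prefix length, not by the order in which `ip r` prints entries, so on both firewalls the remote subnet already resolves to the route via tun0 whatever the ordering. The destination addresses 192.168.3.10, 192.168.2.50 and 8.8.8.8 are constructed test inputs, and the route parsing handles only the `ip r` fields that appear in the posted output.

```python
import ipaddress

# Routing tables copied from the thread: output of `ip r` on each firewall.
FIREWALL1_ROUTES = """\
10.8.0.2 dev tun0  proto kernel  scope link  src 10.8.0.1
192.168.1.0/30 dev eth0  proto kernel  scope link  src 192.168.1.3
192.168.3.0/24 via 10.8.0.2 dev tun0
192.168.2.0/24 dev eth1  proto kernel  scope link  src 192.168.2.1
10.8.0.0/24 via 10.8.0.2 dev tun0
default via 192.168.1.1 dev eth0
"""

FIREWALL2_ROUTES = """\
10.8.0.5 dev tun0  proto kernel  scope link  src 10.8.0.6
192.168.3.0/24 dev eth1  proto kernel  scope link  src 192.168.3.1
192.168.2.0/24 via 10.8.0.5 dev tun0
10.8.0.0/24 via 10.8.0.5 dev tun0
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.4
default via 192.168.1.1 dev eth0
"""


def parse_routes(text):
    """Parse `ip r` lines into (network, gateway, device, src) tuples.

    Only the keywords present in the posted tables are handled:
    'default', 'via', 'dev' and 'src'. A bare host address such as
    '10.8.0.2' becomes a /32 host route, as the kernel treats it.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = fields[0]
        if dst == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(dst, strict=False)
        gw = dev = src = None
        for i, tok in enumerate(fields):
            if tok == "via":
                gw = fields[i + 1]
            elif tok == "dev":
                dev = fields[i + 1]
            elif tok == "src":
                src = fields[i + 1]
        routes.append((net, gw, dev, src))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific matching route wins.

    Entry order is irrelevant; with equal prefix lengths the first match
    is kept, which does not occur in the posted tables.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for route in routes:
        net = route[0]
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = route
    return best


def next_hop(routes, dst):
    """Return (gateway, device) for dst; gateway is None for on-link routes."""
    route = lookup(routes, dst)
    return (route[1], route[2]) if route else None


def order_independent(routes, dst):
    """True if the lookup gives the same answer on the reversed table."""
    return next_hop(routes, dst) == next_hop(list(reversed(routes)), dst)


if __name__ == "__main__":
    fw1 = parse_routes(FIREWALL1_ROUTES)
    fw2 = parse_routes(FIREWALL2_ROUTES)
    for name, table, dst in (("firewall 1", fw1, "192.168.3.10"),
                             ("firewall 2", fw2, "192.168.2.50"),
                             ("firewall 1", fw1, "10.8.0.2"),
                             ("firewall 1", fw1, "8.8.8.8")):
        print(name, dst, "->", lookup(table, dst),
              "order-independent:", order_independent(table, dst))
```

On firewall 1 a packet for 192.168.3.10 matches 192.168.3.0/24 via 10.8.0.2 on tun0, and on firewall 2 a packet for 192.168.2.50 matches 192.168.2.0/24 via 10.8.0.5 on tun0, so forwarding between the two LANs is already routable on both ends; a host route such as 10.8.0.2/32 wins over 10.8.0.0/24 because it is longer, not because it is listed first. That is consistent with the thread's eventual finding that the fix lay in NAT configuration rather than in the kernel routes, and it is the kind of check worth making before reaching for tcpdump.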

leaf-user mailing list: [email protected]
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
