
On 9/3/07 2:15 PM, Paolo Supino wrote:
> Hi
> 
>  I have a firewall that also acts as a VPN peer for 2 VPNs. One of
> the VPNs is IPSEC that connects between the main office and a branch
> office. The second VPN is OpenVPN that connects windows based road
> warriors to the branch office. I want to enable employees that connect
> to the branch's OpenVPN to reach the main office servers (and filter
> traffic to). Both VPNs are working so the appropriate routing entries
> exist in the firewall's routing table. Even if I disable all the
> firewall rules and just let everything pass through the firewall the
> OpenVPN clients still cannot reach the main office servers. What am
> I missing?

One possible issue is that the default config for OpenVPN uses
"unroutable" addresses out of RFC 1918 space. I believe the default
config file uses 172.16.111.0/29 or something like that.

Routers should never forward packets to RFC 1918 addresses across the
public Internet; it's a best practice to filter them. Remote OpenVPN
traffic looks like it comes from 172.16.111.something, and the main
office router will quite properly drop traffic destined there.

You're either going to need to NAT your VPN traffic or (far better, if
you can) get enough public IPv4 or IPv6 addresses not to mess with NAT.

dn
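As an added illustration of the reply-path problem described above (example code written for this page, not from the thread; all addresses and the routing table are constructed assumptions): it models a main office router that has a tunnel route for the branch LAN but no route for the OpenVPN pool, so the reply to an OpenVPN client is dropped, and builds the SNAT rule that makes client traffic appear to come from a branch LAN address the tunnel already carries.

```python
import ipaddress

# Constructed example addresses (assumptions, not from the thread): the
# OpenVPN client pool, the branch LAN behind the firewall, the main office
# LAN reached over the IPsec tunnel, and the firewall's branch LAN address.
OPENVPN_POOL = ipaddress.ip_network("172.16.111.0/29")
BRANCH_LAN = ipaddress.ip_network("192.168.2.0/24")
MAIN_OFFICE_LAN = ipaddress.ip_network("192.168.1.0/24")
BRANCH_FW_LAN_IP = ipaddress.ip_address("192.168.2.1")

# Constructed routing table of the main office router: it knows the branch
# LAN via the IPsec tunnel and has a default route to the Internet, but
# nothing about the OpenVPN pool.
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
MAIN_OFFICE_ROUTES = {
    MAIN_OFFICE_LAN: "eth0",   # local LAN
    BRANCH_LAN: "ipsec0",      # site-to-site tunnel to the branch
    DEFAULT: "eth1",           # public Internet uplink
}


def lookup(routes, dst):
    """Longest-prefix match. Returns the egress interface, or None when
    the packet is dropped: no route, or an RFC 1918 destination that would
    only match the default route (never forwarded onto the Internet)."""
    dst = ipaddress.ip_address(dst)
    matches = [n for n in routes if dst in n]
    if not matches:
        return None
    best = max(matches, key=lambda n: n.prefixlen)
    if best == DEFAULT and dst.is_private:
        return None
    return routes[best]


def reply_path(client_src, server_dst):
    """Interface the main office router uses for the reply to client_src."""
    if ipaddress.ip_address(server_dst) not in MAIN_OFFICE_LAN:
        raise ValueError("server is not on the main office LAN")
    return lookup(MAIN_OFFICE_ROUTES, client_src)


def snat_rule(pool=OPENVPN_POOL, dest=MAIN_OFFICE_LAN, to=BRANCH_FW_LAN_IP):
    """iptables rule rewriting OpenVPN client sources to a branch LAN
    address, so replies follow the existing tunnel route."""
    return (f"iptables -t nat -A POSTROUTING -s {pool} -d {dest} "
            f"-j SNAT --to-source {to}")


if __name__ == "__main__":
    print(reply_path("172.16.111.2", "192.168.1.10"))   # None: dropped
    print(reply_path("192.168.2.1", "192.168.1.10"))    # ipsec0
    print(snat_rule())
```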
