Hi David
It's true that all IP addresses are in the 10.x.x.x private address
space that isn't supposed to be routed on the Internet, but in all the
connections over the Internet the only visible addresses are the
public ones (otherwise the VPNs wouldn't be working): Main and branch
office public IP addresses and what ever the road warriors receive when
connecting their laptops, either at home or at a client's site.
The branch's firewall NATs the branch office 10.x.x.x address space
on its external interface, but I don't see how that would cause routing
problems between the 2 VPNs.
TIA
Paolo
David Newman wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 9/3/07 2:15 PM, Paolo Supino wrote:
Hi
I have a firewall that also acts as a VPN peer for 2 VPNs. One of
the VPNs is IPSEC that connects between the main office and a branch
office. The second VPN is OpenVPN that connects windows based road
warriors to the branch office. I want to enable employees that connect
to the branch's OpenVPN to reach the main office servers (and filter
traffic to). Both VPNs are working so the appropriate routing entries
exist in the firewall's routing table. Even if I disable all the
firewall rules and just let everything pass through the firewall the
OpenVPN clients still cannot reach the main office servers. What am
I missing?
One possible issue is that the default config for OpenVPN uses
"unroutable" addresses out of RFC 1918 space. I believe the default
config file uses 172.16.111.0/29 or something like that.
Routers should never forward packets to RFC 1918 addresses across the
public Internet; it's a best practice to filter them. Remote OpenVPN
traffic looks like it comes from from 172.16.111.something, and the main
office router will quite properly drop traffic destined there.
You're either going to need to NAT your VPN traffic or (far better, if
you can) get enough public IPv4 or IPv6 addresses not to mess with NAT.
dn
iD8DBQFG3H+syPxGVjntI4IRAko7AJ9P7SamMasV+9hS/9f6jzPit00FywCgjfnb
9hQTU1zRm18kxf/K6vHpYv4=
=4YME
-----END PGP SIGNATURE-----
