Title: endian community 2.4 VPN Gw2Gw problem
Post by: e-telligent on Sunday 19 September 2010, 09:54:39 pm

Hi,

I successfully configured endian community 2.4 VPN Gw2Gw with this configuration:

    network1 -----> endian VPN server -----> INTERNET -------> endian Gw2Gw Client -------> network2

PLEASE PASTE HERE YOUR:
  -----> route -n output, if your VPN connection has problems.
  -----> cat /etc/sudoers | grep 'openvpn'

Title: Re: endian community 2.4 VPN Gw2Gw problem
Post by: logicasrl on Sunday 19 September 2010, 10:14:28 pm

Thank you e-telligent for your availability to help.
I have no means at the moment to upload what you are asking for, but tomorrow I will certainly upload what you need.

By the way, I have upgraded one of the 2 EFW from 2.2 to 2.4 (by efw-upgrade from an ssh session), with no errors, but I've noticed that I have lost my "proxy" and "port forwarding" configurations... Could this have some consequences on the OpenVPN side too?

Thank you again,
Luca

Title: Re: endian community 2.4 VPN Gw2Gw problem
Post by: e-telligent on Sunday 19 September 2010, 11:03:04 pm

Hi,

VPN is different from the port forward and proxy config.

Title: Re: endian community 2.4 VPN Gw2Gw problem
Post by: logicasrl on Monday 20 September 2010, 08:05:08 pm

Here are the outputs of "route -n" and "cat /etc/sudoers" for both EFW.
    root@fw01:~ # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    78.4.160.48     0.0.0.0         255.255.255.248 U     0      0        0 eth1
    192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 tap2
    192.168.254.0   0.0.0.0         255.255.255.0   U     0      0        0 br0
    0.0.0.0         78.4.160.49     0.0.0.0         UG    0      0        0 eth1
    root@fw01:~ # cat /etc/sudoers | grep 'openvpn'
    nobody ALL=NOPASSWD: /usr/bin/openvpn-user
    nobody ALL=NOPASSWD: /usr/local/bin/restartopenvpn.py
    openvpn ALL=NOPASSWD: /usr/local/bin/updatednsmasq.py
    nobody ALL=NOPASSWD: /usr/local/bin/restartopenvpnclients.py
    openvpn ALL=NOPASSWD: /usr/local/bin/remoteroute.py
    openvpn ALL=NOPASSWD: /usr/local/bin/setsnat.py
    openvpn ALL=NOPASSWD: /usr/local/bin/setpolicyrouting.py
    openvpn ALL=NOPASSWD: /usr/local/bin/setrouting.py
    nobody ALL=NOPASSWD: /etc/init.d/openvpnclient
    openvpn ALL=NOPASSWD: /usr/local/bin/setdnat.py
    openvpn ALL=NOPASSWD: /usr/local/bin/setvpnfw.py
    root@fw01:~ #

    root@efw-1283440485:~ # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    93.64.140.112   0.0.0.0         255.255.255.240 U     0      0        0 eth1
    192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
    192.168.254.0   0.0.0.0         255.255.255.0   U     0      0        0 tap1
    0.0.0.0         93.64.140.113   0.0.0.0         UG    0      0        0 eth1
    root@efw-1283440485:~ # cat /etc/sudoers | grep 'openvpn'
    nobody ALL=NOPASSWD: /usr/bin/openvpn-user
    nobody ALL=NOPASSWD: /usr/local/bin/restartopenvpnclients.py
    nobody ALL=NOPASSWD: /etc/init.d/openvpnclient
    nobody ALL=NOPASSWD: /usr/local/bin/restartopenvpn.py
    openvpn ALL=NOPASSWD: /usr/local/bin/updatednsmasq.py
    openvpn ALL=NOPASSWD: /usr/local/bin/setsnat.py
    openvpn ALL=NOPASSWD: /usr/local/bin/setvpnfw.py
    openvpn ALL=NOPASSWD: /usr/local/bin/setrouting.py
    openvpn ALL=NOPASSWD: /usr/local/bin/setpolicyrouting.py
    root@efw-1283440485:~ #

I see that the last one does not have "openvpn" (but "nobody") on the "setdnat" and "remoteroute" lines: I'll put "openvpn" in it and I'll let you know.

Thank you for your help,
Luca

Title: Re: endian community 2.4 VPN Gw2Gw problem
Post by: logicasrl on Tuesday 21 September 2010, 07:02:27 pm

I've posted the last trials on this thread: "OpenVPN gw2gw tunnel packet loss"
Thank you
Luca

Title: Re: endian community 2.4 VPN Gw2Gw problem
Post by: e-telligent on Thursday 23 September 2010, 11:26:26 pm

Hi,

Add this in sudoers:

    openvpn ALL=NOPASSWD: /usr/local/bin/remoteroute.py

and restart your VPN server.

Title: Re: endian community 2.4 VPN Gw2Gw problem
Post by: logicasrl on Saturday 25 September 2010, 02:12:45 am

Thank you Leonil for your hints.

In the next days I will be out of the office: I'll try your suggestion not before September the 29th.

Luca

Title: Re: endian community 2.4 VPN Gw2Gw problem
Post by: jzola on Thursday 30 September 2010, 06:44:09 am

Hmm, please check out how I set it up, because it's not working :(
This is a test network with ESXi. GW 192.168.6.1 does not exist.

    CLIENT(192.168.1.1/24) --- (192.168.1.72/24) EFW1 (192.168.6.72) --- (192.168.6.71) EFW2 (192.168.1.71/24) --- Client(192.168.1.153/24)

Default configured Endians 2.4, no extra settings.. only just everything allowed in the outgoing firewall etc.

EFW1:
  - Enabled OpenVPN with one user
EFW2:
  - Gw2Gw established to EFW1, bridged to GREEN

EFW1 (in ssh): route -n

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.6.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
    0.0.0.0         192.168.6.1     0.0.0.0         UG    0      0        0 eth1

  - able to ping 192.168.1.71
  - can't ping 192.168.1.153
  - can ping 192.168.1.1

In EFW2: route -n

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.6.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
    0.0.0.0         192.168.6.1     0.0.0.0         UG    0      0        0 eth1

  - able to ping 192.168.1.72
  - can't ping 192.168.1.1
  - can ping 192.168.1.153

192.168.1.153 can't ping 192.168.1.1
  - and if I run "tcpdump src host 192.168.1.153" while pinging, I see this:

    20:18:42.586765 arp who-has 192.168.1.1 tell 192.168.1.153
    20:18:43.586865 arp who-has 192.168.1.1 tell 192.168.1.153
    20:18:44.587448 arp who-has 192.168.1.1 tell 192.168.1.153

Both Endians: I added the lines you suggested.

    cat /etc/sudoers | grep 'openvpn'
    nobody ALL=NOPASSWD: /usr/bin/openvpn-user
    nobody ALL=NOPASSWD: /usr/local/bin/restartopenvpnclients.py
    nobody ALL=NOPASSWD: /etc/init.d/openvpnclient
    nobody ALL=NOPASSWD: /usr/local/bin/restartopenvpn.py
    openvpn ALL=NOPASSWD: /usr/local/bin/updatednsmasq.py
    openvpn ALL=NOPASSWD: /usr/local/bin/setsnat.py
    openvpn ALL=NOPASSWD: /usr/local/bin/setvpnfw.py
    openvpn ALL=NOPASSWD: /usr/local/bin/setrouting.py
    openvpn ALL=NOPASSWD: /usr/local/bin/setpolicyrouting.py
    openvpn ALL=NOPASSWD: /usr/local/bin/remoteroute.py
    openvpn ALL=NOPASSWD: /usr/local/bin/setdnat.py

Title: Re: endian community 2.4 VPN Gw2Gw problem
Post by: logicasrl on Thursday 30 September 2010, 07:51:18 pm

Hi everybody,
I've finally tried the "single VPN connection" suggested to me and in fact... it's WORKING now :) and there is NO MORE packet loss.

What to pay attention to (in my opinion):
1. with two VPN connections (from client to server and vice versa) there ARE routing problems (not better identified);
2. it is necessary to start the "VPN firewall" (Firewall - VPN traffic) at both sites (configuring an "any to any" rule for test purposes, for example);
3. it is necessary to configure a "Source NAT" rule (Firewall - Port Forwarding / NAT - Source NAT) at both sites.

N.B. with NO "VPN firewall" and "Source NAT" configured, there is NO communication between the two end sites (100% packet loss with "ping").

There is, however, a last problem. Everything is working right but only in one direction (let's say from the EFW acting as "OpenVPN client" to the EFW acting as "OpenVPN server"), but I would need a bidirectional link. At the moment only the LAN PCs behind the "OpenVPN client" can connect to the LAN PCs behind the "OpenVPN server". I've also tried to "ping" the LAN behind the "OpenVPN client" from an SSH session on the "OpenVPN server", but there is NO ROUTE to the remote LAN. I cannot "ping" the remote EFW acting as "OpenVPN client" itself.

How is it possible to obtain a bidirectional tunnel???

Thank you very much,
Luca

Title: Re: endian community 2.4 VPN Gw2Gw problem
Post by: jzola on Thursday 30 September 2010, 10:48:21 pm

What's your SNAT rule?
Title: Re: endian community 2.4 VPN Gw2Gw problem
Post by: logicasrl on Thursday 30 September 2010, 11:38:48 pm

> What's your SNAT rule?

In my case the client side has subnet 192.168.0.0, and the server side 192.168.254.0. On the client side I've got this SNAT rule:

    Source      = 192.168.0.0/24
    Destination = 192.168.254.0/24
    Service     = <ANY>
    NAT to      = "name of the openvpn gw2gw connection"

Title: Re: endian community 2.4 VPN Gw2Gw problem
Post by: jzola on Friday 01 October 2010, 12:12:11 am

> In my case the client side has subnet 192.168.0.0, and the server side 192.168.254.0. On the client side I've got this SNAT rule:
>     Source      = 192.168.0.0/24
>     Destination = 192.168.254.0/24
>     Service     = <ANY>
>     NAT to      = "name of the openvpn gw2gw connection"

Aha, but I want the same subnet on both sites.

Title: Re: endian community 2.4 VPN Gw2Gw problem
Post by: logicasrl on Friday 01 October 2010, 12:16:31 am

> Aha, but I want the same subnet on both sites.

Hmmm, from what I know, this is NOT possible. It seems, from the Endian documentation, that the two LANs MUST have different IP addresses...

Luca

Title: Re: endian community 2.4 VPN Gw2Gw problem
Post by: jzola on Friday 01 October 2010, 12:47:46 am

You can set in OpenVPN Gw2Gw that it bridges to your GREEN, and it can carry DHCP responses. I am confused now..

Title: Re: endian community 2.4 VPN Gw2Gw problem
Post by: logicasrl on Friday 01 October 2010, 02:16:18 am

> You can set in OpenVPN Gw2Gw that it bridges to your GREEN, and it can carry DHCP responses. I am confused now..

Sorry, I fear I can't help you on this subject: I'm not so skilled in the Endian "way of working"...

Luca

Title: Re: endian community 2.4 VPN Gw2Gw problem
Post by: jzola on Friday 01 October 2010, 07:35:12 am

The problem is fixed. My fault: in ESXi you need to configure the vSwitches to "Allow Promiscuous". Now everything is working. Without SNAT rules!

My question is answered "yes": bridging works with the same IP subnet on both sites.

Title: Re: endian community 2.4 VPN Gw2Gw problem
Post by: e-telligent on Wednesday 27 October 2010, 01:27:38 am

Hi jzola,

you are using the same IP block in your networks; this will cause conflicts..... Change the IP block on the other network.
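As an added example (not code from this thread or from Endian), a small Python checker built on the two diagnostics e-telligent asked for at the top: a kernel-style longest-prefix lookup over a pasted `route -n` table, which shows whether a remote-LAN address would leave over the tunnel tap, the GREEN bridge or the default gateway, and a comparison of the sudoers grep output against the NOPASSWD entries the openvpn user holds on fw01. The sample tables are copied from the outputs posted above; treating fw01's entry list as the required set is an assumption.

```python
import ipaddress
# Constructed samples copied from this thread: fw01's route -n table and the
# sudoers grep output of the second EFW (efw-1283440485).
FW01_ROUTES = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
78.4.160.48     0.0.0.0         255.255.255.248 U     0      0        0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 tap2
192.168.254.0   0.0.0.0         255.255.255.0   U     0      0        0 br0
0.0.0.0         78.4.160.49     0.0.0.0         UG    0      0        0 eth1
"""
EFW2_SUDOERS = """\
nobody ALL=NOPASSWD: /usr/bin/openvpn-user
openvpn ALL=NOPASSWD: /usr/local/bin/updatednsmasq.py
openvpn ALL=NOPASSWD: /usr/local/bin/setsnat.py
openvpn ALL=NOPASSWD: /usr/local/bin/setvpnfw.py
openvpn ALL=NOPASSWD: /usr/local/bin/setrouting.py
openvpn ALL=NOPASSWD: /usr/local/bin/setpolicyrouting.py
"""
# Assumption: what the openvpn user holds on fw01 (the working host) is the
# required set; the thread singles out remoteroute.py and setdnat.py.
REQUIRED_OPENVPN_SUDO = [
    "/usr/local/bin/updatednsmasq.py", "/usr/local/bin/remoteroute.py",
    "/usr/local/bin/setsnat.py", "/usr/local/bin/setpolicyrouting.py",
    "/usr/local/bin/setrouting.py", "/usr/local/bin/setdnat.py",
    "/usr/local/bin/setvpnfw.py",
]

def parse_routes(text):
    """Turn `route -n` output into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or not f[0][0].isdigit():   # skip header lines
            continue
        routes.append((ipaddress.IPv4Network(f"{f[0]}/{f[2]}"), f[1], f[-1]))
    return routes

def lookup(routes, ip):
    """Kernel-style longest-prefix match; returns (gateway, iface) or None."""
    addr = ipaddress.IPv4Address(ip)
    hits = [r for r in routes if addr in r[0]]
    if not hits:
        return None
    _net, gw, iface = max(hits, key=lambda r: r[0].prefixlen)
    return gw, iface

def missing_sudo_entries(sudoers_grep, required, user="openvpn"):
    """Return the required commands that `user` has no NOPASSWD line for."""
    present = {f[2] for f in (ln.split() for ln in sudoers_grep.splitlines())
               if len(f) >= 3 and f[0] == user and f[1] == "ALL=NOPASSWD:"}
    return [cmd for cmd in required if cmd not in present]
```

On fw01's table a 192.168.0.x address resolves to tap2 (the tunnel) while the default route only catches Internet destinations, and the second EFW's sudoers comes back short of remoteroute.py and setdnat.py, which is the gap e-telligent's fix addresses.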