Open VPN Gateway to Gateway (help...)

[Guest]

[tdgtech]

Hi,

I'm trying to set up a G-T-G connection with Open VPN between two endian units (1 UTM Mini and One Office 4i) between two office locations.

 Both offices are setup with different subnets (Office 1 is 192.168.22.x and Office 2 is 192.168.10.x)

I can get a connection up between them with Open VPN but it does not seem to pass traffic from one network to another UNLESS I choose enable NAT in the client side settings.  If i do this, it only passes traffic in one direction (from client to server).

I have tried every setting I can think of:  Global Push network, Don't block traffic between clients, etc...  Any Idea what I might be missing?  i feel like it should be something simple...
I have disabled the VPN firewall on both sides. 

Do i need to do anything under the main Port Forwarding/NAT for incoming/outgoing?  I feel like this might be the problem but I don't know enough about NAT to know for sure.

In the end I made two tunnels, one with office 1 as the server and another with office 2 as the server.  Both of these with NAT enabled on the client.  This is working now with traffic in two directions.  However, i have read that this is not a preferred option.  Also,  I have to connect in a third office next. 

I would prefer to just use one Endian box as OpenVPN server.  What's the right way to do this?


Any help would be MUCH appreciated.

Thanks!!

Trevor

[lo]

- does a ping from subnet A to subnet B works?
- which is the output of traceroute from both the 4i?

Thanks

Lo

[mrkroket]

Also try to not disable VPN firewall, instead create an allow all rule.

Next, check where the traffics are going thru.
 tracert and efw logs will give you an idea of where your traffic is going.

[Infidel]

Check your routing table on both sides. I have the same problem: automatic route pushing not working. Solved it by adding static route to remote network and used connected client address in VPN pool as a gateway. (Network>Routing. Example: If VPN address pool is 128.184.0.0, server-side IP is 128.184.0.1, client IP is 128.184.0.2. Add route to %client LAN% throughout gateway 128.184.0.2. It works for me. If you assign static IP for this client, connection will work every time client connects. it is possible, you should do same on client side. In my case, client received routes to server-side network) 
I'm testing this in virtualbox. ( efw & PDC in first network, efw & PC(winxp) in second). PC successfully joined domain. AD and other stuff functioning correctly.
 
IPsec net-to-net works fine in two clicks.

P.S. Sorry for my english 

[bytehd]

Clients behind the Master server no nothing about clients behind the other EFW/OpenVPN branch office gateways.
Esp if other devices or Win servers dole out your ips via DHCP. (or you are using static private IPs)
You need to create static routes for central users to see remote branch users.
AD can push them down in a login script, but sometime road warriors float between AD domains...

EFW/OPENVPN can push routes to other gateways, but workstations may not be getting these routes from endian.
Are your clients Default gateways the EFW boxes?