EFW Support

Support => VPN Support => Topic started by: e-telligent on Sunday 19 September 2010, 09:54:39 pm



Title: endian community 2.4 VPN Gw2Gw problem
Post by: e-telligent on Sunday 19 September 2010, 09:54:39 pm
Hi,

I successfully configured Endian Community 2.4 VPN Gw2Gw with this configuration:


network1 -----> endian VPN server ----->  INTERNET -------> endian Gw2Gw Client -------> network2


PLEASE PASTE HERE YOUR:
-----> route -n output if your VPN connection has problems.
-----> cat /etc/sudoers | grep 'openvpn'


Title: Re: endian community 2.4 VPN Gw2Gw problem
Post by: logicasrl on Sunday 19 September 2010, 10:14:28 pm
Thank you, e-telligent, for your availability to help.
I have no means at the moment to upload what you are asking for, but tomorrow I will certainly upload what you need.

By the way, I have upgraded one of the 2 EFWs from 2.2 to 2.4 (by efw-upgrade from an SSH session), with no errors, but I've noticed that I have lost my "proxy" and "port forwarding" configurations... Could this have some consequences on the OpenVPN side too?

Thank you again,
Luca


Title: Re: endian community 2.4 VPN Gw2Gw problem
Post by: e-telligent on Sunday 19 September 2010, 11:03:04 pm
Hi,

VPN is different from the port forwarding and proxy configuration.


Title: Re: endian community 2.4 VPN Gw2Gw problem
Post by: logicasrl on Monday 20 September 2010, 08:05:08 pm
Here are the outputs of "route -n" and "cat /etc/sudoers" for both EFWs.

root@fw01:~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
78.4.160.48     0.0.0.0         255.255.255.248 U     0      0        0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 tap2
192.168.254.0   0.0.0.0         255.255.255.0   U     0      0        0 br0
0.0.0.0         78.4.160.49     0.0.0.0         UG    0      0        0 eth1
root@fw01:~ # cat /etc/sudoers | grep 'openvpn'
nobody  ALL=NOPASSWD: /usr/bin/openvpn-user
nobody  ALL=NOPASSWD: /usr/local/bin/restartopenvpn.py
openvpn  ALL=NOPASSWD: /usr/local/bin/updatednsmasq.py
nobody  ALL=NOPASSWD: /usr/local/bin/restartopenvpnclients.py
openvpn  ALL=NOPASSWD: /usr/local/bin/remoteroute.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setsnat.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setpolicyrouting.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setrouting.py
nobody  ALL=NOPASSWD: /etc/init.d/openvpnclient
openvpn  ALL=NOPASSWD: /usr/local/bin/setdnat.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setvpnfw.py
root@fw01:~ #

root@efw-1283440485:~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
93.64.140.112   0.0.0.0         255.255.255.240 U     0      0        0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.254.0   0.0.0.0         255.255.255.0   U     0      0        0 tap1
0.0.0.0         93.64.140.113   0.0.0.0         UG    0      0        0 eth1
root@efw-1283440485:~ # cat /etc/sudoers | grep 'openvpn'
nobody  ALL=NOPASSWD: /usr/bin/openvpn-user
nobody  ALL=NOPASSWD: /usr/local/bin/restartopenvpnclients.py
nobody  ALL=NOPASSWD: /etc/init.d/openvpnclient
nobody  ALL=NOPASSWD: /usr/local/bin/restartopenvpn.py
openvpn  ALL=NOPASSWD: /usr/local/bin/updatednsmasq.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setsnat.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setvpnfw.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setrouting.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setpolicyrouting.py
root@efw-1283440485:~ #

I see that the last one does not have "openvpn" (but "nobody") on the "setdnat" and "remoteroute" lines: I'll put "openvpn" in it and let you know.

Thank you for your help,
Luca


Title: Re: endian community 2.4 VPN Gw2Gw problem
Post by: logicasrl on Tuesday 21 September 2010, 07:02:27 pm
I've posted the last trials on this thread: "OpenVPN gw2gw tunnel packet loss"
Thank you
Luca


Title: Re: endian community 2.4 VPN Gw2Gw problem
Post by: e-telligent on Thursday 23 September 2010, 11:26:26 pm
Hi,


Add this in sudoers:


openvpn  ALL=NOPASSWD: /usr/local/bin/remoteroute.py

and restart your VPN server

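The two checks e-telligent asks for above (the sudoers grants for the OpenVPN hook scripts, and whether the remote LAN is routed through the tunnel) can be scripted. The script below is an added example for this thread, not Endian's own code. It assumes that the seven /usr/local/bin/*.py hooks granted to user "openvpn" on the working box earlier in the thread are the full required set, and it reads `route -n` output from a file so it can be run offline against the constructed samples embedded in it (modelled on the second box posted above, which is missing remoteroute.py and setdnat.py). Those NOPASSWD lines are the privilege boundary between the unprivileged OpenVPN daemon and root, so the check insists on the exact user and the exact script path; a grant to "nobody", or to ALL, is not the same thing.

```shell
#!/bin/sh
# Added diagnostic script (not Endian's own code) for the two checks asked
# for in this thread: the sudoers grants the OpenVPN hook scripts need, and
# whether the remote LAN is routed through the OpenVPN tap device.
# Assumption: the list below is the full set of hooks that this thread shows
# granted to user "openvpn" on a working EFW 2.4 box.

REQUIRED_OPENVPN_SUDO="/usr/local/bin/updatednsmasq.py
/usr/local/bin/remoteroute.py
/usr/local/bin/setsnat.py
/usr/local/bin/setpolicyrouting.py
/usr/local/bin/setrouting.py
/usr/local/bin/setdnat.py
/usr/local/bin/setvpnfw.py"

# check_sudoers FILE
# Prints one "missing:" line for every hook that is not granted to user
# "openvpn" with NOPASSWD in FILE. Returns 0 only when nothing is missing.
# A grant to another user (e.g. "nobody") does not count: the thread shows
# these hooks being run via sudo as user "openvpn", so that is the user
# the rule must name.
check_sudoers() {
    _file=$1
    _missing=0
    for _hook in $REQUIRED_OPENVPN_SUDO; do
        if ! grep -Eq "^openvpn[[:space:]]+ALL=NOPASSWD:[[:space:]]*$_hook"'([[:space:]]|$)' "$_file"; then
            echo "missing: openvpn  ALL=NOPASSWD: $_hook"
            _missing=1
        fi
    done
    return $_missing
}

# check_route FILE NET
# FILE holds `route -n` output, NET the remote LAN address (e.g. 192.168.254.0).
# Prints the interface that carries the route and returns 0 only if it is a
# tap device (the OpenVPN Gw2Gw tunnel); 1 if there is no route at all;
# 2 if the route exists but points somewhere else (e.g. the WAN default).
check_route() {
    _iface=$(awk -v net="$2" '$1 == net { print $8; exit }' "$1")
    case $_iface in
        "")   echo "$2: no route"; return 1 ;;
        tap*) echo "$2 via $_iface"; return 0 ;;
        *)    echo "$2 via $_iface (not an OpenVPN tap device)"; return 2 ;;
    esac
}

# Constructed samples, modelled on the boxes posted in this thread.
SUDOERS_SAMPLE=$(mktemp)
cat > "$SUDOERS_SAMPLE" <<'EOF'
nobody  ALL=NOPASSWD: /usr/bin/openvpn-user
nobody  ALL=NOPASSWD: /usr/local/bin/restartopenvpnclients.py
nobody  ALL=NOPASSWD: /etc/init.d/openvpnclient
nobody  ALL=NOPASSWD: /usr/local/bin/restartopenvpn.py
openvpn  ALL=NOPASSWD: /usr/local/bin/updatednsmasq.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setsnat.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setvpnfw.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setrouting.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setpolicyrouting.py
EOF

ROUTE_SAMPLE=$(mktemp)
cat > "$ROUTE_SAMPLE" <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
78.4.160.48     0.0.0.0         255.255.255.248 U     0      0        0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 tap2
192.168.254.0   0.0.0.0         255.255.255.0   U     0      0        0 br0
0.0.0.0         78.4.160.49     0.0.0.0         UG    0      0        0 eth1
EOF

if check_sudoers "$SUDOERS_SAMPLE"; then
    echo "sudoers: ok"
else
    echo "sudoers: add the lines above, then restart the VPN server"
fi
check_route "$ROUTE_SAMPLE" 192.168.0.0 || true
```

On a real box run `check_sudoers /etc/sudoers` and `route -n > /tmp/rt; check_route /tmp/rt <remote LAN>`. In the routed (non-bridged) Gw2Gw setup discussed here the remote LAN must show up on a tap interface; if it is missing, the remoteroute.py hook most likely failed for lack of the sudo grant, which is what the sudoers check is for.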

Title: Re: endian community 2.4 VPN Gw2Gw problem
Post by: logicasrl on Saturday 25 September 2010, 02:12:45 am
Thank you, Leonil, for your hints.
In the next few days I will be out of the office: I won't be able to try your suggestion before September 29th.
Luca


Title: Re: endian community 2.4 VPN Gw2Gw problem
Post by: jzola on Thursday 30 September 2010, 06:44:09 am
Hmm, please check how I set it up, because it's not working :(

This is a test network on ESXi. GW 192.168.6.1 does not exist.


CLIENT(192.168.1.1/24) --- (192.168.1.72/24) EFW1 (192.168.6.72) --- (192.168.6.71) EFW2 ( 192.168.1.71/24) --- Client(192.168.1.153/24)


Default-configured Endian 2.4 boxes, no extra settings, only all outgoing traffic allowed in the firewall etc.

EFW1:
-Enabled OpenVPN with one user

EFW2:
-Gw2Gw established to EFW1, bridged to GREEN


EFW1 (in SSH):
route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.6.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
0.0.0.0         192.168.6.1     0.0.0.0         UG    0      0        0 eth1

-able to ping 192.168.1.71
-can't ping 192.168.1.153
-can ping 192.168.1.1



In EFW2:
route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.6.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
0.0.0.0         192.168.6.1     0.0.0.0         UG    0      0        0 eth1

-able to ping 192.168.1.72
-can't ping 192.168.1.1
-can ping 192.168.1.153


192.168.1.153 can't ping 192.168.1.1
-and if I run "tcpdump src host 192.168.1.153" while pinging I see this:
20:18:42.586765 arp who-has 192.168.1.1 tell 192.168.1.153
20:18:43.586865 arp who-has 192.168.1.1 tell 192.168.1.153
20:18:44.587448 arp who-has 192.168.1.1 tell 192.168.1.153



Both Endians: I added the lines you suggested.
cat /etc/sudoers | grep 'openvpn'
nobody  ALL=NOPASSWD: /usr/bin/openvpn-user
nobody  ALL=NOPASSWD: /usr/local/bin/restartopenvpnclients.py
nobody  ALL=NOPASSWD: /etc/init.d/openvpnclient
nobody  ALL=NOPASSWD: /usr/local/bin/restartopenvpn.py
openvpn  ALL=NOPASSWD: /usr/local/bin/updatednsmasq.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setsnat.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setvpnfw.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setrouting.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setpolicyrouting.py
openvpn  ALL=NOPASSWD: /usr/local/bin/remoteroute.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setdnat.py

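The tcpdump lines in the post above are the telling symptom: 192.168.1.153 keeps asking "who-has 192.168.1.1" and never sees an "is-at" reply. On a bridged Gw2Gw both LANs are one broadcast domain, so an ARP request that is never answered across the bridge means Ethernet frames are not crossing it at all, and nothing above layer 2 (ping, DHCP) can work either. The script below is an added example for this thread, not Endian's own code, that pulls unanswered ARP targets out of a tcpdump capture; the capture embedded in it is constructed from the three lines posted above plus one peer that does answer.

```shell
#!/bin/sh
# Added diagnostic (not Endian's own code) for the tcpdump symptom in this
# thread: a host that keeps sending "arp who-has" for a peer on the far side
# of a bridged Gw2Gw and never gets an "is-at" reply.
#
# arp_unanswered FILE
# FILE holds tcpdump lines. Prints "IP unanswered (N requests)" for every
# target that was asked for but never answered. Handles both the old
# "arp who-has X tell Y" / "arp reply X is-at M" format shown in the thread
# and the newer "ARP, Request who-has X tell Y" / "ARP, Reply X is-at M".
arp_unanswered() {
    awk '
        /who-has/ { for (i = 1; i <= NF; i++) if ($i == "who-has") asked[$(i+1)]++ }
        /is-at/   { for (i = 1; i <= NF; i++) if ($i == "is-at")   answered[$(i-1)] = 1 }
        END {
            for (ip in asked)
                if (!(ip in answered))
                    printf "%s unanswered (%d requests)\n", ip, asked[ip]
        }
    ' "$1"
}

# Constructed capture: the three lines from the thread plus a peer on the
# local side (192.168.1.71, with a made-up MAC) that does answer.
ARP_SAMPLE=$(mktemp)
cat > "$ARP_SAMPLE" <<'EOF'
20:18:42.586765 arp who-has 192.168.1.1 tell 192.168.1.153
20:18:43.586865 arp who-has 192.168.1.1 tell 192.168.1.153
20:18:44.587448 arp who-has 192.168.1.1 tell 192.168.1.153
20:18:45.102233 arp who-has 192.168.1.71 tell 192.168.1.153
20:18:45.102501 arp reply 192.168.1.71 is-at 00:0c:29:aa:bb:cc
EOF

arp_unanswered "$ARP_SAMPLE"
```

On the EFW, capture with `tcpdump -n -i br0 arp > /tmp/arp.txt` from the LAN behind the bridge while the far host pings, then run `arp_unanswered /tmp/arp.txt`. If only far-side addresses come back unanswered, the tunnel is up but the bridge is dropping frames, which on ESXi is exactly what a vSwitch with promiscuous mode set to Reject does to the foreign source MACs a bridge forwards. Note the trade-off: promiscuous mode lets every VM on that port group see all frames on it, so enable it on a dedicated port group for the EFW's bridged NIC rather than on the whole vSwitch.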

Title: Re: endian community 2.4 VPN Gw2Gw problem
Post by: logicasrl on Thursday 30 September 2010, 07:51:18 pm
Hi everybody,

I've finally tried the "single VPN connection" suggested to me and in fact... it's WORKING now :) and there is NO MORE packet loss.

What to pay attention to (in my opinion):
1. with two VPN connections (from client to server and vice versa) there ARE routing problems (not better identified);
2. it is necessary to start "VPN firewall" (Firewall - VPN traffic) at both sites (and configuring an "any to any" rule for test purposes, for example);
3. it is necessary to configure a "Source NAT" rule (Firewall - Port Forwarding / NAT - Source NAT) at both sites.
N.B. with NO "VPN firewall" and "Source NAT" configured, there is NO communication between the two end sites (100% packet loss with "ping")

There is, however, a last problem. Everything is working right but only in one direction (let's say from the EFW acting as "OpenVPN client" to the EFW acting as "OpenVPN server"), but I would need a bidirectional link.
At the moment only the LAN PCs behind the "OpenVPN client" can connect to the LAN PCs behind the "OpenVPN Server".

I've also tried to "ping" the LAN behind the "OpenVPN client" from an SSH session on the "OpenVPN server", but there is NO ROUTE to the remote LAN. I cannot "ping" the remote EFW acting as "OpenVPN client" itself.

How is it possible to obtain a bidirectional tunnel???

Thank you very much,
Luca


Title: Re: endian community 2.4 VPN Gw2Gw problem
Post by: jzola on Thursday 30 September 2010, 10:48:21 pm
What's your SNAT rule?


Title: Re: endian community 2.4 VPN Gw2Gw problem
Post by: logicasrl on Thursday 30 September 2010, 11:38:48 pm
What's your SNAT rule?

In my case the client side has a subnet 192.168.0.0, and the server side 192.168.254.0.

On the client side I've got this SNAT rule:
source = 192.168.0.0/24
Destination = 192.168.254.0/24
Service = <ANY>
NAT to = "name of the openvpn gw2gw connection"


Title: Re: endian community 2.4 VPN Gw2Gw problem
Post by: jzola on Friday 01 October 2010, 12:12:11 am
What's your SNAT rule?

In my case the client side has a subnet 192.168.0.0, and the server side 192.168.254.0.

On the client side I've got this SNAT rule:
source = 192.168.0.0/24
Destination = 192.168.254.0/24
Service = <ANY>
NAT to = "name of the openvpn gw2gw connection"

Aha, but I want the same subnet on both sites.


Title: Re: endian community 2.4 VPN Gw2Gw problem
Post by: logicasrl on Friday 01 October 2010, 12:16:31 am
What's your SNAT rule?

In my case the client side has a subnet 192.168.0.0, and the server side 192.168.254.0.

On the client side I've got this SNAT rule:
source = 192.168.0.0/24
Destination = 192.168.254.0/24
Service = <ANY>
NAT to = "name of the openvpn gw2gw connection"

Aha, but I want the same subnet on both sites.

Hmmm, from what I know, this is NOT possible.
It seems, from the Endian documentation, that the two LANs MUST have different IP addresses...
Luca


Title: Re: endian community 2.4 VPN Gw2Gw problem
Post by: jzola on Friday 01 October 2010, 12:47:46 am
You can set in OpenVPN Gw2Gw that it bridges to your GREEN,
and it can carry DHCP responses.


I am confused now..


Title: Re: endian community 2.4 VPN Gw2Gw problem
Post by: logicasrl on Friday 01 October 2010, 02:16:18 am
You can set in OpenVPN Gw2Gw that it bridges to your GREEN,
and it can carry DHCP responses.


I am confused now..

Sorry, I fear I can't help you on this subject: I'm not so skilled in the Endian "way of working"...
Luca


Title: Re: endian community 2.4 VPN Gw2Gw problem
Post by: jzola on Friday 01 October 2010, 07:35:12 am

The problem is fixed.

My fault.
In ESXi the vSwitches need to be configured to "Allow Promiscuous".

Now everything is working. Without SNAT rules!
My question is answered "yes": bridging works with the same IP subnet on both sites.


Title: Re: endian community 2.4 VPN Gw2Gw problem
Post by: e-telligent on Wednesday 27 October 2010, 01:27:38 am
Hi jzola, you are using the same IP block in your network, this will cause conflicts..... change the IP block on the other network