OpenVPN Support Forum
Ubuntu lan-to-lan configuration
Post by evildani » Wed Dec 14, 2011 11:54 am
Hello fellow openVPN users,
I need a little help. I have configured a lan-to-lan setup using Ubuntu Linux on both ends; both use the same version. All were installed from the Ubuntu kernel 2.6.32-36-generic #79-Ubuntu SMP x86_64.
Anyway, I have two networks, 192.168.50.0/24 and 192.168.40.0/24; one is the server, the other is the client.
My problem is that the client network can see the server network, but the other way around does not work.
I can ping any machine from 192.168.50.X to 192.168.40.X, yet when done from 192.168.40.X the ICMP packet gets lost (according to traces) between the internal eth0 and tun0.
I have tried many iptables configurations.
Right now I am using this as a base:
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth1 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth1 -j ACCEPT
-A FORWARD -i tun0 -o tun0 -j ACCEPT
This works on both ends. All kernel modules load at boot. The clients navigate the internet without problems.
I have done extensive traces on both ends and the problem seems to be on the server side.
The tunnel authentication is done via PKI where the CA is located on a network appliance.
I have run out of ideas, any help? any ideas? any suggestions?
Thanks for taking the time to read my post.
janjust (Forum Team, Posts: 2703, Joined: Fri Aug 20, 2010 2:57 pm, Location: Amsterdam)
Re: Ubuntu lan-to-lan configuration
Post by janjust » Wed Dec 14, 2011 12:00 pm
if you want the reverse you either need to masquerade in the other direction as well and/or you need to read the HOWTO http://openvpn.net/index.php/open-sourc . html#scope
for details on how to do subnet-to-subnet routing.
Re: Ubuntu lan-to-lan configuration
Post by evildani » Wed Dec 14, 2011 12:21 pm
Thanks for the quick reply.
The communication is working one way, from client lan to server lan. But from server lan to client lan is not working.
The same script config is applied to both "routers". Yet only one-way communication is achieved.
I did follow the subnet-to-subnet guide. My configuration includes ccd, iroute, push route.
janjust (Forum Team, Posts: 2703, Joined: Fri Aug 20, 2010 2:57 pm, Location: Amsterdam)
Re: Ubuntu lan-to-lan configuration
Post by janjust » Wed Dec 14, 2011 12:39 pm
the most common error with ccd files is that the file is not picked up correctly; did you specify a full path for the ‘client-config-dir’ option? for debugging, try adding
ccd-exclusive
to the server config and then try to connect the client — if the CCD file is not picked up correctly the client will be refused access.
If the CCD file *IS* picked up correctly then check the routing tables on both machines, and check that IP forwarding is enabled
cat /proc/sys/net/ipv4/ip_forward
maikcat (Forum Team, Posts: 4200, Joined: Wed Jan 12, 2011 9:23 am, Location: Athens, Greece)
Re: Ubuntu lan-to-lan configuration
Post by maikcat » Wed Dec 14, 2011 1:21 pm
Can you post your configs so we can simply validate them?
>from client lan to server lan. But from server lan to client lan is not working.
if you ping from a client lan to a pc located on the server subnet and not the opposite
maybe there is a firewall on the client side.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)
Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)
"objects in mirror are losing"
Re: Ubuntu lan-to-lan configuration
Post by evildani » Wed Dec 14, 2011 2:45 pm
Here are the server.conf and client.conf, and also some logs.
Server config:
local 190.Z.X.Y
port 1194
proto udp
dev tun
ca root.cert
cert bog.cer
key bog.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
topology subnet
ifconfig-pool-persist /etc/openvpn/ipp.txt
route 192.168.40.0 255.255.255.0
route 192.168.50.0 255.255.255.0
push "route 192.168.40.0 255.255.255.0"
push "route 192.168.50.0 255.255.255.0"
push client-to-client
client-config-dir ccd
client-to-client
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log-append /etc/openvpn/openvpn.log
verb 6
Client config:
client
dev tun
proto udp
remote 190.Z.X.Y
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ns-root.cert
cert cur-client.cer
key cur.key
verb 3
ccd file:
iroute 192.168.50.0 255.255.255.0
openvpn.log:
Wed Dec 14 09:39:47 2011 us=449743 cur.air/190. 33032 UDPv4 WRITE [53] to [AF_INET]190.88.36.143:33032: P_DATA_V1 kid=0 DATA len=52
Wed Dec 14 09:39:48 2011 us=782040 cur.air/190. 33032 UDPv4 READ [53] from [AF_INET]190.88.36.143:33032: P_DATA_V1 kid=0 DATA len=52
Wed Dec 14 09:39:57 2011 us=985608 cur.air/190. 33032 UDPv4 WRITE [53] to [AF_INET]190.88.36.143:33032: P_DATA_V1 kid=0 DATA len=52
Wed Dec 14 09:39:59 2011 us=322807 cur.air/190. 33032 UDPv4 READ [53] from [AF_INET]190.88.36.143:33032: P_DATA_V1 kid=0 DATA len=52
status log:
Updated,Wed Dec 14 09:40:35 2011
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
cur.air,190. 33032,20842,22669,Wed Dec 14 08:44:02 2011
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
192.168.50.0/24,cur.air,190.88.36.143:33032,Wed Dec 14 08:44:04 2011
10.8.0.2,cur.air,190. 33032,Wed Dec 14 08:44:04 2011
GLOBAL STATS
Max bcast/mcast queue length,0
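janjust's checklist above (every LAN behind a client needs a route in server.conf and a matching iroute in that client's ccd file, client-config-dir as an absolute path, ip_forward on both ends) can be turned into a static check. The script below is an added example written for this page, not code from the thread or from the OpenVPN project; the two sample configs are constructed from the posted server.conf (the first as posted, the second in the form the HOWTO uses), the common name cur.air comes from the status log, and the path /etc/openvpn/ccd is an assumption.

```python
"""Static checks for an OpenVPN lan-to-lan server setup (added example).

Rules encoded: each LAN behind a client needs a `route` in server.conf AND
an `iroute` in that client's ccd file; `client-config-dir` should be an
absolute path; `push` arguments need plain ASCII double quotes.
"""
import os
import re
import shlex
from typing import Dict, List, Tuple


def parse_options(text: str) -> List[Tuple[str, List[str]]]:
    """Split an OpenVPN config into (option, args) pairs, dropping comments."""
    opts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            parts = shlex.split(line)
        except ValueError:            # unbalanced quotes: keep the raw tokens
            parts = line.split()
        opts.append((parts[0], parts[1:]))
    return opts


def check_server(server_conf: str, ccd: Dict[str, str]) -> List[str]:
    """Return findings for server.conf plus {common_name: ccd file text}."""
    findings = []
    for raw in server_conf.splitlines():
        # Typographic quotes (as pasted into the forum) are not quotes to OpenVPN.
        if raw.lstrip().startswith("push") and re.search("[«»“”]", raw):
            findings.append(f"typographic quotes, OpenVPN will not parse this: {raw.strip()}")
    server_opts = parse_options(server_conf)
    routes = {tuple(a[:2]) for o, a in server_opts if o == "route"}
    for o, a in server_opts:
        if o == "client-config-dir" and not os.path.isabs(a[0]):
            findings.append(f"client-config-dir '{a[0]}' is relative; use an absolute path")
        if o == "push" and a == ["client-to-client"]:
            findings.append("'client-to-client' is a server-side option and cannot be pushed")
    iroutes = {}
    for cn, text in ccd.items():
        for o, a in parse_options(text):
            if o == "iroute":
                iroutes[tuple(a[:2])] = cn
    for net in sorted(iroutes.keys() - routes):
        findings.append(f"iroute {net[0]} in ccd/{iroutes[net]} has no matching route in server.conf")
    for net in sorted(routes - iroutes.keys()):
        findings.append(f"route {net[0]} is claimed by no ccd iroute; drop it if it is the server's own LAN")
    return findings


# Constructed from the server.conf posted in the thread (relevant lines only).
SERVER_CONF_AS_POSTED = """\
server 10.8.0.0 255.255.255.0
topology subnet
route 192.168.40.0 255.255.255.0
route 192.168.50.0 255.255.255.0
push «route 192.168.40.0 255.255.255.0»
push «route 192.168.50.0 255.255.255.0»
push client-to-client
client-config-dir ccd
client-to-client
"""

# Same intent in the HOWTO's form: the server's own LAN (192.168.40.0/24) is only
# pushed to the client; the client's LAN (192.168.50.0/24) gets route + iroute.
SERVER_CONF_FIXED = """\
server 10.8.0.0 255.255.255.0
topology subnet
route 192.168.50.0 255.255.255.0
push "route 192.168.40.0 255.255.255.0"
client-config-dir /etc/openvpn/ccd
client-to-client
"""

CCD = {"cur.air": "iroute 192.168.50.0 255.255.255.0\n"}   # /etc/openvpn/ccd/cur.air (assumed path)

if __name__ == "__main__":
    for name, conf in (("as posted", SERVER_CONF_AS_POSTED), ("fixed", SERVER_CONF_FIXED)):
        print(f"== {name}")
        for finding in check_server(conf, CCD) or ["no findings"]:
            print("  -", finding)
```

The checker is static, so the two runtime items from the checklist still have to be done on each gateway by hand: cat /proc/sys/net/ipv4/ip_forward must print 1, and with ccd-exclusive in server.conf a client whose ccd file is not found is refused, which is the quickest way to prove the ccd directory is being read.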
LAN vpn LAN
I need to join two local networks. Call them LAN1 and LAN2. On the remote side (LAN1) there is a working VPN link, implemented on a TP-LINK TL-ER6120 box. What runs inside it I don't know. LAN2 goes out through a proxy running Linux. What should I install, openvpn or pptpd?
Usually the stock TP-Link firmware can't do openvpn, so pptp.
The TP-Link has ipsec. Install strongswan, and a fresh one!
Installed strongSwan. Got the settings of that very TP-Link:
IKE:
IKE Proposal - MD5 3DES DH2
preshare key: 12342345
IPSec Proposal: Protocol ESP - ESP Auth MD5 - ESP Encr 3DES
IPSec Policy: lan-to-lan
IP XX.XX.XXX.XXX LAN 192.168.50.0
My side: IP YYY.YYY.YY.YY LAN 192.168.30.0
# ipsec.conf - strongSwan IPsec configuration file
config setup
    charondebug=all
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    dpdaction=restart
    dpddelay=30s
    dpdtimeout=120s
conn alice
    keyexchange=ikev1
    authby=psk
    auto=start
    left=%defaultroute
    leftsubnet=192.168.30.0/24
    right=XX.XX.XXX.XXX
    rightsubnet=192.168.50.0/24
Naturally, nothing worked. What did I miss? Where do the keys go, do I need to create a certificate? Iptables passes everything through NAT.
Humaxoid ★ ( 05.10.15 21:01:23 MSK )
Last edited: Humaxoid 05.10.15 21:02:38 MSK (1 edit in total)
So is there a public IP, or what?
> On the remote side (LAN1) there is a working VPN link
conn site2site
    authby=psk
    keyexchange=ikev1
    ike=3des-md5-modp1024
    esp=3des-md5
    keyingtries=%forever
    rekey=no
    dpdaction=hold
    dpddelay=30
    dpdtimeout=150
    auto=add
    left=
    leftsubnet=192.168.2.0/24
    # leftfirewall=yes
    lefthostaccess=yes
    righthostaccess=yes
    right=%any
    rightid=192.168.10.248
    rightsubnet=192.168.1.0/24,192.168.10.0/24
This config works precisely with a TP-Link.
left is strongswan, right = the TP-Link. psk.
rightid had to be specified because it is behind NAT (it's complicated over there..).
In /etc/ipsec.secrets I have
192.168.10.248 (the right side's id, that is) : PSK "passwordhere"
Well done, you just leaked your password. And it is so very "complex".
Thanks, I'll try tomorrow.
What makes you think real passwords or IPs are shown here?
Yes, about my config: if you want strongswan to initiate the connection, change auto=add to auto=start
I think that's obvious :) but decided to clarify just in case
Because the IP was replaced with X's, but here there are digits :)
Something isn't working. Do I need to generate keys?
This isn't Battle of the Psychics. Give us logs, strongswan writes them relatively sensibly.
No. It's PSK, what keys?
Yes, post the logs and the config
I'll try to give the fullest picture. These are the TP-Link settings on the remote side.
IKE Proposal:
Authentication - MD5
Encryption - 3DES
DH Group - DH2
preshare key 12345678
--------------------------------
IPSec Proposal:
Security Protocol - ESP
ESP Authentication - MD5
ESP Encryption - 3DES
--------------------------------
IPSec Policy:
Mode - "lan-to-lan"
# ipsec.conf - strongSwan IPsec configuration file
config setup
conn site2site
    authby=psk
    keyexchange=ikev1
    ike=3des-md5-modp1024
    esp=3des-md5
    keyingtries=%forever
    rekey=no
    dpdaction=hold
    dpddelay=30
    dpdtimeout=150
    auto=start
    left=XX.XXX.XX.XXX
    leftsubnet=192.168.66.0/24
    leftfirewall=yes
    rightfirewall=yes
    lefthostaccess=yes
    righthostaccess=yes
    right=YYY.YYY.YY.YYY
    rightid=YYY.YYY.YY.YYY
    rightsubnet=192.168.50.0/24
#
# where XX.XXX.XX.XXX is my external strongSwan IP
# and YYY.YYY.YY.YYY is the external IP of the remote TP-Link
# /etc/ipsec.secrets - strongSwan IPsec secrets file
XX.XXX.XX.XXX YYY.YYY.YY.YYY : PSK 12345678
# strongswan.conf - strongSwan configuration file
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}
include strongswan.d/*.conf
ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.2, Linux 3.2.29, x86_64):
  uptime: 8 minutes, since Oct 09 22:43:12 2015
  malloc: sbrk 270336, mmap 0, used 207552, free 62784
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
  XX.XXX.XX.XXX
  192.168.66.1
Connections:
   site2site:  XX.XXX.XX.XXX...YYY.YYY.YY.YYY  IKEv1, dpddelay=30s
   site2site:   local:  [XX.XXX.XX.XXX] uses pre-shared key authentication
   site2site:   remote: [YYY.YYY.YY.YYY] uses pre-shared key authentication
   site2site:   child:  192.168.66.0/24 === 192.168.50.0/24 TUNNEL, dpdaction=hold
Security Associations (1 up, 0 connecting):
   site2site[1]: CONNECTING, XX.XXX.XX.XXX[%any]...YYY.YYY.YY.YYY[%any]
   site2site[1]: IKEv1 SPIs: 451cbbeb8f1be377_i* 0000000000000000_r
   site2site[1]: Tasks queued: QUICK_MODE
   site2site[1]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
Oct 9 22:43:12 proxy ipsec_starter[2250]: Starting strongSwan 5.3.2 IPsec [starter]
Oct 9 22:43:13 proxy ipsec_starter[2260]: charon (2261) started after 160 ms
Oct 9 22:43:13 proxy charon: 06[IKE] initiating Main Mode IKE_SA site2site[1] to YYY.YYY.YY.YYY
Oct 9 22:43:12 proxy charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.2, Linux 3.2.29, x86_64)
Oct 9 22:43:13 proxy charon: 00[KNL] received netlink error: Address family not supported by protocol (97)
Oct 9 22:43:13 proxy charon: 00[KNL] unable to create IPv6 routing table rule
Oct 9 22:43:13 proxy charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Oct 9 22:43:13 proxy charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Oct 9 22:43:13 proxy charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Oct 9 22:43:13 proxy charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Oct 9 22:43:13 proxy charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Oct 9 22:43:13 proxy charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Oct 9 22:43:13 proxy charon: 00[CFG] loaded IKE secret for XX.XXX.XX.XXX YYY.YYY.YY.YYY
Oct 9 22:43:13 proxy charon: 00[LIB] loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs$
Oct 9 22:43:13 proxy charon: 00[JOB] spawning 16 worker threads
Oct 9 22:43:13 proxy charon: 05[CFG] received stroke: add connection 'site2site'
Oct 9 22:43:13 proxy charon: 05[CFG] added configuration 'site2site'
Oct 9 22:43:13 proxy charon: 06[CFG] received stroke: initiate 'site2site'
Oct 9 22:43:13 proxy charon: 06[IKE] initiating Main Mode IKE_SA site2site[1] to YYY.YYY.YY.YYY
Oct 9 22:43:13 proxy charon: 06[ENC] generating ID_PROT request 0 [ SA V V V V ]
Oct 9 22:43:13 proxy charon: 06[NET] sending packet: from XX.XXX.XX.XXX[500] to YYY.YYY.YY.YYY[500] (188 bytes)
Humaxoid ★ ( 09.10.15 23:07:08 MSK )
Last edited: Humaxoid 09.10.15 23:09:59 MSK (2 edits in total)
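Before posting logs, a practitioner usually runs two pre-flight checks on a strongSwan IKEv1/PSK site-to-site conn like the one above and classifies how far the charon log got. The script below is an added example written for this page, not code from the thread or from the strongSwan project: it checks that the local ike=/esp= proposals contain what the TP-Link UI advertises (flagging the legacy 3DES/MD5/DH2 set while at it), that ipsec.secrets has a PSK line covering both IDs, that the responder SPI in ipsec statusall is non-zero, and what stage the log reached. The UI-name-to-strongSwan mapping and the charon messages for failure cases the thread does not show (NO_PROPOSAL_CHOSEN, invalid HASH_V1 payload length, the established lines) are assumptions drawn from charon's usual output; the sample config, secrets, log lines and status line are constructed from the post, with its placeholder addresses and PSK.

```python
"""Pre-flight checks and log triage for a strongSwan IKEv1/PSK site-to-site conn.

Added example; the UI-name mapping and the failure-message patterns not shown
in the thread are assumptions based on charon's usual log output.
"""
import re
from typing import Dict, List

# TP-Link UI names -> strongSwan proposal tokens (assumed mapping).
UI_TO_SWAN = {"3des": "3des", "aes128": "aes128", "md5": "md5", "sha1": "sha1",
              "dh2": "modp1024", "dh5": "modp1536", "dh14": "modp2048"}
LEGACY = {"3des", "md5", "modp1024"}   # interop only; not for a new deployment


def parse_conn(ipsec_conf: str, name: str) -> Dict[str, str]:
    """key=value settings of one `conn` section, comments stripped."""
    settings, inside = {}, False
    for raw in ipsec_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            inside = line.split()[1] == name
        elif inside and "=" in line:
            k, v = line.split("=", 1)
            settings[k.strip()] = v.strip()
    return settings


def check_proposals(conn: Dict[str, str], peer_ike: List[str], peer_esp: List[str]) -> List[str]:
    """peer_* use the TP-Link UI names, e.g. ["3des", "md5", "dh2"]; returns findings."""
    findings = []
    want_ike = "-".join(UI_TO_SWAN[a.lower()] for a in peer_ike)
    want_esp = "-".join(UI_TO_SWAN[a.lower()] for a in peer_esp)
    if want_ike not in conn.get("ike", "").rstrip("!").split(","):
        findings.append(f"ike= does not offer the peer's {want_ike}")
    if want_esp not in conn.get("esp", "").rstrip("!").split(","):
        findings.append(f"esp= does not offer the peer's {want_esp}")
    legacy = sorted(LEGACY & set(want_ike.split("-") + want_esp.split("-")))
    if legacy:
        findings.append("legacy algorithms in use: " + ", ".join(legacy)
                        + "; move both sides to AES/SHA-2/modp2048 when you can")
    return findings


def secrets_cover(secrets: str, ids: List[str]) -> bool:
    """True if a `: PSK` line in ipsec.secrets applies to every given ID."""
    for raw in secrets.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ": PSK" not in line:
            continue
        selectors = line.split(":", 1)[0].split()   # IPv4/FQDN selectors only
        if not selectors or all(i in selectors for i in ids):  # no selector = any peer
            return True
    return False


def responder_answered(statusall: str) -> bool:
    """In `ipsec statusall`, an all-zero responder SPI means no reply yet."""
    m = re.search(r"SPIs: [0-9a-f]+_i\*? ([0-9a-f]+)_r", statusall)
    return bool(m) and set(m.group(1)) != {"0"}


def triage_log(lines: List[str]) -> str:
    """Classify the stage an IKEv1 negotiation reached from charon log lines."""
    text = "\n".join(lines)
    if re.search(r"CHILD_SA \S+ established", text):
        return "tunnel up"
    if re.search(r"IKE_SA \S+ established", text):
        return "IKE up, quick mode failed: compare leftsubnet/rightsubnet and esp= with the peer"
    if "NO_PROPOSAL_CHOSEN" in text:
        return "proposal mismatch: align ike=/esp= with the peer"
    if "invalid HASH_V1 payload length" in text:
        return "PSK mismatch: the peer could not decrypt, check ipsec.secrets on both ends"
    if "sending packet" in text and "received packet" not in text:
        return "no reply from peer: UDP/500 is not reaching it (wrong address, filtered, or peer not listening)"
    return "undetermined: collect more log lines"


# Constructed from the thread (placeholder addresses and PSK as posted).
IPSEC_CONF = """\
conn site2site
    authby=psk
    keyexchange=ikev1
    ike=3des-md5-modp1024
    esp=3des-md5
    left=XX.XXX.XX.XXX
    leftsubnet=192.168.66.0/24
    right=YYY.YYY.YY.YYY
    rightid=YYY.YYY.YY.YYY
    rightsubnet=192.168.50.0/24
"""
SECRETS = "XX.XXX.XX.XXX YYY.YYY.YY.YYY : PSK 12345678\n"
LOG = [
    "06[IKE] initiating Main Mode IKE_SA site2site[1] to YYY.YYY.YY.YYY",
    "06[ENC] generating ID_PROT request 0 [ SA V V V V ]",
    "06[NET] sending packet: from XX.XXX.XX.XXX[500] to YYY.YYY.YY.YYY[500] (188 bytes)",
]
STATUS = "site2site[1]: IKEv1 SPIs: 451cbbeb8f1be377_i* 0000000000000000_r"

if __name__ == "__main__":
    conn = parse_conn(IPSEC_CONF, "site2site")
    print(check_proposals(conn, ["3des", "md5", "dh2"], ["3des", "md5"]))
    print(secrets_cover(SECRETS, [conn["left"], conn["rightid"]]))
    print(responder_answered(STATUS), "|", triage_log(LOG))
```

On the posted input the proposals and the secrets line check out and the only finding is the legacy-algorithm note; the log and the zero responder SPI both say the same thing, that the first ID_PROT packet never got an answer, which points at reachability of UDP/500 on the TP-Link side (or a NAT in front of it) rather than at keys or proposals.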