From: Marco C. <mab...@gm...> - 2008-02-12 18:21:09
Dear list,

I'm using OpenVPN 2.0.9 in a site-to-site scenario. I have one Linux box with OpenVPN. This box serves as the main gateway for the whole network. This Linux box has an OpenVPN port published on the internet. All the other sites use an ADSL home connection to connect to this box. We're using TAP devices, because the machines in the remote sites use Windows XP as OS. Using this infrastructure we have almost 50 sites connected.

Everything works fine, except for one remote site. In the case of this remote site, from the main Linux box I can ping all the machines in the remote site, and the machines in the remote site can ping the main Linux box. So, as far as the main Linux box is concerned, the site is up and OK. But the problem is that none of the machines behind the main Linux box can ping any of the machines in the remote site. This is not a route problem; all the routes are correctly set. If I do a traceroute from a machine behind the main Linux box, it correctly sends the packet to the main Linux box. It seems that the main Linux box can't properly route the packet to the TAP device. I ran a tcpdump to see if the packet is forwarded correctly to the TAP interface on the main Linux box, but it is not. The packets just arrive at the eth0 interface.

The network configuration follows:

main Linux box:
eth0 172.18.128.129 mask 255.255.128.0
tap0 192.168.200.1 mask 255.255.255.0

remote site machine:
Local Area Connection 172.17.12.1 mask 255.255.255.0
TAP0 192.168.200.3 mask 255.255.255.0

A machine behind the main Linux box belongs to the network 172.18.128.0 mask 255.255.128.0. For example, the machine 172.18.128.136 mask 255.255.128.0 has the main Linux box (172.18.128.129) as its default gateway. This machine, for example, can't ping the 172.17.12.1 machine.

On the main Linux box we have the following route (taken from the route command):

172.17.12.0 192.168.200.3 255.255.255.0 UG 0 0 0 tap0

From the main Linux box, I can ping the 172.17.12.0 network and the 192.168.200.3 address of the tap device in the remote site. The firewall on the main Linux box is disabled, and SELinux is also disabled. The main Linux box is a RedHat ES 4 update 3.

The main Linux box has the following configuration file for OpenVPN:

port 1194
proto udp
dev tap
mode server
tls-server
ca /usr/share/doc/openvpn-2.0.9/easy-rsa/keys/ca.crt
cert /usr/share/doc/openvpn-2.0.9/easy-rsa/keys/MP-SERVER.crt
key /usr/share/doc/openvpn-2.0.9/easy-rsa/keys/MP-SERVER.key
dh /usr/share/doc/openvpn-2.0.9/easy-rsa/keys/dh1024.pem
ifconfig 192.168.200.1 255.255.255.0
route 172.17.12.0 255.255.255.0 192.168.200.3
management 10.1.1.2 7505
client-to-client
keepalive 10 120
it in the client config file.
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 5

The remote site that has the problem has the following configuration:

client
dev tap
dev-node TAP0
proto udp
remote 168.234.198.198 1194
ifconfig 192.168.200.3 255.255.255.0
route 172.18.128.0 255.255.128.0 192.168.200.1
keepalive 10 60
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert MP-CLIENT-002.crt
key MP-CLIENT-002.key
comp-lzo
verb 3
mute 20

Thanks in advance for any suggestion or reply.

Regards,
Marco
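A gateway-side check for the symptom described in the message above (packets reaching eth0 but never appearing on tap0), added here as an example and not part of Marco's post: it reads the kernel switches that decide whether a Linux box forwards between two interfaces at all, since pings originated on the gateway itself never need forwarding and so say nothing about routed traffic. PROC_ROOT, LAN_IF and VPN_IF are assumed variable names; PROC_ROOT only exists so the checks can be pointed at a constructed test tree.

```shell
#!/bin/sh
# Gateway-side checks for "packets reach eth0 but never show up on tap0".
# Locally generated pings from the gateway do not need IP forwarding, so they
# succeed even when routed traffic from the LAN is silently dropped.
# PROC_ROOT, LAN_IF and VPN_IF are assumed names (not from the original post);
# PROC_ROOT exists only so the checks can be pointed at a constructed test tree.
PROC_ROOT="${PROC_ROOT:-/proc}"
LAN_IF="${LAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tap0}"

# Print one /proc/sys/net/ipv4 value, or "missing" if the file is absent.
sysctl_val() {
    f="$PROC_ROOT/sys/net/ipv4/$1"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# True when the kernel will forward packets between interfaces at all.
forwarding_enabled() {
    [ "$(sysctl_val ip_forward)" = "1" ]
}

# True when reverse-path filtering is off on interface $1. Strict rp_filter
# drops a packet if a reply to its source would not leave through the
# interface the packet arrived on, so asymmetric routes can silently eat
# traffic that is otherwise routable.
rp_filter_off() {
    [ "$(sysctl_val "conf/$1/rp_filter")" = "0" ]
}

# Human-readable summary plus the two live commands worth running next.
report() {
    if forwarding_enabled; then
        echo "ip_forward: 1 (kernel routes between $LAN_IF and $VPN_IF)"
    else
        echo "ip_forward: $(sysctl_val ip_forward) -> LAN hosts are not forwarded to $VPN_IF"
    fi
    for i in "$LAN_IF" "$VPN_IF"; do
        if rp_filter_off "$i"; then
            echo "rp_filter on $i: 0"
        else
            echo "rp_filter on $i: $(sysctl_val "conf/$i/rp_filter") (filtering active)"
        fi
    done
    # Ask the kernel which route a forwarded packet from a LAN host would take,
    # then confirm on the wire whether anything actually leaves via the TAP device.
    echo "next: ip route get 172.17.12.1 from 172.18.128.136 iif $LAN_IF"
    echo "next: tcpdump -ni $VPN_IF icmp"
}

if [ "${1:-}" = "report" ]; then report; fi
```

Run it as `sh check.sh report` on the gateway; a value of 0 for ip_forward means the box answers pings itself but will not pass LAN traffic to the tunnel.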