From: Jan J. K. <ja...@ni...> - 2008-08-26 21:37:27
Hi Till,
Till Neudecker wrote:
> Hi,
>
> I'm trying to set up a redundant VPN system to connect the networks of two
> places. My idea was to have 2 client machines in the first network that
> both connect to the same server in the other network. The clients both have
> their own ccd directive on the server that sets up a route for the client's
> network on the server.
>
> Now I set up ifstated on the gateway (OpenBSD) of the clients' network to
> automatically route the traffic to the server's network through one of the
> VPN clients. The server routes the traffic to the client's network back over
> the client that connected at last. The problem is that the clients announce
> IP addresses from their local network to the server and the server rejects
> packets from these IPs if they come from the other client. ("MULTI: bad
> source address from client [%s], packet dropped")
>
> I looked at the source and found these lines of code in multi.c (line 1627):
>
> --------------------------
> /* make sure that source address is associated with this client */
> else if (multi_get_instance_by_virtual_addr (m, &src, true) != m->pending)
>   {
>     msg (D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped",
>          mroute_addr_print (&src, &gc));
>     c->c2.to_tun.len = 0;
>   }
> ---------------------------
>
> I felt free to solve my problem by just removing the lines and it worked
> fine. The server accepts every packet and it doesn't hurt if one client
> fails.
>
> But now my question: This obviously isn't _the_ way to realize a
> redundant/failover setup, is there a better one?
> If not, can someone tell me, if removing these lines may cause other
> problems? I only see the risk of "spoofed" packets which other clients send
> to the server's network.
>
>
>
these lines are in there for a very good reason indeed ;-)
read up on how to connect subnets to subnets and add a statement like
route <remote-subnet> <remote-subnet-mask>
to the server config file.
HTH,
JJK
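As an added illustration (not part of the thread and not JJK's or Till's configuration), here is the server-side setup the reply points to, with placeholder subnets: the `route` statement gives the server host a kernel route into the tunnel for the client-side LAN, and the `iroute` in the client's ccd file is the standard OpenVPN directive that tells the server which client instance that LAN sits behind. That iroute association is exactly what `multi_get_instance_by_virtual_addr()` consults in the quoted check, so keeping both statements consistent makes the check pass without patching it out.

```conf
# server.conf  (added example; 10.8.0.0/24 and 192.168.10.0/24 are placeholders)
dev tun
server 10.8.0.0 255.255.255.0       # tunnel addresses handed out to clients
client-config-dir ccd               # per-client files, named after the client CN

# Kernel route on the server host: traffic for the remote LAN enters the tun device.
# This is the "route <remote-subnet> <remote-subnet-mask>" line from the reply.
route 192.168.10.0 255.255.255.0

# ---- ccd/<client-CN>  (separate file, one per connecting client) ----
# Internal OpenVPN route: associates the remote LAN with this client instance.
# Packets arriving from this client with a source in 192.168.10.0/24 are
# then accepted; a source address with no matching iroute for the sending
# client is what triggers "MULTI: bad source address from client".
iroute 192.168.10.0 255.255.255.0
```

An iroute for a given subnet points at a single client instance at a time, so when two clients both carry the same iroute the most recently connected one takes it over, which matches the "client that connected at last" behaviour described in the question and explains why the check fires for traffic relayed through the other client.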