Koozali.org: home of the SME Server

Site to Site Tunnel

Offline compsos

Site to Site Tunnel
« on: March 03, 2009, 10:12:50 AM »
Hi
Has anyone got a working Site to Site on 7.4 SME Server boxes?

openvpn-2.0.9-1.el4.rf
lzo-1.08-4.2.el4.rf
smeserver-openvpn-0.0.1-2

We have the tun0 working and can ping the internal IP address of the remote server, but that is as far as it goes. Not able to use any resources.

Suspect not being able to add any local networks at each end is the clue, even though the route add command works but not the server-manager page.

Tried to add

    192.168.47.0 255.255.255.0 10.4.0.1

"Operation status report
Error: router address is not accessible from local network. Did not add network."

We can ping 10.4.0.1 and 192.168.47.1 and likewise from the other end to their remote addresses.

If someone has a working link, would love to be able to compare route tables etc.

TIA
Regards

Gordon............

Offline David Harper

Re: Site to Site Tunnel
« Reply #1 on: March 03, 2009, 12:12:19 PM »
Someone else was posting about difficulties with OpenVPN the other day ... perhaps there is a bug that prevents it from working with 7.4?

Offline jumba

Re: Site to Site Tunnel
« Reply #2 on: March 03, 2009, 05:26:25 PM »
We maintain one such link, created from the instructions on http://wiki.contribs.org/Ipsec and it works still with both servers upgraded to 7.4.

You should try that.

Offline soprom

Re: Site to Site Tunnel
« Reply #3 on: March 04, 2009, 08:21:18 PM »
I have one working fine between SME7 (openvpn-fs server) and OpenWrt (openvpn "permanent" client) with 2 workstations on the router.

It survived reboot and internet losses.

All there would be to ask more is sharing https and openvpn on port 443!
Sophie from Montréal

Offline p-jones

Re: Site to Site Tunnel
« Reply #4 on: March 06, 2009, 12:31:30 PM »
Jumba

Does your IPSEC tunnel survive all updates, reboots etc etc ??

P
...

Offline jumba

Re: Site to Site Tunnel
« Reply #5 on: March 06, 2009, 12:45:12 PM »
No, sometimes I have to issue the command

    #/sbin/ifup ipsec0

manually, but for some reason ONLY from the very same end every time!

(One end of the tunnel is connected to a T1 line, the other end to an ADSL line.)

The command above has to be executed on the ADSL side...

Offline compsos

Re: Site to Site Tunnel
« Reply #6 on: March 29, 2009, 11:13:00 AM »
Still no luck

Tried IPsec and got no device in ifconfig, so have gone back to openvpn routed mode.

Basically have a tun device that can ping either end, server to server, but unable to share resources. On checking the iptables log, packets were being denied and we cannot add a new local network from server-manager to suit.

We have a tunnel:

    TLS: tls_multi_process: untrusted session promoted to trusted Mar 29 17:35:57
    Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA

Have added the networks via the console:

    db networks set "other network IP" network Mask 255.255.255.0 Router "this server's end of the tunnel"

Now iptables -L | grep "other network IP" returns

    LAN A: ACCEPT     all  --  192.168.121.0/24     anywhere

and

    LAN B: ACCEPT     all  --  192.168.47.0/24      anywhere

/var/log/iptables/current:

But to ping a device on LAN A from LAN B: No log recorded
But to ping a device on LAN A from LAN B:

    Server B:  denylog: IN=tun0 OUT=eth0 MAC= SRC=10.4.0.1 DST=192.168.121.2 LEN=84 TOS=00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=58405 SEQ=3

So it appears that maybe the iptables commands in openvpn.up are not being applied? If we pull down the firewall it does work (on a test platform).

Appreciate any ideas anyone might have. TIA

Regards

Gordon............
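
As an added example (not code from the thread or from SME Server), a small Python checker that parses SME denylog lines like the one quoted above and reports whether dropped packets came in on the tunnel interface and were refused on the INPUT or the FORWARD path, which is the symptom of the openvpn.up iptables rules not being in place. The sample log lines are constructed; the subnets 192.168.121.0/24, 192.168.47.0/24 and 10.4.0.0/24 are taken from the thread, with the tunnel range assumed to be a /24.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the SME denylog format quoted in this thread
SAMPLE_LOG = """\
denylog: IN=tun0 OUT=eth0 MAC= SRC=10.4.0.1 DST=192.168.121.2 LEN=84 TOS=00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=58405 SEQ=3
denylog: IN=tun0 OUT=eth0 MAC= SRC=192.168.47.10 DST=192.168.121.5 LEN=60 TOS=00 PREC=0x00 TTL=62 ID=1 DF PROTO=TCP SPT=40000 DPT=445
denylog: IN=tun0 OUT= MAC= SRC=10.4.0.1 DST=10.4.0.2 LEN=84 TOS=00 PREC=0x00 TTL=64 ID=2 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
denylog: IN=eth1 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.2 LEN=40 TOS=00 PREC=0x00 TTL=50 ID=7 PROTO=TCP SPT=4444 DPT=22
"""

# The two LANs named in the thread and the tun0 point-to-point range (assumed /24)
LOCAL_NETS = [ipaddress.ip_network("192.168.121.0/24"),
              ipaddress.ip_network("192.168.47.0/24")]
TUNNEL_NET = ipaddress.ip_network("10.4.0.0/24")


def parse_denylog(line):
    """Split a denylog line into its KEY=VALUE fields.

    An ICMP line carries two ID= fields (IP header id, then ICMP id);
    the first one wins, so fields["ID"] is always the IP header id.
    """
    fields = {}
    for key, value in re.findall(r"(\w+)=(\S*)", line):
        fields.setdefault(key, value)
    return fields


def classify(fields):
    """Say which firewall path dropped the packet and whether it was tunnel traffic."""
    src = ipaddress.ip_address(fields["SRC"])
    dst = ipaddress.ip_address(fields["DST"])
    in_if, out_if = fields.get("IN", ""), fields.get("OUT", "")
    from_tunnel = in_if.startswith("tun") and any(src in n for n in LOCAL_NETS + [TUNNEL_NET])
    if from_tunnel and out_if and any(dst in n for n in LOCAL_NETS):
        return "tunnel-forward-dropped"   # no ACCEPT for tun+ in the FORWARD chain
    if from_tunnel and not out_if:
        return "tunnel-input-dropped"     # no ACCEPT for tun+ in the INPUT chain
    return "other"


def audit(log_text):
    """Count denylog entries per class; any tunnel-* count means the tun+ rules are missing."""
    counts = Counter()
    for line in log_text.splitlines():
        if "denylog:" in line:
            counts[classify(parse_denylog(line))] += 1
    return counts
```

Run it against /var/log/iptables/current with audit(open(path).read()); a non-zero tunnel-forward-dropped count while the tunnel endpoints still ping each other matches exactly the behaviour described in this post.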

Offline Stefano

Re: Site to Site Tunnel
« Reply #7 on: March 29, 2009, 03:23:08 PM »
Quote:
> So it appears to be maybe the iptables commands in openvpn.up are not being applied? If we pull down the firewall it does work (on a test platform).

if so, I think it's time to raise a bug.

ciao
Stefano

Offline compsos

Re: Site to Site Tunnel
« Reply #8 on: March 29, 2009, 11:22:43 PM »
Hi Stefano

No problem, we will raise a bug. If I am reading other comments right, it is not an isolated issue. Would I be right in thinking it is the iptables configuration that is stopping it? Perhaps a missing chain link?

Does anyone have a working 7.4 to 7.4 tunnel to which we can compare settings? Would like to narrow down the bug report to an identified error area.
Regards

Gordon............

Offline compsos

Re: Site to Site Tunnel
« Reply #9 on: March 29, 2009, 11:54:58 PM »
Regards

Gordon............

Offline compsos

Re: Site to Site Tunnel
« Reply #10 on: April 14, 2009, 09:02:27 AM »
This works but it may not be the correct way:

  • create the directory
        mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
  • create a template fragment
        nano /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/41AllowOpenVpn
  • enter

        # Allows communications between SME LANs
        /sbin/iptables -A INPUT -i tun+ -j ACCEPT
        /sbin/iptables -A FORWARD -i tun+ -j ACCEPT

  • expand the template
        expand-template /etc/rc.d/init.d/masq
  • reload the firewall
        /etc/rc7.d/S36masq restart

The issue is in the number: it has to be between 40 and 45, otherwise it fails. The openvpn.up script has the same commands, so maybe they are not needed in the script if loaded as part of the firewall?
Regards

Gordon............