From owner-freebsd-questions@FreeBSD.ORG Wed Sep 21 16:56:04 2005
Message-ID: <432B61A1.30700@emendis.de>
Date: Sat, 17 Sep 2005 02:21:53 +0200
From: Frank Mueller - emendis GmbH
Organization: emendis GmbH
User-Agent: Mozilla Thunderbird 1.0.6 (X11/20050829)
To: dave
In-Reply-To: <001501c5bb1a$f7eb8b80$0200a8c0@satellite>
Cc: freebsd-questions@freebsd.org, openvpn-users@lists.sourceforge.net
Subject: Re: routed vpn between two freebsd machines
Reply-To: Frank.Mueller@emendis.de
List-Id: User questions
10.8.0.1 is your server's IP! According to the manpage the parameter "server 10.8.0.0 255.255.255.0" sets the router to 10.8.0.1.

Why do you push a route to 192.168.2.0/24 ??? Do you have such a subnet?

Greetz,
Ice

dave wrote:
> Hello,
> My apologies if this is a repost, I didn't see it go through.
> I'm trying to set up a routed VPN between two FreeBSD 5.4 machines.
> Currently they're on the same physical subnet, 192.168.0.x, to make testing
> easier, and for the VPN they're using 10.8.0.x. My first problem: although both
> server and client start, I can only ping the client's IP address 10.8.0.6,
> not the server's of 10.8.0.5, and an IP of 10.8.0.1 is also showing up.
> Eventually I'd like to add Windows boxes accessing the VPN via Samba and
> remote clients from beyond the firewall, but I'd like to know if my basic
> configuration looks good.
> Any help appreciated.
> Thanks.
> Dave.
>
> client:
> openvpn.conf:
> client
> dev tun
> proto udp
> remote 192.168.0.3 1194
> resolv-retry infinite
> nobind
> user nobody
> group nobody
> persist-key
> persist-tun
> mute-replay-warnings
> ca keys/ca.crt
> cert keys/client1.crt
> key keys/client1.key
> ns-cert-type server
> tls-auth keys/ta.key 1
> comp-lzo
> status openvpn-status.log
> log openvpn.log
> verb 3
> mute 20
>
> server:
> openvpn.conf:
> local 192.168.0.3
> port 1194
> proto udp
> dev tun
> ca keys/ca.crt
> cert keys/vpn.crt
> dh keys/dh2048.pem
> server 10.8.0.0 255.255.255.0
> ifconfig-pool-persist ipp.txt
> push "route 192.168.2.0 255.255.255.0"
> client-to-client
> keepalive 10 120
> comp-lzo
> max-clients 100
> user nobody
> group nobody
> persist-key
> persist-tun
> status openvpn-status.log
> log openvpn.log
> verb 3
> mute 20
>
> server:
> OpenVPN CLIENT LIST
> Updated,Fri Sep 16 11:09:42 2005
> Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
> client1,192.168.0.4:53537,75321,75571,Fri Sep 16 08:18:50 2005
> ROUTING TABLE
> Virtual Address,Common Name,Real Address,Last Ref
> 10.8.0.6,client1,192.168.0.4:53537,Fri Sep 16 10:34:37 2005
> GLOBAL STATS
> Max bcast/mcast queue length,0
> END
>
> server:
> Fri Sep 16 00:10:50 2005 OpenVPN 2.0.2 i386-portbld-freebsd5.4 [SSL] [LZO] built on Aug 30 2005
> Fri Sep 16 00:10:50 2005 Diffie-Hellman initialized with 2048 bit key
> Fri Sep 16 00:10:50 2005 Control Channel Authentication: using 'keys/ta.key' as a OpenVPN static key file
> Fri Sep 16 00:10:50 2005 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
> Fri Sep 16 00:10:50 2005 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
> Fri Sep 16 00:10:50 2005 TLS-Auth MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
> Fri Sep 16 00:10:50 2005 gw 192.168.0.254
> Fri Sep 16 00:10:50 2005 TUN/TAP device /dev/tun0 opened
> Fri Sep 16 00:10:50 2005 /sbin/ifconfig tun0 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255 up
> Fri Sep 16 00:10:50 2005 /sbin/route add -net 10.8.0.0 10.8.0.2 255.255.255.0
> add net 10.8.0.0: gateway 10.8.0.2
> Fri Sep 16 00:10:50 2005 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
> Fri Sep 16 00:10:50 2005 GID set to nobody
> Fri Sep 16 00:10:50 2005 UID set to nobody
> Fri Sep 16 00:10:50 2005 UDPv4 link local (bound): 192.168.0.3:1194
> Fri Sep 16 00:10:50 2005 UDPv4 link remote: [undef]
> Fri Sep 16 00:10:50 2005 MULTI: multi_init called, r=256 v=256
> Fri Sep 16 00:10:50 2005 IFCONFIG POOL: base=10.8.0.4 size=62
> Fri Sep 16 00:10:50 2005 IFCONFIG POOL LIST
> Fri Sep 16 00:10:50 2005 Initialization Sequence Completed
> Fri Sep 16 08:18:50 2005 MULTI: multi_create_instance called
> Fri Sep 16 08:18:50 2005 192.168.0.4:53537 Re-using SSL/TLS context
> Fri Sep 16 08:18:50 2005 192.168.0.4:53537 LZO compression initialized
> Fri Sep 16 08:18:50 2005 192.168.0.4:53537 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
> Fri Sep 16 08:18:50 2005 192.168.0.4:53537 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
> Fri Sep 16 08:18:50 2005 192.168.0.4:53537 Local Options hash (VER=V4): '14168603'
> Fri Sep 16 08:18:50 2005 192.168.0.4:53537 Expected Remote Options hash (VER=V4): '504e774e'
> Fri Sep 16 08:18:50 2005 192.168.0.4:53537 TLS: Initial packet from 192.168.0.4:53537, sid=c06f4d68 1e59a37e
> Fri Sep 16 08:18:51 2005 192.168.0.4:53537 VERIFY OK: depth=1, /C=US/ST=OH/L=ENGLEWOOD/O=davemehler.com_OpenVPN/CN=OpenVPN-CA/emailAddress=webmaster@davemehler.com
> Fri Sep 16 08:18:51 2005 192.168.0.4:53537 VERIFY OK: depth=0, /C=US/ST=OH/O=davemehler.com_OpenVPN/CN=client1/emailAddress=webmaster@davemehler.com
> Fri Sep 16 08:18:51 2005 192.168.0.4:53537 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
> Fri Sep 16 08:18:51 2005 192.168.0.4:53537 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> Fri Sep 16 08:18:51 2005 192.168.0.4:53537 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
> Fri Sep 16 08:18:51 2005 192.168.0.4:53537 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> Fri Sep 16 08:18:51 2005 192.168.0.4:53537 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
> Fri Sep 16 08:18:51 2005 192.168.0.4:53537 [client1] Peer Connection Initiated with 192.168.0.4:53537
> Fri Sep 16 08:18:51 2005 client1/192.168.0.4:53537 MULTI: Learn: 10.8.0.6 -> client1/192.168.0.4:53537
> Fri Sep 16 08:18:51 2005 client1/192.168.0.4:53537 MULTI: primary virtual IP for client1/192.168.0.4:53537: 10.8.0.6
> Fri Sep 16 08:18:53 2005 client1/192.168.0.4:53537 PUSH: Received control message: 'PUSH_REQUEST'
> Fri Sep 16 08:18:53 2005 client1/192.168.0.4:53537 SENT CONTROL [client1]: 'PUSH_REPLY,route 192.168.2.0 255.255.255.0,route 10.8.0.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
> Fri Sep 16 08:18:53 2005 client1/192.168.0.4:53537 Need IPv6 code in mroute_extract_addr_from_packet
> Fri Sep 16 08:18:53 2005 client1/192.168.0.4:53537 Need IPv6 code in mroute_extract_addr_from_packet
> Fri Sep 16 08:18:56 2005 client1/192.168.0.4:53537 Need IPv6 code in mroute_extract_addr_from_packet
> Fri Sep 16 08:19:02 2005 client1/192.168.0.4:53537 Need IPv6 code in mroute_extract_addr_from_packet
> Fri Sep 16 09:18:51 2005 client1/192.168.0.4:53537 TLS: soft reset sec=0 bytes=37851/0 pkts=714/0
> Fri Sep 16 09:18:52 2005 client1/192.168.0.4:53537 VERIFY OK: depth=1, /C=US/ST=OH/L=ENGLEWOOD/O=davemehler.com_OpenVPN/CN=OpenVPN-CA/emailAddress=webmaster@davemehler.com
> Fri Sep 16 09:18:52 2005 client1/192.168.0.4:53537 VERIFY OK: depth=0, /C=US/ST=OH/O=davemehler.com_OpenVPN/CN=client1/emailAddress=webmaster@davemehler.com
> Fri Sep 16 09:18:52 2005 client1/192.168.0.4:53537 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
> Fri Sep 16 09:18:52 2005 client1/192.168.0.4:53537 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> Fri Sep 16 09:18:52 2005 client1/192.168.0.4:53537 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
> Fri Sep 16 09:18:52 2005 client1/192.168.0.4:53537 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> Fri Sep 16 09:18:52 2005 client1/192.168.0.4:53537 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
> Fri Sep 16 10:18:51 2005 client1/192.168.0.4:53537 TLS: tls_process: killed expiring key
> Fri Sep 16 10:18:52 2005 client1/192.168.0.4:53537 VERIFY OK: depth=1, /C=US/ST=OH/L=ENGLEWOOD/O=davemehler.com_OpenVPN/CN=OpenVPN-CA/emailAddress=webmaster@davemehler.com
> Fri Sep 16 10:18:52 2005 client1/192.168.0.4:53537 VERIFY OK: depth=0, /C=US/ST=OH/O=davemehler.com_OpenVPN/CN=client1/emailAddress=webmaster@davemehler.com
> Fri Sep 16 10:18:52 2005 client1/192.168.0.4:53537 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
> Fri Sep 16 10:18:52 2005 client1/192.168.0.4:53537 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> Fri Sep 16 10:18:52 2005 client1/192.168.0.4:53537 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
> Fri Sep 16 10:18:52 2005 client1/192.168.0.4:53537 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> Fri Sep 16 10:18:52 2005 client1/192.168.0.4:53537 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
>
> client:
> openvpn-status.log:
> OpenVPN STATISTICS
> Updated,Fri Sep 16 11:19:26 2005
> TUN/TAP read bytes,624
> TUN/TAP write bytes,168
> TCP/UDP read bytes,86618
> TCP/UDP write bytes,86078
> Auth read bytes,17512
> pre-compress bytes,0
> post-compress bytes,0
> pre-decompress bytes,0
> post-decompress bytes,0
> END
>
> client:
> Fri Sep 16 08:16:05 2005 OpenVPN 2.0.2 i386-portbld-freebsd5.4 [SSL] [LZO] built on Sep 16 2005
> Fri Sep 16 08:16:05 2005 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
> Fri Sep 16 08:16:05 2005 Control Channel Authentication: using 'keys/ta.key' as a OpenVPN static key file
> Fri Sep 16 08:16:05 2005 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
> Fri Sep 16 08:16:05 2005 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
> Fri Sep 16 08:16:05 2005 LZO compression initialized
> Fri Sep 16 08:16:05 2005 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
> Fri Sep 16 08:16:05 2005 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
> Fri Sep 16 08:16:05 2005 Local Options hash (VER=V4): '504e774e'
> Fri Sep 16 08:16:05 2005 Expected Remote Options hash (VER=V4): '14168603'
> Fri Sep 16 08:16:05 2005 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
> Fri Sep 16 08:16:05 2005 UDPv4 link local: [undef]
> Fri Sep 16 08:16:05 2005 UDPv4 link remote: 192.168.0.3:1194
> Fri Sep 16 08:16:05 2005 TLS: Initial packet from 192.168.0.3:1194, sid=c6ba5ec8 98dac724
> Fri Sep 16 08:16:05 2005 VERIFY OK: depth=1, /C=US/ST=OH/L=ENGLEWOOD/O=davemehler.com_OpenVPN/CN=OpenVPN-CA/emailAddress=webmaster@davemehler.com
> Fri Sep 16 08:16:05 2005 VERIFY OK: nsCertType=SERVER
> Fri Sep 16 08:16:05 2005 VERIFY OK: depth=0, /C=US/ST=OH/O=davemehler.com_OpenVPN/CN=vpn/emailAddress=webmaster@davemehler.com
> Fri Sep 16 08:16:06 2005 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
> Fri Sep 16 08:16:06 2005 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> Fri Sep 16 08:16:06 2005 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
> Fri Sep 16 08:16:06 2005 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> Fri Sep 16 08:16:06 2005 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
> Fri Sep 16 08:16:06 2005 [vpn] Peer Connection Initiated with 192.168.0.3:1194
> Fri Sep 16 08:16:07 2005 SENT CONTROL [vpn]: 'PUSH_REQUEST' (status=1)
> Fri Sep 16 08:16:07 2005 PUSH: Received control message: 'PUSH_REPLY,route 192.168.2.0 255.255.255.0,route 10.8.0.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
> Fri Sep 16 08:16:07 2005 OPTIONS IMPORT: timers and/or timeouts modified
> Fri Sep 16 08:16:07 2005 OPTIONS IMPORT: --ifconfig/up options modified
> Fri Sep 16 08:16:07 2005 OPTIONS IMPORT: route options modified
> Fri Sep 16 08:16:07 2005 gw 192.168.0.254
> Fri Sep 16 08:16:07 2005 TUN/TAP device /dev/tun0 opened
> Fri Sep 16 08:16:07 2005 /sbin/ifconfig tun0 10.8.0.6 10.8.0.5 mtu 1500 netmask 255.255.255.255 up
> Fri Sep 16 08:16:07 2005 /sbin/route add -net 192.168.2.0 10.8.0.5 255.255.255.0
> add net 192.168.2.0: gateway 10.8.0.5
> Fri Sep 16 08:16:07 2005 /sbin/route add -net 10.8.0.0 10.8.0.5 255.255.255.0
> add net 10.8.0.0: gateway 10.8.0.5
> Fri Sep 16 08:16:07 2005 GID set to nobody
> Fri Sep 16 08:16:07 2005 UID set to nobody
> Fri Sep 16 08:16:07 2005 Initialization Sequence Completed
> Fri Sep 16 09:16:05 2005 VERIFY OK: depth=1, /C=US/ST=OH/L=ENGLEWOOD/O=davemehler.com_OpenVPN/CN=OpenVPN-CA/emailAddress=webmaster@davemehler.com
> Fri Sep 16 09:16:05 2005 VERIFY OK: nsCertType=SERVER
> Fri Sep 16 09:16:05 2005 VERIFY OK: depth=0, /C=US/ST=OH/O=davemehler.com_OpenVPN/CN=vpn/emailAddress=webmaster@davemehler.com
> Fri Sep 16 09:16:06 2005 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
> Fri Sep 16 09:16:06 2005 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> Fri Sep 16 09:16:06 2005 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
> Fri Sep 16 09:16:06 2005 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> Fri Sep 16 09:16:06 2005 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
> Fri Sep 16 10:16:06 2005 TLS: soft reset sec=0 bytes=37328/0 pkts=711/0
> Fri Sep 16 10:16:06 2005 VERIFY OK: depth=1, /C=US/ST=OH/L=ENGLEWOOD/O=davemehler.com_OpenVPN/CN=OpenVPN-CA/emailAddress=webmaster@davemehler.com
> Fri Sep 16 10:16:06 2005 VERIFY OK: nsCertType=SERVER
> Fri Sep 16 10:16:06 2005 VERIFY OK: depth=0, /C=US/ST=OH/O=davemehler.com_OpenVPN/CN=vpn/emailAddress=webmaster@davemehler.com
> Fri Sep 16 10:16:07 2005 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
> Fri Sep 16 10:16:07 2005 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> Fri Sep 16 10:16:07 2005 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
> Fri Sep 16 10:16:07 2005 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> Fri Sep 16 10:16:07 2005 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
> Fri Sep 16 11:16:06 2005 TLS: tls_process: killed expiring key
> Fri Sep 16 11:16:07 2005 TLS: soft reset sec=0 bytes=37720/0 pkts=713/0
> Fri Sep 16 11:16:07 2005 VERIFY OK: depth=1, /C=US/ST=OH/L=ENGLEWOOD/O=davemehler.com_OpenVPN/CN=OpenVPN-CA/emailAddress=webmaster@davemehler.com
> Fri Sep 16 11:16:07 2005 NOTE: --mute triggered...
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

-- 
Frank Mueller
eMail: Frank.Mueller@emendis.de
Mobile: +49.177.6858655
Fax: +49.951.3039342

emendis GmbH
Hofmannstr. 89, 91052 Erlangen, Germany
Phone: +49.9131.817361
Fax: +49.9131.817386
Managing directors: Gunter Kroeber, Volker Wiesinger
Registered office Erlangen, Amtsgericht Fuerth HRB 10116
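The addressing Frank points at can be checked offline. The Python script below is an added example, not code from this thread or from the OpenVPN project. It derives the layout that OpenVPN 2.0's `server` directive produces under its default "net30" topology (one /30 per client) and reproduces the figures in Dave's logs: tun0 10.8.0.1 / 10.8.0.2 on the server, `IFCONFIG POOL: base=10.8.0.4 size=62`, and `ifconfig 10.8.0.6 10.8.0.5` pushed to client1. It then classifies each 10.8.0.x address, which is why 10.8.0.1 answers pings while 10.8.0.5 is only the virtual far end of client1's /30 and belongs to no host. The `routes_outside_known_lans` helper and the list of known LANs (the thread names only 192.168.0.0/24) are my assumptions, added to illustrate Frank's question about the pushed 192.168.2.0/24 route.

```python
"""Added example: how `server NETWORK NETMASK` carves a net30 pool in OpenVPN 2.0.

Not code from the thread or from OpenVPN itself.  Assumes the 2.0 default
net30 topology (each client gets a /30) and the pool layout the server log
reports (base=10.8.0.4, size=62 for a /24).
"""
import ipaddress
from typing import Dict, List, Tuple


def net30_layout(network: str, netmask: str) -> Dict[str, object]:
    """Addresses OpenVPN 2.0 derives from `server NETWORK NETMASK` (net30).

    - server tun endpoint pair: first /30 of the network (.1 local, .2 remote)
    - client pool: every following /30 except the last one; leaving the last
      one out is what makes the log's pool size 62 for a /24 (64 /30s minus
      the server's and the final one).
    """
    net = ipaddress.IPv4Network(f"{network}/{netmask}", strict=True)
    subnets = list(net.subnets(new_prefix=30))
    server_sub, client_subs = subnets[0], subnets[1:-1]
    return {
        "server_local": str(server_sub[1]),   # 10.8.0.1 in the thread
        "server_remote": str(server_sub[2]),  # 10.8.0.2 in the thread
        "pool_base": str(client_subs[0][0]),  # 10.8.0.4 in the thread
        "pool_size": len(client_subs),        # 62 in the thread
        "client_subnets": client_subs,
    }


def client_ifconfig(layout: Dict[str, object], index: int) -> Tuple[str, str]:
    """The `ifconfig LOCAL REMOTE` pair pushed to the index-th pool client."""
    sub = layout["client_subnets"][index]
    return str(sub[2]), str(sub[1])  # (client address, virtual server-side endpoint)


def classify(layout: Dict[str, object], addr: str) -> str:
    """Say what a VPN-subnet address is and whether any host actually owns it."""
    ip = ipaddress.IPv4Address(addr)
    if str(ip) == layout["server_local"]:
        return "server tun address (assigned on the server, pingable)"
    if str(ip) == layout["server_remote"]:
        return "server-side virtual peer (not assigned to any host)"
    for sub in layout["client_subnets"]:
        if ip == sub[2]:
            return "client address (assigned on that client, pingable)"
        if ip == sub[1]:
            return "client's virtual peer endpoint (not assigned to any host)"
    return "outside the net30 layout"


def routes_outside_known_lans(pushed: List[str], known_lans: List[str]) -> List[str]:
    """Pushed `route NET MASK` lines whose target matches no LAN you actually have.

    Assumed helper for this example; `known_lans` is whatever the operator
    knows to exist behind the server.
    """
    lans = [ipaddress.IPv4Network(lan) for lan in known_lans]
    stray = []
    for line in pushed:
        _, net, mask = line.split()
        target = ipaddress.IPv4Network(f"{net}/{mask}")
        if not any(target == lan or target.subnet_of(lan) for lan in lans):
            stray.append(str(target))
    return stray


if __name__ == "__main__":
    layout = net30_layout("10.8.0.0", "255.255.255.0")
    print("server tun0:", layout["server_local"], layout["server_remote"])
    print("pool base/size:", layout["pool_base"], layout["pool_size"])
    print("first client ifconfig:", client_ifconfig(layout, 0))
    for a in ("10.8.0.1", "10.8.0.5", "10.8.0.6"):
        print(a, "->", classify(layout, a))
    # Pushed route copied from the quoted server config; the only LAN the
    # poster describes is 192.168.0.0/24 (constructed input for the check).
    print("stray pushed routes:", routes_outside_known_lans(
        ["route 192.168.2.0 255.255.255.0"], ["192.168.0.0/24"]))
```

Run it as-is and compare the output with the quoted logs: the server's `/sbin/ifconfig tun0 10.8.0.1 10.8.0.2`, the `IFCONFIG POOL: base=10.8.0.4 size=62` line and the client's `ifconfig 10.8.0.6 10.8.0.5` all fall out of the single `server` directive. Pinging the server over the tunnel therefore means pinging 10.8.0.1, and the only route a client needs pushed is one for a subnet that really sits behind the server.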