From: "dave"
Cc: freebsd-questions@freebsd.org
Date: Fri, 16 Sep 2005 20:01:34 -0400
Subject: routed vpn between two freebsd machines
Message-ID: <001501c5bb1a$f7eb8b80$0200a8c0@satellite>
List-Id: User questions <freebsd-questions@freebsd.org>

Hello,

My apologies if this is a repost; I didn't see it go through. I'm trying to set up a routed VPN between two FreeBSD 5.4 machines. Currently they're on the same physical subnet, 192.168.0.x, to make testing easier, and for the VPN they're using 10.8.0.x. My first problem: although both server and client start, I can only ping the client's IP address, 10.8.0.6, not the server's, 10.8.0.5, and an IP of 10.8.0.1 is also showing up.
Eventually I'd like to add Windows boxes accessing the VPN via Samba, and remote clients from beyond the firewall, but I'd like to know if my basic configuration looks good. Any help appreciated.

Thanks.
Dave.

client: openvpn.conf:

client
dev tun
proto udp
remote 192.168.0.3 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
mute-replay-warnings
ca keys/ca.crt
cert keys/client1.crt
key keys/client1.key
ns-cert-type server
tls-auth keys/ta.key 1
comp-lzo
status openvpn-status.log
log openvpn.log
verb 3
mute 20

server: openvpn.conf:

local 192.168.0.3
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/vpn.crt
dh keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.2.0 255.255.255.0"
client-to-client
keepalive 10 120
comp-lzo
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
mute 20

server: openvpn-status.log:

OpenVPN CLIENT LIST
Updated,Fri Sep 16 11:09:42 2005
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,192.168.0.4:53537,75321,75571,Fri Sep 16 08:18:50 2005
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,client1,192.168.0.4:53537,Fri Sep 16 10:34:37 2005
GLOBAL STATS
Max bcast/mcast queue length,0
END

server: openvpn.log:

Fri Sep 16 00:10:50 2005 OpenVPN 2.0.2 i386-portbld-freebsd5.4 [SSL] [LZO] built on Aug 30 2005
Fri Sep 16 00:10:50 2005 Diffie-Hellman initialized with 2048 bit key
Fri Sep 16 00:10:50 2005 Control Channel Authentication: using 'keys/ta.key' as a OpenVPN static key file
Fri Sep 16 00:10:50 2005 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 16 00:10:50 2005 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 16 00:10:50 2005 TLS-Auth MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Sep 16 00:10:50 2005 gw 192.168.0.254
Fri Sep 16 00:10:50 2005 TUN/TAP device /dev/tun0 opened
Fri Sep 16 00:10:50 2005 /sbin/ifconfig tun0 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255 up
Fri Sep 16 00:10:50 2005 /sbin/route add -net 10.8.0.0 10.8.0.2 255.255.255.0
add net 10.8.0.0: gateway 10.8.0.2
Fri Sep 16 00:10:50 2005 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Sep 16 00:10:50 2005 GID set to nobody
Fri Sep 16 00:10:50 2005 UID set to nobody
Fri Sep 16 00:10:50 2005 UDPv4 link local (bound): 192.168.0.3:1194
Fri Sep 16 00:10:50 2005 UDPv4 link remote: [undef]
Fri Sep 16 00:10:50 2005 MULTI: multi_init called, r=256 v=256
Fri Sep 16 00:10:50 2005 IFCONFIG POOL: base=10.8.0.4 size=62
Fri Sep 16 00:10:50 2005 IFCONFIG POOL LIST
Fri Sep 16 00:10:50 2005 Initialization Sequence Completed
Fri Sep 16 08:18:50 2005 MULTI: multi_create_instance called
Fri Sep 16 08:18:50 2005 192.168.0.4:53537 Re-using SSL/TLS context
Fri Sep 16 08:18:50 2005 192.168.0.4:53537 LZO compression initialized
Fri Sep 16 08:18:50 2005 192.168.0.4:53537 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Sep 16 08:18:50 2005 192.168.0.4:53537 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Sep 16 08:18:50 2005 192.168.0.4:53537 Local Options hash (VER=V4): '14168603'
Fri Sep 16 08:18:50 2005 192.168.0.4:53537 Expected Remote Options hash (VER=V4): '504e774e'
Fri Sep 16 08:18:50 2005 192.168.0.4:53537 TLS: Initial packet from 192.168.0.4:53537, sid=c06f4d68 1e59a37e
Fri Sep 16 08:18:51 2005 192.168.0.4:53537 VERIFY OK: depth=1, /C=US/ST=OH/L=ENGLEWOOD/O=davemehler.com_OpenVPN/CN=OpenVPN-CA/emailAddress=webmaster@davemehler.com
Fri Sep 16 08:18:51 2005 192.168.0.4:53537 VERIFY OK: depth=0, /C=US/ST=OH/O=davemehler.com_OpenVPN/CN=client1/emailAddress=webmaster@davemehler.com
Fri Sep 16 08:18:51 2005 192.168.0.4:53537 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 16 08:18:51 2005 192.168.0.4:53537 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 16 08:18:51 2005 192.168.0.4:53537 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 16 08:18:51 2005 192.168.0.4:53537 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 16 08:18:51 2005 192.168.0.4:53537 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Fri Sep 16 08:18:51 2005 192.168.0.4:53537 [client1] Peer Connection Initiated with 192.168.0.4:53537
Fri Sep 16 08:18:51 2005 client1/192.168.0.4:53537 MULTI: Learn: 10.8.0.6 -> client1/192.168.0.4:53537
Fri Sep 16 08:18:51 2005 client1/192.168.0.4:53537 MULTI: primary virtual IP for client1/192.168.0.4:53537: 10.8.0.6
Fri Sep 16 08:18:53 2005 client1/192.168.0.4:53537 PUSH: Received control message: 'PUSH_REQUEST'
Fri Sep 16 08:18:53 2005 client1/192.168.0.4:53537 SENT CONTROL [client1]: 'PUSH_REPLY,route 192.168.2.0 255.255.255.0,route 10.8.0.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
Fri Sep 16 08:18:53 2005 client1/192.168.0.4:53537 Need IPv6 code in mroute_extract_addr_from_packet
Fri Sep 16 08:18:53 2005 client1/192.168.0.4:53537 Need IPv6 code in mroute_extract_addr_from_packet
Fri Sep 16 08:18:56 2005 client1/192.168.0.4:53537 Need IPv6 code in mroute_extract_addr_from_packet
Fri Sep 16 08:19:02 2005 client1/192.168.0.4:53537 Need IPv6 code in mroute_extract_addr_from_packet
Fri Sep 16 09:18:51 2005 client1/192.168.0.4:53537 TLS: soft reset sec=0 bytes=37851/0 pkts=714/0
Fri Sep 16 09:18:52 2005 client1/192.168.0.4:53537 VERIFY OK: depth=1, /C=US/ST=OH/L=ENGLEWOOD/O=davemehler.com_OpenVPN/CN=OpenVPN-CA/emailAddress=webmaster@davemehler.com
Fri Sep 16 09:18:52 2005 client1/192.168.0.4:53537 VERIFY OK: depth=0, /C=US/ST=OH/O=davemehler.com_OpenVPN/CN=client1/emailAddress=webmaster@davemehler.com
Fri Sep 16 09:18:52 2005 client1/192.168.0.4:53537 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 16 09:18:52 2005 client1/192.168.0.4:53537 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 16 09:18:52 2005 client1/192.168.0.4:53537 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 16 09:18:52 2005 client1/192.168.0.4:53537 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 16 09:18:52 2005 client1/192.168.0.4:53537 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Fri Sep 16 10:18:51 2005 client1/192.168.0.4:53537 TLS: tls_process: killed expiring key
Fri Sep 16 10:18:52 2005 client1/192.168.0.4:53537 VERIFY OK: depth=1, /C=US/ST=OH/L=ENGLEWOOD/O=davemehler.com_OpenVPN/CN=OpenVPN-CA/emailAddress=webmaster@davemehler.com
Fri Sep 16 10:18:52 2005 client1/192.168.0.4:53537 VERIFY OK: depth=0, /C=US/ST=OH/O=davemehler.com_OpenVPN/CN=client1/emailAddress=webmaster@davemehler.com
Fri Sep 16 10:18:52 2005 client1/192.168.0.4:53537 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 16 10:18:52 2005 client1/192.168.0.4:53537 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 16 10:18:52 2005 client1/192.168.0.4:53537 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 16 10:18:52 2005 client1/192.168.0.4:53537 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 16 10:18:52 2005 client1/192.168.0.4:53537 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA

client: openvpn-status.log:

OpenVPN STATISTICS
Updated,Fri Sep 16 11:19:26 2005
TUN/TAP read bytes,624
TUN/TAP write bytes,168
TCP/UDP read bytes,86618
TCP/UDP write bytes,86078
Auth read bytes,17512
pre-compress bytes,0
post-compress bytes,0
pre-decompress bytes,0
post-decompress bytes,0
END

client: openvpn.log:

Fri Sep 16 08:16:05 2005 OpenVPN 2.0.2 i386-portbld-freebsd5.4 [SSL] [LZO] built on Sep 16 2005
Fri Sep 16 08:16:05 2005 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Fri Sep 16 08:16:05 2005 Control Channel Authentication: using 'keys/ta.key' as a OpenVPN static key file
Fri Sep 16 08:16:05 2005 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 16 08:16:05 2005 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 16 08:16:05 2005 LZO compression initialized
Fri Sep 16 08:16:05 2005 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Sep 16 08:16:05 2005 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Sep 16 08:16:05 2005 Local Options hash (VER=V4): '504e774e'
Fri Sep 16 08:16:05 2005 Expected Remote Options hash (VER=V4): '14168603'
Fri Sep 16 08:16:05 2005 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Fri Sep 16 08:16:05 2005 UDPv4 link local: [undef]
Fri Sep 16 08:16:05 2005 UDPv4 link remote: 192.168.0.3:1194
Fri Sep 16 08:16:05 2005 TLS: Initial packet from 192.168.0.3:1194, sid=c6ba5ec8 98dac724
Fri Sep 16 08:16:05 2005 VERIFY OK: depth=1, /C=US/ST=OH/L=ENGLEWOOD/O=davemehler.com_OpenVPN/CN=OpenVPN-CA/emailAddress=webmaster@davemehler.com
Fri Sep 16 08:16:05 2005 VERIFY OK: nsCertType=SERVER
Fri Sep 16 08:16:05 2005 VERIFY OK: depth=0, /C=US/ST=OH/O=davemehler.com_OpenVPN/CN=vpn/emailAddress=webmaster@davemehler.com
Fri Sep 16 08:16:06 2005 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 16 08:16:06 2005 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 16 08:16:06 2005 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 16 08:16:06 2005 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 16 08:16:06 2005 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Fri Sep 16 08:16:06 2005 [vpn] Peer Connection Initiated with 192.168.0.3:1194
Fri Sep 16 08:16:07 2005 SENT CONTROL [vpn]: 'PUSH_REQUEST' (status=1)
Fri Sep 16 08:16:07 2005 PUSH: Received control message: 'PUSH_REPLY,route 192.168.2.0 255.255.255.0,route 10.8.0.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Fri Sep 16 08:16:07 2005 OPTIONS IMPORT: timers and/or timeouts modified
Fri Sep 16 08:16:07 2005 OPTIONS IMPORT: --ifconfig/up options modified
Fri Sep 16 08:16:07 2005 OPTIONS IMPORT: route options modified
Fri Sep 16 08:16:07 2005 gw 192.168.0.254
Fri Sep 16 08:16:07 2005 TUN/TAP device /dev/tun0 opened
Fri Sep 16 08:16:07 2005 /sbin/ifconfig tun0 10.8.0.6 10.8.0.5 mtu 1500 netmask 255.255.255.255 up
Fri Sep 16 08:16:07 2005 /sbin/route add -net 192.168.2.0 10.8.0.5 255.255.255.0
add net 192.168.2.0: gateway 10.8.0.5
Fri Sep 16 08:16:07 2005 /sbin/route add -net 10.8.0.0 10.8.0.5 255.255.255.0
add net 10.8.0.0: gateway 10.8.0.5
Fri Sep 16 08:16:07 2005 GID set to nobody
Fri Sep 16 08:16:07 2005 UID set to nobody
Fri Sep 16 08:16:07 2005 Initialization Sequence Completed
Fri Sep 16 09:16:05 2005 VERIFY OK: depth=1, /C=US/ST=OH/L=ENGLEWOOD/O=davemehler.com_OpenVPN/CN=OpenVPN-CA/emailAddress=webmaster@davemehler.com
Fri Sep 16 09:16:05 2005 VERIFY OK: nsCertType=SERVER
Fri Sep 16 09:16:05 2005 VERIFY OK: depth=0, /C=US/ST=OH/O=davemehler.com_OpenVPN/CN=vpn/emailAddress=webmaster@davemehler.com
Fri Sep 16 09:16:06 2005 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 16 09:16:06 2005 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 16 09:16:06 2005 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 16 09:16:06 2005 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 16 09:16:06 2005 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Fri Sep 16 10:16:06 2005 TLS: soft reset sec=0 bytes=37328/0 pkts=711/0
Fri Sep 16 10:16:06 2005 VERIFY OK: depth=1, /C=US/ST=OH/L=ENGLEWOOD/O=davemehler.com_OpenVPN/CN=OpenVPN-CA/emailAddress=webmaster@davemehler.com
Fri Sep 16 10:16:06 2005 VERIFY OK: nsCertType=SERVER
Fri Sep 16 10:16:06 2005 VERIFY OK: depth=0, /C=US/ST=OH/O=davemehler.com_OpenVPN/CN=vpn/emailAddress=webmaster@davemehler.com
Fri Sep 16 10:16:07 2005 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 16 10:16:07 2005 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 16 10:16:07 2005 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 16 10:16:07 2005 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 16 10:16:07 2005 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Fri Sep 16 11:16:06 2005 TLS: tls_process: killed expiring key
Fri Sep 16 11:16:07 2005 TLS: soft reset sec=0 bytes=37720/0 pkts=713/0
Fri Sep 16 11:16:07 2005 VERIFY OK: depth=1, /C=US/ST=OH/L=ENGLEWOOD/O=davemehler.com_OpenVPN/CN=OpenVPN-CA/emailAddress=webmaster@davemehler.com
Fri Sep 16 11:16:07 2005 NOTE: --mute triggered...
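An added example, not part of Dave's post, that models what the quoted logs show: with OpenVPN 2.0's default net30 addressing the server's own tun0 address is 10.8.0.1 (its log runs `ifconfig tun0 10.8.0.1 10.8.0.2`), while the `ifconfig 10.8.0.6 10.8.0.5` pushed to client1 makes 10.8.0.5 the far end of that client's own /30 rather than the server's address. The script reproduces the pool allocation, cross-checks it against the server's `IFCONFIG POOL` log line, and parses the server's openvpn-status.log to pair each connected client with its peer address; the net30 allocation rules it encodes are an assumption stated in the code, and the sample inputs are constructed from the lines in the post.

```python
import ipaddress
import re

# Constructed from the post: server openvpn.conf and its openvpn-status.log.
SERVER_DIRECTIVE = "server 10.8.0.0 255.255.255.0"
STATUS_LOG = """OpenVPN CLIENT LIST
Updated,Fri Sep 16 11:09:42 2005
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,192.168.0.4:53537,75321,75571,Fri Sep 16 08:18:50 2005
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,client1,192.168.0.4:53537,Fri Sep 16 10:34:37 2005
END"""

def net30_layout(server_directive):
    """OpenVPN 2.0 default (net30) addressing for a 'server NET MASK' line:
    the server owns the first /30 (local .1, peer .2); each client gets a later
    /30 with local = base+2 and peer = base+1.  Assumed, and consistent with
    'size=62' in the post: the first and last /30 are never handed to clients."""
    _, net, mask = server_directive.split()
    subnets = list(ipaddress.ip_network(f"{net}/{mask}").subnets(new_prefix=30))
    pool = subnets[1:-1]
    return {"server": (str(subnets[0][1]), str(subnets[0][2])),
            "pool_base": str(pool[0].network_address), "pool_size": len(pool),
            "peer_of": {str(s[2]): str(s[1]) for s in pool}}  # client -> peer

def pool_matches_log(layout, log_line):
    """Cross-check the model against the daemon's own 'IFCONFIG POOL' log line."""
    m = re.search(r"IFCONFIG POOL: base=(\S+) size=(\d+)", log_line)
    return bool(m) and (m.group(1), int(m.group(2))) == (layout["pool_base"], layout["pool_size"])

def parse_status_log(text):
    """Parse a version-1 openvpn-status.log into {section: [row dicts]}."""
    sections, current, header = {}, None, None
    for line in text.splitlines():
        if line in ("OpenVPN CLIENT LIST", "ROUTING TABLE", "GLOBAL STATS"):
            current, header = line, None
            sections[current] = []
        elif line == "END" or current is None or line.startswith("Updated,"):
            continue
        elif header is None:
            header = line.split(",")
        else:
            sections[current].append(dict(zip(header, line.split(","))))
    return sections

def connected_clients(layout, status_text):
    """(common name, virtual IP, far end of that client's tunnel) per ROUTING TABLE row."""
    return [(r["Common Name"], r["Virtual Address"], layout["peer_of"][r["Virtual Address"]])
            for r in parse_status_log(status_text)["ROUTING TABLE"]]
```

Pointing the parser at a live status file is a cheap way to watch which certificates are connected and from where, which is the kind of check worth scripting before remote clients from outside the firewall are added.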