Route and OpenVPN problem
Hi,
I met a terrible issue with routes and OpenVPN. Below is my design:

Network 172.16.2.0/24 <====> Linux Box <====> Vyatta <====> Network 172.16.4.0/24

My goal is to create the communication between network 172.16.2.0/24 and network 172.16.4.0/24, so I created a VPN between the Linux Box and Vyatta. I used an OpenVPN server on the Linux Box with this config:
Code:
port 1197
Code:
openvpn vtun3 {

Now when I try the connectivity, I have some troubles:
Test 1 - from Vyatta to network 172.16.2.0/24: it works
Test 2 - from Linux Box to network 172.16.4.0/24: it doesn't work
Test 3 - from network 172.16.4.0/24 to network 172.16.2.0/24: it doesn't work

I did some traces in order to find out the issue.
Test 1: tcpdump on Vyatta
Code:
13:50:51.540985 IP 10.8.24.6 > 172.16.2.66: ICMP echo request, id 12158, seq 1, length 64
Code:
12:52:32.288776 IP 10.8.24.1 > 172.16.4.2: ICMP echo request, id 18473, seq 1, length 64
Test 3: tcpdump on Vyatta
Code:
13:55:01.533122 IP 172.16.4.2 > 172.16.2.1: ICMP echo request, id 51096, seq 1, length 64

On the Linux Box, I have the correct route (I removed all unnecessary routes from the output below):
Code:
[root@LinuxBox openvpn]# ip route
Code:
root@vyatta:/# ip route

I really don't understand why I cannot see anything on the opposite side when I do test 2 and test 3. Do you have any idea?
Thank you for your help.
PS: sorry for the long post.
Use traceroute from both ends to test the round-trip connection to IP addresses on the other side of the tunnel.
Connection issues are usually traceable to omitted routing rules, because a successfully-connected tunnel-mode OpenVPN behaves just like any other router. With your setup, check both 10.8.0.x and 172.16.4.x addresses. Expect to see traceroute "drop dead and start printing rows of asterisks," indicating a return-routing problem at that "hop."
Thanks sundialsvcs for your answer.
I tried to do a traceroute as you suggested:
- From the Linux Box:
Code:
traceroute 172.16.4.1
So I tried a traceroute to the other end of the tunnel and everything is fine:
Code:
traceroute 10.8.24.6
Code:
traceroute 172.16.2.66
Do you have any other ideas?
Hi,
I think you need to have specific routes on hosts on your networks.
On hosts on network 172.16.4.0/24: to 172.16.2.0/24 via Vyatta
On hosts on network 172.16.2.0/24: to 172.16.4.0/24 via Linux Box
The first part of the puzzle is to be sure that the OpenVPN client/server processes are able to send and receive encrypted packets with one another. Every computer along any possible route must have routing commands to cover both the outbound and return routes, or they might simply all throw the packets up through the default-route to a central router that knows what to do.
The second part is to make sure that packets from the "VPN-to-VPN network" (usually 10.8.0.x) will be correctly routed back to the OpenVPN machines "as a gateway."

The third step (which is common with any other type of router) is to be sure that remote subnet addresses are also set to use the appropriate OpenVPN machine as a gateway ... and that you have a ccd directory with iroute commands to enable OpenVPN to know about these subnets and to know which remote is responsible for each of them.

In all cases, it isn't enough to make sure that traffic gets to the proper destination: the replies must also get back. (If traceroute "drops dead" at some hop and starts printing asterisks, then it means that the reply from that hop didn't make it home. A route was found to that hop, but the reply that should have been sent back was lost. It probably defaulted to a router which sent it to the Internet, which promptly squashed it as it does to all "non-routable addresses.")
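An added example, not from this thread or from any of its posters: a small Python routing simulation of the layout in the first post. It walks a packet hop by hop and then walks the reply, so a ping is reported as broken at the first hop that has no route in either direction, which is the check that both sundialsvcs and the previous reply (specific routes on the hosts) are asking for. Everything besides the thread's addresses is assumed: the host names hostA, hostB and Edge, every routing table, hostB's default gateway being a separate Edge router that knows nothing about the VPN, 198.51.100.1 as a placeholder upstream address, and the collapse of OpenVPN's per-client /30 tunnel addressing into a single 10.8.24.0/24 link. The two server-side rules it models (the daemon drops a packet from a client whose source address it has not learned for that client, logged as "bad source address from client", and cannot forward a packet to a subnet that no client has claimed) follow from how OpenVPN's client-config-dir/iroute mechanism works, which the thread mentions but does not show.

```python
"""Hop-by-hop routing simulator for the thread's site-to-site OpenVPN layout (added example).
The addresses are the thread's; every routing table is an assumption, and OpenVPN's per-client
/30 tunnel addressing is collapsed into one 10.8.24.0/24 link. Constructed topology:
  hostA 172.16.2.66 -- LinuxBox (OpenVPN server: eth0 172.16.2.1, tun0 10.8.24.1) === tunnel ===
  Vyatta (OpenVPN client: tun0 10.8.24.6, eth0 172.16.4.1) -- hostB 172.16.4.2 -- Edge 172.16.4.254"""
import ipaddress as ipa

class Node:
    def __init__(self, name, ifaces, routes=(), iroutes=None):
        self.name = name
        self.ifaces = {n: ipa.ip_interface(a) for n, a in ifaces.items()}   # iface -> address/prefix
        self.routes = [(ipa.ip_network(p), ipa.ip_address(g)) for p, g in routes]  # static routes
        # OpenVPN server only: the ccd/iroute table (subnet -> client). None = this node is no server.
        self.iroutes = None if iroutes is None else {ipa.ip_network(p): c for p, c in iroutes.items()}

    def owns(self, ip):
        return any(i.ip == ip for i in self.ifaces.values())

    def next_hop(self, dst):
        """Longest-prefix match; returns (next hop, outgoing iface or None), or None without a route."""
        best = None
        for name, i in self.ifaces.items():                                   # connected networks
            if dst in i.network and (best is None or i.network.prefixlen > best[0].prefixlen):
                best = (i.network, dst, name)
        for prefix, gw in self.routes:                                        # static routes
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, gw, next((n for n, i in self.ifaces.items() if gw in i.network), None))
        return None if best is None else best[1:]

class Topology:
    def __init__(self, nodes):
        self.nodes = {n.name: n for n in nodes}

    def node_for(self, ip):
        return next((n for n in self.nodes.values() if n.owns(ip)), None)

    def via_tun(self, node, other):   # does `node` see `other` across one of its tun interfaces?
        return any(n.startswith("tun") and any(o.ip in i.network for o in other.ifaces.values())
                   for n, i in node.ifaces.items())

    def client_owns(self, server, client, ip):   # the client's tunnel address, or one of its iroutes
        return self.nodes[client].owns(ip) or any(ip in p for p, c in server.iroutes.items() if c == client)

    def trace(self, src_name, src_ip, dst_ip, max_hops=8):
        """Forward one packet; returns (path, None) on delivery or (path, drop reason)."""
        src_ip, dst_ip = ipa.ip_address(src_ip), ipa.ip_address(dst_ip)
        node, prev, path = self.nodes[src_name], None, [src_name]
        for _ in range(max_hops):
            # Server: a packet from a client over the tunnel is dropped unless its source is that
            # client's tunnel address or inside an iroute declared for it ("bad source address").
            if (node.iroutes is not None and prev is not None and self.via_tun(node, prev)
                    and not self.client_owns(node, prev.name, src_ip)):
                return path, f"{node.name}: bad source address {src_ip} from client {prev.name} (no iroute)"
            if node.owns(dst_ip):
                return path, None
            hop = node.next_hop(dst_ip)
            if hop is None:
                return path, f"{node.name}: no route to {dst_ip}"
            gw, out = hop
            nxt = self.node_for(gw)
            if nxt is None:
                return path, f"{node.name}: next hop {gw} is outside the model (packet leaves for the Internet)"
            # Server: the daemon can only hand a tunnel-bound packet to the client it knows owns dst.
            if (node.iroutes is not None and out and out.startswith("tun")
                    and not self.client_owns(node, nxt.name, dst_ip)):
                return path, f"{node.name}: OpenVPN knows no client for {dst_ip} (missing iroute)"
            prev, node = node, nxt
            path.append(node.name)
        return path, "hop limit exceeded"

    def round_trip(self, src_name, src_ip, dst_ip):   # a ping needs the outbound AND the reply path
        fwd, why = self.trace(src_name, src_ip, dst_ip)
        back, why = self.trace(fwd[-1], dst_ip, src_ip) if why is None else ([fwd[-1]], why)
        return fwd + back[1:], why

def build(iroute, host_prefixes):
    """iroute: LinuxBox's ccd declares 172.16.4.0/24 for Vyatta. host_prefixes: subnets hostB
    routes via Vyatta; everything else goes to its default gateway Edge, which knows no VPN routes."""
    return Topology([
        Node("LinuxBox", {"eth0": "172.16.2.1/24", "tun0": "10.8.24.1/24"},
             routes=[("172.16.4.0/24", "10.8.24.6")], iroutes={"172.16.4.0/24": "Vyatta"} if iroute else {}),
        Node("Vyatta", {"eth0": "172.16.4.1/24", "tun0": "10.8.24.6/24"}, routes=[("172.16.2.0/24", "10.8.24.1")]),
        Node("hostA", {"eth0": "172.16.2.66/24"}, routes=[("0.0.0.0/0", "172.16.2.1")]),
        Node("hostB", {"eth0": "172.16.4.2/24"},
             routes=[("0.0.0.0/0", "172.16.4.254")] + [(p, "172.16.4.1") for p in host_prefixes]),
        Node("Edge", {"eth0": "172.16.4.254/24"}, routes=[("0.0.0.0/0", "198.51.100.1")]),  # placeholder upstream
    ])

THREAD_TESTS = {  # the three pings from the first post: (source node, source address, destination)
    "test1 Vyatta -> 172.16.2.66": ("Vyatta", "10.8.24.6", "172.16.2.66"),
    "test2 LinuxBox -> 172.16.4.2": ("LinuxBox", "10.8.24.1", "172.16.4.2"),
    "test3 hostB -> 172.16.2.1": ("hostB", "172.16.4.2", "172.16.2.1"),
}

def run(topo):
    return {name: topo.round_trip(*args) for name, args in THREAD_TESTS.items()}

if __name__ == "__main__":
    for label, topo in [("as posted: no iroute", build(False, ["172.16.2.0/24"])),
                        ("iroute added, hostB has no route to 10.8.24.0/24", build(True, ["172.16.2.0/24"])),
                        ("iroute + both host routes", build(True, ["172.16.2.0/24", "10.8.24.0/24"]))]:
        print("==", label, *(f"\n  {n}: {' > '.join(p)} -> {w or 'OK'}" for n, (p, w) in run(topo).items()))
```

Running it prints three scenarios. As posted (no iroute), test 1 completes, test 2 never leaves the Linux Box because the server has no client to hand 172.16.4.2 to, and test 3 reaches the Linux Box but is dropped there as a bad source address, matching the "nothing on the opposite side" symptom. With the iroute added but hostB routing only 172.16.2.0/24 via Vyatta, test 3 works while test 2's reply to 10.8.24.1 goes to hostB's default gateway and leaves the network, which is the "check both 10.8.0.x and 172.16.4.x" point above. With both host routes, all three round trips complete.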