RoadWarrior shutdown a shared key infrastructure

[bajamen]

Hi guys, I got a really strange case, maybe is my mistake or didn't read the manual.

We got 3 servers running ovpn 2.3.8.

The infrastructure is shared key.

First tunnel, this let both clients access server1 network and vice versa.

server1-ovpn-srv <-->server2-ovpn-client/server3-ovpn-client

Second tunnel:
server2-ovpn-srv<-->server3-ovpn-client.

This allow server2 and server3 see each other resources.

Done, with this our 3 sites can see each other ring close, shared key no issue.

Latter, we want to add a road warrior setup in server3, we chose a tunnel not used in the current setup 10.0.99.0/29.

This server3 is just a client, does't do any ovpn servers stuff, this was his first setup as server in a road warrior mode.

We setup everything, we install windows app and download certs and setup config file.

Run the connection on a external site, we could connect to the network on server3 and access the resources no issue.

But..alarm, we lost all connection to our others servers, our vpn's from the shared-key setup went down.

Exist a conflict in this scenario?

Can a shared key setup work with a road-warrior?

My brain said, YES???

[ordex]

There is no built-in conflict that can be created by OpenVPN. My suggestion is to check the log of the processes that have no connectivity anymore to see if something is going off in there. If logs are fine, to me this smells like a routing issue: i.e. when setting up the new connection you are somehow cutting off the routing to the other sites.

If you ant further help you should at least post the logs, the configs and possibly the output of 'ip route' on the server when everything works and when things stop working.

p.s. 2.3.8 is very ancient. You should definitely upgrade. Several security and non bugfixes have been merged since then.

[bajamen]

One of my biggest doubt was that shared-key and road-warrior could not exist on the same server.
My little experience tell me what u have confirm, there is no problem.

I will them check the logs and see if I can see where is the issue, thanks ordex.

About the version, 1 of the sysadm of one side doesn't want to upgrade(old person), but we are pushing this.

[ordex]

About the version, 1 of the sysadm of one side doesn't want to upgrade(old person), but we are pushing this.

just tell him that this version can be easily crashed by any random client sending an appropriate malicious packet
This argument is often fairly convincing

[ordex]

I moved this topic into the Community Edition section as this is not about Access Server (commercial product by OpenVPN, Inc.)

[bajamen]

Thanks, sorry, I had understand the case, thanks ordex.