site-to-site between Securepoint UTM & Debian - problems with routing

andydld
OpenVpn Newbie
Posts: 4
Joined: Thu Jun 25, 2020 9:28 am

site-to-site between Securepoint UTM & Debian - problems with routing

Post by andydld » Thu Jun 25, 2020 10:06 am

Hi all,

For about three or four days I have been trying to get the following to work properly:

A site-to-site OpenVPN between a Securepoint UTM (commercial German firewall router, as client) and a Debian box (as server).

At the moment this is a test scenario.

Site 1:

Securepoint UTM - 192.168.0.166
LAN 192.168.1.0/24

Site 2:

Debian 10 Buster - 192.168.0.144
LAN 192.168.2.10/24

Because there is no config file on the UTM side (only a GUI or OEM CLI), I can only edit/post the Debian server side:

Server config
port 1195
proto udp
dev tun
tls-server
ca ca.crt
cert OpenVPN-Server.crt
key OpenVPN-Server.key
dh dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2
keepalive 10 120
cipher BF-CBC
comp-noadapt
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
auth SHA1
route 192.168.1.0 255.255.255.0
client-config-dir /etc/openvpn/csc


And the /etc/openvpn/csc/OpenVPN-Client:

Client config
push "route 192.168.2.0 255.255.255.0"
iroute 192.168.1.0 255.255.255.0


So far, so good: I got the VPN connection up and stable. I can ping both ends (10.8.0.1, 10.8.0.2) from both sites.
But from the Debian side I cannot, for example, ping a server behind the UTM (e.g. 192.168.1.10).

Here's the "tcpdump -i tun0" (Debian) output when I ping:

Code:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
09:52:18.467273 IP 10.8.0.1 > 192.168.1.10: ICMP echo request, id 906, seq 1, length 64
So it seems the ping goes into the tunnel, but on the UTM side tcpdump shows nothing.
Maybe the packets don't really go into the tunnel or aren't being encrypted.

Firewall rules are set up on the UTM side and Securepoint Support says it's fine (and they cannot debug another product, meaning Debian).
On the Debian side there is at the moment no firewall active.

Here are the routes:

Securepoint UTM:

Code:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
10.8.0.0        *               255.255.255.0   U     0      0        0 tun0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
Debian:

Code:

Kernel-IP-Routentabelle
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
default         192.168.0.1     0.0.0.0         UG    0      0        0 enp0s3
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 enp0s3
192.168.1.0     10.8.0.2        255.255.255.0   UG    0      0        0 tun0
The next strange thing is, when I use this OpenVPN server config on a pfSense (instead of Debian), everything works.

Maybe someone has an idea what's happening or what's wrong.

Thanks in advance.

Andy
Last edited by Pippin on Thu Jun 25, 2020 1:02 pm, edited 1 time in total.
Reason: Formatting

andydld
OpenVpn Newbie
Posts: 4
Joined: Thu Jun 25, 2020 9:28 am

Re: site-to-site between Securepoint UTM & Debian - problems with routing

Post by andydld » Thu Jun 25, 2020 2:49 pm

Just tried the current stable OpenVPN and another config, but still no joy.

Server config
dev tun
mode server
tls-server
proto udp
tun-mtu 1500
ca ca.crt
cert OpenVPN-Server.crt
key OpenVPN-Server.key
server 10.8.0.0 255.255.255.0
topology subnet
port 1195
dh dh2048.pem
keepalive 10 120
# cipher BF-CBC
cipher AES-256-CBC
comp-noadapt
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 4
explicit-exit-notify 1
auth SHA256
route 192.168.1.0 255.255.255.0
client-config-dir /etc/openvpn/csc/server
Last edited by Pippin on Thu Jun 25, 2020 3:30 pm, edited 1 time in total.
Reason: Formatting

User avatar
Pippin
Forum Team
Posts: 882
Joined: Wed Jul 01, 2015 8:03 am

Re: site-to-site between Securepoint UTM & Debian - problems with routing

Post by Pippin » Thu Jun 25, 2020 3:30 pm

Would you be so kind and use the Preview button before posting?

Thanks.

andydld
OpenVpn Newbie
Posts: 4
Joined: Thu Jun 25, 2020 9:28 am

Re: site-to-site between Securepoint UTM & Debian - problems with routing

Post by andydld » Fri Jun 26, 2020 5:09 am

I did, and I used the "oconf=" and "olog" tags, too.
Please let me know what's wrong, so I can do it better in the future.
Thanks.

User avatar
Pippin
Forum Team
Posts: 882
Joined: Wed Jul 01, 2015 8:03 am

Re: site-to-site between Securepoint UTM & Debian - problems with routing

Post by Pippin » Fri Jun 26, 2020 4:46 pm

olog never worked, don't use it.

Configuration files:
oconf=Client config (<in brackets)
client
dev tun
proto udp
etc.
/oconf (<in brackets)

Logs, routes, etc.
code (<in brackets)
Fri Jun 26 17:22:42 2020 us=149684 Current Parameter Settings:
Fri Jun 26 17:22:42 2020 us=149813 config = 'nl1.conf'
Fri Jun 26 17:22:42 2020 us=149847 mode = 0
etc.
/code (<in brackets)

andydld
OpenVpn Newbie
Posts: 4
Joined: Thu Jun 25, 2020 9:28 am

Re: site-to-site between Securepoint UTM & Debian - problems with routing

Post by andydld » Tue Jun 30, 2020 11:03 am

I found the reason why it didn't work with the latest posted config. I just forgot to change the subnets (iroute, push route) within the CSC after I got this config out of a UTM. So here's the current working configuration:

Server-Config

dev tun
mode server
tls-server
proto udp
tun-mtu 1500
ca ca.crt
cert OpenVPN-Server.crt
key OpenVPN-Server.key
server 10.8.0.0 255.255.255.0
topology subnet
port 1195
dh dh2048.pem
keepalive 10 120
cipher AES-256-CBC
comp-noadapt
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
auth SHA256
route 192.168.1.0 255.255.255.0
client-config-dir /etc/openvpn/csc/server


OpenVPN-Client CSC

iroute 192.168.1.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"
ifconfig-push 10.8.0.2 255.255.255.0

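The mistake found in the last post (a CSC whose iroute and push route still named the wrong subnets) is easy to catch before deploying. The following Python cross-check is an added example, not code from the thread or from OpenVPN: it parses a server config and its client-config-dir files and verifies that every server `route` has a matching `iroute`, every `iroute` has a matching `route`, and each CSC pushes the server LAN back to the client. The configs embedded below are constructed from the working one posted above; the 192.168.5.0 and 192.168.6.0 networks in the broken CSC are placeholders.

```python
# Constructed sample input, modelled on the working config posted in the thread.
SERVER_CONF = """
server 10.8.0.0 255.255.255.0
topology subnet
# cipher BF-CBC
cipher AES-256-CBC
route 192.168.1.0 255.255.255.0
client-config-dir /etc/openvpn/csc/server
"""
GOOD_CSC = {"OpenVPN-Client": """
iroute 192.168.1.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"
ifconfig-push 10.8.0.2 255.255.255.0
"""}
# Constructed 'forgot to change the subnets' CSC; 192.168.5.0/6.0 are placeholders.
BAD_CSC = {"OpenVPN-Client": """
iroute 192.168.5.0 255.255.255.0
push "route 192.168.6.0 255.255.255.0"
ifconfig-push 10.8.0.2 255.255.255.0
"""}
SERVER_LAN = ("192.168.2.0", "255.255.255.0")  # LAN behind the Debian server

def parse_directives(text):
    """Yield (keyword, args) per non-comment line; quotes around push args are dropped."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].replace('"', "").split()
        if parts:
            yield parts[0], parts[1:]

def check_site_to_site(server_conf, csc_files, server_lan):
    """Return a list of findings; an empty list means route, iroute and push route agree."""
    findings = []
    routes = {tuple(a[:2]) for k, a in parse_directives(server_conf) if k == "route"}
    iroutes = {}  # (network, netmask) -> CSC file names that claim it
    for name, text in csc_files.items():
        directives = list(parse_directives(text))
        for k, a in directives:
            if k == "iroute":
                iroutes.setdefault(tuple(a[:2]), []).append(name)
        pushed = {tuple(a[1:3]) for k, a in directives if k == "push" and a[:1] == ["route"]}
        if server_lan not in pushed:
            findings.append(f"{name}: server LAN {server_lan[0]} {server_lan[1]} is not pushed to the client")
    for net in routes - set(iroutes):
        findings.append(f"server 'route {net[0]} {net[1]}' has no matching iroute in any CSC (packets enter tun0 but are dropped)")
    for net in set(iroutes) - routes:
        findings.append(f"{','.join(iroutes[net])}: 'iroute {net[0]} {net[1]}' has no matching 'route' in the server config")
    return findings
```

Run `check_site_to_site(SERVER_CONF, BAD_CSC, SERVER_LAN)` to see the three findings for the broken CSC; the working one returns an empty list. The check cannot verify that the CSC filename matches the client certificate's CN, which is the other common reason a CSC is silently ignored.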