Windows 2003 - Server cannot ping client.
Moderators: TinCanTech
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
-
- OpenVpn Newbie
- Posts: 8
- Joined: Fri Sep 09, 2011 5:10 am
Windows 2003 - Server cannot ping client.
I have been banging my head for some time now, and I am hoping someone can assist with my config. Here is the info;
Site 1 - Server Side
-----------
OpenVPN 2.1 running on Win 2K3
Two interfaces
Lan A - 10.214.85.134 on 10.214.85.128/27
Lan B - 10.214.85.164 on 10.214.85.160/28
Site 2 - Client Side
-----------
OpenVPN 2.1 running on Win 2K3
One interface, multiple LANs
Lan C - 10.28.63.131 on 10.28.63.0/24
Lan D - 10.28.120.0/24
Lan E - 10.28.150.0/24
What works
--------------
- Client can ping server.
- With RRAS enabled at Site1 (server), 10.28.63.131(client) @ Site 2 can ping/connect to Server A and all nodes on LAN A & B.
- With RRAS disabled at server, client node can only connect to/see Server
What doesn't work.
-------------------
- No hosts behind client at site 2 can see anything at site 1.
- Server and hosts behind server (Site 1) cannot ping/see hosts at site 2, including 10.28.63.131.
- Server can ping client at VPN IP address (10.8.0.6)
Last edited by Philip87 on Fri Sep 09, 2011 5:35 am, edited 1 time in total.
-
- OpenVpn Newbie
- Posts: 8
- Joined: Fri Sep 09, 2011 5:10 am
Re: Windows 2003 - Server cannot ping client.
Server config
Code: Select all
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.214.85.128 255.255.255.224"
push "route 10.214.85.160 255.255.255.240"
client-config-dir ccd
route 10.28.0.0 255.255.0.0
;route 10.28.63.0 255.255.255.0
;route 10.28.120.0 255.255.255.0
;route 10.28.150.0 255.255.255.0
client-to-client
keepalive 3 15
cipher BF-CBC # Blowfish (default)
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
mute
-
- OpenVpn Newbie
- Posts: 8
- Joined: Fri Sep 09, 2011 5:10 am
Re: Windows 2003 - Server cannot ping client.
Client CCD file
Code: Select all
iroute 10.28.0.0 255.255.0.0
Client Config
Code: Select all
client
dev tun
proto udp
remote 1.2.3.4 1194
resolv-retry infinite
nobind
persist-key
persist-tun
keepalive 3 10
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 3
mute 20
-
- OpenVpn Newbie
- Posts: 8
- Joined: Fri Sep 09, 2011 5:10 am
Re: Windows 2003 - Server cannot ping client.
Client routing table
Code: Select all
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.28.63.232 10.28.63.131 1
10.8.0.0 255.255.255.0 10.8.0.5 10.8.0.6 1
10.8.0.4 255.255.255.252 10.8.0.6 10.8.0.6 30
10.8.0.6 255.255.255.255 127.0.0.1 127.0.0.1 30
10.214.85.128 255.255.255.224 10.8.0.5 10.8.0.6 1
10.214.85.160 255.255.255.240 10.8.0.5 10.8.0.6 1
10.28.63.0 255.255.255.0 10.28.63.131 10.28.63.131 10
10.28.63.131 255.255.255.255 127.0.0.1 127.0.0.1 10
10.255.255.255 255.255.255.255 10.8.0.6 10.8.0.6 30
10.255.255.255 255.255.255.255 10.28.63.131 10.28.63.131 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 240.0.0.0 10.8.0.6 10.8.0.6 30
224.0.0.0 240.0.0.0 10.28.63.131 10.28.63.131 10
255.255.255.255 255.255.255.255 10.8.0.6 10.8.0.6 1
255.255.255.255 255.255.255.255 10.8.0.6 3 1
255.255.255.255 255.255.255.255 10.28.63.131 10.28.63.131 1
Default Gateway: 10.28.63.232
===========================================================================
Persistent Routes:
None
Server Routing Table
Code: Select all
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.214.85.129 10.214.85.134 10
10.8.0.0 255.255.255.252 10.8.0.1 10.8.0.1 30
10.8.0.0 255.255.255.0 10.8.0.2 10.8.0.1 1
10.8.0.1 255.255.255.255 127.0.0.1 127.0.0.1 30
10.214.85.128 255.255.255.224 10.214.85.134 10.214.85.134 10
10.214.85.134 255.255.255.255 127.0.0.1 127.0.0.1 10
10.214.85.160 255.255.255.240 10.214.85.164 10.214.85.164 10
10.214.85.164 255.255.255.255 127.0.0.1 127.0.0.1 10
10.28.0.0 255.255.0.0 10.8.0.2 10.8.0.1 1
10.255.255.255 255.255.255.255 10.8.0.1 10.8.0.1 30
10.255.255.255 255.255.255.255 10.214.85.134 10.214.85.134 10
10.255.255.255 255.255.255.255 10.214.85.164 10.214.85.164 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 240.0.0.0 10.8.0.1 10.8.0.1 30
224.0.0.0 240.0.0.0 10.214.85.134 10.214.85.134 10
224.0.0.0 240.0.0.0 10.214.85.164 10.214.85.164 10
255.255.255.255 255.255.255.255 10.8.0.1 10.8.0.1 1
255.255.255.255 255.255.255.255 10.214.85.134 10.214.85.134 1
255.255.255.255 255.255.255.255 10.214.85.164 10.214.85.164 1
Default Gateway: 10.214.85.129
===========================================================================
Persistent Routes:
None
-
- OpenVpn Newbie
- Posts: 8
- Joined: Fri Sep 09, 2011 5:10 am
Re: Windows 2003 - Server cannot ping client.
Bump. No one has any ideas?
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Windows 2003 - Server cannot ping client.
the statement
Code: Select all
route 10.28.63.0 255.255.255.0
is required on the server side - uncomment it.
change the CCD file to
Code: Select all
iroute 10.28.63.0 255.255.255.0
use an absolute path for the 'client-config-dir' directory and add
Code: Select all
verb 6
to the server log file; restart the openvpn service and reconnect the client; make sure the CCD file is read when the client connects.
-
- OpenVpn Newbie
- Posts: 8
- Joined: Fri Sep 09, 2011 5:10 am
Re: Windows 2003 - Server cannot ping client.
janjust wrote: the statement
Code: Select all
route 10.28.63.0 255.255.255.0
is required on the server side - uncomment it.
change the CCD file to
Code: Select all
iroute 10.28.63.0 255.255.255.0
I'll try that. I think that I had the more specific route (as you suggested) earlier. But I've changed it around trying so many times I've forgotten.
janjust wrote: use an absolute path for the 'client-config-dir' directory and add
Code: Select all
verb 6
to the server log file; restart the openvpn service and reconnect the client; make sure the CCD file is read when the client connects.
Thanks. I'll do both of those.
-
- OpenVpn Newbie
- Posts: 8
- Joined: Fri Sep 09, 2011 5:10 am
Re: Windows 2003 - Server cannot ping client.
Oddly, now it connects but neither client nor server can ping each other, even using the link IPs. I'm combing through the logs now. I see no entries referencing CCD, either positive or negative.
Routes are definitely being pushed, but I can't determine if iroutes are. Even so, should I not be able to ping the virtual interface IPs?
Windows RRAS has been on and off on both ends, and firewalls have been verified off.
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Windows 2003 - Server cannot ping client.
try adding
Code: Select all
ccd-exclusive
if the CCD file is not picked up the connection is rejected.
-
- OpenVpn Newbie
- Posts: 8
- Joined: Fri Sep 09, 2011 5:10 am
Re: Windows 2003 - Server cannot ping client.
Thank you very much, that was very helpful. For the record, the problem appears to have been:
1. CCD with relative path was not getting picked up.
2. Windows path with space was not configured correctly.
C:\\program files\\openvpn\ccd should have had quotes like this
"C:\\program files\\openvpn\ccd"
Now I'm off to do some more testing.
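A static check for the two causes named above (relative or unquoted `client-config-dir`) plus the `route`/`iroute` pairing discussed earlier in the thread, as an added example that is not code from the posters or the OpenVPN project. The function names and sample strings are constructed for illustration, and Python's `shlex` is used as an approximation of how OpenVPN splits quoted arguments.

```python
import ipaddress
import ntpath
import shlex

# Constructed sample modelled on the thread's first server config and CCD file.
SERVER_RELATIVE = ("client-config-dir ccd\nroute 10.28.0.0 255.255.0.0\n"
                   ";route 10.28.63.0 255.255.255.0\n")
CCD = {"client": "iroute 10.28.0.0 255.255.0.0\n"}

def directives(text):
    """Yield [name, arg, ...] for each active line; ';' and '#' start comments."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(";"):
            tokens = shlex.split(line, comments=True)
            if tokens:
                yield tokens

def network(args):
    """route/iroute take 'network [netmask]'; the mask defaults to a host route."""
    mask = args[1] if len(args) > 1 else "255.255.255.255"
    return ipaddress.ip_network(f"{args[0]}/{mask}", strict=False)

def lint(server_conf, ccd_files):
    """Return findings for a server config (text) and {client_name: ccd_text}."""
    findings, routes, ccd_dir_seen = [], [], False
    for name, *args in directives(server_conf):
        if name == "route":
            routes.append(network(args))
        elif name == "client-config-dir":
            ccd_dir_seen = True
            if len(args) != 1:  # an unquoted path with a space splits in two
                findings.append("client-config-dir: path with spaces is not quoted")
            elif not ntpath.isabs(args[0]):
                findings.append(f"client-config-dir: relative path '{args[0]}'")
    if ccd_files and not ccd_dir_seen:
        findings.append("client-config-dir missing: CCD files are never read")
    iroutes = [(client, network(args)) for client, text in ccd_files.items()
               for name, *args in directives(text) if name == "iroute"]
    for client, net in iroutes:  # the OS needs a route that sends this subnet to the tunnel
        if not any(net.subnet_of(r) for r in routes):
            findings.append(f"{client}: iroute {net} has no covering server 'route'")
    for r in routes:  # OpenVPN needs an iroute to pick the client behind the subnet
        if not any(net.overlaps(r) for _, net in iroutes):
            findings.append(f"route {r} has no 'iroute' in any CCD file")
    return findings

if __name__ == "__main__":
    for finding in lint(SERVER_RELATIVE, CCD):
        print(finding)
```

A clean result only means the files are consistent with each other; whether the CCD file is actually read at connect time still has to be confirmed in the server log, as suggested in the thread.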