Thanks janjust for the reply. The error was in the client's shorewall interfaces file:
client's original shorewall interfaces file
====================
#ZONE INTERFACE BROADCAST OPTIONS
bri br0 detect bridge,nosmurfs,blacklist,tcpflags,routeback,dhcp,routefilter
dmz br0:eth1 detect
vpn br0:tap0 detect
loc eth2 detect dhcp,tcpflags,routefilter
wr0 eth0 detect dhcp,tcpflags,routefilter
client's current shorewall interfaces file
====================
#ZONE INTERFACE BROADCAST OPTIONS
bri br0 detect bridge,nosmurfs,blacklist,tcpflags,routeback,dhcp,routefilter
dmz br0:eth1 detect
vpn tap0 detect <<-- changed tap0 from bridge port
loc eth2 detect dhcp,tcpflags,routefilter
wr0 eth0 detect dhcp,tcpflags,routefilter
One more question ... I observed the following in the client's syslog during openvpn startup:
Dec 22 04:51:02 client1 openvpn[1791]: Options error: remote: port number associated with host [my is out of range
Dec 22 04:51:02 client1 openvpn[1791]: Use --help for more information.
The client's openvpn.log shows both the local and remote port in the profile:
Thu Dec 22 04:51:01 2011 us=663560 Current Parameter Settings:
Thu Dec 22 04:51:01 2011 us=909374 config = 'client.conf'
Thu Dec 22 04:51:01 2011 us=909425 mode = 0
Thu Dec 22 04:51:01 2011 us=909461 persist_config = DISABLED
Thu Dec 22 04:51:01 2011 us=909492 persist_mode = 1
Thu Dec 22 04:51:01 2011 us=909525 show_ciphers = DISABLED
Thu Dec 22 04:51:01 2011 us=909555 show_digests = DISABLED
Thu Dec 22 04:51:01 2011 us=909586 show_engines = DISABLED
Thu Dec 22 04:51:01 2011 us=909616 genkey = DISABLED
Thu Dec 22 04:51:01 2011 us=909648 key_pass_file = '[UNDEF]'
Thu Dec 22 04:51:01 2011 us=909678 show_tls_ciphers = DISABLED
Thu Dec 22 04:51:01 2011 us=909736 Connection profiles [default]:
Thu Dec 22 04:51:01 2011 us=909773 proto = udp
Thu Dec 22 04:51:01 2011 us=909805 local = '[UNDEF]'
Thu Dec 22 04:51:01 2011 us=909836 local_port = 2727
Thu Dec 22 04:51:01 2011 us=909867 remote = 'xx.xx.xx.101'
Thu Dec 22 04:51:01 2011 us=909898 remote_port = 2727
Thu Dec 22 04:51:01 2011 us=909929 remote_float = DISABLED
Thu Dec 22 04:51:01 2011 us=909959 bind_defined = DISABLED
Thu Dec 22 04:51:01 2011 us=909991 bind_local = ENABLED
Thu Dec 22 04:51:01 2011 us=910021 connect_retry_seconds = 5
Thu Dec 22 04:51:01 2011 us=910053 connect_timeout = 10
Thu Dec 22 04:51:01 2011 us=910083 connect_retry_max = 0
Thu Dec 22 04:51:01 2011 us=910115 socks_proxy_server = '[UNDEF]'
Thu Dec 22 04:51:01 2011 us=910147 socks_proxy_port = 0
Thu Dec 22 04:51:01 2011 us=910185 socks_proxy_retry = DISABLED
Thu Dec 22 04:51:01 2011 us=910226 Connection profiles END
-----------
Thu Dec 22 04:51:01 2011 us=917707 OpenVPN 2.1.4 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Mar 17 2011
Thu Dec 22 04:51:01 2011 us=917949 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Dec 22 04:51:01 2011 us=999071 Control Channel Authentication: using 'client/ta.key' as a OpenVPN static key file
Thu Dec 22 04:51:01 2011 us=999132 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec 22 04:51:01 2011 us=999163 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec 22 04:51:01 2011 us=999206 LZO compression initialized
Thu Dec 22 04:51:01 2011 us=999352 Control Channel MTU parms [ L:1590 D:166 EF:66 EB:0 ET:0 EL:0 ]
Thu Dec 22 04:51:01 2011 us=999422 Socket Buffers: R=[524288->131072] S=[524288->131072]
Thu Dec 22 04:51:01 2011 us=999463 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Thu Dec 22 04:51:01 2011 us=999508 Local Options String: 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Thu Dec 22 04:51:01 2011 us=999531 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Thu Dec 22 04:51:01 2011 us=999571 Local Options hash (VER=V4): 'a7133b47'
Thu Dec 22 04:51:01 2011 us=999603 Expected Remote Options hash (VER=V4): 'c5677ab3'
Thu Dec 22 04:51:02 2011 us=3993 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Thu Dec 22 04:51:02 2011 us=4172 UDPv4 link local (bound): [undef]:2727
Thu Dec 22 04:51:02 2011 us=4224 UDPv4 link remote: xx.xx.xx.101:2727
Thu Dec 22 04:51:02 2011 us=91178 TLS: Initial packet from xx.xx.xx.101:2727, sid=7db0d81f 40a185fa
Thu Dec 22 04:51:02 2011 us=676645 VERIFY OK: depth=1, /C=US/ST=CA/L=City/O=Company/CN=Org_CA/emailAddress=emailaddress
Thu Dec 22 04:51:02 2011 us=677180 VERIFY OK: nsCertType=SERVER
Thu Dec 22 04:51:02 2011 us=677210 VERIFY OK: depth=0, /C=US/ST=CA/L=City/O=Company/CN=server/emailAddress=emailaddress
Thu Dec 22 04:51:03 2011 us=895549 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Thu Dec 22 04:51:03 2011 us=895595 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec 22 04:51:03 2011 us=895624 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Thu Dec 22 04:51:03 2011 us=895652 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec 22 04:51:03 2011 us=895767 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Thu Dec 22 04:51:03 2011 us=895814 [server] Peer Connection Initiated with xx.xx.xx.101:2727
Thu Dec 22 04:51:06 2011 us=302784 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Dec 22 04:51:06 2011 us=379033 PUSH: Received control message: 'PUSH_REPLY,route 10.10.10.0 255.255.255.0,route 10.10.11.0 255.255.255.0,persist-key,persist-tun,route-gateway 10.10.12.254,ping 10,ping-restart 120,ifconfig 10.10.12.80 255.255.255.0'
Thu Dec 22 04:51:06 2011 us=379187 OPTIONS IMPORT: timers and/or timeouts modified
Thu Dec 22 04:51:06 2011 us=379212 OPTIONS IMPORT: --persist options modified
Thu Dec 22 04:51:06 2011 us=379234 OPTIONS IMPORT: --ifconfig/up options modified
Thu Dec 22 04:51:06 2011 us=379256 OPTIONS IMPORT: route options modified
Thu Dec 22 04:51:06 2011 us=379278 OPTIONS IMPORT: route-related options modified
Thu Dec 22 04:51:06 2011 us=379616 ROUTE default_gateway=98.xxx.xxx.1
Thu Dec 22 04:51:06 2011 us=379743 TUN/TAP device tap0 opened
Thu Dec 22 04:51:06 2011 us=379782 TUN/TAP TX queue length set to 100
Thu Dec 22 04:51:06 2011 us=379843 /sbin/ip link set dev tap0 up mtu 1500
Thu Dec 22 04:51:06 2011 us=383604 /sbin/ip addr add dev tap0 10.10.12.80/24 broadcast 10.10.12.255
Thu Dec 22 04:51:06 2011 us=386077 /sbin/ip route add 10.10.10.0/24 via 10.10.12.254
Thu Dec 22 04:51:06 2011 us=388077 /sbin/ip route add 10.10.11.0/24 via 10.10.12.254
Thu Dec 22 04:51:06 2011 us=389830 GID set to nobody
Thu Dec 22 04:51:06 2011 us=389899 UID set to nobody
Thu Dec 22 04:51:06 2011 us=389937 Initialization Sequence Completed
Given that the client's openvpn.log indicates initialization completed with both remote and local ports configured, can I safely ignore the client's syslog openvpn startup message 'Options error: remote: port number associated with host'? I am still troubleshooting routing issues and thought maybe I need to know the reason for this complaint before going further.
Regards
flash
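As an added example (not part of the forum post, and not Shorewall's or OpenVPN's own tooling), here is a small Python checker for the kind of mismatch the post fixed: a zone entry written in the BRIDGE:PORT form whose port is not actually enslaved to that bridge, so the zone's rules never match the traffic the admin expects them to cover. On a live host it reads bridge membership from `/sys/class/net/<bridge>/brif`; the interfaces file contents and the bridge-port mapping embedded below are constructed to mirror the post's original and corrected entries so the example runs offline.

```python
"""Validate shorewall 'interfaces' bridge-port entries against real bridge membership.

Added example, not from the forum post. A line such as 'vpn br0:tap0' tells Shorewall
that tap0 is a port of bridge br0; if tap0 is not enslaved to br0, traffic on tap0 is
not classified into the 'vpn' zone as intended. This script flags such entries.
"""
import os

# Constructed copy of the post's original interfaces file (the broken one).
SAMPLE_INTERFACES = """\
#ZONE INTERFACE BROADCAST OPTIONS
bri br0 detect bridge,nosmurfs,blacklist,tcpflags,routeback,dhcp,routefilter
dmz br0:eth1 detect
vpn br0:tap0 detect
loc eth2 detect dhcp,tcpflags,routefilter
wr0 eth0 detect dhcp,tcpflags,routefilter
"""

# Constructed copy of the post's corrected file: tap0 declared as a plain interface.
FIXED_INTERFACES = SAMPLE_INTERFACES.replace("vpn br0:tap0 detect", "vpn tap0 detect")

# Constructed stand-in for /sys/class/net/br0/brif on the client:
# eth1 is a real port of br0, tap0 is a stand-alone OpenVPN tap interface.
SAMPLE_BRIDGE_PORTS = {"br0": {"eth1"}}


def parse_interfaces(text):
    """Return (zone, interface, port, options) tuples from interfaces-file text.

    Blank lines and '#' comments are skipped. INTERFACE is either a plain device
    name (port is None) or BRIDGE:PORT. OPTIONS (4th column) is optional.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line; Shorewall itself would reject it
        zone, iface = fields[0], fields[1]
        options = set(fields[3].split(",")) if len(fields) >= 4 else set()
        bridge, _, port = iface.partition(":")
        entries.append((zone, bridge, port or None, options))
    return entries


def read_bridge_ports(bridge):
    """Read the enslaved ports of a bridge from sysfs (live hosts only)."""
    try:
        return set(os.listdir(f"/sys/class/net/{bridge}/brif"))
    except OSError:
        return set()


def check_interfaces(text, bridge_ports=None):
    """Return human-readable findings for BRIDGE:PORT entries that do not match reality.

    bridge_ports maps bridge name -> set of enslaved ports; when None, sysfs is used.
    """
    entries = parse_interfaces(text)
    # Bridges are the plain entries carrying the 'bridge' option (e.g. 'bri br0 ... bridge,...').
    declared_bridges = {iface for _, iface, port, opts in entries
                        if port is None and "bridge" in opts}
    findings = []
    for zone, iface, port, _opts in entries:
        if port is None:
            continue  # plain interface entry, nothing to cross-check
        if iface not in declared_bridges:
            findings.append(f"{zone}: {iface}:{port} names {iface}, which has no 'bridge' entry")
        members = (bridge_ports.get(iface, set()) if bridge_ports is not None
                   else read_bridge_ports(iface))
        if port not in members:
            findings.append(f"{zone}: {port} is declared as a port of {iface} "
                            f"but is not enslaved to it")
    return findings


if __name__ == "__main__":
    for label, text in (("original", SAMPLE_INTERFACES), ("corrected", FIXED_INTERFACES)):
        problems = check_interfaces(text, SAMPLE_BRIDGE_PORTS)
        print(f"{label}: {len(problems)} finding(s)")
        for p in problems:
            print("  " + p)
```

Run against the original file it reports the `vpn` entry (tap0 is not a port of br0); against the corrected file it reports nothing. To check a real host, call `check_interfaces(open('/etc/shorewall/interfaces').read())` with no mapping so sysfs is consulted.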