For about three or four days I have been trying to get the following to work properly:
A site-to-site OpenVPN between a Securepoint UTM (a commercial German firewall/router, as client) and a Debian host (as server).
At the moment this is a test scenario.
Site 1:
Securepoint UTM - 192.168.0.166
LAN 192.168.1.0/24
Site 2:
Debian 10 Buster - 192.168.0.144
LAN 192.168.2.10/24
Because there is no config file on the UTM side (only a GUI or OEM CLI), I can only edit/post the Debian server side:
Server config
port 1195
proto udp
dev tun
tls-server
ca ca.crt
cert OpenVPN-Server.crt
key OpenVPN-Server.key
dh dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2
keepalive 10 120
cipher BF-CBC
comp-noadapt
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
auth SHA1
route 192.168.1.0 255.255.255.0
client-config-dir /etc/openvpn/csc
And the /etc/openvpn/csc/OpenVPN-Client:
Client config
push "route 192.168.2.0 255.255.255.0"
iroute 192.168.1.0 255.255.255.0
So far, so good: I got the VPN connection up and stable. I can ping both ends (10.8.0.1, 10.8.0.2) from both sites.
But from the Debian side I cannot, for example, ping a server behind the UTM (e.g. 192.168.1.10).
Here's the "tcpdump -i tun0" (Debian) output when I ping:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
09:52:18.467273 IP 10.8.0.1 > 192.168.1.10: ICMP echo request, id 906, seq 1, length 64
Maybe the packets don't really go into the tunnel or don't get encrypted.
Firewall rules are set up on the UTM side and Securepoint support says it's fine (and they cannot debug another product, meaning Debian).
On the Debian side there is currently no firewall active.
Here are the routes:
Securepoint UTM:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.0.1 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 * 255.255.255.0 U 0 0 0 tun0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
192.168.0.0 * 255.255.255.0 U 0 0 0 eth0
192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
Debian:
Kernel-IP-Routentabelle
Ziel Router Genmask Flags Metric Ref Use Iface
default 192.168.0.1 0.0.0.0 UG 0 0 0 enp0s3
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 enp0s3
192.168.1.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
Maybe someone has an idea what's happening or what's wrong.
Thanks in advance.
Andy
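As an added example (not part of Andy's post, and not OpenVPN's own tooling), here is a small Python checker for the kind of site-to-site setup described above. It reads a server config and its client-config-dir entries and reports the things a reviewer would look at first: every `route` on the server should be paired with an `iroute` in exactly one ccd file (the kernel route alone sends packets into tun0, the `iroute` tells OpenVPN which client owns that subnet); an explicit `ifconfig` next to the `server` directive is redundant; and `cipher BF-CBC` / `auth SHA1` are weak choices. The embedded config is a constructed copy of the one in the post; the ccd file name and all paths are assumptions.

```python
"""Consistency and hygiene check for an OpenVPN site-to-site server config
plus its client-config-dir (ccd) entries.  Added example, not the poster's
setup or an OpenVPN utility; paths and names are assumptions."""
import shlex
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample input: the server config from the post and its single
# ccd entry (file name OpenVPN-Client assumed).
SERVER_CONF = """\
port 1195
proto udp
dev tun
tls-server
ca ca.crt
cert OpenVPN-Server.crt
key OpenVPN-Server.key
dh dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2
keepalive 10 120
cipher BF-CBC
comp-noadapt
persist-key
persist-tun
verb 3
explicit-exit-notify 1
auth SHA1
route 192.168.1.0 255.255.255.0
client-config-dir /etc/openvpn/csc
"""

CCD_FILES: Dict[str, str] = {
    "OpenVPN-Client": 'push "route 192.168.2.0 255.255.255.0"\n'
                      "iroute 192.168.1.0 255.255.255.0\n",
}

# 64-bit block ciphers (SWEET32 class) and digests no longer recommended.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC"}
WEAK_AUTH = {"MD5", "SHA1"}

Directive = Tuple[str, Tuple[str, ...]]


def parse_directives(text: str) -> List[Directive]:
    """Split an OpenVPN config into (directive, args); '#' and ';' open comments,
    quoted arguments such as push "route ..." stay one argument."""
    out: List[Directive] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            out.append((parts[0], tuple(parts[1:])))
    return out


def lint_openvpn(server_conf: str, ccd: Dict[str, str]) -> List[str]:
    """Return a list of human-readable findings (empty list means nothing found)."""
    findings: List[str] = []
    server = parse_directives(server_conf)
    names = {d for d, _ in server}

    # 1. Site-to-site routing needs both halves: 'route' on the server gives
    #    the kernel a path into tun0, 'iroute' in the ccd tells OpenVPN which
    #    client owns that subnet.  One without the other drops traffic.
    routes = {a[:2] for d, a in server if d == "route" and len(a) >= 2}
    iroutes: Dict[Tuple[str, ...], List[str]] = {}
    for client, text in ccd.items():
        dirs = parse_directives(text)
        for d, a in dirs:
            if d == "iroute" and len(a) >= 2:
                iroutes.setdefault(a[:2], []).append(client)
        # 2. A directive repeated verbatim inside one ccd file is at best noise.
        for (d, a), n in Counter(dirs).items():
            if n > 1:
                findings.append(f"{client}: duplicate directive '{d} {' '.join(a)}' ({n}x)")
    for net, mask in sorted(routes - set(iroutes)):
        findings.append(f"route {net} {mask} has no iroute in any ccd file")
    for (net, mask), clients in sorted(iroutes.items()):
        if (net, mask) not in routes:
            findings.append(f"iroute {net} {mask} in {clients} has no matching server route")
        if len(clients) > 1:
            findings.append(f"iroute {net} {mask} is claimed by several clients: {clients}")
    if iroutes and "client-config-dir" not in names:
        findings.append("ccd files present but server config lacks client-config-dir")

    # 3. 'server' already assigns the tun address; an explicit 'ifconfig' next
    #    to it is redundant, and under 'topology subnet' its second argument
    #    is a netmask rather than a peer address.
    if "server" in names and "ifconfig" in names:
        findings.append("explicit ifconfig alongside 'server'; check which address/netmask is intended")

    # 4. Weak data-channel crypto.
    for d, a in server:
        if d == "cipher" and a and a[0].upper() in WEAK_CIPHERS:
            findings.append(f"cipher {a[0]} is a 64-bit block cipher; prefer AES-256-GCM")
        if d == "auth" and a and a[0].upper() in WEAK_AUTH:
            findings.append(f"auth {a[0]} is a weak HMAC digest; prefer SHA256 or stronger")
    return findings


if __name__ == "__main__":
    for finding in lint_openvpn(SERVER_CONF, CCD_FILES):
        print("-", finding)
```

On the sample above the route/iroute pair checks out, so the checker only reports the redundant `ifconfig`, `BF-CBC` and `SHA1`; dropping the `iroute` from the ccd file, or repeating it, produces the corresponding finding.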