Remote VPN Problem

[ceegee32]

I have openVPN running between to sites working well. Site A ip 11.12.20.x site B ip 11.12.21.x. I am now trying to remotely vpn into site A to my vpn network 11.10.x.x and I'm having trouble reaching nodes on the site B network. I can ping the site B gateway 11.12.21.1 but that is as far as I can get. I suspect that there may be some conflict between my remote ip and the openVPN ip. Can someone suggest a fix for this.

[maikcat]

hi there,

can you please post configs , ips for both nodes (client and server)?
also can you tell os versions, openvpn versions ,any extra info regarding your setup
will help us to assist you...

cheers,

michael.

[ceegee32]

Michael,
Thanks for the reply. See configs from the client PC and the server. Also note the network is 10.x.x.x and not 11.x.x.x . Let me know if you need more info.

Regards

CeeGee32


C:\>ipconfig /all

Windows IP Configuration

Ethernet adapter MyTap:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Win32 Adapter V9
Physical Address. . . . . . . . . : 00-FF-D5-15-AA-F1
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.8.0.66
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 10.8.0.65
Lease Obtained. . . . . . . . . . : Thursday, February 03, 2011 2:20:02
PM
Lease Expires . . . . . . . . . . : Friday, February 03, 2012 2:20:02 PM


Ethernet adapter Wireless Network Connection 5:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Dell Wireless 1450 Dual-band (802.11
a/b/g) USB2.0 Adapter #4
Physical Address. . . . . . . . . : 00-14-A5-53-3D-B3
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.15.20.126
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.15.20.1
DHCP Server . . . . . . . . . . . : 10.15.20.1
DNS Servers . . . . . . . . . . . : 64.83.0.10
209.137.160.3
Lease Obtained. . . . . . . . . . : Thursday, February 03, 2011 2:05:30
PM
Lease Expires . . . . . . . . . . : Friday, February 04, 2011 2:05:30 PM

----------------------------------------------------------------------------------
Server Info:


openVPN version 2.0


[root@localhost ~]# cat /proc/version
Linux version 2.6.18-164.11.1.el5 (mockbuild@builder10.centos.org) (gcc version 4.1.2

20080704 (Red Hat 4.1.2-46)) #1 SMP Wed Jan 20 07:32:21 EST 2010
[root@localhost ~]#



[root@localhost ~]# netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.15.21.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.15.20.0 0.0.0.0 255.255.255.0 U 0 0 0 seth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 seth0
0.0.0.0 10.15.20.1 0.0.0.0 UG 0 0 0 seth0
---------------------------------------------------------------------------------
dev tun

;dev-node MyTap

# Configure server mode and supply a VPN subnet
server 10.8.0.0 255.255.255.0

# Configure server mode for ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge
push "route 10.15.20.0 255.255.255.0"
push "route 10.15.21.0 255.255.255.0"

client-config-dir /etc/openvpn/2.0
route 10.15.21.0 255.255.255.0

;client-config-dir ccd
;route 10.9.0.0 255.255.255.252

;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"

client-to-client

[maikcat]

hi there,

lets see if iam correct..

you have site a (10.15.20.0/24 subnet) and site b(10.15.21.0/24)
the openvpn server is located on site a with vpn ip 10.8.0.1

the site b is client right? what vpn ip it recieves?

you mention that the above lan-to-lan works ,
ip forwarding is enabled in both ends and works..
firewall rules are configured properly...(if any)

then you connect using windows and you get 10.8.0.66 ip on vpn interface.
are you receiving correctly the static routes from vpn server in your windows pc?

am i right so far?

cheers,

michael.

[ceegee32]

Michael,
When I connect remotely to site A I get the 10.8.0.66 IP and I can only ping the 10.15.21.1 address in site B nothing else, we have a server with a 10.15.21.24 address which is unreachable. I've attached the "ipconfig/all" and "netstat -nr" output from that server for you to see. Please take a look and let me know if routing is incorrect.

See output below.

Thank you
CG

C:\>
C:\>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : DEMO-SERVER-2
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 7:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom BCM5709C NetXtreme II GigE (NDIS
VBD Client) - Virtual Network
Physical Address. . . . . . . . . : 84-2B-2B-62-B7-6E
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::c042:a258:716a:35cc%19(Preferred)
IPv4 Address. . . . . . . . . . . : 10.15.21.24(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.15.21.1
DHCPv6 IAID . . . . . . . . . . . : 428092203
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-87-D7-99-00-1B-21-7A-F5-3C

DNS Servers . . . . . . . . . . . : 10.15.21.1
71.252.0.12
NetBIOS over Tcpip. . . . . . . . : Enabled

C:\>
C:\>
C:\>
C:\>
C:\>
C:\>netstat -nr
===========================================================================
Interface List
19 ...84 2b 2b 62 b7 6e ...... Broadcom BCM5709C NetXtreme II GigE (NDIS VBD Cl
ient) - Virtual Network
18 ...84 2b 2b 62 b7 70 ...... Broadcom BCM5709C NetXtreme II GigE (NDIS VBD Cl
ient) #2 - Virtual Network
12 ...00 1b 21 7a f5 3d ...... Intel(R) Gigabit ET Dual Port Server Adapter #2
11 ...00 1b 21 7a f5 3c ...... Intel(R) Gigabit ET Dual Port Server Adapter
1 ........................... Software Loopback Interface 1
15 ...00 00 00 00 00 00 00 e0 isatap.{D7EE1F88-2F7E-4509-AEEE-B647944685C2}
10 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
16 ...00 00 00 00 00 00 00 e0 isatap.{0209B135-6A8D-4C92-A7FB-458B6371A78F}
20 ...00 00 00 00 00 00 00 e0 isatap.{BEFE7F70-D6AE-40CA-BEBB-4B095505A2FE}
21 ...00 00 00 00 00 00 00 e0 isatap.{8CB15FC7-3D4E-47D3-B4CD-5611B050A172}
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.15.21.1 10.15.21.24 261
10.15.21.0 255.255.255.0 On-link 10.15.21.24 261
10.15.21.24 255.255.255.255 On-link 10.15.21.24 261
10.15.21.255 255.255.255.255 On-link 10.15.21.24 261
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
169.254.0.0 255.255.0.0 On-link 169.254.125.108 261
169.254.125.108 255.255.255.255 On-link 169.254.125.108 261
169.254.255.255 255.255.255.255 On-link 169.254.125.108 261
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 169.254.125.108 261
224.0.0.0 240.0.0.0 On-link 10.15.21.24 261
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 169.254.125.108 261
255.255.255.255 255.255.255.255 On-link 10.15.21.24 261
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 10.15.21.1 Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
18 261 fe80::/64 On-link
19 261 fe80::/64 On-link
19 261 fe80::c042:a258:716a:35cc/128
On-link
18 261 fe80::c563:a502:c0cf:7d6c/128
On-link
1 306 ff00::/8 On-link
18 261 ff00::/8 On-link
19 261 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

C:\>

[ceegee32]

Michael,

To add to my post, I believe I am having ip conflicts with the 10.8.0.0 network. When I remote into site A I get a 10.8.0.66 address and when I ping site B 10.15.21.24 it somehow does not know how to get back through site A (openVPN 10.8.0.0) to my remote laptop. It seems that I somehow have to extend the tunnel.

[ceegee32]

Michael,

Also in the client vpn startup log I got a message "WARNING: Potential route subnet conflict between local LAN (10.15.20.0) and remote VPN (10.15.20.0)

[maikcat]

hi there,

because i am confused a little bit,

can you post also the contents of any CCD files you are using..?

ps:a simple diagram would greatly help

cheers,

michael.

[ceegee32]

Hello,
I have a small visio diagram but I'm not sure how to get it in the forum. any ideas.
Thanks

[ceegee32]

I tried to attach a diagram but was unsuccessful.
My configuration is as follows.
Site A
--Linux V2.6.18 Red Hat server IP 10.15.20.2/24 (VPN IP 10.8.0.x/24) connected to a Linksys router (10.15.20.1/24)

Site B Linksys router (10.15.21.2/24) connects to Linksys v2.6.18 Red Hat server (VPN 10.8.0.x/24) Then we have a WIN machine connected to it (10.15.21.24/24) From site A I can reach the WIN machine, but whenI remote into site A I cannot reach the WIN machine. My remote Ethernet MyTap adapter gets an address of 10.8.0.66 255.255.255.252.

I wil try to find a way to post the diagram if needed, let me know if you need more info.
thanks
CG