
site-to-site between Securepoint UTM & Debian - problems with routing

Posted: Thu Jun 25, 2020 10:06 am
by andydld
Hi together,

For about three or four days I have been trying to get the following to work properly:

A site-to-site OpenVPN between a Securepoint UTM (commercial German firewall router, as client) and a Debian box (as server).

At the moment this is a test scenario.

Site 1:

Securepoint UTM - 192.168.0.166
LAN 192.168.1.0/24

Site 2:

Debian 10 Buster - 192.168.0.144
LAN 192.168.2.10/24

Because there is no config file on the UTM side (only a GUI or OEM CLI), I can only edit/post the Debian server side:

Server config
port 1195

proto udp

dev tun

tls-server
ca ca.crt
cert OpenVPN-Server.crt
key OpenVPN-Server.key

dh dh2048.pem

topology subnet

server 10.8.0.0 255.255.255.0

ifconfig 10.8.0.1 10.8.0.2

keepalive 10 120

cipher BF-CBC

comp-noadapt

persist-key
persist-tun

status /var/log/openvpn/openvpn-status.log

log /var/log/openvpn/openvpn.log

verb 3

explicit-exit-notify 1

auth SHA1

route 192.168.1.0 255.255.255.0

client-config-dir /etc/openvpn/csc


And the /etc/openvpn/csc/OpenVPN-Client:

Client config
push "route 192.168.2.0 255.255.255.0"
iroute 192.168.1.0 255.255.255.0


So far, so good: I got the VPN connection up and stable. I can ping both ends (10.8.0.1, 10.8.0.2) from both sites.
But from the Debian side I cannot, e.g., ping a server behind the UTM (e.g. 192.168.1.10).

Here's the "tcpdump -i tun0" (Debian) output when I ping:


tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
09:52:18.467273 IP 10.8.0.1 > 192.168.1.10: ICMP echo request, id 906, seq 1, length 64
So it seems the ping goes into the tunnel, but on the UTM side tcpdump shows nothing.
Maybe the packets don't really go into the tunnel or don't get encrypted.

Firewall rules are set up on the UTM side and Securepoint support says it's fine (and they cannot debug another product, meaning Debian).
On the Debian side there is currently no firewall active.

Here are the routes:

Securepoint UTM:


Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
10.8.0.0        *               255.255.255.0   U     0      0        0 tun0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
Debian:


Kernel-IP-Routentabelle
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
default         192.168.0.1     0.0.0.0         UG    0      0        0 enp0s3
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 enp0s3
192.168.1.0     10.8.0.2        255.255.255.0   UG    0      0        0 tun0
The next strange thing is that when I use this OpenVPN server config on a pfSense (instead of Debian), everything works.

Maybe someone has an idea what's happening or what's wrong.

Thanks in advance.

Andy

Re: site-to-site between Securepoint UTM & Debian - problems with routing

Posted: Thu Jun 25, 2020 2:49 pm
by andydld
Just tried the current stable of openvpn & another config, but still no joy.

Server config
dev tun

mode server

tls-server

proto udp

tun-mtu 1500

ca ca.crt
cert OpenVPN-Server.crt
key OpenVPN-Server.key

server 10.8.0.0 255.255.255.0

topology subnet

port 1195

dh dh2048.pem

keepalive 10 120

# cipher BF-CBC
cipher AES-256-CBC

comp-noadapt

persist-key
persist-tun

status /var/log/openvpn/openvpn-status.log

log /var/log/openvpn/openvpn.log

verb 4

explicit-exit-notify 1

auth SHA256

route 192.168.1.0 255.255.255.0

client-config-dir /etc/openvpn/csc/server

Re: site-to-site between Securepoint UTM & Debian - problems with routing

Posted: Thu Jun 25, 2020 3:30 pm
by Pippin
Would you be so kind and use the Preview button before posting?

Thanks.

Re: site-to-site between Securepoint UTM & Debian - problems with routing

Posted: Fri Jun 26, 2020 5:09 am
by andydld
I did and used the "oconf=" and "olog", too.
Please let me know what's wrong, so I can do it better in the future.
Thanks.

Re: site-to-site between Securepoint UTM & Debian - problems with routing

Posted: Fri Jun 26, 2020 4:46 pm
by Pippin
olog never worked, don't use it.

Configuration files:
oconf=Client config (<in brackets)
client
dev tun
proto udp
etc.
/oconf (<in brackets)

Logs, routes, etc.
code (<in brackets)
Fri Jun 26 17:22:42 2020 us=149684 Current Parameter Settings:
Fri Jun 26 17:22:42 2020 us=149813 config = 'nl1.conf'
Fri Jun 26 17:22:42 2020 us=149847 mode = 0
etc.
/code (<in brackets)

Re: site-to-site between Securepoint UTM & Debian - problems with routing

Posted: Tue Jun 30, 2020 11:03 am
by andydld
I found the reason why it didn't work with the latest posted config. I just forgot to change the subnets (iroute, push route) within the CSC after I got this config out of a UTM. So here's the current working configuration:

Server-Config

dev tun
mode server
tls-server
proto udp
tun-mtu 1500
ca ca.crt
cert OpenVPN-Server.crt
key OpenVPN-Server.key
server 10.8.0.0 255.255.255.0
topology subnet
port 1195
dh dh2048.pem
keepalive 10 120
cipher AES-256-CBC
comp-noadapt
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
auth SHA256
route 192.168.1.0 255.255.255.0
client-config-dir /etc/openvpn/csc/server


OpenVPN-Client CSC

iroute 192.168.1.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"
ifconfig-push 10.8.0.2 255.255.255.0
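The two things this thread turned on, the server-side `route` needing a matching `iroute` in a CSC (first post: the ping enters tun0 and vanishes) and a CSC whose subnets were not swapped after being exported from the UTM (last post), are easy to check mechanically before the tunnel is brought up. The following Python checker is an added example, not code from the thread or from the OpenVPN project. It re-implements only as much of OpenVPN's config parsing as `route`, `iroute`, `push "route ..."`, `server` and `cipher` need, and uses the working server config and CSC from the last post as constructed sample input, together with a constructed "stale" CSC with the subnets still the other way round. Function names and the wording of the findings are this example's own.

```python
"""Consistency checks for an OpenVPN site-to-site server config and its
client-config-dir (CSC) files.  Added example; not from the thread or OpenVPN."""
import ipaddress
import shlex

# Ciphers with a 64-bit block size (SWEET32); BF-CBC was OpenVPN's old default
# and is deprecated since OpenVPN 2.5.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "CAST5-CBC"}


def parse_directives(text):
    """Turn config text into [(directive, [args])].  Blank and comment lines
    (# or ;) are skipped; shlex keeps push "route a b" as one argument."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            directives.append((parts[0], parts[1:]))
    return directives


def to_network(addr, mask):
    """OpenVPN writes 'NET MASK'; ipaddress accepts 'NET/MASK' with a dotted mask."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def subnets(directives, name):
    """All NET MASK pairs given to one directive ('route' or 'iroute')."""
    return [to_network(a[0], a[1]) for d, a in directives if d == name and len(a) >= 2]


def pushed_routes(directives):
    """Subnets inside push "route NET MASK" lines.  The quoted payload is itself
    an option line, so it is split a second time."""
    nets = []
    for d, a in directives:
        if d == "push" and a:
            inner = shlex.split(a[0])
            if len(inner) >= 3 and inner[0] == "route":
                nets.append(to_network(inner[1], inner[2]))
    return nets


def check_site_to_site(server_conf, csc_files):
    """Return a list of finding strings (empty means consistent).
    csc_files maps the CSC file name (must equal the client cert CN) to its text."""
    findings = []
    srv = parse_directives(server_conf)
    server_routes = subnets(srv, "route")
    pool = None
    for d, a in srv:
        if d == "server" and len(a) >= 2:
            pool = to_network(a[0], a[1])          # the tunnel address pool
        elif d == "cipher" and a and a[0].upper() in WEAK_CIPHERS:
            findings.append(f"server: cipher {a[0]} has a 64-bit block size; use AES-256-GCM or AES-256-CBC")
    all_iroutes = []
    for name, text in csc_files.items():
        csc = parse_directives(text)
        iroutes = subnets(csc, "iroute")
        pushes = pushed_routes(csc)
        all_iroutes.extend(iroutes)
        for net in iroutes:
            if net not in server_routes:   # kernel never sends this subnet into tun0
                findings.append(f"{name}: iroute {net} has no matching 'route' in the server config, so the kernel never sends that subnet into tun0")
            if pool is not None and net.overlaps(pool):
                findings.append(f"{name}: iroute {net} overlaps the VPN pool {pool}")
            if net in pushes:              # client gets its own LAN pushed back
                findings.append(f'{name}: push "route {net}" hands the client its own LAN back; push the server-side LAN instead')
    for net in server_routes:              # OpenVPN has no client to forward to
        if net not in all_iroutes:
            findings.append(f"server: route {net} has no iroute in any CSC, so OpenVPN drops packets for it after they enter tun0")
    return findings


# Constructed sample input: the working server config and CSC from the last post
# (trimmed to the lines the checks look at) plus a stale CSC with swapped subnets.
SERVER_CONF = """\
dev tun
mode server
tls-server
proto udp
server 10.8.0.0 255.255.255.0
topology subnet
port 1195
cipher AES-256-CBC
auth SHA256
route 192.168.1.0 255.255.255.0
client-config-dir /etc/openvpn/csc/server
"""
CSC_OK = """\
iroute 192.168.1.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"
ifconfig-push 10.8.0.2 255.255.255.0
"""
CSC_STALE = """\
# constructed: subnets still the other way round, as if exported from the UTM
iroute 192.168.2.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
"""

if __name__ == "__main__":
    for label, csc in (("working", CSC_OK), ("stale", CSC_STALE)):
        print(f"== {label} CSC ==")
        for f in check_site_to_site(SERVER_CONF, {"OpenVPN-Client": csc}) or ["consistent"]:
            print(" ", f)
```

The checker takes the CSC file name as given; OpenVPN only reads a CSC whose file name equals the client certificate's CN, and that correspondence cannot be verified from the config text alone, so a silently ignored CSC still has to be confirmed from the server log at `verb 4`. The weak-cipher finding is there because the first posted config used BF-CBC; the thread's final config had already moved to AES-256-CBC.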