
forwarding issue

Posted: Thu Feb 03, 2011 9:20 pm
by hansaplast
I have two firewalls. Both run on a different IP.
I forward UDP OpenVPN traffic to an OpenVPN server on the LAN.

When connecting via fw1.domain.dom to the OpenVPN server it works fine. However, if I change my client config from "remote fw1.domain.dom" to "remote fw2.domain.dom", the connection hangs at:


Thu Feb 03 22:16:22 2011 OpenVPN 2.1.3 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Aug 20 2010
Thu Feb 03 22:16:22 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu Feb 03 22:16:22 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Feb 03 22:16:26 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Feb 03 22:16:26 2011 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Thu Feb 03 22:16:26 2011 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb 03 22:16:26 2011 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb 03 22:16:26 2011 LZO compression initialized
Thu Feb 03 22:16:26 2011 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Thu Feb 03 22:16:27 2011 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Feb 03 22:16:27 2011 Local Options hash (VER=V4): '123f4b88'
Thu Feb 03 22:16:27 2011 Expected Remote Options hash (VER=V4): '1123458f'
Thu Feb 03 22:16:27 2011 UDPv4 link local: [undef]
Thu Feb 03 22:16:27 2011 UDPv4 link remote: xxx.xxx.xxx.xxx:1194
.... nothing happens here. It just waits ....
This is odd...

Re: forwarding issue

Posted: Fri Feb 04, 2011 7:33 am
by maikcat
hi there,

Can you please post configs/IPs for the OpenVPN server, firewalls, etc.?

What default gw does the OpenVPN server have?

cheers,

michael.

Re: forwarding issue

Posted: Thu Feb 10, 2011 10:37 am
by hansaplast
Turned out to be the gateway on the VPN server. Thanks for pointing that out.

This however poses a problem. I have two firewalls, one primary and one fall-back/backup. On the LAN side the FWs reside in the same LAN segment. Some customers want VPN redundancy. So I configured two VPN tunnels, one via FW1 and a backup via FW2. Since the default gw on the VPN server points to FW1, OpenVPN doesn't establish a tunnel via FW2 and just sits there waiting... Is there a way to get around this?

Regards

Re: forwarding issue

Posted: Thu Feb 10, 2011 10:43 am
by maikcat
hi there,

I don't think that this is an OpenVPN problem but the host OS that OpenVPN runs on.
If the OS loses its internet connection, then what can OpenVPN (which is simply a service)
really do about it?

Also, there are open source products that have OpenVPN + firewall + failover support
(Untangle, Zeroshell, pfSense).

cheers,

michael.
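
The failure hansaplast describes (replies from the VPN server leaving through FW1 even when the request came in through FW2, so FW1 sees a UDP flow it has no state for and the handshake never completes) is an asymmetric-routing problem on the server's host OS, which is the point maikcat makes. The usual host-side answer is source-based policy routing: give the server a second LAN address, have FW2 forward to that address, and route replies sourced from it via FW2. The following Python is an added example, not code from the thread or from the OpenVPN project; it models the Linux `ip rule` / `ip route` lookup so the effect of the rule can be checked offline. All addresses (192.168.1.0/24, the firewall and server addresses, the 203.0.113.5 client, routing table 100) are constructed for the example and are not the poster's.

```python
"""Policy-routing model for the two-firewall OpenVPN setup (added example)."""
import ipaddress

# Constructed topology (assumed for this example, not taken from the thread).
LAN = ipaddress.ip_network("192.168.1.0/24")
FW1_LAN = "192.168.1.1"        # primary firewall, the server's default gateway
FW2_LAN = "192.168.1.2"        # backup firewall, same LAN segment
SRV_VIA_FW1 = "192.168.1.10"   # FW1 forwards udp/1194 to this server address
SRV_VIA_FW2 = "192.168.1.11"   # second address on the server; FW2 forwards here
CLIENT = "203.0.113.5"         # constructed VPN client public address
FW2_TABLE = 100                # extra routing table id used on the server


class PolicyRouter:
    """Minimal model of Linux 'ip rule' + 'ip route' lookup semantics."""

    def __init__(self):
        self.tables = {"main": []}   # table -> [(prefix, gateway_or_None)]
        self.rules = []              # [(priority, source_prefix, table)]
        # 'ip rule' always carries a catch-all rule pointing at the main table.
        self.add_rule(32766, "0.0.0.0/0", "main")

    def add_route(self, prefix, gateway=None, table="main"):
        self.tables.setdefault(table, []).append(
            (ipaddress.ip_network(prefix), gateway))

    def add_rule(self, priority, source, table):
        self.rules.append((priority, ipaddress.ip_network(source), table))
        self.rules.sort(key=lambda r: r[0])

    def _lookup_table(self, table, dst):
        """Longest-prefix match inside one table; None when nothing matches."""
        best = None
        for prefix, gw in self.tables.get(table, []):
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, gw)
        return best

    def next_hop(self, src, dst):
        """Return (gateway, table) for a packet from src to dst; gateway None
        means directly connected. Rules are tried in priority order and a
        table without a matching route falls through to the next rule."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for _prio, src_prefix, table in self.rules:
            if src in src_prefix:
                hit = self._lookup_table(table, dst)
                if hit is not None:
                    return hit[1], table
        raise LookupError("Network is unreachable")


def single_gateway_server():
    """The situation in the thread: one default route, via FW1."""
    r = PolicyRouter()
    r.add_route(str(LAN))              # directly connected LAN
    r.add_route("0.0.0.0/0", FW1_LAN)  # ip route add default via 192.168.1.1
    return r


def policy_routed_server():
    """Source-based policy routing: anything the server sends from the
    address FW2 forwards to is routed back through FW2.  The equivalent
    commands on a Linux server would be (assumed, with the constructed
    addresses above):
        ip addr add 192.168.1.11/24 dev eth0
        ip route add 192.168.1.0/24 dev eth0 src 192.168.1.11 table 100
        ip route add default via 192.168.1.2 table 100
        ip rule add from 192.168.1.11 table 100
    """
    r = single_gateway_server()
    r.add_route(str(LAN), table=FW2_TABLE)
    r.add_route("0.0.0.0/0", FW2_LAN, table=FW2_TABLE)
    r.add_rule(100, SRV_VIA_FW2 + "/32", FW2_TABLE)
    return r


def reply_gateway(router, server_addr, client_addr):
    """Gateway the server's UDP reply leaves through (None = directly on LAN)."""
    return router.next_hop(server_addr, client_addr)[0]


def reply_is_symmetric(router, ingress_fw, server_addr, client_addr):
    """True when the reply goes back through the firewall that forwarded the
    request; False means the reply hits a firewall with no state for the flow."""
    return reply_gateway(router, server_addr, client_addr) == ingress_fw


if __name__ == "__main__":
    before, after = single_gateway_server(), policy_routed_server()
    print("via FW2, single gateway:", reply_gateway(before, SRV_VIA_FW2, CLIENT))
    print("via FW2, policy routed:", reply_gateway(after, SRV_VIA_FW2, CLIENT))
    print("via FW1, policy routed:", reply_gateway(after, SRV_VIA_FW1, CLIENT))
```

Two practical caveats with this approach. OpenVPN's UDP server socket is normally bound to all addresses, and without the `--multihome` option the kernel chooses the reply's source address by route, which would be the primary address and so would never match the rule; `--multihome` makes the server answer from the address the request arrived on. Alternatively, FW2 can SNAT forwarded VPN packets to its own LAN address, in which case replies are addressed to FW2 directly and no policy routing on the server is needed, at the cost of losing the real client address in the server's logs.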