Windows 2003 - Server cannot ping client.
Posted: Fri Sep 09, 2011 5:30 am
by Philip87
I have been banging my head for some time now, and I am hoping someone can assist with my config. Here is the info:
Site 1 - Server Side
-----------
OpenVPN 2.1 running on Win 2K3
Two interfaces
Lan A - 10.214.85.134 on 10.214.85.128/27
Lan B - 10.214.85.164 on 10.214.85.160/28
Site 2 - Client Side
-----------
OpenVPN 2.1 running on Win 2K3
One interface, multiple LANs
Lan C - 10.28.63.131 on 10.28.63.0/24
Lan D - 10.28.120.0/24
Lan E - 10.28.150.0/24
What works
--------------
- Client can ping server.
- With RRAS enabled at Site 1 (server), 10.28.63.131 (client) @ Site 2 can ping/connect to Server A and all nodes on LAN A & B.
- With RRAS disabled at server, client node can only connect to/see Server
What doesn't work.
-------------------
- No hosts behind client at site 2 can see anything at site 1.
- Server and hosts behind server (Site 1) cannot ping/see hosts at site 2, including 10.28.63.131.
- Server can ping client at VPN IP address (10.8.0.6)
Re: Windows 2003 - Server cannot ping client.
Posted: Fri Sep 09, 2011 5:35 am
by Philip87
Server config
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0           # VPN pool; the server takes 10.8.0.1
ifconfig-pool-persist ipp.txt
push "route 10.214.85.128 255.255.255.224"   # Site 1 LAN A, installed on the client
push "route 10.214.85.160 255.255.255.240"   # Site 1 LAN B, installed on the client
client-config-dir ccd                   # relative path, resolved against the process working directory
route 10.28.0.0 255.255.0.0             # kernel route for the Site 2 subnets into the tun; needs a matching iroute in the CCD file
;route 10.28.63.0 255.255.255.0
;route 10.28.120.0 255.255.255.0
;route 10.28.150.0 255.255.255.0
client-to-client
keepalive 3 15
cipher BF-CBC # Blowfish (default)
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
mute                                    # --mute takes a count (the client config uses "mute 20")
Re: Windows 2003 - Server cannot ping client.
Posted: Fri Sep 09, 2011 5:40 am
by Philip87
Client CCD file
iroute 10.28.0.0 255.255.0.0            # tells OpenVPN which client owns the subnet; must be covered by a server-side "route"
Client Config
client
dev tun
proto udp
remote 1.2.3.4 1194                     # server address (placeholder in the post)
resolv-retry infinite
nobind
persist-key
persist-tun
keepalive 3 10
ca ca.crt
cert client.crt
key client.key
ns-cert-type server                     # only accept a server whose cert carries nsCertType=server
comp-lzo
verb 3
mute 20
Re: Windows 2003 - Server cannot ping client.
Posted: Fri Sep 09, 2011 5:44 am
by Philip87
Client routing table
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.28.63.232 10.28.63.131 1
10.8.0.0 255.255.255.0 10.8.0.5 10.8.0.6 1
10.8.0.4 255.255.255.252 10.8.0.6 10.8.0.6 30
10.8.0.6 255.255.255.255 127.0.0.1 127.0.0.1 30
10.214.85.128 255.255.255.224 10.8.0.5 10.8.0.6 1
10.214.85.160 255.255.255.240 10.8.0.5 10.8.0.6 1
10.28.63.0 255.255.255.0 10.28.63.131 10.28.63.131 10
10.28.63.131 255.255.255.255 127.0.0.1 127.0.0.1 10
10.255.255.255 255.255.255.255 10.8.0.6 10.8.0.6 30
10.255.255.255 255.255.255.255 10.28.63.131 10.28.63.131 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 240.0.0.0 10.8.0.6 10.8.0.6 30
224.0.0.0 240.0.0.0 10.28.63.131 10.28.63.131 10
255.255.255.255 255.255.255.255 10.8.0.6 10.8.0.6 1
255.255.255.255 255.255.255.255 10.8.0.6 3 1
255.255.255.255 255.255.255.255 10.28.63.131 10.28.63.131 1
Default Gateway: 10.28.63.232
===========================================================================
Persistent Routes:
None
Server Routing Table
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.214.85.129 10.214.85.134 10
10.8.0.0 255.255.255.252 10.8.0.1 10.8.0.1 30
10.8.0.0 255.255.255.0 10.8.0.2 10.8.0.1 1
10.8.0.1 255.255.255.255 127.0.0.1 127.0.0.1 30
10.214.85.128 255.255.255.224 10.214.85.134 10.214.85.134 10
10.214.85.134 255.255.255.255 127.0.0.1 127.0.0.1 10
10.214.85.160 255.255.255.240 10.214.85.164 10.214.85.164 10
10.214.85.164 255.255.255.255 127.0.0.1 127.0.0.1 10
10.28.0.0 255.255.0.0 10.8.0.2 10.8.0.1 1
10.255.255.255 255.255.255.255 10.8.0.1 10.8.0.1 30
10.255.255.255 255.255.255.255 10.214.85.134 10.214.85.134 10
10.255.255.255 255.255.255.255 10.214.85.164 10.214.85.164 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 240.0.0.0 10.8.0.1 10.8.0.1 30
224.0.0.0 240.0.0.0 10.214.85.134 10.214.85.134 10
224.0.0.0 240.0.0.0 10.214.85.164 10.214.85.164 10
255.255.255.255 255.255.255.255 10.8.0.1 10.8.0.1 1
255.255.255.255 255.255.255.255 10.214.85.134 10.214.85.134 1
255.255.255.255 255.255.255.255 10.214.85.164 10.214.85.164 1
Default Gateway: 10.214.85.129
===========================================================================
Persistent Routes:
None
Re: Windows 2003 - Server cannot ping client.
Posted: Tue Sep 13, 2011 7:14 pm
by Philip87
Bump. No one has any ideas?
Re: Windows 2003 - Server cannot ping client.
Posted: Tue Sep 13, 2011 9:29 pm
by janjust
the statement
is required on the server side - uncomment it.
change the CCD file to
use an absolute path for the 'client-config-dir' directory and add
to the server log file; restart the openvpn service and reconnect the client; make sure the CCD file is read when the client connects.
Re: Windows 2003 - Server cannot ping client.
Posted: Tue Sep 13, 2011 9:40 pm
by Philip87
janjust wrote:
the statement
is required on the server side - uncomment it.
change the CCD file to
I'll try that. I think that I had the more specific route (as you suggested) earlier. But I've changed it around trying so many times I've forgotten.
janjust wrote:
use an absolute path for the 'client-config-dir' directory and add
to the server log file; restart the openvpn service and reconnect the client; make sure the CCD file is read when the client connects.
Thanks. I'll do both of those.
Re: Windows 2003 - Server cannot ping client.
Posted: Wed Sep 14, 2011 12:22 pm
by Philip87
Oddly, now it connects but neither client nor server can ping the other, even using the link IPs. I'm combing through the logs now. I see no entries referencing CCD, either positive or negative.
Routes are definitely being pushed, but I can't determine if iroutes are. Even so, should I not be able to ping the virtual interface IPs?
Windows RRAS has been on and off on both ends, and firewalls have been verified off.
Re: Windows 2003 - Server cannot ping client.
Posted: Wed Sep 14, 2011 2:12 pm
by janjust
try adding
if the CCD file is not picked up the connection is rejected.
Re: Windows 2003 - Server cannot ping client.
Posted: Wed Sep 14, 2011 5:00 pm
by Philip87
Thank you very much, that was very helpful. For the record, the problem appears to have been:
1. CCD with relative path was not getting picked up.
2. Windows path with space was not configured correctly.
C:\\program files\\openvpn\ccd should have had quotes like this
"C:\\program files\\openvpn\ccd"
Now I'm off to do some more testing.
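The two failure modes this thread turned on (a client-config-dir that is never read because the path is relative or unquoted, and server "route" lines that do not line up with the CCD "iroute") can both be caught before restarting the service. The following checker is an added example written for this page; it is not code from the thread or from the OpenVPN project. It embeds a trimmed copy of the server config posted above as constructed sample input, assumes the CCD file is named "client" (it must match the client certificate CN, which the thread never shows), and writes the fixed path with doubled backslashes as OpenVPN's Windows notes recommend.

```python
"""Static check of an OpenVPN server config plus its CCD directory.

Added example modelled on the thread above (not OpenVPN project code).
Flags: (1) client-config-dir that is relative or has unquoted spaces, so
the CCD file (and its iroute) is silently never read; (2) server `route`
and CCD `iroute` entries that do not cover each other.
"""
import ipaddress
import ntpath
import posixpath

# Constructed sample: the posted server config, trimmed to the directives
# the checker cares about ('#' and ';' lines kept so the parser must skip them).
SERVER_CONF_ORIGINAL = """\
port 1194
proto udp
dev tun
key server.key # This file should be kept secret
server 10.8.0.0 255.255.255.0
push "route 10.214.85.128 255.255.255.224"
push "route 10.214.85.160 255.255.255.240"
client-config-dir ccd
route 10.28.0.0 255.255.0.0
;route 10.28.63.0 255.255.255.0
client-to-client
"""

# Same config after the fix reported at the end of the thread: absolute, quoted
# path. Install path assumed; backslashes doubled as OpenVPN expects on Windows.
SERVER_CONF_FIXED = SERVER_CONF_ORIGINAL.replace(
    "client-config-dir ccd",
    r'client-config-dir "C:\\program files\\openvpn\\ccd"',
)

# Constructed CCD directory. File name must equal the client cert CN; the
# thread never shows the CN, so "client" is an assumption.
CCD_FILES = {"client": "iroute 10.28.0.0 255.255.0.0\n"}


def parse(conf_text):
    """Return (directive, argument-string) pairs; skips blank, '#' and ';' lines."""
    out = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        name, _, args = line.partition(" ")
        out.append((name, args.strip()))
    return out


def to_network(argstr):
    """'10.28.0.0 255.255.0.0' -> IPv4Network('10.28.0.0/16')."""
    addr, mask = argstr.split()[:2]
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def check_ccd_dir(directives):
    """client-config-dir must be present, quoted if it has spaces, and absolute."""
    values = [args for name, args in directives if name == "client-config-dir"]
    if not values:
        return ["client-config-dir missing: CCD files (and their iroutes) are never read"]
    raw = values[0]
    quoted = len(raw) >= 2 and raw[0] == raw[-1] == '"'
    path = raw[1:-1] if quoted else raw
    findings = []
    if " " in path and not quoted:
        findings.append(f"client-config-dir {raw!r}: contains spaces but is not quoted; "
                        "OpenVPN splits arguments on whitespace, so this is not one path")
    if not (ntpath.isabs(path) or posixpath.isabs(path)):
        findings.append(f"client-config-dir {path!r}: relative path, resolved against the "
                        "process working directory rather than the config file's directory")
    return findings


def check_routes(directives, ccd_files):
    """Cross-check server `route` lines against CCD `iroute` lines."""
    routes = [to_network(args) for name, args in directives if name == "route"]
    iroutes = [(client, to_network(args))
               for client, text in ccd_files.items()
               for name, args in parse(text) if name == "iroute"]
    findings = []
    for client, net in iroutes:
        # Kernel side: traffic for `net` must be routed into the tun at all.
        if not any(net.subnet_of(r) for r in routes):
            findings.append(f"{client}: iroute {net} has no covering server 'route'; "
                            "the server kernel never sends that subnet into the tunnel")
    for r in routes:
        # OpenVPN side: a packet arriving on the tun needs an owning client.
        if not any(r.overlaps(net) for _, net in iroutes):
            findings.append(f"route {r} matches no iroute in any CCD file; OpenVPN has "
                            "no client to forward it to and drops it")
    return findings


def audit(conf_text, ccd_files):
    """All findings for one server config plus its CCD directory contents."""
    directives = parse(conf_text)
    return check_ccd_dir(directives) + check_routes(directives, ccd_files)


if __name__ == "__main__":
    for label, conf in (("original", SERVER_CONF_ORIGINAL), ("fixed", SERVER_CONF_FIXED)):
        print(f"--- {label} ---")
        for finding in audit(conf, CCD_FILES) or ["OK"]:
            print(finding)
```

Run against the posted config the only finding is the relative "ccd" path, which is exactly what the thread ended on; the quoted absolute path passes clean. The route/iroute cross-check is there because the same symptom (server cannot reach the client LAN while the tunnel is up) also appears when a CCD file is read but its iroute is not covered by a server-side "route", and that does not show up in the log any more loudly than an unread CCD file does.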