Hello all,
I have few but confused ideas about vpn, so please be gentle...
Here is the situation.
I have two sites, connected by an ipsec vpn between two Zyxel routers.
The two segments are 192.168.1.* and 192.168.2.*
When I am on Lan, I can see the two segments transparently: mail server, webcams, etc.
One server has an OpenVpn service for road warriors.
It works fine, except when the local network is numbered 192.168.1.*, which is quite a common situation.
In this case the laptop tries to find the mail server on the lan instead of routing to the vpn.
How can I fix the setup?
Here is the road warrior conf file:
gian@server2007:/etc/openvpn$ cat road-warriors.conf
local 192.168.1.125
port 1194
proto udp
dev tun
user nobody
group nogroup
daemon
secret /etc/openvpn/key/static.key
up /etc/openvpn/up-rw.sh
ifconfig 10.10.10.1 10.10.10.2
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
#script-security 2
comp-lzo
persist-key
persist-tun
status openvpn-status-rw.log
keepalive 10 60
log-append /var/log/openvpn/openvpn-rw.log
verb 3
Should I remove the two Zyxels, replace them with an Ipfire (for example) router, and use Openvpn to connect site1 with site2?
Thanks for reading,
-Gian
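The collision described in this post can be checked mechanically. The following is an added example, not part of the original thread: it parses the route and ifconfig lines of the posted road-warriors.conf and reports which VPN networks overlap the LAN a road warrior is connected to. The function names and the sample client addresses are assumptions made for illustration.

```python
import ipaddress
import re

# Relevant lines copied from the road-warriors.conf posted above.
SERVER_CONF = '''\
local 192.168.1.125
ifconfig 10.10.10.1 10.10.10.2
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
#script-security 2
'''

# Matches both `route NET MASK` and `push "route NET MASK"`.
ROUTE_RE = re.compile(r'^(?:push\s+")?route\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)"?$')
# Point-to-point tunnel endpoints: `ifconfig LOCAL REMOTE`.
IFCONFIG_RE = re.compile(r'^ifconfig\s+(\S+)\s+(\S+)$')


def vpn_networks(conf_text):
    """Return every network the tunnel must reach: routes plus endpoints."""
    nets = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # ignore comments
        m = ROUTE_RE.match(line)
        if m:
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
            continue
        m = IFCONFIG_RE.match(line)
        if m:
            # Each tunnel endpoint is treated as a /32 host network.
            nets.extend(ipaddress.ip_network(a) for a in m.groups())
    return nets


def route_conflicts(conf_text, client_addr):
    """List VPN networks that overlap the client's directly connected LAN.

    client_addr is the laptop's address with prefix, e.g. "192.168.1.57/24"
    (constructed sample value, not taken from the thread).
    """
    lan = ipaddress.ip_interface(client_addr).network
    return [str(n) for n in vpn_networks(conf_text) if n.overlaps(lan)]


if __name__ == "__main__":
    for addr in ("192.168.1.57/24", "192.168.0.10/24", "192.168.3.4/16", "10.0.0.5/8"):
        print(addr, "->", route_conflicts(SERVER_CONF, addr) or "no overlap")
```
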
Road Warrior setup
Moderators: TinCanTech
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
- maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
- Contact:
Re: Road Warrior setup
Why don't you use the server directive on your OpenVPN server instead of
point-to-point mode?
Also, can you post the client config?
There is a problem though:
old ZyWALLs (ZyWALL 2, 5) DON'T create a new interface for IPsec-based VPNs.
This means that if your OpenVPN server relies on the 1.x network, you can
tell the ZyWALL on the 192.168.1.x side that there is a 10.10.10.x network (using a static route)
on the OpenVPN server, BUT
you CAN'T tell the ZyWALL located on the 192.168.2.x side to pass traffic for the 10.10.10.x network
THROUGH the IPsec tunnel towards the OpenVPN server...
Maybe it could be better to concentrate all VPNs on one software (OpenVPN maybe?)
Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)
Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)
"objects in mirror are losing"
-
- OpenVpn Newbie
- Posts: 9
- Joined: Mon Jan 02, 2012 6:05 am
Re: Road Warrior setup
Maikcat,
thanks for your kind reply.
maikcat wrote: why don't you use server directive on your openvpn server instead of point-to-point mode?
You're running too fast. Can you please explain?
Here is the client config:
remote *.*.*.*
dev tun0
port 1194
ifconfig 10.10.10.2 10.10.10.1
secret secret.key
route 192.168.1.0 255.255.255.0
route 192.168.2.0 255.255.255.0
comp-lzo
persist-key
persist-tun
keepalive 10 60
verb 3
maikcat wrote: maybe it could be better to concentrate all vpns on one software (openvpn maybe?)
Yes, I would like to do so... my only regret is wasting the two USG100 Zyxels...
I need to open a third site soon, so I would like to link the three offices with Openvpn.
-G
- maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
- Contact:
Re: Road Warrior setup
The USG100 is a very good appliance with a lot of capabilities;
check it out about the routing issue I mentioned earlier..
You are using OpenVPN in point-to-point mode: ifconfig 10.10.10.2 10.10.10.1
Take a look at the example section, the server directive...
OpenVPN can use certificates, use them.
Also, you can set up OpenVPN as a server in one location,
use the other 2 as clients and create LAN-to-LAN connectivity..
Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)
Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)
"objects in mirror are losing"
-
- OpenVpn Newbie
- Posts: 9
- Joined: Mon Jan 02, 2012 6:05 am
Re: Road Warrior setup
maikcat wrote: usg100 is a very good appliance with a lot capabilities
but cannot use Openvpn...
maikcat wrote: also you can setup openvpn as server in one location, use the other 2 as clients and create lan-to-lan connectivity..
I would like to use Ipfire because it looks easy to set up Openvpn on each segment.
I do not know if it can be set up as "client", though.