Hello, I have been trying for several days to establish a VPN connection to an Endian firewall, but without success.
I tried it with a Windows XP client and OpenVPN 2.2.0.
- Endian FW: 192.168.1.251
- Green network: 192.168.1.0
- Bridge 192.168.1.220 - 192.168.1.249
- Block DHCP responses from the tunnel
- Created a NAT rule to the Endian FW and port 1194
- VPN firewall is off
- I followed the certificate guide from the forum, so the problem should not lie there either.
server:
; daemon configuration
daemon
mode server
tls-server
proto udp
port 1194
multihome
user openvpn
group openvpn
cd /var/openvpn
client-config-dir clients
script-security 2 system
; tunnel configuration
dev tap0
; bridge to GREEN
server-bridge 192.168.1.251 255.255.255.0 192.168.1.220 192.168.1.249
push "route-gateway 192.168.1.251"
passtos
comp-lzo
management 127.0.0.1 5555
keepalive 8 30
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
persist-local-ip
persist-remote-ip
; logging and status
writepid /var/run/openvpn/openvpn.pid
ifconfig-pool-persist openvpn.leases
status /var/log/openvpn/openvpn-status.log
verb 1
client-connect "/usr/local/bin/dir.d-exec /etc/openvpn/client-connect.d/"
client-disconnect "/usr/local/bin/dir.d-exec /etc/openvpn/client-disconnect.d/"
; certificates and authentication
dh /var/efw/openvpn/dh1024.pem
pkcs12 /var/efw/openvpn/pkcs12.p12
ns-cert-type client
Client.ovpn
client
dev tap
proto udp
remote 100.12.192.74 1194
resolv-retry infinite
nobind
persist-key
persist-tun
pkcs12 pc1.p12
ns-cert-type server
comp-lzo
verb 3
Log on the client
Tue May 10 16:09:08 2011 OpenVPN 2.2.0 Win32-MSVC++ [SSL] [LZO2] built on Apr 26 2011
Tue May 10 16:09:08 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue May 10 16:09:14 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue May 10 16:09:14 2011 LZO compression initialized
Tue May 10 16:09:14 2011 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue May 10 16:09:14 2011 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue May 10 16:09:14 2011 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Tue May 10 16:09:14 2011 Local Options hash (VER=V4): 'd79ca330'
Tue May 10 16:09:14 2011 Expected Remote Options hash (VER=V4): 'f7df56b8'
Tue May 10 16:09:14 2011 UDPv4 link local: [undef]
Tue May 10 16:09:14 2011 UDPv4 link remote: 100.12.192.74:1194
Tue May 10 16:09:14 2011 TLS: Initial packet from 100.12.192.743:1194, sid=01d459eb e6f3c1a4
Tue May 10 16:09:15 2011 VERIFY OK: depth=1, /C=DE/ST=THU/L=Stadt/O=Firma/OU=IT/CN=name/emailAddress=imail
Tue May 10 16:09:15 2011 VERIFY OK: nsCertType=SERVER
Tue May 10 16:09:15 2011 VERIFY OK: depth=0, /C=DE/ST=THU/O=Firma/OU=IT/CN=endian/emailAddress=imail
Tue May 10 16:09:16 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue May 10 16:09:16 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue May 10 16:09:16 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue May 10 16:09:16 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue May 10 16:09:16 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue May 10 16:09:16 2011 [endian] Peer Connection Initiated with 100.12.192.743:1194
Tue May 10 16:09:18 2011 SENT CONTROL [endian]: 'PUSH_REQUEST' (status=1)
Tue May 10 16:09:18 2011 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.1.251,route-gateway 192.168.1.251,ping 8,ping-restart 30,ifconfig 192.168.1.220 255.255.255.0'
Tue May 10 16:09:18 2011 OPTIONS IMPORT: timers and/or timeouts modified
Tue May 10 16:09:18 2011 OPTIONS IMPORT: --ifconfig/up options modified
Tue May 10 16:09:18 2011 OPTIONS IMPORT: route-related options modified
Tue May 10 16:09:18 2011 TAP-WIN32 device [LAN-Verbindung 2] opened: \\.\Global\{FA1233E1-00B6-4331-A5E9-20332A213B70}.tap
Tue May 10 16:09:18 2011 TAP-Win32 Driver Version 9.8
Tue May 10 16:09:18 2011 TAP-Win32 MTU=1500
Tue May 10 16:09:18 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.1.220/255.255.255.0 on interface {FA1233E1-00B6-4331-A5E9-20332A213B70} [DHCP-serv: 192.168.1.0, lease-time: 31536000]
Tue May 10 16:09:18 2011 Successful ARP Flush on interface [65541] {FA1233E1-00B6-4331-A5E9-20332A213B70}
Tue May 10 16:09:23 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue May 10 16:09:23 2011 Route: Waiting for TUN/TAP interface to come up...
Tue May 10 16:09:28 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue May 10 16:09:28 2011 Route: Waiting for TUN/TAP interface to come up...
Tue May 10 16:09:29 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue May 10 16:09:29 2011 Route: Waiting for TUN/TAP interface to come up...
Tue May 10 16:09:30 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue May 10 16:09:30 2011 Route: Waiting for TUN/TAP interface to come up...
Tue May 10 16:09:31 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue May 10 16:09:31 2011 Route: Waiting for TUN/TAP interface to come up...
Tue May 10 16:09:32 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue May 10 16:09:32 2011 Route: Waiting for TUN/TAP interface to come up...
Tue May 10 16:09:33 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue May 10 16:09:33 2011 Route: Waiting for TUN/TAP interface to come up...
Tue May 10 16:09:34 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue May 10 16:09:34 2011 Route: Waiting for TUN/TAP interface to come up...
Tue May 10 16:09:35 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue May 10 16:09:35 2011 Route: Waiting for TUN/TAP interface to come up...
Tue May 10 16:09:36 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue May 10 16:09:36 2011 Route: Waiting for TUN/TAP interface to come up...
Tue May 10 16:09:37 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue May 10 16:09:37 2011 Route: Waiting for TUN/TAP interface to come up...
Tue May 10 16:09:38 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue May 10 16:09:38 2011 Route: Waiting for TUN/TAP interface to come up...
Tue May 10 16:09:39 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue May 10 16:09:39 2011 Route: Waiting for TUN/TAP interface to come up...
Tue May 10 16:09:40 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue May 10 16:09:40 2011 Route: Waiting for TUN/TAP interface to come up...
Tue May 10 16:09:41 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=1 a=0 u/d=up
Tue May 10 16:09:41 2011 Initialization Sequence Completed
Tue May 10 16:10:01 2011 TCP/UDP: Closing socket
Tue May 10 16:10:01 2011 Closing TUN/TAP interface
Tue May 10 16:10:01 2011 SIGTERM[hard,] received, process exiting
I hope you can help me.
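As an added example (not part of the original post), a small Python checker that cross-checks the server-bridge pool from the posted server config against the route-gateway and ifconfig values the client reports in its PUSH_REPLY line; it also flags the explicit push "route-gateway" that duplicates the one server-bridge already pushes, which is why the directive appears twice in the log. The sample input is the config and log line quoted above; a finding list of zero entries means the bridge parameters are consistent.

```python
import ipaddress
import re

# Constructed sample: the bridge-related lines of the server config and the
# PUSH_REPLY line from the client log as posted above.
SERVER_CFG = """
dev tap0
server-bridge 192.168.1.251 255.255.255.0 192.168.1.220 192.168.1.249
push "route-gateway 192.168.1.251"
"""
PUSH_REPLY = ("PUSH_REPLY,route-gateway 192.168.1.251,route-gateway 192.168.1.251,"
              "ping 8,ping-restart 30,ifconfig 192.168.1.220 255.255.255.0")


def parse_server_bridge(cfg):
    """Return (gateway, network, pool_start, pool_end) from the server-bridge line."""
    m = re.search(r"^\s*server-bridge\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)", cfg, re.M)
    if not m:
        raise ValueError("no server-bridge directive found")
    gw, mask, start, end = m.groups()
    net = ipaddress.ip_network(f"{gw}/{mask}", strict=False)
    return (ipaddress.ip_address(gw), net,
            ipaddress.ip_address(start), ipaddress.ip_address(end))


def check_bridge(cfg, push_reply):
    """Cross-check server-bridge parameters against what the client was pushed.
    Returns a list of findings; an empty list means everything is consistent."""
    findings = []
    gw, net, start, end = parse_server_bridge(cfg)
    if start > end:
        findings.append("pool start is after pool end")
    for label, ip in (("gateway", gw), ("pool start", start), ("pool end", end)):
        if ip not in net:
            findings.append(f"{label} {ip} is outside {net}")
    if start <= gw <= end:
        findings.append(f"gateway {gw} lies inside the pool {start}-{end}")
    # server-bridge already expands to push "route-gateway <gw>", so an explicit
    # push of the same directive shows up twice in PUSH_REPLY (as in the log above).
    if re.search(r'^\s*push\s+"route-gateway', cfg, re.M):
        findings.append("explicit push route-gateway duplicates the one from server-bridge")
    # Parse "key value" options from the PUSH_REPLY; a repeated key keeps its last value.
    opts = dict(o.split(" ", 1) for o in push_reply.split(",")[1:] if " " in o)
    pushed_gw = ipaddress.ip_address(opts.get("route-gateway", "0.0.0.0"))
    if pushed_gw != gw:
        findings.append(f"pushed route-gateway {pushed_gw} differs from {gw}")
    if "ifconfig" in opts:
        client_ip = ipaddress.ip_address(opts["ifconfig"].split()[0])
        if not start <= client_ip <= end:
            findings.append(f"client address {client_ip} is outside the pool {start}-{end}")
    return findings
```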