[Solved] OpenVPN with VIP
-
Hi,
I have tested this with a few firmwares, also the firmware from yesterday. OpenVPN works perfectly when assigned to the WAN interface. But when I change it to the VIP100 interface, which is an IP load-balanced between two firewalls, it doesn't work. A connection is initiated, but nothing happens; the client says it is still down (site to site with VPN).
Is this not supported or possible? Or a bug?
-
That should be supported. Can you post the contents of the openvpn server config that gets put in /var/etc when you set this up?
-
Hi,
I forgot to mention something, the vip100 exists on the lagg0 interface. Here is my config, the xx.xx.xx.xx is my public carp ip (vip100) on lagg0 interface.
$ cat /var/etc/openvpn/server1.conf
dev ovpns1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local xx.xx.xx.xx
tls-server
ifconfig 10.1.3.1 10.1.3.2
lport 1194
management 127.0.0.1 1194
max-clients 4
push "route 10.1.0.0 255.255.255.0"
route 10.0.0.0 255.255.255.0
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.2048
-
I have a CARP pair setup in VMware I can test this against on Monday to see what happens. That looks like it should be ok.
-
That looks fine as long as the x.x.x.x IP in the 'local' line is the correct IP.
-
the local line is fine…
I have a site to site working on the WAN interface (which is on a lagg0). When I switch to the CARP IP, the client can establish a connection, but nothing happens and the client says it is still down.
any idea on debug?
-
any idea on debug?
Follow the encapsulated and unencapsulated traffic with tcpdump, increase the verbosity on the openvpn processes.
-
Oh my… I feel stupid... I only allowed traffic to the WAN interface ip and not traffic to the carp ip.
So sorry for this...
tommie
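The thread ends on a rule-set mistake rather than an OpenVPN one: the listener was moved to the CARP VIP, but the pass rule still only covered the WAN address. The script below is an added example, not code from the thread or from any firewall product. It reads the directives that decide where an OpenVPN server listens (proto, local, lport/port, with OpenVPN's defaults when they are absent) and checks them against a rule list written in a simplified, constructed "pass in on IF proto P from SRC to DST port N" form. The addresses 203.0.113.10 (WAN) and 203.0.113.100 (CARP VIP, standing in for the post's xx.xx.xx.xx) and the rule lines are constructed sample data; the rule grammar is an assumption made for the example and is not a real firewall syntax.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Listener:
    proto: str   # "udp" or "tcp"
    addr: str    # address from 'local', or "any" when the server binds all addresses
    port: int


def listener_from_config(text: str) -> Listener:
    """Extract the directives that decide where an OpenVPN server listens."""
    proto, addr, port = "udp", "any", 1194          # OpenVPN's defaults
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()         # drop comments and blank lines
        if not line:
            continue
        key, *args = line.split()
        if key == "proto" and args:
            # 'tcp', 'tcp-server', 'tcp4' ... all listen on TCP
            proto = "tcp" if args[0].startswith("tcp") else "udp"
        elif key == "local" and args:
            addr = args[0]
        elif key in ("lport", "port") and args:
            port = int(args[0])
    return Listener(proto, addr, port)


# Constructed rule grammar (assumption for this example, not a product's syntax):
#   pass|block in [on IFACE] proto udp|tcp from SRC to DST|any port N|any
RULE_RE = re.compile(
    r"^(pass|block)\s+in(?:\s+on\s+\S+)?\s+proto\s+(udp|tcp)\s+"
    r"from\s+\S+\s+to\s+(\S+)\s+port\s+(\d+|any)$"
)


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    dst: str
    port: str


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised rule: {line!r}")
    return Rule(*m.groups())


def rule_matches(rule: Rule, lst: Listener) -> bool:
    """True when the rule's destination/port/proto cover the listener."""
    addr_ok = rule.dst == "any" or lst.addr == "any" or rule.dst == lst.addr
    port_ok = rule.port == "any" or rule.port == str(lst.port)
    return rule.proto == lst.proto and addr_ok and port_ok


def check_listener(config_text: str, rule_lines: List[str]) -> List[str]:
    """Return the pass rules that admit traffic to the server's listener.

    An empty list means no rule opens the address/port the server is
    actually bound to, which is exactly the symptom in the thread: the
    handshake is attempted but the tunnel never comes up.
    """
    lst = listener_from_config(config_text)
    return [line for line in rule_lines
            if (r := parse_rule(line)).action == "pass" and rule_matches(r, lst)]


# Constructed sample data
WAN_IP = "203.0.113.10"      # the firewall's own WAN address
CARP_VIP = "203.0.113.100"   # the shared CARP VIP (the post's xx.xx.xx.xx)

SERVER_CONF = f"""\
dev ovpns1
dev-type tun
#user nobody
proto udp
local {CARP_VIP}
lport 1194
management 127.0.0.1 1194
"""

# Only the WAN address was opened: the mistake the thread ends on.
RULES_BEFORE = [
    f"pass in on lagg0 proto udp from any to {WAN_IP} port 1194",
]
# The fix: also pass traffic to the CARP VIP the server is bound to.
RULES_AFTER = RULES_BEFORE + [
    f"pass in on lagg0 proto udp from any to {CARP_VIP} port 1194",
]

if __name__ == "__main__":
    print("listener:", listener_from_config(SERVER_CONF))
    for name, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        hits = check_listener(SERVER_CONF, rules)
        print(name, "reachable" if hits else "UNREACHABLE", hits)
```

Run against the constructed data, the "before" rule set yields no matching pass rule while the "after" set yields one. The check is deliberately a static comparison of config against rules; tcpdump on the bound address and port, as suggested earlier in the thread, remains the way to confirm what the firewall actually does with the packets.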