[solved] Running OSPF on tun OpenVPN
This issue touches different topics, but I want to put it in OpenVPN because I think that might be where the trouble is.
I have two routers running 2.3.4 AMD64. Both systems are directly connected via igb1:
fw1 192.168.141.2 <–> 192.168.141.1 fw2
There is also a VPN link both routers have set up over WAN. This is a tun VPN with mode Peer to Peer (SSL/TLS). I chose this mode because when I set up the tunnel with Shared Secret I didn't get IP addresses on the openvpn interfaces.
fw1 10.12.252.1 <–> 10.12.252.2 fw2
Over those two links I run OSPF. The idea behind it is that if the physical link goes down data can still run over the VPN link.
OSPF doesn't seem to be my problem because the routes are set fine. Since I set the metric to 50 for the VPN link, all data between the routers runs over the physical igb1. When I disconnect igb1, OSPF sets the routes so that data should run over the tunnel. The OSPF states are OK (Full) and I checked the routes manually.
Now comes the strange thing:
Of course there are regular clients connected to every firewall. fw1 is in 192.168.149.0/24 while fw2 is running 192.168.144.0/24.
I want to ping pc1 to pc2:
pc1 192.168.144.50 <–> 192.168.144.100 fw2 10.12.252.2 <–> 10.12.252.1 fw1 192.168.149.100 <–> 192.168.149.50 pc2
When the ICMP packet arrives at fw2 it is sent into the tunnel. I verified that via tcpdump. When I look at the other side of the tunnel on fw1 I do NOT receive the ICMP packet on that device. I'm still talking about the echo request packet.
That's why communication breaks down when traffic ought to run over VPN. :-[
Could someone point me in the right direction?
The firewall is configured so that all packets on the VPN links should pass. There is also no packet shown in filter.log.
I've also tried to create openvpn interfaces via Interfaces -> Assign and to use them in the quagga config, but that didn't work either.
ip ospf network point-to-point
ip ospf cost 50
ospf router-id 192.168.141.2
network 192.168.141.0/24 area 0.0.0.0
network 10.12.252.0/24 area 0.0.0.0
dev ovpns1
verb 1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth RSA-SHA512
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local <<public ip>>
tls-server
server 10.12.252.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server1
ifconfig 10.12.252.1 10.12.252.2
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 1
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.4096
topology subnet

password test1234
interface igb1
interface ovpnc1
 ip ospf network point-to-point
 ip ospf cost 50
router ospf
 ospf router-id 192.168.141.1
 redistribute connected
 network 10.12.252.0/24 area 0.0.0.0

dev ovpnc1
verb 1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth RSA-SHA512
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local <<public ip>>
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote <<public ip server>> 1194
ifconfig 10.12.252.2 10.12.252.1
ca /var/etc/openvpn/client1.ca
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key
resolv-retry infinite
topology subnet
I switched to Shared Secret mode and now it's working just fine.