22.05 - DCO and OpenVPN issue
-
I mean can clients other than .2 ping the server tunnel IP?
-
jimp moved this topic from Plus 22.05 Development Snapshots (Retired) on
-
I've been unable to replicate this so far. Did you test disabling AES-NI?
-
@stephenw10 said in 22.05 - DCO and OpenVPN issue:
I mean can clients other than .2 ping the server tunnel IP?
Ah that's what you meant! I just switched DCO back on and tested for you:
- VPN net: 192.168.45.0/24
- LAN net: 192.168.40.0/24
When DCO is on:
-
Client 1 connected as .45.2:
- ping to .45.1 (VPN GW) -> works
- ping to 40.1 (FW IP in LAN) -> works
- ping to 40.x (any other IP than the firewall) -> works
- can connect to e.g. Server on 192.168.40.10
-
Client 2 connected as .45.3:
- ping to .45.1 (VPN GW) -> works
- ping to 40.1 (FW IP in LAN) -> works
- ping to 40.x (any other IP than the firewall) -> DOESN'T work
- no connection to any other device on the LAN is working
As there are IPsec tunnels currently in use, I couldn't disable crypto, but it is set to QAT - not AES-NI - as it's a 6100 :)
Cheers
-
Ah, OK I was testing to the LAN IP. Retesting....
-
Ok, replicated it. Let me see if I can narrow it down....
-
@stephenw10 Whew! Glad this was tracked down.
-
OK, this looks like an internal routing issue. As a workaround applying outbound NAT to traffic leaving the LAN appears to allow it to route replies as expected. If you want to test DCO that is.
Steve
-
@stephenw10 Would that be subject to a patch via "System Patches", or is the routing issue deeper than the patch system can go and requires a new build/version of some files? Just asking if that'd be hotfixable.
-
It's probably not something that can be fixed with a run-time patch unfortunately. It looks to be in OpenVPN so something in the binary.
Steve
-
@stephenw10 said in 22.05 - DCO and OpenVPN issue:
It's probably not something that can be fixed with a run-time patch unfortunately. It looks to be in OpenVPN so something in the binary.
Steve
Thanks for clarifying - thus we know not to roll it out enabled by default for now :)