4. Не поднимается site-to-site OpenVPN (решено)

Не поднимается site-to-site OpenVPN (решено)

  • B

    Здравствуйте!
    Помогите, пожалуйста! Бьюсь второй день. Решение, видимо, на ладони, но я его не вижу.

    Имеется офис и филиал, в обоих pfsense 2.0.1
    Офис: LAN - 192.168.8.0, WAN 194.xxx.xxx.3
    Филиал: LAN 192.168.65.0, WAN 213.yyy.yyy.211

    Конфиги:

    Офис

    dev ovpns6
    dev-type tun
    dev-node /dev/tun6
    writepid /var/run/openvpn_server6.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 194.xxx.xxx.3
    ifconfig 10.0.8.1 10.0.8.2
    lport 1199
    management /var/etc/openvpn/server6.sock unix
    push "route 192.168.8.8 255.255.255.0"
    route 192.168.65.0 255.255.255.0
    secret /var/etc/openvpn/server6.secret

    Филиал
    dev ovpnc1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 213.yyy.yyy.211
    lport 1199
    management /var/etc/openvpn/client1.sock unix
    remote 194.xxx.xxx.3 1199
    ifconfig 10.0.8.2 10.0.8.1
    route 192.168.8.8 255.255.255.0
    secret /var/etc/openvpn/client1.secret

    Туннель не поднимается. Вот, что в логах:

    Офис

    Jun 7 11:45:38 openvpn[49604]: OpenVPN 2.2.0 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 11 2011
    Jun 7 11:45:38 openvpn[49604]: NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
    Jun 7 11:45:38 openvpn[49604]: TUN/TAP device /dev/tun6 opened
    Jun 7 11:45:38 openvpn[49604]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Jun 7 11:45:38 openvpn[49604]: /sbin/ifconfig ovpns6 10.0.8.1 10.0.8.2 mtu 1500 netmask 255.255.255.255 up
    Jun 7 11:45:38 openvpn[49604]: /usr/local/sbin/ovpn-linkup ovpns6 1500 1560 10.0.8.1 10.0.8.2 init
    Jun 7 11:45:38 openvpn[51341]: UDPv4 link local (bound): [AF_INET]194.ххх.ххх.3:1199
    Jun 7 11:45:38 openvpn[51341]: UDPv4 link remote: [undef]
    Jun 7 11:48:49 openvpn[51341]: event_wait : Interrupted system call (code=4)
    Jun 7 11:48:49 openvpn[51341]: /usr/local/sbin/ovpn-linkdown ovpns6 1500 1560 10.0.8.1 10.0.8.2 init
    Jun 7 11:48:49 openvpn[51341]: SIGTERM[hard,] received, process exiting

    Филиал

    Jun 7 08:11:05 openvpn[38387]: SIGUSR1[soft,ping-restart] received, process restarting
    Jun 7 08:11:07 openvpn[38387]: NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
    Jun 7 08:11:07 openvpn[38387]: Re-using pre-shared static key
    Jun 7 08:11:07 openvpn[38387]: Preserving previous TUN/TAP instance: ovpnc1
    Jun 7 08:11:07 openvpn[38387]: UDPv4 link local (bound): [AF_INET]213.ууу.ууу.211:1199
    Jun 7 08:11:07 openvpn[38387]: UDPv4 link remote: [AF_INET]194.ххх.ххх.3:1199

    0
  • B

    Вопрос закрыт. Оказалось, козлил один из пэкеджей (я их несколько понаставил, поиграться). Через некоторое время перестала работать маршрутизация и веб-интерфейс (причем, без действий с моей стороны). Разбираться долго не стал, выпилил из конфига раздел с пэкеджами и отресторился с него. Все тикает.

    0
  • S

    Приветствую, уважаемые!
    Не хочется плодить темы, проблема та же: не поднимается туннель OpenVPN.

    С одной стороны машинка на pfsense (ip 10.70.155.42)
    с другой стороны сервер на винде (ip 10.71.32.172)
    Вроде все настройки перенёс в pfsense, но канал не устанавливается.
    Вот настройки pfsense:

    
dev ovpnc1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 10.70.155.42
lport 5001
management /var/etc/openvpn/client1.sock unix
remote 10.71.32.172 5001
secret /var/etc/openvpn/client1.secret 
comp-lzo
ifconfig 192.168.253.253 192.168.253.254
verb 4

    настройки openvpn виндового сервера:

    
remote 10.70.155.42 5001
local 10.71.32.172
lport 5001
proto udp 
cipher AES-128-CBC
dev tun
dev-node VPNZel
route-method exe
route-delay 10
ifconfig 192.168.253.254 192.168.253.253
route 192.168.31.0 255.255.255.0
secret static.txt
#ping 10
comp-lzo
verb 4
mute 10

    Вот логи на pfsense:

    
Jul 4 13:44:36 	openvpn[38464]: UDPv4 link local (bound): [AF_INET]10.70.155.42:5001
Jul 4 13:44:36 	openvpn[38464]: UDPv4 link remote: [AF_INET]10.71.32.172:5001
Jul 4 13:45:36 	openvpn[38464]: Inactivity timeout (--ping-restart), restarting
Jul 4 13:45:36 	openvpn[38464]: TCP/UDP: Closing socket
Jul 4 13:45:36 	openvpn[38464]: SIGUSR1[soft,ping-restart] received, process restarting
Jul 4 13:45:36 	openvpn[38464]: Restart pause, 2 second(s)
Jul 4 13:45:38 	openvpn[38464]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 4 13:45:38 	openvpn[38464]: Re-using pre-shared static key
Jul 4 13:45:38 	openvpn[38464]: LZO compression initialized
Jul 4 13:45:38 	openvpn[38464]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Jul 4 13:45:38 	openvpn[38464]: Preserving previous TUN/TAP instance: ovpnc1
Jul 4 13:45:38 	openvpn[38464]: Data Channel MTU parms [ L:1561 D:1450 EF:61 EB:135 ET:0 EL:0 AF:3/1 ]
Jul 4 13:45:38 	openvpn[38464]: Local Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 192.168.253.254 192.168.253.253,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Jul 4 13:45:38 	openvpn[38464]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 192.168.253.253 192.168.253.254,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Jul 4 13:45:38 	openvpn[38464]: Local Options hash (VER=V4): '39a50059'
Jul 4 13:45:38 	openvpn[38464]: Expected Remote Options hash (VER=V4): 'ba89014a'
Jul 4 13:45:38 	openvpn[38464]: UDPv4 link local (bound): [AF_INET]10.70.155.42:5001
Jul 4 13:45:38 	openvpn[38464]: UDPv4 link remote: [AF_INET]10.71.32.172:5001
Jul 4 13:46:38 	openvpn[38464]: Inactivity timeout (--ping-restart), restarting
Jul 4 13:46:38 	openvpn[38464]: TCP/UDP: Closing socket
Jul 4 13:46:38 	openvpn[38464]: SIGUSR1[soft,ping-restart] received, process restarting
Jul 4 13:46:38 	openvpn[38464]: Restart pause, 2 second(s)
Jul 4 13:46:40 	openvpn[38464]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 4 13:46:40 	openvpn[38464]: Re-using pre-shared static key
Jul 4 13:46:40 	openvpn[38464]: LZO compression initialized
Jul 4 13:46:40 	openvpn[38464]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Jul 4 13:46:40 	openvpn[38464]: Preserving previous TUN/TAP instance: ovpnc1
Jul 4 13:46:40 	openvpn[38464]: Data Channel MTU parms [ L:1561 D:1450 EF:61 EB:135 ET:0 EL:0 AF:3/1 ]
Jul 4 13:46:40 	openvpn[38464]: Local Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 192.168.253.254 192.168.253.253,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Jul 4 13:46:40 	openvpn[38464]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 192.168.253.253 192.168.253.254,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Jul 4 13:46:40 	openvpn[38464]: Local Options hash (VER=V4): '39a50059'
Jul 4 13:46:40 	openvpn[38464]: Expected Remote Options hash (VER=V4): 'ba89014a'
Jul 4 13:46:40 	openvpn[38464]: UDPv4 link local (bound): [AF_INET]10.70.155.42:5001
Jul 4 13:46:40 	openvpn[38464]: UDPv4 link remote: [AF_INET]10.71.32.172:5001
Jul 4 13:47:40 	openvpn[38464]: Inactivity timeout (--ping-restart), restarting
Jul 4 13:47:40 	openvpn[38464]: TCP/UDP: Closing socket
Jul 4 13:47:40 	openvpn[38464]: SIGUSR1[soft,ping-restart] received, process restarting
Jul 4 13:47:40 	openvpn[38464]: Restart pause, 2 second(s)
Jul 4 13:47:42 	openvpn[38464]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 4 13:47:42 	openvpn[38464]: Re-using pre-shared static key
Jul 4 13:47:42 	openvpn[38464]: LZO compression initialized
Jul 4 13:47:42 	openvpn[38464]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Jul 4 13:47:42 	openvpn[38464]: Preserving previous TUN/TAP instance: ovpnc1
Jul 4 13:47:42 	openvpn[38464]: Data Channel MTU parms [ L:1561 D:1450 EF:61 EB:135 ET:0 EL:0 AF:3/1 ]
Jul 4 13:47:42 	openvpn[38464]: Local Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 192.168.253.254 192.168.253.253,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Jul 4 13:47:42 	openvpn[38464]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 192.168.253.253 192.168.253.254,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Jul 4 13:47:42 	openvpn[38464]: Local Options hash (VER=V4): '39a50059'
Jul 4 13:47:42 	openvpn[38464]: Expected Remote Options hash (VER=V4): 'ba89014a'
Jul 4 13:47:42 	openvpn[38464]: UDPv4 link local (bound): [AF_INET]10.70.155.42:5001
Jul 4 13:47:42 	openvpn[38464]: UDPv4 link remote: [AF_INET]10.71.32.172:5001

    Логи openvpn на виндовом сервере:

    
Wed Jul 04 13:31:02 2012 us=500000 Current Parameter Settings:
Wed Jul 04 13:31:02 2012 us=500000   config = 'zel.ovpn'
Wed Jul 04 13:31:02 2012 us=500000   mode = 0
Wed Jul 04 13:31:02 2012 us=500000   show_ciphers = DISABLED
Wed Jul 04 13:31:02 2012 us=500000   show_digests = DISABLED
Wed Jul 04 13:31:02 2012 us=500000   show_engines = DISABLED
Wed Jul 04 13:31:02 2012 us=500000   genkey = DISABLED
Wed Jul 04 13:31:02 2012 us=500000   key_pass_file = '[UNDEF]'
Wed Jul 04 13:31:02 2012 us=500000   show_tls_ciphers = DISABLED
Wed Jul 04 13:31:02 2012 us=500000 Connection profiles [default]:
Wed Jul 04 13:31:02 2012 us=500000 NOTE: --mute triggered...
Wed Jul 04 13:31:02 2012 us=500000 213 variation(s) on previous 10 message(s) suppressed by --mute
Wed Jul 04 13:31:02 2012 us=500000 OpenVPN 2.2.1 Win32-MSVC++ [SSL] [LZO2] built on Jul  1 2011
Wed Jul 04 13:31:02 2012 us=500000 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Jul 04 13:31:02 2012 us=500000 Static Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Jul 04 13:31:02 2012 us=500000 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jul 04 13:31:02 2012 us=500000 Static Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Jul 04 13:31:02 2012 us=500000 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jul 04 13:31:02 2012 us=500000 LZO compression initialized
Wed Jul 04 13:31:02 2012 us=500000 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Jul 04 13:31:02 2012 us=515000 ROUTE default_gateway=89.222.215.17
Wed Jul 04 13:31:02 2012 us=515000 TAP-WIN32 device [VPNZel] opened: \\.\Global\{52D930CD-275C-4B31-A784-61C7B4013BE0}.tap
Wed Jul 04 13:31:02 2012 us=515000 TAP-Win32 Driver Version 9.8 
Wed Jul 04 13:31:02 2012 us=515000 TAP-Win32 MTU=1500
Wed Jul 04 13:31:02 2012 us=531000 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.253.254/255.255.255.252 on interface {52D930CD-275C-4B31-A784-61C7B4013BE0} [DHCP-serv: 192.168.253.253, lease-time: 31536000]
Wed Jul 04 13:31:02 2012 us=531000 NOTE: FlushIpNetTable failed on interface [65542] {52D930CD-275C-4B31-A784-61C7B4013BE0} (status=1413) : Неверный индекс.  
Wed Jul 04 13:31:02 2012 us=531000 Data Channel MTU parms [ L:1561 D:1450 EF:61 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Jul 04 13:31:02 2012 us=531000 Local Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 192.168.253.253 192.168.253.254,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Wed Jul 04 13:31:02 2012 us=531000 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 192.168.253.254 192.168.253.253,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Wed Jul 04 13:31:02 2012 us=531000 Local Options hash (VER=V4): 'ba89014a'
Wed Jul 04 13:31:02 2012 us=531000 Expected Remote Options hash (VER=V4): '39a50059'
Wed Jul 04 13:31:02 2012 us=531000 UDPv4 link local (bound): 10.71.32.172:5001
Wed Jul 04 13:31:02 2012 us=531000 UDPv4 link remote: 10.70.155.42:5001
Wed Jul 04 13:31:11 2012 us=437000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:31:11 2012 us=437000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:31:21 2012 us=515000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:31:21 2012 us=515000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:31:32 2012 us=93000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:31:32 2012 us=93000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:31:42 2012 us=890000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:31:42 2012 us=890000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:31:53 2012 us=234000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:32:04 2012 us=125000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:32:04 2012 us=125000 NOTE: --mute triggered...
Wed Jul 04 13:33:02 2012 us=406000 10 variation(s) on previous 10 message(s) suppressed by --mute
Wed Jul 04 13:33:02 2012 us=406000 NOTE: failed to obtain options consistency info from peer -- this could occur if the remote peer is running a version of OpenVPN before 1.5-beta8 or if there is a network connectivity problem, and will not necessarily prevent OpenVPN from running (1360 bytes received from peer, 0 bytes authenticated data channel traffic) -- you can disable the options consistency check with --disable-occ.
Wed Jul 04 13:33:05 2012 us=468000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:33:05 2012 us=468000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:33:15 2012 us=593000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:33:15 2012 us=593000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:33:25 2012 us=546000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:33:25 2012 us=546000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:33:35 2012 us=765000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:33:35 2012 us=765000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:33:45 2012 us=625000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:33:45 2012 us=625000 TCP/UDP: Incoming packet rejected from 10.70.155.42:48876[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:33:57 2012 us=343000 NOTE: --mute triggered...
Wed Jul 04 13:36:18 2012 us=296000 9 variation(s) on previous 10 message(s) suppressed by --mute
Wed Jul 04 13:36:18 2012 us=296000 Peer Connection Initiated with 10.70.155.42:5001
Wed Jul 04 13:36:19 2012 us=62000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:36:19 2012 us=593000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:36:20 2012 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:36:28 2012 us=625000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:36:29 2012 us=859000 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
Wed Jul 04 13:36:29 2012 us=859000 C:\WINDOWS\system32\route.exe ADD 192.168.31.0 MASK 255.255.255.0 192.168.253.253
Wed Jul 04 13:36:29 2012 us=984000 Initialization Sequence Completed
Wed Jul 04 13:36:38 2012 us=906000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:36:38 2012 us=906000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:36:48 2012 us=390000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:36:48 2012 us=390000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:36:58 2012 us=531000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:36:58 2012 us=531000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:37:08 2012 us=640000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:37:08 2012 us=640000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:37:20 2012 us=281000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:37:30 2012 us=921000 TCP/UDP: Incoming packet rejected from 10.70.155.42:25185[2], expected peer address: 10.70.155.42:5001 (allow this incoming source address/port by removing --remote or adding --float)
Wed Jul 04 13:37:30 2012 us=921000 NOTE: --mute triggered...

    Порты 5001 на обоих серверах открыты, пинги идут в обе стороны.
    Подскажите, чего я не учёл?

    0
  • S

    Всё, проблема решена. Человеческим же языком было написано "allow this incoming source address/port by removing –remote or adding --float"
    Добавил на виндовом клиенте опцию float, и соединение установилось.

    0
  • P

    Коллеги. Прошу помощи, ибо после 3 дней войны с openvpn мысли иссякли, а глаз замылился.
    В наличии имеются два пифа 2.0.1 (на 1.2.3 эту тему поднимал влёт). Настройки делаю только через веб-интерфейс. Пытаюсь поднять site-to-site на базе pki (с shared-keys тоже ничего не мог сделать).
    1. На сервере сгенерировал три связки ключей: ca (центр сертификации), serv (серверный сертификат) и cln (пользовательский сертификат).
    2. Настройки сервера:
    2.1.```
    dev ovpns1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 188.Х.Х.Х
    tls-server
    server 10.0.0.0 255.255.255.248
    client-config-dir /var/etc/openvpn-csc
    ifconfig 10.0.0.1 10.0.0.2
    tls-verify /var/etc/openvpn/server1.tls-verify.php
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.1024
    tls-auth /var/etc/openvpn/server1.tls-auth 0

    2.2\. Правила фаера:
Вкладка wan```
* 	* 	* 	WAN address 	1194 (OpenVPN) 	* 	none 	  	OpenVPN

    Вкладка openvpn```

              • none   OpenVPN ukk wizard
    2.3\. ifconfig вывел:

    ovpns1: flags=8051 <up,pointopoint,running,multicast>metric 0 mtu 1500
    options=80000 <linkstate>inet6 fe80::201:2ff:fedb:e96a%ovpns1 prefixlen 64 scopeid 0x7
    inet 10.0.0.1 --> 10.0.0.2 netmask 0xffffffff
    nd6 options=3 <performnud,accept_rtadv>Opened by PID 39877
    tun2: flags=8010 <pointopoint,multicast>metric 0 mtu 1500
    options=80000 <linkstate></linkstate></pointopoint,multicast></performnud,accept_rtadv></linkstate></up,pointopoint,running,multicast>

    **3\. Настройки клиента:**
3.1\. Скопировал сертификат СА
3.2\. Скопировал общий ключ tls
3.3.

    dev ovpnc1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 79.y.y.y
    tls-client
    client
    lport 0
    management /var/etc/openvpn/client1.sock unix
    remote 188.x.x.x 1194
    ca /var/etc/openvpn/client1.ca
    cert /var/etc/openvpn/client1.cert
    key /var/etc/openvpn/client1.key
    tls-auth /var/etc/openvpn/client1.tls-auth 1

    3.4\. ifconfig

    ovpnc1: flags=8010 <pointopoint,multicast>metric 0 mtu 1500
    options=80000 <linkstate></linkstate></pointopoint,multicast>

    3.5\. Вкладка openvpn

    * 	* 	* 	* 	* 	* 	none 	  	OpenVPN wizard  

    
И вот при всех этих настройках в логе клиента вижу:

    WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.

    Где я накосячил?
    0
  • P

    Как не странно, пока не убрал в shared-key закомментированные строки тоннель не поднимался.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy