 Post subject: [Zerina/OpenVPN] Route: Waiting for TUN/TAP interface
PostPosted: 08.09.2012 10:48 
DES
Hello Team,

My IPCop + OpenVPN + Zerina roadwarrior configuration worked well for years, until I decided to use the Orange I/F and the DMZ. There is apparently no problem in the FW. The following problem now occurs when the OpenVPN client starts a connection sequence:

Client GUI:
Mon Sep 03 18:30:26 2012 OpenVPN 2.2.0 Win32-MSVC++ [SSL] [LZO2] built on Apr 26 2011
Mon Sep 03 18:30:26 2012 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Mon Sep 03 18:30:26 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Sep 03 18:30:35 2012 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Sep 03 18:30:35 2012 LZO compression initialized
Mon Sep 03 18:30:35 2012 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Sep 03 18:30:35 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Sep 03 18:30:36 2012 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Sep 03 18:30:36 2012 Local Options hash (VER=V4): '41690919'
Mon Sep 03 18:30:36 2012 Expected Remote Options hash (VER=V4): '530fdded'
Mon Sep 03 18:30:36 2012 UDPv4 link local (bound): [undef]:1194
Mon Sep 03 18:30:36 2012 UDPv4 link remote: 85.93.24.35 :1194
Mon Sep 03 18:30:36 2012 TLS: Initial packet from 85.93.24.35 :1194, sid=16e6cf4c 9eee3fdc
Mon Sep 03 18:30:37 2012 VERIFY OK: depth=1, /C=UK/ST=England/L=Bedford /O=Technologies/OU=IT/CN=Technologies_C ... @gmail.com
Mon Sep 03 18:30:37 2012 VERIFY OK: nsCertType=SERVER
Mon Sep 03 18:30:37 2012 VERIFY OK: depth=0, /C=UK/ST=England/O=Technologies/OU=IT/CN=si18665.domain.net
Mon Sep 03 18:30:37 2012 VERIFY OK: nsCertType=SERVER
Mon Sep 03 18:30:37 2012 VERIFY OK: depth=0, /C=UK/ST=England/O=Technologies/OU=IT/CN=si18665.domain.net
Mon Sep 03 18:30:40 2012 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Sep 03 18:30:40 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Sep 03 18:30:40 2012 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Sep 03 18:30:40 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Sep 03 18:30:40 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Sep 03 18:30:40 2012 [ilasa01.plus.com] Peer Connection Initiated with 85.93.24.35 :1194
Mon Sep 03 18:30:42 2012 SENT CONTROL [si18665.domain.net]: 'PUSH_REQUEST' (status=1)
Mon Sep 03 18:30:42 2012 PUSH: Received control message: 'PUSH_REPLY,route 172.16.1.0 255.255.255.0,route 10.0.10.1,ping 10,ping-restart 60,ifconfig 10.0.10.6 10.0.10.5'
Mon Sep 03 18:30:42 2012 OPTIONS IMPORT: timers and/or timeouts modified
Mon Sep 03 18:30:42 2012 OPTIONS IMPORT: --ifconfig/up options modified
Mon Sep 03 18:30:42 2012 OPTIONS IMPORT: route options modified
Mon Sep 03 18:30:42 2012 ROUTE default_gateway=192.168.1.1
Mon Sep 03 18:30:42 2012 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{2B984017-F000-4190-8F47-B7523391AD03}.tap
Mon Sep 03 18:30:42 2012 TAP-Win32 Driver Version 9.8
Mon Sep 03 18:30:42 2012 TAP-Win32 MTU=1500
Mon Sep 03 18:30:42 2012 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.0.10.6/255.255.255.252 on interface {2B984017-F000-4190-8F47-B7523391AD03} [DHCP-serv: 10.0.10.5, lease-time: 31536000]
Mon Sep 03 18:30:42 2012 Successful ARP Flush on interface [17] {2B984017-F000-4190-8F47-B7523391AD03}
Mon Sep 03 18:30:47 2012 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Mon Sep 03 18:30:47 2012 Route: Waiting for TUN/TAP interface to come up...

The OpenVPN client error:

OK!
Mon Sep 03 18:50:20 2012 C:\WINDOWS\system32\route.exe ADD 10.0.10.1 MASK 255.255.255.255 10.0.10.5
Mon Sep 03 18:50:20 2012 Warning: route gateway is not reachable on any active network adapters: 10.0.10.5
Mon Sep 03 18:50:20 2012 Route addition via IPAPI failed [adaptive]
Mon Sep 03 18:50:20 2012 Route addition fallback to route.exe
OK!
SYSTEM ROUTING TABLE
0.0.0.0 0.0.0.0 192.168.1.1 p=0 i=11 t=4 pr=3 a=118951 h=0 m=281/0/0/0/0
10.0.10.1 255.255.255.255 10.0.10.5 p=0 i=11 t=4 pr=3 a=0 h=0 m=26/0/0/0/0
127.0.0.0 255.0.0.0 127.0.0.1 p=0 i=1 t=3 pr=3 a=118967 h=0 m=306/0/0/0/0
127.0.0.1 255.255.255.255 127.0.0.1 p=0 i=1 t=3 pr=3 a=118967 h=0 m=306/0/0/0/0
127.255.255.255 255.255.255.255 127.0.0.1 p=0 i=1 t=3 pr=3 a=118967 h=0 m=306/0/0/0/0
159.254.0.0 255.255.0.0 159.254.234.55 p=0 i=17 t=3 pr=3 a=4814 h=0 m=286/0/0/0/0
159.254.234.55 255.255.255.255 159.254.234.55 p=0 i=17 t=3 pr=3 a=4814 h=0 m=286/0/0/0/0
159.254.255.255 255.255.255.255 159.254.234.55 p=0 i=17 t=3 pr=3 a=4814 h=0 m=286/0/0/0/0
172.16.1.0 255.255.255.0 10.0.10.5 p=0 i=11 t=4 pr=3 a=0 h=0 m=26/0/0/0/0
192.168.1.0 255.255.255.0 192.168.1.109 p=0 i=11 t=3 pr=3 a=118942 h=0 m=281/0/0/0/0
192.168.1.109 255.255.255.255 192.168.1.109 p=0 i=11 t=3 pr=3 a=118942 h=0 m=281/0/0/0/0
192.168.1.255 255.255.255.255 192.168.1.109 p=0 i=11 t=3 pr=3 a=118942 h=0 m=281/0/0/0/0
192.168.56.0 255.255.255.0 192.168.56.1 p=0 i=14 t=3 pr=3 a=118955 h=0 m=276/0/0/0/0
192.168.56.1 255.255.255.255 192.168.56.1 p=0 i=14 t=3 pr=3 a=118955 h=0 m=276/0/0/0/0
192.168.56.255 255.255.255.255 192.168.56.1 p=0 i=14 t=3 pr=3 a=118955 h=0 m=276/0/0/0/0
224.0.0.0 240.0.0.0 127.0.0.1 p=0 i=1 t=3 pr=3 a=118967 h=0 m=306/0/0/0/0
224.0.0.0 240.0.0.0 192.168.56.1 p=0 i=14 t=3 pr=3 a=118958 h=0 m=276/0/0/0/0
224.0.0.0 240.0.0.0 192.168.1.109 p=0 i=11 t=3 pr=3 a=118951 h=0 m=281/0/0/0/0
224.0.0.0 240.0.0.0 159.254.234.55 p=0 i=17 t=3 pr=3 a=38280 h=0 m=286/0/0/0/0
255.255.255.255 255.255.255.255 127.0.0.1 p=0 i=1 t=3 pr=3 a=118967 h=0 m=306/0/0/0/0
255.255.255.255 255.255.255.255 192.168.56.1 p=0 i=14 t=3 pr=3 a=118958 h=0 m=276/0/0/0/0
255.255.255.255 255.255.255.255 192.168.1.109 p=0 i=11 t=3 pr=3 a=118951 h=0 m=281/0/0/0/0
255.255.255.255 255.255.255.255 159.254.234.55 p=0 i=17 t=3 pr=3 a=38280 h=0 m=286/0/0/0/0
SYSTEM ADAPTER LIST
Microsoft Virtual WiFi Miniport Adapter
Index = 19
GUID = {5401A059-6064-487B-938B-6D0168A6D8B0}
IP = 0.0.0.0/0.0.0.0

It's strange that the TAP-Win32 Adapter V9 picks up the following address, which is not assigned to any of my subnets or cards:

TAP-Win32 adapter V9
IP = 169.254.148.53/255.255.255.0
Gateway = 0.0.0.0/255.255.255.255
DHCP SERV =
DHCP LEASED Obtained = the computer date
DNS SERV =

The client connects with an error, and the server side shows a green box as connected. No ping works between the VPN client and the green zone.

/sbin/ifconfig shows that IPSEC0 and TUN0 have no packets.

Configurations

FW:
Interfaces:
85.93.24.35   Eth2    Red Interface
10.0.0.1      Eth1    Orange Interface
172.16.1.1    Eth0    Green Interface
85.93.24.35   IPSec0

Routing table:

destination       gw                netmask           dev
ipcop.domain.net  user.isp.net      255.255.255.255   eth0
user.isp.net      *                 255.255.255.255   eth2
172.16.1.0        172.16.1.1        255.255.255.255   eth0
10.0.10.2         *                 255.255.255.255   tun0
10.0.0.0          *                 255.255.255.0     eth1
172.16.1.0        *                 255.255.255.0     eth0
10.0.10.0         10.0.10.2         255.255.255.0     tun0
10.0.10.0         ipcop.domain.net  255.255.255.0     eth0
default           user.isp.net      0.0.0.0           eth2

Note: IPCop automatically resolves the addresses in the routing table in the following way:
ipcop.domain.net means the IPCop green interface 172.16.1.1
user.isp.net means any address of my ISP subnet.

OpenVPN server.conf

daemon openvpnserver
writepid /var/run/openvpn.pid
#DAN prepare ZERINA for listening on blue and orange
;local 85.93.24.35.user.domain.net
dev tun
tun-mtu 1500
proto udp
port 1194
tls-server
ca /var/ipcop/ovpn/ca/cacert.pem
cert /var/ipcop/ovpn/certs/servercert.pem
key /var/ipcop/ovpn/certs/serverkey.pem
dh /var/ipcop/ovpn/ca/dh1024.pem
server 10.0.10.0 255.255.255.0
push "route 172.16.1.0 255.255.255.0"
keepalive 10 60
status-version 1
status /var/log/ovpnserver.log 30
cipher BF-CBC
comp-lzo
max-clients 100
tls-verify /var/ipcop/ovpn/verify
crl-verify /var/ipcop/ovpn/crls/cacrl.pem
user nobody
group nobody
persist-key
persist-tun
verb 3


Opening the DMZ pinhole for 1194 has no effect. I have tried many configurations and routing tables, but with no success. The impression I have is that the problem is related to an incorrect routing table, either for TUN0 or for IPSec0 (which is missing from the list), and the tunnel assigns an incorrect TCP/IP address 169.X.X.X, which routes the client nowhere.
I would greatly appreciate some help, please.

Regards
Sal


 Post subject: [Solved] [Zerina/OpenVPN] Route: Waiting for TUN/TAP interface
PostPosted: 17.09.2012 15:00 
DES
The problem has been solved.

The DHCP client on my OpenVPN client machine (Windows 7) was in an unresponsive state. It is the service that allows the correct TCP/IP address assignment to the TAP I/F.


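An added diagnostic for the failure the two posts describe (example code, not from the original posts and not part of OpenVPN, Zerina or IPCop). It takes the relevant client log lines from the first post, copied in as a constructed sample, extracts the pushed ifconfig and route options, and compares the address OpenVPN asked the TAP driver to hand out via its internal DHCP server (10.0.10.6/30, gateway 10.0.10.5) with the address the adapter actually ended up with (the 169.254.148.53/24 address from the post). A gateway that is not on-link for the adapter's real address is exactly what produces "route gateway is not reachable on any active network adapters" and the "Waiting for TUN/TAP interface" loop, and a 169.254/16 address on the TAP adapter is the fingerprint of the root cause given in the second post: the Windows DHCP Client service never applied the lease. The same log also shows two settings worth flagging in a Zerina config of that era, the 64-bit-block BF-CBC data cipher and the 1024-bit server RSA key, so the script reports those as well. All function and constant names are my own.

```python
"""Diagnose the 'Route: Waiting for TUN/TAP interface to come up' failure
from an OpenVPN 2.x Windows client log plus the TAP adapter's real address.
Example code written for this thread, not OpenVPN's or Zerina's own."""
import ipaddress
import re

# Constructed sample: the relevant lines copied from the client log in the post.
CLIENT_LOG = """\
Mon Sep 03 18:30:40 2012 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Sep 03 18:30:40 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Sep 03 18:30:42 2012 PUSH: Received control message: 'PUSH_REPLY,route 172.16.1.0 255.255.255.0,route 10.0.10.1,ping 10,ping-restart 60,ifconfig 10.0.10.6 10.0.10.5'
Mon Sep 03 18:30:42 2012 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.0.10.6/255.255.255.252 on interface {2B984017-F000-4190-8F47-B7523391AD03} [DHCP-serv: 10.0.10.5, lease-time: 31536000]
Mon Sep 03 18:30:47 2012 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Mon Sep 03 18:30:47 2012 Route: Waiting for TUN/TAP interface to come up...
"""

PUSH_RE = re.compile(r"PUSH_REPLY,(.*)'")
DHCP_RE = re.compile(r"set a DHCP IP/netmask of (\S+)/(\S+) on interface")
CIPHER_RE = re.compile(r"Data Channel Encrypt: Cipher '([^']+)'")
RSA_RE = re.compile(r"(\d+) bit RSA")

APIPA = ipaddress.ip_network("169.254.0.0/16")   # Windows "no DHCP lease" range
BLOCK64_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC"}


def parse_push_reply(log):
    """Return (ifconfig_local, ifconfig_remote, routes) from the PUSH_REPLY line.
    A pushed 'route' without a netmask is a host route (255.255.255.255)."""
    m = PUSH_RE.search(log)
    if not m:
        raise ValueError("no PUSH_REPLY in log")
    local = remote = None
    routes = []
    for opt in m.group(1).split(","):
        words = opt.split()
        if words[0] == "ifconfig":
            local, remote = words[1], words[2]
        elif words[0] == "route":
            mask = words[2] if len(words) > 2 else "255.255.255.255"
            routes.append(f"{words[1]}/{mask}")
    return local, remote, routes


def diagnose_routes(log, tap_addr, tap_mask):
    """Check whether the pushed routes can be installed given the TAP adapter's
    real address (tap_addr/tap_mask as shown by ipconfig).
    Returns (gateway_reachable, findings)."""
    _, gateway, routes = parse_push_reply(log)
    m = DHCP_RE.search(log)
    wanted = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    actual = ipaddress.ip_interface(f"{tap_addr}/{tap_mask}")
    gw = ipaddress.ip_address(gateway)
    findings = []
    if actual.ip in APIPA:
        findings.append("TAP has an APIPA (169.254/16) address: the Windows DHCP "
                        "Client service never applied the lease the TAP driver offered")
    if actual.ip != wanted.ip:
        findings.append(f"TAP has {actual.ip}, OpenVPN asked for {wanted.ip}")
    reachable = gw in actual.network   # route.exe needs the gateway on-link
    if not reachable:
        for r in routes:
            findings.append(f"route {r} via {gw}: gateway not on-link for {actual}")
    return reachable, findings


def crypto_warnings(log):
    """Flag the data-channel cipher and control-channel RSA size seen in the log."""
    out = []
    m = CIPHER_RE.search(log)
    if m and m.group(1) in BLOCK64_CIPHERS:
        out.append(f"{m.group(1)} has a 64-bit block; prefer an AES cipher")
    m = RSA_RE.search(log)
    if m and int(m.group(1)) < 2048:
        out.append(f"{m.group(1)}-bit RSA server key; reissue with 2048+ bits")
    return out


if __name__ == "__main__":
    # The adapter state the poster reported, then the state after the fix.
    for addr, mask in (("169.254.148.53", "255.255.255.0"),
                       ("10.0.10.6", "255.255.255.252")):
        ok, notes = diagnose_routes(CLIENT_LOG, addr, mask)
        print(f"TAP {addr}/{mask}: gateway reachable={ok}")
        for n in notes:
            print("  -", n)
    for w in crypto_warnings(CLIENT_LOG):
        print("crypto:", w)
```

Run as-is it prints the poster's failing state beside the post-fix state. On a live client, paste in the log lines from the GUI and the TAP address from ipconfig /all; the service itself is checked with sc query Dhcp, which the script does not do because it runs offline.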