Author Topic: Openvpn site2site - routes are not always created  (Read 1557 times)

Bluestone

  • Zen Apprentice
Openvpn site2site - routes are not always created
« on: June 22, 2010, 01:21:15 pm »
Hi,
I'm having an issue with eBox 1.4 openvpn site2site connections. Basically everything works as expected,
but after a reboot or new start of the eBox-client machine only 1 route of 3 networks is created on the eBox-server.

eBox-client networks: 10.0.0.0/24, 10.0.99.0/24, 10.0.100.0/24
vpn net: 192.168.160.0/24
eBox-client vpn address: 192.168.160.2
eBox-server vpn address: 192.168.160.1
eBox-server network: 10.1.0.0/24

After reboot or new start of the eBox-client machine, the tunnel will be created successfully, but lan-client machines within the 10.0.0.0/24 and 10.0.100.0/24 nets can't ping the eBox-server (10.1.0.1). Ping works from eBox-client to eBox-server.
Checking the routes on eBox-server shows that only route 10.0.99.0 has been created. All routes on eBox-client are available. So the ping from a lan-client in 10.0.x.x to 10.1.0.1 doesn't get answered.

Sometimes it helps also to restart the openvpn service at eBox-client machine, but not necessarily.

It seems the client networks don't get advertised reliably.


Bluestone
« Last Edit: June 22, 2010, 02:16:37 pm by Bluestone »
Zentyal 3.0, eBox 1.4.3
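A diagnostic check for the symptom described above, added here as an example (it is not code from the thread, nor from eBox/Zentyal): it parses `ip route show` output on the eBox-server and lists which of the three client networks are not installed via the tunnel peer. The sample routing table is constructed to mirror the reported state (only 10.0.99.0/24 present); the default-route gateway in it is a placeholder.

```python
"""Report which site2site client networks are missing from the server routing table.

Added example, not part of the forum thread or of eBox/Zentyal. Parses the output
of `ip route show` (constructed sample below, or live output when run as a script)
and checks each expected client network against the tunnel peer as next hop.
"""
import ipaddress
import subprocess

# Client networks the eBox-client should advertise (values from the thread).
CLIENT_NETWORKS = ["10.0.0.0/24", "10.0.99.0/24", "10.0.100.0/24"]
# eBox-client VPN address: every client route must point at it.
EXPECTED_GATEWAY = "192.168.160.2"

# Constructed sample of `ip route show` on eBox-server after the client reboot:
# only 10.0.99.0/24 made it through the tunnel. 10.1.0.254 is a placeholder.
SAMPLE_ROUTES = """\
default via 10.1.0.254 dev eth0
10.1.0.0/24 dev eth0  proto kernel  scope link  src 10.1.0.1
192.168.160.0/24 via 192.168.160.2 dev tun0
192.168.160.2 dev tun0  proto kernel  scope link  src 192.168.160.1
10.0.99.0/24 via 192.168.160.2 dev tun0
"""


def parse_routes(text):
    """Map each destination network to its gateway (None for directly connected)."""
    routes = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dest, strict=False)  # host entries become /32
        gateway = fields[fields.index("via") + 1] if "via" in fields else None
        routes[net] = gateway
    return routes


def missing_client_routes(route_text, networks=CLIENT_NETWORKS, gateway=EXPECTED_GATEWAY):
    """Return the client networks that are absent or not routed via the tunnel peer."""
    routes = parse_routes(route_text)
    return [n for n in networks if routes.get(ipaddress.ip_network(n)) != gateway]


if __name__ == "__main__":
    # On a live eBox-server, check the real table; exit non-zero if anything is missing.
    live = subprocess.run(["ip", "route", "show"], capture_output=True, text=True).stdout
    missing = missing_client_routes(live)
    print("missing client routes:", missing or "none")
    raise SystemExit(1 if missing else 0)
```

Run it on the eBox-server right after the client restarts to confirm which networks never arrived; a non-zero exit makes it usable from a cron or monitoring check.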

jsalamero

  • Zentyal Staff
  • Zen Hero
Re: Openvpn site2site - routes are not always created
« Reply #1 on: June 24, 2010, 10:12:35 am »
You mean that /etc/init.d/ebox openvpn restart on the client fixes the issue? Did you configure everything from the eBox interface or did you do anything by hand?

Bluestone

  • Zen Apprentice
Re: Openvpn site2site - routes are not always created
« Reply #2 on: June 25, 2010, 11:12:29 am »
Hi,
the restart of the openvpn service is done using the dashboard interface. I guess it's the same as /etc/init.d/openvpn restart. All configuration is untouched and made by/with eBox/eBox bundle. After restart of the openvpn service on eBox-client, about 3-4 ping attempts to the eBox-server from a lan-client within one of the client networks will do it and the ping gets echoed.

Bluestone
Zentyal 3.0, eBox 1.4.3

Bluestone

  • Zen Apprentice
Re: Openvpn site2site - routes are not always created
« Reply #3 on: July 05, 2010, 04:30:29 pm »
Hi,
I just want to inform you about the topic. The described setup was just a proof of concept, having eBox as firewall and gateway with a multiple network setup in a xen 3.3 Dom0 with PV-Guests on older hardware (P4, Intel 82845).

For each network a xen bridge was set up. Basically everything worked as expected. Issues came up with the openvpn site2site advertised routes as described and some undefined Dom0 crashes. To start the server machine several reboots were necessary. During boot the system hung with different memory allocation errors, as well as problems while registering devices and resources, which I didn't investigate too much.

The hardware itself is o.k.! Running eBox services on the same machine without xen works pretty well and none of the above issues occurred. Running the same xen installation w/o the eBox services as described also worked w/o any problems.

I was just curious to run xen with eBox services on older hardware with different setups. The xen 3.3 packages were taken from the backports repos.


Bluestone
Zentyal 3.0, eBox 1.4.3