Dear All,

First, let me apologize, as this may not be the right place to ask. I hope some of you have come across and solved the same problem already.

I've been having a problem with an OpenVPN server on my FC4 box and a client on my XP box. I can connect from the client to the server but cannot ping. My connection diagram looks like this:

    Client1 <---> Mikrotik (with NAT) <---> FC4 (OpenVPN Server) <---> CISCO 7206 <---> Client2
                                                     |
                                                  Client3

If I try to connect from Client3 (without passing through the Router or the Mikrotik NAT), it is fine; they can ping each other. However, when I try to connect from Client1 (through Mikrotik 2.9 with NAT) or Client2 (from outside, through my border Router with IOS 12.0), they cannot ping each other.

For Client1, I'm quite sure it is a problem with the Mikrotik firewall/NAT rules. For Client2, it may be the Router access-list policy. I'm desperate about how to resolve this after searching the Web for a while, esp. the OpenVPN web site. I hope some of you have had the same experience and would help me out.

Here is my server config (on FC4):

---
port 1194
proto udp
dev tun
server 192.168.99.0 255.255.255.0
ifconfig 192.168.99.1 255.255.255.0
#ifconfig-pool-persist ipp.txt
mode server
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/vpnserver.crt
key /etc/openvpn/easy-rsa/keys/vpnserver.key  # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
#duplicate-cn
#client-config-dir /etc/openvpn/ccd
push "route 202.79.24.64 255.255.255.192"
push "route 202.79.24.128 255.255.255.192"
user nobody
group nobody
keepalive 10 120
comp-lzo
persist-key
persist-tun
log-append /etc/openvpn/openvpn.log
status /etc/openvpn/openvpn-status.log
verb 3
---

Here is a client config (on Windows XP):

---
client
dev tun
proto udp
remote 202.79.24.151 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3
---

Here is the log on the server when a client connects:

---
Fri Mar 3 10:28:49 2006 OpenVPN 2.0.5 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Nov 4 2005
Fri Mar 3 10:28:49 2006 Diffie-Hellman initialized with 1024 bit key
Fri Mar 3 10:28:49 2006 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Mar 3 10:28:49 2006 TUN/TAP device tun0 opened
Fri Mar 3 10:28:49 2006 /sbin/ip link set dev tun0 up mtu 1500
Fri Mar 3 10:28:49 2006 /sbin/ip addr add dev tun0 local 192.168.99.1 peer 192.168.99.2
Fri Mar 3 10:28:50 2006 /sbin/ip route add 192.168.99.0/24 via 192.168.99.2
Fri Mar 3 10:28:50 2006 Data Channel MTU parms [ L:1542 D:1400 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Mar 3 10:28:50 2006 GID set to nobody
Fri Mar 3 10:28:50 2006 UID set to nobody
Fri Mar 3 10:28:50 2006 UDPv4 link local (bound): [undef]:1194
Fri Mar 3 10:28:50 2006 UDPv4 link remote: [undef]
Fri Mar 3 10:28:50 2006 MULTI: multi_init called, r=256 v=256
Fri Mar 3 10:28:50 2006 IFCONFIG POOL: base=192.168.99.4 size=62
Fri Mar 3 10:28:50 2006 Initialization Sequence Completed
Fri Mar 3 10:29:08 2006 MULTI: multi_create_instance called
Fri Mar 3 10:29:08 2006 202.79.24.158:1566 Re-using SSL/TLS context
Fri Mar 3 10:29:08 2006 202.79.24.158:1566 LZO compression initialized
Fri Mar 3 10:29:08 2006 202.79.24.158:1566 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Mar 3 10:29:08 2006 202.79.24.158:1566 Data Channel MTU parms [ L:1542 D:1400 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Mar 3 10:29:08 2006 202.79.24.158:1566 Local Options hash (VER=V4): '530fdded'
Fri Mar 3 10:29:08 2006 202.79.24.158:1566 Expected Remote Options hash (VER=V4): '41690919'
Fri Mar 3 10:29:08 2006 202.79.24.158:1566 TLS: Initial packet from 202.79.24.158:1566, sid=e379c074 060c9d72
Fri Mar 3 10:29:08 2006 202.79.24.158:1566 VERIFY OK: depth=1, /C=KH/ST=KD/L=PP/O=WICAM.NET/OU=Base/CN=vpnserver/emailAddress=
Fri Mar 3 10:29:08 2006 202.79.24.158:1566 VERIFY OK: depth=0, /C=KH/ST=KD/O=WICAM.NET/OU=Base/CN=vidol/emailAddress=
Fri Mar 3 10:29:08 2006 202.79.24.158:1566 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Mar 3 10:29:08 2006 202.79.24.158:1566 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Mar 3 10:29:08 2006 202.79.24.158:1566 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Mar 3 10:29:08 2006 202.79.24.158:1566 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Mar 3 10:29:08 2006 202.79.24.158:1566 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri Mar 3 10:29:08 2006 202.79.24.158:1566 [vidol] Peer Connection Initiated with 202.79.24.158:1566
Fri Mar 3 10:29:08 2006 vidol/202.79.24.158:1566 MULTI: Learn: 192.168.99.6 -> vidol/202.79.24.158:1566
Fri Mar 3 10:29:08 2006 vidol/202.79.24.158:1566 MULTI: primary virtual IP for vidol/202.79.24.158:1566: 192.168.99.6
Fri Mar 3 10:29:09 2006 vidol/202.79.24.158:1566 PUSH: Received control message: 'PUSH_REQUEST'
Fri Mar 3 10:29:09 2006 vidol/202.79.24.158:1566 SENT CONTROL [vidol]: 'PUSH_REPLY,route 202.79.24.64 255.255.255.192,route 202.79.24.128 255.255.255.192,route 192.168.99.1,ping 10,ping-restart 120,ifconfig 192.168.99.6 192.168.99.5' (status=1)
---

Thank you,
Khem
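An added check, not part of Khem's post or of OpenVPN itself, that reads the push "route" lines from the server config and the remote line from the client config quoted above and flags any pushed route that contains one of the tunnel's own outer endpoints (the server's public address, or the NAT address a client arrives from). A pushed route covering those addresses steers the encrypted UDP packets into the tun device unless a more specific host route exists, so the tunnel builds and then blackholes; the configs and the 202.79.24.158 peer address are taken from the post, and a hit is a candidate to verify, not a diagnosis.

```python
import ipaddress
import re

# Constructed from the server and client configs quoted in the post;
# only the lines the check needs are kept.
SERVER_CONF = """\
port 1194
proto udp
dev tun
server 192.168.99.0 255.255.255.0
push "route 202.79.24.64 255.255.255.192"
push "route 202.79.24.128 255.255.255.192"
"""
CLIENT_CONF = """\
client
dev tun
proto udp
remote 202.79.24.151 1194
"""


def pushed_routes(conf):
    """Networks the server hands to every client via push "route net mask"."""
    nets = []
    for m in re.finditer(r'^push\s+"route\s+(\S+)\s+(\S+)"', conf, re.M):
        nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return nets


def remote_endpoints(conf):
    """Server addresses the client config connects to (its remote lines)."""
    return [ipaddress.ip_address(m.group(1))
            for m in re.finditer(r"^remote\s+(\d+\.\d+\.\d+\.\d+)", conf, re.M)]


def route_conflicts(server_conf, client_conf, client_public_ip=None):
    """Return (pushed_net, outer_address) pairs where a pushed route contains
    an address the tunnel's outer UDP packets must reach directly.
    client_public_ip is the address the server sees the client arrive from
    (the NAT address in the log); pass None if the client is not behind NAT."""
    endpoints = remote_endpoints(client_conf)
    if client_public_ip:
        endpoints.append(ipaddress.ip_address(client_public_ip))
    problems = []
    for net in pushed_routes(server_conf):
        for ep in endpoints:
            if ep in net:  # route is more specific than the default, so it wins
                problems.append((str(net), str(ep)))
    return problems
```

Run it with the peer address from the log (`route_conflicts(SERVER_CONF, CLIENT_CONF, "202.79.24.158")`) to see which pushed network covers both the server's address and the Mikrotik NAT address.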