[Shorewall-users] Problems with the OpenVPN

snf snf at apdo.com
Mon Jun 9 17:11:26 PDT 2003


Hi,
 
I'm trying to configure OpenVPN, but I have a slight problem. I followed all
the instructions explained in the Shorewall documentation, but when I ping
the machine on the other side, an error occurs. My configuration is the
following:
---
zones
    net    Net      Internet
    loc    Local    Local networks
    vpn    VPN      Remote Subnet IPSec
    colt   COLT     OpenVPN COLT

interfaces
    net    eth0     detect    routefilter,norfc1918
    loc    eth1     detect    dhcp
    loc    ppp0
    vpn    ipsec0
    colt   tun0

hosts
    loc    eth1:192.168.1.0/24
    loc    ppp0:192.168.1.0/24

policy
    loc    net    ACCEPT
    fw     net    ACCEPT
    loc    loc    ACCEPT
    loc    vpn    ACCEPT
    vpn    loc    ACCEPT
    loc    colt   ACCEPT
    colt   loc    ACCEPT
    net    all    DROP
    all    all    REJECT

tunnels
    pptpserver     net    0.0.0.0/0
    ipsec          net    81.202.xx.xx
    openvpn:5001   net    62.97.aa.bb

/etc/openvpn/colt.conf
    dev tun
    local 217.127.46.153
    remote 62.97.78.98
    ifconfig 192.168.99.3 192.168.99.4
    up ./colt.up
    secret ./static.key
    port 5001
    verb 5
/etc/openvpn/colt.up
    #!/bin/bash
    # OpenVPN calls the "up" script with the tunnel device, tun MTU, link MTU,
    # local ifconfig address and remote ifconfig address as arguments, so $5
    # is the remote tunnel endpoint (192.168.99.4 with the ifconfig line above).
    route add -net 192.168.15.0 netmask 255.255.255.0 gw $5
------

When I try a VPN connection everything seems to be right. The routing table
shows the following:

Kernel IP routing table
Destination     Gateway         Genmask          Flags  Metric  Ref  Use  Iface
192.168.99.4    *               255.255.255.255  UH     0       0    0    tun0
localnet        *               255.255.255.0    U      0       0    0    eth1
217.xx.xx.0     *               255.255.255.0    U      0       0    0    eth0
192.168.15.0    192.168.99.4    255.255.255.0    UG     0       0    0    tun0
default         xx.Red-217-xx   0.0.0.0          UG     0       0    0    eth0

But if I try to ping, I get the following error:
 
PING 192.168.15.30 (192.168.15.30): 56 data bytes 
ping: sendto: Operation not permitted 
ping: wrote 192.168.15.30 64 chars, ret=-1 
ping: sendto: Operation not permitted 
ping: wrote 192.168.15.30 64 chars, ret=-1 
ping: sendto: Operation not permitted 

I've tried the test published on the OpenVPN web site
(openvpn --dev null --verb 9 --ping 1 --remote host) and it works perfectly.

Any idea what the problem is?

Thanks!

   Sergio Navarro
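An added example, not code from this thread or from Shorewall: a minimal model of Shorewall's first-match policy lookup, run over the policy table in the post. It assumes the ping is issued on the firewall host itself (zone "fw"), which is my reading of the post rather than something it states; the "fw" zone name and the helper names are mine.

```python
# Shorewall reads /etc/shorewall/policy top to bottom and applies the first
# entry whose SOURCE and DEST zones match; "all" matches any zone and "fw"
# is the firewall host itself. A packet the firewall generates locally that
# hits a REJECT/DROP policy makes sendto() fail with EPERM, which ping reports
# as "Operation not permitted". Constructed copy of the posted policy table:
POLICY = """\
loc   net   ACCEPT
fw    net   ACCEPT
loc   loc   ACCEPT
loc   vpn   ACCEPT
vpn   loc   ACCEPT
loc   colt  ACCEPT
colt  loc   ACCEPT
net   all   DROP
all   all   REJECT
"""

def parse_policy(text):
    """Return [(source, dest, action)] in file order, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, action = line.split()[:3]
        rules.append((src, dst, action))
    return rules

def lookup(rules, src, dst):
    """First-match policy action for traffic from zone src to zone dst."""
    for rsrc, rdst, action in rules:
        if rsrc in (src, "all") and rdst in (dst, "all"):
            return action
    return None  # Shorewall itself refuses a table with no catch-all entry

def check_tunnel_paths(rules):
    """Zone pairs that matter for the ping in the post (names are mine)."""
    return {
        "loc->colt": lookup(rules, "loc", "colt"),
        "colt->loc": lookup(rules, "colt", "loc"),
        "fw->colt": lookup(rules, "fw", "colt"),    # falls through to all/all
        "colt->fw": lookup(rules, "colt", "fw"),    # falls through to all/all
    }

if __name__ == "__main__":
    for pair, action in check_tunnel_paths(parse_policy(POLICY)).items():
        print(f"{pair:10} {action}")
```

Only loc<->colt is accepted; traffic between the firewall host and the colt zone reaches the final "all all REJECT" entry, so a ping sent from the firewall itself needs its own fw/colt policy (or rules) to pass.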
