Author Topic: ping in the VPN tunnel  (Read 3635 times)

mouitido

  • Proximus subscriber (Belgium)
  • *
  • Posts: 8
ping in the VPN tunnel
« on: 22 January 2015 at 15:00:22 »
Hello,

Context: lab test setup (so for testing only). ALIX board, 256 RAM, 4 GB CompactFlash
VPN server used: OpenVPN
VPN client used: OpenVPN

Need:
Ping the server's virtual interface and the other clients in the VPN, from the VPN client on a PC.

Question and current layout:

For the moment I have a VPN server running, with 3 remote sites that connect to it.

I do get a reply from the 3 sites when I ping from the server.

Conversely, I do get a reply from the server when I ping from the clients.

The pings are run directly from the different pfSense boxes, with the ping tool.

The different sites do not answer pings between each other; that doesn't bother me, it even suits me.

That is the current layout.

Pfsense 00 (server) 172.32.32.0/20

Pfsense 01 (client) 172.32.32.0/20, IP in the VPN 172.32.32.14
Pfsense 02 (client) 172.32.32.0/20, IP in the VPN 172.32.32.6
Pfsense 03 (client) 172.32.32.0/20, IP in the VPN 172.32.32.10



QUESTION

Now I have an OpenVPN client on my PC, and I have added the appropriate certificates. The connection to the server is established properly. From Windows I cannot ping the server; this machine should also be able to ping the other clients in the VPN tunnel.

Here is my .ovpn code

client
dev-node openvpnnetwork
proto udp
persist-tun
persist-key
cipher AES-128-CBC
auth SHA1
tls-client
resolv-retry infinite
remote ipforme 9876
route 172.32.32.0 255.255.240.0 172.32.32.1
ca serversiteca.crt
cert remoteserver.crt
key remoteserver.key
dev tap

nobind
auth-nocache
---------------------------
Here are my logs

Full log

Thu Jan 22 12:01:11 2015 OpenVPN 2.3.5 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Oct 28 2014
Thu Jan 22 12:01:11 2015 library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.05
Enter Management Password:
Thu Jan 22 12:01:11 2015 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu Jan 22 12:01:11 2015 UDPv4 link local: [undef]
Thu Jan 22 12:01:11 2015 UDPv4 link remote: [AF_INET]80.236.245.228:9876
Thu Jan 22 12:01:13 2015 WARNING: 'dev-type' is used inconsistently, local='dev-type tap', remote='dev-type tun'
Thu Jan 22 12:01:13 2015 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1589', remote='link-mtu 1557'
Thu Jan 22 12:01:13 2015 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
Thu Jan 22 12:01:13 2015 [serversite] Peer Connection Initiated with [AF_INET]80.236.245.228:9876
Thu Jan 22 12:01:15 2015 WARNING: Since you are using --dev tap, the second argument to --ifconfig must be a netmask, for example something like 255.255.255.0. (silence this warning with --ifconfig-nowarn)
Thu Jan 22 12:01:15 2015 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Thu Jan 22 12:01:15 2015 OpenVPN ROUTE: failed to parse/resolve route for host/network: 172.32.32.1
Thu Jan 22 12:01:15 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Jan 22 12:01:15 2015 open_tun, tt->ipv6=0
Thu Jan 22 12:01:15 2015 TAP-WIN32 device [openvpnnetwork] opened: \\.\Global\{0411304C-7D24-4F6A-9F90-9298986ED077}.tap
Thu Jan 22 12:01:15 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 172.32.32.18/172.32.32.17 on interface {0411304C-7D24-4F6A-9F90-9298986ED077} [DHCP-serv: 172.32.32.16, lease-time: 31536000]
Thu Jan 22 12:01:15 2015 Successful ARP Flush on interface [23] {0411304C-7D24-4F6A-9F90-9298986ED077}
SYSTEM ROUTING TABLE
0.0.0.0 0.0.0.0 192.168.1.1 p=0 i=11 t=4 pr=3 a=7961 h=0 m=10/0/0/0/0
127.0.0.0 255.0.0.0 127.0.0.1 p=0 i=1 t=3 pr=3 a=7972 h=0 m=306/0/0/0/0
127.0.0.1 255.255.255.255 127.0.0.1 p=0 i=1 t=3 pr=3 a=7972 h=0 m=306/0/0/0/0
127.255.255.255 255.255.255.255 127.0.0.1 p=0 i=1 t=3 pr=3 a=7972 h=0 m=306/0/0/0/0
128.0.0.0 128.0.0.0 172.32.32.18 p=0 i=23 t=3 pr=3 a=34 h=0 m=276/0/0/0/0
169.254.0.0 255.255.0.0 169.254.167.55 p=0 i=17 t=3 pr=3 a=7953 h=0 m=276/0/0/0/0
169.254.0.0 255.255.0.0 169.254.251.44 p=0 i=16 t=3 pr=3 a=7953 h=0 m=276/0/0/0/0
169.254.167.55 255.255.255.255 169.254.167.55 p=0 i=17 t=3 pr=3 a=7953 h=0 m=276/0/0/0/0
169.254.251.44 255.255.255.255 169.254.251.44 p=0 i=16 t=3 pr=3 a=7953 h=0 m=276/0/0/0/0
169.254.255.255 255.255.255.255 169.254.167.55 p=0 i=17 t=3 pr=3 a=7953 h=0 m=276/0/0/0/0
169.254.255.255 255.255.255.255 169.254.251.44 p=0 i=16 t=3 pr=3 a=7953 h=0 m=276/0/0/0/0
172.32.32.0 255.255.240.0 172.32.32.1 p=0 i=23 t=4 pr=3 a=0 h=0 m=20/0/0/0/0
172.32.32.18 255.255.255.255 172.32.32.18 p=0 i=23 t=3 pr=3 a=34 h=0 m=276/0/0/0/0
192.168.1.0 255.255.255.0 192.168.1.176 p=0 i=11 t=3 pr=3 a=7961 h=0 m=266/0/0/0/0
192.168.1.176 255.255.255.255 192.168.1.176 p=0 i=11 t=3 pr=3 a=7961 h=0 m=266/0/0/0/0
192.168.1.255 255.255.255.255 192.168.1.176 p=0 i=11 t=3 pr=3 a=7961 h=0 m=266/0/0/0/0
224.0.0.0 240.0.0.0 127.0.0.1 p=0 i=1 t=3 pr=3 a=7972 h=0 m=306/0/0/0/0
224.0.0.0 240.0.0.0 192.168.1.176 p=0 i=11 t=3 pr=3 a=7963 h=0 m=266/0/0/0/0
224.0.0.0 240.0.0.0 172.32.32.18 p=0 i=23 t=3 pr=3 a=7963 h=0 m=276/0/0/0/0
224.0.0.0 240.0.0.0 169.254.251.44 p=0 i=16 t=3 pr=3 a=7963 h=0 m=276/0/0/0/0
224.0.0.0 240.0.0.0 169.254.167.55 p=0 i=17 t=3 pr=3 a=7963 h=0 m=276/0/0/0/0
255.255.255.255 255.255.255.255 127.0.0.1 p=0 i=1 t=3 pr=3 a=7972 h=0 m=306/0/0/0/0
255.255.255.255 255.255.255.255 192.168.1.176 p=0 i=11 t=3 pr=3 a=7963 h=0 m=266/0/0/0/0
255.255.255.255 255.255.255.255 169.254.251.44 p=0 i=16 t=3 pr=3 a=7963 h=0 m=276/0/0/0/0
255.255.255.255 255.255.255.255 169.254.167.55 p=0 i=17 t=3 pr=3 a=7963 h=0 m=276/0/0/0/0
255.255.255.255 255.255.255.255 172.32.32.18 p=0 i=23 t=3 pr=3 a=34 h=0 m=276/0/0/0/0
SYSTEM ADAPTER LIST
TAP-Windows Adapter V9
  Index = 23
  GUID = {0411304C-7D24-4F6A-9F90-9298986ED077}
  IP = 172.32.32.18/128.0.0.0
  MAC = 00:ff:04:11:30:4c
  GATEWAY = 0.0.0.0/255.255.255.255
  DHCP SERV = 172.32.32.16/255.255.255.255
  DHCP LEASE OBTAINED = Thu Jan 22 12:01:16 2015
  DHCP LEASE EXPIRES  = Fri Jan 22 12:01:16 2016
  DNS SERV = 
Carte réseau Fast Ethernet Realtek RTL8139/810x Family
  Index = 18
  GUID = {EE0FFD8F-00E8-4D00-980A-F2D00D8F8EA0}
  IP = 0.0.0.0/0.0.0.0
  MAC = 00:50:bf:e0:cd:ff
  GATEWAY = 0.0.0.0/255.255.255.255
  DHCP SERV = 
  DHCP LEASE OBTAINED = Thu Jan 22 12:01:50 2015
  DHCP LEASE EXPIRES  = Thu Jan 22 12:01:50 2015
  DNS SERV = 
Broadcom NetXtreme Gigabit Ethernet
  Index = 11
  GUID = {581D3E1D-9323-4A97-924C-B80DAE180E8A}
  IP = 192.168.1.176/255.255.255.0
  MAC = 00:1f:29:d6:ec:26
  GATEWAY = 192.168.1.1/255.255.255.255
  DHCP SERV = 192.168.1.1/255.255.255.255
  DHCP LEASE OBTAINED = Thu Jan 22 11:49:08 2015
  DHCP LEASE EXPIRES  = Thu Jan 22 13:49:08 2015
  DNS SERV = 192.168.1.1/255.255.255.255
VMware Virtual Ethernet Adapter for VMnet1
  Index = 16
  GUID = {A0DEDFDE-29F2-4821-8143-4A4FAB74FFE4}
  IP = 169.254.251.44/255.255.0.0
  MAC = 00:50:56:c0:00:01
  GATEWAY = 0.0.0.0/255.255.255.255
  DNS SERV = 
VMware Virtual Ethernet Adapter for VMnet8
  Index = 17
  GUID = {966B24D3-CF1F-42C8-BD35-1E3B5D68AD78}
  IP = 169.254.167.55/255.255.0.0
  MAC = 00:50:56:c0:00:08
  GATEWAY = 0.0.0.0/255.255.255.255
  DNS SERV = 
Thu Jan 22 12:01:50 2015 Initialization Sequence Completed With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )
Thu Jan 22 12:57:58 2015 SIGTERM[hard,] received, process exiting



Source
http://serverfault.com/questions/236171/problems-setting-up-a-vpn-can-connect-but-cant-ping-anyone
https://forums.openvpn.net/topic9262.html
http://linuxconfig.org/vpn-virtual-private-network-and-openvpn

Reasoning
I assume I need to add the routes, but after many attempts I am getting nowhere.

Note
It is possible that my configuration could be improved; I am just starting out with VPNs.

Best regards,
Mouitido
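
Added example (not part of the original post): a small triage script for the client log above, separating the security warning (no server certificate verification, the man-in-the-middle case the log's own link covers) from option mismatches and route errors. The rule names and categories are this example's own choices; the sample lines are copied from the log on the page.

```python
import re

# Lines copied from the client log in the post above.
SAMPLE_LOG = """\
Thu Jan 22 12:01:11 2015 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu Jan 22 12:01:13 2015 WARNING: 'dev-type' is used inconsistently, local='dev-type tap', remote='dev-type tun'
Thu Jan 22 12:01:13 2015 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1589', remote='link-mtu 1557'
Thu Jan 22 12:01:13 2015 [serversite] Peer Connection Initiated with [AF_INET]80.236.245.228:9876
Thu Jan 22 12:01:15 2015 OpenVPN ROUTE: failed to parse/resolve route for host/network: 172.32.32.1
Thu Jan 22 12:01:50 2015 Initialization Sequence Completed With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )
"""

# "WARNING: '<option>' is used inconsistently, local='...', remote='...'"
MISMATCH = re.compile(
    r"WARNING: '([\w-]+)' is used inconsistently, local='([^']*)', remote='([^']*)'"
)

# (rule id, category, pattern). Ids and categories are hypothetical labels.
RULES = [
    # The client accepts any certificate signed by the CA as "the server".
    ("no-server-cert-verification", "security",
     re.compile(r"No server certificate verification method")),
    ("route-not-installed", "connectivity",
     re.compile(r"OpenVPN ROUTE: (failed to parse|OpenVPN needs a gateway)")),
    ("init-with-errors", "connectivity",
     re.compile(r"Initialization Sequence Completed With Errors")),
]

def triage(log_text):
    """Return one finding per log line that matches a rule, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = MISMATCH.search(line)
        if m:
            option, local, remote = m.groups()
            # Values are logged as "<option> <value>"; keep only the value.
            findings.append({"id": "option-mismatch", "category": "config",
                             "option": option,
                             "local": local.split()[-1],
                             "remote": remote.split()[-1]})
            continue
        for rule_id, category, pattern in RULES:
            if pattern.search(line):
                findings.append({"id": rule_id, "category": category,
                                 "detail": line})
                break
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```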

mouitido

  • Proximus subscriber (Belgium)
  • *
  • Posts: 8
ping in the VPN tunnel
« Reply #1 on: 23 January 2015 at 12:49:11 »
It's progressing

Here is my research


Here is the log.

Fri Jan 23 10:49:51 2015 OpenVPN 2.3.5 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Oct 28 2014
Fri Jan 23 10:49:51 2015 library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.05
Enter Management Password:
Fri Jan 23 10:49:51 2015 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Jan 23 10:49:51 2015 UDPv4 link local (bound): [undef]
Fri Jan 23 10:49:51 2015 UDPv4 link remote: [AF_INET]80.236.215.208:9876
Fri Jan 23 10:49:53 2015 [serversite] Peer Connection Initiated with [AF_INET]80.236.215.208:9876
Fri Jan 23 10:49:56 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Jan 23 10:49:56 2015 open_tun, tt->ipv6=0
Fri Jan 23 10:49:56 2015 TAP-WIN32 device [openvpnnetwork] opened: \\.\Global\{0411304C-7D24-4F6A-9F90-9298986ED077}.tap
Fri Jan 23 10:49:56 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 172.32.32.18/255.255.255.252 on interface {0411304C-7D24-4F6A-9F90-9298986ED077} [DHCP-serv: 172.32.32.17, lease-time: 31536000]
Fri Jan 23 10:49:56 2015 Successful ARP Flush on interface [23] {0411304C-7D24-4F6A-9F90-9298986ED077}
Fri Jan 23 10:49:58 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Fri Jan 23 10:49:58 2015 Initialization Sequence Completed


Here is the .ovpn file

client

dev tun
proto udp
persist-tun
persist-key
cipher AES-128-CBC
auth SHA1
tls-client
resolv-retry infinite
remote mouitido.mouitido.com 9876

ca serversiteca.crt
cert remoteserver.crt
key remoteserver.key
route-method exe
route-delay 2


Now

What I manage to do:

I can ping the server, which is 172.32.32.1, and I do reach the web GUI of the interface, all of that inside the VPN, which is great.

What I cannot do

Ping:

Pfsense 01 (client) 172.32.32.0/20, IP in the VPN 172.32.32.14
Pfsense 03 (client) 172.32.32.0/20, IP in the VPN 172.32.32.10

Reasoning

The problem comes from a route that I am not adding, or that is missing.
I also notice that my OpenVPN network interface took as IP
IP 172.32.32.18
mask 255.255.255.252

whereas the mask should be 255.255.240.0

The goal

Is still to ping the other clients in the VPN

Thanks for your help

Mouitido
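
Added example (not part of the original thread): the 255.255.255.252 mask and the .6/.10/.14/.18 client addresses in the posts are consistent with OpenVPN's net30 topology, in which each client gets its own /30. Assuming the server on 172.32.32.0/20 uses net30, this sketch computes each client's /30 and shows which addresses are on-link from 172.32.32.18; `net30_slot`, `next_hop` and `on_link_with_mask` are hypothetical helper names.

```python
import ipaddress

POOL = ipaddress.ip_network("172.32.32.0/20")  # tunnel network from the posts

def net30_slot(client_ip, pool=POOL):
    """Return the /30 that net30 topology (assumed here) gives one client."""
    ip = ipaddress.ip_address(client_ip)
    if ip not in pool:
        raise ValueError(f"{ip} is outside {pool}")
    block = ipaddress.ip_network(f"{ip}/30", strict=False)
    # Iterating a /30 yields 4 addresses: network, server-side endpoint,
    # client address, broadcast.
    _net, endpoint, client, _bcast = block
    if ip != client:
        raise ValueError(f"{ip} is not the client address of {block}")
    return {"block": str(block), "netmask": str(block.netmask),
            "client": str(client), "server_endpoint": str(endpoint)}

def next_hop(src_ip, dst_ip, pool=POOL):
    """Say whether dst is on-link for src or must be routed into the tunnel."""
    slot = net30_slot(src_ip, pool)
    if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(slot["block"]):
        return "on-link"
    return "routed via " + slot["server_endpoint"]

def on_link_with_mask(src_ip, dst_ip, netmask):
    """Same question for any mask, e.g. the 255.255.240.0 expected in the post."""
    net = ipaddress.ip_network(f"{src_ip}/{netmask}", strict=False)
    return ipaddress.ip_address(dst_ip) in net

if __name__ == "__main__":
    print(net30_slot("172.32.32.18"))
    for peer in ("172.32.32.1", "172.32.32.10", "172.32.32.14"):
        print(peer, next_hop("172.32.32.18", peer),
              on_link_with_mask("172.32.32.18", peer, "255.255.240.0"))
```

With a /30 on the interface, the server and the other clients are never on-link, so reaching them depends on a route into the tunnel and on the server forwarding traffic between clients.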