 
kenyloveg
Frequent Visitor
Topic Author
Posts: 89
Joined: Tue Jul 14, 2009 3:25 pm

OpenVPN and subnet 255.255.255.252

Mon Aug 16, 2010 6:31 pm

Well, this is the very classic problem from OpenVPN.
And I'm experiencing it right now.

Here is my ROS 4.11 configuration:
[admin@MikroTik] /ip address> print
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE              
 0 D 192.168.1.108/24   192.168.1.0     192.168.1.255   ether2                 
 1   192.168.10.1/24    192.168.10.0    192.168.10.255  ether1
[admin@MikroTik] /ip route> print
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          192.168.1.1        0       
 1 ADC  192.168.1.0/24     192.168.1.108   ether2             0       
 2 ADC  192.168.10.0/24    192.168.10.1    ether1             0       
[admin@MikroTik] /ip pool> print
 # NAME                                         RANGES                         
 0 lan_pool                                     192.168.10.2-192.168.10.254    
 1 ovpn_pool1                                   192.168.11.34-192.168.11.38
[admin@MikroTik] /ppp profile> print
 1   name="ovpn_profile1" local-address=192.168.11.33 remote-address=ovpn_pool1 
     use-compression=default use-vj-compression=default 
     use-encryption=required only-one=default change-tcp-mss=default
[admin@MikroTik] /ppp secret> print
Flags: X - disabled 
 #   NAME        SERVICE CALLER-ID     PASSWORD     PROFILE     REMOTE-ADDRESS 
 0   ppp1        ovpn                  xxxxxxx. ovpn_profile1
/interface ovpn-server server
set auth=sha1,md5 certificate=cert1 cipher=blowfish128,aes128,aes192,aes256 \
    default-profile=ovpn_profile1 enabled=yes keepalive-timeout=disabled \
    mac-address=xx:xx:xx:xx:xx:xx max-mtu=1500 mode=ip netmask=29 port=45645 \
    require-client-certificate=no
Next is the Windows client configuration:
client
dev tun
proto tcp
remote aaa.bb.cc.ddd
port 45645
auth-user-pass
nobind
persist-tun
persist-key
#tls-auth static.key
ca ca.crt
cert rb493.crt
key rb493.key
dh dh2048.pem
cipher BF-CBC
comp-lzo
verb 3
keepalive 15 120
status openvpn-status.log
And the error log:
Mon Aug 16 23:25:40 2010 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009
Mon Aug 16 23:25:48 2010 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mon Aug 16 23:25:48 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Aug 16 23:25:48 2010 LZO compression initialized
Mon Aug 16 23:25:48 2010 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Mon Aug 16 23:25:48 2010 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Aug 16 23:25:48 2010 Local Options hash (VER=V4): '69109d17'
Mon Aug 16 23:25:48 2010 Expected Remote Options hash (VER=V4): 'c0103fa8'
Mon Aug 16 23:25:48 2010 Attempting to establish TCP connection with aaa.bb.cc.ddd:45645
Mon Aug 16 23:25:48 2010 TCP connection established with aaa.bb.cc.ddd:45645
Mon Aug 16 23:25:48 2010 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Aug 16 23:25:48 2010 TCPv4_CLIENT link local: [undef]
Mon Aug 16 23:25:48 2010 TCPv4_CLIENT link remote: aaa.bb.cc.ddd:45645
Mon Aug 16 23:25:48 2010 TLS: Initial packet from aaa.bb.cc.ddd:45645, sid=e864ea64 74f2c706
Mon Aug 16 23:25:48 2010 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Aug 16 23:25:50 2010 VERIFY OK: depth=1, /C=CN/ST=SH/L=Shanghai/O=ZGQC/CN=ZGQC-SY/emailAddress=vpn@zgqc.3322.org
Mon Aug 16 23:25:50 2010 VERIFY OK: depth=0, /C=CN/ST=SH/O=ZGQC/CN=ZGQC-SY/emailAddress=vpn@zgqc.3322.org
Mon Aug 16 23:25:52 2010 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1544', remote='link-mtu 1543'
Mon Aug 16 23:25:52 2010 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Mon Aug 16 23:25:52 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Aug 16 23:25:52 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Aug 16 23:25:52 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Aug 16 23:25:52 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Aug 16 23:25:52 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Mon Aug 16 23:25:52 2010 [ZGQC-SY] Peer Connection Initiated with 222.69.93.135:45645
Mon Aug 16 23:25:54 2010 SENT CONTROL [ZGQC-SY]: 'PUSH_REQUEST' (status=1)
Mon Aug 16 23:25:54 2010 PUSH: Received control message: 'PUSH_REPLY,route 192.168.11.32 255.255.255.248,ifconfig 192.168.11.38 192.168.11.33'
Mon Aug 16 23:25:54 2010 OPTIONS IMPORT: --ifconfig/up options modified
Mon Aug 16 23:25:54 2010 OPTIONS IMPORT: route options modified
Mon Aug 16 23:25:54 2010 ROUTE default_gateway=10.0.1.1
Mon Aug 16 23:25:54 2010 There is a problem in your selection of --ifconfig endpoints [local=192.168.11.38, remote=192.168.11.33].  The local and remote VPN endpoints must exist within the same 255.255.255.252 subnet.  This is a limitation of --dev tun when used with the TAP-WIN32 driver.  Try 'openvpn --show-valid-subnets' option for more info.
Mon Aug 16 23:25:54 2010 Exiting
That's all.
Can somebody help me correct the IP/subnet mask settings? Also, I've heard that there is no such problem on a Linux client?
Thank you.
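
The fatal line in the log above states the rule the Windows client enforces in --dev tun mode: the local and remote --ifconfig endpoints have to lie inside one 255.255.255.252 (/30) subnet, and, as 'openvpn --show-valid-subnets' lists, neither may be the first or last address of that /30. The following checker is an added example written for this thread (it is not code from the post, from OpenVPN or from MikroTik); the function names are my own, and it assumes the values shown in the config above: profile local-address 192.168.11.33, pool 192.168.11.34-192.168.11.38, client assigned 192.168.11.38.

```python
import ipaddress

# Added example, not code from the thread, from OpenVPN or from MikroTik.
# It re-implements the endpoint rule quoted in the client log for --dev tun
# on TAP-Win32: both --ifconfig endpoints must sit in one /30 ("net30" pair),
# and the network/broadcast address of that /30 cannot be an endpoint.

NET30_HOST_MASK = 0b11  # the low two bits select the address inside a /30


def check_net30_endpoints(local: str, remote: str):
    """Return (ok, reason) for an --ifconfig local/remote pair in net30 mode."""
    l = int(ipaddress.IPv4Address(local))
    r = int(ipaddress.IPv4Address(remote))
    if l == r:
        return False, "local and remote must be different"
    # Clearing the low two bits gives the /30 each address belongs to.
    if (l & ~NET30_HOST_MASK) != (r & ~NET30_HOST_MASK):
        return False, "endpoints are not inside the same 255.255.255.252 subnet"
    # Offsets 0 and 3 are the network and broadcast address of the /30.
    if (l & NET30_HOST_MASK) in (0, 3) or (r & NET30_HOST_MASK) in (0, 3):
        return False, "first or last address of a /30 cannot be an endpoint"
    return True, "ok"


def usable_pool_addresses(local: str, pool_first: str, pool_last: str):
    """Addresses of a PPP pool that a Windows tun client could actually be
    given when the profile's local-address is `local`."""
    first = int(ipaddress.IPv4Address(pool_first))
    last = int(ipaddress.IPv4Address(pool_last))
    return [
        str(ipaddress.IPv4Address(a))
        for a in range(first, last + 1)
        if check_net30_endpoints(local, str(ipaddress.IPv4Address(a)))[0]
    ]


def net30_pairs(network: str):
    """Carve a block into /30s and return the (server, client) pair of each,
    i.e. the two middle addresses that a profile could use as
    local-address / remote-address for one Windows tun client."""
    net = ipaddress.IPv4Network(network, strict=False)
    pairs = []
    for sub in net.subnets(new_prefix=30):
        hosts = list(sub.hosts())  # the two usable addresses of a /30
        pairs.append((str(hosts[0]), str(hosts[1])))
    return pairs


if __name__ == "__main__":
    # Values taken from the configuration and log posted above.
    print(check_net30_endpoints("192.168.11.38", "192.168.11.33"))
    print(usable_pool_addresses("192.168.11.33", "192.168.11.34", "192.168.11.38"))
    print(net30_pairs("192.168.11.32/29"))
```

Run against the posted values, the checker reports the same mismatch as the log (.38 is in 192.168.11.36/30 while .33 is in 192.168.11.32/30) and shows that, with local-address .33, only .34 out of the .34-.38 pool can satisfy the rule. Since a /30 holds exactly one usable pair, each Windows tun client effectively needs its own server/client pair from the same /30, which net30_pairs enumerates for the 192.168.11.32/29 block.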
 
tjhana
just joined
Posts: 2
Joined: Tue Jun 21, 2005 9:52 am

Re: OpenVPN and subnet 255.255.255.252

Tue Aug 17, 2010 11:21 am

Hello Kenny,

I don't understand what you're asking here, what your problem is and what you are trying to accomplish.

I'm assuming you want to connect branch offices to your headquarters office.

If you need to connect several branch offices you just need to connect them one by one properly. Once you've set up / successfully connected one branch office to your HQ office, you can try to ping from the client at your branch A to the client computer located at the HQ office. Once the ping test is successful, the rest will be easy.

And just a tip: if possible you may want to try using OpenVPN on your Linux also, so you have eliminated the possibility of incompatibility.

Just my 2 cents.
 
kenyloveg
Frequent Visitor
Topic Author
Posts: 89
Joined: Tue Jul 14, 2009 3:25 pm

Re: OpenVPN and subnet 255.255.255.252

Tue Aug 17, 2010 11:27 am

Well, here is my network structure.
This is also my approach, while I'm currently testing the way starting from point to point (Windows client).
