And I'm experiencing it right now.
Here is my ROS 4.11 configuration:
[admin@MikroTik] /ip address> print
 #   ADDRESS            NETWORK          BROADCAST        INTERFACE
 0 D 192.168.1.108/24   192.168.1.0      192.168.1.255    ether2
 1   192.168.10.1/24    192.168.10.0     192.168.10.255   ether1
[admin@MikroTik] /ip route> print
 #     DST-ADDRESS        PREF-SRC        GATEWAY          DISTANCE
 0 ADS 0.0.0.0/0                          192.168.1.1      0
 1 ADC 192.168.1.0/24     192.168.1.108   ether2           0
 2 ADC 192.168.10.0/24    192.168.10.1    ether1           0
[admin@MikroTik] /ip pool> print
 # NAME         RANGES
 0 lan_pool     192.168.10.2-192.168.10.254
 1 ovpn_pool1   192.168.11.34-192.168.11.38
[admin@MikroTik] /ppp profile> print
 1 name="ovpn_profile1" local-address=192.168.11.33 remote-address=ovpn_pool1
   use-compression=default use-vj-compression=default
   use-encryption=required only-one=default change-tcp-mss=default
[admin@MikroTik] /ppp secret> print
Flags: X - disabled
 #  NAME   SERVICE  CALLER-ID  PASSWORD   PROFILE         REMOTE-ADDRESS
 0  ppp1   ovpn                xxxxxxx.   ovpn_profile1
/interface ovpn-server server
set auth=sha1,md5 certificate=cert1 cipher=blowfish128,aes128,aes192,aes256 \
default-profile=ovpn_profile1 enabled=yes keepalive-timeout=disabled \
mac-address=xx:xx:xx:xx:xx:xx max-mtu=1500 mode=ip netmask=29 port=45645 \
require-client-certificate=no
client
dev tun
proto tcp
remote aaa.bb.cc.ddd
port 45645
auth-user-pass
# the client log warns that the password may be cached in memory; auth-nocache prevents that
auth-nocache
nobind
persist-tun
persist-key
#tls-auth static.key
ca ca.crt
cert rb493.crt
key rb493.key
# dh parameters are only used by the TLS server side; a client config does not need them
#dh dh2048.pem
cipher BF-CBC
# the server side reports no comp-lzo (see the 'comp-lzo' warning in the log below)
comp-lzo
verb 3
keepalive 15 120
status openvpn-status.log
Mon Aug 16 23:25:40 2010 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009
Mon Aug 16 23:25:48 2010 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon Aug 16 23:25:48 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Aug 16 23:25:48 2010 LZO compression initialized
Mon Aug 16 23:25:48 2010 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Mon Aug 16 23:25:48 2010 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Aug 16 23:25:48 2010 Local Options hash (VER=V4): '69109d17'
Mon Aug 16 23:25:48 2010 Expected Remote Options hash (VER=V4): 'c0103fa8'
Mon Aug 16 23:25:48 2010 Attempting to establish TCP connection with aaa.bb.cc.ddd:45645
Mon Aug 16 23:25:48 2010 TCP connection established with aaa.bb.cc.ddd:45645
Mon Aug 16 23:25:48 2010 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Aug 16 23:25:48 2010 TCPv4_CLIENT link local: [undef]
Mon Aug 16 23:25:48 2010 TCPv4_CLIENT link remote: aaa.bb.cc.ddd:45645
Mon Aug 16 23:25:48 2010 TLS: Initial packet from aaa.bb.cc.ddd:45645, sid=e864ea64 74f2c706
Mon Aug 16 23:25:48 2010 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Aug 16 23:25:50 2010 VERIFY OK: depth=1, /C=CN/ST=SH/L=Shanghai/O=ZGQC/CN=ZGQC-SY/emailAddress=vpn@zgqc.3322.org
Mon Aug 16 23:25:50 2010 VERIFY OK: depth=0, /C=CN/ST=SH/O=ZGQC/CN=ZGQC-SY/emailAddress=vpn@zgqc.3322.org
Mon Aug 16 23:25:52 2010 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1544', remote='link-mtu 1543'
Mon Aug 16 23:25:52 2010 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Mon Aug 16 23:25:52 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Aug 16 23:25:52 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Aug 16 23:25:52 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Aug 16 23:25:52 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Aug 16 23:25:52 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Mon Aug 16 23:25:52 2010 [ZGQC-SY] Peer Connection Initiated with 222.69.93.135:45645
Mon Aug 16 23:25:54 2010 SENT CONTROL [ZGQC-SY]: 'PUSH_REQUEST' (status=1)
Mon Aug 16 23:25:54 2010 PUSH: Received control message: 'PUSH_REPLY,route 192.168.11.32 255.255.255.248,ifconfig 192.168.11.38 192.168.11.33'
Mon Aug 16 23:25:54 2010 OPTIONS IMPORT: --ifconfig/up options modified
Mon Aug 16 23:25:54 2010 OPTIONS IMPORT: route options modified
Mon Aug 16 23:25:54 2010 ROUTE default_gateway=10.0.1.1
Mon Aug 16 23:25:54 2010 There is a problem in your selection of --ifconfig endpoints [local=192.168.11.38, remote=192.168.11.33]. The local and remote VPN endpoints must exist within the same 255.255.255.252 subnet. This is a limitation of --dev tun when used with the TAP-WIN32 driver. Try 'openvpn --show-valid-subnets' option for more info.
Mon Aug 16 23:25:54 2010 Exiting
Can somebody help me correct the IP/subnet mask settings? Also, I've heard that there is no such problem with a Linux client?
Thank you.
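Added example (editor's code, not part of the post above and not OpenVPN or MikroTik source): a small Python check that re-implements the rule the client log states for --dev tun on the TAP-WIN32 driver (both ifconfig endpoints in the same 255.255.255.252 block, neither being the first or last address of that block), parses the ifconfig pair out of the PUSH_REPLY line from the log, and then applies the rule to the profile's local-address and the ovpn_pool1 range from the post to show which pool addresses a Windows tun client could actually be given. The function names, the PUSH_REPLY constant (copied from the log) and the helper that lists valid pairs inside a network are this example's own; it says nothing about non-Windows clients.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed from the client log in the post: the PUSH_REPLY the MikroTik side sent.
PUSH_REPLY = ("PUSH_REPLY,route 192.168.11.32 255.255.255.248,"
              "ifconfig 192.168.11.38 192.168.11.33")


def p2p_endpoint_problem(local: str, remote: str) -> Optional[str]:
    """Return None if the pair passes the TAP-WIN32 /30 rule, otherwise the reason.

    Re-implementation (this example's own, not OpenVPN source) of the rule the
    log states: both endpoints must sit in the same 255.255.255.252 block, and
    neither may be that block's first (network) or last (broadcast) address.
    """
    loc = int(ipaddress.IPv4Address(local))
    rem = int(ipaddress.IPv4Address(remote))
    if loc == rem:
        return "local and remote endpoints are identical"
    if (loc & ~3) != (rem & ~3):
        return "endpoints are not within the same 255.255.255.252 subnet"
    if (loc & 3) in (0, 3) or (rem & 3) in (0, 3):
        return "an endpoint is the first or last address of its /30 block"
    return None


def pushed_ifconfig(push_reply: str) -> Tuple[str, str]:
    """Extract (local, remote) from the 'ifconfig L R' option of a PUSH_REPLY string."""
    for opt in push_reply.split(","):
        parts = opt.split()
        if len(parts) == 3 and parts[0] == "ifconfig":
            return parts[1], parts[2]
    raise ValueError("no ifconfig option in PUSH_REPLY")


def usable_pool_addresses(local_address: str, pool_first: str, pool_last: str) -> List[str]:
    """Addresses of a remote-address pool (MikroTik /ip pool range) that a Windows
    tun client can be assigned when the PPP profile's local-address is local_address."""
    first = int(ipaddress.IPv4Address(pool_first))
    last = int(ipaddress.IPv4Address(pool_last))
    usable = []
    for n in range(first, last + 1):
        candidate = str(ipaddress.IPv4Address(n))
        if p2p_endpoint_problem(local_address, candidate) is None:
            usable.append(candidate)
    return usable


def p2p_pairs_in(network: str) -> List[Tuple[str, str]]:
    """Every (server, client) pair inside network that passes the rule, i.e. the
    two middle addresses of each /30 block. Empty for prefixes longer than /30."""
    net = ipaddress.IPv4Network(network, strict=False)
    if net.prefixlen > 30:
        return []
    pairs = []
    for block in net.subnets(new_prefix=30):
        base = int(block.network_address)
        pairs.append((str(ipaddress.IPv4Address(base + 1)),
                      str(ipaddress.IPv4Address(base + 2))))
    return pairs


if __name__ == "__main__":
    local, remote = pushed_ifconfig(PUSH_REPLY)
    print(f"pushed ifconfig {local} {remote}: {p2p_endpoint_problem(local, remote)}")
    # profile local-address and the ovpn_pool1 range from the post
    print("pool addresses usable with local-address 192.168.11.33:",
          usable_pool_addresses("192.168.11.33", "192.168.11.34", "192.168.11.38"))
    # the /29 the server pushes as a route (netmask=29 on the ovpn-server)
    print("valid pairs in 192.168.11.32/29:", p2p_pairs_in("192.168.11.32/29"))
```

Run stand-alone it reports why the pushed pair 192.168.11.38/192.168.11.33 is rejected, that 192.168.11.34 is the only address in ovpn_pool1 that passes the rule with local-address 192.168.11.33, and which address pairs inside the pushed /29 would pass it at all.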