Dear list,
I am having a problem with openvpn. I have the following arrangement,
running two instances of openvpn on "home fw". I want to protect my
WLAN in back of the home fw and that works fine. I can see "Peer
connection initiated with 192.168.1.3:5000" in daemon.log on homefw.
Nothing gets initiated with officefw, nor can I ping the other end of
the tunnel at officefw. I was hoping to be able to get from "subnet to
subnet", i.e. be able to ping from 192.168.1.3 to a machine like
192.168.10.13, but that is not possible either.
home subnet                                          office subnet
192.168.1.0/24                                       192.168.10.0/24
winxp -- WLAN -- homefw -- Internet -------------- officefw
      <--- tun 1 ----->  <------------------ tun0 ---------->
10.1.1.2       10.1.1.1  10.1.10.1                 10.1.10.2
route 216.x.y.z  route 192.168.10.0/24             route 192.168.1.0/24
Why does nothing work for tun0?
TIA
Rick
The following policies are in place on officefw:
fw vpn3 ACCEPT
loc vpn3 ACCEPT
net vpn3 ACCEPT
vpn1 loc ACCEPT
vpn3 loc ACCEPT
vpn3 net ACCEPT
vpn3 fw ACCEPT
where the tunnels entry is
openvpn:50001 net 216.x.y.z vpn3
and similar policies on homefw,
loc vpn4 ACCEPT
fw vpn4 ACCEPT
net vpn4 ACCEPT
vpn4 loc ACCEPT
vpn4 fw ACCEPT
vpn4 net ACCEPT
where the tunnels entry is
openvpn:50001 net 137.p.q.r vpn4
On homefw, the route table becomes
# ip route sho
10.1.10.2 dev tun0 proto kernel scope link src 10.1.10.1
216.x.y.z via 10.1.1.2 dev tun1
10.1.1.2 dev tun1 proto kernel scope link src 10.1.1.1
216.12.22.64/26 dev eth0 proto kernel scope link src 216.12.22.89
216.12.22.64/26 dev ipsec0 proto kernel scope link src 216.12.22.89
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.254
192.168.10.0/24 via 10.1.10.2 dev tun0
default via 216.12.22.65 dev eth0
and the tunnel conf on homefw (to the office fw) is
dev tun
disable-occ
port 50001
local 216.x.y.z < ... public IP anonymized...>
# Our remote peer (office subnet)
remote 137.p.q.r < ... public IP anonymized...>
ifconfig 10.1.10.1 10.1.10.2
route 192.168.10.0 255.255.255.0
# Our pre-shared static key
secret static.key
The officefw conf is similar, except with these things reversed:
port 50001
local 137.p.q.r
remote 216.x.y.z
ifconfig 10.1.10.2 10.1.10.1
The config for the WLAN tunnel is:
dev tun
# For compatibility with 2.x openvpn clients/servers
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
disable-occ
local 192.168.1.254
float
ifconfig 10.1.1.1 10.1.1.2
# only this route directive will work, all else fails.
route 216.x.y.z
# Our pre-shared static key
secret static.key
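A static-key point-to-point tunnel like the homefw/officefw one above only comes up when each end's local/remote, port and ifconfig lines are the exact mirror of the other's. The following checker is an added example (not code from the post or from OpenVPN); it parses the homefw config quoted above and an officefw config reconstructed from "similar, except reversed" (an assumption), and reports any mirror mismatch.

```python
# Mirror check for an OpenVPN static-key point-to-point pair (added
# example; not code from the post). The officefw config is rebuilt from
# the post's "similar, except these things reversed" (an assumption);
# 216.x.y.z / 137.p.q.r are the post's own anonymised placeholders.
HOMEFW = """
dev tun
port 50001
local 216.x.y.z
remote 137.p.q.r
ifconfig 10.1.10.1 10.1.10.2
route 192.168.10.0 255.255.255.0
secret static.key
"""
OFFICEFW = """
dev tun
port 50001
local 137.p.q.r
remote 216.x.y.z
ifconfig 10.1.10.2 10.1.10.1
route 192.168.1.0 255.255.255.0
secret static.key
"""

def parse_ovpn(text):
    """Map each directive to the list of argument lists it appeared with."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            name, *args = line.split()
            conf.setdefault(name, []).append(args)
    return conf

def check_pair(a_text, b_text):
    """Return mismatch descriptions; an empty list means the ends mirror."""
    a, b = parse_ovpn(a_text), parse_ovpn(b_text)
    def first(conf, key):  # first occurrence of a directive, or [None]
        return conf.get(key, [[None]])[0]
    problems = []
    if first(a, "port") != first(b, "port"):
        problems.append("port differs between the two ends")
    if first(a, "ifconfig") != first(b, "ifconfig")[::-1]:
        problems.append("ifconfig local/remote pair is not swapped")
    for side, mine, peer in (("A", a, b), ("B", b, a)):
        if first(mine, "local") != first(peer, "remote"):
            problems.append(f"{side}: 'local' is not the peer's 'remote'")
        if "secret" not in mine:
            problems.append(f"{side}: missing 'secret' static-key directive")
    return problems
```

Run `check_pair(HOMEFW, OFFICEFW)` against the real files on both firewalls; an empty list means the two ends agree and the remaining suspects are the UDP path on port 50001 and the firewall policies rather than the tunnel definitions.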