Hi, I'm trying to configure an OpenVPN, but I have a slight problem. I follow all the instructions which are explained in the shorewall information, but when doing a ping to the other side machine an error occurs. My configuration is the following:

---
zones
  net   Net    Internet
  loc   Local  Local networks
  vpn   VPN    Remote Subnet IPSec
  colt  COLT   OpenVPN COLT

interfaces
  net   eth0    detect  routefilter,norfc1918
  loc   eth1    detect  dhcp
  loc   ppp0
  vpn   ipsec0
  colt  tun0

hosts
  loc   eth1:192.168.1.0/24
  loc   ppp0:192.168.1.0/24

policy
  loc   net   ACCEPT
  fw    net   ACCEPT
  loc   loc   ACCEPT
  loc   vpn   ACCEPT
  vpn   loc   ACCEPT
  loc   colt  ACCEPT
  colt  loc   ACCEPT
  net   all   DROP
  all   all   REJECT

tunnels
  pptpserver    net   0.0.0.0/0
  ipsec         net   81.202.xx.xx
  openvpn:5001  net   62.97.aa.bb

/etc/openvpn/colt.conf
  dev tun
  local 217.127.46.153
  remote 62.97.78.98
  ifconfig 192.168.99.3 192.168.99.4
  up ./colt.up
  secret ./static.key
  port 5001
  verb 5

/etc/openvpn/colt.up
  #!/bin/bash
  route add -net 192.168.15.0 netmask 255.255.255.0 gw $5
------

When I try a VPN connection everything seems to be right. The routes table shows the following:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.99.4    *               255.255.255.255 UH    0      0        0 tun0
localnet        *               255.255.255.0   U     0      0        0 eth1
217.xx.xx.0     *               255.255.255.0   U     0      0        0 eth0
192.168.15.0    192.168.99.4    255.255.255.0   UG    0      0        0 tun0
default         xx.Red-217-xx   0.0.0.0         UG    0      0        0 eth0

But if I try to do a ping, it provokes the following error:

PING 192.168.15.30 (192.168.15.30): 56 data bytes
ping: sendto: Operation not permitted
ping: wrote 192.168.15.30 64 chars, ret=-1
ping: sendto: Operation not permitted
ping: wrote 192.168.15.30 64 chars, ret=-1
ping: sendto: Operation not permitted

I've tried with the testing that is published in the web about OpenVPN

  openvpn --dev null --verb 9 --ping 1 --remote host

and it works perfectly. Any idea about which is the problem?

Thks!
Sergio Navarro
On Mon, 9 Jun 2003, snf wrote:

> interfaces
> net eth0 detect routefilter,norfc1918
> loc eth1 detect dhcp
> loc ppp0
> vpn ipsec0
> colt tun0
>
> hosts
> loc eth1:192.168.1.0/24
> loc ppp0:192.168.1.0/24
>

You don't need entries in the hosts file -- get rid of them.

> policy
> loc net ACCEPT
> fw net ACCEPT
> loc loc ACCEPT
> loc vpn ACCEPT
> vpn loc ACCEPT
> loc colt ACCEPT
> colt loc ACCEPT
> net all DROP
> all all REJECT
>
> But if I try to do a ping, it provokes the following error:
>
> PING 192.168.15.30 (192.168.15.30): 56 data bytes
> ping: sendto: Operation not permitted
> ping: wrote 192.168.15.30 64 chars, ret=-1
> ping: sendto: Operation not permitted
> ping: wrote 192.168.15.30 64 chars, ret=-1
> ping: sendto: Operation not permitted
>

Where are you pinging from? The firewall? If so, your policies don't allow any traffic from the firewall to the colt zone.

-Tom
--
Tom Eastep          \ Shorewall - iptables made easy
Shoreline,          \ http://www.shorewall.net
Washington USA      \ teastep@shorewall.net
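Tom's diagnosis can be checked mechanically. The script below is an added example, not part of the thread and not Shorewall's own code: it applies Shorewall's first-match policy semantics (top to bottom, `all` as a wildcard; a simplification that ignores `$FW` aliases and per-zone defaults) to the policy file Sergio posted and reports which zone pairs fall through to the catch-all `all all REJECT` line, which is what turns a ping from the firewall into "sendto: Operation not permitted".

```python
# Constructed example: evaluate Shorewall /etc/shorewall/policy lookup
# (first matching line wins; "all" is a wildcard) for the policy file
# posted in the thread. The checker itself is not Shorewall code.
POLICY_TEXT = """\
loc   net   ACCEPT
fw    net   ACCEPT
loc   loc   ACCEPT
loc   vpn   ACCEPT
vpn   loc   ACCEPT
loc   colt  ACCEPT
colt  loc   ACCEPT
net   all   DROP
all   all   REJECT
"""

def parse_policy(text):
    """Return [(source, dest, action), ...] in file order, comments dropped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, action = line.split()[:3]
        rules.append((src, dst, action.upper()))
    return rules

def lookup(rules, src, dst):
    """Return (action, matching_rule) for traffic src -> dst, or (None, None)."""
    for rule in rules:
        rsrc, rdst, action = rule
        if rsrc in (src, "all") and rdst in (dst, "all"):
            return action, rule
    return None, None

def audit(rules, zones):
    """List zone pairs whose only match is the catch-all 'all all' line."""
    hits = []
    for src in zones:
        for dst in zones:
            if src == dst:
                continue
            action, rule = lookup(rules, src, dst)
            if rule and rule[0] == "all" and rule[1] == "all":
                hits.append((src, dst, action))
    return hits

if __name__ == "__main__":
    rules = parse_policy(POLICY_TEXT)
    print(lookup(rules, "fw", "colt"))  # ('REJECT', ('all', 'all', 'REJECT'))
    for src, dst, action in audit(rules, ["fw", "net", "loc", "vpn", "colt"]):
        print(f"{src:5} -> {dst:5} falls through to {action}")
```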