Hi, sorry for the long post but I need advice - also sorry if this got double-posted, I'm having some address book issues...
Trying to set up a site-to-site vpn between 2 openvpn (CentOS 4.5 w/ openvpn 2.0.9) systems. Site 1 (corp office) has its openvpn system configured as "server". Fortinet firewall sitting in front of the corp office lan; vpn server in DMZ and static route set for incoming vpn traffic to go to the vpn box. Site 2 (remote office) has vpn box configured as "client" for routing traffic from several laptops at the remote office to the corp office. Second Fortinet firewall sitting in front of the remote office lan; laptops connected to the internal interface (GREEN segment) and vpn box connected to the DMZ. Static routes have been set on the firewall to pass any traffic destined for the pushed remote subnets to the vpn box.
Using routing, TLS w/ certs, etc. I can establish a tunnel but cannot access resources on the pushed subnets. On the remote office side, I can ping from the vpn box to the subnet at the corp office that the vpn server is on but not any of the other subnets that are "pushed" to the client vpn box. Here's the server config (corp office):
port 443
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.9.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.2.0 255.255.255.0"
push "route 192.168.6.0 255.255.255.0"
client-config-dir ccd
route 192.168.100.0 255.255.255.0
keepalive 10 120
tls-auth hmac.key 0
cipher AES-256-CBC # AES
comp-lzo
max-clients 4
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 5
mute 20

The server config includes a file within the "ccd" directory with the appropriate "iroute" command. Here is the client config:
client
dev tun
proto tcp
remote my_external_ip 443
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
tls-auth hmac.key 1
cipher AES-256-CBC
comp-lzo
log client.log
verb 6

Any thoughts? Could really use some help on this - need to do a couple of remote offices in this manner.
Thanks...
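An added example, not part of the post or the poster's files: a small Python consistency check over an OpenVPN server config and its ccd entries. For a client LAN reached through a tunnel, the server needs both a kernel-level `route` in the main config and an `iroute` in that client's ccd file; when either half is missing the packets are routed into tun but dropped, or never reach tun at all. The config text below is constructed to mirror the post (the ccd file name and the iroute line are assumptions).

```python
import re

# Constructed server config modelled on the post; not the poster's actual file.
SERVER_CONF = """\
server 10.9.0.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"
push "route 192.168.6.0 255.255.255.0"
client-config-dir ccd
route 192.168.100.0 255.255.255.0
"""
# Assumed ccd entry for the remote-office client (file name is hypothetical).
CCD = {"remote-office": "iroute 192.168.100.0 255.255.255.0\n"}

def parse_server(text):
    """Return (kernel routes, pushed routes) as sets of (network, netmask)."""
    routes, pushed = set(), set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments
        m = re.match(r"route\s+(\S+)\s+(\S+)", line)
        if m:
            routes.add((m.group(1), m.group(2)))
        m = re.match(r'push\s+"route\s+(\S+)\s+(\S+)"', line)
        if m:
            pushed.add((m.group(1), m.group(2)))
    return routes, pushed

def parse_ccd(ccd):
    """Map each iroute (network, netmask) to the ccd entries declaring it."""
    iroutes = {}
    for name, text in ccd.items():
        for line in text.splitlines():
            m = re.match(r"iroute\s+(\S+)\s+(\S+)", line.strip())
            if m:
                iroutes.setdefault((m.group(1), m.group(2)), []).append(name)
    return iroutes

def check(server_text, ccd):
    """Return a list of findings; an empty list means route/iroute agree."""
    routes, pushed = parse_server(server_text)
    iroutes = parse_ccd(ccd)
    findings = []
    for net, names in iroutes.items():
        if net not in routes:
            findings.append(f"iroute {net[0]}/{net[1]} in {names} has no 'route' in server config")
        if net in pushed:
            findings.append(f"{net[0]}/{net[1]} is both an iroute and a pushed route")
    for net in routes - set(iroutes):
        findings.append(f"route {net[0]}/{net[1]} has no iroute in any ccd entry")
    return findings
```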