VPN Headquarters x Branch [RESOLVED]

Forum in Portuguese for general discussion and help for BrazilFW 3.x users

VPN Headquarters x Branch

Post by jefferson.toma » Sat Oct 14, 2017 3:23 pm

Good afternoon, I'm getting something wrong in the configuration. I have had a BFW server running for years now, with squid active, dansguardian and MAC/IP restriction.
Logical network: 10.10.10.1
VPN network: 170.70.0.1
IP of the 2012 server: 10.10.10.2
We are opening a branch where the people working there will have access to the shared disk, which in this case is 10.10.10.2 (Windows 2012 server).
On the branch computer I can connect via OpenVPN, but I can't ping the damn 10.10.10.2.

Some information to help you help me:
Firewall version: 3.0.262.rc2
Users:
joao openvpn senhajoao 170.70.0.2 #JOAO
Routes:
yes static vpn route 10.10.10.0/8 170.70.0.1 #vpn
VPN - OPENVPN server: 170.70.0.0

OpenVPN configuration on the client
Code: Select all
client
dev tun
proto tcp-client
pull
remote 177.xx.xx.xx
port 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca brazilfw_ca.crt
cert vpnclientebfwmatrizcrt.crt
key vpnclientebfwmatrizkey.key
auth-user-pass
verb 3
keepalive 10 60
link-mtu 1534
ns-cert-type server
cipher BF-CBC
auth SHA1
route 10.10.10.0/8 255.0.0.0 170.70.0.1

Re: VPN Headquarters x Branch

Post by Lenobare » Sat Oct 14, 2017 6:45 pm

We wrote the whole tutorial based on the stable version 3.0.262, not on the rc2 version.
Follow the rules and everything will work, believe me :o!
If it connects, the problem is your route, or the IP/port of the Server 2012 is blocked by the Windows firewall.
Your route in openvpn.ovpn is wrong; the correct one in your case is this:
Code: Select all
 route 10.10.10.0 255.0.0.0 170.70.0.1

Note, it is not size /8 but 255.0.0.0.
Go over the tutorial again calmly, it is very well explained :mrgreen:
Good luck.
Study, study and... keep studying.

Re: VPN Headquarters x Branch

Post by jefferson.toma » Sat Oct 14, 2017 9:27 pm

Leno,
I removed the /8 from openvpn.ovpn, it really was wrong. I also believe it is something related to the route on the firewall; on the Server 2012 I have already disabled the firewall to make sure of the tests.

In the route.cfg part:
yes static vpn route 10.10.10.0/8 170.70.0.1 #vpn

Did I do it the right way?

Re: VPN Headquarters x Branch

Post by Lenobare » Sat Oct 14, 2017 11:14 pm

If the server is the BrazilFW, you have an OpenVPN client (Windows client) that accesses the BFW's VPN; on the BrazilFW server no route is needed at all, because the routes are only for those who access the server, not the other way round.
Test it, and if it doesn't work, send the OpenVPN client log configurations.

Re: VPN Headquarters x Branch

Post by jefferson.toma » Sun Oct 15, 2017 2:17 am

File: 
Sun Oct 15 03:16:24 2017 OpenVPN 2.3.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Dec  1 2014
Sun Oct 15 03:16:24 2017 library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.08
Enter Management Password:
Sun Oct 15 03:16:24 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sun Oct 15 03:16:24 2017 Need hold release from management interface, waiting...
Sun Oct 15 03:16:25 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sun Oct 15 03:16:25 2017 MANAGEMENT: CMD 'state on'
Sun Oct 15 03:16:25 2017 MANAGEMENT: CMD 'log all on'
Sun Oct 15 03:16:25 2017 MANAGEMENT: CMD 'hold off'
Sun Oct 15 03:16:25 2017 MANAGEMENT: CMD 'hold release'
Sun Oct 15 03:16:31 2017 MANAGEMENT: CMD 'username "Auth" "jefferson.toma"'
Sun Oct 15 03:16:31 2017 MANAGEMENT: CMD 'password [...]'
Sun Oct 15 03:16:31 2017 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1491)
Sun Oct 15 03:16:31 2017 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Oct 15 03:16:31 2017 Attempting to establish TCP connection with [AF_INET]177.92.xx.xx(ipexterno):1194 [nonblock]
Sun Oct 15 03:16:31 2017 MANAGEMENT: >STATE:1508044591,TCP_CONNECT,,,
Sun Oct 15 03:16:32 2017 TCP connection established with [AF_INET]177.92.xx.xx(ipexterno):1194
Sun Oct 15 03:16:32 2017 TCPv4_CLIENT link local: [undef]
Sun Oct 15 03:16:32 2017 TCPv4_CLIENT link remote: [AF_INET]177.92.xx.xx(ipexterno):1194
Sun Oct 15 03:16:32 2017 MANAGEMENT: >STATE:1508044592,WAIT,,,
Sun Oct 15 03:16:32 2017 MANAGEMENT: >STATE:1508044592,AUTH,,,
Sun Oct 15 03:16:32 2017 TLS: Initial packet from [AF_INET]177.92.xx.xx(ipexterno):1194, sid=18d5a484 d4790d3e
Sun Oct 15 03:16:32 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Oct 15 03:16:33 2017 VERIFY OK: depth=1, C=BR, O=BrazilFW Firewall & Router, ST=Sao Paulo, OU=http://www.brazilfw.com.br, OU=BrazilFW Firewall & Router, CN=BrazilFW Class 3 Secure Server CA
Sun Oct 15 03:16:33 2017 VERIFY OK: nsCertType=SERVER
Sun Oct 15 03:16:33 2017 VERIFY OK: depth=0, C=BR, ST=Sao Paulo, O=BrazilFW Firewall & Router, OU=BrazilFW Firewall & Router, CN=OpenVPN - BrazilFW
Sun Oct 15 03:16:34 2017 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1534', remote='link-mtu 1543'
Sun Oct 15 03:16:34 2017 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1491', remote='tun-mtu 1500'
Sun Oct 15 03:16:34 2017 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Oct 15 03:16:34 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Oct 15 03:16:34 2017 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Oct 15 03:16:34 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Oct 15 03:16:34 2017 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sun Oct 15 03:16:34 2017 [OpenVPN - BrazilFW] Peer Connection Initiated with [AF_INET]177.92.xx.xx(ipexterno):1194
Sun Oct 15 03:16:35 2017 MANAGEMENT: >STATE:1508044595,GET_CONFIG,,,
Sun Oct 15 03:16:36 2017 SENT CONTROL [OpenVPN - BrazilFW]: 'PUSH_REQUEST' (status=1)
Sun Oct 15 03:16:36 2017 PUSH: Received control message: 'PUSH_REPLY,route 170.70.0.1,topology net30,ping 10,ping-restart 120,ifconfig 170.70.0.2 170.70.0.1'
Sun Oct 15 03:16:36 2017 OPTIONS IMPORT: timers and/or timeouts modified
Sun Oct 15 03:16:36 2017 OPTIONS IMPORT: --ifconfig/up options modified
Sun Oct 15 03:16:36 2017 OPTIONS IMPORT: route options modified
Sun Oct 15 03:16:36 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Oct 15 03:16:36 2017 MANAGEMENT: >STATE:1508044596,ASSIGN_IP,,170.70.0.2,
Sun Oct 15 03:16:36 2017 open_tun, tt->ipv6=0
Sun Oct 15 03:16:36 2017 TAP-WIN32 device [Conexão local 3] opened: \\.\Global\{F165ABBA-7D93-4E41-A561-338F210774F8}.tap
Sun Oct 15 03:16:36 2017 TAP-Windows Driver Version 9.21
Sun Oct 15 03:16:36 2017 Notified TAP-Windows driver to set a DHCP IP/netmask of 170.70.0.2/255.255.255.252 on interface {F165ABBA-7D93-4E41-A561-338F210774F8} [DHCP-serv: 170.70.0.1, lease-time: 31536000]
Sun Oct 15 03:16:36 2017 Successful ARP Flush on interface [28] {F165ABBA-7D93-4E41-A561-338F210774F8}
Sun Oct 15 03:16:41 2017 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Sun Oct 15 03:16:41 2017 MANAGEMENT: >STATE:1508044601,ADD_ROUTES,,,
Sun Oct 15 03:16:41 2017 C:\Windows\system32\route.exe ADD 10.10.10.0 MASK 255.0.0.0 170.70.0.1
Sun Oct 15 03:16:41 2017 Warning: address 10.10.10.0 is not a network address in relation to netmask 255.0.0.0
Sun Oct 15 03:16:41 2017 ROUTE: route addition failed using CreateIpForwardEntry: Parâmetro incorreto. [status=87 if_index=28]
Sun Oct 15 03:16:41 2017 Route addition via IPAPI failed [adaptive]
Sun Oct 15 03:16:41 2017 Route addition fallback to route.exe
Sun Oct 15 03:16:41 2017 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sun Oct 15 03:16:42 2017 C:\Windows\system32\route.exe ADD 170.70.0.1 MASK 255.255.255.255 170.70.0.1
Sun Oct 15 03:16:42 2017 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Sun Oct 15 03:16:42 2017 Route addition via IPAPI succeeded [adaptive]
Sun Oct 15 03:16:42 2017 Initialization Sequence Completed
Sun Oct 15 03:16:42 2017 MANAGEMENT: >STATE:1508044602,CONNECTED,SUCCESS,170.70.0.2,177.92.xx.xx(ipexterno)

Re: VPN Headquarters x Branch [RESOLVED]

Post by jefferson.toma » Sun Oct 15, 2017 1:11 pm

After a lot of analysis I managed to solve it; the problem was simply the route!
route 10.0.0.0 255.0.0.0 170.70.0.1


That made it work. Thank you very much, BFW family.
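As an added example that is not part of the thread, here is a small Python checker that applies the rule behind the Windows warning in the log above ("address 10.10.10.0 is not a network address in relation to netmask 255.0.0.0"): the network field of an OpenVPN `route` directive must have every host bit zero for the given mask. It runs over the three route lines posted in this thread plus one constructed alternative that keeps the 10.10.10.0 prefix and narrows the mask instead; the ipaddress-based logic is mine, not OpenVPN's own parser.

```python
import ipaddress

# Route lines from the thread (the original mistake, the first correction and
# the final working line) plus one constructed variant that keeps the original
# prefix and narrows the mask instead of widening the network address.
ROUTE_LINES = [
    "route 10.10.10.0/8 255.0.0.0 170.70.0.1",
    "route 10.10.10.0 255.0.0.0 170.70.0.1",
    "route 10.0.0.0 255.0.0.0 170.70.0.1",
    "route 10.10.10.0 255.255.255.0 170.70.0.1",
]


def check_route(line):
    """Validate an OpenVPN 'route <network> <netmask> [gateway [metric]]' line.

    Returns (ok, message). Applies the same rule the Windows IP stack enforced
    in the log: the network field must have all host bits zero for the mask.
    """
    parts = line.split()
    if len(parts) < 3 or len(parts) > 5 or parts[0] != "route":
        return False, "expected: route <network> <netmask> [gateway [metric]]"
    network, netmask = parts[1], parts[2]
    if "/" in network:
        # A CIDR suffix is not 'route' syntax; the prefix belongs in the mask field.
        return False, f"{network}: remove the CIDR suffix, the mask is already given as {netmask}"
    try:
        net = ipaddress.IPv4Network(f"{network}/{netmask}", strict=True)
    except ValueError as exc:
        if "host bits" in str(exc):
            # strict=False yields the network that actually contains the address
            fixed = ipaddress.IPv4Network(f"{network}/{netmask}", strict=False)
            return False, (f"{network} is not a network address for mask {netmask}; "
                           f"use {fixed.network_address} {netmask}")
        return False, f"invalid route: {exc}"
    if str(net.netmask) != netmask:
        # ipaddress also accepts hostmask notation (e.g. 0.0.0.255); OpenVPN does not
        return False, f"{netmask} is a hostmask, not a netmask"
    if len(parts) > 3:
        try:
            ipaddress.IPv4Address(parts[3])
        except ipaddress.AddressValueError:
            return False, f"bad gateway address {parts[3]}"
    return True, f"ok: {net.with_prefixlen}"


if __name__ == "__main__":
    for route_line in ROUTE_LINES:
        ok, msg = check_route(route_line)
        print("PASS" if ok else "FAIL", route_line, "->", msg)
```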
