[FUG-BR] Networks behind the VPNs don't talk to each other
Alessandro de Souza Rocha
etherlinkii em gmail.com
Mon Mar 19 14:58:59 BRT 2012
iroute 192.168.5.0 255.255.255.0
ifconfig-push 10.1.1.14 10.1.1.13
On 19 March 2012 14:55, Marcelo Gondim <gondim em bsdinfo.com.br> wrote:
> On 19/03/2012 14:34, Christiano Liberato wrote:
>> Well folks, I'm using openbsd.
>>
>> Here are my confs:
>>
>> *On the server (office 1)* - network 192.168.100.0/24
>>
>> dev tun0
>> local 200.200.200.200
>> port 1198
>> proto udp
>> server 10.1.1.0 255.255.255.0
>> ifconfig-pool-persist ipp.txt
>>
>> ca /usr/local/etc/openvpn/easy-rsa/2.0/keys/ca.crt
>> cert /usr/local/etc/openvpn/easy-rsa/2.0/keys/srv.crt
>> key /usr/local/etc/openvpn/easy-rsa/2.0/keys/srv.key
>> dh /usr/local/etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
>>
>> push "route 192.168.100.0 255.255.255.0"
>>
>> comp-lzo
>> ping-timer-rem
>> persist-tun
>> persist-key
>>
>> group nobody
>> daemon
>>
>> *On the client (office 2)* - network 192.168.200.0/24
>>
>> client
>> dev tun1
>> mssfix 1400
>> proto udp
>> remote 200.200.200.200 1198
>>
>> nobind
>> persist-key
>> persist-tun
>> ca /usr/local/etc/openvpn/keys/ca.crt
>> cert /usr/local/etc/openvpn/keys/filial.crt
>> key /usr/local/etc/openvpn/keys/filial.key
>> comp-lzo
>> verb 3
>> mute 20
>> status /var/log/openvpn/openvpn.log
>> log-append /var/log/openvpn/openvpn.log
>>
>> As I said, office 2's network doesn't talk to office 1's network.
>> From office 2's firewall I can ping office 1's fw and network
>> (e.g. 192.168.100.10)
>>
>> Thanks!
>>
>> On 19 March 2012 14:24, Christiano Liberato <christianoliberato em gmail.com> wrote:
>
> In my head-office VPN conf I have the directives:
>
> client-to-client
> client-config-dir /usr/local/etc/openvpn/ccd
>
> Inside that directory I create the CN files specifying which IPs the
> branches will get, and I add the iroute parameter to them so the
> branches can talk to each other.
>
> Head-office conf:
>
> port 5002
> proto tcp
> dev tun
> ca /usr/local/etc/openvpn/ca.crt
> cert /usr/local/etc/openvpn/centsoft.crt
> key /usr/local/etc/openvpn/centsoft.key
> dh /usr/local/etc/openvpn/dh1024.pem
> server 172.16.0.0 255.255.255.0
> ifconfig-pool-persist /usr/local/etc/openvpn/ipp.txt
> client-config-dir /usr/local/etc/openvpn/ccd
> tls-auth /usr/local/etc/openvpn/ta.key 0
> keepalive 10 120
> comp-lzo
> persist-key
> persist-tun
> client-to-client
> route 192.168.10.0 255.255.255.0
> route 192.168.0.0 255.255.255.0
>
> In the ccd directory I have the files:
>
> -rw-r--r-- 1 root 71 Jun 13 2011 intcentro
> -rw-r--r-- 1 root 73 Jun 16 2011 intnet
> -rw-r--r-- 1 root 70 Jun 3 2011 intvila
>
> Inside intcentro it looks like this:
>
> ifconfig-push 172.16.0.14 172.16.0.13
> iroute 192.168.0.0 255.255.255.0
>
> Where I say they will have IP 172.16.0.14 and I propagate their route
> with iroute.
>
> That's how it works for me here :)
>
>
>
>>
>>> Then something may be missing from my conf.
>>>
>>> On 19 March 2012 14:21, Alessandro de Souza Rocha <etherlinkii em gmail.com> wrote:
>>>
>>>> This was done on a Red Hat Enterprise Linux server the company already
>>>> had running and didn't want me to swap out, only if something
>>>> broke.
>>>>
>>>>
>>>> On 19 March 2012 14:15, Paulo Henrique BSD Brasil
>>>> <paulo.rddck em bsd.com.br> wrote:
>>>>> So in my case I'm using pfSense, I didn't find the openvpn.conf file,
>>>>> but the option is "Remote Networks"; when it brings the tunnel up, OpenVPN
>>>>> itself creates a route as follows.
>>>>>
>>>>> Server side: route add 192.168.100.0/24 $ip_do_tunel_lado_servidor (10.1.1.1)
>>>>> Client side: route add 192.168.254.200.0/24 $ip_do_tunnel_lado_cliente (10.1.1.2)
>>>>>
>>>>> This is done automatically by pfSense/OpenVPN in the SITE-TO-SITE case.
>>>>> Regards.
>>>>>
>>>>> On 19/3/2012 13:51, Alessandro de Souza Rocha wrote:
>>>>>> mode server
>>>>>>
>>>>>> port 1194
>>>>>> proto udp
>>>>>>
>>>>>> dev tun
>>>>>>
>>>>>> #user nobody
>>>>>> #group nobody
>>>>>>
>>>>>> # Uses the lzo library
>>>>>> comp-lzo
>>>>>>
>>>>>> ca /etc/openvpn/keys/ca.crt
>>>>>> cert /etc/openvpn/keys/servidor.crt
>>>>>> key /etc/openvpn/keys/servidor.key
>>>>>> dh /etc/openvpn/keys/dh1024.pem
>>>>>> server 10.1.1.0 255.255.255.0
>>>>>>
>>>>>> ifconfig-pool-persist /etc/openvpn/ipp.txt
>>>>>> client-config-dir /etc/openvpn/ccd
>>>>>>
>>>>>> ping 10
>>>>>> ping-restart 120
>>>>>> push "ping 10"
>>>>>> push "ping-restart 60"
>>>>>>
>>>>>> push "route 192.168.0.0 255.255.255.0"
>>>>>> push "route 192.168.1.0 255.255.255.0"
>>>>>> push "route 192.168.4.0 255.255.255.0"
>>>>>> push "route 192.168.5.0 255.255.255.0"
>>>>>>
>>>>>> route 192.168.0.0 255.255.255.0
>>>>>> route 192.168.4.0 255.255.255.0
>>>>>> route 192.168.5.0 255.255.255.0
>>>>>>
>>>>>> mssfix 1400
>>>>>> fragment 1400
>>>>>>
>>>>>> client-to-client
>>>>>>
>>>>>> # OpenVPN 1.x used port 5000/UDP by default; 2.x defaults to 1194.
>>>>>> # Each OpenVPN tunnel must use
>>>>>> # a different port.
>>>>>> # This option prevents OpenVPN from closing and re-opening the tun/tap
>>>>>> # device every time it receives a SIGUSR1 signal
>>>>>> persist-tun
>>>>>>
>>>>>> # This is similar to the previous option, but it prevents OpenVPN from
>>>>>> # re-reading the key files every time
>>>>>> persist-key
>>>>>> #float
>>>>>>
>>>>>> log /var/log/openvpn-server.log
>>>>>> status /var/log/openvpn-server.status 10
>>>>>>
>>>>>> # Sends a UDP ping to the remote
>>>>>> # side every 15 seconds to keep
>>>>>> # the connection up through stateful firewalls.
>>>>>> # Strongly recommended, even if you don't use
>>>>>> # a stateful firewall.
>>>>>> #ping 15
>>>>>> #ping-restart 120
>>>>>> # Log level
>>>>>> verb 3
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 19 March 2012 13:42, Christiano Liberato
>>>>>> <christianoliberato em gmail.com> wrote:
>>>>>>> I have that option in the server conf but the client office still
>>>>>>> can't get access.
>>>>>>> I think it must be some extra conf in the server's openvpn.conf.
>>>>>>>
>>>>>>> On 19 March 2012 13:32, Alessandro de Souza Rocha <etherlinkii em gmail.com> wrote:
>>>>>>>
>>>>>>>> # Assigns a route for the whole local network
>>>>>>>> push "route 192.168.0.0 255.255.255.0"
>>>>>>>> push "route 192.168.1.0 255.255.255.0"
>>>>>>>> push "route 192.168.4.0 255.255.255.0"
>>>>>>>> push "route 192.168.5.0 255.255.255.0"
>>>>>>>>
>>>>>>>>
>>>>>>>> On 19 March 2012 12:01, Christiano Liberato
>>>>>>>> <christianoliberato em gmail.com> wrote:
>>>>>>>>> Alessandro,
>>>>>>>>>
>>>>>>>>> I have the push "route ... option configured in the main server's conf.
>>>>>>>>> That's the route the client server adds to talk to the main one.
>>>>>>>>> But the route 192.168.0.0 255.255.255.0 option I don't have in my confs.
>>>>>>>>> What does it do?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 19 March 2012 11:14, Alessandro de Souza Rocha <etherlinkii em gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> push "route 192.168.0.0 255.255.255.0"
>>>>>>>>>> push "route 192.168.1.0 255.255.255.0"
>>>>>>>>>> push "route 192.168.4.0 255.255.255.0"
>>>>>>>>>> push "route 192.168.5.0 255.255.255.0"
>>>>>>>>>>
>>>>>>>>>> route 192.168.0.0 255.255.255.0
>>>>>>>>>> route 192.168.4.0 255.255.255.0
>>>>>>>>>> route 192.168.5.0 255.255.255.0
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 19 March 2012 11:09, Paulo Henrique BSD Brasil
>>>>>>>>>> <paulo.rddck em bsd.com.br> wrote:
>>>>>>>>>>> You have to specify the route to the remote network; I think "remote
>>>>>>>>>>> network" is the option.
>>>>>>>>>>> When I get to work I'll take a look at my pfSense.
>>>>>>>>>>> To pass broadcast traffic the VPN has to be configured in bridge mode!!
>>>>>>>>>>> Regards.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On 19/3/2012 09:45, Christiano Liberato wrote:
>>>>>>>>>>>> Good morning folks,
>>>>>>>>>>>>
>>>>>>>>>>>> I'm using OpenVPN to link offices together.
>>>>>>>>>>>> So far the tunnel is perfect, but I can't get the networks
>>>>>>>>>>>> behind those VPNs to talk to each other.
>>>>>>>>>>>> Here's the environment:
>>>>>>>>>>>>
>>>>>>>>>>>> vpn network
>>>>>>>>>>>> 10.1.1.0/24
>>>>>>>>>>>>
>>>>>>>>>>>> office 1
>>>>>>>>>>>> internal network: 192.168.100.0/24
>>>>>>>>>>>> vpn ip: 10.1.1.1 (inet 10.1.1.1 --> 10.1.1.2 netmask 0xffffffff)
>>>>>>>>>>>> office 2
>>>>>>>>>>>> internal network: 192.168.200.0/24
>>>>>>>>>>>> vpn ip: 10.1.1.10 (inet 10.1.1.10 --> 10.1.1.9 netmask 0xffffffff)
>>>>>>>>>>>> Office 2's fw can reach office 1's network. I have rules in pf
>>>>>>>>>>>> allowing that, but the internal network can't reach it.
>>>>>>>>>>>> The problem isn't the rules, because I opened everything up to test
>>>>>>>>>>>> and still no access.
>>>>>>>>>>>> With static routes it doesn't work either.
>>>>>>>>>>>>
>>>>>>>>>>>> Is there some specific pf rule to allow this access to
>>>>>>>>>>>> office 1?
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks!!
>>>>>>>>>>>> -------------------------
>>>>>>>>>>>> Archive: http://www.fug.com.br/historico/html/freebsd/
>>>>>>>>>>>> Leave the list: https://www.fug.com.br/mailman/listinfo/freebsd
>>>>>>>>>>> --
>>>>>>>>>>> "When Death decides to tell a story,
>>>>>>>>>>> the best thing you can do is listen to it,
>>>>>>>>>>> and hope the story isn't your own."
>>>>>>>>>>>
>>>>>>>>>>> Flames> /dev/null ( by Irado !! ).
>>>>>>>>>>> RIP Irado!
>>>>>>>>>>>
>>>>>>>>>>> Paulo Henrique.
>>>>>>>>>>> Systems Analyst / Programmer
>>>>>>>>>>> BSDs Brasil.
>>>>>>>>>>> Genuine Unix/BSD User.
>>>>>>>>>>> Phone: (21) 9683-5433.
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Alessandro de Souza Rocha
>>>>>>>>>> Network and Systems Administrator
>>>>>>>>>> FreeBSD-BR User #117
>>>>>>>>>> Long live FreeBSD
>>>>>>>>>>
>>>>>>>>>> Powered by ....
>>>>>>>>>>
>>>>>>>>>> (__)
>>>>>>>>>> \\\'',)
>>>>>>>>>> \/ \ ^
>>>>>>>>>> .\._/_)
>>>>>>>>>>
>>>>>>>>>> www.FreeBSD.org
--
Alessandro de Souza Rocha
Network and Systems Administrator
FreeBSD-BR User #117
Long live FreeBSD
Powered by ....
(__)
\\\'',)
\/ \ ^
.\._/_)
www.FreeBSD.org
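The thread converges on three things that must agree for a site-to-site OpenVPN setup: a `route` in the server config (so the kernel sends the branch LAN into tun), a `client-config-dir` with an `iroute` in the branch's ccd file (so OpenVPN knows which client owns that LAN; without it the server drops the branch's packets), and an `ifconfig-push` pair that is a valid net30 /30 endpoint pair. The script below is an added example, not code from the list or from OpenVPN: it parses a server config and ccd files as text and reports which of those pieces is missing. The config text is constructed from the posted office-1 setup, and the branch client's certificate CN is assumed to be `filial` (hypothetical). It only checks OpenVPN's own routing; IP forwarding and pf rules on both firewalls are separate.

```python
"""Audit OpenVPN site-to-site routing: route / iroute / ccd / ifconfig-push consistency.

Added example (not from the thread or from OpenVPN). Runs offline on the
constructed config samples at the bottom of the file.
"""
import ipaddress
import shlex


def parse_directives(text):
    """Return [(directive, [args])] for one OpenVPN config file.

    '#' comments are stripped and ';' comment lines skipped. A push "route a b"
    line is flattened to ('push', ['route', 'a', 'b']) so it can be inspected.
    """
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = shlex.split(line)
        if parts[0] == "push" and len(parts) == 2:
            parts = ["push"] + parts[1].split()
        out.append((parts[0], parts[1:]))
    return out


def to_net(addr, mask):
    """'192.168.200.0', '255.255.255.0' -> IPv4Network('192.168.200.0/24')."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def valid_net30_pair(client_ip, server_ip):
    """With the default topology net30, ifconfig-push endpoints must be the two
    usable hosts of one /30 (last octets [1,2], [5,6], [9,10], [13,14], ...),
    as the OpenVPN man page requires. Order is not enforced here."""
    c, s = ipaddress.ip_address(client_ip), ipaddress.ip_address(server_ip)
    block = ipaddress.ip_network(f"{s}/30", strict=False)
    return {c, s} == set(block.hosts())


def audit(server_conf, ccd, remote_lans):
    """Cross-check kernel routes ('route' in the server config) against OpenVPN's
    internal routes ('iroute' in ccd files). ccd maps client CN -> file text;
    remote_lans lists LANs behind clients that must be reachable (CIDR strings).
    Returns a sorted list of findings; [] means the routing is consistent."""
    server = parse_directives(server_conf)
    kernel = {to_net(*a[:2]) for d, a in server if d == "route" and len(a) >= 2}
    has_ccd_dir = any(d == "client-config-dir" for d, _ in server)
    iroutes, findings = {}, []
    for cn, text in ccd.items():
        for d, a in parse_directives(text):
            if d == "iroute" and len(a) >= 2:
                iroutes[to_net(*a[:2])] = cn
            elif d == "ifconfig-push" and len(a) >= 2 and not valid_net30_pair(a[0], a[1]):
                findings.append(f"{cn}: ifconfig-push {a[0]} {a[1]} is not a /30 endpoint pair")
    if ccd and not has_ccd_dir:
        findings.append("server: no client-config-dir, so the ccd files are never read")
    for net in kernel | set(iroutes) | {ipaddress.ip_network(n) for n in remote_lans}:
        if net not in kernel:
            findings.append(f"server: missing 'route {net.network_address} {net.netmask}': "
                            "the kernel never sends that LAN into tun")
        if net not in iroutes:
            findings.append(f"server: no ccd file has 'iroute {net.network_address} {net.netmask}': "
                            "OpenVPN does not know which client owns it and drops its packets")
    return sorted(findings)


# Constructed samples modelled on the thread: head office 192.168.100.0/24,
# branch 192.168.200.0/24, VPN pool 10.1.1.0/24. The CN "filial" is assumed.
AS_POSTED = """
dev tun0
proto udp
server 10.1.1.0 255.255.255.0
push "route 192.168.100.0 255.255.255.0"
comp-lzo
"""

FIXED = AS_POSTED + """
client-config-dir /usr/local/etc/openvpn/ccd
# kernel side: send the branch LAN into tun
route 192.168.200.0 255.255.255.0
"""

CCD_FIXED = {"filial": "ifconfig-push 10.1.1.14 10.1.1.13\niroute 192.168.200.0 255.255.255.0\n"}
BRANCH = ["192.168.200.0/24"]

if __name__ == "__main__":
    for name, conf, ccd in (("as posted", AS_POSTED, {}), ("fixed", FIXED, CCD_FIXED)):
        print(f"== {name} ==")
        for f in audit(conf, ccd, BRANCH) or ["OK: route/iroute consistent"]:
            print(" ", f)
```

Running it prints two findings for the posted config (no `route`, no `iroute`) and none once the ccd file and the server-side `route` are in place; the `audit(FIXED, {}, BRANCH)` case, a static route without an `iroute`, reproduces the "static routes don't help either" symptom from the thread.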