Help with VPN using certificates


  • Help with VPN using certificates

    Hello, I have been trying for several days to establish a VPN connection to an Endian FW, but without success.

    I tried it with a Windows XP client and OpenVPN 2.2.0.

    - Endian FW: 192.168.1.251
    - Green network: 192.168.1.0
    - Bridge 192.168.1.220 - 192.168.1.249
    - Block DHCP responses from the tunnel
    - Created a NAT rule to the Endian FW on port 1194
    - VPN firewall is off
    - I followed the certificate guide from the forum; the problem shouldn't be there either.

    server:

    ; daemon configuration
    daemon
    mode server
    tls-server
    proto udp
    port 1194
    multihome
    user openvpn
    group openvpn
    cd /var/openvpn
    client-config-dir clients
    script-security 2 system

    ; tunnel configuration
    dev tap0

    ; bridge to GREEN
    server-bridge 192.168.1.251 255.255.255.0 192.168.1.220 192.168.1.249
    push "route-gateway 192.168.1.251"

    passtos
    comp-lzo
    management 127.0.0.1 5555
    keepalive 8 30

    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450

    persist-key
    persist-tun
    persist-local-ip
    persist-remote-ip

    ; logging and status

    writepid /var/run/openvpn/openvpn.pid
    ifconfig-pool-persist openvpn.leases
    status /var/log/openvpn/openvpn-status.log
    verb 1

    client-connect "/usr/local/bin/dir.d-exec /etc/openvpn/client-connect.d/"
    client-disconnect "/usr/local/bin/dir.d-exec /etc/openvpn/client-disconnect.d/"

    ; certificates and authentication

    dh /var/efw/openvpn/dh1024.pem
    pkcs12 /var/efw/openvpn/pkcs12.p12

    ns-cert-type client


    Client.ovpn

    client
    dev tap
    proto udp
    remote 100.12.192.74 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    pkcs12 pc1.p12
    ns-cert-type server
    comp-lzo
    verb 3


    Log on the client

    Tue May 10 16:09:08 2011 OpenVPN 2.2.0 Win32-MSVC++ [SSL] [LZO2] built on Apr 26 2011
    Tue May 10 16:09:08 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Tue May 10 16:09:14 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Tue May 10 16:09:14 2011 LZO compression initialized
    Tue May 10 16:09:14 2011 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Tue May 10 16:09:14 2011 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Tue May 10 16:09:14 2011 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
    Tue May 10 16:09:14 2011 Local Options hash (VER=V4): 'd79ca330'
    Tue May 10 16:09:14 2011 Expected Remote Options hash (VER=V4): 'f7df56b8'
    Tue May 10 16:09:14 2011 UDPv4 link local: [undef]
    Tue May 10 16:09:14 2011 UDPv4 link remote: 100.12.192.74:1194
    Tue May 10 16:09:14 2011 TLS: Initial packet from 100.12.192.743:1194, sid=01d459eb e6f3c1a4
    Tue May 10 16:09:15 2011 VERIFY OK: depth=1, /C=DE/ST=THU/L=Stadt/O=Firma/OU=IT/CN=name/emailAddress=imail
    Tue May 10 16:09:15 2011 VERIFY OK: nsCertType=SERVER
    Tue May 10 16:09:15 2011 VERIFY OK: depth=0, /C=DE/ST=THU/O=Firma/OU=IT/CN=endian/emailAddress=imail
    Tue May 10 16:09:16 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Tue May 10 16:09:16 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Tue May 10 16:09:16 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Tue May 10 16:09:16 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Tue May 10 16:09:16 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Tue May 10 16:09:16 2011 [endian] Peer Connection Initiated with 100.12.192.743:1194
    Tue May 10 16:09:18 2011 SENT CONTROL [endian]: 'PUSH_REQUEST' (status=1)
    Tue May 10 16:09:18 2011 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.1.251,route-gateway 192.168.1.251,ping 8,ping-restart 30,ifconfig 192.168.1.220 255.255.255.0'
    Tue May 10 16:09:18 2011 OPTIONS IMPORT: timers and/or timeouts modified
    Tue May 10 16:09:18 2011 OPTIONS IMPORT: --ifconfig/up options modified
    Tue May 10 16:09:18 2011 OPTIONS IMPORT: route-related options modified
    Tue May 10 16:09:18 2011 TAP-WIN32 device [LAN-Verbindung 2] opened: \\.\Global\{FA1233E1-00B6-4331-A5E9-20332A213B70}.tap
    Tue May 10 16:09:18 2011 TAP-Win32 Driver Version 9.8
    Tue May 10 16:09:18 2011 TAP-Win32 MTU=1500
    Tue May 10 16:09:18 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.1.220/255.255.255.0 on interface {FA1233E1-00B6-4331-A5E9-20332A213B70} [DHCP-serv: 192.168.1.0, lease-time: 31536000]
    Tue May 10 16:09:18 2011 Successful ARP Flush on interface [65541] {FA1233E1-00B6-4331-A5E9-20332A213B70}
    Tue May 10 16:09:23 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
    Tue May 10 16:09:23 2011 Route: Waiting for TUN/TAP interface to come up...
    Tue May 10 16:09:28 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
    Tue May 10 16:09:28 2011 Route: Waiting for TUN/TAP interface to come up...
    Tue May 10 16:09:29 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
    Tue May 10 16:09:29 2011 Route: Waiting for TUN/TAP interface to come up...
    Tue May 10 16:09:30 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
    Tue May 10 16:09:30 2011 Route: Waiting for TUN/TAP interface to come up...
    Tue May 10 16:09:31 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
    Tue May 10 16:09:31 2011 Route: Waiting for TUN/TAP interface to come up...
    Tue May 10 16:09:32 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
    Tue May 10 16:09:32 2011 Route: Waiting for TUN/TAP interface to come up...
    Tue May 10 16:09:33 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
    Tue May 10 16:09:33 2011 Route: Waiting for TUN/TAP interface to come up...
    Tue May 10 16:09:34 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
    Tue May 10 16:09:34 2011 Route: Waiting for TUN/TAP interface to come up...
    Tue May 10 16:09:35 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
    Tue May 10 16:09:35 2011 Route: Waiting for TUN/TAP interface to come up...
    Tue May 10 16:09:36 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
    Tue May 10 16:09:36 2011 Route: Waiting for TUN/TAP interface to come up...
    Tue May 10 16:09:37 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
    Tue May 10 16:09:37 2011 Route: Waiting for TUN/TAP interface to come up...
    Tue May 10 16:09:38 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
    Tue May 10 16:09:38 2011 Route: Waiting for TUN/TAP interface to come up...
    Tue May 10 16:09:39 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
    Tue May 10 16:09:39 2011 Route: Waiting for TUN/TAP interface to come up...
    Tue May 10 16:09:40 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
    Tue May 10 16:09:40 2011 Route: Waiting for TUN/TAP interface to come up...
    Tue May 10 16:09:41 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=1 a=0 u/d=up
    Tue May 10 16:09:41 2011 Initialization Sequence Completed
    Tue May 10 16:10:01 2011 TCP/UDP: Closing socket
    Tue May 10 16:10:01 2011 Closing TUN/TAP interface
    Tue May 10 16:10:01 2011 SIGTERM[hard,] received, process exiting


    I hope you can help me.
  • Re: Help with VPN using certificates

    Hello,

    Well, something like what you're seeing

    Source code:

    Tue May 10 16:09:23 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
    Tue May 10 16:09:23 2011 Route: Waiting for TUN/TAP interface to come up...
    Tue May 10 16:09:28 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
    Tue May 10 16:09:28 2011 Route: Waiting for TUN/TAP interface to come up...
    Tue May 10 16:09:29 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
    Tue May 10 16:09:29 2011 Route: Waiting for TUN/TAP interface to come up...
    Tue May 10 16:09:30 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
    Tue May 10 16:09:30 2011 Route: Waiting for TUN/TAP interface to come up...
    Tue May 10 16:09:31 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
    Tue May 10 16:09:31 2011 Route: Waiting for TUN/TAP interface to come up...
    Tue May 10 16:09:32 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
    Tue May 10 16:09:32 2011 Route: Waiting for TUN/TAP interface to come up...
    Tue May 10 16:09:33 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
    Tue May 10 16:09:33 2011 Route: Waiting for TUN/TAP interface to come up...
    Tue May 10 16:09:34 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
    Tue May 10 16:09:34 2011 Route: Waiting for TUN/TAP interface to come up...
    Tue May 10 16:09:35 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
    Tue May 10 16:09:35 2011 Route: Waiting for TUN/TAP interface to come up...
    Tue May 10 16:09:36 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
    Tue May 10 16:09:36 2011 Route: Waiting for TUN/TAP interface to come up...
    Tue May 10 16:09:37 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
    Tue May 10 16:09:37 2011 Route: Waiting for TUN/TAP interface to come up...
    Tue May 10 16:09:38 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
    Tue May 10 16:09:38 2011 Route: Waiting for TUN/TAP interface to come up...
    Tue May 10 16:09:39 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
    Tue May 10 16:09:39 2011 Route: Waiting for TUN/TAP interface to come up...
    Tue May 10 16:09:40 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
    Tue May 10 16:09:40 2011 Route: Waiting for TUN/TAP interface to come up...
    Tue May 10 16:09:41 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=1 a=0 u/d=up


    is what I get when I forget to run the client as admin under Win7.

    Regards
    My computer can do anything, thanks to its 32 bits!
    Once I've got 32 bits in me, I can do anything too!
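The client log in the first post carries more than the "Waiting for TUN/TAP interface" stall that the reply attributes to the client not running with admin rights: it also records which certificate checks passed, which cipher, HMAC and key size were negotiated, and what the server pushed (route-gateway appears twice because server-bridge already pushes it and the server config pushes it again explicitly). The following Python script is an added example written for this page; it is not code from the thread, from Endian or from the OpenVPN project. It parses OpenVPN client log lines, measures how long the adapter took to come up, and flags parameters worth reviewing. The embedded log is a trimmed excerpt of the log posted above (the repeated retry pairs in the middle are omitted), and the thresholds (64-bit block ciphers, RSA below 2048 bits, a wait longer than 10 seconds) are the editor's own choices.

```python
import re
from datetime import datetime

# Trimmed excerpt of the client log posted in the thread; the repeated
# "TEST ROUTES ... u/d=down" / "Waiting for TUN/TAP" pairs between
# 16:09:29 and 16:09:40 are omitted to keep the sample short.
SAMPLE_LOG = """\
Tue May 10 16:09:08 2011 OpenVPN 2.2.0 Win32-MSVC++ [SSL] [LZO2] built on Apr 26 2011
Tue May 10 16:09:15 2011 VERIFY OK: depth=1, /C=DE/ST=THU/L=Stadt/O=Firma/OU=IT/CN=name/emailAddress=imail
Tue May 10 16:09:15 2011 VERIFY OK: nsCertType=SERVER
Tue May 10 16:09:15 2011 VERIFY OK: depth=0, /C=DE/ST=THU/O=Firma/OU=IT/CN=endian/emailAddress=imail
Tue May 10 16:09:16 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue May 10 16:09:16 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue May 10 16:09:16 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue May 10 16:09:18 2011 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.1.251,route-gateway 192.168.1.251,ping 8,ping-restart 30,ifconfig 192.168.1.220 255.255.255.0'
Tue May 10 16:09:23 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue May 10 16:09:23 2011 Route: Waiting for TUN/TAP interface to come up...
Tue May 10 16:09:28 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Tue May 10 16:09:28 2011 Route: Waiting for TUN/TAP interface to come up...
Tue May 10 16:09:41 2011 TEST ROUTES: 0/0 succeeded len=-1 ret=1 a=0 u/d=up
Tue May 10 16:09:41 2011 Initialization Sequence Completed
Tue May 10 16:10:01 2011 SIGTERM[hard,] received, process exiting
"""

TS_FORMAT = "%a %b %d %H:%M:%S %Y"          # ctime-style prefix OpenVPN writes
LINE_RE = re.compile(r"^(\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (.*)$")
CIPHER_RE = re.compile(r"Cipher '([^']+)' initialized with (\d+) bit key")
HMAC_RE = re.compile(r"Using (\d+) bit message hash '([^']+)' for HMAC")
RSA_RE = re.compile(r"(\d+) bit RSA")
PUSH_RE = re.compile(r"'PUSH_REPLY,(.*)'")

# 64-bit block ciphers (editor's list); BF-CBC was deprecated in OpenVPN 2.4.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC"}
MIN_RSA_BITS = 2048          # editor's threshold
MAX_TAP_WAIT_SECONDS = 10    # editor's threshold for flagging a slow adapter


def parse_log(text):
    """Return [(datetime, message)] for every line with a timestamp prefix."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((datetime.strptime(m.group(1), TS_FORMAT), m.group(2)))
    return entries


def analyze(text):
    """Summarise one client session and collect review findings."""
    report = {"server_cert_verified": False, "cipher": None, "cipher_bits": None,
              "hmac": None, "rsa_bits": None, "duplicate_pushed_options": [],
              "route_retries": 0, "tap_wait_seconds": None, "init_completed": False,
              "session_seconds": None, "findings": []}
    first_wait = up_at = init_at = exit_at = None
    for ts, msg in parse_log(text):
        if msg.startswith("VERIFY OK: nsCertType=SERVER"):
            report["server_cert_verified"] = True
        elif (m := CIPHER_RE.search(msg)):
            report["cipher"], report["cipher_bits"] = m.group(1), int(m.group(2))
        elif (m := HMAC_RE.search(msg)):
            report["hmac"] = m.group(2)
        elif (m := RSA_RE.search(msg)):
            report["rsa_bits"] = int(m.group(1))
        elif (m := PUSH_RE.search(msg)):
            seen = set()
            for opt in m.group(1).split(","):
                if opt in seen and opt not in report["duplicate_pushed_options"]:
                    report["duplicate_pushed_options"].append(opt)
                seen.add(opt)
        elif "Waiting for TUN/TAP interface" in msg:
            first_wait = first_wait or ts          # keep the earliest occurrence
        elif "TEST ROUTES" in msg:
            if "u/d=down" in msg:
                report["route_retries"] += 1
            elif "u/d=up" in msg:
                up_at = ts
        elif msg.startswith("Initialization Sequence Completed"):
            init_at, report["init_completed"] = ts, True
        elif "process exiting" in msg:
            exit_at = ts

    if first_wait and up_at:
        report["tap_wait_seconds"] = (up_at - first_wait).total_seconds()
    if init_at and exit_at:
        report["session_seconds"] = (exit_at - init_at).total_seconds()

    f = report["findings"]
    if not report["server_cert_verified"]:
        f.append("server certificate was not verified as nsCertType=SERVER")
    if report["cipher"] in WEAK_CIPHERS:
        f.append(f"data channel uses 64-bit block cipher {report['cipher']}")
    if report["rsa_bits"] is not None and report["rsa_bits"] < MIN_RSA_BITS:
        f.append(f"control channel RSA key is only {report['rsa_bits']} bits")
    if report["duplicate_pushed_options"]:
        f.append("PUSH_REPLY repeats: " + "; ".join(report["duplicate_pushed_options"]))
    if report["tap_wait_seconds"] is not None and report["tap_wait_seconds"] > MAX_TAP_WAIT_SECONDS:
        f.append(f"TUN/TAP adapter took {report['tap_wait_seconds']:.0f}s to come up "
                 f"after {report['route_retries']} route retries")
    if not report["init_completed"]:
        f.append("initialization sequence never completed")
    return report


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a full client log (`analyze(open("client.log").read())`) to get the same summary for a real session. On the excerpt it reports an 18-second adapter wait, a 20-second session, and four findings: the Blowfish data channel, the 1024-bit RSA key, the duplicated route-gateway push, and the slow adapter. The first two come from the server's certificate material and default cipher, not from the client; the last one is exactly the symptom the reply describes.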