This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSL VPN kein Zugriff auf LAN

Astaro UTM v9

Die SSL VPN Verbindung wird aufgebaut.
Ich kann kein LAN-Server anpingen. Die externe IP ist erreichbar.
SSL setup:
Local Networks Internal 192.168.66.0/24 + VPN Pool 192.168.66.240/29
Firewall regeln habe ich manuell gesetzt:
(RemoteUser - Any - Internal Network )

Ich vermute, dass es sich hierbei um ein Routingproblem handelt.

Logs:
Tue Mar 26 09:25:11 2013 OpenVPN 2.1.1 i686-w64-mingw32 [SSL] [LZO2] built on Oct 15 2012
Tue Mar 26 09:25:11 2013 MANAGEMENT: TCP Socket listening on 127.0.0.1:25340
Tue Mar 26 09:25:11 2013 Need hold release from management interface, waiting...
Tue Mar 26 09:25:12 2013 MANAGEMENT: Client connected from 127.0.0.1:25340
Tue Mar 26 09:25:12 2013 MANAGEMENT: CMD 'state on'
Tue Mar 26 09:25:12 2013 MANAGEMENT: CMD 'log all on'
Tue Mar 26 09:25:12 2013 MANAGEMENT: CMD 'hold off'
Tue Mar 26 09:25:12 2013 MANAGEMENT: CMD 'hold release'
Tue Mar 26 09:25:27 2013 MANAGEMENT: CMD 'username "Auth" "RemoteUser"'
Tue Mar 26 09:25:27 2013 MANAGEMENT: CMD 'password [...]'
Tue Mar 26 09:25:27 2013 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
Tue Mar 26 09:25:27 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Mar 26 09:25:27 2013 LZO compression initialized
Tue Mar 26 09:25:27 2013 Control Channel MTU parms [ L:1560 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Mar 26 09:25:27 2013 MANAGEMENT: >STATE:1364286327,RESOLVE,,,
Tue Mar 26 09:25:28 2013 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Mar 26 09:25:28 2013 Local Options hash (VER=V4): '6f27195f'
Tue Mar 26 09:25:28 2013 Expected Remote Options hash (VER=V4): 'e8bacd46'
Tue Mar 26 09:25:28 2013 Attempting to establish TCP connection with ***XX:443
Tue Mar 26 09:25:28 2013 MANAGEMENT: >STATE:1364286328,TCP_CONNECT,,,
Tue Mar 26 09:25:28 2013 TCP connection established with ***XX:443
Tue Mar 26 09:25:28 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Mar 26 09:25:28 2013 TCPv4_CLIENT link local: [undef]
Tue Mar 26 09:25:28 2013 TCPv4_CLIENT link remote: ***XX:443
Tue Mar 26 09:25:28 2013 MANAGEMENT: >STATE:1364286328,WAIT,,,
Tue Mar 26 09:25:28 2013 MANAGEMENT: >STATE:1364286328,AUTH,,,
Tue Mar 26 09:25:28 2013 TLS: Initial packet from ***XX:443, sid=e4500422 a1b05f14
Tue Mar 26 09:25:28 2013 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Mar 26 09:25:29 2013 VERIFY OK: depth=1, C=de, L=***XX, O=@Home, CN=@Home VPN CA, emailAddress=***XX
Tue Mar 26 09:25:29 2013 VERIFY X509NAME OK: C=de, L=***XX, O=@Home, CN=Astaro, emailAddress=***XX
Tue Mar 26 09:25:29 2013 VERIFY OK: depth=0, C=de, L=***XX, O=@Home, CN=Astaro, emailAddress=***XX
Tue Mar 26 09:25:33 2013 Data Channel Encrypt: Cipher 'AES-192-CBC' initialized with 192 bit key
Tue Mar 26 09:25:33 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Mar 26 09:25:33 2013 Data Channel Decrypt: Cipher 'AES-192-CBC' initialized with 192 bit key
Tue Mar 26 09:25:33 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Mar 26 09:25:33 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Tue Mar 26 09:25:33 2013 [Astaro] Peer Connection Initiated with ***XX:443
Tue Mar 26 09:25:34 2013 MANAGEMENT: >STATE:1364286334,GET_CONFIG,,,
Tue Mar 26 09:25:35 2013 SENT CONTROL [Astaro]: 'PUSH_REQUEST' (status=1)
Tue Mar 26 09:25:36 2013 PUSH: Received control message: 'PUSH_REPLY,route remote_host 255.255.255.255 net_gateway,route 192.168.66.0 255.255.255.0,route 192.168.66.241,topology net30,ping 10,ping-restart 120,ifconfig 192.168.66.246 192.168.66.245'
Tue Mar 26 09:25:36 2013 OPTIONS IMPORT: timers and/or timeouts modified
Tue Mar 26 09:25:36 2013 OPTIONS IMPORT: --ifconfig/up options modified
Tue Mar 26 09:25:36 2013 OPTIONS IMPORT: route options modified
Tue Mar 26 09:25:36 2013 ROUTE default_gateway=192.168.2.1
Tue Mar 26 09:25:36 2013 MANAGEMENT: >STATE:1364286336,ASSIGN_IP,,192.168.66.246,
Tue Mar 26 09:25:36 2013 TAP-WIN32 device [LAN-Verbindung 2] opened: \.\Global\{5BBEE472-D200-42EE-978D-A52D61228625}.tap
Tue Mar 26 09:25:36 2013 TAP-Win32 Driver Version 9.6
Tue Mar 26 09:25:36 2013 TAP-Win32 MTU=1500
Tue Mar 26 09:25:36 2013 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.66.246/255.255.255.252 on interface {5BBEE472-D200-42EE-978D-A52D61228625} [DHCP-serv: 192.168.66.245, lease-time: 31536000]
Tue Mar 26 09:25:36 2013 Successful ARP Flush on interface [32] {5BBEE472-D200-42EE-978D-A52D61228625}
Tue Mar 26 09:25:40 2013 TEST ROUTES: 3/3 succeeded len=3 ret=1 a=0 u/d=up
Tue Mar 26 09:25:40 2013 MANAGEMENT: >STATE:1364286340,ADD_ROUTES,,,
Tue Mar 26 09:25:40 2013 C:\WINDOWS\system32\route.exe ADD ***XX MASK 255.255.255.255 192.168.2.1
Tue Mar 26 09:25:40 2013 Route addition via service succeeded
Tue Mar 26 09:25:40 2013 C:\WINDOWS\system32\route.exe ADD 192.168.66.0 MASK 255.255.255.0 192.168.66.245
Tue Mar 26 09:25:40 2013 Route addition via service succeeded
Tue Mar 26 09:25:40 2013 C:\WINDOWS\system32\route.exe ADD 192.168.66.241 MASK 255.255.255.255 192.168.66.245
Tue Mar 26 09:25:40 2013 Route addition via service succeeded
Tue Mar 26 09:25:40 2013 Initialization Sequence Completed
Tue Mar 26 09:25:40 2013 MANAGEMENT: >STATE:1364286340,CONNECTED,SUCCESS,192.168.66.246,***XX

Routing-Tabelle Windows7:

route print
===========================================================================
Schnittstellenliste
32...00 ff 5b be e4 72 ......Sophos SSL VPN Adapter
14...8c 70 5a 7e 34 89 ......Microsoft Virtual WiFi Miniport Adapter #2
13...8c 70 5a 7e 34 89 ......Microsoft Virtual WiFi Miniport Adapter
12...8c 70 5a 7e 34 88 ......Intel(R) Centrino(R) Advanced-N 6205
11...50 11 22 33 44 55 ......Intel(R) 82579LM Gigabit Network Connection
25...08 00 27 00 58 b9 ......VirtualBox Host-Only Ethernet Adapter
  1...........................Software Loopback Interface 1
28...00 00 00 00 00 00 00 e0 Microsoft-ISATAP-Adapter #2
20...00 00 00 00 00 00 00 e0 Microsoft-ISATAP-Adapter #3
30...00 00 00 00 00 00 00 e0 Microsoft-ISATAP-Adapter #4
19...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
29...00 00 00 00 00 00 00 e0 Microsoft-ISATAP-Adapter #5
26...00 00 00 00 00 00 00 e0 Microsoft-ISATAP-Adapter #6
31...00 00 00 00 00 00 00 e0 Microsoft-ISATAP-Adapter #7
34...00 00 00 00 00 00 00 e0 Microsoft-ISATAP-Adapter #8
===========================================================================

IPv4-Routentabelle
===========================================================================
Aktive Routen:
     Netzwerkziel    Netzwerkmaske          Gateway    Schnittstelle Metrik
          0.0.0.0          0.0.0.0      192.168.2.1    192.168.2.101     30
       255.255.255.255      192.168.2.1    192.168.2.101     31
        127.0.0.0        255.0.0.0   Auf Verbindung         127.0.0.1    306
        127.0.0.1  255.255.255.255   Auf Verbindung         127.0.0.1    306
  127.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1    306
      192.168.2.0    255.255.255.0   Auf Verbindung     192.168.2.101    286
    192.168.2.101  255.255.255.255   Auf Verbindung     192.168.2.101    286
    192.168.2.255  255.255.255.255   Auf Verbindung     192.168.2.101    286
     192.168.56.0    255.255.255.0   Auf Verbindung      192.168.56.1    276
     192.168.56.1  255.255.255.255   Auf Verbindung      192.168.56.1    276
   192.168.56.255  255.255.255.255   Auf Verbindung      192.168.56.1    276
     192.168.66.0    255.255.255.0   192.168.66.245   192.168.66.246      2
   192.168.66.241  255.255.255.255   192.168.66.245   192.168.66.246      2
   192.168.66.244  255.255.255.252   Auf Verbindung    192.168.66.246    257
   192.168.66.246  255.255.255.255   Auf Verbindung    192.168.66.246    257
   192.168.66.247  255.255.255.255   Auf Verbindung    192.168.66.246    257
        224.0.0.0        240.0.0.0   Auf Verbindung         127.0.0.1    306
        224.0.0.0        240.0.0.0   Auf Verbindung      192.168.56.1    276
        224.0.0.0        240.0.0.0   Auf Verbindung    192.168.66.246    257
        224.0.0.0        240.0.0.0   Auf Verbindung     192.168.2.101    286
  255.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1    306
  255.255.255.255  255.255.255.255   Auf Verbindung      192.168.56.1    276
  255.255.255.255  255.255.255.255   Auf Verbindung    192.168.66.246    257
  255.255.255.255  255.255.255.255   Auf Verbindung     192.168.2.101    286
===========================================================================
Ständige Routen:
  Netzwerkadresse          Netzmaske  Gatewayadresse  Metrik
          0.0.0.0          0.0.0.0   192.168.66.111  Standard
===========================================================================

IPv6-Routentabelle
===========================================================================
Aktive Routen:
If Metrik Netzwerkziel             Gateway
  1    306 ::1/128                  Auf Verbindung
25    276 fe80::/64                Auf Verbindung
25    276 fe80::9dd3[:D]c5a:c546:9691/128
                                    Auf Verbindung
  1    306 ff00::/8                 Auf Verbindung
25    276 ff00::/8                 Auf Verbindung
===========================================================================
Ständige Routen:
  Keine

This thread was automatically locked due to age.

Parents

0 envy over 12 years ago

Was sagt denn das Logfile der Firewall?
Kannst du deine Config mal Posten/Screenshot...

Gruß
Cancel
Vote Up 0 Vote Down

Cancel
0 JamesWood over 12 years ago in reply to envy

Es funktioniert nun. Es lag an der Maskierung von VPN-Pool nach Internem LAN.
Danke an euch! [:)]
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 JamesWood over 12 years ago in reply to envy

Es funktioniert nun. Es lag an der Maskierung von VPN-Pool nach Internem LAN.
Danke an euch! [:)]
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data