This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

limit certain user to certain machine PART 2

Hi,

After created the new user and installed ssl astaro client under win 7. I added some new rules like:

User***(network)->any->desired machine allow
Userxx(network)->any->any drop

With this sample.... this user can ping any machine...

Any idea?

This thread was automatically locked due to age.

Parents

0 equintana over 15 years ago

Mon Nov 08 08:16:19 2010 OpenVPN 2.1.1 i686-pc-cygwin [SSL] [LZO2] built on May  7 2010
Mon Nov 08 08:16:29 2010 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
Mon Nov 08 08:16:29 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Nov 08 08:16:29 2010 LZO compression initialized
Mon Nov 08 08:16:29 2010 Control Channel MTU parms [ L:1560 D:140 EF:40 EB:0 ET:0 EL:0 ]
Mon Nov 08 08:16:29 2010 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Nov 08 08:16:29 2010 Local Options hash (VER=V4): '958c5492'
Mon Nov 08 08:16:29 2010 Expected Remote Options hash (VER=V4): '79ef4284'
Mon Nov 08 08:16:29 2010 Attempting to establish TCP connection with ******
Mon Nov 08 08:16:29 2010 TCP connection established with ******x
Mon Nov 08 08:16:29 2010 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Nov 08 08:16:29 2010 TCPv4_CLIENT link local: [undef]
Mon Nov 08 08:16:29 2010 TCPv4_CLIENT link remote: ******x
Mon Nov 08 08:16:29 2010 TLS: Initial packet from ******x, sid=749b9189 823b744b
Mon Nov 08 08:16:29 2010 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Nov 08 08:16:30 2010 VERIFY OK: depth=1, /C=es/L=Derio/O=***xx/CN=***_VPN_CA/emailAddress=e******xx

Mon Nov 08 08:16:30 2010 VERIFY X509NAME OK: /C=es/L=Derio/O=***x/CN=***x/emailAddress=***x
Mon Nov 08 08:16:30 2010 VERIFY OK: depth=0, /C=es/L=Derio/O=S***x/CN=***x/emailAddress=******x
Mon Nov 08 08:16:33 2010 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Nov 08 08:16:33 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Nov 08 08:16:33 2010 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Nov 08 08:16:33 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Nov 08 08:16:33 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Nov 08 08:16:33 2010 [***xx] Peer Connection Initiated with ***xx
Mon Nov 08 08:16:36 2010 SENT CONTROL [***xx]: 'PUSH_REQUEST' (status=1)
Mon Nov 08 08:16:36 2010 PUSH: Received control message: 'PUSH_REPLY,route 192.168.154.0 255.255.255.0,route 192.168.158.70 255.255.255.255,route 192.168.157.0 255.255.255.0,route 192.168.155.0 255.255.255.0,dhcp-option DNS 208.67.222.222,dhcp-option DNS 192.168.157.211,route 10.242.2.1,topology net30,ping 10,ping-restart 120,ifconfig 10.242.2.6 10.242.2.5'
Mon Nov 08 08:16:36 2010 OPTIONS IMPORT: timers and/or timeouts modified
Mon Nov 08 08:16:36 2010 OPTIONS IMPORT: --ifconfig/up options modified
Mon Nov 08 08:16:36 2010 OPTIONS IMPORT: route options modified
Mon Nov 08 08:16:36 2010 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Nov 08 08:16:36 2010 ROUTE default_gateway=192.168.150.254
Mon Nov 08 08:16:36 2010 TAP-WIN32 device [Conexión de área local 3] opened: \.\Global\{E548B8C5-117D-4FD8-9CAC-9481C8E4F49F}.tap
Mon Nov 08 08:16:36 2010 TAP-Win32 Driver Version 9.6
Mon Nov 08 08:16:36 2010 TAP-Win32 MTU=1500
Mon Nov 08 08:16:36 2010 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.242.2.6/255.255.255.252 on interface {E548B8C5-117D-4FD8-9CAC-9481C8E4F49F} [DHCP-serv: 10.242.2.5, lease-time: 31536000]
Mon Nov 08 08:16:36 2010 NOTE: FlushIpNetTable failed on interface [27] {E548B8C5-117D-4FD8-9CAC-9481C8E4F49F} (status=5) : Acceso denegado.
Mon Nov 08 08:16:41 2010 TEST ROUTES: 5/5 succeeded len=5 ret=1 a=0 u/d=up
Mon Nov 08 08:16:41 2010 C:\WINDOWS\system32\route.exe ADD 192.168.154.0 MASK 255.255.255.0 10.242.2.5
Mon Nov 08 08:16:41 2010 ROUTE: route addition failed using CreateIpForwardEntry: Acceso denegado.   [status=5 if_index=27]
Mon Nov 08 08:16:41 2010 Route addition via IPAPI failed [adaptive]
Mon Nov 08 08:16:41 2010 Route addition fallback to route.exe
Mon Nov 08 08:16:41 2010 ERROR: Windows route add command failed [adaptive]: returned error code 1
Mon Nov 08 08:16:41 2010 C:\WINDOWS\system32\route.exe ADD 192.168.158.70 MASK 255.255.255.255 10.242.2.5
Mon Nov 08 08:16:41 2010 ROUTE: route addition failed using CreateIpForwardEntry: Acceso denegado.   [status=5 if_index=27]
Mon Nov 08 08:16:41 2010 Route addition via IPAPI failed [adaptive]
Mon Nov 08 08:16:41 2010 Route addition fallback to route.exe
Mon Nov 08 08:16:41 2010 ERROR: Windows route add command failed [adaptive]: returned error code 1
Mon Nov 08 08:16:41 2010 C:\WINDOWS\system32\route.exe ADD 192.168.157.0 MASK 255.255.255.0 10.242.2.5
Mon Nov 08 08:16:41 2010 ROUTE: route addition failed using CreateIpForwardEntry: Acceso denegado.   [status=5 if_index=27]
Mon Nov 08 08:16:41 2010 Route addition via IPAPI failed [adaptive]
Mon Nov 08 08:16:41 2010 Route addition fallback to route.exe
Mon Nov 08 08:16:41 2010 ERROR: Windows route add command failed [adaptive]: returned error code 1
Mon Nov 08 08:16:41 2010 C:\WINDOWS\system32\route.exe ADD 192.168.155.0 MASK 255.255.255.0 10.242.2.5
Mon Nov 08 08:16:41 2010 ROUTE: route addition failed using CreateIpForwardEntry: Acceso denegado.   [status=5 if_index=27]
Mon Nov 08 08:16:41 2010 Route addition via IPAPI failed [adaptive]
Mon Nov 08 08:16:41 2010 Route addition fallback to route.exe
Mon Nov 08 08:16:41 2010 ERROR: Windows route add command failed [adaptive]: returned error code 1
Mon Nov 08 08:16:41 2010 C:\WINDOWS\system32\route.exe ADD 10.242.2.1 MASK 255.255.255.255 10.242.2.5
Mon Nov 08 08:16:41 2010 ROUTE: route addition failed using CreateIpForwardEntry: Acceso denegado.   [status=5 if_index=27]
Mon Nov 08 08:16:41 2010 Route addition via IPAPI failed [adaptive]
Mon Nov 08 08:16:41 2010 Route addition fallback to route.exe
Mon Nov 08 08:16:41 2010 ERROR: Windows route add command failed [adaptive]: returned error code 1
Mon Nov 08 08:16:41 2010 Initialization Sequence Completed
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 equintana over 15 years ago

Mon Nov 08 08:16:19 2010 OpenVPN 2.1.1 i686-pc-cygwin [SSL] [LZO2] built on May  7 2010
Mon Nov 08 08:16:29 2010 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
Mon Nov 08 08:16:29 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Nov 08 08:16:29 2010 LZO compression initialized
Mon Nov 08 08:16:29 2010 Control Channel MTU parms [ L:1560 D:140 EF:40 EB:0 ET:0 EL:0 ]
Mon Nov 08 08:16:29 2010 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Nov 08 08:16:29 2010 Local Options hash (VER=V4): '958c5492'
Mon Nov 08 08:16:29 2010 Expected Remote Options hash (VER=V4): '79ef4284'
Mon Nov 08 08:16:29 2010 Attempting to establish TCP connection with ******
Mon Nov 08 08:16:29 2010 TCP connection established with ******x
Mon Nov 08 08:16:29 2010 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Nov 08 08:16:29 2010 TCPv4_CLIENT link local: [undef]
Mon Nov 08 08:16:29 2010 TCPv4_CLIENT link remote: ******x
Mon Nov 08 08:16:29 2010 TLS: Initial packet from ******x, sid=749b9189 823b744b
Mon Nov 08 08:16:29 2010 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Nov 08 08:16:30 2010 VERIFY OK: depth=1, /C=es/L=Derio/O=***xx/CN=***_VPN_CA/emailAddress=e******xx

Mon Nov 08 08:16:30 2010 VERIFY X509NAME OK: /C=es/L=Derio/O=***x/CN=***x/emailAddress=***x
Mon Nov 08 08:16:30 2010 VERIFY OK: depth=0, /C=es/L=Derio/O=S***x/CN=***x/emailAddress=******x
Mon Nov 08 08:16:33 2010 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Nov 08 08:16:33 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Nov 08 08:16:33 2010 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Nov 08 08:16:33 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Nov 08 08:16:33 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Nov 08 08:16:33 2010 [***xx] Peer Connection Initiated with ***xx
Mon Nov 08 08:16:36 2010 SENT CONTROL [***xx]: 'PUSH_REQUEST' (status=1)
Mon Nov 08 08:16:36 2010 PUSH: Received control message: 'PUSH_REPLY,route 192.168.154.0 255.255.255.0,route 192.168.158.70 255.255.255.255,route 192.168.157.0 255.255.255.0,route 192.168.155.0 255.255.255.0,dhcp-option DNS 208.67.222.222,dhcp-option DNS 192.168.157.211,route 10.242.2.1,topology net30,ping 10,ping-restart 120,ifconfig 10.242.2.6 10.242.2.5'
Mon Nov 08 08:16:36 2010 OPTIONS IMPORT: timers and/or timeouts modified
Mon Nov 08 08:16:36 2010 OPTIONS IMPORT: --ifconfig/up options modified
Mon Nov 08 08:16:36 2010 OPTIONS IMPORT: route options modified
Mon Nov 08 08:16:36 2010 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Nov 08 08:16:36 2010 ROUTE default_gateway=192.168.150.254
Mon Nov 08 08:16:36 2010 TAP-WIN32 device [Conexión de área local 3] opened: \.\Global\{E548B8C5-117D-4FD8-9CAC-9481C8E4F49F}.tap
Mon Nov 08 08:16:36 2010 TAP-Win32 Driver Version 9.6
Mon Nov 08 08:16:36 2010 TAP-Win32 MTU=1500
Mon Nov 08 08:16:36 2010 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.242.2.6/255.255.255.252 on interface {E548B8C5-117D-4FD8-9CAC-9481C8E4F49F} [DHCP-serv: 10.242.2.5, lease-time: 31536000]
Mon Nov 08 08:16:36 2010 NOTE: FlushIpNetTable failed on interface [27] {E548B8C5-117D-4FD8-9CAC-9481C8E4F49F} (status=5) : Acceso denegado.
Mon Nov 08 08:16:41 2010 TEST ROUTES: 5/5 succeeded len=5 ret=1 a=0 u/d=up
Mon Nov 08 08:16:41 2010 C:\WINDOWS\system32\route.exe ADD 192.168.154.0 MASK 255.255.255.0 10.242.2.5
Mon Nov 08 08:16:41 2010 ROUTE: route addition failed using CreateIpForwardEntry: Acceso denegado.   [status=5 if_index=27]
Mon Nov 08 08:16:41 2010 Route addition via IPAPI failed [adaptive]
Mon Nov 08 08:16:41 2010 Route addition fallback to route.exe
Mon Nov 08 08:16:41 2010 ERROR: Windows route add command failed [adaptive]: returned error code 1
Mon Nov 08 08:16:41 2010 C:\WINDOWS\system32\route.exe ADD 192.168.158.70 MASK 255.255.255.255 10.242.2.5
Mon Nov 08 08:16:41 2010 ROUTE: route addition failed using CreateIpForwardEntry: Acceso denegado.   [status=5 if_index=27]
Mon Nov 08 08:16:41 2010 Route addition via IPAPI failed [adaptive]
Mon Nov 08 08:16:41 2010 Route addition fallback to route.exe
Mon Nov 08 08:16:41 2010 ERROR: Windows route add command failed [adaptive]: returned error code 1
Mon Nov 08 08:16:41 2010 C:\WINDOWS\system32\route.exe ADD 192.168.157.0 MASK 255.255.255.0 10.242.2.5
Mon Nov 08 08:16:41 2010 ROUTE: route addition failed using CreateIpForwardEntry: Acceso denegado.   [status=5 if_index=27]
Mon Nov 08 08:16:41 2010 Route addition via IPAPI failed [adaptive]
Mon Nov 08 08:16:41 2010 Route addition fallback to route.exe
Mon Nov 08 08:16:41 2010 ERROR: Windows route add command failed [adaptive]: returned error code 1
Mon Nov 08 08:16:41 2010 C:\WINDOWS\system32\route.exe ADD 192.168.155.0 MASK 255.255.255.0 10.242.2.5
Mon Nov 08 08:16:41 2010 ROUTE: route addition failed using CreateIpForwardEntry: Acceso denegado.   [status=5 if_index=27]
Mon Nov 08 08:16:41 2010 Route addition via IPAPI failed [adaptive]
Mon Nov 08 08:16:41 2010 Route addition fallback to route.exe
Mon Nov 08 08:16:41 2010 ERROR: Windows route add command failed [adaptive]: returned error code 1
Mon Nov 08 08:16:41 2010 C:\WINDOWS\system32\route.exe ADD 10.242.2.1 MASK 255.255.255.255 10.242.2.5
Mon Nov 08 08:16:41 2010 ROUTE: route addition failed using CreateIpForwardEntry: Acceso denegado.   [status=5 if_index=27]
Mon Nov 08 08:16:41 2010 Route addition via IPAPI failed [adaptive]
Mon Nov 08 08:16:41 2010 Route addition fallback to route.exe
Mon Nov 08 08:16:41 2010 ERROR: Windows route add command failed [adaptive]: returned error code 1
Mon Nov 08 08:16:41 2010 Initialization Sequence Completed
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data