Dear Sirs,

    I am having trouble with an openvpn connection between 
Linux (server) and Windows 2000 (client); whenever I start a connection 
I get the following error message:

    Tue Dec  4 18:01:40 2007 TLS: Initial packet from 200.XXX.XX.XXX:59291, sid=230175fc 4097d903
    Tue Dec  4 18:02:30 2007 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Tue Dec  4 18:02:31 2007 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Tue Dec  4 18:02:33 2007 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Tue Dec  4 18:02:35 2007 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Tue Dec  4 18:02:37 2007 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Tue Dec  4 18:02:40 2007 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Tue Dec  4 18:02:40 2007 TLS Error: TLS handshake failed
    Tue Dec  4 18:02:40 2007 TCP/UDP: Closing socket
    Tue Dec  4 18:02:40 2007 SIGUSR1[soft,tls-error] received, process restarting
    Tue Dec  4 18:02:40 2007 Restart pause, 2 second(s)
    Tue Dec  4 18:02:42 2007 WARNING: you are using user/group/chroot without persist-key/persist-tun -- this may cause restarts to fail
    Tue Dec  4 18:02:42 2007 Diffie-Hellman initialized with 1024 bit key
    Tue Dec  4 18:02:42 2007 WARNING: file '/etc/openvpn/matriz.key' is group or others accessible
    Tue Dec  4 18:02:42 2007 LZO compression initialized
    Tue Dec  4 18:02:42 2007 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Tue Dec  4 18:02:42 2007 Preserving previous TUN/TAP instance: tun0
    Tue Dec  4 18:02:42 2007 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Tue Dec  4 18:02:42 2007 Local Options hash (VER=V4): '02890f1b'
    Tue Dec  4 18:02:42 2007 Expected Remote Options hash (VER=V4): '8a042371'
    Tue Dec  4 18:02:42 2007 UDPv4 link local (bound): [undef]:1194
    Tue Dec  4 18:02:42 2007 UDPv4 link remote: [undef]

    *My configuration*:

    Maq1 - Internet gateway                         IP: 192.168.1.101  (Conectiva 7.0) - static IP (ADSL)
    Maq2 - Machine with openvpn installed (server)  IP: 192.168.1.110  (Mandriva 2006)
    Maq3 - Client machine (client)                  IP: 192.168.0.1    (Windows 2000 SP4) - dynamic IP (ADSL)

    *Server configuration*:

    port 1194
    proto udp
    dev tun
    ca   /etc/openvpn/ca.crt
    cert /etc/openvpn/matriz.crt
    key  /etc/openvpn/matriz.key
    dh   /etc/openvpn/dh1024.pem
    tls-server
    ifconfig 172.16.0.1 172.16.0.2
    up /etc/openvpn/cria-rotas.up
    ;user  totum30
    ;group totum30
    comp-lzo
    ping 10
    ping-restart 1200
    persist-tun
    push "route 192.168.1.0 255.255.255.0"
    verb 3
    status /var/log/openvpn/matriz-contabilidade.log
    log-append /var/log/openvpn/matriz.log

    # file cria-rotas.up
    route add -net 192.168.0.0 netmask 255.255.255.0 gw $5

    *Client configuration*:

    tls-client
    dev tun
    proto udp
    remote 201.XX.XXX.XXX 1194
    resolv-retry infinite
    ifconfig 172.16.0.2 172.16.0.1
    route 192.168.1.0 255.255.255.0 172.16.0.1
    comp-lzo
    dh   "C:\\Arquivos de programas\\OpenVPN\\config\\dh1024.pem"
    ca   "C:\\Arquivos de programas\\OpenVPN\\config\\ca.crt"
    cert "C:\\Arquivos de programas\\OpenVPN\\config\\contabilidade.crt"
    key  "C:\\Arquivos de programas\\OpenVPN\\config\\contabilidade.key"
    ping 10
    ping-restart 60
    persist-tun
    verb 3
    status "C:\\Arquivos de programas\\OpenVPN\\log\\contabilidade-matriz.log"
    log-append "C:\\Arquivos de programas\\OpenVPN\\log\\contabilidade.log"

  
    I have the following configuration in the *Firewall on Maq1* - Internet 
gateway, IP: 192.168.1.101  (Conectiva 7.0) - static IP (ADSL):

    # Open ports 1194 (tcp) and 1194 (udp) for OpenVPN access
    # and forward them to the machine that has openvpn, IP (192.168.1.110).

    iptables -A INPUT  -p tcp --sport 1194 --dport 1194 -j ACCEPT
    iptables -A INPUT  -p udp --sport 1194 --dport 1194 -j ACCEPT
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1194 -j DNAT --to 192.168.1.110:1194
    iptables -t nat -A PREROUTING -i eth0 -p udp --dport 1194 -j DNAT --to 192.168.1.110:1194

    iptables -A INPUT -i tun+ -j ACCEPT
    iptables -A FORWARD -i tun+ -j ACCEPT
    iptables -A INPUT -i tap+ -j ACCEPT
    iptables -A FORWARD -i tap+ -j ACCEPT

    Configuration in the *Firewall on Maq2* - Machine with openvpn installed 
(server) - IP: 192.168.1.110  (Mandriva 2006)
    *Using Shorewall*

    # /etc/shorewall/zones
    net    ipv4
    loc    ipv4
    fw    firewall
    vpn    ipv4

    # /etc/shorewall/interfaces
    net    eth0    detect
    loc    eth1    detect
    vpn    tun+    detect   

    # /etc/shorewall/policy
    loc    net    ACCEPT
    loc    fw    ACCEPT
    fw    loc    ACCEPT
    fw    net    ACCEPT
    net    all    ACCEPT    #DROP    info
    all    all    ACCEPT    #REJECT    info

    # /etc/shorewall/rules
    ACCEPT    vpn    loc    udp    1194    -
    ACCEPT    vpn    fw    udp    1194    -
    ACCEPT    vpn    net    udp    1194    -
    ACCEPT     loc    vpn    udp    1194    -
    ACCEPT    fw    vpn    udp    1194    -
    ACCEPT    net    vpn    udp    1194    -

    # /etc/shorewall/tunnels
    openvpn:1194    net    0.0.0.0/0

Thanks in advance for any comments...

Olavo.
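As an added example (not from Olavo's post or the OpenVPN project), here is a small Python script that reads the server log quoted above and reduces it to what a defender needs to act on: the peer that started the handshake, how many of the server's UDP replies were refused, whether TLS failed, the DH parameter size, and the two WARNING lines. The sample log is a constructed copy of the lines above; the 2048-bit DH threshold is my assumption.

```python
import re

# Constructed sample: the server-side OpenVPN log lines quoted in the post above.
SAMPLE_LOG = """\
Tue Dec  4 18:01:40 2007 TLS: Initial packet from 200.XXX.XX.XXX:59291, sid=230175fc 4097d903
Tue Dec  4 18:02:30 2007 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Tue Dec  4 18:02:31 2007 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Tue Dec  4 18:02:33 2007 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Tue Dec  4 18:02:35 2007 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Tue Dec  4 18:02:37 2007 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Tue Dec  4 18:02:40 2007 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Dec  4 18:02:40 2007 TLS Error: TLS handshake failed
Tue Dec  4 18:02:42 2007 WARNING: you are using user/group/chroot without persist-key/persist-tun -- this may cause restarts to fail
Tue Dec  4 18:02:42 2007 Diffie-Hellman initialized with 1024 bit key
Tue Dec  4 18:02:42 2007 WARNING: file '/etc/openvpn/matriz.key' is group or others accessible
"""
# OpenVPN 2.x log prefix: "Tue Dec  4 18:01:40 2007 <message>".
TIMESTAMP = re.compile(r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4} (?P<msg>.*)$")

def triage(log_text):
    """Reduce an OpenVPN server log to the facts worth acting on: peers that
    started a handshake, refused replies, TLS outcome, DH size and warnings."""
    summary = {"peers": [], "econnrefused": 0, "tls_failed": False,
               "dh_bits": None, "findings": []}
    for line in log_text.splitlines():
        m = TIMESTAMP.match(line)
        if not m:
            continue
        msg = m.group("msg")
        peer = re.search(r"Initial packet from (\S+?),", msg)
        if peer:
            summary["peers"].append(peer.group(1))
        elif "[ECONNREFUSED]" in msg:
            # On a UDP socket the kernel reports ECONNREFUSED when an ICMP
            # port-unreachable comes back for a datagram it sent earlier, so
            # the server's replies are not reaching a listening OpenVPN client.
            summary["econnrefused"] += 1
        elif "TLS handshake failed" in msg:
            summary["tls_failed"] = True
        elif "Diffie-Hellman initialized with" in msg:
            summary["dh_bits"] = int(re.search(r"(\d+) bit", msg).group(1))
        elif msg.startswith("WARNING:"):
            if "without persist-key" in msg:
                summary["findings"].append("persist-key missing for user/group drop")
            elif "group or others accessible" in msg:
                summary["findings"].append("private key readable by other users")
    if summary["dh_bits"] is not None and summary["dh_bits"] < 2048:
        summary["findings"].append("DH parameters below 2048 bits")
    return summary
```

Run it against the real log with `triage(open("/var/log/openvpn/matriz.log").read())`; the key-permission finding is fixed with `chmod 600` on the key file, and a climbing `econnrefused` count points at the return path rather than at TLS itself.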

---------------------------------------------------------------------------
This list is sponsored by Conectiva S.A. Visit http://www.conectiva.com.br

Archive: http://bazar2.conectiva.com.br/mailman/listinfo/linux-br
List usage rules: http://linux-br.conectiva.com.br
FAQ: http://www.zago.eti.br/menu.html
