The goal is to connect two networks. There are two servers running ClearOS 6.3.
The main office has the subnet 192.168.0.0/24 and a gateway running OpenVPN as the server, 192.168.0.250. The second office has the subnet 192.168.0.2/24 and a gateway running OpenVPN as the client.
Sometimes the connection comes up and the main office network can be pinged from the network behind the client. When there are connection problems, the client log looks like this:
Tue Mar 26 12:31:37 2013 OpenVPN 2.2.1 i386-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Sep 12 2011
Tue Mar 26 12:31:37 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Mar 26 12:31:37 2013 WARNING: file '/etc/openvpn/new/client-st1g-key.pem' is group or others accessible
Tue Mar 26 12:31:37 2013 LZO compression initialized
Tue Mar 26 12:31:37 2013 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Mar 26 12:31:37 2013 Socket Buffers: R=[196608->131072] S=[196608->131072]
Tue Mar 26 12:31:37 2013 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Mar 26 12:31:37 2013 Local Options hash (VER=V4): '41690919'
Tue Mar 26 12:31:37 2013 Expected Remote Options hash (VER=V4): '530fdded'
Tue Mar 26 12:31:37 2013 UDPv4 link local: [undef]
Tue Mar 26 12:31:37 2013 UDPv4 link remote: XX.XX.XX.XX:1194
Tue Mar 26 12:31:37 2013 TLS: Initial packet from XX.XX.XX.XX:1194, sid=89a598f9 f7366aa5
Tue Mar 26 12:31:37 2013 VERIFY OK: depth=1, /C=RU/L=Krasnodar/O=ClearOS/OU=grand/CN=ca.clearos.grand.com/emailAddress=security@clearos.grand.com/O=grand/ST=Krasnodar
Tue Mar 26 12:31:37 2013 VERIFY OK: nsCertType=SERVER
Tue Mar 26 12:31:37 2013 VERIFY OK: depth=0, /C=RU/ST=Krasnodar/L=Krasnodar/O=ClearOS/O=grand/OU=grand/CN=clearos.grand.com/emailAddress=security@clearos.grand.com
Tue Mar 26 12:31:37 2013 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Mar 26 12:31:37 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Mar 26 12:31:37 2013 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Mar 26 12:31:37 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Mar 26 12:31:37 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Tue Mar 26 12:31:37 2013 [clearos.grand.com] Peer Connection Initiated with XX.XX.XX.XX:1194
Tue Mar 26 12:31:40 2013 SENT CONTROL [clearos.grand.com]: 'PUSH_REQUEST' (status=1)
Tue Mar 26 12:31:40 2013 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.0.250,dhcp-option WINS ,dhcp-option DOMAIN grand.com,route 192.168.0.0 255.255.255.0,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Tue Mar 26 12:31:40 2013 OPTIONS IMPORT: timers and/or timeouts modified
Tue Mar 26 12:31:40 2013 OPTIONS IMPORT: --ifconfig/up options modified
Tue Mar 26 12:31:40 2013 OPTIONS IMPORT: route options modified
Tue Mar 26 12:31:40 2013 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Mar 26 12:31:40 2013 ROUTE default_gateway=192.168.1.1
Tue Mar 26 12:31:40 2013 TUN/TAP device tun0 opened
Tue Mar 26 12:31:40 2013 TUN/TAP TX queue length set to 100
Tue Mar 26 12:31:40 2013 /sbin/ip link set dev tun0 up mtu 1500
Tue Mar 26 12:31:40 2013 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Tue Mar 26 12:31:40 2013 /sbin/ip route add 192.168.0.0/24 via 10.8.0.5
Tue Mar 26 12:31:40 2013 /sbin/ip route add 10.8.0.1/32 via 10.8.0.5
Tue Mar 26 12:31:40 2013 Initialization Sequence Completed
Tue Mar 26 12:33:40 2013 [clearos.grand.com] Inactivity timeout (--ping-restart), restarting
Tue Mar 26 12:33:40 2013 TCP/UDP: Closing socket
Tue Mar 26 12:33:40 2013 SIGUSR1[soft,ping-restart] received, process restarting
Tue Mar 26 12:33:40 2013 Restart pause, 2 second(s)
Tue Mar 26 12:33:42 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Mar 26 12:33:42 2013 Re-using SSL/TLS context
Tue Mar 26 12:33:42 2013 LZO compression initialized
Tue Mar 26 12:33:42 2013 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Mar 26 12:33:42 2013 Socket Buffers: R=[196608->131072] S=[196608->131072]
Tue Mar 26 12:33:42 2013 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Mar 26 12:33:42 2013 Local Options hash (VER=V4): '41690919'
Tue Mar 26 12:33:42 2013 Expected Remote Options hash (VER=V4): '530fdded'
Tue Mar 26 12:33:42 2013 UDPv4 link local: [undef]
Tue Mar 26 12:33:42 2013 UDPv4 link remote: XX.XX.XX.XX:1194
Tue Mar 26 12:34:42 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Mar 26 12:34:42 2013 TLS Error: TLS handshake failed
Tue Mar 26 12:34:42 2013 TCP/UDP: Closing socket
Tue Mar 26 12:34:42 2013 SIGUSR1[soft,tls-error] received, process restarting
Tue Mar 26 12:34:42 2013 Restart pause, 2 second(s)
Tue Mar 26 12:34:44 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Mar 26 12:34:44 2013 Re-using SSL/TLS context
Tue Mar 26 12:34:44 2013 LZO compression initialized
Tue Mar 26 12:34:44 2013 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Mar 26 12:34:44 2013 Socket Buffers: R=[196608->131072] S=[196608->131072]
Tue Mar 26 12:34:44 2013 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Mar 26 12:34:44 2013 Local Options hash (VER=V4): '41690919'
Tue Mar 26 12:34:44 2013 Expected Remote Options hash (VER=V4): '530fdded'
Tue Mar 26 12:34:44 2013 UDPv4 link local: [undef]
Tue Mar 26 12:34:44 2013 UDPv4 link remote: XX.XX.XX.XX:1194
Tue Mar 26 12:35:45 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Mar 26 12:35:45 2013 TLS Error: TLS handshake failed
Tue Mar 26 12:35:45 2013 TCP/UDP: Closing socket
Tue Mar 26 12:35:45 2013 SIGUSR1[soft,tls-error] received, process restarting
Tue Mar 26 12:35:45 2013 Restart pause, 2 second(s)
Tue Mar 26 12:35:47 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Mar 26 12:35:47 2013 Re-using SSL/TLS context
Tue Mar 26 12:35:47 2013 LZO compression initialized
Tue Mar 26 12:35:47 2013 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Mar 26 12:35:47 2013 Socket Buffers: R=[196608->131072] S=[196608->131072]
Tue Mar 26 12:35:47 2013 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Mar 26 12:35:47 2013 Local Options hash (VER=V4): '41690919'
Tue Mar 26 12:35:47 2013 Expected Remote Options hash (VER=V4): '530fdded'
Tue Mar 26 12:35:47 2013 UDPv4 link local: [undef]
Tue Mar 26 12:35:47 2013 UDPv4 link remote: XX.XX.XX.XX:1194
Tue Mar 26 12:36:47 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Mar 26 12:36:47 2013 TLS Error: TLS handshake failed
Tue Mar 26 12:36:47 2013 TCP/UDP: Closing socket
Tue Mar 26 12:36:47 2013 SIGUSR1[soft,tls-error] received, process restarting
Tue Mar 26 12:36:47 2013 Restart pause, 2 second(s)
Tue Mar 26 12:36:49 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Mar 26 12:36:49 2013 Re-using SSL/TLS context
Tue Mar 26 12:36:49 2013 LZO compression initialized
Tue Mar 26 12:36:49 2013 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Mar 26 12:36:49 2013 Socket Buffers: R=[196608->131072] S=[196608->131072]
Tue Mar 26 12:36:49 2013 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Mar 26 12:36:49 2013 Local Options hash (VER=V4): '41690919'
Tue Mar 26 12:36:49 2013 Expected Remote Options hash (VER=V4): '530fdded'
Tue Mar 26 12:36:49 2013 UDPv4 link local: [undef]
Tue Mar 26 12:36:49 2013 UDPv4 link remote: XX.XX.XX.XX:1194
Tue Mar 26 12:36:49 2013 TLS: Initial packet from XX.XX.XX.XX:1194, sid=7444d74a 473b1a1f
Tue Mar 26 12:36:49 2013 VERIFY OK: depth=1, /C=RU/L=Krasnodar/O=ClearOS/OU=grand/CN=ca.clearos.grand.com/emailAddress=security@clearos.grand.com/O=grand/ST=Krasnodar
Tue Mar 26 12:36:49 2013 VERIFY OK: nsCertType=SERVER
Tue Mar 26 12:36:49 2013 VERIFY OK: depth=0, /C=RU/ST=Krasnodar/L=Krasnodar/O=ClearOS/O=grand/OU=grand/CN=clearos.grand.com/emailAddress=security@clearos.grand.com
Tue Mar 26 12:36:49 2013 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Mar 26 12:36:49 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Mar 26 12:36:49 2013 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Mar 26 12:36:49 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Mar 26 12:36:49 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Tue Mar 26 12:36:49 2013 [clearos.grand.com] Peer Connection Initiated with XX.XX.XX.XX:1194
Tue Mar 26 12:36:52 2013 SENT CONTROL [clearos.grand.com]: 'PUSH_REQUEST' (status=1)
Tue Mar 26 12:36:52 2013 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.0.250,dhcp-option WINS ,dhcp-option DOMAIN grand.com,route 192.168.0.0 255.255.255.0,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Tue Mar 26 12:36:52 2013 OPTIONS IMPORT: timers and/or timeouts modified
Tue Mar 26 12:36:52 2013 OPTIONS IMPORT: --ifconfig/up options modified
Tue Mar 26 12:36:52 2013 OPTIONS IMPORT: route options modified
Tue Mar 26 12:36:52 2013 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Mar 26 12:36:52 2013 Preserving previous TUN/TAP instance: tun0
Tue Mar 26 12:36:52 2013 Initialization Sequence Completed
Tue Mar 26 12:38:47 2013 TLS: new session incoming connection from XX.XX.XX.XX:1194
Tue Mar 26 12:38:47 2013 TLS Error: reading acknowledgement record from packet
Tue Mar 26 12:38:47 2013 TLS: new session incoming connection from XX.XX.XX.XX:1194
Tue Mar 26 12:38:47 2013 VERIFY OK: depth=1, /C=RU/L=Krasnodar/O=ClearOS/OU=grand/CN=ca.clearos.grand.com/emailAddress=security@clearos.grand.com/O=grand/ST=Krasnodar
Tue Mar 26 12:38:47 2013 VERIFY OK: nsCertType=SERVER
Tue Mar 26 12:38:47 2013 VERIFY OK: depth=0, /C=RU/ST=Krasnodar/L=Krasnodar/O=ClearOS/O=grand/OU=grand/CN=clearos.grand.com/emailAddress=security@clearos.grand.com
Tue Mar 26 12:38:47 2013 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Mar 26 12:38:47 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Mar 26 12:38:47 2013 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Mar 26 12:38:47 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Mar 26 12:38:47 2013 TLS: move_session: dest=TM_ACTIVE src=TM_UNTRUSTED reinit_src=1
Tue Mar 26 12:38:47 2013 TLS: tls_multi_process: untrusted session promoted to semi-trusted
Tue Mar 26 12:38:47 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Tue Mar 26 12:38:49 2013 TLS: new session incoming connection from XX.XX.XX.XX:1194
Tue Mar 26 12:38:49 2013 TLS: new session incoming connection from XX.XX.XX.XX:1194
Tue Mar 26 12:38:54 2013 TLS: new session incoming connection from XX.XX.XX.XX:1194
Tue Mar 26 12:39:03 2013 TLS Error: reading acknowledgement record from packet
Tue Mar 26 12:39:04 2013 TLS Error: Unroutable control packet received from XX.XX.XX.XX:1194 (si=3 op=P_ACK_V1)
Tue Mar 26 12:39:49 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Mar 26 12:39:49 2013 TLS Error: TLS handshake failed
Tue Mar 26 12:41:14 2013 [clearos.grand.com] Inactivity timeout (--ping-restart), restarting
Tue Mar 26 12:41:14 2013 TCP/UDP: Closing socket
Tue Mar 26 12:41:14 2013 SIGUSR1[soft,ping-restart] received, process restarting
Tue Mar 26 12:41:14 2013 Restart pause, 2 second(s)
Tue Mar 26 12:41:16 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Mar 26 12:41:16 2013 Re-using SSL/TLS context
Tue Mar 26 12:41:16 2013 LZO compression initialized
Tue Mar 26 12:41:16 2013 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Mar 26 12:41:16 2013 Socket Buffers: R=[196608->131072] S=[196608->131072]
Tue Mar 26 12:41:16 2013 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Mar 26 12:41:16 2013 Local Options hash (VER=V4): '41690919'
Tue Mar 26 12:41:16 2013 Expected Remote Options hash (VER=V4): '530fdded'
Tue Mar 26 12:41:16 2013 UDPv4 link local: [undef]
Tue Mar 26 12:41:16 2013 UDPv4 link remote: XX.XX.XX.XX:1194
Tue Mar 26 12:42:16 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Mar 26 12:42:16 2013 TLS Error: TLS handshake failed
Tue Mar 26 12:42:16 2013 TCP/UDP: Closing socket
Tue Mar 26 12:42:16 2013 SIGUSR1[soft,tls-error] received, process restarting
Tue Mar 26 12:42:16 2013 Restart pause, 2 second(s)
Tue Mar 26 12:42:18 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Mar 26 12:42:18 2013 Re-using SSL/TLS context
Tue Mar 26 12:42:18 2013 LZO compression initialized
Tue Mar 26 12:42:18 2013 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Mar 26 12:42:18 2013 Socket Buffers: R=[196608->131072] S=[196608->131072]
Tue Mar 26 12:42:18 2013 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Mar 26 12:42:18 2013 Local Options hash (VER=V4): '41690919'
Tue Mar 26 12:42:18 2013 Expected Remote Options hash (VER=V4): '530fdded'
Tue Mar 26 12:42:18 2013 UDPv4 link local: [undef]
Tue Mar 26 12:42:18 2013 UDPv4 link remote: XX.XX.XX.XX:1194
server config:
port 1194
proto udp
dev tun
ca /etc/pki/CA/ca-cert.pem
cert /etc/pki/CA/sys-0-cert.pem
key /etc/pki/CA/private/sys-0-key.pem
dh /etc/openvpn/ssl/dh1024.pem
server 10.8.0.0 255.255.255.0
# in server mode "keepalive 10 120" expands to ping 10 / ping-restart 240 locally
# and pushes "ping 10" and "ping-restart 120" to every client (visible in the PUSH_REPLY above)
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
ifconfig-pool-persist /var/lib/openvpn/ipp.txt
status /var/lib/openvpn/openvpn-status.log
verb 3
push "dhcp-option DNS 192.168.0.250"
push "dhcp-option WINS "
push "dhcp-option DOMAIN grand.com"
push "route 192.168.0.0 255.255.255.0"
client config:
client
remote XX.XX.XX.XX 1194
dev tun
proto udp
nobind
# the server's pushed "ping 10" / "ping-restart 120" replace these values after PUSH_REPLY,
# which is why the log shows the inactivity timeout firing after 120 s rather than 60 s
keepalive 10 60
tls-timeout 15
persist-key
persist-tun
ca /etc/openvpn/new/ca-cert.pem
cert /etc/openvpn/new/client-st1g-cert.pem
# the log warns this file is group/others accessible; it should be mode 0600
key /etc/openvpn/new/client-st1g-key.pem
ns-cert-type server
comp-lzo
verb 3
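The log above mixes three different symptoms: a tunnel that comes up and then hits --ping-restart, a run of 60-second TLS handshake timeouts, and "new session incoming connection" / "Unroutable control packet" messages once a session is back up. The following script is an added example written for this thread (it is not code from the original post, from OpenVPN or from ClearOS). It parses the standard OpenVPN 2.x client log line format and reports, per session, how long the tunnel stayed up before the inactivity timeout, how many handshake timeouts followed, and which ping-restart value the server pushed. SAMPLE_LOG is a constructed excerpt of the log posted above, trimmed to the lines the analysis uses; the interpretation strings in findings() are this example's own reading of the OpenVPN timer semantics (ping-restart is reset by any packet received from the peer).

```python
"""Summarise OpenVPN client restart loops from a verb-3 log.

Added example for this thread, not code from the original post.
Log format assumed: "Tue Mar 26 12:31:37 2013 <message>" (OpenVPN 2.x default).
"""
import re
from datetime import datetime

TS_FMT = "%a %b %d %H:%M:%S %Y"
LINE_RE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (.*)$")

# Constructed excerpt of the log posted in the thread (only the lines the analysis keys on).
SAMPLE_LOG = """\
Tue Mar 26 12:31:40 2013 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Tue Mar 26 12:31:40 2013 Initialization Sequence Completed
Tue Mar 26 12:33:40 2013 [clearos.grand.com] Inactivity timeout (--ping-restart), restarting
Tue Mar 26 12:34:42 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Mar 26 12:35:45 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Mar 26 12:36:47 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Mar 26 12:36:52 2013 Initialization Sequence Completed
Tue Mar 26 12:38:47 2013 TLS: new session incoming connection from XX.XX.XX.XX:1194
Tue Mar 26 12:39:04 2013 TLS Error: Unroutable control packet received from XX.XX.XX.XX:1194 (si=3 op=P_ACK_V1)
Tue Mar 26 12:39:49 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Mar 26 12:41:14 2013 [clearos.grand.com] Inactivity timeout (--ping-restart), restarting
"""


def parse(lines):
    """Yield (timestamp, message) for every line that carries an OpenVPN timestamp."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), TS_FMT), m.group(2)


def analyse(lines):
    """Group the log into tunnel sessions and count the failure events around them."""
    report = {"pushed_ping_restart": None, "sessions": [],
              "unroutable": 0, "incoming_sessions": 0}
    current = None
    for ts, msg in parse(lines):
        if msg.startswith("PUSH: Received control message:"):
            m = re.search(r"ping-restart (\d+)", msg)
            if m:
                report["pushed_ping_restart"] = int(m.group(1))
        elif msg == "Initialization Sequence Completed":
            # a new session starts; everything until the next one belongs to it
            current = {"up_at": ts, "down_at": None, "up_seconds": None, "tls_failures": 0}
            report["sessions"].append(current)
        elif "Inactivity timeout (--ping-restart)" in msg and current and current["down_at"] is None:
            current["down_at"] = ts
            current["up_seconds"] = (ts - current["up_at"]).total_seconds()
        elif msg.startswith("TLS Error: TLS key negotiation failed"):
            if current:
                current["tls_failures"] += 1
        elif msg.startswith("TLS Error: Unroutable control packet"):
            report["unroutable"] += 1
        elif msg.startswith("TLS: new session incoming connection"):
            report["incoming_sessions"] += 1
    return report


def findings(report):
    """Turn the counters into the observations an operator would want to check."""
    out = []
    pr = report["pushed_ping_restart"]
    if pr is not None:
        out.append(f"server pushed ping-restart {pr}; it replaces the client's own keepalive timeout")
    for i, s in enumerate(report["sessions"], 1):
        if s["up_seconds"] is None:
            continue
        # ping-restart is reset by any packet from the peer, so an uptime equal to the
        # window means the client received nothing at all after the handshake finished
        if pr is not None and s["up_seconds"] <= pr + 1:
            out.append(f"session {i}: dropped after {s['up_seconds']:.0f}s, the full ping-restart window: "
                       "no packet from the server reached the client after the handshake")
        else:
            out.append(f"session {i}: up for {s['up_seconds']:.0f}s before the inactivity timeout")
        if s["tls_failures"]:
            out.append(f"session {i}: {s['tls_failures']} TLS handshake timeout(s) of 60s before recovery")
    if report["unroutable"] or report["incoming_sessions"]:
        out.append("peer sent control packets for a session id this client does not know; one side reset "
                   "its session state (check NAT/UDP state lifetime and that no other client uses this certificate)")
    return out


if __name__ == "__main__":
    for line in findings(analyse(SAMPLE_LOG.splitlines())):
        print(line)
```

Run it against the full client log (verb 3) rather than the excerpt to see every session; the first session in the excerpt lasts exactly 120 s, which is the pushed ping-restart window, so the server's replies never reached the client in that interval even though the handshake itself had succeeded.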