Help with site-to-site VPN

Discussion in 'Tomato Firmware' started by sgoldwa, Apr 2, 2008.

  1. sgoldwa

    sgoldwa LI Guru Member

    Hi there,
    I have been struggling with setting up a site-to-site VPN for almost 2 days now, and thought I would reach out to you to see if you could help.

    I found a script in a DD-WRT forum that I am trying to use with Tomato due to Tomato's superior QoS. When I telnet into both of the sites and view the log files, I do see "Initialization Sequence Completed" on both ends, but I cannot ping either way.

    Here is what I have on each end ….

    ___________
    SERVER (Buffalo WHR-HP54G), located in Los Angeles


    (Under the INIT tab, I have…)

    sleep 5
    insmod tun.o


    ____________

    (Under the WAN UP tab, I have…)


    # Move to writable directory and create scripts
    cd /tmp
    ln -s /usr/sbin/openvpn /tmp/myvpn

    # Config for Site-to-Site SiteA-SiteB
    echo "
    remote 67.XX.95.XX # I put XXs in here for anonymity, that is not what I have in the actual script
    proto udp
    port 2000
    log /tmp/openvpn.log
    dev tun0
    secret /tmp/static.key
    verb 3
    comp-lzo
    keepalive 15 60
    daemon
    " > SiteA-SiteB.conf

    # Config for Static Key, I put XXs in some of the lines here for anonymity, that is not what I have in the actual script

    echo "
    -----BEGIN OpenVPN Static key V1-----
    f825d10e732fcef07c4992add7233b93
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    90eef44fccf6b7e7dbc3304326631eff
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    445bad47dddc438eca5e507b16fae273
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    ae1a5d6b10e798c2ab3f758ac59899b8
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    8663ef18cc3cef23e34ded2e14211f10
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    f60364a7940c5966a821a136856067b8
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    730b5ed7bf9dfa9db6ebac735e9ee53f
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    aaeda5e5b1aba189d47737b95f9f798c
    cc81e3e3fd52da33a2781eb4255f7bce
    -----END OpenVPN Static key V1-----
    " > static.key

    # Create interfaces
    /tmp/myvpn --mktun --dev tun0
    ifconfig tun0 10.0.0.1 netmask 255.255.255.0 promisc up

    # Create routes (use the network address 192.168.0.0, not the host 192.168.0.1:
    # route rejects a -net entry whose host bits do not match the netmask)
    route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.0.0.2

    # Initiate the tunnel
    sleep 5
    /tmp/myvpn --config SiteA-SiteB.conf




    On the other side, I have…


    CLIENT (Buffalo WHR-HP54G), located in Seattle

    (Under the INIT tab, I have…)
    sleep 5
    insmod tun.o


    ____________

    (Under the WAN UP tab, I have…)


    # Move to writable directory and create scripts
    cd /tmp
    ln -s /usr/sbin/openvpn /tmp/myvpn

    # Config for Site-to-Site SiteA-SiteB
    echo "
    proto udp
    port 2000
    log /tmp/openvpn.log
    dev tun0
    secret /tmp/static.key
    verb 3
    comp-lzo
    keepalive 15 60
    daemon
    " > SiteA-SiteB.conf

    # Config for Static Key
    echo "
    -----BEGIN OpenVPN Static key V1-----
    f825d10e732fcef07c4992add7233b93
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    90eef44fccf6b7e7dbc3304326631eff
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    445bad47dddc438eca5e507b16fae273
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    ae1a5d6b10e798c2ab3f758ac59899b8
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    8663ef18cc3cef23e34ded2e14211f10
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    f60364a7940c5966a821a136856067b8
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    730b5ed7bf9dfa9db6ebac735e9ee53f
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    aaeda5e5b1aba189d47737b95f9f798c
    cc81e3e3fd52da33a2781eb4255f7bce
    -----END OpenVPN Static key V1-----
    " > static.key

    # Create interfaces
    /tmp/myvpn --mktun --dev tun0
    ifconfig tun0 10.0.0.2 netmask 255.255.255.0 promisc up

    # Create routes (use the network address 192.168.10.0, not the host 192.168.10.1:
    # route rejects a -net entry whose host bits do not match the netmask)
    route add -net 192.168.10.0 netmask 255.255.255.0 gw 10.0.0.1

    # Initiate the tunnel
    sleep 5
    /tmp/myvpn --config SiteA-SiteB.conf


    __________________

    Do you have any idea what might be wrong? I am actually replacing 2 perfectly great Sonicwall TZ-170s that do great site-to-site BUT they do not offer the QoS I so need on my system. The Tomato firmware is great in that regard.

    Any ideas would be greatly appreciated!!!!!
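Editor's note: the script below is an added example and not part of the thread or of the DD-WRT script being adapted. It packages the checks a practitioner runs before blaming the tunnel itself: whether a `route add -net` line names a real network address (a `-net` entry such as `192.168.0.1 netmask 255.255.255.0` has host bits set and is rejected by route), whether the static key file is well-formed (BEGIN/END markers around 16 lines of 32 hex digits), and whether the OpenVPN log shows the handshake completing. The key and log excerpts inside it are constructed placeholders, not data from either router.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for a static-key
# OpenVPN point-to-point tunnel like the one set up above. Needs only sh,
# awk and grep, so it runs under busybox on the router or on a workstation.

# Print the network address of ADDR under MASK. Works octet by octet, so no
# 32-bit arithmetic is needed (safe on 32-bit busybox shells).
network_of() {
    oldifs=$IFS
    IFS=.
    set -- $1 $2            # eight fields: four address octets, four mask octets
    IFS=$oldifs
    printf '%d.%d.%d.%d\n' $(($1 & $5)) $(($2 & $6)) $(($3 & $7)) $(($4 & $8))
}

# Succeed when ADDR has no host bits set under MASK.
is_network_address() {
    [ "$(network_of "$1" "$2")" = "$1" ]
}

# Check the NET/MASK pair of a "route add -net NET netmask MASK ..." line.
# Prints "ok", or the network address that should have been used: the Linux
# route command refuses a -net entry whose host bits are set.
check_route_net() {
    if is_network_address "$1" "$2"; then
        echo "ok"
    else
        echo "host bits set: use $(network_of "$1" "$2")"
    fi
}

# Validate an OpenVPN "Static key V1" file read from stdin: BEGIN and END
# markers with exactly 16 lines of 32 hex digits (2048 bits) between them.
# Leading whitespace and blank lines are tolerated, anything else is not.
static_key_valid() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        $0 == "-----BEGIN OpenVPN Static key V1-----" { inkey = 1; next }
        $0 == "-----END OpenVPN Static key V1-----"   { inkey = 0; ended = 1; next }
        !inkey   { next }
        $0 == "" { next }
        length($0) == 32 && $0 ~ /^[0-9a-fA-F]+$/ { hexlines++; next }
        { bad = 1 }
        END { if (ended && !bad && hexlines == 16) exit 0; exit 1 }
    '
}

# Succeed when an OpenVPN log on stdin shows the handshake finished.
tunnel_initialized() {
    grep -q 'Initialization Sequence Completed'
}

# Constructed, well-formed placeholder key (NOT a real secret, never use it).
make_sample_key() {
    printf '%s\n' '-----BEGIN OpenVPN Static key V1-----'
    i=0
    while [ "$i" -lt 16 ]; do
        echo 00112233445566778899aabbccddeeff
        i=$((i + 1))
    done
    printf '%s\n' '-----END OpenVPN Static key V1-----'
}
SAMPLE_KEY=$(make_sample_key)

# Constructed log excerpt (not captured from the thread's routers).
SAMPLE_LOG='TUN/TAP device tun0 opened
UDPv4 link remote: 192.0.2.10:2000
Initialization Sequence Completed'

echo "route 192.168.0.1/24: $(check_route_net 192.168.0.1 255.255.255.0)"
echo "route 192.168.0.0/24: $(check_route_net 192.168.0.0 255.255.255.0)"
printf '%s\n' "$SAMPLE_KEY" | static_key_valid && echo "static key: well-formed"
printf '%s\n' "$SAMPLE_LOG" | tunnel_initialized && echo "openvpn log: tunnel initialized"
```

On the router, replace the constructed samples with `static_key_valid < /tmp/static.key` and `tunnel_initialized < /tmp/openvpn.log`; a tunnel that reports "Initialization Sequence Completed" but passes no traffic is almost always a routing or firewall problem rather than an OpenVPN one, which is what the route check is there to separate out.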
     
  2. sgoldwa

    sgoldwa LI Guru Member

    Solved it

    Well, I spent the *rest* of the day and solved the problem. I had to add a firewall rule to allow for pinging ICMP packets.
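Editor's note: the firewall-script half of this setup, as an added example that is not from the thread or from the DD-WRT script. Tomato's own INPUT and FORWARD chains only accept what its rules name, so the tunnel needs rules for three things: the listening end accepting the peer's UDP handshake on the VPN port, packets from tun0 addressed to the router itself (which is what a ping to 10.0.0.1 or 10.0.0.2 is), and forwarding between the LAN bridge and tun0 in both directions. The interface name br0 and the placeholder peer address are assumptions; the `run` wrapper prints the commands instead of executing them when DRY_RUN is set, so the rule set can be reviewed off the router.

```shell
#!/bin/sh
# Added example (not from the thread): firewall rules for the static-key
# tunnel, intended for Tomato's Firewall script tab. Assumptions: the LAN
# bridge is br0 and PEER_WAN_IP is a placeholder for the other site's
# public address.

TUN_DEV=${TUN_DEV:-tun0}
LAN_DEV=${LAN_DEV:-br0}
VPN_PORT=${VPN_PORT:-2000}
PEER_WAN_IP=${PEER_WAN_IP:-203.0.113.10}   # placeholder (TEST-NET-3); replace
LISTENER=${LISTENER:-yes}                  # "yes" on the end that has no "remote" line

# Print the iptables command instead of running it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Install (or, under DRY_RUN, list) the rules the tunnel needs. -I inserts
# at the head of the chain, ahead of Tomato's own rules and default policy.
tunnel_rules() {
    # Only the listening end must accept unsolicited UDP on the VPN port, and
    # only from the peer: there is no reason to expose the port to everyone.
    # The connecting end's replies are matched by Tomato's ESTABLISHED rule.
    if [ "$LISTENER" = "yes" ]; then
        run -I INPUT -p udp -s "$PEER_WAN_IP" --dport "$VPN_PORT" -j ACCEPT
    fi
    # Packets from the tunnel addressed to the router itself (ping 10.0.0.x).
    run -I INPUT -i "$TUN_DEV" -j ACCEPT
    # LAN <-> tunnel forwarding, both directions. No masquerading: the other
    # site routes this LAN's /24 back through the tunnel.
    run -I FORWARD -i "$LAN_DEV" -o "$TUN_DEV" -j ACCEPT
    run -I FORWARD -i "$TUN_DEV" -o "$LAN_DEV" -j ACCEPT
}

# Number of rules tunnel_rules would install with the current settings.
rule_count() {
    (DRY_RUN=1; tunnel_rules) | wc -l | tr -d ' '
}

# Preview by default; set APPLY=1 when pasting this into the router.
if [ -n "$APPLY" ]; then
    tunnel_rules
else
    (DRY_RUN=1; tunnel_rules)
fi
```

The `-i tun0 -j ACCEPT` INPUT rule trusts the whole tunnel with the router's own services; if only ping across the tunnel is wanted, narrow it to `-p icmp`. With the FORWARD pair in place the LAN hosts on each side can reach the other site's 192.168.x.0/24 without any extra ICMP rule.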
     
  3. FRiC

    FRiC LI Guru Member

    You should not have had to add a rule to allow ping. Were you pinging to your local IP's?
     