
Site to Site VPN

Discussion in 'Tomato Firmware' started by cschlik, Feb 27, 2013.

  1. cschlik

    cschlik Serious Server Member

    I have tried without success several site-to-site vpn tutorials. The end result is the same. Client Router crashes at startup.

    I have tried numerous versions of Tomato with the same result. I always do a thorough NVRAM erase before working on a config. Banging my head on the wall here... Here is my setup.

    Office: Linksys E3000 with Tomato Firmware 1.28.0000 MIPSR2-106 K26 USB VPN installed. Hooked to a 30 meg Charter Cable connection. DHCP address, using DynDNS.

    My latest attempt I tried Qui's Method (http://blog.qnology.com/2013/02/tutorial-30-minutes-or-less-site-to.html). But I have tried others, again with the client router crashing.

    The E3000 launches the VPN without issue and appears to be awaiting connection.

    Home: Linksys E3000 with same firmware and settings from the blog. This is on a Uverse connection (3wire gateway) with the E3000 on DMZ getting a public IP. I have also tried the router behind router setting with no luck.

    If I launch the client while the server is not running the client router will not crash. As soon as I start the server vpn, the client router crashes and requires a reboot. So I guess there is some sort of communication happening.

    Because of the crash, I see no log entries regarding VPN on the Client Router.

    Here is the server log for the most recent crash:

    Feb 27 08:31:12 StoreVPN daemon.notice openvpn[1257]: TITLE,OpenVPN 2.3.0 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Feb 18 2013
    Feb 27 08:31:12 StoreVPN daemon.notice openvpn[1257]: TIME,Wed Feb 27 08:31:12 2013,1361975472
    Feb 27 08:31:12 StoreVPN daemon.notice openvpn[1257]: HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username
    Feb 27 08:31:12 StoreVPN daemon.notice openvpn[1257]: HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
    Feb 27 08:31:12 StoreVPN daemon.notice openvpn[1257]: GLOBAL_STATS,Max bcast/mcast queue length,0
    Feb 27 08:31:12 StoreVPN daemon.notice openvpn[1257]: END
    Feb 27 08:32:25 StoreVPN daemon.notice openvpn[1257]: 76.205.X.XX:36003 TLS: Initial packet from [AF_INET]76.205.X.XX:36003, sid=96844747 4c2d79cf
    Feb 27 08:32:26 StoreVPN daemon.notice openvpn[1257]: 76.205.X.XX:36003 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA, name=EasyRSA, emailAddress=me@myhost.mydomain
    Feb 27 08:32:26 StoreVPN daemon.notice openvpn[1257]: 76.205.X.XX:36003 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Site2SiteClient, name=EasyRSA, emailAddress=me@myhost.mydomain
    Feb 27 08:32:26 StoreVPN daemon.notice openvpn[1257]: 76.205.X.XX:36003 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Feb 27 08:32:26 StoreVPN daemon.notice openvpn[1257]: 76.205.X.XX:36003 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Feb 27 08:32:26 StoreVPN daemon.notice openvpn[1257]: 76.205.X.XX:36003 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Feb 27 08:32:26 StoreVPN daemon.notice openvpn[1257]: 76.205.X.XX:36003 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Feb 27 08:32:26 StoreVPN daemon.notice openvpn[1257]: 76.205.X.XX:36003 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Feb 27 08:32:26 StoreVPN daemon.notice openvpn[1257]: 76.205.X.XX:36003 [Site2SiteClient] Peer Connection Initiated with [AF_INET]76.205.X.XX:36003
    Feb 27 08:32:26 StoreVPN daemon.notice openvpn[1257]: Site2SiteClient/76.205.X.XX:36003 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
    Feb 27 08:32:26 StoreVPN daemon.notice openvpn[1257]: Site2SiteClient/76.205.X.XX:36003 MULTI: Learn: 10.8.0.6 -> Site2SiteClient/76.205.X.XX:36003
    Feb 27 08:32:27 StoreVPN daemon.notice openvpn[1257]: Site2SiteClient/76.205.X.XX:36003 MULTI: primary virtual IP for Site2SiteClient/76.205.X.XX:36003: 10.8.0.6
    Feb 27 08:32:29 StoreVPN daemon.notice openvpn[1257]: Site2SiteClient/76.205.X.XX:36003 PUSH: Received control message: 'PUSH_REQUEST'
    Feb 27 08:32:29 StoreVPN daemon.notice openvpn[1257]: Site2SiteClient/76.205.X.XX:36003 send_push_reply(): safe_cap=940
    Feb 27 08:32:29 StoreVPN daemon.notice openvpn[1257]: Site2SiteClient/76.205.X.XX:36003 SENT CONTROL [Site2SiteClient]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 192.168.2.0 255.255.255.0,route 10.8.0.0 255.255.255.0,topology net30,ping 15,ping-restart 60,ifconfig 10.8.0.6 10.8.0.5' (status=1)

    As a lame excuse at getting new hardware I purchased an Asus N66R and put Merlin's firmware on it. Same crash...

    Help :)
     
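The server log quoted above records three things worth reading closely: which certificate the client presented, what crypto the two routers negotiated, and which routes the server pushed to the client. What follows is an added example, not code from this thread or from Qui's tutorial: a Python script that extracts those details from such log lines and flags the points a practitioner would check on a config of this vintage. The 64-bit-block BF-CBC data-channel cipher (exposed to SWEET32 birthday attacks on a long-lived tunnel), SHA1 HMAC and the 1024-bit RSA certificate are all below current recommendations, and a pushed route that overlaps the client router's own LAN would make the client route its own subnet into the tunnel. The client LAN of 192.168.2.0/24 is an assumption for the demo (the post does not state it), and the log lines embedded in the script are a shortened copy of the ones quoted above.

```python
"""Pull the security-relevant facts out of an OpenVPN server log excerpt
(peer CN, data/control channel crypto, pushed routes) and flag weak
settings and pushed routes that collide with the client's own LAN.

Added example; not code from the thread or from the linked tutorial.
"""
import ipaddress
import re

# Constructed sample: a shortened copy of the log lines quoted in the post.
SAMPLE_LOG = """\
Feb 27 08:32:26 StoreVPN daemon.notice openvpn[1257]: 76.205.X.XX:36003 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Site2SiteClient, name=EasyRSA, emailAddress=me@myhost.mydomain
Feb 27 08:32:26 StoreVPN daemon.notice openvpn[1257]: 76.205.X.XX:36003 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Feb 27 08:32:26 StoreVPN daemon.notice openvpn[1257]: 76.205.X.XX:36003 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 27 08:32:26 StoreVPN daemon.notice openvpn[1257]: 76.205.X.XX:36003 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Feb 27 08:32:29 StoreVPN daemon.notice openvpn[1257]: Site2SiteClient/76.205.X.XX:36003 SENT CONTROL [Site2SiteClient]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 192.168.2.0 255.255.255.0,route 10.8.0.0 255.255.255.0,topology net30,ping 15,ping-restart 60,ifconfig 10.8.0.6 10.8.0.5' (status=1)
"""

# 64-bit block ciphers: subject to SWEET32 birthday attacks on long-lived tunnels
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC"}
MIN_RSA_BITS = 2048


def parse_handshake(log_text):
    """Extract CN, negotiated crypto and pushed routes from server log lines."""
    info = {"cn": None, "cipher": None, "cipher_bits": None, "hmac": None,
            "rsa_bits": None, "routes": [], "topology": None}
    for line in log_text.splitlines():
        m = re.search(r"VERIFY OK: depth=0, .*?\bCN=([^,]+)", line)
        if m:
            info["cn"] = m.group(1)
        m = re.search(r"Data Channel Encrypt: Cipher '([^']+)' initialized with (\d+) bit key", line)
        if m:
            info["cipher"], info["cipher_bits"] = m.group(1), int(m.group(2))
        m = re.search(r"Data Channel Encrypt: Using \d+ bit message hash '([^']+)'", line)
        if m:
            info["hmac"] = m.group(1)
        m = re.search(r"Control Channel: .*?, (\d+) bit RSA", line)
        if m:
            info["rsa_bits"] = int(m.group(1))
        m = re.search(r"'PUSH_REPLY,([^']*)'", line)
        if m:
            # PUSH_REPLY is a comma-separated list of client-side options
            for opt in m.group(1).split(","):
                parts = opt.split()
                if parts[0] == "route" and len(parts) == 3:
                    info["routes"].append(
                        ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
                elif parts[0] == "topology":
                    info["topology"] = parts[1]
    return info


def audit(info, client_lan):
    """Return a list of findings for weak crypto and route conflicts.

    client_lan is the client router's own LAN (assumed for the demo)."""
    findings = []
    if info["cipher"] in WEAK_CIPHERS:
        findings.append(f"data channel cipher {info['cipher']} has a 64-bit block (SWEET32); use AES-GCM")
    if info["hmac"] == "SHA1":
        findings.append("HMAC uses SHA1; prefer SHA256 or an AEAD cipher")
    if info["rsa_bits"] is not None and info["rsa_bits"] < MIN_RSA_BITS:
        findings.append(f"{info['rsa_bits']}-bit RSA certificate; regenerate with at least {MIN_RSA_BITS} bits")
    lan = ipaddress.ip_network(client_lan, strict=False)
    for route in info["routes"]:
        if route.overlaps(lan):
            findings.append(f"pushed route {route} overlaps the client's own LAN {lan}")
    return findings


if __name__ == "__main__":
    details = parse_handshake(SAMPLE_LOG)
    print(details)
    for finding in audit(details, "192.168.2.0/24"):
        print("WARN:", finding)
```

Run it against a longer excerpt of the real server log (for example the file under /tmp/var/log on the Tomato box) to see every client's handshake; the route-overlap check is the one to look at first when a client router misbehaves as soon as the tunnel comes up, since a pushed route for the client's own subnet is pushed by the server config and never shows up in the client's settings.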
  2. quihong

    quihong Serious Server Member

    Hey Chris,

    I'm glad to see you post your question here cause I'm not really sure what's going on.

    A couple of suggestions.
    - (shot in the dark) can you try tomato-E3000USB-NVRAM60K-1.28.RT-MIPSR2-105-Big-VPN.bin (closest to the version I tested in the tutorial)
    - nvram erase of course and just the most basic configuration - network, ssid, routername, ntp, ddyn
    - when you say the client router crashes: check if you are still able to access it via SSH. If so you should be able to access the logs and troubleshoot further.

    Please keep us updated and thanks for giving the tutorial a try.

    Qui
     
  3. cschlik

    cschlik Serious Server Member

    will the Big file run on the E3000?

    I'll definitely try again. I'm going to work with my router here at my office. I realized that my Charter business account dishes out 3 IPs. I'll just put both routers in close proximity to see what happens.

    If I can SSH, how do I get the log?
     
  4. quihong

    quihong Serious Server Member

    yeah the firmware I mentioned should work, it does have E3000 in its name :)

    Logs should be in /tmp/var/log
     
  5. cschlik

    cschlik Serious Server Member

    Duh! ... Anyway... Here is where we are at. I have the suggested firmware on both routers. Re-did the tutorial. I now have both routers in the same location in bridged mode grabbing their own public IP (take crappy Uverse out of the picture).

    Same result. Router crashes. Cannot SSH; it times out.

    On one occasion I did notice that a connection showed up on the server side before the crash.
     
  6. cschlik

    cschlik Serious Server Member

    Thanks for the Great Tutorial. Up and running now.

    I imagine I had a problem with the Keys. After several crashes yesterday I took a break.

    Got up this morning, had my diet pepsi and started at it again.

    Followed the tutorial to the letter (again, I thought) and all is well. I only wish I understood what went wrong. I like tinkering with this stuff, but I like to understand the process.

    Any problem with pasting the server keys into the GUI so that I can free up the USB port?

    Again, thanks!
     
  7. quihong

    quihong Serious Server Member

    That's good news. I wish we could figure out the root cause though.

    The client side VPN configuration is trivial. You only have to paste in the keys, pretty much. So my only thought is that somehow that got messed up - illegal characters or something like that.

    Yes, you can paste in the server keys and free up the USB port. But... but... Entware. What else would you be using the USB port for? A printer?
     
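The suspicion in the last two posts, that the keys pasted into the router's GUI picked up stray characters, is the kind of thing that is cheap to check before a reboot cycle. The following is an added example, not code from the thread, the tutorial or Tomato: a Python function that normalizes a pasted PEM block and reports the usual copy-paste damage (CRLF line endings, non-breaking spaces or smart quotes from a browser or word processor, mismatched BEGIN/END labels, a truncated or corrupted base64 body). It also accepts OpenVPN static (tls-auth) keys, whose body is hex rather than base64. The sample blocks in the script are constructed for the demo: the "certificate" is a five-byte DER SEQUENCE, not a real certificate, and the static key is a placeholder pattern.

```python
"""Sanity-check a PEM block before pasting it into a router's VPN key fields.

Added example, not part of the tutorial or of Tomato. Reports copy-paste
damage that makes a key unusable and returns a cleaned block on success.
"""
import base64
import binascii
import re
import textwrap

PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Za-z0-9 ]+)-----\n(?P<body>.*?)\n-----END (?P<end>[A-Za-z0-9 ]+)-----",
    re.DOTALL,
)


def normalize_pem(text):
    """Return (cleaned_pem_or_None, list_of_problems)."""
    problems = []
    # Browsers and word processors inject NBSP (U+00A0), smart quotes and the like
    for ch in sorted(set(text)):
        if ord(ch) > 127:
            problems.append(f"non-ASCII character U+{ord(ch):04X} present (copy-paste artefact?)")
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    m = PEM_RE.search(text)
    if not m:
        problems.append("no complete BEGIN/END block found")
        return None, problems
    label, end = m.group("label"), m.group("end")
    if label != end:
        problems.append(f"BEGIN label {label!r} does not match END label {end!r}")
    lines = [ln.strip() for ln in m.group("body").split("\n")]
    lines = [ln for ln in lines if ln]
    if label.startswith("OpenVPN Static key"):
        # tls-auth keys are 16 lines of 32 hex characters (256 bytes), not base64
        if len(lines) != 16 or any(not re.fullmatch(r"[0-9a-fA-F]{32}", ln) for ln in lines):
            problems.append("static key body is not 16 lines of 32 hex characters")
            return None, problems
        body_lines = lines
    else:
        body = "".join(lines)
        try:
            der = base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError):
            problems.append("body is not valid base64 (stray character or truncation)")
            return None, problems
        if not der.startswith(b"\x30"):
            problems.append("decoded body does not start with a DER SEQUENCE tag")
        body_lines = textwrap.wrap(body, 64)  # canonical 64-column PEM lines
    if problems:
        return None, problems
    cleaned = f"-----BEGIN {label}-----\n" + "\n".join(body_lines) + f"\n-----END {label}-----\n"
    return cleaned, problems


# Constructed samples. GOOD_PEM wraps a five-byte DER SEQUENCE (INTEGER 5);
# it is NOT a real certificate, only enough structure for the checks to run.
_der = b"\x30\x03\x02\x01\x05"
GOOD_PEM = ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(_der).decode() + "\n-----END CERTIFICATE-----\n")
# The same block after a trip through a Windows editor and a web page:
# CRLF line endings and a non-breaking space inside the base64 body.
BAD_PEM = GOOD_PEM.replace("\n", "\r\n").replace("MAMCAQU=", "MAMC\u00a0AQU=")
# Placeholder static key in the tls-auth file layout (comment header, 16 hex lines).
STATIC_KEY = ("#\n# 2048 bit OpenVPN static key\n#\n"
              "-----BEGIN OpenVPN Static key V1-----\n"
              + "\n".join(["0123456789abcdef0123456789abcdef"] * 16)
              + "\n-----END OpenVPN Static key V1-----\n")

if __name__ == "__main__":
    for name, block in [("good", GOOD_PEM), ("bad", BAD_PEM), ("static", STATIC_KEY)]:
        cleaned, probs = normalize_pem(block)
        print(name, "OK" if cleaned else "REJECTED", probs)
```

Paste the cleaned output, not the original, into the GUI field; if the function rejects a real key, the problems list tells you whether to re-export it from the CA machine or just strip the characters the clipboard added.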
