OpenVPN routing issue

I've got a strange issue with openVPN. My setup is:

Code:
[ Internet ]
||
\/
Cisco 837 (192.168.0.1) -> about 3/4 servers
||
\/
linux router (192.168.0.6,192.168.1.6) -> laptops, desktops etc.

Everything on this network works. 192.168.1.0/24 is firewalled from 192.168.0.0/24, and everything can reach the internet via the cisco. Devices in the 192.168.0.0/24 have the cisco as their default gateway. The cisco has routing rules to point 192.168.1.0/24 and anything that's not internet-bound towards the linux router (192.168.0.6).

Clients in the 192.168.1.0/24 have the linux router as their default gw which then has the cisco as its default gateway.

Now, I've got openvpn set up on the linux router. I can vpn in from the outside world and it gets forwarded through the cisco to the linux router and the tunnel is established. From here, I can see anything on 192.168.0.0/16. The vpn network is 192.168.100.0/24 and the correct routes seem to get established on the linux router. I've added a route for the vpn network to the cisco, and I can ping vpn clients from the cisco. Vpn clients are configured to redirect all network traffic down the vpn.

However, the problem is that no vpn client can ping or see the internet. A traceroute simply says that it goes through the linux router, then to the cisco router, then just times out. I've a hunch it's because the reply packets don't know how to get routed back to the client, but given that the cisco can see the clients, it should be able to route the packets. Similarly, the linux router is the vpn server so can route to the clients.

What am I doing wrong here?
 
You have set up a route on the cisco router to 192.168.1.0 but have you done one for 192.168.100.0?

I.e. does the Cisco know how to route to 192.168.100.0?
 
Internet packets are being "tunnelled" along with all other traffic. You need to set up PAT on the Cisco router to allow traffic out from the remote networks that are using the VPN. Whatever you have configured for the 192.168.x.x network to get out to the internet, needs to be duplicated for the address pool you gave to the VPN clients in other words.
Better yet, configure split tunneling on the Linux box so that you are only tunneling traffic to the networks you require (192.168.x.x) and not tunneling web traffic down to the other lan. This way internet traffic is sent out of the VPN clients' internet connection as opposed to wasting your bandwidth.

Edit:

You can feel free to remove any sensitive data from the config of the cisco router and paste it here if you feel comfortable doing so. I'll have a look at it and see what needs adding.
For the record, you could have done all of the VPN on the 837, assuming it has a crypto IOS.
 
oddjob62 said:
You have set up a route on the cisco router to 192.168.1.0 but have you done one for 192.168.100.0?

I.e. does the Cisco know how to route to 192.168.100.0?

Yes, the Cisco can ping clients of the 192.168.100.0/24 network.

Rich said:
Internet packets are being "tunnelled" along with all other traffic. You need to set up PAT on the Cisco router to allow traffic out from the remote networks that are using the VPN. Whatever you have configured for the 192.168.x.x network to get out to the internet, needs to be duplicated for the address pool you gave to the VPN clients in other words.
Better yet, configure split tunneling on the Linux box so that you are only tunneling traffic to the networks you require (192.168.x.x) and not tunneling web traffic down to the other lan. This way internet traffic is sent out of the VPN clients' internet connection as opposed to wasting your bandwidth.

Bandwidth wastage isn't a worry. I can configure the vpn so that internet packets get routed as per the vpn client's normal connection, but I actually want all packets, including internet ones, to go down the vpn, hence the default route being set on the vpn client to the vpn tunnel.

I've just figured out what it is. I can't test it at work, but I'm fairly sure that I'm missing:

Code:
access-list 102 deny   ip 192.168.100.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 102 permit ip 192.168.100.0 0.0.0.255 any

These lines exist for 1.0 and 0.0. I'll add them and see what happens :)
 
Deny traffic from 192.168.100.0/24 to 192.168.100.0/24?? Your router will never get to see that traffic; it will be taken care of at layer 2.
As I have said, I think it is PAT related, so there will be a command in there somewhere like this:

ip nat inside source list 101 interface dialer0 overload

101 will be the access list that defines which networks get translated to the public address of the router and out onto the internet. I imagine your existing networks will be in it, but the new remote access pool won't be.
All of this is educated guess work unless we can see the config though. Let us know how you get on.
 
Rich said:
ip nat inside source list 101 interface dialer0 overload

101 will be the access list that defines which networks get translated to the public address of the router and out onto the internet. I imagine your existing networks will be in it, but the new remote access pool won't be.
All of this is educated guess work unless we can see the config though. Let us know how you get on.

Sounds like a good assumption to me.
 
Rich said:
Deny traffic from 192.168.100.0/24 to 192.168.100.0/24?? Your router will never get to see that traffic; it will be taken care of at layer 2.
As I have said, I think it is PAT related, so there will be a command in there somewhere like this:

ip nat inside source list 101 interface dialer0 overload

101 will be the access list that defines which networks get translated to the public address of the router and out onto the internet. I imagine your existing networks will be in it, but the new remote access pool won't be.
All of this is educated guess work unless we can see the config though. Let us know how you get on.

Yup - it's access list number 102, so ignoring the deny command I put above, I think I need the permit for 192.168.100.0/24 on that access-list.
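To make the PAT point in the thread concrete (the access list named in `ip nat inside source list ... overload` decides which source networks get translated, and every Cisco ACL ends with an implicit deny, so a VPN pool that is not listed never gets a public address and its internet replies have nowhere to come back to), here is an added Python example. It is not from this thread and not a Cisco tool: it parses `access-list` lines from a constructed, hypothetical 837 config, evaluates them the way IOS does (wildcard masks, first match wins, implicit deny), and shows that a client in 192.168.100.0/24 is not translated until the permit entry is added. The interface name, the existing entries and the sample addresses are all assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample config (hypothetical; not the poster's real 837 config).
# ACL 102 is referenced by the overload NAT statement, so it alone decides
# which source networks are translated to the Dialer0 public address.
CONFIG_BEFORE = """
ip nat inside source list 102 interface Dialer0 overload
access-list 102 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
"""

# The fix discussed in the thread: permit the VPN pool in the NAT ACL.
CONFIG_AFTER = CONFIG_BEFORE + "access-list 102 permit ip 192.168.100.0 0.0.0.255 any\n"

ALL_ONES = 0xFFFFFFFF


@dataclass
class AclEntry:
    action: str      # "permit" or "deny"
    src_net: int     # network address as an int
    src_wild: int    # Cisco wildcard mask (1 bits are "don't care")
    dst_net: int
    dst_wild: int


def _is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at tokens[i].
    Returns (network, wildcard, next_index)."""
    tok = tokens[i]
    if tok == "any":
        return 0, ALL_ONES, i + 1
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    net = int(ipaddress.IPv4Address(tok))
    # A standard ACL may omit the wildcard, which IOS treats as 0.0.0.0 (host).
    if i + 1 < len(tokens) and _is_ipv4(tokens[i + 1]):
        return net, int(ipaddress.IPv4Address(tokens[i + 1])), i + 2
    return net, 0, i + 1


def parse_acl(config_text, number):
    """Collect the entries of numbered ACL `number`, in configuration order."""
    entries = []
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[1] != str(number):
            continue
        action = tokens[2]
        if action not in ("permit", "deny"):
            continue
        i = 3
        if tokens[i] == "ip":                     # extended ACL: protocol, src, dst
            src_net, src_wild, i = _parse_addr(tokens, i + 1)
            dst_net, dst_wild, i = _parse_addr(tokens, i)
        else:                                     # standard ACL: source only
            src_net, src_wild, i = _parse_addr(tokens, i)
            dst_net, dst_wild = 0, ALL_ONES
        entries.append(AclEntry(action, src_net, src_wild, dst_net, dst_wild))
    return entries


def _matches(addr, net, wild):
    # Wildcard semantics: compare only the bits where the wildcard is 0.
    return (addr & ~wild & ALL_ONES) == (net & ~wild & ALL_ONES)


def nat_translates(entries, src, dst):
    """True if a packet src->dst is permitted by the NAT ACL (i.e. gets PAT'd).
    First matching entry wins; anything unmatched hits the implicit deny."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for e in entries:
        if _matches(s, e.src_net, e.src_wild) and _matches(d, e.dst_net, e.dst_wild):
            return e.action == "permit"
    return False


if __name__ == "__main__":
    for label, cfg in (("before fix", CONFIG_BEFORE), ("after fix", CONFIG_AFTER)):
        acl = parse_acl(cfg, 102)
        for src in ("192.168.1.20", "192.168.100.6"):
            print(f"{label}: {src} -> 8.8.8.8 translated: {nat_translates(acl, src, '8.8.8.8')}")
```

Running it shows the LAN client is translated in both configs while the VPN client is dropped by the implicit deny until the extra permit exists; the inter-LAN deny entries are also honoured, so 192.168.1.x to 192.168.0.x traffic is left untranslated as intended. The same evaluator can be pointed at a real `show running-config` dump to check which source ranges actually reach the PAT rule.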
 