  1. I'm not sure of anything; it's probably just informational rather than a warning. In any case, up to that final piece of log you posted there's no indication of an error that would cause the connection to drop. I still think you should ask for a log with "9" (very chatty) and, once the connection is established, ping the other side of the tunnel from another machine, PASSING THROUGH the server. Put tcpdump capturing the traffic and analyze it with Wireshark; try the tunnel with another certificate and/or one more client.


  2. Mon Dec 8 09:03:16 2008 MULTI: new connection by client 'mautrab' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.



    Man, first of all this kind of warning shouldn't even appear. It indicates that there is another client trying to connect to the VPN with the same key, even though you are sure you created only one key. Recreate the keys and test the VPN again.

    Remember that the COMMON-NAME is unique!



    Another option is to uncomment the #duplicate-cn line, ONLY for experimentation, and see whether the warning reappears.

    Another thing: you CANNOT use log and log-append at the same time. One or the other; the server doesn't support both simultaneously.


    log /var/log/openvpn.log
    log-append /var/log/openvpn.log



    Regards, Duca.
    Last edited by Duca; 09-12-2008 at 16:16.



    Hi Duka.

    I removed one of the logs you mentioned, but it's still the same thing. As for the CN, I always set a different one for each user I create; in fact, for each user I set the CN to the user's own name, because if I use the same CN in different certificates it won't let me generate them.

    When I restart OpenVPN and right after that ask the Windows client to connect, the log shows up without the MULTI line, like this:

    Wed Dec 10 08:31:24 2008 189.47.198.150:2283 Re-using SSL/TLS context
    Wed Dec 10 08:31:24 2008 189.47.198.150:2283 LZO compression initialized
    Wed Dec 10 08:31:24 2008 189.47.198.150:2283 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Wed Dec 10 08:31:24 2008 189.47.198.150:2283 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
    Wed Dec 10 08:31:24 2008 189.47.198.150:2283 Local Options hash (VER=V4): 'a8f55717'
    Wed Dec 10 08:31:24 2008 189.47.198.150:2283 Expected Remote Options hash (VER=V4): '22188c5b'
    Wed Dec 10 08:31:24 2008 189.47.198.150:2283 TLS: Initial packet from 189.47.198.150:2283, sid=da671c84 e2fdc245
    Wed Dec 10 08:31:25 2008 189.47.198.150:2283 VERIFY OK: depth=1, /C=BR/ST=BA/L=SALVADOR/O=ASTERISK_PESSOAL/CN=asterisk/emailAddress=mauricio@mmm.eti.br
    Wed Dec 10 08:31:25 2008 189.47.198.150:2283 VERIFY OK: depth=0, /C=BR/ST=BA/O=ASTERISK_PESSOAL/CN=mautrab/emailAddress=mauricio@mmm.eti.br
    Wed Dec 10 08:31:25 2008 189.47.198.150:2283 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Wed Dec 10 08:31:25 2008 189.47.198.150:2283 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Dec 10 08:31:25 2008 189.47.198.150:2283 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Wed Dec 10 08:31:25 2008 189.47.198.150:2283 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Dec 10 08:31:25 2008 189.47.198.150:2283 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Wed Dec 10 08:31:25 2008 189.47.198.150:2283 [mautrab] Peer Connection Initiated with 189.47.198.150:2283
    Wed Dec 10 08:31:25 2008 mautrab/189.47.198.150:2283 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/mautrab
    Wed Dec 10 08:31:25 2008 mautrab/189.47.198.150:2283 MULTI: Learn: 10.9.0.17 -> mautrab/189.47.198.150:2283
    Wed Dec 10 08:31:25 2008 mautrab/189.47.198.150:2283 MULTI: primary virtual IP for mautrab/189.47.198.150:2283: 10.9.0.17
    Wed Dec 10 08:31:26 2008 mautrab/189.47.198.150:2283 PUSH: Received control message: 'PUSH_REQUEST'
    Wed Dec 10 08:31:26 2008 mautrab/189.47.198.150:2283 SENT CONTROL [mautrab]: 'PUSH_REPLY,route 10.9.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.9.0.17 10.9.0.18' (status=1)
    ==========================================================

    But after disconnecting the client and connecting again, it shows up with MULTI, like this:

    Wed Dec 10 08:34:28 2008 MULTI: multi_create_instance called
    Wed Dec 10 08:34:28 2008 189.47.198.150:2308 Re-using SSL/TLS context
    Wed Dec 10 08:34:28 2008 189.47.198.150:2308 LZO compression initialized
    Wed Dec 10 08:34:28 2008 189.47.198.150:2308 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Wed Dec 10 08:34:28 2008 189.47.198.150:2308 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
    Wed Dec 10 08:34:28 2008 189.47.198.150:2308 Local Options hash (VER=V4): 'a8f55717'
    Wed Dec 10 08:34:28 2008 189.47.198.150:2308 Expected Remote Options hash (VER=V4): '22188c5b'
    Wed Dec 10 08:34:28 2008 189.47.198.150:2308 TLS: Initial packet from 189.47.198.150:2308, sid=2d5aa42c 266087a4
    Wed Dec 10 08:34:29 2008 189.47.198.150:2308 VERIFY OK: depth=1, /C=BR/ST=BA/L=SALVADOR/O=ASTERISK_PESSOAL/CN=asterisk/emailAddress=mauricio@mmm.eti.br
    Wed Dec 10 08:34:29 2008 189.47.198.150:2308 VERIFY OK: depth=0, /C=BR/ST=BA/O=ASTERISK_PESSOAL/CN=mautrab/emailAddress=mauricio@mmm.eti.br
    Wed Dec 10 08:34:29 2008 189.47.198.150:2308 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Wed Dec 10 08:34:29 2008 189.47.198.150:2308 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Dec 10 08:34:29 2008 189.47.198.150:2308 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Wed Dec 10 08:34:29 2008 189.47.198.150:2308 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Dec 10 08:34:29 2008 189.47.198.150:2308 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Wed Dec 10 08:34:29 2008 189.47.198.150:2308 [mautrab] Peer Connection Initiated with 189.47.198.150:2308
    Wed Dec 10 08:34:29 2008 MULTI: new connection by client 'mautrab' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
    Wed Dec 10 08:34:29 2008 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/mautrab
    Wed Dec 10 08:34:29 2008 MULTI: Learn: 10.9.0.17 -> mautrab/189.47.198.150:2308
    Wed Dec 10 08:34:29 2008 MULTI: primary virtual IP for mautrab/189.47.198.150:2308: 10.9.0.17
    Wed Dec 10 08:34:30 2008 mautrab/189.47.198.150:2308 PUSH: Received control message: 'PUSH_REQUEST'
    Wed Dec 10 08:34:30 2008 mautrab/189.47.198.150:2308 SENT CONTROL [mautrab]: 'PUSH_REPLY,route 10.9.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.9.0.17 10.9.0.18' (status=1)
    =========================================================================

    Regardless of whether MULTI is in the log or not, Windows loses the route, as I described in the previous post.

    This is happening to me on other servers too, including with different distributions.

    Thanks for your attention.

    Maurício

  4. I forgot,

    when I add the duplicate-cn line, the log generates an error when the client logs in:

    "Options error: option 'duplicate-cn' cannot be used in this context"

    like this:

    Wed Dec 10 08:41:32 2008 /sbin/ip route add 10.9.0.0/24 via 10.9.0.2
    Wed Dec 10 08:41:32 2008 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
    Wed Dec 10 08:41:32 2008 GID set to nobody
    Wed Dec 10 08:41:32 2008 UID set to nobody
    Wed Dec 10 08:41:32 2008 Socket Buffers: R=[135168->131072] S=[135168->131072]
    Wed Dec 10 08:41:32 2008 UDPv4 link local (bound): 201.20.20.22:2430
    Wed Dec 10 08:41:32 2008 UDPv4 link remote: [undef]
    Wed Dec 10 08:41:32 2008 MULTI: multi_init called, r=256 v=256
    Wed Dec 10 08:41:32 2008 IFCONFIG POOL: base=10.9.0.4 size=62
    Wed Dec 10 08:41:32 2008 Initialization Sequence Completed
    Wed Dec 10 08:41:43 2008 MULTI: multi_create_instance called
    Wed Dec 10 08:41:43 2008 189.47.198.150:2400 Re-using SSL/TLS context
    Wed Dec 10 08:41:43 2008 189.47.198.150:2400 LZO compression initialized
    Wed Dec 10 08:41:43 2008 189.47.198.150:2400 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Wed Dec 10 08:41:43 2008 189.47.198.150:2400 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
    Wed Dec 10 08:41:43 2008 189.47.198.150:2400 Local Options hash (VER=V4): 'a8f55717'
    Wed Dec 10 08:41:43 2008 189.47.198.150:2400 Expected Remote Options hash (VER=V4): '22188c5b'
    Wed Dec 10 08:41:43 2008 189.47.198.150:2400 TLS: Initial packet from 189.47.198.150:2400, sid=6cc5d9ad c30ab912
    Wed Dec 10 08:41:44 2008 189.47.198.150:2400 VERIFY OK: depth=1, /C=BR/ST=BA/L=SALVADOR/O=ASTERISK_PESSOAL/CN=asterisk/emailAddress=mauricio@magalhaes.eti.br
    Wed Dec 10 08:41:44 2008 189.47.198.150:2400 VERIFY OK: depth=0, /C=BR/ST=BA/O=ASTERISK_PESSOAL/CN=mautrab/emailAddress=mauricio@magalhaes.eti.br
    Wed Dec 10 08:41:44 2008 189.47.198.150:2400 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Wed Dec 10 08:41:44 2008 189.47.198.150:2400 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Dec 10 08:41:44 2008 189.47.198.150:2400 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Wed Dec 10 08:41:44 2008 189.47.198.150:2400 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Dec 10 08:41:44 2008 189.47.198.150:2400 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Wed Dec 10 08:41:44 2008 189.47.198.150:2400 [mautrab] Peer Connection Initiated with 189.47.198.150:2400
    Wed Dec 10 08:41:44 2008 mautrab/189.47.198.150:2400 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/mautrab
    Wed Dec 10 08:41:44 2008 mautrab/189.47.198.150:2400 Options error: option 'duplicate-cn' cannot be used in this context
    Wed Dec 10 08:41:44 2008 mautrab/189.47.198.150:2400 MULTI: Learn: 10.9.0.17 -> mautrab/189.47.198.150:2400
    Wed Dec 10 08:41:44 2008 mautrab/189.47.198.150:2400 MULTI: primary virtual IP for mautrab/189.47.198.150:2400: 10.9.0.17
    Wed Dec 10 08:41:45 2008 mautrab/189.47.198.150:2400 PUSH: Received control message: 'PUSH_REQUEST'
    Wed Dec 10 08:41:45 2008 mautrab/189.47.198.150:2400 SENT CONTROL [mautrab]: 'PUSH_REPLY,route 10.9.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,
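The two log patterns shown in posts 3 and 4 (the MULTI "previous active sessions ... dropped" line, and the "Options error" that follows the import of a file from /etc/openvpn/ccd) are worth picking out automatically, because the MULTI message covers two very different situations: a client reconnecting from the same address, and the same certificate being used from a second address at the same time. What follows is an added example, not code from OpenVPN or from anyone in this thread. It assumes the OpenVPN 2.x message formats exactly as they appear above; the SAMPLE_LOG lines are constructed in that format, with the CN and 189.47.198.150 taken from the thread and 198.51.100.7 an invented second address. For each displaced session it reports whether the new session came from the same IP as the one it replaced, and it tags any rejected option with the per-client file the server had just read.

```python
"""Pick duplicate-CN session takeovers and misplaced options out of an
OpenVPN server log.

Added example for this thread; not OpenVPN's code or the posters'. The
SAMPLE_LOG lines are constructed in the server's own message format: the CN
and 189.47.198.150 come from the thread, 198.51.100.7 is an invented second
address.
"""
import re
from collections import defaultdict

TS = r"\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}"
# "<ts> <ip:port> [<cn>] Peer Connection Initiated with ..."
PEER_RE = re.compile(rf"^({TS}) ([\d.]+:\d+) \[([^\]]+)\] Peer Connection Initiated")
# The MULTI line from posts 3 and 4: a new session displaced an older one.
DROP_RE = re.compile(r"MULTI: new connection by client '([^']+)' will cause previous active sessions")
# The "<cn>/<ip:port>" prefix is absent on some lines (post 3), so it is optional.
PREFIX = r"(?:([^/ ]+)/[\d.]+:\d+ )?"
CCD_RE = re.compile(rf"^{TS} {PREFIX}OPTIONS IMPORT: reading client specific options from: (\S+)")
OPTERR_RE = re.compile(rf"^{TS} {PREFIX}Options error: option '([^']+)' cannot be used in this context")

# Constructed sample: a first connect, a reconnect from the same address, then
# a third session from a different address, followed by a rejected option.
SAMPLE_LOG = """\
Wed Dec 10 08:31:25 2008 189.47.198.150:2283 [mautrab] Peer Connection Initiated with 189.47.198.150:2283
Wed Dec 10 08:34:29 2008 189.47.198.150:2308 [mautrab] Peer Connection Initiated with 189.47.198.150:2308
Wed Dec 10 08:34:29 2008 MULTI: new connection by client 'mautrab' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Wed Dec 10 08:41:44 2008 198.51.100.7:1194 [mautrab] Peer Connection Initiated with 198.51.100.7:1194
Wed Dec 10 08:41:44 2008 MULTI: new connection by client 'mautrab' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Wed Dec 10 08:41:44 2008 mautrab/198.51.100.7:1194 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/mautrab
Wed Dec 10 08:41:44 2008 mautrab/198.51.100.7:1194 Options error: option 'duplicate-cn' cannot be used in this context
"""


def analyze(log_text):
    """Return findings as dicts whose 'kind' is 'duplicate_cn' or
    'option_error'. Sessions are tracked per CN in connection order."""
    history = defaultdict(list)  # cn -> [ip:port, ...] as sessions came in
    ccd_file = {}                # cn -> last per-client file imported for it
    last_cn = None               # CN of the most recent completed handshake
    findings = []
    for line in log_text.splitlines():
        m = PEER_RE.match(line)
        if m:
            _, addr, cn = m.groups()
            history[cn].append(addr)
            last_cn = cn
            continue
        m = DROP_RE.search(line)
        if m:
            cn = m.group(1)
            addrs = history[cn]
            new = addrs[-1] if addrs else None
            prev = addrs[-2] if len(addrs) >= 2 else None
            same_ip = bool(prev and new and prev.rsplit(":", 1)[0] == new.rsplit(":", 1)[0])
            findings.append({
                "kind": "duplicate_cn", "cn": cn, "previous": prev, "new": new,
                "same_ip": same_ip,
                "note": ("reconnect from the same address; typically a client restart"
                         if same_ip else
                         "same certificate in use from a second address; verify who holds this key"),
            })
            continue
        m = CCD_RE.match(line)
        if m:
            cn, path = m.groups()
            ccd_file[cn or last_cn] = path
            continue
        m = OPTERR_RE.match(line)
        if m:
            cn, option = m.groups()
            cn = cn or last_cn
            findings.append({
                "kind": "option_error", "cn": cn, "option": option,
                "ccd": ccd_file.get(cn),
                "note": "option rejected while loading a per-client file; "
                        "server-wide options belong in the server config",
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

In the sample, the second duplicate-CN event is the one that deserves attention, since it comes from a different address while the first is an ordinary reconnect. The pattern in post 3 (no MULTI line right after a server restart, MULTI on every reconnect afterwards) is what you expect while the previous session is still inside the ping-restart 120 window the server pushes, so the message on its own is informational. In the post 4 log, the error line directly follows the import of /etc/openvpn/ccd/mautrab, which is the pattern the option_error finding flags.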



  5. Man, take a look here.


    ca /etc/openvpn/chaves/keys/ca.crt
    cert /etc/openvpn/chaves/keys/asterisk.crt
    key /etc/openvpn/chaves/keys/asterisk.key
    dh /etc/openvpn/chaves/keys/dh1024.pem
    ....
    ca catrab.crt
    cert mautrab.crt
    key mautrab.key




    Unless I'm mistaken, the client and server share the same public key, so the ca parameter on both has to have the same key, so it should be:


    ca /etc/openvpn/chaves/keys/ca.crt
    cert /etc/openvpn/chaves/keys/asterisk.crt
    key /etc/openvpn/chaves/keys/asterisk.key
    dh /etc/openvpn/chaves/keys/dh1024.pem
    ....
    ca ca.crt
    cert mautrab.crt
    key mautrab.key



    Taken from the OpenVPN how-to:

    Key Files

    Now we will find our newly-generated keys and certificates in the keys subdirectory. Here is an explanation of the relevant files:

    Filename     Needed By                 Purpose                    Secret
    ca.crt       server + all clients      Root CA certificate        NO
    ca.key       key signing machine only  Root CA key                YES
    dh{n}.pem    server only               Diffie Hellman parameters  NO
    server.crt   server only               Server Certificate         NO
    server.key   server only               Server Key                 YES
    client1.crt  client1 only              Client1 Certificate        NO
    client1.key  client1 only              Client1 Key                YES
    client2.crt  client2 only              Client2 Certificate        NO
    client2.key  client2 only              Client2 Key                YES
    client3.crt  client3 only              Client3 Certificate        NO
    client3.key  client3 only              Client3 Key                YES

    ---------------

    See whether this is influencing anything.
    Do you have other Windows machines connected to this VPN?

    Regards, Duca.
    Last edited by Duca; 10-12-2008 at 16:29.
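Duca's point in this post is that the `ca` directive on both ends must name the same CA certificate, whatever the file happens to be called on each side. One way to check that before a client ever connects, as an added example that is not code from OpenVPN or from the posters: parse both configs, hash the DER of each side's CA certificate (the SHA-256 fingerprint that `openssl x509 -fingerprint -sha256` prints) and compare them; the same parser is then pointed at a per-client file to catch a server-only option such as duplicate-cn, which the server rejects there (the error in post 4). The paths are the thread's; the config texts, the ccd file and the PEM blobs are constructed, the PEM bodies are only stand-ins with PEM framing rather than real certificates, and the `FILES` dict takes the place of the filesystem.

```python
"""Cross-check OpenVPN server and client configs: same CA on both sides,
and no server-only options in a per-client (ccd) file.

Added example for this thread; not OpenVPN's code or the posters'.
Everything below is constructed: the PEM bodies are stand-ins with PEM
framing, not real X.509 certificates, and FILES replaces the filesystem.
"""
import base64
import hashlib
import re
import shlex

# Options the server refuses inside a client-config-dir file. duplicate-cn
# is the one this thread demonstrates; extend the set for your own checks
# (assumption: this list is ours, not taken from OpenVPN's source).
SERVER_ONLY = {"duplicate-cn"}

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def parse_config(text):
    """Map each directive to the list of argument lists it appears with.
    Lines starting with '#' or ';' are comments, as in OpenVPN configs."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = shlex.split(line)
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def pem_fingerprint(pem_text):
    """SHA-256 over the DER bytes of the first CERTIFICATE block, which is
    what `openssl x509 -fingerprint -sha256` reports (without the colons)."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def check(server_conf, client_conf, files, ccd_files=None):
    """Return a list of (problem, detail...) tuples; empty means consistent."""
    findings = []
    server = parse_config(server_conf)
    client = parse_config(client_conf)
    for side, conf in (("server", server), ("client", client)):
        if "ca" not in conf:
            findings.append(("missing_ca", side))
    if not findings:
        s_ca = server["ca"][0][0]
        c_ca = client["ca"][0][0]
        if pem_fingerprint(files[s_ca]) != pem_fingerprint(files[c_ca]):
            findings.append(("ca_mismatch", s_ca, c_ca))
    for name, text in (ccd_files or {}).items():
        for directive in parse_config(text):
            if directive in SERVER_ONLY:
                findings.append(("server_only_option_in_ccd", name, directive))
    return findings


def fake_pem(payload):
    """PEM framing around arbitrary bytes: a constructed stand-in so the
    fingerprint code runs offline. A real file holds a DER certificate."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


CA_PEM = fake_pem(b"constructed stand-in for the real ca.crt")
OTHER_CA_PEM = fake_pem(b"constructed stand-in for catrab.crt, a different CA")

# Constructed configs using the paths from the thread.
SERVER_CONF = """\
ca /etc/openvpn/chaves/keys/ca.crt
cert /etc/openvpn/chaves/keys/asterisk.crt
key /etc/openvpn/chaves/keys/asterisk.key
dh /etc/openvpn/chaves/keys/dh1024.pem
"""
CLIENT_CONF_BAD = "ca catrab.crt\ncert mautrab.crt\nkey mautrab.key\n"
CLIENT_CONF_GOOD = "ca ca.crt\ncert mautrab.crt\nkey mautrab.key\n"
# Constructed per-client file with duplicate-cn in the wrong place.
CCD_MAUTRAB = "ifconfig-push 10.9.0.17 10.9.0.18\nduplicate-cn\n"
FILES = {
    "/etc/openvpn/chaves/keys/ca.crt": CA_PEM,  # what the server reads
    "ca.crt": CA_PEM,                            # copy shipped to the client
    "catrab.crt": OTHER_CA_PEM,                  # a different CA: the bug
}


if __name__ == "__main__":
    print(check(SERVER_CONF, CLIENT_CONF_BAD, FILES, {"mautrab": CCD_MAUTRAB}))
    print(check(SERVER_CONF, CLIENT_CONF_GOOD, FILES))
```

Comparing fingerprints rather than file names is the point: the client's `ca` file can legitimately have any name, but its contents have to be the certificate that signed the server's certificate, otherwise the VERIFY step of the handshake fails on one side or the other.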





