How To Set Up Site To Site VPN With NOWS
This document (3165776) is provided subject to the disclaimer at the end of this document.
Installing two NICs with NOWS-SBE:
When you install and configure a NOWS-SBE server, do not configure the second network interface card (NIC) until you have completed the installation and configured the primary NIC through the Web configuration tool. After the initial Web configuration is complete, you can then use YaST to configure the second NIC.
NOTE: Since you will be routing traffic through the server, be sure to enableIPForwardingwhen configuring the second NIC.
Setting up VPN site to site:
1. Synchronize the time between the two servers usingntpdate.
2. In the NOWS-SBE Web administration tool, installFirewall (IPTables)andVPN Server(OpenVPN)on both Server A and Server B.
- For Server A replace"auto" in theVirtual IP Address Networkfield with an address, such as 172.16.150.0
- For Server B replace"auto" in theVirtual IP Address Networkfield with a distinct segment address, such as 172.16.151.0
- Replace "auto" in theVPN Network Maskfield with the appropriate mask, such as 255.255.255.0
- Verify thatAllow VPN
Clients Access to Internal Networkis selected
3. From Server A's Web Administration tool, create a client key for Server B to use:
- Go toProducts and Service>>VPN Server (Open VPN)>>Administrative Console>>OpenVPN Key Management
- Enter a unique name and selectGenerate(Hint: Using the name of Server B is a nice way to keep things organized)
- SelectWindows Client and Configurationto
download and save the Windows Client
zip file. File name is based on the unique
4. Copy the client zip file to/etc/openvpnon Server B.
5. Extract the client zip file into
the/etc/openvpn/folder using the command"unzip
6. Rename (mv) or copy (cp)
7. Using a text editor, such as vi, open theserver.conffile and comment out the second to last line so that it looks something like this:
push "route 192.168.25.0 255.255.255.0"
#push "route 126.96.36.199 255.255.254.0"
push "dhcp-option DNS 188.8.131.52"
This prevents the VPN from pushing the public route to the other server and allows each server to access the public network directly
8. Create a client key for ServerA to use by repeating step 3, from Server B's Web administration tool
9. Finalize ServerA's configuration by repeating steps 4-7 on Server A. When completed, each server should have aserver.confand aclient.conffile in the /etc/openvpn directory
10. Restart openvpn on each server using/etc/init.d/openvpn restart.
11. You should now have a functioning VPN tunnel in each direction. Each server should push its private routes to the other. Test the connection by pinging a host on Network A from ServerB, and a host on Network B from ServerA
12. For most networks with more than a single subnet or where Server A and Server B are not the default gateway for clients on their networks you will also need to setup routing on internal switches and routers so that clients on Network A know to point to Server A as the next hop to Network B. The same will also have to be done so that clients on Network B know to point to Server B as the next hop to Network A.(WARNING: This involves modifying systems beyond the NOWS-SBE servers and can break the network if performed incorrectly. You are on your own at this point)
1. To verify the validity of the certificates on the vpn issue the following command:
openssl verify -
2. In step 7 above, it suggests commenting out the public push statements for the VPN. If this is not done and the VPN servers are on the same network segment, the servers will hang. Pushing the public route may also cause trouble communicating over the VPN tunnel.
3. Uninstalling the Firewall (IP Tables) component does not undo any firewall configuration changes that may have been made. Changes to the Firewall configuration can cause the Site-to-Site VPN to stop functioning, so make firewall changes with care.
4. To verify the firewall configuration:
- In a text editor, open/etc/sysconfig/SuSEfirewall2
- Find the line beginning with"FW_DEV_INT”
- Verify that it looks like
FW_DEV_INT="eth1 tun0 tun1 tun2 tun3 tun4 tun5 tun6 tun7 tun8 tun9”
This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:3165776
- Creation Date:05-FEB-08
- Modified Date:27-APR-12
- SUSESUSE Linux Enterprise Server
Did this document solve your problem? Provide Feedback