How To Set Up Site To Site VPN With NOWS

This document (3165776) is provided subject to the disclaimer at the end of this document.

Environment

Novell Open Workgroup Suite Small Business Edition (NOWS)

Resolution

Reference Diagram



Installing two NICs with NOWS-SBE:

When you install and configure a NOWS-SBE server, do not configure the second network interface card (NIC) until you have completed the installation and configured the primary NIC through the Web configuration tool. After the initial Web configuration is complete, you can then use YaST to configure the second NIC.

NOTE: Since you will be routing traffic through the server, be sure to enable IP Forwarding when configuring the second NIC.

Setting up VPN site to site:

1. Synchronize the time between the two servers using ntpdate.

2. In the NOWS-SBE Web administration tool, install Firewall (IPTables) and VPN Server (OpenVPN) on both Server A and Server B.

  • For Server A replace "auto" in the Virtual IP Address Network field with an address, such as 172.16.150.0
  • For Server B replace "auto" in the Virtual IP Address Network field with a distinct segment address, such as 172.16.151.0
  • Replace "auto" in the VPN Network Mask field with the appropriate mask, such as 255.255.255.0
  • Verify that Allow VPN Clients Access to Internal Network is selected

3. From Server A's Web Administration tool, create a client key for Server B to use:

  • Go to Products and Service >> VPN Server (Open VPN) >> Administrative Console >> OpenVPN Key Management
  • Enter a unique name and select Generate (Hint: Using the name of Server B is a nice way to keep things organized)
  • Select Windows Client and Configuration to download and save the Windows Client zip file. The file name is based on the unique name selected.

4. Copy the client zip file to /etc/openvpn on Server B.

5. Extract the client zip file into the /etc/openvpn/ folder using the command "unzip _client.zip". If desired, delete the Windows install files.

6. Rename (mv) or copy (cp) the .ovpn file to client.conf.

7. Using a text editor, such as vi, open the server.conf file and comment out the second to last line so that it looks something like this:

push "route 192.168.25.0 255.255.255.0"
#push "route 151.155.226.0 255.255.254.0"
push "dhcp-option DNS 151.155.227.253"

This prevents the VPN from pushing the public route to the other server and allows each server to reach the public network directly instead of through the tunnel.

8. Create a client key for Server A to use by repeating step 3 from Server B's Web administration tool.

9. Finalize Server A's configuration by repeating steps 4-7 on Server A. When completed, each server should have a server.conf and a client.conf file in the /etc/openvpn directory.

10. Restart openvpn on each server using /etc/init.d/openvpn restart.

11. You should now have a functioning VPN tunnel in each direction. Each server should push its private routes to the other. Test the connection by pinging a host on Network A from Server B, and a host on Network B from Server A.

12. For most networks with more than a single subnet, or where Server A and Server B are not the default gateway for clients on their networks, you will also need to set up routing on internal switches and routers so that clients on Network A know to point to Server A as the next hop to Network B. The same will also have to be done so that clients on Network B know to point to Server B as the next hop to Network A. (WARNING: This involves modifying systems beyond the NOWS-SBE servers and can break the network if performed incorrectly. You are on your own at this point.)
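The two configuration edits that most often decide whether the tunnel works are step 7 (comment out the push of the public route) and troubleshooting tip 4 (FW_DEV_INT must list the tun devices). The script below is an added example, not part of this TID: it automates that edit on a server.conf and checks the SuSEfirewall2 line. The networks and paths are the ones used above; the sample files written by make_sample_files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original TID): automate step 7 and check tip 4.
# The sample server.conf and SuSEfirewall2 fragments are constructed here.

# Escape the dots in a dotted-quad so it can be used inside a regex.
escape_dots() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Comment out every uncommented 'push "route PUBNET MASK"' line in CONF.
# Private-route pushes and dhcp-option lines are left untouched.
disable_public_route_push() {
    conf=$1
    pubnet=$(escape_dots "$2")
    sed -i "s/^\(push \"route ${pubnet} [^\"]*\"\)/#\1/" "$conf"
}

# Return 0 when CONF still pushes a route for PUBNET, 1 otherwise.
pushes_public_route() {
    grep -q "^push \"route $(escape_dots "$2") " "$1"
}

# Return 0 when the FW_DEV_INT line in FWCONF names tun0 through tun9.
fw_dev_int_has_tun() {
    devs=$(grep '^FW_DEV_INT=' "$1" | tail -n 1 | sed 's/^FW_DEV_INT=//' | tr -d '"')
    i=0
    while [ "$i" -le 9 ]; do
        case " $devs " in
            *" tun$i "*) ;;          # device present, keep checking
            *) return 1 ;;           # a tun device is missing
        esac
        i=$((i + 1))
    done
    return 0
}

# Write constructed sample files into DIR: the three push lines from step 7
# and the FW_DEV_INT line that troubleshooting tip 4 expects.
make_sample_files() {
    printf '%s\n' 'push "route 192.168.25.0 255.255.255.0"' \
        'push "route 151.155.226.0 255.255.254.0"' \
        'push "dhcp-option DNS 151.155.227.253"' > "$1/server.conf"
    printf '%s\n' 'FW_DEV_INT="eth1 tun0 tun1 tun2 tun3 tun4 tun5 tun6 tun7 tun8 tun9"' \
        > "$1/SuSEfirewall2"
}

# Demonstration against the constructed files (touches nothing under /etc).
demo=$(mktemp -d)
make_sample_files "$demo"
disable_public_route_push "$demo/server.conf" 151.155.226.0
pushes_public_route "$demo/server.conf" 151.155.226.0 || echo "public route push disabled"
fw_dev_int_has_tun "$demo/SuSEfirewall2" && echo "FW_DEV_INT covers tun0-tun9"
rm -r "$demo"
```

To apply it to a real server, point disable_public_route_push at /etc/openvpn/server.conf with that server's public network and then restart openvpn as in step 10.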

Troubleshooting tips:

1. To verify the validity of the certificates on the VPN, issue the following command:

openssl verify -CAfile ca.crt -purpose sslclient .crt

2. Step 7 above suggests commenting out the public push statements for the VPN. If this is not done and the VPN servers are on the same network segment, the servers will hang. Pushing the public route may also cause trouble communicating over the VPN tunnel.

3. Uninstalling the Firewall (IP Tables) component does not undo any firewall configuration changes that may have been made. Changes to the Firewall configuration can cause the Site-to-Site VPN to stop functioning, so make firewall changes with care.

4. To verify the firewall configuration:

  • In a text editor, open /etc/sysconfig/SuSEfirewall2
  • Find the line beginning with "FW_DEV_INT"
  • Verify that it looks like this:

FW_DEV_INT="eth1 tun0 tun1 tun2 tun3 tun4 tun5 tun6 tun7 tun8 tun9"


Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 3165776
  • Creation Date: 05-FEB-08
  • Modified Date: 27-APR-12
    • SUSE: SUSE Linux Enterprise Server
