OpenVPN Site-to-Site connectivity issue [on hold]

I've set up a site-to-site VPN using OpenVPN, but I cannot successfully ping between hosts that are on the different subnets which the VPN tunnel connects. Given the topology below, I cannot ping node D from node A and vice versa.

1. Topology: [image]
Host_Alice(A) and GW_Alice(B) are in the same subnet; Host_Bob(D) and GW_Bob(C) are in the same subnet; GW_Alice(B) and GW_Bob(C) are linked by an OpenVPN tunnel.

2. Goal: Provide connectivity between Host_Alice (A) and Host_Bob (D).

3. Connectivity table: I tried to ping each host from each other host and got this connectivity table: [image]

4. Problem details and tcpdump result: [image]
I pinged Host_Bob(D) from Host_Alice(A) and ran tcpdump on each host while the ping was going on. Here is what I observed:
(1) Host_Alice (A) tried to ping Host_Bob (D);
(2) The ICMP request packet arrived at Host_Bob(D);
(3) The ICMP response packet arrived at GW_Alice (B) with the correct dst IP address and MAC address of Host_Alice (A);
(4) But Host_Alice (A) cannot receive the ICMP response. It's just the final hop that doesn't go through.
On a separate test, I pinged GW_Alice(B) from Host_Alice(A), which was successful. The ICMP response from GW_Alice (B) arrives at Host_Alice (A) successfully (indicating there shouldn't be a routing issue between A and B).

5. Routing set up:
(1) Host A:
Destination network                Gateway
10.100.1.0/24 (the other subnet)   10.170.2.93 (GW_Alice(B))
(2) Host B:
Destination network                Interface
10.100.1.0/24 (the other subnet)   tun0 (VPN tunnel)
Host C and Host D have the symmetric routing set up.

6. OpenVPN configuration
(1) Server configuration server.conf (on GW_Bob(C)):
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.100.1.0 255.255.255.0"
client-config-dir /etc/openvpn/ccd
route 10.170.2.0 255.255.255.0
keepalive 10 120
tls-auth ta.key 0
key-direction 0
cipher AES-128-CBC
auth SHA256
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
(2) On GW_Bob(C): /etc/openvpn/ccd/client1
iroute 10.170.2.0 255.255.255.0
iroute 10.100.1.0 255.255.255.0
(3) Client configuration client.conf on GW_Alice(B):
client
dev tun
proto udp
remote B.B.B.B 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-128-CBC
auth SHA256
key-direction 1
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
comp-lzo
verb 3
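As an added example (not from the question or from OpenVPN itself), a small consistency checker for the three routing layers OpenVPN uses in a site-to-site setup: the server's `route` directive gets packets from the kernel into the tunnel, the ccd `iroute` tells the OpenVPN server which client owns a network, and `push "route ..."` tells clients which networks sit on the server side. Run over the posted server.conf and ccd/client1 (embedded below as constructed input), it flags the `iroute 10.100.1.0` line, which assigns the server-side LAN to client1 while the server also pushes it as its own; the checker cannot tell whether that is what breaks the last hop, only that the config is inconsistent.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed inputs: the routing-related lines of server.conf on GW_Bob(C)
# and the ccd/client1 file, as posted in the question.
SERVER_CONF = """
server 10.8.0.0 255.255.255.0
push "route 10.100.1.0 255.255.255.0"
client-config-dir /etc/openvpn/ccd
route 10.170.2.0 255.255.255.0
"""
CCD_FILES = {"client1": "iroute 10.170.2.0 255.255.255.0\n"
                        "iroute 10.100.1.0 255.255.255.0\n"}

Net = Tuple[str, str]  # (network, netmask) exactly as written in the config


def nets_for(text: str, directive: str) -> Set[Net]:
    """Collect the (network, netmask) pairs given to one OpenVPN directive."""
    pat = re.compile(r'^\s*' + re.escape(directive) +
                     r'\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)', re.M)
    return {(m.group(1), m.group(2)) for m in pat.finditer(text)}


def check_site_to_site(server_conf: str, ccd: Dict[str, str]) -> List[str]:
    """Cross-check 'route' (kernel -> tun), 'iroute' (tun -> owning client)
    and 'push route' (server-side networks announced to clients)."""
    kernel = nets_for(server_conf, "route")
    pushed = nets_for(server_conf, 'push "route')
    owner: Dict[Net, str] = {}
    for client, text in ccd.items():
        for net in nets_for(text, "iroute"):
            owner[net] = client
    findings = []
    for net in kernel - owner.keys():
        findings.append("route %s/%s has no iroute: server has no client "
                        "to forward it to" % net)
    for net, client in owner.items():
        if net not in kernel:
            findings.append("iroute %s/%s (%s) has no matching route: the "
                            "kernel never sends it into tun" % (net + (client,)))
        if net in pushed:
            findings.append("%s/%s is pushed as a server-side network but "
                            "also iroute'd to %s" % (net + (client,)))
    return sorted(findings)


if __name__ == "__main__":
    for line in check_site_to_site(SERVER_CONF, CCD_FILES):
        print(line)
```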
