Thanks for the quick response, Nick. I'll try to digest this and give it a try.
Both sides are static.
To extend on this conversation we actually have three sites. I was thinking it would be best to have them all connected to each other (triad form). Do you agree? Why?
I can't get IPsec basic to work site-to-site with one site behind a NAT (COS is on a DMZ on this NAT).
The master (not NAT'd) has this in the log:
The NAT'd site log:
Config on the Main site:
Config on the NAT'd site:
I have ports 500 and 4500 open on each end.
Any help would be appreciated.
I am getting more and more pressure to relax our network security (authenticating proxy mostly) in order to have Macs, iPads and iPhones work more smoothly on the internal network (apparently proxy authentication does not play well with the Apple Store).
How does everyone else deal with this? Also, how do you deal with the single-user-only "feature" of iOS when it is used by several users?
I am looking for ideas on how to lock down our internal network. At the moment all our staff and parents connect their personal wireless (and sometimes wired) devices to our single internal network to browse the internet and stream media.
I was thinking if there was an application that would look at the hostnames on the Windows Domain and any static IPs that we have reserved in DHCP and place any "other" devices on a VLAN.
I'm sure this is "pie in the sky", but what do you do for network security?
Well that is not reassuring. We redesigned our whole network around LDAP replication over VPN.
I wish I would have had more than a week to test and implement.
What is driving this is the need for more than 254 IPs combined for all three sites.
Can I get WINS routing so I can use subnets at each site without LDAP replication?
I have a master at one site and two slaves at two other sites. I have configured them to sync over a VPN and over the internet. I have opened all the required ports.
The accounts and groups show up in the slaves but the certificates (and I do not know what else) do not.
The log is full of these errors:
AccountsFileSync: Error establishing connection: Connection refused
CertificateManagerFileSync: Error establishing connection: Connection refused
Does anyone know what to do?
I am stuck.
Nick, when you say copy the certificates are you referring to the VPN certificate from the command "openvpn --genkey --secret /etc/openvpn/static.key" or the system certificates the Certificate Manager creates? Where do I copy these from and to where?
Peter, I tried this two different ways:
1.) I created a temporary VPN tunnel with another system and connected the slave to the master via the internal master host name. Then I configured the COS OpenVPN.
2.) I opened the required sync ports to the internet and connected the slave to the master via the external master host name. Then I closed the ports and added a DNS record on the slave to point the external master host name to the internal address.
In both cases I got OpenVPN working but had to install and configure it manually. The COS OpenVPN install required the Certificate Manager to get set up, and this is what prompted this thread.
System 1.) has a good VPN connection, but I am having connectivity problems with the master server. This may be an issue with how I have Windows Network set up.
System 2.) seems to be working OK.
The Master is directly on the internet, but both the slaves are behind NATs and are in the DMZ.
I installed a second server at another site and set it up in slave mode. I then installed the Certificate Manager on it and it forever sits at "The system is waiting for a connection to the master node.". The users and groups synced immediately.
My goal was to connect the two sites via OpenVPN. But OpenVPN will not start on the slave if I can't get the certificates configured on the slave.
Has anyone been successful with OpenVPN site-to-site connection and slave mode?