SSL VPN full tunnelling fails to connect when installed on VMware

  • 7003457
  • 05-Jun-2009
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Support Pack 1 SSLVPN Server
Full tunneling mode enabled
OpenVPN client setup on a workstation with VMware installed
OpenVPN server running on a VMware guest OS

Situation

An ESP-enabled SSL VPN server is installed on a VMware SLES 10 guest machine. This guest also hosts the Admin Console and Identity Server components.

In parallel, a workstation setup exists that has physical network connectivity to the Internet, while the entire Access Manager setup sits on a host-only network behind a VMware interface.

When full tunneling is enabled for the SSL VPN server, the exception host route that is added at the client (to allow keepalive packets to reach Tomcat) directs the keepalive packets to the workstation's default route, i.e. towards the Internet.

As a result, keepalive packets do not reach the gateway. Furthermore, the OpenVPN connection itself does not reach the gateway, because it is also directed to the Internet rather than to the local VMware host-only network.

Resolution

Add a virtual address to the SSL VPN gateway, e.g. if its primary address is 200.200.200.140, add 200.200.200.141. Disconnect the physical network so there is no default gateway to the Internet. Then manually add a default route, e.g. "route add 0.0.0.0 mask 0.0.0.0 200.200.200.141 metric 5".

Now when the extra route is added to allow keepalives to propagate, traffic destined for 200.200.200.140 (i.e. keepalive and OpenVPN traffic) is sent via the virtual address on the gateway (.141).
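The routing behaviour described above, modelled as an added example that is not part of the original article: a minimal longest-prefix-match lookup over a constructed workstation routing table, showing why the /32 exception host route inherits the Internet default gateway before the fix and the .141 virtual address after it. The 192.168.1.1 Internet gateway, the eth0/vmnet1 interface names and the metrics are assumed values; only the 200.200.200.140/.141 addresses and the metric 5 default route come from the article.

```python
import ipaddress
from dataclasses import dataclass

SSLVPN_GW = "200.200.200.140"   # primary address of the SSL VPN gateway (from the article)
VIRTUAL_IP = "200.200.200.141"  # virtual address added to the gateway (from the article)

@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str   # next hop; "0.0.0.0" means on-link
    iface: str
    metric: int

def lookup(table, dst):
    """Longest-prefix match; lowest metric breaks ties (what the workstation's IP stack does)."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in table if ip in r.prefix]
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.metric)) if matches else None

def add_exception_route(table):
    """Simplified model of the full-tunnel client step: a /32 host route to the SSL VPN
    gateway is installed via whichever default gateway is current when the tunnel comes up."""
    default = min((r for r in table if r.prefix.prefixlen == 0), key=lambda r: r.metric)
    table.append(Route(ipaddress.ip_network(SSLVPN_GW + "/32"),
                       default.gateway, default.iface, default.metric))

def path_to_gateway(table):
    """Return (next_hop, interface) chosen for keepalive/OpenVPN traffic to the gateway."""
    add_exception_route(table)
    r = lookup(table, SSLVPN_GW)
    return (r.gateway, r.iface)

def before_fix():
    # Constructed table: physical NIC connected, Internet gateway 192.168.1.1 (assumed) is default.
    return [
        Route(ipaddress.ip_network("200.200.200.0/24"), "0.0.0.0", "vmnet1", 20),  # host-only
        Route(ipaddress.ip_network("192.168.1.0/24"), "0.0.0.0", "eth0", 20),      # physical
        Route(ipaddress.ip_network("0.0.0.0/0"), "192.168.1.1", "eth0", 10),
    ]

def after_fix():
    # Physical NIC disconnected; "route add 0.0.0.0 mask 0.0.0.0 200.200.200.141 metric 5" applied.
    return [
        Route(ipaddress.ip_network("200.200.200.0/24"), "0.0.0.0", "vmnet1", 20),
        Route(ipaddress.ip_network("0.0.0.0/0"), VIRTUAL_IP, "vmnet1", 5),
    ]

if __name__ == "__main__":
    print("before:", path_to_gateway(before_fix()))  # ('192.168.1.1', 'eth0') -> sent to the Internet
    print("after: ", path_to_gateway(after_fix()))   # ('200.200.200.141', 'vmnet1') -> stays on host-only net
```

Without the exception route the on-link /24 would already carry traffic to .140 out of vmnet1; it is the longer /32 route, inheriting the Internet next hop, that breaks the tunnel.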