
Topic: Clients getting same IP even with Duplicate Connections checked


Offline TLP

Hello, my clients are getting the same IP from the same certificate, but I enabled Duplicate Connections on the server config.

Is there anything else to do???

Offline GruensFroeschli

  • Green Frog
  • Global Moderator
« Reply #1 on: May 07, 2012, 08:40:41 am »
You have to disable the "Duplicate Connections" checkbox.
Otherwise you get the behaviour you're observing.

Also: Don't assign multiple clients the same certificate.
Every client has to have his own key/certificate pair.
We do what we must, because we can.
(Except when you PM me to help you directly - DONT: keep your issues in the forum)

Offline TLP

« Reply #2 on: May 07, 2012, 08:44:02 am »
It says

"Allow multiple concurrent connections from clients using the same Common Name."
and that is what I need

I need to generate a certificate for each branch, and every branch has 2 or 3 computers

So I created a certificate and a Client Specific Override for each cert, setting the IP to 192.168.xxx.0/24,
but they all get the IP 192.168.xxx.2

Offline TLP

« Reply #3 on: May 07, 2012, 08:51:37 am »
Also, the clients are getting mask 255.255.255.252
and I configured /24

I am doomed

Offline cmb

  • Administrator
    • Chris Buechler
« Reply #4 on: May 07, 2012, 09:48:20 am »
The clients always get a /30 mask, the /24 just defines the range. If you are allowing concurrent connections (you need that checked), and clients are getting the same IP, then I suspect you have a client specific override that assigns a static IP which you can't have in such scenarios.

Offline TLP

« Reply #5 on: May 07, 2012, 10:01:45 am »
I have a custom for every certificate, so each branch gets a unique IP range.

So for Branch 1 I created an override with Tunnel Network = 192.168.101.0/24
Branch 2 Tunnel Network = 192.168.102.0/24

This can't be done???

Offline cmb

« Reply #6 on: May 07, 2012, 10:08:15 am »
You can't and don't want to do that. Only the iroute goes in the override in that case.

Offline TLP

« Reply #7 on: May 07, 2012, 10:15:41 am »
Why don't I wanna do this??

All the hosts are trusted managed computers, there is no workaround to this??

Offline cmb

« Reply #8 on: May 07, 2012, 03:24:20 pm »
Every client on a single OpenVPN server must have an address within the server's tunnel network. One server isn't able to use multiple subnets there. If you're trying to route that network to that branch, then you need an iroute.

Offline TLP

« Reply #9 on: May 10, 2012, 01:39:45 pm »
In the previous post you said "You [...] don't want to do that"

I did some research and found this can be done with tap, but tap generates a lot of overhead. This isn't a real problem to me, can I do what I described before with tap???

I also found "topology subnet", is this possible??

Offline cmb

« Reply #10 on: May 10, 2012, 09:33:31 pm »
You don't want tap either, that's only very, very rarely desirable, and pretty much never for site to site.

Take out the hard coded tunnel network, add iroute as needed, and you're set.
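
A lint check for the advice in this thread, added here as an example (not code from pfSense or from any poster): it reads raw OpenVPN directives and flags overrides that pin an address while `duplicate-cn` is on, pin one outside the server's tunnel network, or carry an `iroute` with no matching server `route`. It assumes the override's Tunnel Network field is emitted as `ifconfig-push`; the 10.0.8.0/24 tunnel network, the CN names and the function names are constructed.

```python
import ipaddress

def parse(text):
    """Return (directive, args) pairs from OpenVPN-style config text."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if line:
            word, *args = line.split()
            out.append((word, args))
    return out

def net(addr, mask="255.255.255.255"):
    # OpenVPN treats a missing netmask on route/iroute as a host route.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def lint(server_text, overrides):
    """overrides maps a certificate Common Name to its override text."""
    server = parse(server_text)
    tunnel = next(net(*a[:2]) for d, a in server if d == "server")
    dup_cn = any(d == "duplicate-cn" for d, _ in server)
    routes = [net(*a[:2]) for d, a in server if d == "route"]
    findings = []
    for cn, text in overrides.items():
        for d, a in parse(text):
            if d == "ifconfig-push":
                if dup_cn:   # every client sharing this CN is handed this address
                    findings.append((cn, "static address with duplicate-cn"))
                if ipaddress.ip_address(a[0]) not in tunnel:
                    findings.append((cn, "address outside tunnel network"))
            elif d == "iroute" and not any(
                    net(*a[:2]).subnet_of(r) for r in routes):
                findings.append((cn, "iroute without server route"))
    return findings

# Constructed sample input: one server, overrides before and after the fix.
SERVER = """
server 10.0.8.0 255.255.255.0      # constructed tunnel network
duplicate-cn
route 192.168.101.0 255.255.255.0
"""
BEFORE = {"branch1": "ifconfig-push 192.168.101.2 192.168.101.1"}
AFTER = {"branch1": "iroute 192.168.101.0 255.255.255.0",
         "branch2": "iroute 192.168.102.0 255.255.255.0"}

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, lint(SERVER, cfg))
```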