The problem is as follows: the OpenVPN client on a MikroTik is configured according to the standard manual, with a certificate.
Interface:
Code:
0 R name="ovpn-ks" mac-address=02:F2:32:B8:4D:CD max-mtu=1500 connect-to=XXX.XXX.XXX.XXX port=1195 mode=ip user="none" password="none" profile=ovpn_ks certificate=cert_1 auth=sha1 cipher=blowfish128
add-default-route=no
OpenVPN server:
Code:
dev tun1
local XXX.XXX.XXX.XXX
port 1195
proto tcp
###dev-node MyTap
server 10.99.16.0 255.255.254.0
client-config-dir ccd
client-to-client
##tls-server
dh /usr/local/etc/openvpn/keys/dh2048.pem
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/server.crt
key /usr/local/etc/openvpn/keys/server.key
###crl-verify /usr/local/etc/openvpn/crl/crl.pem
##tls-auth /usr/local/etc/openvpn/ta.key 0
ifconfig-pool-persist /usr/local/etc/openvpn/ipp.txt
#comp-lzo
keepalive 10 120
tun-mtu 1500
mssfix 1450
persist-key
persist-tun
user openvpn
group openvpn
verb 3
management localhost 7778
log /var/log/openvpn/ks.log
status /var/log/openvpn/ks-status.log
The client is handed this /30 network:
Code:
ifconfig-push 10.99.16.6 10.99.16.5
On the MikroTik side, however, the network looks like this:
Code:
4 D 10.99.16.6/32 10.99.16.5 ovpn-ks
And, accordingly, the server end of the tunnel is unreachable. At the same time, from the server side the tunnel end on the MikroTik is reachable, but from the server's address, of course:
Code:
10:36:48.903576 IP 10.99.16.6.telnet > 10.99.16.1.58085: Flags [P.], seq 1283:1483, ack 5, win 1810, options [nop,nop,TS val 4058969 ecr 3000058423], length 200
10:36:49.003238 IP 10.99.16.1.58085 > 10.99.16.6.telnet: Flags [.], ack 1483, win 1037, options [nop,nop,TS val 3000059426 ecr 4058969], length 0
10:36:49.026754 IP 10.99.16.6 > 10.99.16.5: ICMP echo request, id 712, seq 12, length 36
10:36:49.026759 IP 10.99.16.6 > 10.99.16.5: ICMP echo request, id 712, seq 12, length 36
10:36:49.151051 IP 10.99.16.6.telnet > 10.99.16.1.58085: Flags [P.], seq 1483:1485, ack 5, win 1810, options [nop,nop,TS val 4058981 ecr 3000059426], length 2
10:36:49.250246 IP 10.99.16.1.58085 > 10.99.16.6.telnet: Flags [.], ack 1485, win 1037, options [nop,nop,TS val 3000059673 ecr 4058981], length 0
10:36:49.907511 IP 10.99.16.6.telnet > 10.99.16.1.58085: Flags [P.], seq 1485:1685, ack 5, win 1810, options [nop,nop,TS val 4059069 ecr 3000059673], length 200
10:36:50.007238 IP 10.99.16.1.58085 > 10.99.16.6.telnet: Flags [.], ack 1685, win 1037, options [nop,nop,TS val 3000060430 ecr 4059069], length 0
10:36:50.030815 IP 10.99.16.6 > 10.99.16.5: ICMP echo request, id 712, seq 13, length 36
10:36:50.030822 IP 10.99.16.6 > 10.99.16.5: ICMP echo request, id 712, seq 13, length 36
10:36:50.153779 IP 10.99.16.6.telnet > 10.99.16.1.58085: Flags [P.], seq 1685:1687, ack 5, win 1810, options [nop,nop,TS val 4059081 ecr 3000060430], length 2
10:36:50.253262 IP 10.99.16.1.58085 > 10.99.16.6.telnet: Flags [.], ack 1687, win 1037, options [nop,nop,TS val 3000060676 ecr 4059081], length 0
10:36:50.826484 IP 10.99.16.1.58085 > 10.99.16.6.telnet: Flags [P.], seq 5:6, ack 1687, win 1037, options [nop,nop,TS val 3000061249 ecr 4059081], length 1
10:36:50.851468 IP 10.99.16.6.telnet > 10.99.16.1.58085: Flags [P.], seq 1687:1754, ack 6, win 1810, options [nop,nop,TS val 4059163 ecr 3000061249], length 67
10:36:50.951241 IP 10.99.16.1.58085 > 10.99.16.6.telnet: Flags [.], ack 1754, win 1037, options [nop,nop,TS val 3000061374 ecr 4059163], length 0
10:36:50.974782 IP 10.99.16.6.telnet > 10.99.16.1.58085: Flags [P.], seq 1754:1800, ack 6, win 1810, options [nop,nop,TS val 4059176 ecr 3000061374], length 46
10:36:51.074238 IP 10.99.16.1.58085 > 10.99.16.6.telnet: Flags [.], ack 1800, win 1037, options [nop,nop,TS val 3000061497 ecr 4059176], length 0
10:36:51.878480 IP 10.99.16.6 > ospf-all.mcast.net: OSPFv2, Hello, length 44
10:37:01.881429 IP 10.99.16.6 > ospf-all.mcast.net: OSPFv2, Hello, length 44
10:37:11.873520 IP 10.99.16.6 > ospf-all.mcast.net: OSPFv2, Hello, length 44
10:37:21.876149 IP 10.99.16.6 > ospf-all.mcast.net: OSPFv2, Hello, length 44
Code:
10:38:38.492535 IP 10.99.16.1 > 10.99.16.6: ICMP echo request, id 6311, seq 0, length 64
10:38:38.516172 IP 10.99.16.6 > 10.99.16.1: ICMP echo reply, id 6311, seq 0, length 64
10:38:39.493246 IP 10.99.16.1 > 10.99.16.6: ICMP echo request, id 6311, seq 1, length 64
10:38:39.516739 IP 10.99.16.6 > 10.99.16.1: ICMP echo reply, id 6311, seq 1, length 64
10:38:40.494238 IP 10.99.16.1 > 10.99.16.6: ICMP echo request, id 6311, seq 2, length 64
10:38:40.517841 IP 10.99.16.6 > 10.99.16.1: ICMP echo reply, id 6311, seq 2, length 64
10:38:41.495235 IP 10.99.16.1 > 10.99.16.6: ICMP echo request, id 6311, seq 3, length 64
10:38:41.518872 IP 10.99.16.6 > 10.99.16.1: ICMP echo reply, id 6311, seq 3, length 64
Question: what am I doing wrong?