100% sure, the 2 boxes are the gateways of the two LANs.

If from a client in the LAN I do:
 # ping 192.168.8.10 (a client in the other network)

I see the packets on the LAN interface of the pfSense, but the packets
are not routed into the VPN tunnel.

If I do:

tcpdump  -i em1 (LAN of pfSense)

I see the packets.

If I do:

tcpdump -i ovpnc2

I don't see anything.

Thanks for your help.

2012/12/20 WolfSec-Support <supp...@wolfsec.ch>:
> again:
> make 100% sure gateway information  is correct on clients
>
> and:
> check arp cache if client is seen after your try/ping
>
> so we can make sure the problem is only in your box(es)
>
> rgds
> stephan
>
>
>
> 2012/12/20 Cristian Del Carlo <cristian.delca...@gmail.com>
>>
>> Another piece of information.
>>
>> If from a client in the LAN I do:
>> # ping 192.168.8.10 (a client in the other network)
>>
>> And in pfsense (client openvpn):
>> tcpdump -i ovpnc2
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on ovpnc2, link-type NULL (BSD loopback), capture size 96 bytes
>> 0 packets captured
>> 0 packets received by filter
>> 0 packets dropped by kernel
>>
>> I can't see any packets. It is as if the packets are not routed through the
>> tunnel.
>> But I don't know why or how to fix the problem.
>>
>> If i use the command:
>> tcpdump -i pflog0 icmp
>> tcpdump: WARNING: pflog0: no IPv4 address assigned
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
>> 0 packets captured
>>
>> I can't see any packets blocked by the firewall.
>>
>> Thanks for your help.
>>
>> 2012/12/20 Cristian Del Carlo <cristian.delca...@gmail.com>:
>> > Hi, I tried this configuration but I have the same problem; I am very
>> > confused.
>> >
>> > This is my network:
>> >
>> > lan1 192.168.9.0  <---> pfsense1 (client openvpn) <--> pfsense2 (server openvpn) <--> lan 2 192.168.8.0
>> >
>> > These are now my configuration files, with certificates:
>> >
>> > Pfsense server:
>> >
>> > /var/etc/openvpn/server1.conf
>> >
>> > dev ovpns1
>> > dev-type tun
>> > dev-node /dev/tun1
>> > writepid /var/run/openvpn_server1.pid
>> > #user nobody
>> > #group nobody
>> > script-security 3
>> > daemon
>> > keepalive 10 60
>> > ping-timer-rem
>> > persist-tun
>> > persist-key
>> > proto udp
>> > cipher AES-128-CBC
>> > up /usr/local/sbin/ovpn-linkup
>> > down /usr/local/sbin/ovpn-linkdown
>> > local X.X.X.X
>> > tls-server
>> > ifconfig 10.0.8.1 10.0.8.2
>> > tls-verify /var/etc/openvpn/server1.tls-verify.php
>> > lport 1195
>> > management /var/etc/openvpn/server1.sock unix
>> > ca /var/etc/openvpn/server1.ca
>> > cert /var/etc/openvpn/server1.cert
>> > key /var/etc/openvpn/server1.key
>> > dh /etc/dh-parameters.1024
>> > comp-lzo
>> > route 192.168.9.0 255.255.255.0
>> > push "route 192.168.8.0 255.255.255.0"
>> >
>> > /var/etc/openvpn-csc/fw-target
>> >
>> > iroute 192.168.9.0 255.255.255.0
>> >
>> > Pfsense client:
>> >
>> > /var/etc/openvpn/client2.conf
>> >
>> > dev ovpnc2
>> > dev-type tun
>> > dev-node /dev/tun2
>> > writepid /var/run/openvpn_client2.pid
>> > #user nobody
>> > #group nobody
>> > script-security 3
>> > daemon
>> > keepalive 10 60
>> > ping-timer-rem
>> > persist-tun
>> > persist-key
>> > proto udp
>> > cipher AES-128-CBC
>> > up /usr/local/sbin/ovpn-linkup
>> > down /usr/local/sbin/ovpn-linkdown
>> > local X.X:X.X
>> > tls-client
>> > client
>> > lport 0
>> > management /var/etc/openvpn/client2.sock unix
>> > remote X.X.X.X 1195
>> > ifconfig 10.0.8.2 10.0.8.1
>> > route 192.168.8.0 255.255.255.0
>> > ca /var/etc/openvpn/client2.ca
>> > cert /var/etc/openvpn/client2.cert
>> > key /var/etc/openvpn/client2.key
>> > comp-lzo
>> >
>> > Thanks for your help.
>> >
>> >
>> > 2012/12/19 bruno.deb...@cyberoso.com <bruno.deb...@cyberoso.com>:
>> >> Ok, then no firewall rules forcing gateway, so let's try something
>> >> else.
>> >>
>> >> Did you configure iroute ?
>> >> http://openvpn.net/index.php/open-source/documentation/howto.html#scope
>> >> Read : Including multiple machines on the client side when using a
>> >> routed VPN
>> >>
>> >> It might work :-p
>> >>
>> >>
>> >> On Wed, 19 Dec 2012 15:19:25 +0100,
>> >> Cristian Del Carlo <cristian.delca...@gmail.com> wrote:
>> >>
>> >>> Hi,
>> >>>
>> >>> Thanks for your help.
>> >>>
>> >>> Even on LAN I have:
>> >>> My firewall rules in both pfSense are:
>> >>> Action: Pass
>> >>> Interface: LAN
>> >>> Protocol: Any
>> >>> Source: Any
>> >>> Destination: Any
>> >>>
>> >>> If I ping the tunnel from a client it seems OK:
>> >>>
>> >>> ping 10.0.8.1 --> Ok
>> >>> ping 10.8.8.2 --> OK
>> >>> ping 192.168.8.X --> 100% packet loss
>> >>>
>> >>> Thanks.
>> >>>
>> >>> 2012/12/19 WolfSec-Support <supp...@wolfsec.ch>:
>> >>> > maybe there are some fw rules there on the LAN interface with similar
>> >>> > IPs/networks?
>> >>> > some used this under 1.2.x and after upgrading to 2.x this caused
>> >>> > issues.
>> >>> >
>> >>> > onto routing:
>> >>> >
>> >>> > looks good
>> >>> >
>> >>> > here a similar setup of mine / 1 side:
>> >>> >
>> >>> > 192.168.253.13     link#13     UH     0     0     1500     ovpnc1
>> >>> > 192.168.253.14     link#13     UHS     0     0     16384     lo0
>> >>> > 192.168.0.0/16     192.168.253.13     UGS     0     4151616     1500     ovpnc1
>> >>> > 192.168.242.0/24     link#1     U     0     1191195015     1500     vr0
>> >>> >
>> >>> > rgds
>> >>> > stephan
>> >>> >
>> >>> >
>> >>> >
>> >>> >
>> >>> > 2012/12/19 Cristian Del Carlo <cristian.delca...@gmail.com>
>> >>> >>
>> >>> >> Hi,
>> >>> >>
>> >>> >> thanks for your help.
>> >>> >>
>> >>> >> My firewall rules in both pfSense are:
>> >>> >> Action: Pass
>> >>> >> Interface: OpenVPN
>> >>> >> Protocol: Any
>> >>> >> Source: Any
>> >>> >> Destination: Any
>> >>> >>
>> >>> >> These are my routing tables from the firewalls (without public IP):
>> >>> >>
>> >>> >> pfsense 1 - client:
>> >>> >> 10.0.8.1           link#10            UH          0       15 ovpnc2
>> >>> >> 10.0.8.2           link#10            UHS         0        0    lo0
>> >>> >> 192.168.8.0/24     10.0.8.1           UGS         0       45 ovpnc2
>> >>> >> 192.168.9.0/24     link#2             U           0 37598040    em1
>> >>> >>
>> >>> >> pfsense 2 - server:
>> >>> >> 10.0.8.1           link#9             UHS         0        0    lo0
>> >>> >> 10.0.8.2           link#9             UH          0       72 ovpns1
>> >>> >> 192.168.8.0/24     link#2             U           0   229122    em1
>> >>> >> 192.168.8.1        link#2             UHS         0        0    lo0
>> >>> >> 192.168.9.0/24     10.0.8.2           UGS         0        1 ovpns1
>> >>> >>
>> >>> >> Could be a routing problem?
>> >>> >>
>> >>> >>
>> >>> >> 2012/12/19 WolfSec-Support <supp...@wolfsec.ch>:
>> >>> >> > Hi,
>> >>> >> >
>> >>> >> > do you have special rules in VPN tunnel ?
>> >>> >> > make sure to open OpenVPN ruleset as necessary
>> >>> >> >
>> >>> >> > this is "new" in 2.x; 1.2.x. had no rules in OpenVPN tunnels
>> >>> >> >
>> >>> >> > but per default normally tunnel is open any<>any
>> >>> >> >
>> >>> >> > br
>> >>> >> > stephan
>> >>> >> >
>> >>> >> >
>> >>> >> > _______________________________________________
>> >>> >> > List mailing list
>> >>> >> > List@lists.pfsense.org
>> >>> >> > http://lists.pfsense.org/mailman/listinfo/list
>> >>> >> >
>> >>> >>
>> >>> >>
>> >>> >>
>> >>> >> --
>> >>> >> --------------------------------------------------------
>> >>> >>
>> >>> >> Cristian Del Carlo
>> >>> >>
>> >>> >> The text and any documents transmitted contain information
>> >>> >> reserved for the indicated recipient. This e-mail is
>> >>> >> confidential and its confidentiality is legally protected by
>> >>> >> Legislative Decree 196 of 30/06/2003 (Privacy Protection Code).
>> >>> >> Reading, copying or other unauthorized use, or any other action
>> >>> >> deriving from knowledge of this information, is strictly
>> >>> >> prohibited. If you have received this document in error, you are
>> >>> >> kindly asked to notify the sender immediately and to destroy it
>> >>> >> immediately.
>> >>> >>
>> >>> >> --------------------------------------------------------
>> >>> >
>> >>> >
>> >>> >
>> >>> >
>> >>> > --
>> >>> >
>> >>> > Stephan Wolf
>> >>> >
>> >>> > WolfSec
>> >>> > Rairing 65
>> >>> > CH-8108 Dällikon
>> >>> >
>> >>> > +41 43 536 1191
>> >>> > +41 76 566 8222
>> >>> > http://www.wolfsec.ch
>> >>> >
>> >>>
>> >>>
>> >>>
>> >
>> >
>> >
>> > --
>> > --------------------------------------------------------
>> >
>> > Cristian Del Carlo
>> >
>> > --------------------------------------------------------
>>
>>
>>
>> --
>> --------------------------------------------------------
>>
>> Cristian Del Carlo
>>
>> --------------------------------------------------------
>
>
>
>
> --
>
> Stephan Wolf
>



-- 
--------------------------------------------------------

Cristian Del Carlo

--------------------------------------------------------
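
A consistency check over the two configuration files quoted in this thread, as an added example that is not part of the original messages or of pfSense itself: it parses the directives and reports mismatches between the two ends of the tunnel, including an `iroute` file that no `client-config-dir` directive loads. The function names are hypothetical, and the config text is abridged from the files above with the public IPs left redacted.

```python
import ipaddress

# Abridged from the two config files quoted in the thread; public IPs stay redacted.
SERVER_CONF = """proto udp
cipher AES-128-CBC
ifconfig 10.0.8.1 10.0.8.2
lport 1195
comp-lzo
route 192.168.9.0 255.255.255.0
"""
CLIENT_CONF = """proto udp
cipher AES-128-CBC
remote X.X.X.X 1195
ifconfig 10.0.8.2 10.0.8.1
route 192.168.8.0 255.255.255.0
comp-lzo
"""
CCD_FILE = "iroute 192.168.9.0 255.255.255.0\n"  # /var/etc/openvpn-csc/fw-target

def parse(text):
    """Map each directive to a list of argument lists, skipping '#' lines."""
    conf = {}
    for line in text.splitlines():
        words = line.split()
        if words and not words[0].startswith("#"):
            conf.setdefault(words[0], []).append(words[1:])
    return conf

def nets(conf, key):
    return {ipaddress.ip_network("/".join(a[:2])) for a in conf.get(key, [])}

def check_pair(server, client, ccd, server_lan, client_lan):
    """Findings for a site-to-site pair (hypothetical helper, not an OpenVPN tool)."""
    s, c, d, out = parse(server), parse(client), parse(ccd), []
    for key in ("proto", "cipher", "comp-lzo"):
        if s.get(key) != c.get(key):
            out.append(f"{key} differs between the two ends")
    if s["ifconfig"][0] != c["ifconfig"][0][::-1]:
        out.append("ifconfig endpoints are not mirrored")
    if s["lport"][0][0] != c["remote"][0][1]:
        out.append("client remote port does not match server lport")
    if ipaddress.ip_network(client_lan) not in nets(s, "route"):
        out.append("server has no route to the client LAN")
    if ipaddress.ip_network(server_lan) not in nets(c, "route"):
        out.append("client has no route to the server LAN")
    # iroute is only read from a client-config-dir file or a client-connect script.
    if nets(d, "iroute") and not s.keys() & {"client-config-dir", "client-connect"}:
        out.append("iroute file is never loaded: no client-config-dir in server config")
    return out
```

Called as `check_pair(SERVER_CONF, CLIENT_CONF, CCD_FILE, "192.168.8.0/24", "192.168.9.0/24")`, it reports only the `iroute` file that nothing loads; the `route` lines, `ifconfig` endpoints, port, cipher and compression settings on both sides agree.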