In LAN and OpenVPN I have only one rule that passes everything.

This problem makes me crazy....

2012/12/20 WolfSec-Support <supp...@wolfsec.ch>:
> can you open also all traffic lan > internet / remove other blocking rules,
> and try again
>
> routing table was fine on your post.
>
> brgds
>
> stephan
>
>
> 2012/12/20 Cristian Del Carlo <cristian.delca...@gmail.com>
>>
>> 100% sure, the 2 boxes are the gateway of the two lans.
>>
>> If from a client in LAN I do:
>>  # ping 192.168.8.10 ( a client in the other network)
>>
>> I see the packets in the interface LAN of the pfsense but the packets
>> are not routed in the tunnel vpn.
>>
>> If I do:
>>
>> tcpdump  -i em1 (lan of pfsense)
>>
>> I see the packets.
>>
>> If I do:
>>
>> tcpdump -i ovpnc2
>>
>> I don't see anything.
>>
>> Thanks for your help.
>>
>> 2012/12/20 WolfSec-Support <supp...@wolfsec.ch>:
>> > again:
>> > make 100% sure gateway information  is correct on clients
>> >
>> > and:
>> > check arp cache if client is seen after your try/ping
>> >
>> > so we can make sure the problem is only in your box(es)
>> >
>> > rgds
>> > stephan
>> >
>> >
>> >
>> > 2012/12/20 Cristian Del Carlo <cristian.delca...@gmail.com>
>> >>
>> >> One more piece of information.
>> >>
>> >> If from a client in LAN I do:
>> >> # ping 192.168.8.10 ( a client in the other network)
>> >>
>> >> And in pfsense (client openvpn):
>> >> tcpdump -i ovpnc2
>> >> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> >> listening on ovpnc2, link-type NULL (BSD loopback), capture size 96 bytes
>> >> 0 packets captured
>> >> 0 packets received by filter
>> >> 0 packets dropped by kernel
>> >>
>> >> I can't see any packets. It is like the packets are not routed under the
>> >> tunnel.
>> >> But I don't know why or how to fix the problem.
>> >>
>> >> If I use the command:
>> >> tcpdump -i pflog0 icmp
>> >> tcpdump: WARNING: pflog0: no IPv4 address assigned
>> >> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> >> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
>> >> 0 packets captured
>> >>
>> >> I can't see any packets blocked by the firewall.
>> >>
>> >> Thanks for your help.
>> >>
>> >> 2012/12/20 Cristian Del Carlo <cristian.delca...@gmail.com>:
>> >> > Hi, I tried this configuration but I have the same problem. I am very
>> >> > confused.
>> >> >
>> >> > This is my network:
>> >> >
>> >> > lan1 192.168.9.0  <---> pfsense1 (client openvpn) <--> pfsense2 (server openvpn) <--> lan 2 192.168.8.0
>> >> >
>> >> > These are now my configuration files, with certificates:
>> >> >
>> >> > Pfsense server:
>> >> >
>> >> > /var/etc/openvpn/server1.conf
>> >> >
>> >> > dev ovpns1
>> >> > dev-type tun
>> >> > dev-node /dev/tun1
>> >> > writepid /var/run/openvpn_server1.pid
>> >> > #user nobody
>> >> > #group nobody
>> >> > script-security 3
>> >> > daemon
>> >> > keepalive 10 60
>> >> > ping-timer-rem
>> >> > persist-tun
>> >> > persist-key
>> >> > proto udp
>> >> > cipher AES-128-CBC
>> >> > up /usr/local/sbin/ovpn-linkup
>> >> > down /usr/local/sbin/ovpn-linkdown
>> >> > local X.X.X.X
>> >> > tls-server
>> >> > ifconfig 10.0.8.1 10.0.8.2
>> >> > tls-verify /var/etc/openvpn/server1.tls-verify.php
>> >> > lport 1195
>> >> > management /var/etc/openvpn/server1.sock unix
>> >> > ca /var/etc/openvpn/server1.ca
>> >> > cert /var/etc/openvpn/server1.cert
>> >> > key /var/etc/openvpn/server1.key
>> >> > dh /etc/dh-parameters.1024
>> >> > comp-lzo
>> >> > route 192.168.9.0 255.255.255.0
>> >> > push "route 192.168.8.0 255.255.255.0"
>> >> >
>> >> > /var/etc/openvpn-csc/fw-target
>> >> >
>> >> > iroute 192.168.9.0 255.255.255.0
>> >> >
>> >> > Pfsense client:
>> >> >
>> >> > /var/etc/openvpn/client2.conf
>> >> >
>> >> > dev ovpnc2
>> >> > dev-type tun
>> >> > dev-node /dev/tun2
>> >> > writepid /var/run/openvpn_client2.pid
>> >> > #user nobody
>> >> > #group nobody
>> >> > script-security 3
>> >> > daemon
>> >> > keepalive 10 60
>> >> > ping-timer-rem
>> >> > persist-tun
>> >> > persist-key
>> >> > proto udp
>> >> > cipher AES-128-CBC
>> >> > up /usr/local/sbin/ovpn-linkup
>> >> > down /usr/local/sbin/ovpn-linkdown
>> >> > local X.X.X.X
>> >> > tls-client
>> >> > client
>> >> > lport 0
>> >> > management /var/etc/openvpn/client2.sock unix
>> >> > remote X.X.X.X 1195
>> >> > ifconfig 10.0.8.2 10.0.8.1
>> >> > route 192.168.8.0 255.255.255.0
>> >> > ca /var/etc/openvpn/client2.ca
>> >> > cert /var/etc/openvpn/client2.cert
>> >> > key /var/etc/openvpn/client2.key
>> >> > comp-lzo
>> >> >
>> >> > Thanks for your help.
>> >> >
>> >> >
>> >> > 2012/12/19 bruno.deb...@cyberoso.com <bruno.deb...@cyberoso.com>:
>> >> >> Ok, then no firewall rules forcing gateway, so let's try something
>> >> >> else.
>> >> >>
>> >> >> Did you configure iroute ?
>> >> >>
>> >> >> http://openvpn.net/index.php/open-source/documentation/howto.html#scope
>> >> >> Read : Including multiple machines on the client side when using a
>> >> >> routed VPN
>> >> >>
>> >> >> It might work :-p
>> >> >>
>> >> >>
>> >> >> On Wed, 19 Dec 2012 15:19:25 +0100,
>> >> >> Cristian Del Carlo <cristian.delca...@gmail.com> wrote:
>> >> >>
>> >> >>> Hi,
>> >> >>>
>> >> >>> Thanks for your help.
>> >> >>>
>> >> >>> Even in LAN I have:
>> >> >>> My firewall rules are in both pfsense:
>> >> >>> Action: Pass
>> >> >>> Interface : LAN
>> >> >>> Protocol: Any
>> >> >>> Source: Any
>> >> >>> Destination: Any
>> >> >>>
>> >> >>> If I ping the tunnel from a client it seems OK:
>> >> >>>
>> >> >>> ping 10.0.8.1 --> Ok
>> >> >>> ping 10.8.8.2 --> OK
>> >> >>> ping 192.168.8.X --> 100% packet loss
>> >> >>>
>> >> >>> Thanks.
>> >> >>>
>> >> >>> 2012/12/19 WolfSec-Support <supp...@wolfsec.ch>:
>> >> >>> > maybe there are any fw rules there in LAN interface with similar
>> >> >>> > IP's/networks ?
>> >> >>> > some used this under 1.2.x and after upgrading to 2.x this caused
>> >> >>> > issues.
>> >> >>> >
>> >> >>> > onto routing:
>> >> >>> >
>> >> >>> > looks good
>> >> >>> >
>> >> >>> > here a similar setup of mine / 1 side:
>> >> >>> >
>> >> >>> > 192.168.253.13     link#13     UH     0     0     1500     ovpnc1
>> >> >>> > 192.168.253.14     link#13     UHS     0     0     16384     lo0
>> >> >>> > 192.168.0.0/16     192.168.253.13     UGS     0     4151616     1500     ovpnc1
>> >> >>> > 192.168.242.0/24     link#1     U     0     1191195015     1500     vr0
>> >> >>> >
>> >> >>> > rgds
>> >> >>> > stephan
>> >> >>> >
>> >> >>> >
>> >> >>> >
>> >> >>> >
>> >> >>> > 2012/12/19 Cristian Del Carlo <cristian.delca...@gmail.com>
>> >> >>> >>
>> >> >>> >> Hi,
>> >> >>> >>
>> >> >>> >> thanks for your help.
>> >> >>> >>
>> >> >>> >> My firewall rules are in both pfsense:
>> >> >>> >> Action: Pass
>> >> >>> >> Interface : Openvpn
>> >> >>> >> Protocol: Any
>> >> >>> >> Source: Any
>> >> >>> >> Destination: Any
>> >> >>> >>
>> >> >>> >> This is my routing from the firewall ( without public ip ):
>> >> >>> >>
>> >> >>> >> pfsense 1 - client:
>> >> >>> >> 10.0.8.1           link#10            UH          0       15 ovpnc2
>> >> >>> >> 10.0.8.2           link#10            UHS         0        0 lo0
>> >> >>> >> 192.168.8.0/24     10.0.8.1           UGS         0       45 ovpnc2
>> >> >>> >> 192.168.9.0/24     link#2             U           0 37598040 em1
>> >> >>> >>
>> >> >>> >> pfsense 2 - server:
>> >> >>> >> 10.0.8.1           link#9             UHS         0        0 lo0
>> >> >>> >> 10.0.8.2           link#9             UH          0       72 ovpns1
>> >> >>> >> 192.168.8.0/24     link#2             U           0   229122 em1
>> >> >>> >> 192.168.8.1        link#2             UHS         0        0 lo0
>> >> >>> >> 192.168.9.0/24     10.0.8.2           UGS         0        1 ovpns1
>> >> >>> >>
>> >> >>> >> Could be a routing problem?
>> >> >>> >>
>> >> >>> >>
>> >> >>> >> 2012/12/19 WolfSec-Support <supp...@wolfsec.ch>:
>> >> >>> >> > Hi,
>> >> >>> >> >
>> >> >>> >> > do you have special rules in VPN tunnel ?
>> >> >>> >> > make sure to open OpenVPN ruleset as necessary
>> >> >>> >> >
>> >> >>> >> > this is "new" in 2.x; 1.2.x. had no rules in OpenVPN tunnels
>> >> >>> >> >
>> >> >>> >> > but per default normally tunnel is open any<>any
>> >> >>> >> >
>> >> >>> >> > br
>> >> >>> >> > stephan
>> >> >>> >> >
>> >> >>> >> >
>> >> >>> >> > _______________________________________________
>> >> >>> >> > List mailing list
>> >> >>> >> > List@lists.pfsense.org
>> >> >>> >> > http://lists.pfsense.org/mailman/listinfo/list
>> >> >>> >> >
>> >> >>> >>
>> >> >>> >>
>> >> >>> >>
>> >> >>> >> --
>> >> >>> >> --------------------------------------------------------
>> >> >>> >>
>> >> >>> >> Cristian Del Carlo
>> >> >>> >>
>> >> >>> >> The text and any documents transmitted contain information
>> >> >>> >> reserved for the indicated recipient. This e-mail is
>> >> >>> >> confidential and its confidentiality is legally protected by
>> >> >>> >> Legislative Decree 196 of 30/06/2003 (Privacy Protection
>> >> >>> >> Code). Reading, copying or other unauthorized use, or any
>> >> >>> >> other action arising from knowledge of this information, is
>> >> >>> >> strictly prohibited. If you have received this document in
>> >> >>> >> error, you are kindly requested to notify the sender
>> >> >>> >> immediately and to destroy it immediately.
>> >> >>> >>
>> >> >>> >> --------------------------------------------------------
>> >> >>> >
>> >> >>> >
>> >> >>> >
>> >> >>> >
>> >> >>> > --
>> >> >>> >
>> >> >>> > Stephan Wolf
>> >> >>> >
>> >> >>> > WolfSec
>> >> >>> > Rairing 65
>> >> >>> > CH-8108 Dällikon
>> >> >>> >
>> >> >>> > +41 43 536 1191
>> >> >>> > +41 76 566 8222
>> >> >>> > http://www.wolfsec.ch



-- 
--------------------------------------------------------

Cristian Del Carlo
