Re: [pfSense Support] pfsense on mac mini?
dny wrote:
> it's quite small hardware and doesn't take too much space. i think, it's pretty good candidate to put into rack rather than other expensive rackmounted hardware...

it's not going to work, as Scott said, but... really, you're kidding, right? :) "Expensive" rack mounted hardware? A base mini is $499, and you'd have to add USB NICs to that. You could get a 1U rack mountable box with 3 NICs that'll push 100 Mb at wire speed for that price, and not deal with something that isn't rack mountable and has USB NICs hanging all over the place. Or build a mini ITX box for cheaper, with internal NICs. I have a mini and love it, but I'd never consider using one for a firewall.

-cmb

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] pfsense on mac mini?
On 9/9/05, dny <[EMAIL PROTECTED]> wrote:
> hi.
>
> is it possible to run pfsense on mac mini?
> any iso to boot the mac mini? any plan?

No. i386 only.

> it's quite small hardware and doesn't take too much space.

Great. Want to donate a builder box to the project?

> i think, it's pretty good candidate to put into rack
> rather than other expensive rackmounted hardware...

It may be, but we do not own the hardware. And the Macs that I do own are not being converted to FreeBSD.

Scott
Re: [pfSense Support] pfsense and static IPs through PPPoE
Give 'er a shot. Should work like a charm. Just put your [EMAIL PROTECTED] username in the WAN config for PPPOE and watch it fly. You'll need to do some playing with "Virtual IPs" so you can handle the 1 to 1 NATs, but shouldn't take too long of poking through the interface to figure it out.

--Bill

On 9/9/05, Darin <[EMAIL PROTECTED]> wrote:
> It's just a bridge. It's a pretty old modem with very basic functions. About 3-4 years old.
> http://www.chipweb.de/dsl/index.php?menu=2&id2=33
>
> Darin
>
> Bill Marquette wrote:
>> Right now I'm running on a borrows 5100a which bridges the PPPOE only. Works fine. I don't know anything about the 5360, is it terminating the PPPOE, or is bridging the PPPOE?
>>
>> --Bill
>>
>> On 9/9/05, Darin <[EMAIL PROTECTED]> wrote:
>>> What if you don't have the Cayman router anymore? I'm just using a standard Speedstream 5360 modem that has no routing or firewall capabilities.
>>>
>>> Bill Marquette wrote:
>>>> Yup, I have SBC's static offering. With the Cayman router that comes with that offering you can terminate PPPOE on the modem and allow for the 5 addresses to be used on the ethernet side with pfSense. You then have the option of bridging those IPs to inside (or DMZ) and putting real addresses on your machines, or doing a 1 to 1 NAT. The other option is to terminate PPPOE on the pfSense box - you still get the option to do 1 to 1 NAT, but you lose the bridging option (I think, I haven't tried that setup, can't see how it would work though). I've done both setups, started with terminating PPPOE on the pfSense box, moved to terminating on the router so I could work on CARP and am back to terminating on pfSense because my Cayman died.
>>>>
>>>> --Bill
>>>>
>>>> On 9/9/05, Darin <[EMAIL PROTECTED]> wrote:
>>>>> I have DSL with 5 static IPs through SBC. I've also been a FreeBSD user for a few years now, and currently have a firewall up and running on 4.11. The 5 statics are actually a /29 block, and the IP info is passed down through the PPP session. In order to use the statics on other machines, I have to use the nat functions in the PPP daemon and assign a public IP to a private IP. Here is an example from my ppp.conf on how this is done:
>>>>>
>>>>>     nat enable yes
>>>>>     nat same_ports yes
>>>>>     nat addr 192.168.1.5 1.2.3.4
>>>>>     nat addr 192.168.1.6 1.2.3.5
>>>>>
>>>>> This is the only way I was able to assign those public IPs to another box. I could not get it to work using natd.
>>>>>
>>>>> Will pfsense be able to do this? I installed 82.4 on a test machine just to get a feel for the interface and didn't really see any provision for it. Any idea how something like this would work?
>>>>>
>>>>> Thanks for your time.
>>>>>
>>>>> Darin
[pfSense Support] pfsense on mac mini?
hi.

is it possible to run pfsense on mac mini?
any iso to boot the mac mini? any plan?

it's quite small hardware and doesn't take too much space.
i think, it's pretty good candidate to put into rack rather than other expensive rackmounted hardware...

tnx&rgds,
dny.
Re: [pfSense Support] pfsense and static IPs through PPPoE
It's just a bridge. It's a pretty old modem with very basic functions. About 3-4 years old.
http://www.chipweb.de/dsl/index.php?menu=2&id2=33

Darin

Bill Marquette wrote:
> Right now I'm running on a borrows 5100a which bridges the PPPOE only. Works fine. I don't know anything about the 5360, is it terminating the PPPOE, or is bridging the PPPOE?
>
> --Bill
>
> On 9/9/05, Darin <[EMAIL PROTECTED]> wrote:
>> What if you don't have the Cayman router anymore? I'm just using a standard Speedstream 5360 modem that has no routing or firewall capabilities.
>>
>> Bill Marquette wrote:
>>> Yup, I have SBC's static offering. With the Cayman router that comes with that offering you can terminate PPPOE on the modem and allow for the 5 addresses to be used on the ethernet side with pfSense. You then have the option of bridging those IPs to inside (or DMZ) and putting real addresses on your machines, or doing a 1 to 1 NAT. The other option is to terminate PPPOE on the pfSense box - you still get the option to do 1 to 1 NAT, but you lose the bridging option (I think, I haven't tried that setup, can't see how it would work though). I've done both setups, started with terminating PPPOE on the pfSense box, moved to terminating on the router so I could work on CARP and am back to terminating on pfSense because my Cayman died.
>>>
>>> --Bill
>>>
>>> On 9/9/05, Darin <[EMAIL PROTECTED]> wrote:
>>>> I have DSL with 5 static IPs through SBC. I've also been a FreeBSD user for a few years now, and currently have a firewall up and running on 4.11. The 5 statics are actually a /29 block, and the IP info is passed down through the PPP session. In order to use the statics on other machines, I have to use the nat functions in the PPP daemon and assign a public IP to a private IP. Here is an example from my ppp.conf on how this is done:
>>>>
>>>>     nat enable yes
>>>>     nat same_ports yes
>>>>     nat addr 192.168.1.5 1.2.3.4
>>>>     nat addr 192.168.1.6 1.2.3.5
>>>>
>>>> This is the only way I was able to assign those public IPs to another box. I could not get it to work using natd.
>>>>
>>>> Will pfsense be able to do this? I installed 82.4 on a test machine just to get a feel for the interface and didn't really see any provision for it. Any idea how something like this would work?
>>>>
>>>> Thanks for your time.
>>>>
>>>> Darin
Re: [pfSense Support] Ticket 481
Can you please explain what is quite not right? It works here.

Scott

On 9/9/05, Dan Swartzendruber <[EMAIL PROTECTED]> wrote:
> arpwatch still not quite right.
[pfSense Support] Ticket 481
arpwatch still not quite right.
Re: [pfSense Support] pfsense and static IPs through PPPoE
Right now I'm running on a borrows 5100a which bridges the PPPOE only. Works fine. I don't know anything about the 5360, is it terminating the PPPOE, or is bridging the PPPOE?

--Bill

On 9/9/05, Darin <[EMAIL PROTECTED]> wrote:
> What if you don't have the Cayman router anymore? I'm just using a standard Speedstream 5360 modem that has no routing or firewall capabilities.
>
> Bill Marquette wrote:
>> Yup, I have SBC's static offering. With the Cayman router that comes with that offering you can terminate PPPOE on the modem and allow for the 5 addresses to be used on the ethernet side with pfSense. You then have the option of bridging those IPs to inside (or DMZ) and putting real addresses on your machines, or doing a 1 to 1 NAT. The other option is to terminate PPPOE on the pfSense box - you still get the option to do 1 to 1 NAT, but you lose the bridging option (I think, I haven't tried that setup, can't see how it would work though). I've done both setups, started with terminating PPPOE on the pfSense box, moved to terminating on the router so I could work on CARP and am back to terminating on pfSense because my Cayman died.
>>
>> --Bill
>>
>> On 9/9/05, Darin <[EMAIL PROTECTED]> wrote:
>>> I have DSL with 5 static IPs through SBC. I've also been a FreeBSD user for a few years now, and currently have a firewall up and running on 4.11. The 5 statics are actually a /29 block, and the IP info is passed down through the PPP session. In order to use the statics on other machines, I have to use the nat functions in the PPP daemon and assign a public IP to a private IP. Here is an example from my ppp.conf on how this is done:
>>>
>>>     nat enable yes
>>>     nat same_ports yes
>>>     nat addr 192.168.1.5 1.2.3.4
>>>     nat addr 192.168.1.6 1.2.3.5
>>>
>>> This is the only way I was able to assign those public IPs to another box. I could not get it to work using natd.
>>>
>>> Will pfsense be able to do this? I installed 82.4 on a test machine just to get a feel for the interface and didn't really see any provision for it. Any idea how something like this would work?
>>>
>>> Thanks for your time.
>>>
>>> Darin
Re: [pfSense Support] RE: [pfSense-discussion] IPv6 support on pfSense
On 8/31/05, alan walters <[EMAIL PROTECTED]> wrote:
> Still IP6 support on a product now will allow us to build networks that
> can scale way better I have a places where ipv6 would be great even now.
>
> In our wisp setup it would be very convenient to use ipv6 for intersite
> transport instead of nat and ipv4 I know it is a big one to take on but
> it would be a great feature set to have
>
> Just two cents worth

It's planned down the road. It will be good to do this when we rip apart the interface code.

Scott
Re: [pfSense Support] WebGUI from WAN
On 9/5/05, Dirk Holbrook <[EMAIL PROTECTED]> wrote:
> I'm trying to set up pfSense to allow WebGUI access to one of the PCs on the WAN. I have followed the instructions from m0n0wall (http://m0n0.ch/wall/docbook/faq-webGUI-from-WAN.html) but have had no luck.
> My system is working basically "out of the box", WAN is using DHCP.
> Setup is as follows:
> ADSL Modem/Router (10.0.0.138) -> 8 port ethernet switch -> WAN PCs & WAN side of pfSense (dynamic IPs). LAN side of pfSense (192.168.40.2) -> Wireless AP (192.168.40.1).
> AP is correctly allocating IPs from the range I set (192.168.40.100 - 192.168.40.254) and have no problem getting internet access or WebGUI with the wireless laptop.
> If I set the pfSense WAN to a static IP (10.0.0.1) I lose internet connectivity on the WAN.
> Setting a WAN rule with all *s doesn't seem to do anything either.
> My knowledge of how this all works is not great so it's probably something simple that I'm missing.
> Thanks in advance.

Add a firewall rule on the wan allowing traffic to the port.

Scott
Re: [pfSense Support] pfsense and static IPs through PPPoE
What if you don't have the Cayman router anymore? I'm just using a standard Speedstream 5360 modem that has no routing or firewall capabilities.

Bill Marquette wrote:
> Yup, I have SBC's static offering. With the Cayman router that comes with that offering you can terminate PPPOE on the modem and allow for the 5 addresses to be used on the ethernet side with pfSense. You then have the option of bridging those IPs to inside (or DMZ) and putting real addresses on your machines, or doing a 1 to 1 NAT. The other option is to terminate PPPOE on the pfSense box - you still get the option to do 1 to 1 NAT, but you lose the bridging option (I think, I haven't tried that setup, can't see how it would work though). I've done both setups, started with terminating PPPOE on the pfSense box, moved to terminating on the router so I could work on CARP and am back to terminating on pfSense because my Cayman died.
>
> --Bill
>
> On 9/9/05, Darin <[EMAIL PROTECTED]> wrote:
>> I have DSL with 5 static IPs through SBC. I've also been a FreeBSD user for a few years now, and currently have a firewall up and running on 4.11. The 5 statics are actually a /29 block, and the IP info is passed down through the PPP session. In order to use the statics on other machines, I have to use the nat functions in the PPP daemon and assign a public IP to a private IP. Here is an example from my ppp.conf on how this is done:
>>
>>     nat enable yes
>>     nat same_ports yes
>>     nat addr 192.168.1.5 1.2.3.4
>>     nat addr 192.168.1.6 1.2.3.5
>>
>> This is the only way I was able to assign those public IPs to another box. I could not get it to work using natd.
>>
>> Will pfsense be able to do this? I installed 82.4 on a test machine just to get a feel for the interface and didn't really see any provision for it. Any idea how something like this would work?
>>
>> Thanks for your time.
>>
>> Darin
Re: [pfSense Support] pfsense and static IPs through PPPoE
Yup, I have SBC's static offering. With the Cayman router that comes with that offering you can terminate PPPOE on the modem and allow for the 5 addresses to be used on the ethernet side with pfSense. You then have the option of bridging those IPs to inside (or DMZ) and putting real addresses on your machines, or doing a 1 to 1 NAT. The other option is to terminate PPPOE on the pfSense box - you still get the option to do 1 to 1 NAT, but you lose the bridging option (I think, I haven't tried that setup, can't see how it would work though). I've done both setups, started with terminating PPPOE on the pfSense box, moved to terminating on the router so I could work on CARP and am back to terminating on pfSense because my Cayman died.

--Bill

On 9/9/05, Darin <[EMAIL PROTECTED]> wrote:
> I have DSL with 5 static IPs through SBC. I've also been a FreeBSD user for a few years now, and currently have a firewall up and running on 4.11. The 5 statics are actually a /29 block, and the IP info is passed down through the PPP session. In order to use the statics on other machines, I have to use the nat functions in the PPP daemon and assign a public IP to a private IP. Here is an example from my ppp.conf on how this is done:
>
>     nat enable yes
>     nat same_ports yes
>     nat addr 192.168.1.5 1.2.3.4
>     nat addr 192.168.1.6 1.2.3.5
>
> This is the only way I was able to assign those public IPs to another box. I could not get it to work using natd.
>
> Will pfsense be able to do this? I installed 82.4 on a test machine just to get a feel for the interface and didn't really see any provision for it. Any idea how something like this would work?
>
> Thanks for your time.
>
> Darin
[pfSense Support] DynDNS and PPPoE
To all our PPPoE users:

We have just made a fix which we believe will fix the DynDNS issues that you all have been having. The fix will be in the new version that is due to rollout tonight. The new version will be 0.84. Please upgrade your systems accordingly and reboot.

After you reboot, please check and see if your DynDNS entry gets updated to your new IP address. If it does not get updated please look at your System Logs and find all entries since reboot that have "phpDynDNS" as the prefix. Copy and paste them as a reply to this email.

As a reminder, please "REPLY TO ALL" and not just REPLY when responding to this message.

Best Regards,
-Erik
DynDNS Client and webGUI dude.
[pfSense Support] pfsense and static IPs through PPPoE
I have DSL with 5 static IPs through SBC. I've also been a FreeBSD user for a few years now, and currently have a firewall up and running on 4.11. The 5 statics are actually a /29 block, and the IP info is passed down through the PPP session. In order to use the statics on other machines, I have to use the nat functions in the PPP daemon and assign a public IP to a private IP. Here is an example from my ppp.conf on how this is done:

    nat enable yes
    nat same_ports yes
    nat addr 192.168.1.5 1.2.3.4
    nat addr 192.168.1.6 1.2.3.5

This is the only way I was able to assign those public IPs to another box. I could not get it to work using natd.

Will pfsense be able to do this? I installed 82.4 on a test machine just to get a feel for the interface and didn't really see any provision for it. Any idea how something like this would work?

Thanks for your time.

Darin
Re: [pfSense Support] space on device?
Try doing:

    /etc/rc.conf_mount_rw
    rm /conf/backup/*
    /etc/rc.conf_mount_ro

We'll look into the backup file count.

Scott

On 9/9/05, Rodolfo Vardelli <[EMAIL PROTECTED]> wrote:
> I got this error:
>
> Warning: copy(/cf/conf/backup/config-1126267275.xml): failed to open stream: No space left on device in /etc/inc/config.inc on line 1261
> Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/config.inc:1261) in /usr/local/www/firewall_rules_edit.php on line 305
>
> CF is not full, but /cf/conf/backup is full of "old?" conf files
> would be nice to keep only 2 or 3 so to have enough space
>
> I tried to manually remove some of them, but I got an error about a read only file system.
> Do I have to mount it read/write?
>
> regards
> Rodolfo
[pfSense Support] space on device?
I got this error:

    Warning: copy(/cf/conf/backup/config-1126267275.xml): failed to open stream: No space left on device in /etc/inc/config.inc on line 1261
    Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/config.inc:1261) in /usr/local/www/firewall_rules_edit.php on line 305

CF is not full, but /cf/conf/backup is full of "old?" conf files
would be nice to keep only 2 or 3 so to have enough space

I tried to manually remove some of them, but I got an error about a read only file system.
Do I have to mount it read/write?

regards
Rodolfo
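Scott's `rm /conf/backup/*` empties the directory outright; the script below is an added example (not pfSense code) that instead keeps the newest two or three backups, as Rodolfo asked, ordered by the epoch in the file name rather than by mtime. It assumes the `config-<epoch>.xml` naming from the error message and the `/etc/rc.conf_mount_rw` / `/etc/rc.conf_mount_ro` remount scripts from Scott's reply; `make_sample_backups` only builds a throwaway directory for trying it out.

```python
"""Prune old pfSense config backups, keeping the newest N (added example, not pfSense code)."""
import re
import subprocess
import tempfile
from pathlib import Path
from typing import Iterable, List

# Naming seen in the error quoted above: config-<unix epoch>.xml
BACKUP_RE = re.compile(r"^config-(\d+)\.xml$")


def list_backups(backup_dir: Path) -> List[Path]:
    """All config-<epoch>.xml files in backup_dir, newest first by the epoch in the name."""
    found = []
    for p in backup_dir.iterdir():
        m = BACKUP_RE.match(p.name)
        if m:                       # anything else in the directory is left alone
            found.append((int(m.group(1)), p))
    return [p for _, p in sorted(found, reverse=True)]


def prune_backups(backup_dir: Path, keep: int = 3) -> List[Path]:
    """Delete every backup except the `keep` newest; return the paths that were removed."""
    stale = list_backups(backup_dir)[keep:]
    for p in stale:
        p.unlink()
    return stale


def prune_pfsense(keep: int = 3) -> List[Path]:
    """Same, wrapped in the rw/ro remount that /conf needs on a read-only CF install.

    Uses the remount scripts named in Scott's reply; the ro remount runs even if
    pruning fails so the filesystem is not left writable.
    """
    subprocess.run(["/etc/rc.conf_mount_rw"], check=True)
    try:
        return prune_backups(Path("/conf/backup"), keep)
    finally:
        subprocess.run(["/etc/rc.conf_mount_ro"], check=False)


def make_sample_backups(epochs: Iterable[int]) -> Path:
    """Constructed test fixture: a temp dir with one empty backup per epoch plus an
    unrelated config.xml that the pruner must ignore."""
    d = Path(tempfile.mkdtemp(prefix="pfsense-backup-"))
    for e in epochs:
        (d / f"config-{e}.xml").touch()
    (d / "config.xml").touch()
    return d


if __name__ == "__main__":
    sample = make_sample_backups([1126267275, 1126267200, 1126267100, 1126267000])
    removed = prune_backups(sample, keep=2)
    print("removed:", [p.name for p in removed])
    print("kept:", [p.name for p in list_backups(sample)])
```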
Re: [pfSense Support] IPsec on (NAT)OPT1
hi there,

I forgot one thing: I wasn't able to insert "no nat" rules on OPT1 as I don't need NAT on port 500 and proto esp ... !?!

On 09.09.2005 at 12:59, Tom Müller-Kortkamp wrote:
> Hi,
>
> I have Problems with IPSec on OPT1 (I tried to get help on irc, but ...)
>
> OK, I have:
> A WRAP with 0.82.4, I have a cheap DSL on WAN, a double E1 on OPT1, Static-IP: eg. 1.2.3.4/24, LAN and ATH(OPT2) Bridged Static-IP: eg 192.168.35.254/24
>
> First Problem: No Nat on OPT1. I had to enable "Enable advanced outbound NAT" in Firewall->NAT->Outbound and write two NAT-Rules (for DSL and for OPT1).
>
> Next thing: I need IPsec on OPT1
> Other Net is: 172.20/16
> Endpoint is 2.2.2.2
>
> This is Handshake:
> 01 INFO: initiate new phase 2 negotiation: 1.2.3.4[0]<=>2.2.2.2[0]
> 02 WARNING: ignore RESPONDER-LIFETIME notification.
> 03 WARNING: transform number has been modified.
> 04 WARNING: trns_id mismatched: my:DES peer:3DES
> 05 WARNING: trns_id mismatched: my:DES peer:3DES
> 06 INFO: IPsec-SA established: ESP/Tunnel 2.2.2.2[0]->1.2.3.4[0] spi=227333822(0xd8cd6be)
> 07 INFO: IPsec-SA established: ESP/Tunnel 1.2.3.4[0]->2.2.2.2[0] spi=1874806242(0x6fbf45e2)
> 08 INFO: respond new phase 2 negotiation: 1.2.3.4[0]<=>192.168.35.2[0]
> 09 ERROR: no policy found: 2.2.2.2/32[0] 192.168.35.0/24[0] proto=any dir=in
> 10 ERROR: failed to get proposal for responder.
> 11 ERROR: failed to pre-process packet.
>
> I guess Line 09 is the Problem!!!
>
> # setkey -DP
> 192.168.35.0/24[any] 192.168.35.254[any] any
>     in none
>     spid=113 seq=3 pid=85039 refcnt=1
> 172.20.0.0/16[any] 192.168.35.0/24[any] any
>     in ipsec
>     esp/tunnel/2.2.2.2-1.2.3.4/unique#16442
>     spid=116 seq=2 pid=85039 refcnt=1
> 192.168.35.254[any] 192.168.35.0/24[any] any
>     out none
>     spid=114 seq=1 pid=85039 refcnt=1
> 192.168.35.0/24[any] 172.20.0.0/16[any] any
>     out ipsec
>     esp/tunnel/1.2.3.4-2.2.2.2/unique#16441
>     spid=115 seq=0 pid=85039 refcnt=1

--
kommunity GmbH & Co.KG
Tom Müller-Kortkamp
Networks & Internet
Goseriede 4
D-30159 Hannover
Phone +49 (0)5 11 - 80 72 58 0
Fax +49 (0)5 11 - 80 72 58 10
http://www.kommunity.net
[pfSense Support] IPsec on (NAT)OPT1
Hi,

I have Problems with IPSec on OPT1 (I tried to get help on irc, but ...)

OK, I have:
A WRAP with 0.82.4, I have a cheap DSL on WAN, a double E1 on OPT1, Static-IP: eg. 1.2.3.4/24, LAN and ATH(OPT2) Bridged Static-IP: eg 192.168.35.254/24

First Problem: No Nat on OPT1. I had to enable "Enable advanced outbound NAT" in Firewall->NAT->Outbound and write two NAT-Rules (for DSL and for OPT1).

Next thing: I need IPsec on OPT1
Other Net is: 172.20/16
Endpoint is 2.2.2.2

This is Handshake:
01 INFO: initiate new phase 2 negotiation: 1.2.3.4[0]<=>2.2.2.2[0]
02 WARNING: ignore RESPONDER-LIFETIME notification.
03 WARNING: transform number has been modified.
04 WARNING: trns_id mismatched: my:DES peer:3DES
05 WARNING: trns_id mismatched: my:DES peer:3DES
06 INFO: IPsec-SA established: ESP/Tunnel 2.2.2.2[0]->1.2.3.4[0] spi=227333822(0xd8cd6be)
07 INFO: IPsec-SA established: ESP/Tunnel 1.2.3.4[0]->2.2.2.2[0] spi=1874806242(0x6fbf45e2)
08 INFO: respond new phase 2 negotiation: 1.2.3.4[0]<=>192.168.35.2[0]
09 ERROR: no policy found: 2.2.2.2/32[0] 192.168.35.0/24[0] proto=any dir=in
10 ERROR: failed to get proposal for responder.
11 ERROR: failed to pre-process packet.

I guess Line 09 is the Problem!!!

# setkey -DP
192.168.35.0/24[any] 192.168.35.254[any] any
    in none
    spid=113 seq=3 pid=85039 refcnt=1
172.20.0.0/16[any] 192.168.35.0/24[any] any
    in ipsec
    esp/tunnel/2.2.2.2-1.2.3.4/unique#16442
    spid=116 seq=2 pid=85039 refcnt=1
192.168.35.254[any] 192.168.35.0/24[any] any
    out none
    spid=114 seq=1 pid=85039 refcnt=1
192.168.35.0/24[any] 172.20.0.0/16[any] any
    out ipsec
    esp/tunnel/1.2.3.4-2.2.2.2/unique#16441
    spid=115 seq=0 pid=85039 refcnt=1
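Line 09 says racoon searched the SPD for an inbound entry matching the peer's Phase 2 IDs, 2.2.2.2/32 -> 192.168.35.0/24, and found none; the only inbound ipsec entry in the `setkey -DP` dump is 172.20.0.0/16 -> 192.168.35.0/24 (spid 116). The script below is an added example, not from the thread or from pfSense: it parses the dump and the racoon error line exactly as posted, reports which SPD entry (if any) covers a selector, and lists the ipsec entries for the same destination and direction so the mismatch is visible at a glance. It generalises slightly beyond the posted case by also accepting selectors narrower than an entry (a /24 inside the /16), which it reports as covered.

```python
"""Check a racoon 'no policy found' selector against a setkey -DP dump (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed from the setkey -DP output and handshake line 09 posted in the thread.
SPD_DUMP = """\
192.168.35.0/24[any] 192.168.35.254[any] any
    in none
    spid=113 seq=3 pid=85039 refcnt=1
172.20.0.0/16[any] 192.168.35.0/24[any] any
    in ipsec
    esp/tunnel/2.2.2.2-1.2.3.4/unique#16442
    spid=116 seq=2 pid=85039 refcnt=1
192.168.35.254[any] 192.168.35.0/24[any] any
    out none
    spid=114 seq=1 pid=85039 refcnt=1
192.168.35.0/24[any] 172.20.0.0/16[any] any
    out ipsec
    esp/tunnel/1.2.3.4-2.2.2.2/unique#16441
    spid=115 seq=0 pid=85039 refcnt=1
"""
RACOON_ERROR = "09 ERROR: no policy found: 2.2.2.2/32[0] 192.168.35.0/24[0] proto=any dir=in"


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    direction: str          # in / out / fwd
    action: str             # none / ipsec / discard
    spid: int
    tunnel: Optional[str]   # e.g. esp/tunnel/2.2.2.2-1.2.3.4/unique#16442

SELECTOR_RE = re.compile(r"^(\S+)\[\w+\]\s+(\S+)\[\w+\]\s+(\S+)$")   # "src[port] dst[port] proto"
NOPOL_RE = re.compile(r"no policy found: (\S+)\[\d+\] (\S+)\[\d+\] proto=\S+ dir=(\w+)")


def parse_spd(dump: str) -> List[Policy]:
    """Turn a setkey -DP dump into Policy records (port selectors are ignored)."""
    policies: List[Policy] = []
    cur: dict = {}
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SELECTOR_RE.match(line)
        if m:                                   # header line starts a new entry
            cur = {"src": ipaddress.ip_network(m.group(1), strict=False),
                   "dst": ipaddress.ip_network(m.group(2), strict=False),
                   "proto": m.group(3), "tunnel": None}
        elif line.split()[0] in ("in", "out", "fwd"):
            cur["direction"], cur["action"] = line.split()[:2]
        elif line.startswith(("esp/", "ah/", "ipcomp/")):
            cur["tunnel"] = line
        elif line.startswith("spid="):           # last line of an entry
            cur["spid"] = int(line.split("=")[1].split()[0])
            policies.append(Policy(**cur))
    return policies


def parse_no_policy(line: str) -> Optional[Tuple[str, str, str]]:
    """(src, dst, direction) from racoon's 'no policy found' message, or None."""
    m = NOPOL_RE.search(line)
    return (m.group(1), m.group(2), m.group(3)) if m else None


def covering_policy(policies: List[Policy], src: str, dst: str, direction: str) -> Optional[Policy]:
    """First entry in the same direction whose selectors contain both src and dst."""
    s = ipaddress.ip_network(src, strict=False)
    d = ipaddress.ip_network(dst, strict=False)
    for p in policies:
        if p.direction == direction and s.subnet_of(p.src) and d.subnet_of(p.dst):
            return p
    return None


def nearest_policies(policies: List[Policy], dst: str, direction: str) -> List[Policy]:
    """ipsec entries in the same direction that overlap dst: what the peer's ID should match."""
    d = ipaddress.ip_network(dst, strict=False)
    return [p for p in policies
            if p.direction == direction and p.action == "ipsec" and d.overlaps(p.dst)]


if __name__ == "__main__":
    spd = parse_spd(SPD_DUMP)
    src, dst, direction = parse_no_policy(RACOON_ERROR)
    print("covered by:", covering_policy(spd, src, dst, direction))   # None, as in line 09
    print("nearest:", [(p.spid, str(p.src), p.tunnel) for p in nearest_policies(spd, dst, direction)])
```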
Re: [pfSense Support] Dynamic DNS updates
Hi Guys!

I probably got the same problem! I'm a PPPoE user whose IP changes every 24 hours! But dynDNS doesn't update the DNS entry! I'm not gonna disappear so I could do the testing for you!

Mika

On 9/7/05, Erik Kristensen <[EMAIL PROTECTED]> wrote:
> Finally another PPPoE user. :) Alright, another user brought this to our attention and we tried working on fixing it with him, but he disappeared before we could finish testing and figure out if we had fixed it. Apparently we haven't so ... will you be around this evening? I think I have the solution to the problem. I will definitely be around after 1930 (EST) -0500. If you can message me ##pfsense I will work with you on it. Hopefully we can resolve it tonight. If not I have tomorrow free as well. If anything I can at least send you the fixed file and you can test it and you can get back to me.
>
> -Erik
Re: [pfSense Support] purged SA caused by timeout .. but why?
Yes, the option Prefer old IPsec SAs is not checked. Therefore I think the system prefers newer SAs per default.

Jörg

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Thursday, 8 September 2005 16:57
To: Joerg Horchler
Cc: support@pfsense.com
Subject: Re: [pfSense Support] purged SA caused by timeout .. but why?

Do you have the prefer newer SA option checked in System -> Advanced?

Scott

On 9/8/05, Joerg Horchler <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> I want to configure a more complex scenario to establish an IPSec-Tunnel between the LAN of my company and the LAN of one of our customers. First a short description:
>
> We want to use two machines in our LAN to access several services in the LAN of our customer. The customers policy forces us to use a network that we don't use (as explained later). So we have to NAT the IPs of our two machines. We do this on a firewall. After the firewall the traffic passes our VPN-Gateway which has to protect the traffic with ESP. Here is a short graphic.
>
> Internal LAN: 10.x.x.x/24
> DMZ: 192.168.1.x/24
> Enforced NAT Pool: 192.168.2.x/28
> External LAN: x.x.x.x/x
>
>   box01 10.x.x.25/24 --+
>                        +-- eth0: 10.x.x.27/24
>   box02 10.x.x.26/24 --+   [firewall]
>                            eth1:   192.168.1.250/24
>                            eth1:1: 192.168.2.65/28
>                              |
>                            vr0: 192.168.1.251/24
>                            [VPN gateway]
>                            vr1: x.x.x.x/x
>                              |
>                            x.x.x.x/x
>                            [CiscoVPN]
>                            x.x.x.x/x
>                              |
>                  +-----------+-----------+
>                  |                       |
>          box01 217.x.x.26/24     box02 217.x.x.27/24
>
> I try to access 217.x.x.26 via SSH from 10.x.x.25. The source address is NATed on our firewall to 192.168.2.65. On the VPN gateway I configured a policy to protect every traffic from 192.168.2.x/28 to 217.x.x.26/24 with ESP via the Cisco VPN appliance (remote gateway). The connection with this setup times out. The log on our syslog-server has logged
>
> Sep 1 14:15:21 cvpndmz racoon: INFO: isakmp.c:1694:isakmp_post_acquire(): IPsec-SA request for x.x.x.x queued due to no phase1 found.
> Sep 1 14:15:21 cvpndmz racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
> Sep 1 14:15:21 cvpndmz racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Aggressive mode.
> Sep 1 14:15:21 cvpndmz racoon: NOTIFY: oakley.c:2084:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.
> Sep 1 14:15:21 cvpndmz racoon: INFO: isakmp.c:2459:log_ph1established(): ISAKMP-SA established x.x.x.x[500]-x.x.x.x[500] spi:ea64dfd3aa29dc62:121857c2df384193
> Sep 1 14:15:22 cvpndmz racoon: INFO: isakmp.c:952:isakmp_ph2begin_i(): initiate new phase 2 negotiation: x.x.x.x[0]<=>x.x.x.x[0]
> Sep 1 14:15:22 cvpndmz racoon: INFO: isakmp_inf.c:887:purge_isakmp_spi(): purged ISAKMP-SA proto_id=ISAKMP spi=ea64dfd3aa29dc62:121857c2df384193.
> Sep 1 14:15:52 cvpndmz racoon: ERROR: pfkey.c:804:pfkey_timeover(): x.x.x.x give up to get IPsec-SA due to time up to wait.
> Sep 1 14:15:52 cvpndmz racoon: INFO: isakmp.c:1574:isakmp_ph1delete(): ISAKMP-SA deleted x.x.x.x[500]-x.x.x.x[500] spi:ea64dfd3aa29dc62:121857c2df384193
>
> As no error message above the time out is given here I'm a little bit confused about what is going on here.
>
> Perhaps someone has an idea.
>
> Cheers
> Jörg