[pfSense Support] PPTP User Error 1.2 CF
Hi

I got the following when adding a PPTP user:

Fatal error: Cannot create references to/from string offsets nor overloaded objects in /etc/inc/xmlparse.inc on line 57

It then reloaded a backup of the XML, and it seems the user was added, yet to be confirmed.

Is this any help to know?

Kind regards
David Hingston
[pfSense Support] Can't Sync TinyDNS over IPsec VPN
We have a pfSense 1.2 setup at 2 offices that maintain an IPsec VPN connection. The systems at each end can ping/access systems at the other end. In addition, systems at each end can ping/ssh-into/web-connect-to the pfSense systems at both ends.

However, while ssh'd into either pfSense system, the other pfSense system can't be ping'd/etc. I'm assuming this is the same reason that TinyDNS can't sync from one of the pfSense systems to the other.

Both sides have rules to allow all LAN-based traffic via the IPsec tunnel and it works for all LAN-connected systems but not the pfSense system itself. I've tried everything I can think of but can't seem to get any kind of rule/route specified that'll enable the pfSense system itself to communicate with the pfSense system at the other end of its IPsec tunnel.

Is there some way to route the pfSense router's LAN interface to the remotely VPN'd pfSense router's LAN interface (i.e., via its own IPsec tunnel)?

--
---
Bryan Derman
Derman Enterprises Incorporated
http://www.derman.com/

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] Problem running IPSec VPN on the PFSense box and L2TP IPSec behind the box
On Thu, May 22, 2008 at 1:51 AM, John Greiner [EMAIL PROTECTED] wrote:
> Thank you Chris for the response! Glad it wasn't just me being a dolt. I wonder what kind of magic the Secure Computing folks were able to conjure up that enables UDP 500 to be shared at the firewall and behind it...

Yeah I'm not sure what they were doing. The only way that could work with pfSense is if the local racoon could differentiate between L2TP for another destination and IPsec destined to itself and route accordingly, which it's not capable of doing.
Re: [pfSense Support] Problem running IPSec VPN on the PFSense box and L2TP IPSec behind the box
Chris Buechler wrote:
> On Thu, May 22, 2008 at 1:51 AM, John Greiner [EMAIL PROTECTED] wrote:
>> Thank you Chris for the response! Glad it wasn't just me being a dolt. I wonder what kind of magic the Secure Computing folks were able to conjure up that enables UDP 500 to be shared at the firewall and behind it...
>
> Yeah I'm not sure what they were doing. The only way that could work with pfSense is if the local racoon could differentiate between L2TP for another destination and IPsec destined to itself and route accordingly, which it's not capable of doing.

Hmmm. Assuming the L2TP clients are roaming with dynamic addresses, why not set up rules that forward IPsec related traffic from anywhere but the static IPsec peers to the L2TP host? I'm not sure how the pfsense rules would look but in plain pf it would look something like this ...

EXT = your external interface name
L2TP = ip address of your internal L2TP host
VPNGW1 = static address of site to site peer #1
VPNGW2 = static address of site to site peer #2

table <vpngw> const { $VPNGW1, $VPNGW2 }

rdr on $EXT proto udp from !<vpngw> to $EXT port 500 -> $L2TP port 500
rdr on $EXT proto udp from !<vpngw> to $EXT port 4500 -> $L2TP port 4500
rdr on $EXT proto esp from !<vpngw> to $EXT -> $L2TP

-Matthew
Re: [pfSense Support] Can't Sync TinyDNS over IPsec VPN
Bryan Derman wrote:
> We have a pfSense 1.2 setup at 2 offices that maintain an IPsec VPN connection. The systems at each end can ping/access systems at the other end. In addition, systems at each end can ping/ssh-into/web-connect-to the pfSense systems at both ends.
>
> However, while ssh'd into either pfSense system, the other pfSense system can't be ping'd/etc.

That's this: http://doc.m0n0.ch/handbook/faq-snmpovervpn.html

same fix.
Re: [pfSense Support] Problem running IPSec VPN on the PFSense box and L2TP IPSec behind the box
On Thu, May 22, 2008 at 11:42 AM, Matthew Grooms [EMAIL PROTECTED] wrote:
> Hmmm. Assuming the L2TP clients are roaming with dynamic addresses, why not set up rules that forward IPsec related traffic from anywhere but the static IPsec peers to the L2TP host? I'm not sure how the pfsense rules would look but in plain pf it would look something like this ...

Hmm, that's a good idea. Unfortunately we only allow policy NAT in outbound NAT, not inbound, so that wouldn't be possible now. I opened a feature request ticket, that would be nice to have at some point.
[pfSense Support] PPTP Lan Arp Issues
I have pfSense 1.2-release on a multi-LAN box. We have 9 interfaces with six active. Only a single WAN; all the rest are used with dedicated leased lines. We have IPsec in tunnel mode for several remote offices as well.

We added PPTP services, via the internal PPTP server, however we aren't able to get any traffic through. First I thought it was the firewall, but now I have an any/any/any rule at the top of the PPTP, and still nothing.

Finally I tried tcpdump. Here is an ssh connection failing:

# tcpdump -ni ng1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ng1, link-type NULL (BSD loopback), capture size 96 bytes
15:12:37.823031 IP 10.1.1.176.58098 > 10.1.1.20.22: S 3867494987:3867494987(0) win 65535 <mss 1404,nop,wscale 3,nop,nop,timestamp 131517934 0,sackOK,eol>
15:12:38.729693 IP 10.1.1.176.58098 > 10.1.1.20.22: S 3867494987:3867494987(0) win 65535 <mss 1404,nop,wscale 3,nop,nop,timestamp 131517943 0,sackOK,eol>
15:12:39.729283 IP 10.1.1.176.58098 > 10.1.1.20.22: S 3867494987:3867494987(0) win 65535 <mss 1404,nop,wscale 3,nop,nop,timestamp 131517953 0,sackOK,eol>

Here is tcpdump, watching the host 10.1.1.176:

# tcpdump -ni bge0 host 10.1.1.176
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bge0, link-type EN10MB (Ethernet), capture size 96 bytes
15:12:57.760347 arp who-has 10.1.1.176 tell 10.1.1.20
15:12:58.760071 arp who-has 10.1.1.176 tell 10.1.1.20
15:13:12.778768 IP 10.1.1.176.58098 > 10.1.1.20.22: S 3867494987:3867494987(0) win 65535 <mss 1404,sackOK,eol>
15:13:12.780033 arp who-has 10.1.1.176 tell 10.1.1.20
15:13:13.780625 arp who-has 10.1.1.176 tell 10.1.1.20
15:13:14.780454 arp who-has 10.1.1.176 tell 10.1.1.20
---

This looks to me like we aren't actually arping for 10.1.1.176.

Can anyone offer advice?

Sincerely,
Joshua
RE: [pfSense Support] Problem running IPSec VPN on the PFSense box and L2TP IPSec behind the box
Any chance the UDP 500 negotiations between the firewalls for IPsec tunnels could be directed to negotiate on a different port, leaving 500 available for L2TP traffic behind the firewall?

-----Original Message-----
From: Chris Buechler [EMAIL PROTECTED]
Sent: Thursday, May 22, 2008 1:47 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Problem running IPSec VPN on the PFSense box and L2TP IPSec behind the box

On Thu, May 22, 2008 at 11:42 AM, Matthew Grooms [EMAIL PROTECTED] wrote:
> Hmmm. Assuming the L2TP clients are roaming with dynamic addresses, why not set up rules that forward IPsec related traffic from anywhere but the static IPsec peers to the L2TP host? I'm not sure how the pfsense rules would look but in plain pf it would look something like this ...

Hmm, that's a good idea. Unfortunately we only allow policy NAT in outbound NAT, not inbound, so that wouldn't be possible now. I opened a feature request ticket, that would be nice to have at some point.
Re: [pfSense Support] Problem running IPSec VPN on the PFSense box and L2TP IPSec behind the box
On Thu, May 22, 2008 at 8:05 PM, John Greiner [EMAIL PROTECTED] wrote:
> Any chance the UDP 500 negotiations between the firewalls for IPsec tunnels could be directed to negotiate on a different port, leaving 500 available for L2TP traffic behind the firewall?

With a little code writing it'd be possible. racoon.conf can specify ports, but there is no way to do so currently without changing code, and you can't manually edit config files without having changes overwritten.
Re: [pfSense Support] Problem running IPSec VPN on the PFSense box and L2TP IPSec behind the box
John Greiner wrote:
> Any chance the UDP 500 negotiations between the firewalls for IPsec tunnels could be directed to negotiate on a different port, leaving 500 available for L2TP traffic behind the firewall?

That's possible, but UDP port 500 is only relevant for IKE traffic. The IKE protocol is used for authenticating peers and negotiating dynamic key material. A security transport protocol, typically ESP, is used to protect the actual traffic. ESP is an IP protocol like TCP/UDP but it has no port numbers in its header. This creates problems for firewalls that perform NAT as they can only inspect source/destination addresses to classify the traffic.

If it were possible to do with pfsense, you might be able to get away with only forwarding packets destined for UDP ports 500 and 4500 to the internal L2TP host. But that depends entirely on NAT Traversal being supported by both the L2TP client and gateway. This multiplexes IKE and encapsulated ESP packets on UDP port 4500, which allows the traffic to pass through NAT more easily. If pfsense can't do a selective port forward based on the source address and destination port, then you're out of luck.

-Matthew
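Added example, not code from the thread, pfSense or racoon: a Python model of the two ideas Matthew raises, the source-address-based redirect in his earlier pf rules (static site-to-site peers stay with the firewall's own racoon, every other IKE/NAT-T/ESP packet goes to the internal L2TP host) and the UDP/4500 multiplexing he describes here. For the latter it applies the RFC 3948 rule: an IKE message sent over 4500 carries a four-byte zero "non-ESP marker", an ESP packet begins with its SPI (never zero), and a lone 0xFF byte is a NAT keepalive. The peer and L2TP addresses, and the packets run through it, are constructed for illustration.

```python
"""Classify inbound IPsec-related packets the way a source-aware rdr would,
and tell IKE from UDP-encapsulated ESP on UDP/4500 (RFC 3948).
Addresses and packets below are constructed, not from the thread."""
import ipaddress
import struct
from dataclasses import dataclass

IKE_PORT, NATT_PORT = 500, 4500
PROTO_UDP, PROTO_ESP = 17, 50

# Constructed stand-ins for $VPNGW1/$VPNGW2 and $L2TP in the pf rules.
STATIC_PEERS = {ipaddress.ip_address("203.0.113.10"),
                ipaddress.ip_address("198.51.100.20")}
L2TP_HOST = ipaddress.ip_address("192.168.1.50")


@dataclass
class Packet:
    src: str
    proto: int          # IP protocol number
    dport: int = 0      # UDP destination port (0 when proto is ESP)
    payload: bytes = b""


def classify_natt(payload: bytes) -> str:
    """Classify a UDP/4500 payload only: 'ike', 'esp', 'nat-keepalive' or 'invalid'.

    IKE over 4500 is prefixed with a 4-byte zero non-ESP marker; ESP starts
    with a non-zero SPI; a single 0xFF byte is a NAT keepalive."""
    if payload == b"\xff":
        return "nat-keepalive"
    if len(payload) < 4:
        return "invalid"
    marker, = struct.unpack("!I", payload[:4])
    return "ike" if marker == 0 else "esp"


def ike_major_version(payload: bytes, natt: bool = False) -> int:
    """Return the IKE major version (1 or 2) from a raw IKE header.

    Header layout: 8-byte initiator SPI, 8-byte responder SPI, next payload,
    version byte (major in the high nibble), exchange type, flags, 4-byte
    message ID, 4-byte length.  On UDP/4500 the non-ESP marker precedes it."""
    hdr = payload[4:] if natt else payload
    if len(hdr) < 28:
        raise ValueError("truncated IKE header")
    return hdr[17] >> 4


def decide(pkt: Packet) -> str:
    """Mirror the rdr rules: static peers stay local (the firewall's racoon),
    any other IKE/NAT-T/ESP packet is redirected to the L2TP host, and
    non-IPsec traffic falls through to the normal rule set."""
    src = ipaddress.ip_address(pkt.src)
    is_ipsec = pkt.proto == PROTO_ESP or (
        pkt.proto == PROTO_UDP and pkt.dport in (IKE_PORT, NATT_PORT))
    if not is_ipsec:
        return "pass"
    if src in STATIC_PEERS:
        return "local"
    return f"rdr -> {L2TP_HOST}"


def ikev2_sa_init_header() -> bytes:
    """Constructed 28-byte IKEv2 IKE_SA_INIT header (version 2.0, exchange 34)."""
    return (bytes(range(1, 9))              # initiator SPI
            + b"\x00" * 8                    # responder SPI, unset in the first message
            + bytes([33, 0x20, 34, 0x08])    # next payload SA, version 2.0, IKE_SA_INIT, Initiator flag
            + b"\x00\x00\x00\x00"            # message ID 0
            + b"\x00\x00\x00\x1c")           # length 28


def demo() -> list[tuple[str, str]]:
    """Run constructed packets through decide(); annotate 4500 ones with classify_natt()."""
    esp = b"\x00\x00\x12\x34" + b"\x00\x00\x00\x01" + b"\xaa" * 16   # SPI 0x1234, seq 1
    pkts = [
        ("peer IKE",          Packet("203.0.113.10", PROTO_UDP, IKE_PORT, ikev2_sa_init_header())),
        ("roaming IKE",       Packet("192.0.2.77", PROTO_UDP, IKE_PORT, ikev2_sa_init_header())),
        ("roaming NAT-T IKE", Packet("192.0.2.77", PROTO_UDP, NATT_PORT, b"\x00" * 4 + ikev2_sa_init_header())),
        ("roaming NAT-T ESP", Packet("192.0.2.77", PROTO_UDP, NATT_PORT, esp)),
        ("roaming keepalive", Packet("192.0.2.77", PROTO_UDP, NATT_PORT, b"\xff")),
        ("peer raw ESP",      Packet("198.51.100.20", PROTO_ESP, payload=esp)),
        ("unrelated DNS",     Packet("192.0.2.77", PROTO_UDP, 53, b"")),
    ]
    out = []
    for name, p in pkts:
        verdict = decide(p)
        if p.proto == PROTO_UDP and p.dport == NATT_PORT:
            verdict += f" ({classify_natt(p.payload)})"
        out.append((name, verdict))
    return out


if __name__ == "__main__":
    for name, verdict in demo():
        print(f"{name:20} {verdict}")
```

The address test is the whole trick: once the static peers are excluded, the firewall never has to look inside the packet to decide where it goes, which is why the rdr approach works for ESP even though ESP has no ports. The 4500 classifier is only there to show what a NAT-T client's traffic looks like on the wire; the redirect itself does not need it.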
Re: [pfSense Support] PPTP User Error 1.2 CF
On Thu, May 22, 2008 at 5:20 AM, Tortise [EMAIL PROTECTED] wrote:
> Hi I got the following when adding a PPTP user:
>
> Fatal error: Cannot create references to/from string offsets nor overloaded objects in /etc/inc/xmlparse.inc on line 57
>
> It then reloaded a backup of the XML, and it seems the user was added, yet to be confirmed. Is this any help to know?

Is it something you can replicate?
Re: [pfSense Support] PPTP Lan Arp Issues
On Thu, May 22, 2008 at 6:43 PM, Joshua Schmidlkofer [EMAIL PROTECTED] wrote:
> I have pfSense 1.2-release on a multi-LAN box. We have 9 interfaces with six active. Only a single WAN; all the rest are used with dedicated leased lines. We have IPsec in tunnel mode for several remote offices as well.
>
> We added PPTP services, via the internal PPTP server, however we aren't able to get any traffic through. First I thought it was the firewall, but now I have an any/any/any rule at the top of the PPTP, and still nothing.
>
> Finally I tried tcpdump. Here is an ssh connection failing:
>
> # tcpdump -ni ng1
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on ng1, link-type NULL (BSD loopback), capture size 96 bytes
> 15:12:37.823031 IP 10.1.1.176.58098 > 10.1.1.20.22: S 3867494987:3867494987(0) win 65535 <mss 1404,nop,wscale 3,nop,nop,timestamp 131517934 0,sackOK,eol>
> 15:12:38.729693 IP 10.1.1.176.58098 > 10.1.1.20.22: S 3867494987:3867494987(0) win 65535 <mss 1404,nop,wscale 3,nop,nop,timestamp 131517943 0,sackOK,eol>
> 15:12:39.729283 IP 10.1.1.176.58098 > 10.1.1.20.22: S 3867494987:3867494987(0) win 65535 <mss 1404,nop,wscale 3,nop,nop,timestamp 131517953 0,sackOK,eol>
>
> Here is tcpdump, watching the host 10.1.1.176:
>
> # tcpdump -ni bge0 host 10.1.1.176
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on bge0, link-type EN10MB (Ethernet), capture size 96 bytes
> 15:12:57.760347 arp who-has 10.1.1.176 tell 10.1.1.20
> 15:12:58.760071 arp who-has 10.1.1.176 tell 10.1.1.20
> 15:13:12.778768 IP 10.1.1.176.58098 > 10.1.1.20.22: S 3867494987:3867494987(0) win 65535 <mss 1404,sackOK,eol>
> 15:13:12.780033 arp who-has 10.1.1.176 tell 10.1.1.20
> 15:13:13.780625 arp who-has 10.1.1.176 tell 10.1.1.20
> 15:13:14.780454 arp who-has 10.1.1.176 tell 10.1.1.20
> ---
>
> This looks to me like we aren't actually arping for 10.1.1.176.
>
> Can anyone offer advice?

pfSense will proxy ARP for PPTP clients. If that were broken we definitely would have heard about it countless times by now. How do you have the PPTP server set up?
[pfSense Support] Accessing private IPs on WAN side
Hi, we have a leased SHDSL line to the local Telco, with a bridged SHDSL modem at each end that are configured with IPs 192.168.200.10 and .11. Is there a way to access them from our LAN short of giving them public IP addresses?

LAN 192.168.1.x/24 --- WAN public IP --- modem 192.168.200.10 --- modem 192.168.200.11 --- gateway at telco with public IP

Thanks in advance,
Craig

-
Sustainable Solutions
Kathmandu, Nepal
Auckland, New Zealand
ph 977 1 5548021
[EMAIL PROTECTED]
http://www.sussol.net
Re: [pfSense Support] Accessing private IPs on WAN side
On Thu, May 22, 2008 at 11:55 PM, Craig Drown [EMAIL PROTECTED] wrote:
> Hi, we have a leased SHDSL line to the local Telco, with a bridged SHDSL modem at each end that are configured with IPs 192.168.200.10 and .11. Is there a way to access them from our LAN short of giving them public IP addresses?
>
> LAN 192.168.1.x/24 --- WAN public IP --- modem 192.168.200.10 --- modem 192.168.200.11 --- gateway at telco with public IP

What is the subnet mask on the 192.168.200. IPs?
Re: [pfSense Support] PPTP Lan Arp Issues
Not sure what you want. Here is the snippet from the pptpd config:

<mode>server</mode>
<redir/>
<localip>10.42.1.10</localip>
<remoteip>10.42.1.176</remoteip>

I think that localip might be the problem. Does that need to be a VirtualIP assigned to the internal interface? Should that simply be the LAN? I tried to Google to find the answer, but I couldn't seem to find it.

Sincerely,
Joshua

On Thu, May 22, 2008 at 7:39 PM, Chris Buechler [EMAIL PROTECTED] wrote:
> On Thu, May 22, 2008 at 6:43 PM, Joshua Schmidlkofer [EMAIL PROTECTED] wrote:
>> I have pfSense 1.2-release on a multi-LAN box. We have 9 interfaces with six active. Only a single WAN; all the rest are used with dedicated leased lines. We have IPsec in tunnel mode for several remote offices as well.
>>
>> We added PPTP services, via the internal PPTP server, however we aren't able to get any traffic through. First I thought it was the firewall, but now I have an any/any/any rule at the top of the PPTP, and still nothing.
>>
>> Finally I tried tcpdump. Here is an ssh connection failing:
>>
>> # tcpdump -ni ng1
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on ng1, link-type NULL (BSD loopback), capture size 96 bytes
>> 15:12:37.823031 IP 10.1.1.176.58098 > 10.1.1.20.22: S 3867494987:3867494987(0) win 65535 <mss 1404,nop,wscale 3,nop,nop,timestamp 131517934 0,sackOK,eol>
>> 15:12:38.729693 IP 10.1.1.176.58098 > 10.1.1.20.22: S 3867494987:3867494987(0) win 65535 <mss 1404,nop,wscale 3,nop,nop,timestamp 131517943 0,sackOK,eol>
>> 15:12:39.729283 IP 10.1.1.176.58098 > 10.1.1.20.22: S 3867494987:3867494987(0) win 65535 <mss 1404,nop,wscale 3,nop,nop,timestamp 131517953 0,sackOK,eol>
>>
>> Here is tcpdump, watching the host 10.1.1.176:
>>
>> # tcpdump -ni bge0 host 10.1.1.176
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on bge0, link-type EN10MB (Ethernet), capture size 96 bytes
>> 15:12:57.760347 arp who-has 10.1.1.176 tell 10.1.1.20
>> 15:12:58.760071 arp who-has 10.1.1.176 tell 10.1.1.20
>> 15:13:12.778768 IP 10.1.1.176.58098 > 10.1.1.20.22: S 3867494987:3867494987(0) win 65535 <mss 1404,sackOK,eol>
>> 15:13:12.780033 arp who-has 10.1.1.176 tell 10.1.1.20
>> 15:13:13.780625 arp who-has 10.1.1.176 tell 10.1.1.20
>> 15:13:14.780454 arp who-has 10.1.1.176 tell 10.1.1.20
>> ---
>>
>> This looks to me like we aren't actually arping for 10.1.1.176.
>>
>> Can anyone offer advice?
>
> pfSense will proxy ARP for PPTP clients. If that were broken we definitely would have heard about it countless times by now. How do you have the PPTP server set up?
Re: [pfSense Support] PPTP Lan Arp Issues
Chris,

Just to be clear, I tried adding the 10.42.1.10 as a VirtualIP address. I am just not seeing what I am doing wrong. From the client, I _can_ ping 10.42.1.10. I cannot ping anything else.

21:31:35.032761 IP 10.42.1.176 > 10.42.1.11: ICMP echo request, id 47406, seq 212, length 64
21:31:35.032935 arp who-has 10.42.1.176 tell 10.42.1.11
21:31:36.004956 IP 10.42.1.176 > 10.42.1.11: ICMP echo request, id 47406, seq 213, length 64
21:31:37.337214 IP 10.42.1.176 > 10.42.1.11: ICMP echo request, id 55342, seq 0, length 64
21:31:37.337381 arp who-has 10.42.1.176 tell 10.42.1.11

I don't see what I have messed up. What other information can I provide you with?

Sincerely,
Joshua

On Thu, May 22, 2008 at 9:21 PM, Joshua Schmidlkofer [EMAIL PROTECTED] wrote:
> Not sure what you want. Here is the snippet from the pptpd config:
>
> <mode>server</mode>
> <redir/>
> <localip>10.42.1.10</localip>
> <remoteip>10.42.1.176</remoteip>
>
> I think that localip might be the problem. Does that need to be a VirtualIP assigned to the internal interface? Should that simply be the LAN? I tried to Google to find the answer, but I couldn't seem to find it.
>
> Sincerely,
> Joshua
>
> On Thu, May 22, 2008 at 7:39 PM, Chris Buechler [EMAIL PROTECTED] wrote:
>> On Thu, May 22, 2008 at 6:43 PM, Joshua Schmidlkofer [EMAIL PROTECTED] wrote:
>>> I have pfSense 1.2-release on a multi-LAN box. We have 9 interfaces with six active. Only a single WAN; all the rest are used with dedicated leased lines. We have IPsec in tunnel mode for several remote offices as well.
>>>
>>> We added PPTP services, via the internal PPTP server, however we aren't able to get any traffic through. First I thought it was the firewall, but now I have an any/any/any rule at the top of the PPTP, and still nothing.
>>>
>>> Finally I tried tcpdump. Here is an ssh connection failing:
>>>
>>> # tcpdump -ni ng1
>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>> listening on ng1, link-type NULL (BSD loopback), capture size 96 bytes
>>> 15:12:37.823031 IP 10.1.1.176.58098 > 10.1.1.20.22: S 3867494987:3867494987(0) win 65535 <mss 1404,nop,wscale 3,nop,nop,timestamp 131517934 0,sackOK,eol>
>>> 15:12:38.729693 IP 10.1.1.176.58098 > 10.1.1.20.22: S 3867494987:3867494987(0) win 65535 <mss 1404,nop,wscale 3,nop,nop,timestamp 131517943 0,sackOK,eol>
>>> 15:12:39.729283 IP 10.1.1.176.58098 > 10.1.1.20.22: S 3867494987:3867494987(0) win 65535 <mss 1404,nop,wscale 3,nop,nop,timestamp 131517953 0,sackOK,eol>
>>>
>>> Here is tcpdump, watching the host 10.1.1.176:
>>>
>>> # tcpdump -ni bge0 host 10.1.1.176
>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>> listening on bge0, link-type EN10MB (Ethernet), capture size 96 bytes
>>> 15:12:57.760347 arp who-has 10.1.1.176 tell 10.1.1.20
>>> 15:12:58.760071 arp who-has 10.1.1.176 tell 10.1.1.20
>>> 15:13:12.778768 IP 10.1.1.176.58098 > 10.1.1.20.22: S 3867494987:3867494987(0) win 65535 <mss 1404,sackOK,eol>
>>> 15:13:12.780033 arp who-has 10.1.1.176 tell 10.1.1.20
>>> 15:13:13.780625 arp who-has 10.1.1.176 tell 10.1.1.20
>>> 15:13:14.780454 arp who-has 10.1.1.176 tell 10.1.1.20
>>> ---
>>>
>>> This looks to me like we aren't actually arping for 10.1.1.176.
>>>
>>> Can anyone offer advice?
>>
>> pfSense will proxy ARP for PPTP clients. If that were broken we definitely would have heard about it countless times by now. How do you have the PPTP server set up?
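Added example, not from the thread or pfSense: a small checker for the symptom both of Joshua's bge0 captures show, a LAN host ARPing for the PPTP client's address over and over with nothing answering. Fed `tcpdump -n` output, it pairs every "arp who-has" with any "arp reply" for the same target in the capture, counts IP packets that arrived *from* that target on the same segment, and reports targets asked for repeatedly but never answered. The sample lines are the 10.1.1.x capture from this thread plus one constructed, answered exchange for contrast.

```python
"""Find ARP requests that never get a reply in tcpdump -n output.
The sample capture mixes lines from the thread with two constructed lines
(the 10.1.1.1 request/reply) so that the answered case is exercised too."""
import re
from collections import defaultdict

WHO_HAS = re.compile(r"^(?P<ts>\S+) arp who-has (?P<target>\d+(?:\.\d+){3}) tell (?P<asker>\d+(?:\.\d+){3})")
REPLY = re.compile(r"^(?P<ts>\S+) arp reply (?P<target>\d+(?:\.\d+){3}) is-at (?P<mac>[0-9a-f:]+)", re.I)
# IP lines look like "IP 10.1.1.176.58098 > 10.1.1.20.22: ..." (TCP/UDP, with port)
# or "IP 10.42.1.176 > 10.42.1.11: ICMP ..." (no port).
IP_FROM = re.compile(r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})(?:\.\d+)? > ")

CAPTURE = """\
15:12:57.760347 arp who-has 10.1.1.176 tell 10.1.1.20
15:12:58.760071 arp who-has 10.1.1.176 tell 10.1.1.20
15:13:12.778768 IP 10.1.1.176.58098 > 10.1.1.20.22: S 3867494987:3867494987(0) win 65535 <mss 1404,sackOK,eol>
15:13:12.780033 arp who-has 10.1.1.176 tell 10.1.1.20
15:13:13.780625 arp who-has 10.1.1.176 tell 10.1.1.20
15:13:14.780454 arp who-has 10.1.1.176 tell 10.1.1.20
15:13:20.000000 arp who-has 10.1.1.1 tell 10.1.1.20
15:13:20.000412 arp reply 10.1.1.1 is-at 00:0c:29:ab:cd:ef
""".splitlines()


def analyze(lines):
    """Return {target: {requests, askers, answered_by, seen_from_target}}."""
    asked = defaultdict(list)     # target -> [(timestamp, asker), ...]
    answered = {}                 # target -> MAC from an arp reply
    seen_from = defaultdict(int)  # source IP -> IP packets seen from it
    for line in lines:
        m = WHO_HAS.match(line)
        if m:
            asked[m["target"]].append((m["ts"], m["asker"]))
            continue
        m = REPLY.match(line)
        if m:
            answered[m["target"]] = m["mac"].lower()
            continue
        m = IP_FROM.match(line)
        if m:
            seen_from[m["src"]] += 1
    return {
        target: {
            "requests": len(reqs),
            "askers": sorted({asker for _, asker in reqs}),
            "answered_by": answered.get(target),
            "seen_from_target": seen_from.get(target, 0),
        }
        for target, reqs in asked.items()
    }


def unanswered(report, min_requests=2):
    """Targets asked for at least min_requests times with no reply in the capture."""
    return sorted(t for t, r in report.items()
                  if r["answered_by"] is None and r["requests"] >= min_requests)


def describe(report):
    """One line per unanswered target, noting whether it was itself active on the wire."""
    out = []
    for target in unanswered(report):
        r = report[target]
        note = (f"{target}: {r['requests']} who-has from {', '.join(r['askers'])}, no reply")
        if r["seen_from_target"]:
            note += f"; yet {r['seen_from_target']} IP packet(s) from {target} crossed this segment"
        out.append(note)
    return out


if __name__ == "__main__":
    for line in describe(analyze(CAPTURE)):
        print(line)
```

Run against a capture on the LAN side, the interesting output is a target that is both unanswered and active: the PPTP client's packets reach the segment, so the LAN host believes it is a neighbour and asks for a MAC, and whatever is supposed to answer on the client's behalf (here, the firewall's proxy ARP) is silent. That separates "the reply never comes" from "the request never goes out", which is the distinction Joshua is trying to draw from the raw tcpdump lines.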
Re: [pfSense Support] Accessing private IPs on WAN side
On Fri, 23 May 2008 00:03:05 -0400, Chris Buechler appears to have written:
> On Thu, May 22, 2008 at 11:55 PM, Craig Drown [EMAIL PROTECTED] wrote:
>> Hi, we have a leased SHDSL line to the local Telco, with a bridged SHDSL modem at each end that are configured with IPs 192.168.200.10 and .11. Is there a way to access them from our LAN short of giving them public IP addresses?
>>
>> LAN 192.168.1.x/24 --- WAN public IP --- modem 192.168.200.10 --- modem 192.168.200.11 --- gateway at telco with public IP
>
> What is the subnet mask on the 192.168.200. IPs?

255.255.255.0

Cheers,
Craig

-
Sustainable Solutions
Kathmandu, Nepal
Auckland, New Zealand
ph 977 1 5548021
[EMAIL PROTECTED]
http://www.sussol.net
Re: [pfSense Support] Accessing private IPs on WAN side
On Fri, May 23, 2008 at 1:07 AM, Craig Drown [EMAIL PROTECTED] wrote:
>>> LAN 192.168.1.x/24 --- WAN public IP --- modem 192.168.200.10 --- modem 192.168.200.11 --- gateway at telco with public IP
>>
>> What is the subnet mask on the 192.168.200. IPs?
>
> 255.255.255.0

Good, they're on a different subnet from your LAN. You should be able to follow this:
http://wiki.m0n0.ch/wikka.php?wakka=AccessingModemOutsideFirewall

Intended for m0n0wall (I wrote parts of that), but it will work on pfSense too.