Re: [pfSense Support] PFSense 1.2.3RC1 / Problems with IPSEC and AES256

2009-06-25 Thread Chris Buechler
On Tue, May 26, 2009 at 5:42 AM, Benjamin
Fromme wrote:
> Hi List,
>
> we have several tunnels between some pfsense 1.2.2 boxes. For phase 2 we
> have configured AES256 as the only encryption algorithm and everything works 
> fine.
>
> Now we upgrade one of the boxes to pfsense 1.2.3RC1 and all tunnels on
> this box are broken. The 1.2.2 boxes show the tunnel as working, on the
> 1.2.3RC1 box we see the following in the logs:
>

The newer ipsec-tools doesn't like the syntax that used to work; I
committed a fix a couple of days ago for this. Any snapshots with today's
date or newer should work.

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] PFSense 1.2.3RC1 / Problems with IPSEC and AES256

2009-06-25 Thread Ho Sy Tan
I run pfSense-1.2.3-RC1 (FreeBSD 7.1), IPSec with IKE P2 AES 256, and it works
fine.

On Thu, Jun 25, 2009 at 2:13 PM, Chris Buechler wrote:

> On Tue, May 26, 2009 at 5:42 AM, Benjamin
> Fromme wrote:
> > Hi List,
> >
> > we have several tunnels between some pfsense 1.2.2 boxes. For phase 2 we
> > have configured AES256 as the only encryption algorithm and everything
> works fine.
> >
> > Now we upgrade one of the boxes to pfsense 1.2.3RC1 and all tunnels on
> > this box are broken. The 1.2.2 boxes show the tunnel as working, on the
> > 1.2.3RC1 box we see the following in the logs:
> >
>
> The newer ipsec-tools doesn't like the syntax that used to work; I
> committed a fix a couple of days ago for this. Any snapshots with today's
> date or newer should work.
>


-- 
My contact:

Fullname: Ho Sy Tan
Nickname: Ta Nho Sy
Org: FireGate Group - 3CDotCom
Address: No 6 - Lang Ha - Ba Dinh - Ha Noi
Tel: (84).04.62665656
Fax: (84).04.62665657
Mobile: (84). 0902231360
Email: tanh...@firegate.vn
Gmail: tanh...@gmail.com
Yahoo Mail: tanh...@yahoo.com
Hotmail: tanh...@hotmail.com
Website: www.firegate.vn



[pfSense Support] Interface weirdness

2009-06-25 Thread Curtis Maurand

I have a public IP on em1
I have a private IP on em2 (10.0.1.10/24)
I have a private ip on OPT1 (10.201.17.1/28)

Normally I would have the OPT interface in a DMZ, but constraints aren't 
allowing me to do that so the OPT1 interface is also plugged in on the 
local LAN as well.



I've assigned a secondary address on a linux machine on the same subnet 
as OPT1 (10.201.17.3/28).  The primary address on the linux machine is 
10.0.1.210/24


I have a VPN set up via the WAN interface to the subnet on OPT1 interface.

the tunnel comes up perfectly.

The linux machine can ping the primary interface on the pfsense machine.
The linux machine can ping a host on the other end of the tunnel reliably.
The linux machine can ping the OPT1 interface, but it is not reliable.  
Huge packet loss numbers.

I can ping the host on the other end of the tunnel via the OPT1 interface.

I've tried all sorts of different rules, but I'm allowing Any traffic 
and protocol from the OPT1 subnet to the OPT1 interface and vice versa.  
I've allowed all traffic from anywhere and to anywhere on the opt one 
interface.  I'm at my wits' end.  I need two different subnets on my LAN 
and I need to tunnel one of them.


How do I make this happen?

Curtis



Re: [pfSense Support] Interface weirdness

2009-06-25 Thread Tim Nelson
- "Curtis Maurand" wrote: 
> I have a public IP on em1 
> I have a private IP on em2 (10.0.1.10/24) 
> I have a private ip on OPT1 (10.201.17.1/28) 
> 
> Normally I would have the OPT interface in a DMZ, but constraints aren't 
> allowing me to do that so the OPT1 interface is also plugged in on the local 
> LAN as well. 
> 
> 
> I've assigned a secondary address on a linux machine on the same subnet as 
> OPT1 (10.201.17.3/28). The primary address on the linux machine is 
> 10.0.1.210/24 
> 
> I have a VPN set up via the WAN interface to the subnet on OPT1 interface. 
> 
> the tunnel comes up perfectly. 
> 
> The linux machine can ping the primary interface on the pfsense machine. 
> The linux machine can ping a host on the other end of the tunnel reliably. 
> The linux machine can ping the OPT1 interface, but it is not reliable. Huge 
> packet loss numbers. 
> I can ping the host on the other end of the tunnel via the OPT1 interface. 
> 
> I've tried all sorts of different rules, but I'm allowing Any traffic and 
> protocol from the OPT1 subnet to the OPT1 interface and vice versa. I've 
> allowed all traffic from anywhere and to anywhere on the opt one interface. 
> I'm at my wits' end. I need two different subnets on my LAN and I need to 
> tunnel one of them. 
> 
> How do I make this happen? 
> 

What happens if you take the VPN out of the mix... does the 'pingability' of 
OPT1 still perform the same? What kind of VPN are you using... IPSEC/OpenVPN? 
Did you assign two gateways to the Linux machine? Can you verify with a 
traceroute/tracepath that your traffic to the remote side of the tunnel is in 
fact passing via OPT1? 

--Tim 


Re: [pfSense Support] Interface weirdness

2009-06-25 Thread Tim Nelson
- "Curtis Maurand" wrote: 
> I have a public IP on em1 
> I have a private IP on em2 (10.0.1.10/24) 
> I have a private ip on OPT1 (10.201.17.1/28) 
> 
> Normally I would have the OPT interface in a DMZ, but constraints aren't 
> allowing me to do that so the OPT1 interface is also plugged in on the local 
> LAN as well. 
> 
> 
> I've assigned a secondary address on a linux machine on the same subnet as 
> OPT1 (10.201.17.3/28). The primary address on the linux machine is 
> 10.0.1.210/24 
> 
> I have a VPN set up via the WAN interface to the subnet on OPT1 interface. 
> 
> the tunnel comes up perfectly. 
> 
> The linux machine can ping the primary interface on the pfsense machine. 
> The linux machine can ping a host on the other end of the tunnel reliably. 
> The linux machine can ping the OPT1 interface, but it is not reliable. Huge 
> packet loss numbers. 
> I can ping the host on the other end of the tunnel via the OPT1 interface. 
> 
> I've tried all sorts of different rules, but I'm allowing Any traffic and 
> protocol from the OPT1 subnet to the OPT1 interface and vice versa. I've 
> allowed all traffic from anywhere and to anywhere on the opt one interface. 
> I'm at my wits' end. I need two different subnets on my LAN and I need to 
> tunnel one of them. 
> 
> How do I make this happen? 
> 
> Curtis 
> 
> 

... and what happens if you run a packet capture on the pfSense box? I've 
found this feature to be absolutely invaluable in these situations... Capture 
traffic that is source/destination your IPs on the Linux box... run your 
tests... then import into Wireshark for analysis. 

--Tim 


[pfSense Support] Multiple WANs on a Single Bridge

2009-06-25 Thread Joseph Hardeman

Hi Everyone,

I have been trying to figure out how to set up multiple WAN networks on a 
single bridge. 

For instance: 


111.111.111.111/25  -> em0/bridge0/opt1 -> internal servers
222.222.222.222/25  -> em0/bridge0/opt1 -> internal servers


I see a way to add a virtual IP in the Firewall section, but not to add 
a VIP to the em0 interface. I have em0 bridged with em1 and my bridge 
is set up to allow certain ports through to internal servers; each 
server has an external IP, so I have to use bridged mode, not NATing.


Any help would be much appreciated.

Thanks

Joe

--
This message has been scanned for viruses by Colocube's AV Scanner





Re: [pfSense Support] Interface weirdness

2009-06-25 Thread Curtis Maurand

Tim Nelson wrote:

> - "Curtis Maurand" wrote:
> > I have a public IP on em1
> > I have a private IP on em2 (10.0.1.10/24)
> > I have a private ip on OPT1 (10.201.17.1/28)
> >
> > Normally I would have the OPT interface in a DMZ, but constraints
> > aren't allowing me to do that so the OPT1 interface is also plugged in
> > on the local LAN as well.
> >
> > I've assigned a secondary address on a linux machine on the same
> > subnet as OPT1 (10.201.17.3/28).  The primary address on the linux
> > machine is 10.0.1.210/24
> >
> > I have a VPN set up via the WAN interface to the subnet on OPT1
> > interface.
> >
> > the tunnel comes up perfectly.
> >
> > The linux machine can ping the primary interface on the pfsense machine.
> > The linux machine can ping a host on the other end of the tunnel
> > reliably.
> > The linux machine can ping the OPT1 interface, but it is not
> > reliable.  Huge packet loss numbers.
> > I can ping the host on the other end of the tunnel via the OPT1
> > interface.
> >
> > I've tried all sorts of different rules, but I'm allowing Any
> > traffic and protocol from the OPT1 subnet to the OPT1 interface and
> > vice versa.  I've allowed all traffic from anywhere and to anywhere on
> > the opt one interface.  I'm at my wits' end.  I need two different
> > subnets on my LAN and I need to tunnel one of them.
> >
> > How do I make this happen?
> >
>
> What happens if you take the VPN out of the mix... does the
> 'pingability' of OPT1 still perform the same? What kind of VPN are you
> using... IPSEC/OpenVPN? Did you assign two gateways to the Linux
> machine? Can you verify with a traceroute/tracepath that your traffic
> to the remote side of the tunnel is in fact passing via OPT1?
>
> --Tim

It got worse after I wrote.  I'm going home for the weekend and I'm 
going to deal with it on Monday.


--Curtis


Re: [pfSense Support] Multiple WANs on a Single Bridge

2009-06-25 Thread Chris Buechler
On Thu, Jun 25, 2009 at 3:43 PM, Joseph Hardeman wrote:
> Hi Everyone,
>
> I have been trying to figure out how to set up multiple WAN networks on a
> single bridge.
> For instance:
> 111.111.111.111/25  -> em0/bridge0/opt1 -> internal servers
> 222.222.222.222/25  -> em0/bridge0/opt1 -> internal servers
>

Nothing to it, if what you really need is a bridge. If the gateway IP
is outside the firewall, it's no different to use two subnets than it
is one. If the gateway IP isn't outside the firewall, you don't need
bridging, you need a routed public IP subnet on an OPT interface.




[pfSense Support] CARP and Bridging

2009-06-25 Thread Joseph Hardeman

One other question now that I think of it.

Does CARP work between two firewalls that are running in full Bridge 
mode, no NATing done at all, just port blocking on the WAN interface? 

We have two firewalls and I want to make sure any states are kept intact 
on the chance we have to failover to the secondary.


Joe




Re: [pfSense Support] Multiple WANs on a Single Bridge

2009-06-25 Thread Joseph Hardeman

Chris,

Thanks for your reply, I found this out earlier today.  Yes, all of the 
gateways are outside of the firewall so when I changed the IP on my 
laptop after getting the firewall upgraded it was able to get out with 
no problem.


Again, thank you for your reply.  I appreciate it.

Joe

Chris Buechler wrote:

> On Thu, Jun 25, 2009 at 3:43 PM, Joseph Hardeman wrote:
> > Hi Everyone,
> >
> > I have been trying to figure out how to set up multiple WAN networks on a
> > single bridge.
> > For instance:
> > 111.111.111.111/25  -> em0/bridge0/opt1 -> internal servers
> > 222.222.222.222/25  -> em0/bridge0/opt1 -> internal servers
> >
>
> Nothing to it, if what you really need is a bridge. If the gateway IP
> is outside the firewall, it's no different to use two subnets than it
> is one. If the gateway IP isn't outside the firewall, you don't need
> bridging, you need a routed public IP subnet on an OPT interface.
