[pfSense Support] racoon message: racoon: ERROR: libipsec failed pfkey align (Invalid sadb message)
Is there anyone here with experience with this message?

    racoon: ERROR: libipsec failed pfkey align (Invalid sadb message)

The pfSense version is 1.2.2 and the remote side is a Cisco router. Everything seems to be OK, but we have some connectivity problems with some servers and I don't know if they are related to that message.

Regards.

- To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] racoon message: racoon: ERROR: libipsec failed pfkey align (Invalid sadb message)
luismi wrote:
> Is there anyone here with experience with this message racoon: ERROR: libipsec failed pfkey align (Invalid sadb message)? The pfSense version is 1.2.2 and the remote side is a Cisco router. Everything seems to be OK, but we have some connectivity problems with some servers and I don't know if they are related to that message.

I've seen that before but it's never really been a fatal condition. The tunnels have continued to work despite it.

http://doc.pfsense.org/index.php/IPsec_Troubleshooting#Failed_pfkey_align

Jim
Re: [pfSense Support] racoon message: racoon: ERROR: libipsec failed pfkey align (Invalid sadb message)
Yes, I know that link, and I checked my config and it seems to be OK. The Cisco side is:

    crypto isakmp policy 10
     encr 3des
     authentication pre-share
     group 2
     lifetime 3600
    crypto isakmp key address 11.22.33.44 no-xauth
    crypto isakmp invalid-spi-recovery
    crypto isakmp keepalive 10
    !
    !
    crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
    !
    crypto map PFSVPN 15 ipsec-isakmp
     description VPN IPSEC contra PFSense FW1
     set peer 11.22.33.44
     set security-association lifetime seconds 28800
     set transform-set 3DES-SHA
     set pfs group2
     match address 100

and on the pfSense side...

under Phase 1 proposal (Authentication) I have 28800 seconds as lifetime
under Phase 2 proposal (SA/Key Exchange) I have 3600 seconds as lifetime

I don't see clearly whether those values are placed correctly against my Cisco configuration.
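The post above asks whether the pfSense Phase 1 and Phase 2 lifetimes are placed against the right lines of the Cisco configuration. On IOS, `lifetime N` under `crypto isakmp policy` is the IKE/ISAKMP SA lifetime (pfSense Phase 1), and `set security-association lifetime seconds N` under the crypto map entry is the IPsec SA lifetime (pfSense Phase 2). The following script is an added example, not code from the thread or from the pfSense project: it parses the posted Cisco snippet (embedded as a constructed sample; the pre-shared key is omitted there and is omitted here too) and reports where the two sides disagree. The function names and the report format are this example's own.

```python
"""Cross-check IKE (Phase 1) and IPsec SA (Phase 2) lifetimes between a Cisco IOS
crypto configuration and the values entered in the pfSense IPsec tunnel editor."""
import re

# Constructed sample: the Cisco side as posted in the thread
# (the pre-shared key itself is omitted there, and is omitted here too).
CISCO_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key address 11.22.33.44 no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto map PFSVPN 15 ipsec-isakmp
 description VPN IPSEC contra PFSense FW1
 set peer 11.22.33.44
 set security-association lifetime seconds 28800
 set transform-set 3DES-SHA
 set pfs group2
 match address 100
"""


def parse_cisco_lifetimes(config):
    """Return (isakmp_lifetime, ipsec_lifetime) in seconds; None for a value not found.

    'lifetime N' inside the indented 'crypto isakmp policy' block is the IKE/ISAKMP SA
    lifetime (pfSense Phase 1); 'set security-association lifetime seconds N' inside
    the crypto map entry is the IPsec SA lifetime (pfSense Phase 2).
    """
    isakmp = ipsec = None
    in_policy = False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("crypto isakmp policy "):
            in_policy = True
            continue
        if not raw.startswith(" "):
            in_policy = False  # an unindented line ends the policy block
        if in_policy:
            m = re.fullmatch(r"lifetime (\d+)", line)
            if m:
                isakmp = int(m.group(1))
        m = re.fullmatch(r"set security-association lifetime seconds (\d+)", line)
        if m:
            ipsec = int(m.group(1))
    return isakmp, ipsec


def check_lifetimes(config, pfsense_phase1, pfsense_phase2):
    """Return a list of findings; an empty list means both lifetimes line up."""
    isakmp, ipsec = parse_cisco_lifetimes(config)
    findings = []
    if pfsense_phase1 != isakmp:
        findings.append(
            f"Phase 1: pfSense {pfsense_phase1}s vs Cisco 'crypto isakmp policy' lifetime {isakmp}s")
    if pfsense_phase2 != ipsec:
        findings.append(
            f"Phase 2: pfSense {pfsense_phase2}s vs Cisco 'set security-association lifetime' {ipsec}s")
    if findings and pfsense_phase1 == ipsec and pfsense_phase2 == isakmp:
        findings.append("The two lifetimes look swapped between the sides")
    return findings


if __name__ == "__main__":
    # The values from the thread: pfSense Phase 1 = 28800, Phase 2 = 3600.
    for finding in check_lifetimes(CISCO_CONFIG, 28800, 3600):
        print(finding)
```

With the values from the thread the check reports both phases as mismatched and flags them as swapped; entering 3600 for Phase 1 and 28800 for Phase 2 on the pfSense side makes it report nothing. In IKEv1 a lifetime mismatch is normally negotiated down rather than fatal, so this is a consistency check to remove one variable, not a diagnosis of the pfkey align message, which the pfSense documentation linked above treats as harmless.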
Re: [pfSense Support] ipsec vpn against the carp VIP address?
Chris Buechler wrote:
> On Fri, Aug 28, 2009 at 6:47 AM, luismiasturlui...@gmail.com wrote:
>> After a failover, ipsec will negotiate everything again, no?
> yes

and you do get a short drop-out but it is usable; we have two sites each with master/slave pfSense using CARP clustering and ipsec between, and it works well.

TYVM, pfSense is sufficiently stable and reliable that we rarely ever need to reboot them anyway, so the secondary firewalls are idle 99.9% of the time. We also have a couple of OpenVPN tunnels from the remote site to a different local firewall as a fall-back, just in case.
[pfSense Support] bogons list on website needs updating
Hi,

The bogons list on the website, http://files.pfsense.org/bogon-bn-nonagg.txt, needs to be updated. This file is used by /etc/rc.update_bogons.sh. There are a number of networks that have been assigned per http://www.iana.org/assignments/ipv4-address-space/ that are still listed in the pfSense document. My new office network was on it, so it created a bit of a red herring for me.

If this is affecting anyone else, the quick and temporary fix is to delete the offending network from the firewall rules from the shell. Using 173.0.0.0/8 as an example:

show table bogons:
    pfctl -T show -t bogons
check for rule in table bogons:
    pfctl -t bogons -T test 173.0.0.0
delete rule from table bogons:
    pfctl -t bogons -T delete 173.0.0.0/8

This will work until the first of the month, when new rules are fetched and loaded.

Omar
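The pfctl commands in the post work against the live pf table on the firewall. As an added example (not code from the thread or from pfSense), the script below does the same two checks offline against a copy of the list file, in the one-prefix-per-line layout of bogon-bn-nonagg.txt: it answers "which bogon entry does this address fall in" the way `pfctl -t bogons -T test` does, and it lists entries that overlap prefixes the IANA registry now shows as allocated, which are the ones to delete. The bogon lines and the allocated-prefix list are constructed for the example, not copies of the real files.

```python
"""Offline equivalents of the pfctl table checks from the post: test an address against
a bogon list and find entries that overlap prefixes IANA has since allocated."""
import ipaddress

# Constructed sample in the bogon-bn-nonagg.txt layout (one prefix per line, '#' comments).
# The entries are illustrative, not a copy of the real file.
BOGON_FILE = """\
# bogon-bn-nonagg sample (constructed for this example)
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
173.0.0.0/8
240.0.0.0/4
"""

# Constructed: prefixes a practitioner would copy from the IANA ipv4-address-space
# registry after checking their status there; only the one from the thread is listed.
ALLOCATED = ["173.0.0.0/8"]


def load_bogons(text):
    """Parse the list into ip_network objects, skipping comments and blank lines."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line))
    return nets


def bogon_match(bogons, addr):
    """Like 'pfctl -t bogons -T test ADDR': the matching prefix as a string, or None."""
    a = ipaddress.ip_address(addr)
    for net in bogons:
        if a in net:
            return str(net)
    return None


def stale_bogons(bogons, allocated):
    """Entries overlapping an allocated prefix; candidates for 'pfctl -t bogons -T delete'."""
    alloc = [ipaddress.ip_network(p) for p in allocated]
    return [str(b) for b in bogons if any(b.overlaps(a) for a in alloc)]


if __name__ == "__main__":
    bogons = load_bogons(BOGON_FILE)
    print("173.10.0.1 matches:", bogon_match(bogons, "173.10.0.1"))
    for prefix in stale_bogons(bogons, ALLOCATED):
        print("stale entry, delete with: pfctl -t bogons -T delete", prefix)
```

A `pfctl -T delete` only changes the running table; as the post says, the next run of /etc/rc.update_bogons.sh reloads the file, so the stale entry comes back unless the file itself is fixed.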
[pfSense Support] Bridge?
This is my setup:

WAN  PUBLIC/30  - is obviously connected to my ISP.
LAN  PRIVATE/24 - is NATted users with no special needs.
OPT1 PUBLIC/29  - is handed out one by one to users with special needs.
OPT2 PUBLIC/29  - IS WHAT I NEED HELP FOR!

Since the user of OPT2 wants his own router to control/own this scope, how do I then set up the interface on my pfSense box? Should I create OPT2 as an interface bridged with WAN?

Kind regards
Anders Dahl
Re: [pfSense Support] racoon message: racoon: ERROR: libipsec failed pfkey align (Invalid sadb message)
I have had a tunnel up and working for a few weeks (I have a LSys rv042 on one end of the tunnel). And 2 days ago, I started getting similar messages. I was briefly viewing the logs last night, and it seems to me that the AH (of IPsec) failed due to some mismatch in the hash key. But I'd need to re-examine the logs to verify. My log was filled with these messages almost the whole day yesterday. And during that time, the tunnel was pretty much down; the rv042 wasn't reachable via the tunnel.

- PV

On 9/2/09, luismi asturlui...@gmail.com wrote:
> Yes, I know that link, and I checked my config and it seems to be OK. The Cisco side is:
>
>     crypto isakmp policy 10
>      encr 3des
>      authentication pre-share
>      group 2
>      lifetime 3600
>     crypto isakmp key address 11.22.33.44 no-xauth
>     crypto isakmp invalid-spi-recovery
>     crypto isakmp keepalive 10
>     !
>     !
>     crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
>     !
>     crypto map PFSVPN 15 ipsec-isakmp
>      description VPN IPSEC contra PFSense FW1
>      set peer 11.22.33.44
>      set security-association lifetime seconds 28800
>      set transform-set 3DES-SHA
>      set pfs group2
>      match address 100
>
> and on the pfSense side...
>
> under Phase 1 proposal (Authentication) I have 28800 seconds as lifetime
> under Phase 2 proposal (SA/Key Exchange) I have 3600 seconds as lifetime
>
> I don't see clearly whether those values are placed correctly against my Cisco configuration.

--
Sent from my mobile device
Re: [pfSense Support] Bridge?
a_subscribti...@fiberby.dk wrote:
> This is my setup:
>
> WAN  PUBLIC/30  - is obviously connected to my ISP.
> LAN  PRIVATE/24 - is NATted users with no special needs.
> OPT1 PUBLIC/29  - is handed out one by one to users with special needs.
> OPT2 PUBLIC/29  - IS WHAT I NEED HELP FOR!
>
> Since the user of OPT2 wants his own router to control/own this scope, how do I then set up the interface on my pfSense box? Should I create OPT2 as an interface bridged with WAN?
>
> Kind regards
> Anders Dahl

Don't bridge. Just make it just like LAN and then deny packets to/from OPT2 at all interfaces except WAN. Double NAT works for 99% of everything he will probably do. VoIP can get fussy, and hosting something publicly from this setup would be the other thing that is difficult.

Lyle Giese
LCR Computer Services, Inc.
[pfSense Support] Help with physdiskwrite
Hello everyone!

I wonder if someone could send me the physdiskwrite EXE, because I can't access the m0n0.ch website. I don't know if it's down or what is wrong with it, and I am in the middle of an embedded pfSense install here! ;)

TIA

--
Linux User #452368
http://twitter.com/vpadro
Manifiesto por una cultura libre: http://culturalibre.org/
Doing a thing well is often a waste of time.
Re: [pfSense Support] bogons list on website needs updating
On Wed, Sep 2, 2009 at 10:47 AM, Omar Thameeno...@westside.urbanblight.com wrote:
> Hi,
> The bogons list on the website, http://files.pfsense.org/bogon-bn-nonagg.txt, needs to be updated.

It's up to date, and updates automatically as needed.

> There are a number of networks that have been assigned per http://www.iana.org/assignments/ipv4-address-space/ that are still listed in the pfSense document.

It matches this exactly. http://www.cymru.com/Documents/bogon-bn-nonagg.txt

> Using 173.0.0.0/8 as an example:

Which isn't in there. It probably is in 1.2.2, as at the time of its release it was in the file. The one in releases is the most recent one as of the release date, and 1.2.2 and earlier won't update until the first of the month following the install. Post-1.2.2, when you finish the setup wizard it updates the file immediately.
Re: [pfSense Support] Help with physdiskwrite
On Wed, Sep 2, 2009 at 2:46 PM, Victor Padrovpa...@gmail.com wrote:
> Hello everyone! I wonder if someone could send me the physdiskwrite EXE, because I can't access the m0n0.ch website. I don't know if it's down or what is wrong with it, and I am in the middle of an embedded pfSense install here! ;) TIA

http://cvs.pfsense.org/~sullrich/physdiskwrite-0.5.2.zip
http://cvs.pfsense.org/~sullrich/physdiskwrite-0.5.2-PhysGUI-bundle.zip

Scott
Re: [pfSense Support] Help with physdiskwrite
On Wed, Sep 2, 2009 at 1:59 PM, Scott Ullrichsullr...@gmail.com wrote:
> On Wed, Sep 2, 2009 at 2:46 PM, Victor Padrovpa...@gmail.com wrote:
>> Hello everyone! I wonder if someone could send me the physdiskwrite EXE, because I can't access the m0n0.ch website. I don't know if it's down or what is wrong with it, and I am in the middle of an embedded pfSense install here! ;) TIA
>
> http://cvs.pfsense.org/~sullrich/physdiskwrite-0.5.2.zip
> http://cvs.pfsense.org/~sullrich/physdiskwrite-0.5.2-PhysGUI-bundle.zip
>
> Scott

Thanks Scott! :D

--
Linux User #452368
http://twitter.com/vpadro
Manifiesto por una cultura libre: http://culturalibre.org/
Doing a thing well is often a waste of time.
[pfSense Support] Problems with installation Developers-2.0
Trying to install from pfSense-Developers-2.0-ALPHA-ALPHA-20090901-1924.iso on an HP DL380 G4. MD5 is correct. Tried to burn another CD. Tried to install it in VMware; the result is the same. I see lots of errors like:

    ...
    /usr/sbin/clog: ERROR: could not write /var/log/ntpd.log (No space left on device)
    /usr/sbin/clog: ERROR: could not write /var/log/relayd.log (No space left on device)
    ..done.
    .: Can't open /etc/rc.php_ini_setup: No such file or directory
    Enter full pathname of shell or RETURN for /bin/sh:

After I hit ENTER and get a shell prompt I see that /var has 31M allocated and is 102% used, and /etc has 9.4M and is 102% used.

Please advise.
Eugene.
Re: [pfSense Support] Problems with installation Developers-2.0
On Wed, Sep 2, 2009 at 4:38 PM, Evgeny Yurchenkoevg.yu...@rogers.com wrote:
> Trying to install from pfSense-Developers-2.0-ALPHA-ALPHA-20090901-1924.iso on an HP DL380 G4. MD5 is correct. Tried to burn another CD. Tried to install it in VMware; the result is the same. I see lots of errors like:
>
>     ...
>     /usr/sbin/clog: ERROR: could not write /var/log/ntpd.log (No space left on device)
>     /usr/sbin/clog: ERROR: could not write /var/log/relayd.log (No space left on device)
>     ..done.
>     .: Can't open /etc/rc.php_ini_setup: No such file or directory
>     Enter full pathname of shell or RETURN for /bin/sh:
>
> After I hit ENTER and get a shell prompt I see that /var has 31M allocated and is 102% used, and /etc has 9.4M and is 102% used.

Install the default layout with only / ... No need for a separate /var/

Scott
Re: [pfSense Support] Problems with installation Developers-2.0
Scott Ullrich wrote:
> On Wed, Sep 2, 2009 at 4:38 PM, Evgeny Yurchenkoevg.yu...@rogers.com wrote:
>> Trying to install from pfSense-Developers-2.0-ALPHA-ALPHA-20090901-1924.iso on an HP DL380 G4. MD5 is correct. Tried to burn another CD. Tried to install it in VMware; the result is the same. I see lots of errors like:
>>
>>     ...
>>     /usr/sbin/clog: ERROR: could not write /var/log/ntpd.log (No space left on device)
>>     /usr/sbin/clog: ERROR: could not write /var/log/relayd.log (No space left on device)
>>     ..done.
>>     .: Can't open /etc/rc.php_ini_setup: No such file or directory
>>     Enter full pathname of shell or RETURN for /bin/sh:
>>
>> After I hit ENTER and get a shell prompt I see that /var has 31M allocated and is 102% used, and /etc has 9.4M and is 102% used.
>
> Install the default layout with only / ... No need for a separate /var/
>
> Scott

Excuse me. How do I do it? It does not ask me a single question, does not give me a single option to choose.

Eugene
Re: [pfSense Support] bogons list on website needs updating
On Wed, Sep 2, 2009 at 5:26 PM, Omar Thameeno...@westside.urbanblight.com wrote:
> Sorry about that. It turns out that I have 1.2-RC4 running at home, and that release references http://files.pfsense.org/mirrors/bogon-bn-nonagg.txt, which is out of date.

Ah, for something like 2 weeks that was referenced in snapshots, and that file was never updated (mirror sync overwrote it). I put in a redirect so that goes to the correct file. But you should upgrade regardless.
Re: [pfSense Support] Problems with installation Developers-2.0
On Wed, Sep 2, 2009 at 4:53 PM, Evgeny Yurchenkoevg.yu...@rogers.com wrote:
> Scott Ullrich wrote:
>> On Wed, Sep 2, 2009 at 4:38 PM, Evgeny Yurchenkoevg.yu...@rogers.com wrote:
>>> Trying to install from pfSense-Developers-2.0-ALPHA-ALPHA-20090901-1924.iso on an HP DL380 G4. MD5 is correct. Tried to burn another CD. Tried to install it in VMware; the result is the same. I see lots of errors like:
>>>
>>>     ...
>>>     /usr/sbin/clog: ERROR: could not write /var/log/ntpd.log (No space left on device)
>>>     /usr/sbin/clog: ERROR: could not write /var/log/relayd.log (No space left on device)
>>>     ..done.
>>>     .: Can't open /etc/rc.php_ini_setup: No such file or directory
>>>     Enter full pathname of shell or RETURN for /bin/sh:
>>>
>>> After I hit ENTER and get a shell prompt I see that /var has 31M allocated and is 102% used, and /etc has 9.4M and is 102% used.
>>
>> Install the default layout with only / ... No need for a separate /var/
>>
>> Scott
>
> Excuse me. How do I do it? It does not ask me a single question, does not give me a single option to choose.

It does that during the live CD boot? The developer builds seem to be broken; I just grabbed one that won't boot off CD, loops

    g_vfs_done():md3[WRITE(offset=random, length=random)]error = 28

over and over indefinitely, never boots.
[pfSense Support] assign regular private ip to nic connected to dsl modem
hail,

I'm just replacing an OpenBSD router with pfSense, and two things are missing for now:

this from the subject - rue0 is the NIC to the modem, and it has no addresses. I used to have 192.168.253.254 as the modem uses .253. I tried with virtual IPs (as it worked for the LAN side) and nothing. ifconfig shows:

    rue0: flags=108843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
            ether 00:e0:4c:03:6a:79
            inet6 fe80::2e0:4cff:fe03:6a79%rue0 prefixlen 64 scopeid 0x2
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active

and apart from this all is fine. Is there a way to do this from the webGUI? (I can ssh to it and change local.sh in /usr/local/etc/rc.d if that is the only way =] )

and, as I use rue0 and it has no ALTQ functionality, is there an 8.0-based snapshot to try? I have aue NICs here that ALTQ works with, but this way 7.x doesn't. Must be 8.x (tested already).

thanks,
matheus

--
We will call you cygnus,
The God of balance you shall be

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
http://en.wikipedia.org/wiki/Posting_style
Re: [pfSense Support] Bridge?
On Wed, Sep 2, 2009 at 10:59 AM, a_subscribti...@fiberby.dk wrote:
> This is my setup:
>
> WAN  PUBLIC/30  - is obviously connected to my ISP.
> LAN  PRIVATE/24 - is NATted users with no special needs.
> OPT1 PUBLIC/29  - is handed out one by one to users with special needs.
> OPT2 PUBLIC/29  - IS WHAT I NEED HELP FOR!
>
> Since the user of OPT2 wants his own router to control/own this scope, how do I then set up the interface on my pfSense box? Should I create OPT2 as an interface bridged with WAN?

No. Just assign one of the IPs out of the /29 to that interface, give the user the rest, and have them use that one as the gateway.