Re: [pfSense Support] interesting traffic is not encapsulated

2009-09-23 Thread Evgeny Yurchenko

Evgeny Yurchenko wrote:

Chris Buechler wrote:
On Tue, Sep 22, 2009 at 11:10 PM, Evgeny Yurchenko 
evg.yu...@rogers.com wrote:
I cannot ping 10.29.11.1 or 10.29.11.2 from any host connected to LAN
pfSense1. Traffic does not go over IPSec but is instead NATed and goes to the
Internet.
On WAN (ng0):
20:29:13.951253 IP x.x.x.106 > 10.29.11.1: ICMP echo request, id 1781, seq 6706, length 40
20:29:19.451065 IP x.x.x.106 > 10.29.11.1: ICMP echo request, id 1781, seq 6962, length 40
20:29:24.950912 IP x.x.x.106 > 10.29.11.1: ICMP echo request, id 1781, seq 7218, length 40

Can anybody explain this?



If it's initiated from the firewall, and initiated from a source IP
that's part of the IPsec connection, it will traverse the IPsec. If
you don't tell it where to initiate, and you don't have the static
route described in the aforementioned FAQ, it will follow the system
routing table which generally means it won't go over IPsec.

I totally understand it and agree, but my purpose is to allow hosts
from one subnet to reach another (remote) subnet, and this does not work.
This trace is for the case when traffic is initiated by PC 10.29.1.34
(connected to LAN pfSense1).
I mentioned traffic initiated from the firewall only to demonstrate
that the IPSec tunnel is up and running.

Eugene

Interesting update. A host connected to LAN pfSense1 continuously pings the
LAN interface of pfSense2. Traffic is supposed to go over the IPSec tunnel.


LAN pfSense1:# tcpdump -ni fxp0 -n net 10.29.11.0/24
17:10:07.604717 IP 10.29.1.34 > 10.29.11.1: ICMP echo request, id 1024, seq 8276, length 40
17:10:09.104694 IP 10.29.1.34 > 10.29.11.1: ICMP echo request, id 1024, seq 8532, length 40
17:10:10.604652 IP 10.29.1.34 > 10.29.11.1: ICMP echo request, id 1024, seq 8788, length 40
17:10:12.104580 IP 10.29.1.34 > 10.29.11.1: ICMP echo request, id 1024, seq 9044, length 40
17:10:13.604540 IP 10.29.1.34 > 10.29.11.1: ICMP echo request, id 1024, seq 9300, length 40
17:10:15.104483 IP 10.29.1.34 > 10.29.11.1: ICMP echo request, id 1024, seq 9556, length 40
17:10:16.604445 IP 10.29.1.34 > 10.29.11.1: ICMP echo request, id 1024, seq 9812, length 40
17:10:18.104359 IP 10.29.1.34 > 10.29.11.1: ICMP echo request, id 1024, seq 10068, length 40
17:10:19.604352 IP 10.29.1.34 > 10.29.11.1: ICMP echo request, id 1024, seq 10324, length 40
17:10:21.104285 IP 10.29.1.34 > 10.29.11.1: ICMP echo request, id 1024, seq 10580, length 40
17:10:22.604232 IP 10.29.1.34 > 10.29.11.1: ICMP echo request, id 1024, seq 10836, length 40
17:10:24.104175 IP 10.29.1.34 > 10.29.11.1: ICMP echo request, id 1024, seq 11092, length 40
17:10:25.604131 IP 10.29.1.34 > 10.29.11.1: ICMP echo request, id 1024, seq 11348, length 40
17:10:27.104047 IP 10.29.1.34 > 10.29.11.1: ICMP echo request, id 1024, seq 11604, length 40
17:10:28.603996 IP 10.29.1.34 > 10.29.11.1: ICMP echo request, id 1024, seq 11860, length 40
17:10:30.103990 IP 10.29.1.34 > 10.29.11.1: ICMP echo request, id 1024, seq 12116, length 40
17:10:31.603892 IP 10.29.1.34 > 10.29.11.1: ICMP echo request, id 1024, seq 12372, length 40

^C
20 packets captured
2001 packets received by filter
0 packets dropped by kernel

*** IPSec is totally disabled on pfSense1 ***
WAN pfSense1: # tcpdump -ni ng0 host y.y.y.155 or net 10.29.11.0/24
17:10:07.604813 IP x.x.x.206.106 > 10.29.11.1: ICMP echo request, id 54116, seq 8276, length 40
17:10:09.104899 IP x.x.x.206.106 > 10.29.11.1: ICMP echo request, id 54116, seq 8532, length 40
17:10:10.604888 IP x.x.x.206.106 > 10.29.11.1: ICMP echo request, id 54116, seq 8788, length 40

*** Enable IPSec on pfSense1 ***
17:10:12.363997 IP x.x.x.206.106.500 > 38.104.156.155.500: isakmp: phase 1 I agg
17:10:12.689959 IP 38.104.156.155.500 > x.x.x.206.106.500: isakmp: phase 1 R agg

17:10:12.759339 IP x.x.x.206.106.500 > y.y.y.155.500: isakmp: phase 1 I agg
17:10:12.760546 IP x.x.x.206.106.500 > y.y.y.155.500: isakmp: phase 2/others I inf[E]
17:10:13.796275 IP x.x.x.206.106.500 > y.y.y.155.500: isakmp: phase 2/others I oakley-quick[E]
17:10:14.010480 IP y.y.y.155.500 > x.x.x.206.106.500: isakmp: phase 2/others R oakley-quick[E]
17:10:14.012456 IP x.x.x.206.106.500 > y.y.y.155.500: isakmp: phase 2/others I oakley-quick[E]
17:10:15.105113 IP x.x.x.206.106 > y.y.y.155: ESP(spi=0x0d9554c6,seq=0x1), length 92
17:10:16.604921 IP x.x.x.206.106 > y.y.y.155: ESP(spi=0x0d9554c6,seq=0x2), length 92
17:10:18.104787 IP x.x.x.206.106 > y.y.y.155: ESP(spi=0x0d9554c6,seq=0x3), length 92
17:10:19.604818 IP x.x.x.206.106 > y.y.y.155: ESP(spi=0x0d9554c6,seq=0x4), length 92
17:10:21.104759 IP x.x.x.206.106 > y.y.y.155: ESP(spi=0x0d9554c6,seq=0x5), length 92
17:10:22.604735 IP x.x.x.206.106 > y.y.y.155: ESP(spi=0x0d9554c6,seq=0x6), length 92
17:10:24.104578 IP x.x.x.206.106 > y.y.y.155: ESP(spi=0x0d9554c6,seq=0x7), length 92
17:10:25.604655 IP x.x.x.206.106 > y.y.y.155: ESP(spi=0x0d9554c6,seq=0x8), length 92
17:10:27.104167 IP x.x.x.206.106 > 10.29.11.1: ICMP echo request, id 54116, seq 11604, length 40
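
As an added example (my own code, not code from the thread or from pfSense): a small Python check that reads a WAN-side tcpdump summary like the ones above and flags any packet bound for the remote subnet that is not ESP or ISAKMP to the peer, i.e. "interesting" traffic that left in cleartext. It also reports whether a leak happened after ESP was already flowing (the last line of the capture above is such a case) and which IKEv1 phase 1 exchange type tcpdump saw (the capture shows aggressive mode, "I agg"). REMOTE_NET and the peer address are taken from the thread; the sample capture is constructed in the style of the posted output and is not the original.

```python
"""Added example, not from the thread: scan a WAN-side "tcpdump -n" summary for
IPsec 'interesting' traffic that left in cleartext instead of inside ESP."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

REMOTE_NET = ipaddress.ip_network("10.29.11.0/24")  # LAN behind pfSense2 (from the thread)
PEER_WAN = "y.y.y.155"                              # redacted peer WAN address (from the thread)

# "tcpdump -n" summary line: "<timestamp> IP <src> > <dst>: <rest>"
LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")


@dataclass
class Packet:
    ts: str
    src: str
    dst: str
    proto: str  # "ESP", "ISAKMP", "ICMP" or "OTHER"
    info: str


def parse_line(line: str) -> Optional[Packet]:
    """Parse one summary line; None for non-packet lines ("^C", the capture trailer, blanks)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, dst, rest = m.group("src"), m.group("dst"), m.group("rest")
    if rest.startswith("ESP("):
        proto = "ESP"
    elif rest.startswith("isakmp:"):
        proto = "ISAKMP"
        # UDP endpoints print as "addr.port"; drop the trailing ".500" so dst compares to PEER_WAN.
        src, dst = src.rsplit(".", 1)[0], dst.rsplit(".", 1)[0]
    elif rest.startswith("ICMP"):
        proto = "ICMP"
    else:
        proto = "OTHER"
    return Packet(m.group("ts"), src, dst, proto, rest)


def _in_remote_net(addr: str) -> bool:
    try:
        return ipaddress.ip_address(addr) in REMOTE_NET
    except ValueError:
        return False  # redacted addresses such as "x.x.x.206.106" do not parse


def find_leaks(lines: List[str]) -> List[Packet]:
    """Packets seen on the WAN whose destination is inside REMOTE_NET.
    Traffic for the remote LAN should leave only as ESP to PEER_WAN; a cleartext
    packet to 10.29.11.x on the WAN was routed and NATed instead of matched by the IPsec policy."""
    return [p for p in (parse_line(ln) for ln in lines)
            if p is not None and p.proto not in ("ESP", "ISAKMP") and _in_remote_net(p.dst)]


def leaks_after_tunnel_up(lines: List[str]) -> int:
    """Count leaks that occur after the first ESP packet to PEER_WAN. Leaks before any SA
    exists are unsurprising; leaks while ESP is already flowing deserve attention."""
    tunnel_up, count = False, 0
    for ln in lines:
        pkt = parse_line(ln)
        if pkt is None:
            continue
        if pkt.proto == "ESP" and pkt.dst == PEER_WAN:
            tunnel_up = True
        elif tunnel_up and pkt.proto not in ("ESP", "ISAKMP") and _in_remote_net(pkt.dst):
            count += 1
    return count


def phase1_mode(lines: List[str]) -> Optional[str]:
    """IKEv1 phase 1 exchange type as tcpdump labels it: "agg" (aggressive) or "ident" (main).
    Aggressive mode with a pre-shared key exposes the identity and a PSK-derived hash
    on the wire, so it is worth surfacing in a review."""
    for ln in lines:
        pkt = parse_line(ln)
        if pkt and pkt.proto == "ISAKMP" and "phase 1" in pkt.info:
            if " agg" in pkt.info:
                return "aggressive"
            if " ident" in pkt.info:
                return "main"
    return None


# Constructed sample, modelled on the thread's WAN capture (not the original output).
SAMPLE_WAN_CAPTURE = """\
17:10:07.604813 IP x.x.x.206.106 > 10.29.11.1: ICMP echo request, id 54116, seq 8276, length 40
17:10:09.104899 IP x.x.x.206.106 > 10.29.11.1: ICMP echo request, id 54116, seq 8532, length 40
17:10:12.363997 IP x.x.x.206.106.500 > y.y.y.155.500: isakmp: phase 1 I agg
17:10:12.689959 IP y.y.y.155.500 > x.x.x.206.106.500: isakmp: phase 1 R agg
17:10:13.796275 IP x.x.x.206.106.500 > y.y.y.155.500: isakmp: phase 2/others I oakley-quick[E]
17:10:14.010480 IP y.y.y.155.500 > x.x.x.206.106.500: isakmp: phase 2/others R oakley-quick[E]
17:10:15.105113 IP x.x.x.206.106 > y.y.y.155: ESP(spi=0x0d9554c6,seq=0x1), length 92
17:10:16.604921 IP x.x.x.206.106 > y.y.y.155: ESP(spi=0x0d9554c6,seq=0x2), length 92
17:10:27.104167 IP x.x.x.206.106 > 10.29.11.1: ICMP echo request, id 54116, seq 11604, length 40
^C
9 packets captured
""".splitlines()

if __name__ == "__main__":
    for p in find_leaks(SAMPLE_WAN_CAPTURE):
        print(f"LEAK {p.ts} {p.src} -> {p.dst}: {p.info}")
    print("phase 1 mode:", phase1_mode(SAMPLE_WAN_CAPTURE))
    print("leaks after tunnel up:", leaks_after_tunnel_up(SAMPLE_WAN_CAPTURE))
```

Run it against a real capture with `tcpdump -ni ng0 host <peer> or net 10.29.11.0/24 | python3 leakcheck.py` style piping (adapt the interface and peer). Cleartext hits before the first ESP packet just mean no SA existed yet; a hit after ESP is flowing, like the final ICMP in the thread's capture, is the one to chase in the phase 2 selectors and outbound NAT ordering.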

Re: [pfSense Support] Quad NIC's?

2009-09-23 Thread Simon Dick
2009/9/23 Morgan Reed morgan.s.r...@gmail.com:
> On Wed, Sep 23, 2009 at 10:26, Luke Jaeger ad...@pvpa.org wrote:
>> Are there any known issues with quad NIC cards on a pfSense box?
>
> Should be fine, your average (decent) quad NIC is a PCI(express)
> bridge on a card with what essentially amounts to 4 individual network
> adapters on it, far as pfSense is concerned there's 4 NICs (of
> whatever variety) plugged in.

I've never had trouble with using PCI quad port cards with pfSense, I
even once used a 4 port 10Mb card with built in hub... :)

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



[pfSense Support] Re: Quad NIC's?

2009-09-23 Thread Dave Warren
In message f68e3c0e0909230911v178948e3v8380845007f80...@mail.gmail.com
Simon Dick sim...@irrelevant.org was claimed to have written:

> I even once used a 4 port 10Mb card with built in hub... :)

Those were fun days, weren't they?

