Re: [pfSense Support] RE: Openvpn routing config help

2010-12-11 Thread Chris Buechler
On Sat, Dec 11, 2010 at 1:52 AM, Joseph L. Casale
jcas...@activenetwerx.com wrote:
What has to be done to let LAN clients access resources across the tunnel now 
from the pfsense side of the config?

 Found http://forum.pfsense.org/index.php/topic,12888.0.html which worked well.
 I didn't use client-to-client and did specify a tun device that is associated with an OPT
 interface, as well as specifying a network in each client-specific configuration matching
 each connection's common name.

 Clients can't see each other now. I can see the clients take the applicable address, but
 filtering has no effect: all traffic gets passed through the OPT interface into the LAN
 interface even if a block any/any rule is first?


Make sure you follow all the steps here (order doesn't matter if
you've already done some/most)
http://doc.pfsense.org/index.php/OpenVPN_Traffic_Filtering_on_1.2.3

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] CARP support broken in kernel?

2010-12-11 Thread st41ker
Hello,

Understood. The requested changes have been made and the result is the
same.

Please clarify exactly which statistics you need.
Here is the complete output of netstat -ss

#uptime; netstat -ss
12:28PM  up 33 mins, 2 users, load averages: 0.23, 0.23, 0.11
tcp:
14643 packets sent
6316 data packets (2478656 bytes)
433 data packets (375832 bytes) retransmitted
25 data packets unnecessarily retransmitted
7266 ack-only packets (0 delayed)
85 window update packets
552 control packets
12769 packets received
6093 acks (for 2483590 bytes)
255 duplicate acks
 packets (2405848 bytes) received in-sequence
1 out-of-order packet (0 bytes)
11 window update packets
193 connection requests
205 connection accepts
4 ignored RSTs in the windows
396 connections established (including accepts)
388 connections closed (including 17 drops)
119 connections updated cached RTT on close
128 connections updated cached RTT variance on close
41 connections updated cached ssthresh on close
2 embryonic connections dropped
5376 segments updated rtt (of 5566 attempts)
638 retransmit timeouts
12 connections dropped by rexmit timeout
2 keepalive timeouts
2 connections dropped by keepalive
1986 correct data packet header predictions
205 syncache entries added
5 retransmitted
3 dropped
205 completed
208 cookies sent
130 SACK options (SACK blocks) received
udp:
2200 datagrams received
173 dropped due to no socket
589 broadcast/multicast datagrams undelivered
1438 delivered
11169 datagrams output
sctp:
Packet drop statistics:
Timeouts:
ip:
68772 total packets received
125 bad header checksums
56439 packets for this host
6 packets for unknown/unsupported protocol
7670 packets forwarded
150 packets not forwardable
29848 packets sent from this host
1182 output packets discarded due to no route
icmp:
1544 calls to icmp_error
Output histogram:
echo reply: 56
destination unreachable: 148
Input histogram:
echo reply: 1900
echo: 56
56 message responses generated
ICMP address mask responses are disabled
igmp:
509 messages received
506 membership reports received
503 membership reports received with invalid field(s)
15 membership reports sent
ipsec:
ah:
esp:
ipcomp:
pim:
carp:
17235 packets received (IPv4)
17225 discarded for bad vhid
12296 packets sent (IPv4)
pfsync:
21776 packets received (IPv4)
21768 packets discarded for bad interface
12898 packets sent (IPv4)
arp:
2381 ARP requests sent
61 ARP replies sent
3735 ARP requests received
27 ARP replies received
3762 ARP packets received
2317 total packets dropped due to no ARP entry
26 ARP entrys timed out
ip6:
51 total packets received
51 packets sent from this host
Input histogram:
ICMP6: 51
Mbuf statistics:
0 one mbuf
51 one ext mbuf
0 two or more ext mbuf
Source addresses selection rule applied:
icmp6:
Output histogram:
neighbor solicitation: 12
MLDv2 listener report: 37
Histogram of error messages to be generated:
ipsec6:
rip6:
pfkey:
2 requests sent from userland
32 bytes sent from userland
histogram by message type:
flush: 1
x_spdflush: 1
2 requests sent to userland
32 bytes sent to userland
histogram by message type:
flush: 1
x_spdflush: 1

According to ip_carp.c this counter (discarded for bad vhid) is
incremented each time the physical interface on which a CARP packet was
received does not have any CARP interface associated with it, or if the VHIDs
of the associated CARP interfaces do not include the VHID carried in the
received packet. IMHO the problem could be in the binaries.
Anyway, I've double-checked each VLAN interface on the router for CARP
packets that could land on the wrong one due to switch/pfSense
interface misconfiguration, and there were no signs of such
misconfiguration. Every CARP packet gets to the right destination.
Also there are intermittent CARP status changes, but not for all
interfaces and without any logic.

On Fri, 10 Dec 2010 20:58:16 +0100, Ermal Luçi ermal.l...@gmail.com
wrote:
 Can you please try this change:
 diff --git 
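
The `netstat -ss` dump above is long and the interesting figures (17225 of 17235 CARP packets discarded for bad vhid, 21768 of 21776 pfsync packets discarded for bad interface) are easy to miss. The script below is an added example, not code from the poster or from pfSense: it parses the `name:` / `<count> <description>` layout of `netstat -ss` and turns the carp and pfsync discard counters into ratios that can be checked against a threshold. The embedded sample is a constructed excerpt of the output posted above; the 5% threshold and the rule "any counter whose description contains 'discarded' counts against any counter containing 'received'" are assumptions of this example.

```python
"""Turn the carp:/pfsync: counters of `netstat -ss` into discard ratios."""
import re

# Constructed sample: the carp, pfsync and (part of) arp sections copied from the post above.
SAMPLE = """\
carp:
17235 packets received (IPv4)
17225 discarded for bad vhid
12296 packets sent (IPv4)
pfsync:
21776 packets received (IPv4)
21768 packets discarded for bad interface
12898 packets sent (IPv4)
arp:
2381 ARP requests sent
Output histogram:
"""


def parse_netstat_ss(text):
    """Return {section: {description: count}} for each top-level `name:` section.

    Counter lines are '<count> <description>'. Sub-headings such as
    'Output histogram:' and lines without a leading integer are skipped.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = re.fullmatch(r"([a-z0-9]+):", line)
        if sec:
            current = sec.group(1)
            sections.setdefault(current, {})
            continue
        cnt = re.fullmatch(r"(\d+)\s+(.+)", line)
        if cnt and current is not None:
            sections[current][cnt.group(2)] = int(cnt.group(1))
    return sections


def discard_ratio(counters):
    """Fraction of received packets that the 'discarded' counters account for (assumption)."""
    received = sum(v for k, v in counters.items() if "received" in k)
    discarded = sum(v for k, v in counters.items() if "discarded" in k)
    return (discarded / received) if received else 0.0


def check_ha_counters(text, threshold=0.05):
    """Findings for carp and pfsync whose discard ratio reaches `threshold`."""
    sections = parse_netstat_ss(text)
    findings = []
    for name in ("carp", "pfsync"):
        counters = sections.get(name, {})
        ratio = discard_ratio(counters)
        if ratio >= threshold:
            findings.append({
                "section": name,
                "received": sum(v for k, v in counters.items() if "received" in k),
                "discarded": sum(v for k, v in counters.items() if "discarded" in k),
                "ratio": round(ratio, 4),
            })
    return findings


if __name__ == "__main__":
    for f in check_ha_counters(SAMPLE):
        print(f"{f['section']}: {f['discarded']}/{f['received']} discarded ({f['ratio']:.1%})")
```

On the posted numbers both sections come out above 99% discarded, which is the figure worth quoting when asking the developers what to look at next; rerunning the script after a change (as in the reply above) shows at a glance whether the ratio moved.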

HA: Re: [pfSense Support] 2.0 - don't work Ipsec!

2010-12-11 Thread drovalev
Hi, pfSense does not send or receive IPsec messages to the remote gateway!

   Network topology:

192.168.8.0/24 (LAN) - pfSense 2.0 (WAN) 192.168.180.1 <-> 192.168.180.13 (WAN) monowall (LAN) - 172.20.34.0/24



1.) If the initial connection is from the remote net to the local net (172.20.34.0/24 ->
192.168.8.0/24),

--remote monowall racoon.conf--

path pre_shared_key /var/etc/psk.txt;
path certificate  /var/etc;

remote 192.186.180.1 {
exchange_mode aggressive;
my_identifier user_fqdn k...@kaluga-gov.ru;

peers_identifier address 192.186.180.1;
initial_contact on;
support_proxy on;
proposal_check obey;

proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
lifetime time 3600 secs;
}
lifetime time 3600 secs;
}

sainfo address 172.20.34.0/24 any address 192.168.8.0/24 any {
encryption_algorithm blowfish;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
pfs_group 1;
lifetime time 3600 secs;
}

--END monowall racoon.conf--

- pfsense racoon.conf---
# This file is automatically generated. Do not edit
path pre_shared_key /var/etc/psk.txt;

path certificate  /var/etc;


listen
{
adminsock /var/db/racoon/racoon.sock root wheel 0660;
isakmp 192.168.180.1 [500];
isakmp_natt 192.168.180.1 [4500];
}


remote 192.186.180.13
{
ph1id 6;
exchange_mode aggressive;
my_identifier address 192.168.180.1;
peers_identifier user_fqdn k...@kaluga-gov.ru;
ike_frag on;
generate_policy = off;
initial_contact = on;
nat_traversal = off;


dpd_delay = 10;
dpd_maxfail = 5;
support_proxy on;
proposal_check obey;


proposal
{
authentication_method pre_shared_key;
encryption_algorithm 3des;
hash_algorithm sha1;
dh_group 2;
lifetime time 3600 secs;
}
}

sainfo subnet 192.168.8.0/24 any subnet 172.20.34.0/24 any
{
remoteid 6;
encryption_algorithm blowfish 256, blowfish 248, blowfish 240,
blowfish 232, blowfish 224, blowfish 216, blowfish 208, blowfish 200,
blowfish 192, blowfish 184, blowfish 176, blowfish 168, blowfish 160,
blowfish 152, blowfish 144, blowfish 136, blowfish 128;
authentication_algorithm hmac_sha1;
pfs_group 2;
lifetime time 3600 secs;
compression_algorithm deflate;
}
 END pfsense racoon.conf -

a.) remote monowall racoon.log

Dec 11 16:38:20 racoon: DEBUG: get pfkey ACQUIRE message
Dec 11 16:38:20 racoon: DEBUG: suitable outbound SP found: 172.20.34.0/24[0] 192.168.8.0/24[0] proto=any dir=out.
Dec 11 16:38:20 racoon: DEBUG: sub:0xbfbff460: 192.168.8.0/24[0]
172.20.34.0/24[0] proto=any dir=in
Dec 11 16:38:20 racoon: DEBUG: db :0x80a5a08: 172.20.34.0/24[0]
172.20.34.1/32[0] proto=any dir=in
Dec 11 16:38:20 racoon: DEBUG: sub:0xbfbff460: 192.168.8.0/24[0]
172.20.34.0/24[0] proto=any dir=in
Dec 11 16:38:20 racoon: DEBUG: db :0x80a5c08: 192.168.8.0/24[0]
172.20.34.0/24[0] proto=any dir=in
Dec 11 16:38:20 racoon: DEBUG: suitable inbound SP found: 192.168.8.0/24
[0] 172.20.34.0/24[0] proto=any dir=in.
Dec 11 16:38:20 racoon: DEBUG: new acquire 172.20.34.0/24[0]
192.168.8.0/24[0] proto=any dir=out
Dec 11 16:38:20 racoon: DEBUG: (proto_id=ESP spisize=4 spi=
spi_p= encmode=Tunnel reqid=16426:16425)
Dec 11 16:38:20 racoon: DEBUG: (trns_id=BLOWFISH encklen=128
authtype=hmac-sha)
Dec 11 16:38:20 racoon: DEBUG: configuration found for 192.186.180.1.
Dec 11 16:38:20 racoon: INFO: IPsec-SA request for 192.186.180.1 queued
due to no phase1 found.
Dec 11 16:38:20 racoon: DEBUG: ===
Dec 11 16:38:20 racoon: INFO: initiate new phase 1 negotiation:
192.168.180.13[500]<=>192.186.180.1[500]
Dec 11 16:38:20 racoon: INFO: begin Aggressive mode.
Dec 11 16:38:20 racoon: DEBUG: new cookie: bd8323a305dc6618
Dec 11 16:38:20 racoon: DEBUG: use ID type of User_FQDN
Dec 11 16:38:20 racoon: DEBUG: compute DH's private.
Dec 11 16:38:20 racoon: DEBUG: 50b121a0 b0639e68 c03f785c c5750692
9ef93e85 2ab97fe9 1524af19 578f99f4 c44f4a08 3af43dc7 6bd94b4f 3f48b220
03d7c270 ed5a7b76 2d054820 90bcef3f c893a102 ae6d2726 d7fedc3f eb5012c2
98163336 247a9e77 842b7b56 e3d89d32 71b7e676 a9a18b0e 77794232 dd509b6d
74714418 ee7cbb50 1697e380 4fd87b6a
Dec 11 16:38:20 racoon: DEBUG: compute DH's public.
Dec 11 16:38:20 racoon: DEBUG: b1ac5940 e16f0a79 403b7ee8 2a190e74
cc2cc43d 6ddb5bdb c8e5d1b6 bc6d03d0 aa6fcde5 7b97d694 43ec6a41 dc470544
6ef87a11 9711c2d9 2d731fa8 
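
Before chasing phase 1 in the logs, it pays to check that the two racoon.conf files agree with each other: the peer address one side dials must be the address the other side listens on, each side's peers_identifier must equal the other side's my_identifier, the phase 1 proposals must match, the sainfo subnets must mirror each other and pfs_group must be the same. The script below is an added example and is not code from the poster, from pfSense or from racoon; it parses the small subset of racoon.conf syntax used above (blocks in braces, `key value;` statements, comma-separated algorithm lists, an optional `=` as pfSense writes it) and reports every disagreement. The two embedded configurations are abbreviated copies of the ones posted above, keeping only the statements the check reads; the elided identifier `k...@kaluga-gov.ru` is kept exactly as posted. Run against them, the check reports the disagreements visible in the post: the monowall side dials and expects 192.186.180.1 while pfSense listens on and identifies as 192.168.180.1, and pfs_group is 1 on one side and 2 on the other.

```python
"""Cross-check both ends of a racoon site-to-site configuration for mismatches."""
import re

# Abbreviated copies of the two racoon.conf files from the post above; only the
# statements this check reads were kept.
MONOWALL_CONF = """
remote 192.186.180.1 {
    exchange_mode aggressive;
    my_identifier user_fqdn k...@kaluga-gov.ru;
    peers_identifier address 192.186.180.1;
    proposal { encryption_algorithm 3des; hash_algorithm sha1;
               authentication_method pre_shared_key; dh_group 2; }
}
sainfo address 172.20.34.0/24 any address 192.168.8.0/24 any {
    encryption_algorithm blowfish; authentication_algorithm hmac_sha1; pfs_group 1;
}
"""

PFSENSE_CONF = """
# This file is automatically generated. Do not edit
listen { isakmp 192.168.180.1 [500]; isakmp_natt 192.168.180.1 [4500]; }
remote 192.186.180.13 {
    exchange_mode aggressive;
    my_identifier address 192.168.180.1;
    peers_identifier user_fqdn k...@kaluga-gov.ru;
    generate_policy = off;
    proposal { authentication_method pre_shared_key; encryption_algorithm 3des;
               hash_algorithm sha1; dh_group 2; }
}
sainfo subnet 192.168.8.0/24 any subnet 172.20.34.0/24 any {
    encryption_algorithm blowfish 256, blowfish 192, blowfish 128;
    authentication_algorithm hmac_sha1; pfs_group 2;
}
"""


def parse_racoon(text):
    """Parse a racoon.conf subset into nested blocks (assumed syntax, see lead-in).

    Each block is {"head": [tokens before '{'], "stmts": [[tokens]], "blocks": [...]}.
    '#' comments are dropped; ',' and a bare '=' between key and value are ignored.
    """
    text = re.sub(r"#[^\n]*", "", text)
    root = {"head": [], "stmts": [], "blocks": []}
    stack, cur = [root], []
    for tok in re.findall(r"[{};,]|[^\s{};,]+", text):
        if tok == "{":
            blk = {"head": cur, "stmts": [], "blocks": []}
            stack[-1]["blocks"].append(blk)
            stack.append(blk)
            cur = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            if cur:
                stack[-1]["stmts"].append(cur)
            cur = []
        elif tok not in ("=", ","):
            cur.append(tok)
    return root


def stmt(block, key):
    """Value tokens of the first statement named `key` in `block` ([] if absent)."""
    for s in block["stmts"] if block else []:
        if s[0] == key:
            return s[1:]
    return []


def child(block, name):
    """First sub-block whose header starts with `name`, or None."""
    for b in block["blocks"] if block else []:
        if b["head"][:1] == [name]:
            return b
    return None


def summarize(text):
    """Pull the fields that must agree between the two peers out of one config."""
    root = parse_racoon(text)
    remote, sainfo, listen = child(root, "remote"), child(root, "sainfo"), child(root, "listen")
    if remote is None or sainfo is None:
        raise ValueError("need one remote and one sainfo block")
    prop = child(remote, "proposal")
    head = sainfo["head"]  # sainfo (address|subnet) LOCAL any (address|subnet) REMOTE any
    return {
        "peer": remote["head"][1],
        "listen": stmt(listen, "isakmp")[:1],
        "my_id": stmt(remote, "my_identifier"),
        "peers_id": stmt(remote, "peers_identifier"),
        "exchange_mode": stmt(remote, "exchange_mode"),
        "phase1": {k: stmt(prop, k) for k in
                   ("authentication_method", "encryption_algorithm", "hash_algorithm", "dh_group")},
        "local_net": head[2],
        "remote_net": head[5],
        "pfs_group": stmt(sainfo, "pfs_group"),
        "phase2_enc": {t for t in stmt(sainfo, "encryption_algorithm") if not t.isdigit()},
        "phase2_auth": stmt(sainfo, "authentication_algorithm"),
    }


def cross_check(a_text, b_text, a_name="A", b_name="B"):
    """Return human-readable mismatches between the two ends ([] when consistent)."""
    a, b = summarize(a_text), summarize(b_text)
    problems = []
    for x, xn, y, yn in ((a, a_name, b, b_name), (b, b_name, a, a_name)):
        # The address X dials must be the one Y listens on (or identifies itself by).
        target = y["listen"] or (y["my_id"][1:] if y["my_id"][:1] == ["address"] else [])
        if target and x["peer"] != target[0]:
            problems.append(f"{xn} dials {x['peer']} but {yn} is {target[0]}")
        if x["peers_id"] != y["my_id"]:
            problems.append(f"{xn} peers_identifier {x['peers_id']} != {yn} my_identifier {y['my_id']}")
        if x["local_net"] != y["remote_net"]:
            problems.append(f"{xn} local net {x['local_net']} != {yn} remote net {y['remote_net']}")
    for key in ("exchange_mode", "phase1", "pfs_group", "phase2_auth"):
        if a[key] != b[key]:
            problems.append(f"{key}: {a_name}={a[key]} {b_name}={b[key]}")
    if not a["phase2_enc"] & b["phase2_enc"]:
        problems.append(f"no common phase 2 cipher: {a['phase2_enc']} vs {b['phase2_enc']}")
    return problems


FINDINGS = cross_check(MONOWALL_CONF, PFSENSE_CONF, "monowall", "pfSense")

if __name__ == "__main__":
    for p in FINDINGS:
        print("MISMATCH:", p)
```

The monowall side has no listen block and identifies itself by user_fqdn, so the check cannot confirm that pfSense's `remote 192.186.180.13` matches anything on that side; it only reports what both files state. Key lengths in the phase 2 cipher list are deliberately ignored, since the monowall side leaves them to racoon's default and the log above shows it proposing encklen=128.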

Re: HA: Re: [pfSense Support] 2.0 - don't work Ipsec!

2010-12-11 Thread James Bensley
The IPSec site-to-site link I have in place between two sites runs
over ADSL which I get from two different providers, one at each end.

One of them (BT) is blocking traffic on UDP ports 500 and 4500. I
suspect the technical reasoning for this is that they are
twats... Nonetheless, I have to use port redirection. Outgoing
traffic on UDP ports 500 and 4500 is NAT'd on the way out to the
destination on 501 and 4501 respectively. At the other end, connections
coming in on UDP ports 501 and 4501 are NAT'd to the firewall on 500
and 4500 respectively.

Check that you actually have connectivity between the two sites first; ping
them perhaps... Then check there is UDP connectivity on these ports, and
also try other UDP ports in case they are being blocked/filtered.

-- 
Regards,
James.

http://www.jamesbensley.co.cc/

There are 10 kinds of people in the world; Those who understand
Vigesimal, and J others...?




Re: HA: Re: [pfSense Support] 2.0 - don't work Ipsec!

2010-12-11 Thread st41ker
Hi,

JFYI: you must use only those cryptographic services/algorithms which
have been certified by the FSB (ФСБ) and/or FSTEC (ФСТЭК) (I'm not sure how it sounds
in English).
It seems like Blowfish is under question in your case.

On Sat, 11 Dec 2010 14:28:26 +0300, drova...@kaluga-gov.ru wrote:
 Hi, pfSense does not send or receive IPsec messages to the remote gateway!

RE: [pfSense Support] RE: Openvpn routing config help

2010-12-11 Thread Joseph L. Casale
Make sure you follow all the steps here (order doesn't matter if you've 
already done some/most)
http://doc.pfsense.org/index.php/OpenVPN_Traffic_Filtering_on_1.2.3

All done, and double-checked. I actually use this for a standard road-warrior
setup for my first OpenVPN config running on 1194, and it works: clients can only
see TCP 3389 for one remote desktop server.

The second instance on 1195 has a custom option of `dev tun1` and is associated
with a new OPT interface, and it has a block** yet remote clients can see any resource.

Thanks!
jlc
