[pfSense Support] IPSEC problem on pfSense 1.2.3

2011-06-01 Thread Carlos Vicente
Hi all,

I have pfSense 1.2.3 with OpenVPN working. I want IPSEC for mobile clients
on the same box, so I configured it and I can bring the tunnel up, but I
can't ping, or access the LAN address of the box.
The firewall rules on ipsec tab are correct, but I can't see any traffic on
the firewall log from ipsec interface.

Thanks in advance,

Carlos

-- 

http://www.sebastiaoguerra.com
http://www.atelierdamoto.com
http://www.blocoa3.com
--
This e-mail and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this e-mail in error please notify us.

Before printing this e-mail, consider whether you really need to.

Re: [pfSense Support] IPSEC problem on pfSense 1.2.3

2011-06-01 Thread Vick Khera
On Wed, Jun 1, 2011 at 6:42 AM, Carlos Vicente wrote:
> I have pfSense 1.2.3 with OpenVPN working. I want IPSEC for mobile clients
> on the same box, so I configured it and I can bring the tunnel up, but I
> can't ping, or access the LAN address of the box.
> The firewall rules on ipsec tab are correct, but I can't see any traffic on
> the firewall log from ipsec interface.
>

On 1.2.3 mobile clients work really well.  What is your mobile client
software? Does it show the tunnel up as well?  Does pfSense log
anything when you ping it via the vpn?

If your mobile clients are not LANs but just single hosts, then I'd
really suggest sticking with OpenVPN.  It is much more robust at
dealing with any sort of intermediate network hops.

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] IPSEC problem on pfSense 1.2.3

2011-06-01 Thread Carlos Vicente
Thanks Vick for your response,

I should have posted more information, so here it goes:
- IPSEC Client: Shrew VPN Client 2.1.7 for Windows;
- The tunnel goes up but I can't ping the pfSense box (I have a rule for
that on ipsec tab firewall);
- pfSense doesn't log anything from and to IPSEC VPN;
- I'm using single hosts now, but I've tried with networks (on IPSEC
firewall rules in pfSense) and an IP from that network on the client side
config.

My pfSense box is behind an ISP modem router, which forwards ports UDP 500
and UDP 4500 (just in case) to the WAN interface of my box (which is on the
LAN interface of the router). I use DynDns (on the ISP router) to access my
pfSense from the internet. On the client side I use the virtual adapter and gave
it an IP 192.168.13.1 (doesn't overlap the LAN on the pfSense side).

ISP Modem router WAN (DHCP)
pfSense WAN IP 192.168.1.65 (connected on the LAN interface of the ISP
router)
pfSense LAN 192.168.5.0/24
IPSEC VPN client IP 192.168.13.1

Here are some logs from the VPN connection:
NOTE: I replaced the public IP with xxx.xxx.xxx.x

racoon: [Self]: INFO: 192.168.5.1[500] used as isakmp port (fd=17)
racoon: [Self]: INFO: 192.168.1.65[500] used as isakmp port (fd=16)
racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
racoon: [Self]: INFO: 192.168.0.1[500] used as isakmp port (fd=14)
racoon: [Self]: INFO: 192.168.5.1[500] used as isakmp port (fd=17)
racoon: [Self]: INFO: 192.168.1.65[500] used as isakmp port (fd=16)
racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
racoon: [Self]: INFO: 192.168.0.1[500] used as isakmp port (fd=14)
racoon: ERROR: such policy does not already exist: "0.0.0.0/0[0] 192.168.13.1/32[0] proto=any dir=out"
racoon: ERROR: such policy does not already exist: "192.168.13.1/32[0] 0.0.0.0/0[0] proto=any dir=in"
racoon: INFO: IPsec-SA established: ESP 192.168.1.65[0]->xxx.xxx.xxx.x[0] spi=1491121(0x16c0b1)
racoon: INFO: IPsec-SA established: ESP xxx.xxx.xxx.x[0]->192.168.1.65[0] spi=115113049(0x6dc7c59)
racoon: INFO: no policy found, try to generate the policy : 192.168.13.1/32[0] 0.0.0.0/0[0] proto=any dir=in
racoon: INFO: respond new phase 2 negotiation: 192.168.1.65[0]<=>xxx.xxx.xxx.x[0]
racoon: INFO: ISAKMP-SA established 192.168.1.65[500]-xxx.xxx.xxx.x[10177] spi:af896a91dc59d1dc:a6d17e37deb7e875
racoon: INFO: received Vendor ID: CISCO-UNITY
racoon: INFO: received Vendor ID: DPD
racoon: INFO: received broken Microsoft ID: FRAGMENTATION
racoon: INFO: received Vendor ID: RFC 3947
racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
racoon: INFO: begin Aggressive mode.
racoon: INFO: respond new phase 1 negotiation: 192.168.1.65[500]<=>xxx.xxx.xxx.x[10177]
I hope this is all understandable...

Thanks again,

Carlos




Re: [pfSense Support] IPSEC problem on pfSense 1.2.3

2011-06-01 Thread Vick Khera
On Wed, Jun 1, 2011 at 11:47 AM, Carlos Vicente wrote:

> My pfSense box is behind an ISP modem router, which forwards ports UDP 500
> and UDP 4500 (just in case) to the WAN interface of my box (which is on the
> LAN interface of the router). I use DynDns (on the ISP router) to access my
> pfSense from the internet. On the client side I use the virtual adapter and gave
> it an IP 192.168.13.1 (doesn't overlap the LAN on the pfSense side).
>

1.2.3 does not support NAT-T, which you would seem to need for this case.
OpenVPN is the way to go.
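The racoon log Carlos posted already carries the evidence behind this diagnosis: the local ISAKMP endpoint is a private 192.168.1.65 while the peer is public (this pfSense is itself behind the ISP router's NAT), the peer's ISAKMP port is 10177 rather than 500 (a NAT in the path rewrote it), the peer advertised the RFC 3947 and draft NAT-T vendor IDs, and racoon logged "such policy does not already exist" / "no policy found", meaning the SAs came up without a matching SPD entry, which is exactly why the tunnel shows as up but passes nothing. The following triage script is an added example, not code from the thread, from pfSense or from racoon; the function names, regexes and sample log lines are my own, with the sample modelled on Carlos's lines and the peer address masked the way he masked it.

```python
"""Triage an IKEv1 (racoon) log for the symptoms discussed in this thread.

Added example (not from the thread, pfSense or racoon). It reports:
  * whether NAT-T is needed: the local ISAKMP address is RFC 1918 while the
    peer is not (this end sits behind NAT), or the peer's ISAKMP port is not
    UDP 500 (a NAT between the peers rewrote the source port);
  * whether the peer advertised NAT-T (RFC 3947 or the draft vendor IDs);
  * "such policy does not already exist" / "no policy found" messages, i.e.
    SAs established without a matching SPD entry, so no traffic will flow;
  * phase 1 in Aggressive mode, which protects identities less than Main mode.
"""
import ipaddress
import re

# Constructed sample, modelled on the lines Carlos posted; the peer's public
# address is masked the same way he masked it.
SAMPLE_LOG = """\
racoon: ERROR: such policy does not already exist: "0.0.0.0/0[0] 192.168.13.1/32[0] proto=any dir=out"
racoon: ERROR: such policy does not already exist: "192.168.13.1/32[0] 0.0.0.0/0[0] proto=any dir=in"
racoon: INFO: IPsec-SA established: ESP 192.168.1.65[0]->xxx.xxx.xxx.x[0] spi=1491121(0x16c0b1)
racoon: INFO: no policy found, try to generate the policy : 192.168.13.1/32[0] 0.0.0.0/0[0] proto=any dir=in
racoon: INFO: ISAKMP-SA established 192.168.1.65[500]-xxx.xxx.xxx.x[10177] spi:af896a91dc59d1dc:a6d17e37deb7e875
racoon: INFO: received Vendor ID: RFC 3947
racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
racoon: INFO: begin Aggressive mode.
"""

ISAKMP_SA_RE = re.compile(r"ISAKMP-SA established ([^\s\[]+)\[(\d+)\]-([^\s\[]+)\[(\d+)\]")
NAT_T_VID_RE = re.compile(r"received Vendor ID: (RFC 3947|draft-ietf-ipsec-nat-t-ike-\d+)")
POLICY_RE = re.compile(r"such policy does not already exist|no policy found")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True for a private (RFC 1918) address. A masked or unparsable address
    such as "xxx.xxx.xxx.x" is treated as public, which matches the thread."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def triage(log_text: str) -> dict:
    """Scan racoon log lines and collect the findings described above."""
    f = {"local_behind_nat": False, "peer_port_rewritten": False,
         "peer_offers_nat_t": False, "policy_problems": [], "aggressive_mode": False}
    for line in log_text.splitlines():
        m = ISAKMP_SA_RE.search(line)
        if m:
            local_ip, _local_port, peer_ip, peer_port = m.groups()
            f["local_behind_nat"] = is_rfc1918(local_ip) and not is_rfc1918(peer_ip)
            f["peer_port_rewritten"] = peer_port != "500"
        if NAT_T_VID_RE.search(line):
            f["peer_offers_nat_t"] = True
        if POLICY_RE.search(line):
            f["policy_problems"].append(line.split("racoon: ", 1)[-1])
        if "begin Aggressive mode" in line:
            f["aggressive_mode"] = True
    f["needs_nat_t"] = f["local_behind_nat"] or f["peer_port_rewritten"]
    return f


def report(log_text: str) -> list:
    """Human-readable findings, one string per problem."""
    f = triage(log_text)
    out = []
    if f["needs_nat_t"]:
        why = []
        if f["local_behind_nat"]:
            why.append("local ISAKMP address is RFC 1918 (this end is behind NAT)")
        if f["peer_port_rewritten"]:
            why.append("peer ISAKMP port is not 500 (a NAT rewrote it)")
        vid = "peer advertises NAT-T" if f["peer_offers_nat_t"] else "peer did not advertise NAT-T"
        out.append("NAT-T required: " + "; ".join(why) + "; " + vid)
    for p in f["policy_problems"]:
        out.append("SPD mismatch, tunnel is up but traffic will not flow: " + p)
    if f["aggressive_mode"]:
        out.append("Phase 1 used Aggressive mode; prefer Main mode where the client allows it")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run it against the IPsec log from Status > System Logs after a connection attempt; a "NAT-T required" line on a release without NAT-T support is the clearest signal to follow Vick's advice, and any "SPD mismatch" lines explain the silent firewall log without needing a packet capture.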


[pfSense Support] 2.0-RC2 issues with TCP timeouts

2011-06-01 Thread Wade Blackwell
Good morning all,
I have 2.0-RC2 running on a 32-bit, 4 core Xeon, 4 GB of memory. I have 3
two-port Intel Gig cards (poor man's switch); 3 of those ports form bridge0
where all my DMZ hosts reside. The issue I am having is about once a week my
daily backups will fail as my main backup host will no longer be able to
initiate connections to an external host (rsync over ssh). The rules have
not changed; blowing out the state table also does not make a difference. I
even turned down the L3 interface to the DMZ hoping that would jar things
loose and allow the connections to be made. The strange thing is that other
hosts in the DMZ can connect out during this time. A reboot of the firewall
takes care of the issue. Anyone seen issues like this?

 -W

-- 
Wade Blackwell
805.457.8825 X998
www.cupofcompassion.com

The Coffee That Makes a Difference!


Re: [pfSense Support] IPSEC problem on pfSense 1.2.3

2011-06-01 Thread Carlos Vicente
That's what I thought. Will version 2.0 support NAT-T and the IPSEC VPN
supported by iPhone and iPad?

Thank you very much for your help.



Re: [pfSense Support] IPSEC problem on pfSense 1.2.3

2011-06-01 Thread Seth Mos
Yes, iPad works. The settings are finicky.




[pfSense Support] Pfsense 2.0 dyndns

2011-06-01 Thread Fuchs, Martin
Hi!
Do we know about any dyndns issues?
I have some systems where sometimes dyndns does not update; the client shows it
in red, but does not update?
Shouldn't this be done when it's printed in red?
Only manually saving or reconnecting triggers the update of dyndns...
Any ideas?

Regards,
Martin



[pfSense Support] 2.0 restore config partially?

2011-06-01 Thread Volker Kuhlmann
When restoring the config on 2.0RC1 only partially from a full config
backup nothing is restored. I tried with dhcp - select dhcp from the
restore drop-down, give it a full config backup previously created (of
which I want to restore only the dhcp server part).

Is this expected behaviour?

Thanks,

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.dnsalias.net/ Please do not CC list postings to me.




Re: [pfSense Support] 2.0 restore config partially?

2011-06-01 Thread Chris Buechler
On Wed, Jun 1, 2011 at 5:00 PM, Volker Kuhlmann  wrote:
> When restoring the config on 2.0RC1 only partially from a full config
> backup nothing is restored.

The config must contain only the part being restored when doing a
partial restore.
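One way to produce such a file from an existing full backup, as an added example rather than pfSense's own code: a pfSense config.xml has a <pfsense> root with one child element per area (<system>, <dhcpd>, <filter>, and so on), and following Chris's reply this script assumes a partial restore wants the same shape containing only the chosen area. The function names and the abbreviated sample config are mine.

```python
"""Carve one area out of a full pfSense config backup for a partial restore.

Added example, not pfSense's own code. Assumption (per Chris's reply): a
"restore area" upload must contain only that area, wrapped in the same
<pfsense> root element, so uploading the full backup restores nothing.
"""
import xml.etree.ElementTree as ET

# Constructed, abbreviated stand-in for a full backup; not a real config.
FULL_BACKUP = """<?xml version="1.0"?>
<pfsense>
  <system><hostname>fw</hostname></system>
  <dhcpd>
    <lan>
      <enable/>
      <range><from>192.168.5.100</from><to>192.168.5.199</to></range>
    </lan>
  </dhcpd>
  <filter><rule><descr>allow lan</descr></rule></filter>
</pfsense>
"""


def _root(full_xml: str) -> ET.Element:
    """Parse the backup and refuse anything that is not a <pfsense> document."""
    root = ET.fromstring(full_xml)
    if root.tag != "pfsense":
        raise ValueError(f"not a pfSense config: root element is <{root.tag}>")
    return root


def areas_in(full_xml: str) -> list:
    """Top-level areas present in a backup, in document order."""
    return [child.tag for child in _root(full_xml)]


def has_area(full_xml: str, area: str) -> bool:
    return _root(full_xml).find(area) is not None


def extract_area(full_xml: str, area: str) -> str:
    """Return a document holding only <area>, wrapped in a fresh <pfsense> root."""
    node = _root(full_xml).find(area)
    if node is None:
        raise KeyError(f"area <{area}> is not in this backup")
    partial = ET.Element("pfsense")
    partial.append(node)
    return '<?xml version="1.0"?>\n' + ET.tostring(partial, encoding="unicode") + "\n"


if __name__ == "__main__":
    print("areas:", areas_in(FULL_BACKUP))
    print(extract_area(FULL_BACKUP, "dhcpd"))
```

The carved-out file still holds whatever secrets the area contains (the system area, for instance, carries password hashes and the webConfigurator key material), so store and transfer it with the same care as the full backup.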




[pfSense Support] pfsense as a centralized antivirus update to multiple hosts

2011-06-01 Thread Joseph Rotan
Hi,

I would like to confirm if pfsense can act as a centralized PC to update
anti-virus on multiple host PCs connected on the same LAN.

In our setup we have ADSL, leased-line and E1 connections that are used as a
means of internet connectivity to our pfsense WAN interface, whereas the LAN
interface connects to a hub that redistributes the connection to multiple host PCs.

As a means of cutting down the cost of purchasing a license for each host,
our anti-virus supplier has provided us a solution with one exchange server
or PC to many connected clients on a network, therefore the pfsense machine
will automatically extract updates from the antivirus remote server and
pfsense will redistribute it to the connected clients on a network.


Thanks

Joseph.


Re: [pfSense Support] pfsense as a centralized antivirus update to multiple hosts

2011-06-01 Thread Chris Buechler
On Wed, Jun 1, 2011 at 8:24 PM, Joseph Rotan  wrote:
> Hi,
> I would like to confirm if pfsense can act as a centralized PC to update
> anti-virus on multiple host PCs connected on the same LAN.

In general, no, that's not possible. That depends on how the antivirus
updates work. AV will either require pulling updates from the official
source, or for centrally-managed corporate-focused AV options, a
server that runs on a Windows server is generally required.




Re: [pfSense Support] pfsense as a centralized antivirus update to multiple hosts

2011-06-01 Thread Christian Veith

Hi Joseph,

In general it's not possible with pfsense. As Chris mentioned, most
solutions will require a Windows server machine for delivering updates
to the clients.


Some antivirus solutions, such as Eset NOD32, could be configured to use
an alternate HTTP server for getting their updates. It's possible to
set up a squid package installation on the pfsense box and use it as a
caching proxy. The signatures will be downloaded only once and then
delivered from cache.


Other products like Symantec Enterprise Protection offer the possibility
of "Global Update Provider" clients. These provide updates by
peer-to-peer-like functions, electing one client as the bridgehead for
signature updates.



regards

Christian


