[pfSense Support] Some problems with pfsense
I'll describe some problems we are noticing in pfSense, with some advice on how to reproduce them:

1) Under heavy load, using the transparent proxy in pfSense, in some peak hours users receive an HTTP 500 error for pages that are online. If the administrator removes pfSense the error stops happening.

2) The process rc.initial uses 100% CPU. It happens with a specific pattern: if the shell connection over SSH is broken, the CPU load of rc.initial usually goes to 100%.

3) The config.xml file sometimes disappears, mainly if the machine has a power failure or an improper shutdown. There is no easy recovery procedure for this.

We noticed that these problems happen with several platforms and configurations. We currently have an installed base of 60 pfSense machines, and these problems are based on our experience.

Best Regards, Pedro Paulo Oliveira Jr
RES: [pfSense Support] Application filtering over HTTP
We also produce a Layer-7 filtering solution, but it will cost money too. But I can guarantee that it is less than BlueCoat.

-----Original message-----
From: Bill Marquette [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 4 October 2006 13:59
To: support@pfsense.com
Subject: Re: [pfSense Support] Application filtering over HTTP

On 10/4/06, Benoît Beaujault [EMAIL PROTECTED] wrote:

Hello, more and more applications, because of firewall filtering, move to HTTP. Is it on the pfSense roadmap to offer a functionality to filter some applications over HTTP (peer-to-peer, MSN, ICQ and so on)?

Start by forcing all your users through a proxy; enforce the use of a proxy with firewall rules (and policy - technology can't stop everything, but firing people will). Then figure out which proxies are better. One of my neighbors is always telling me that anything can be accomplished with either time or money... you need to spend the time, or the money, to solve your problem. Squid is free, but will cost you time (and won't solve all your problems); commercial proxies such as Bluecoat can make use of commercial blacklists (for better or worse), but will cost you money. I can attest first hand that Bluecoat stops OpenVPN, BTW.

--Bill
RES: [pfSense Support] wifi
Man, I couldn't understand any of the English. Rewrite the text, or send me an e-mail in Portuguese privately. PPJ

-----Original message-----
From: Gerente Técnico ERP [mailto:[EMAIL PROTECTED]]
Sent: Friday, 29 September 2006 13:38
To: support@pfsense.com
Subject: [pfSense Support] wifi

Question: does pfSense work with a Wi-Fi card, to create a Wi-Fi LAN?
RES: [pfSense Support] Any NAT-T users out there?
BTW, I know, since the guy in the room beside me is working on it.

-----Original message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 19 September 2006 14:36
To: support@pfsense.com
Subject: Re: [pfSense Support] Any NAT-T users out there?

On 9/19/06, Pedro Paulo de Magalhaes Oliveira Junior [EMAIL PROTECTED] wrote:

What?

If you don't know what I am asking then simply ignore. There are people out there that know what this is.
RES: [pfSense Support] Redirect Port 80 to Squid/Dans Guardian Box for Filtering
You can use Netfilter (http://www.netfilter.com.br); it runs on pfSense.

-----Original message-----
From: stephan peterson [mailto:[EMAIL PROTECTED]]
Sent: Friday, 18 August 2006 11:06
To: support@pfsense.com
Subject: [pfSense Support] Redirect Port 80 to Squid/Dans Guardian Box for Filtering

I'm using pfSense on my home network and it is working great as a firewall for me. I'd like to add content filtering to the mix. I was thinking I would dedicate a box to the task. I'd like to make it transparent to the users though. I don't want to have to configure the browsers to point to the Squid/DG box. I'd rather redirect all outbound HTTP traffic to the Squid/DG box, and then it would send it out through the firewall using a firewall rule that would allow it outbound on port 80. Has anyone done this? Is it possible? Poking around I don't see how to make it happen, and my searches of the list archive haven't turned up any help. I get the impression though that it's not possible, and that's not what I wanted to hear.

Thanks, Stephan
RES: [pfSense Support] Bridged Multi-Wan Load Balancing Failover
I run pfSense on a Sun Ultra 20.

-----Original message-----
From: Gary Buckmaster [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 3 August 2006 13:39
To: support@pfsense.com
Subject: Re: [pfSense Support] Bridged Multi-Wan Load Balancing Failover

Aren't those Opteron based? If so, then you're out of luck, because pfSense is currently not an x64 platform.

-Gary

Scott Williamson wrote:

Next question: has anyone had experience running pfSense on Sun X2100 servers?

Regards

There are 10 types of people in this world, those who can read binary, and those who cannot.

-----Original Message-----
From: Holger Bauer [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 03, 2006 9:56 AM
To: support@pfsense.com
Subject: RE: [pfSense Support] Bridged Multi-Wan Load Balancing Failover

Not only will bridging not work for CARP, it won't work with policy-based routing (as the name already says) and/or load balancing either. How many public IPs do your T1s have? You need at least 3 IPs at each T1 that you can use to set up CARP correctly. The subnet between the pfSenses and the ASA shouldn't be the problem. Just use a subnet that is not used anywhere else in your local network (LAN, DMZ, remote VPN LANs, ...). Btw, you'll have some problems using 1:1 NAT for this kind of setup, as you can't 1:1 NAT the same IP (of the ASA) to different WANs (that would be 2:1, which is not possible). You need to go along with port forwards at WAN and at WAN2 to the ASA. Then the state will handle which is the right interface to send out the reply.

Holger

-----Original Message-----
From: Scott Williamson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 03, 2006 4:46 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] Bridged Multi-Wan Load Balancing Failover

1:1 NAT Accept ALL:ALL?

-----Original Message-----
From: Gary Buckmaster [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 03, 2006 9:44 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Bridged Multi-Wan Load Balancing Failover

Scott, bridging and CARP don't play nicely together, so you're going to have to go another route.

-Gary

Scott Williamson wrote:

Ok, so here is the question. I have 2 WAN links, a Sprint 3 MB connection and a Verizon 1.5 MB connection. I am wanting to load balance across both connections and use a secondary pfSense firewall for failover. The company I work for made a sizeable investment in 2 Cisco ASA 5520s that we are throwing into the picture as well. Here is a rough diagram of what I would like to do:

Sprint T1s  ||  Verizon T1
    |              |
PFSENSE Main - Standby PFSENSE
    |              |
ASA 5520   -   Standby 5520
    |      |       |
   DMZ    LAN     DMZ2

I am just wanting to bridge all traffic and the external IPs through the pfSense and allow the ASA 5520s to do the firewalling and VPN. Is this possible, or is there a better solution?

Regards, Scott Williamson
[pfSense Support] Pfsense and Netbios problem
ADSL VTIBOX (WAN DHCP, LAN 192.168.3.10) --- PFSENSE (WAN 192.168.3.11, LAN 192.168.1.10) --- CLIENTS (192.168.1.X)

The clients connect to a PPTP server (201.134.218.98) in order to use NetBIOS resources. When the client types \\192.168.2.25 there is no connection. If we remove pfSense all goes fine.
RES: [pfSense Support] Pfsense and Netbios problem
Both 1918 and bogon are disabled.

From: Bill Marquette [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 26 July 2006 15:32
To: support@pfsense.com
Subject: Re: [pfSense Support] Pfsense and Netbios problem

RFC1918 or bogon filter on WAN most likely.

--Bill

On 7/26/06, Pedro Paulo de Magalhaes Oliveira Junior [EMAIL PROTECTED] wrote:

VTIBOX is a piece of ISP equipment that provides NAT. The PPTP server is outside, on DSL in another city. The firewall is fully OPEN.

-----Original message-----
From: Holger Bauer [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 26 July 2006 15:27
To: support@pfsense.com
Subject: RE: [pfSense Support] Pfsense and Netbios problem

Where does the client connect to? To the VTIBOX? And why do you have this kind of setup? This is most likely a firewall rules issue. Check the firewall logs for blocks and what rule is causing them.

Holger

-----Original Message-----
From: Pedro Paulo de Magalhaes Oliveira Junior [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 26, 2006 8:18 PM
To: support@pfsense.com
Subject: [pfSense Support] Pfsense and Netbios problem

ADSL VTIBOX (WAN DHCP, LAN 192.168.3.10) --- PFSENSE (WAN 192.168.3.11, LAN 192.168.1.10) --- CLIENTS (192.168.1.X)

The clients connect to a PPTP server (201.134.218.98) in order to use NetBIOS resources. When the client types \\192.168.2.25 there is no connection. If we remove pfSense all goes fine.
RES: RES: [pfSense Support] Pfsense and Netbios problem
Yes, I can ping. The firewall rules are all open. Since both pieces of equipment do NAT, could this be the cause?

ADSL VTIBOX (WAN DHCP, LAN 192.168.3.10) --- PFSENSE (WAN 192.168.3.11, LAN 192.168.1.10) --- CLIENTS (192.168.1.X)

-----Original message-----
From: Brad Bendy [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 26 July 2006 16:42
To: support@pfsense.com
Subject: Re: RES: [pfSense Support] Pfsense and Netbios problem

NetBIOS naming does not work over PPTP, but I see you are trying to connect via IP. Can you ping over the tunnel? Sounds like a rule issue on the PPTP tab; you must allow what can pass (if you want to do SMB, you need 137-139 tcp/udp, I think).

On Wednesday 26 July 2006 12:13, Pedro Paulo de Magalhaes Oliveira Junior wrote:

Both 1918 and bogon are disabled.

--
Thank You
Brad Bendy
Shock Webhosting, LLC.
http://www.shockwebhost.com
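Holger's advice above (check the firewall log for blocks and the rule causing them), Bill's RFC1918-on-WAN hunch and Brad's list of NetBIOS/SMB ports, as an added example that is not from this thread or the pfSense project: a small parser over constructed pflog-style log lines that tallies blocks per rule and flags the three causes the thread discusses. The log lines are constructed to resemble tcpdump's pflog output (which pfSense 1.x wrote to its filter log); the interface names (em0 for WAN, em1 for LAN, ng0 for a PPTP tunnel), rule numbers and the 203.0.113.7 source are assumptions, while the other addresses come from the thread's own diagram.

```python
"""Triage pf block log lines: which rule blocked what, and why it matters here.

Added example, not pfSense code. The sample lines are constructed to resemble
tcpdump's pflog output; interface names, rule numbers and the 203.0.113.7
source are assumptions.
"""
import ipaddress
import re
from collections import Counter

# RFC1918 space: what pfSense's "block private networks" option drops on WAN
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# NetBIOS/SMB ports a rule set has to pass for \\host access (Brad's 137-139, plus 445)
SMB_PORTS = {137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn", 445: "microsoft-ds"}

PPTP_CONTROL_PORT = 1723

# e.g. "rule 4/0(match): block in on ng0: 192.168.1.20.1046 > 192.168.2.25.139: S ..."
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?: (?P<rest>.*)"
)


def sample_lines():
    """Constructed filter.log excerpt (assumed format, not real captured data)."""
    return [
        "Jul 26 15:20:01 pf: 000000 rule 12/0(match): block in on em1: 192.168.1.20.1045 > 201.134.218.98.1723: S 1128:1128(0) win 65535",
        "Jul 26 15:20:01 pf: 000002 rule 12/0(match): block in on em1: 192.168.1.20 > 201.134.218.98: GREv1, call 1, seq 10, length 60",
        "Jul 26 15:20:03 pf: 000001 rule 2/0(match): block in on em0: 192.168.3.10.53 > 192.168.3.11.1025: udp 80",
        "Jul 26 15:20:04 pf: 000000 rule 4/0(match): block in on ng0: 192.168.1.20.1046 > 192.168.2.25.139: S 2210:2210(0) win 65535",
        "Jul 26 15:20:04 pf: 000003 rule 4/0(match): block in on ng0: 192.168.1.20.137 > 192.168.2.25.137: udp 50",
        "Jul 26 15:20:06 pf: 000001 rule 9/0(match): pass in on em1: 192.168.1.20.1047 > 201.134.218.98.80: S 9:9(0) win 65535",
        "Jul 26 15:20:07 pf: 000002 rule 2/0(match): block in on em0: 203.0.113.7.4444 > 192.168.3.11.22: S 5:5(0) win 8192",
    ]


def parse_line(line):
    """Return the fields of one pflog-style line, or None if it is not a rule match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rest = m.group("rest").lower()
    if rest.startswith("udp"):
        proto = "udp"
    elif rest.startswith("icmp"):
        proto = "icmp"
    elif rest.startswith("gre"):
        proto = "gre"
    else:
        proto = "tcp"  # tcpdump prints TCP flags/seq with no protocol keyword
    return {
        "rule": int(m.group("rule")),
        "action": m.group("action"),
        "direction": m.group("dir"),
        "iface": m.group("iface"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")) if m.group("dport") else None,
        "proto": proto,
    }


def blocks_by_rule(lines):
    """Count block events per (rule, interface, proto, dport): the 'what rule is causing them' view."""
    tally = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev and ev["action"] == "block":
            tally[(ev["rule"], ev["iface"], ev["proto"], ev["dport"])] += 1
    return tally


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def diagnose(lines, wan_iface):
    """Flag the blocks this thread talks about, as (line number, explanation) pairs."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_line(line)
        if ev is None or ev["action"] != "block":
            continue
        where = f"rule {ev['rule']} on {ev['iface']}"
        if ev["proto"] in ("tcp", "udp") and ev["dport"] in SMB_PORTS:
            findings.append((n, f"{where} blocks {SMB_PORTS[ev['dport']]} ({ev['proto']}/{ev['dport']}); pass it if SMB through the tunnel is wanted"))
        elif ev["proto"] == "gre" or (ev["proto"] == "tcp" and ev["dport"] == PPTP_CONTROL_PORT):
            findings.append((n, f"{where} blocks PPTP (tcp/1723 or GRE); the tunnel itself cannot come up"))
        elif ev["iface"] == wan_iface and ev["direction"] == "in" and is_rfc1918(ev["src"]):
            findings.append((n, f"{where} drops RFC1918 source {ev['src']} on WAN; expected with 'block private networks' when the WAN sits behind another NAT box"))
    return findings


if __name__ == "__main__":
    lines = sample_lines()
    for key, count in sorted(blocks_by_rule(lines).items(), key=lambda k: (k[0], k[1], k[2], k[3] or 0)):
        print(f"rule {key[0]:>3} {key[1]:<4} {key[2]:<4} dport={key[3]}: {count} block(s)")
    for n, why in diagnose(lines, wan_iface="em0"):
        print(f"line {n}: {why}")
```

Run it as-is to see the tally and the five flagged lines; on a real box, feed it the filter log instead of `sample_lines()`. The pass line and the ordinary block of an inbound SSH probe are counted but not flagged, which is the point: the triage only surfaces blocks that match a cause the thread raised, and a clean run on a fully open rule set would print no findings at all, pointing back at the double NAT rather than at the rules.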
RES: [pfSense Support] FTP Server
Mr DMZ Telecom, please don't send messages with a read receipt request.

From: [ASP] DMZ Telecom [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 19 July 2006 03:26
To: support@pfsense.com
Subject: RES: [pfSense Support] FTP Server
Priority: High

Can you help me?

Regards, Dmz Telecom Ltda.

From: Rob Terhaar [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 19 July 2006 01:53
To: support@pfsense.com
Subject: Re: [pfSense Support] FTP Server

Installing an FTP server into your router/firewall isn't a good thing to do. Really, you don't want to do this.

On 7/18/06, [ASP] DMZ Telecom [EMAIL PROTECTED] wrote:

How do I install an FTP server (ftpd) on pfSense? How do I make it see the ports? Sorry for my English!!

Regards, Dmz Telecom Ltda.
RES: [pfSense Support] How to install upnp in pfsense
Is there interest in us making a UPnP implementation?

-----Original message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 6 July 2006 11:37
To: support@pfsense.com
Subject: Re: [pfSense Support] How to install upnp in pfsense

On 7/6/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Does someone know how to implement a UPnP gateway in pfSense, to make Microsoft MSN and Windows Messenger support voice? I know that there is a UPnP implementation for FreeBSD. So many thanks.

There currently is not a UPnP solution for pfSense.

Scott
RES: [pfSense Support] How to install upnp in pfsense
:) Got the message! I wonder why people need UPnP.

-----Original message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 6 July 2006 12:11
To: support@pfsense.com
Subject: Re: [pfSense Support] How to install upnp in pfsense

On 7/6/06, Pedro Paulo de Magalhaes Oliveira Junior [EMAIL PROTECTED] wrote:

Is there interest in us making a UPnP implementation?

I have 0 interest in it, but if someone wants to do the work, go for it.
RES: [pfSense Support] How to install upnp in pfsense
The voice works with the current configuration.

-----Original message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 6 July 2006 15:05
To: Scott Ullrich
Cc: support@pfsense.com
Subject: Re: [pfSense Support] How to install upnp in pfsense

rss... good, Microsoft is a bad idea, but there is a question: behind the pfSense firewall there are many client workstations using Micro$oft Windows MSN Messenger with voice, so I need a solution for this.

Newton Calvin
Coord. Tecnologia de Redes CTR/NIS

Quoting Scott Ullrich [EMAIL PROTECTED]:

On 7/6/06, Pedro Paulo de Magalhaes Oliveira Junior [EMAIL PROTECTED] wrote:

:) Got the message! I wonder why people need UPnP.

Because anything Microsoft does is good? /sarcasm
[pfSense Support] Snort Inline PfSense
Hello, I was wondering how to port Snort-Inline (ipfw) to pfSense. Does anybody have some idea to help? Thanks, Pedro Paulo Jr
RES: [pfSense Support] Justifications for going with pfsense over Cisco Router or PIX, Sonicwall etc?
Check: HiFn, Broadcom, Cavium.

-----Original message-----
From: Raja Subramanian [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 16 May 2006 16:20
To: support@pfsense.com
Subject: Re: [pfSense Support] Justifications for going with pfsense over Cisco Router or PIX, Sonicwall etc?

Hi, on 5/16/06, Eugen Leitl [EMAIL PROTECTED] wrote:

Easy solution to that -- buy a crypto accelerator. Even without, 4 MBit/s symmetrical throughput should be doable with a WRAP.

Can you also please comment on the on-chip crypto of the VIA CPUs?

- Raja
[pfSense Support] BSDCan
Copied from: http://pfsense.blogspot.com/ If you haven't heard yet, pfSense and m0n0wall will be presented at BSDCan this year by Scott and myself. We'll also be attending the FreeBSD Developer Summit. This is not a cash-laden conference though, so Scott and I have agreed to provide for our own airfare to Ottawa. We're asking for donations so as little as possible of this expense will have to come out of our pockets. I will immediately post a follow up here if we do receive enough donations to cover our expenses. This is a great opportunity for us to network with the FreeBSD developers, and will certainly help make this project better. Thanks for your continued support! Edit: Might help if I tell you how to donate. :) You can send PayPal to [EMAIL PROTECTED], or email me for alternate means of payment.
[pfSense Support] Problem in appliance
I need some clue on how to recover config.xml using a floppy disk; sometimes I'm losing the config.xml on this appliance.
RES: [pfSense Support] Biggest pfSense install
I'm using a modified version of pfSense in a very large hospital with a 155MB/s fiber link and with around 70% occupation.

-----Original message-----
From: Gary Buckmaster [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 27 April 2006 10:42
To: support@pfsense.com
Subject: Re: [pfSense Support] Biggest pfSense install

I'm pretty sure this isn't the biggest install of pfSense, but we run pfSense as our primary firewall for a 10M fiber connection, continually utilized at about 6Mb/s. This includes load balancing an Internet-facing database cluster which handles approximately 35 million transactions a day. So far, pfSense has been a champ.

-Gary

Scott Ullrich wrote:

This may sound unusual, but I would like to get an idea of what the biggest pfSense installation is out in the wild. Are you pushing major packets with pfSense? Please take a moment and describe your setup. It would be nice to know that we are helping out in some big ways. Thanks in advance!

Scott
RES: [pfSense Support] Biggest pfSense install
Sun Ultra 20, dual Gigabit PCI-X, 2GB RAM.

-----Original message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 27 April 2006 13:58
To: support@pfsense.com
Subject: Re: [pfSense Support] Biggest pfSense install

Now that's interesting. What kind of hardware is this running on?

On 4/27/06, Pedro Paulo de Magalhaes Oliveira Junior [EMAIL PROTECTED] wrote:

I'm using a modified version of pfSense in a very large hospital with a 155MB/s fiber link and with around 70% occupation.
RES: [pfSense Support] Biggest pfSense install
I'll put a 3DES accelerator on it and try ASAP.

-----Original message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 27 April 2006 14:14
To: support@pfsense.com
Subject: Re: [pfSense Support] Biggest pfSense install

Very impressive. I'd love to hear more; keep the reports coming in!

On 4/27/06, Pedro Paulo de Magalhaes Oliveira Junior [EMAIL PROTECTED] wrote:

Remember I asked Bill if he could rent his perf meter? We can handle 90mbps IPsec DES with this hardware.

-----Original message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 27 April 2006 14:05
To: support@pfsense.com
Subject: Re: [pfSense Support] Biggest pfSense install

That's rather nice. Anyone else pushing some serious bits? We're pushing about 45 megabit at Bluegrass.net from time to time on our private firewalls (not much, but it's something). :)

On 4/27/06, Pedro Paulo de Magalhaes Oliveira Junior [EMAIL PROTECTED] wrote:

Sun Ultra 20, dual Gigabit PCI-X, 2GB RAM.
[pfSense Support] Weird kernel trap
I have an appliance from Lanner with 4 Realtek NICs. FreeBSD recognizes them and uses the re driver. When all 4 NICs are turned on we receive a kernel trap when probing the fourth NIC. When we disable one of the NICs we boot normally. Any hints? Latest snapshot.
Re: [pfSense Support] boot problems after upgrade, part 2.
I think RELENG_6_1 has some important fixes.

-----Original Message-----
From: Vivek Khera [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 6 April 2006 11:31
To: support@pfsense.com
Subject: Re: [pfSense Support] boot problems after upgrade, part 2.

On Apr 5, 2006, at 8:35 PM, Scott Ullrich wrote:
Not really. It almost sounds like RELENG_6 is not in sync with RELENG_6_0 but my understanding is that RELENG_6_0 is the FreeBSD 6 release tree so that's what we really need to track.

RELENG_6_0 is only gonna get you security fixes over 6.0-RELEASE. RELENG_6 is currently what is becoming 6.1-RELEASE and has a *lot* of changes relative to 6.0. They are not in sync at all as they are divergent branches of development, and only selected changes are ported back over to the RELENG_6_0 branch. Hopefully they'll tag RELENG_6_1 really soon now... but for less of a moving target 6.0 release is the way to go. Perhaps the goal for pfSense 1.1 should be to use RELENG_6_1.
Re: [pfSense Support] boot problems after upgrade, part 2.
http://www.freebsd.org/releases/6.1R/schedule.html

I think yesterday:
RELENG_6_1 branch   5 March 2006   5 April 2006   The new major version branch is created. Update newvers.sh and release.ent on various branches involved.

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 6 April 2006 12:14
To: support@pfsense.com
Subject: Re: [pfSense Support] boot problems after upgrade, part 2.

Has it been tagged yet?

On 4/6/06, Pedro Paulo de Magalhaes Oliveira Junior [EMAIL PROTECTED] wrote:
I think RELENG_6_1 has some important fixes.

-----Original Message-----
From: Vivek Khera [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 6 April 2006 11:31
To: support@pfsense.com
Subject: Re: [pfSense Support] boot problems after upgrade, part 2.

On Apr 5, 2006, at 8:35 PM, Scott Ullrich wrote:
Not really. It almost sounds like RELENG_6 is not in sync with RELENG_6_0 but my understanding is that RELENG_6_0 is the FreeBSD 6 release tree so that's what we really need to track.

RELENG_6_0 is only gonna get you security fixes over 6.0-RELEASE. RELENG_6 is currently what is becoming 6.1-RELEASE and has a *lot* of changes relative to 6.0. They are not in sync at all as they are divergent branches of development, and only selected changes are ported back over to the RELENG_6_0 branch. Hopefully they'll tag RELENG_6_1 really soon now... but for less of a moving target 6.0 release is the way to go. Perhaps the goal for pfSense 1.1 should be to use RELENG_6_1.
[pfSense Support] Skype traffic prioritization
Does anybody know how to prioritize Skype traffic in pfsense QOS?
Re: [pfSense Support] Problem with ipsec tunnel
Has Beta2 fixed the mobile IPSEC problem that was related to ipsec-tools-0.6.5?

From: Tommaso Di Donato [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 2 March 2006 12:58
To: support@pfsense.com
Subject: Re: [pfSense Support] Problem with ipsec tunnel

Yes it is.. and those rules are already present! Thank you again, I'll let you know.

On 3/2/06, John Cianfarani [EMAIL PROTECTED] wrote:
For the rules I was speaking about the cisco: do you know if these run IOS? I'm not sure if these adsl devices run that or just a gui. If it's IOS the rules would be something like:
permit esp any any
permit any any eq isakmp

John

From: Tommaso Di Donato [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 02, 2006 9:22 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Problem with ipsec tunnel

On 3/2/06, John Cianfarani [EMAIL PROTECTED] wrote:
Ah it was late last night, misread part of that, no more 3am replies. :P

Eh eh, same habits.. don't worry!

On the cisco's are you forwarding the appropriate ports (protocol 50/51 ESP/AH, and UDP 500) to the inside pfsense boxes?

At the moment, I am forwarding only 500/udp, because of 2 problems: the first is that I am not so good in Cisco programming, so I do not know how to forward AH/ESP (but I think that I could solve this problem with a bit of google'ng). The second is that I looked for 4500/udp port listening, and I found nothing. So.. I thought that there was a problem (or a misconfiguration in racoon). Now I enabled 4500/udp, this night I'll test again..

In any of your rules are you allowing udp isakmp and esp to the host? They might even have an ipsec passthrough option to do this.

I think that pfSense does it automatically. Am I wrong? Or are you speaking about the routers?

Sorry for the confusion

No.. you're welcome! Thank you again!

Tom

From: Tommaso Di Donato [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 02, 2006 3:25 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Problem with ipsec tunnel

On 3/2/06, John Cianfarani [EMAIL PROTECTED] wrote:
1. Even though you need to NAT for your inside hosts, IPSec is listening on the WAN interface.

I'm sorry... I cannot understand the point..
PC pfSense Cisco 827 --internet
Here I have 2 nat: pfsense is natting my pc, and Cisco is natting pfsense. Of course, in pfsense I can see racoon listening on wan interface (only on 500/udp, not on 4500/udp)

2. Not sure but my guess would be no (without a lot of easy configuration changes)

You mean you guess there is no port 4500?

One thing that was reversed in previous builds (not sure if it is changed in 2-20) is the Prefer old IPSec SA checkbox under System-Advanced. Bill found that in the code pfsense already tries old sa's first, so when you check this box it will make it prefer NEW SAs. That was the heart of a lot of my IPsec troubles.

mmh, I tried both ways... no differences...

Do you have the WAN as the local endpoint and LAN Subnet as the Local subnet on each side? As I believe there still is an issue with ipsec-tools if you are trying to do host to host setup. (/32s)

Yes I have; I'm trying net-to-net. I'm so sorry I do not have my box here in order to send logs...

What are you using as your local identifier, IP or FQDN?

I tried both. Obviously, changing psk accordingly...

Once you get a session up can you do a ping -c 5 -S <your pfsense lan ip> <remote pfsense lan ip> from the Diag - Command Prompt tab?

Ok, I'll do it.. For now, I am testing pinging from a pc on the lan side. I think this night I'll do some other test, using as second endpoint a linux box (I am more familiar with linux ipsec implementation). Ah, by the way.. when I see a SPD or a SA established, should something be visible with netstat -rn?

Thank you again...

Thanks
John

From: Tommaso Di Donato [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 02, 2006 2:38 AM
To: support@pfsense.com
Subject: [pfSense Support] Problem with ipsec tunnel

Hi guys! Yesterday I tried to setup a vpn tunnel between me and a friend. We had mainly 2 problems: first, we both have dynamic IP (but this could be solved for example by looking at the ip given by the provider, and setting up the tunnel with that ip.. . Second, we both are behind a DSL router, so the pfsense boxes are both NATed.. I tried to establish a tunnel in many ways: net-to-net, net-to-mobile (following the marvellous tutorial), using dyndns record, etc. But I had problems.. ipsec SA establishes, SPD also, but at the end I cannot have traffic passing. No traffic dropped in firewall logs. On the routers, we redirected only port 500/UDP from the router to the pfsense boxes... So, my questions are:
[pfSense Support] L2TP
L2TP. Thanks Scott!
Re: [pfSense Support] QOS
Yes. I want to shape the tunnel only. Is it easy to do?

-----Original Message-----
From: Bill Marquette [mailto:[EMAIL PROTECTED]]
Sent: Friday, 20 January 2006 13:03
To: support@pfsense.com
Subject: Re: [pfSense Support] QOS

If all you want to do is shape the tunnel, then yes. Traffic inside the tunnel cannot be shaped at this time without breaking IPSec compatibility (FreeBSD limitation).

--Bill

On 1/20/06, Pedro Paulo de Magalhaes Oliveira Junior [EMAIL PROTECTED] wrote:
I know that pfsense does not do Traffic Shaping inside IPSEC so before anybody blames me let me explain: I have a client configuration with a pfsense on a main node and various remote networks using ipsec to connect to this main node. Can I use QOS to give more priority to one network than another?

Regards,
Pedro Paulo Jr
Re: [pfSense Support] QOS
I'll try and write a how-to. Any hint?

-----Original Message-----
From: Bill Marquette [mailto:[EMAIL PROTECTED]]
Sent: Friday, 20 January 2006 15:42
To: support@pfsense.com
Subject: Re: [pfSense Support] QOS

Relatively.

--Bill

On 1/20/06, Pedro Paulo de Magalhaes Oliveira Junior [EMAIL PROTECTED] wrote:
Yes. I want to shape the tunnel only. Is it easy to do?

-----Original Message-----
From: Bill Marquette [mailto:[EMAIL PROTECTED]]
Sent: Friday, 20 January 2006 13:03
To: support@pfsense.com
Subject: Re: [pfSense Support] QOS

If all you want to do is shape the tunnel, then yes. Traffic inside the tunnel cannot be shaped at this time without breaking IPSec compatibility (FreeBSD limitation).

--Bill

On 1/20/06, Pedro Paulo de Magalhaes Oliveira Junior [EMAIL PROTECTED] wrote:
I know that pfsense does not do Traffic Shaping inside IPSEC so before anybody blames me let me explain: I have a client configuration with a pfsense on a main node and various remote networks using ipsec to connect to this main node. Can I use QOS to give more priority to one network than another?

Regards,
Pedro Paulo Jr
[pfSense Support] IPSec BugValidation 5
Hi, IPSec issue has been fixed in BugValidation 5.
Re: [pfSense Support] IPSec BugValidation 5
Yes. The bouncing stopped.

-----Original Message-----
From: John Cianfarani [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 18 January 2006 16:19
To: support@pfsense.com
Subject: RE: [pfSense Support] IPSec BugValidation 5

I will see if I can test something tonight. Pedro, what problem do you see fixed? Establishment/Bouncing?

John

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 18, 2006 11:45 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] IPSec BugValidation 5

We didn't change anything but ok.

Scott

On 1/18/06, Pedro Paulo de Magalhaes Oliveira Junior [EMAIL PROTECTED] wrote:
Hi, IPSec issue has been fixed in BugValidation 5.
Re: [pfSense Support] IPSec BugValidation 5
I just upgraded to BUGVAL5 and it worked

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 18 January 2006 16:23
To: support@pfsense.com
Subject: Re: [pfSense Support] IPSec BugValidation 5

ISP issues? We really didn't change anything.

On 1/18/06, Pedro Paulo de Magalhaes Oliveira Junior [EMAIL PROTECTED] wrote:
Yes. The bouncing stopped.

-----Original Message-----
From: John Cianfarani [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 18 January 2006 16:19
To: support@pfsense.com
Subject: RE: [pfSense Support] IPSec BugValidation 5

I will see if I can test something tonight. Pedro, what problem do you see fixed? Establishment/Bouncing?

John

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 18, 2006 11:45 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] IPSec BugValidation 5

We didn't change anything but ok.

Scott

On 1/18/06, Pedro Paulo de Magalhaes Oliveira Junior [EMAIL PROTECTED] wrote:
Hi, IPSec issue has been fixed in BugValidation 5.
Re: [pfSense Support] IPSec Problems
I'm experiencing some problems with this IPSEC version. My tunnel opens, lasts sometimes and closes. My IPSEC section on both sides:

Side 1: 200.204.120.145
Side 2: 200.179.214.104

Side 1:
<ipsec>
  <preferredoldsa/>
  <enable/>
  <tunnel>
    <auto/>
    <interface>wan</interface>
    <local-subnet>
      <network>lan</network>
    </local-subnet>
    <remote-subnet>192.168.0.0/24</remote-subnet>
    <remote-gateway>200.179.214.104</remote-gateway>
    <p1>
      <mode>aggressive</mode>
      <myident>
        <myaddress/>
      </myident>
      <encryption-algorithm>3des</encryption-algorithm>
      <hash-algorithm>sha1</hash-algorithm>
      <dhgroup>2</dhgroup>
      <lifetime>86400</lifetime>
      <pre-shared-key>supersecret</pre-shared-key>
      <private-key/>
      <cert/>
      <peercert/>
      <authentication_method>pre_shared_key</authentication_method>
    </p1>
    <p2>
      <protocol>esp</protocol>
      <encryption-algorithm-option>3des</encryption-algorithm-option>
      <encryption-algorithm-option>blowfish</encryption-algorithm-option>
      <encryption-algorithm-option>cast128</encryption-algorithm-option>
      <encryption-algorithm-option>rijndael</encryption-algorithm-option>
      <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
      <hash-algorithm-option>hmac_md5</hash-algorithm-option>
      <pfsgroup>0</pfsgroup>
      <lifetime>86400</lifetime>
    </p2>
    <descr>NetfilterRJ</descr>
  </tunnel>
</ipsec>

Side 2:
<ipsec>
  <preferredoldsa/>
  <enable/>
  <tunnel>
    <auto/>
    <interface>wan</interface>
    <local-subnet>
      <network>lan</network>
    </local-subnet>
    <remote-subnet>192.168.1.0/24</remote-subnet>
    <remote-gateway>200.204.120.145</remote-gateway>
    <p1>
      <mode>aggressive</mode>
      <myident>
        <myaddress/>
      </myident>
      <encryption-algorithm>3des</encryption-algorithm>
      <hash-algorithm>sha1</hash-algorithm>
      <dhgroup>2</dhgroup>
      <lifetime>86400</lifetime>
      <pre-shared-key>bqnsepc</pre-shared-key>
      <private-key/>
      <cert/>
      <peercert/>
      <authentication_method>pre_shared_key</authentication_method>
    </p1>
    <p2>
      <protocol>esp</protocol>
      <encryption-algorithm-option>3des</encryption-algorithm-option>
      <encryption-algorithm-option>blowfish</encryption-algorithm-option>
      <encryption-algorithm-option>cast128</encryption-algorithm-option>
      <encryption-algorithm-option>rijndael</encryption-algorithm-option>
      <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
      <hash-algorithm-option>hmac_md5</hash-algorithm-option>
      <pfsgroup>0</pfsgroup>
      <lifetime>86400</lifetime>
    </p2>
    <descr>Netfilter SP</descr>
  </tunnel>
</ipsec>

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
Sent: Monday, 16 January 2006 14:24
To: support@pfsense.com
Subject: Re: [pfSense Support] IPSec Problems

Okay, if for some reason 0.6.5 is not out by the time we go to release I'll back down to 0.6.2.

Scott

On 1/16/06, John Cianfarani [EMAIL PROTECTED] wrote:
From the looks of it I don't know if it's exactly related; it seems that bug is related to the remote address being /32's, and all of the ones I have are /24's. Strange part is the mobile connection will work part of the time, but when it stops working it just seems to be dead.

John

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 16, 2006 11:07 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] IPSec Problems

We are waiting for 0.6.5 of IPSEC-Tools due to a bug. Is this the same?

http://article.gmane.org/gmane.comp.security.firewalls.m0n0wall/23905

Scott

On 1/16/06, Pedro Paulo de Magalhaes Oliveira Junior [EMAIL PROTECTED] wrote:
We are facing the same problem. And it also happens with non-mobile.

-----Original Message-----
[pfSense Support] IPSec Problem
Here are the results of my IPSec from the previous e-mail. It seems that the SAD entries are floating. Is it related to 0.6.4?

# echo "dump;" | setkey -c
The result of line 1: No SAD entries.
# echo "dump;" | setkey -c
The result of line 1: No SAD entries.
# echo "dump;" | setkey -c
The result of line 1: No SAD entries.
# echo "dump;" | setkey -c
200.204.120.145 200.179.214.104
    esp mode=tunnel spi=79729560(0x04c09398) reqid=20453(0x4fe5)
    E: 3des-cbc  a900049a 63eb4212 2c83625a 2b3c6ba2 47adc0b4 af9f1aa7
    A: hmac-sha1 8b8c2148 dda1ea67 871b9b4a 3cd6b70c eba51f0c
    seq=0x0004 replay=4 flags=0x state=mature
    created: Jan 17 16:06:56 2006   current: Jan 17 16:07:05 2006
    diff: 9(s)  hard: 86400(s)  soft: 69120(s)
    last: Jan 17 16:07:04 2006  hard: 0(s)  soft: 0(s)
    current: 448(bytes)  hard: 0(bytes)  soft: 0(bytes)
    allocated: 4  hard: 0  soft: 0
    sadb_seq=1 pid=87725 refcnt=2
200.179.214.104 200.204.120.145
    esp mode=tunnel spi=141064572(0x0868797c) reqid=20454(0x4fe6)
    E: 3des-cbc  83d26e28 43b9bdfa 5dd5fef9 7a4dd104 8ee8edaa cf32eefb
    A: hmac-sha1 0dbf4b06 568b1312 d05bfa35 de71d991 bd701e6d
    seq=0x replay=4 flags=0x state=mature
    created: Jan 17 16:06:56 2006   current: Jan 17 16:07:05 2006
    diff: 9(s)  hard: 86400(s)  soft: 69120(s)
    last: Jan 17 16:07:04 2006  hard: 0(s)  soft: 0(s)
    current: 240(bytes)  hard: 0(bytes)  soft: 0(bytes)
    allocated: 3  hard: 0  soft: 0
    sadb_seq=0 pid=87725 refcnt=1
# echo "dump;" | setkey -c
# echo "dump;" | setkey -c
200.204.120.145 200.179.214.104
    esp mode=tunnel spi=207500804(0x0c5e3604) reqid=20455(0x4fe7)
    E: 3des-cbc  515a79d0 22fc55d5 fa4c619c 7e603b35 8533b85e d87e658a
    A: hmac-sha1 2aa06e6d 796b1e8c ec5147f3 d36ea746 ab676688
    seq=0x0001 replay=4 flags=0x state=mature
    created: Jan 17 16:07:13 2006   current: Jan 17 16:07:18 2006
    diff: 5(s)  hard: 86400(s)  soft: 69120(s)
    last: Jan 17 16:07:18 2006  hard: 0(s)  soft: 0(s)
    current: 112(bytes)  hard: 0(bytes)  soft: 0(bytes)
    allocated: 1  hard: 0  soft: 0
    sadb_seq=1 pid=88013 refcnt=2
200.179.214.104 200.204.120.145
    esp mode=tunnel spi=125972949(0x078231d5) reqid=20456(0x4fe8)
    E: 3des-cbc  65f17755 dbb290ec eb71744d ad09f2b2 35d4765b c0b8c41c
    A: hmac-sha1 4937f2d8 4a449373 d7016d9d 230ef1a8 98b08fd1
    seq=0x replay=4 flags=0x state=mature
    created: Jan 17 16:07:13 2006   current: Jan 17 16:07:18 2006
    diff: 5(s)  hard: 86400(s)  soft: 69120(s)
    last:   hard: 0(s)  soft: 0(s)
    current: 0(bytes)  hard: 0(bytes)  soft: 0(bytes)
    allocated: 0  hard: 0  soft: 0
    sadb_seq=0 pid=88013 refcnt=1
# echo "dump;" | setkey -c
200.204.120.145 200.179.214.104
    esp mode=tunnel spi=8108862(0x007bbb3e) reqid=20459(0x4feb)
    E: 3des-cbc  b4d9ac9e 2ed6fed8 73352152 b263db7c b8972025 10c9a4af
    A: hmac-sha1 a75d45ec 88c3f948 8701b8cd 59f8cb7a 93a4cf34
    seq=0x replay=4 flags=0x state=mature
    created: Jan 17 16:07:44 2006   current: Jan 17 16:07:46 2006
    diff: 2(s)  hard: 86400(s)  soft: 69120(s)
    last:   hard: 0(s)  soft: 0(s)
    current: 0(bytes)  hard: 0(bytes)  soft: 0(bytes)
    allocated: 0  hard: 0  soft: 0
    sadb_seq=1 pid=88591 refcnt=1
200.179.214.104 200.204.120.145
    esp mode=tunnel spi=1917404(0x001d41dc) reqid=20460(0x4fec)
    E: 3des-cbc  5096d8e0 0fd681bb 4f423656 fe2e1713 8533d150 38c06245
    A: hmac-sha1 f1325d52 bdd5ff9c 18e49ee2 a241c177 729b9086
    seq=0x replay=4 flags=0x state=mature
    created: Jan 17 16:07:44 2006   current: Jan 17 16:07:46 2006
    diff: 2(s)  hard: 86400(s)  soft: 69120(s)
    last:   hard: 0(s)  soft: 0(s)
    current: 0(bytes)  hard: 0(bytes)  soft: 0(bytes)
    allocated: 0  hard: 0  soft: 0
    sadb_seq=0 pid=88591 refcnt=1
# echo "dump;" | setkey -c
The result of line 1: No SAD entries.
# echo "dump;" | setkey -c
The result of line 1: No SAD entries.
# echo "dump;" | setkey -c
The result of line 1: No SAD entries.
# echo "dump;" | setkey -c
The result of line 1: No SAD entries.
# echo "dump;" | setkey -c
200.204.120.145 200.179.214.104
    esp mode=tunnel spi=263104984(0x0faea9d8) reqid=20463(0x4fef)
    E: 3des-cbc  e0d2bd58 c63dc210 ed18ad1e 58f77eb2 0ffaa5ff 04917dab
    A: hmac-sha1 bc719ae0 58892e01 54792ad1 69409e2e e26be914
    seq=0x0007 replay=4 flags=0x state=mature
    created: Jan 17 16:08:11 2006   current: Jan 17 16:08:22 2006
    diff: 11(s)  hard: 86400(s)  soft: 69120(s)
    last: Jan 17 16:08:22 2006  hard: 0(s)  soft: 0(s)
    current: 784(bytes)  hard: 0(bytes)  soft: 0(bytes)
    allocated: 7  hard: 0  soft: 0
    sadb_seq=1 pid=89316 refcnt=2
200.179.214.104 200.204.120.145
    esp mode=tunnel spi=218307469(0x0d031b8d) reqid=20464(0x4ff0)
    E: 3des-cbc  65e3fc82 6001600d 92daf1f9 6b0b6a67 6e2b7618 87046c27
    A: hmac-sha1 472312c9 4cb3b560 6a555bd3 517912a9 37a68b3c
    seq=0x replay=4 flags=0x state=mature
    created: Jan 17 16:08:11 2006   current: Jan 17 16:08:22 2006
    diff: 11(s)  hard: 86400(s)  soft: 69120(s)
    last: Jan 17 16:08:22 2006  hard: 0(s)  soft: 0(s)
    current: 560(bytes)
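The dumps above show SAs that exist for a few seconds (diff: 2(s) to 11(s)) against an 86400 s hard lifetime and then vanish, which is what "floating" looks like in the SAD. The following is an added example, not code from the mailing list or from pfSense/ipsec-tools: it parses a series of `echo "dump;" | setkey -c` outputs and reports SAs that disappeared long before their soft lifetime, i.e. a bouncing tunnel rather than a normal rekey. The SAMPLE_DUMPS text is constructed in the same layout as the posted dumps, with documentation-range addresses and zeroed placeholder keys; a real dump can be passed in unchanged.

```python
"""Detect IPsec SA churn across repeated `setkey` SAD dumps (added example)."""
import re
from dataclasses import dataclass


@dataclass
class SA:
    src: str
    dst: str
    spi: int = 0
    reqid: int = 0
    age: int = 0    # "diff" column: seconds since the SA was created
    hard: int = 0   # hard lifetime (s); the kernel deletes the SA here
    soft: int = 0   # soft lifetime (s); a healthy tunnel rekeys around here, not earlier


DUMP_CMD = re.compile(r"^#\s*echo")      # each "dump;" invocation starts a new snapshot
SA_HEADER = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})$")
SA_ESP = re.compile(r"esp mode=\w+ spi=(\d+)\(0x[0-9a-f]+\) reqid=(\d+)")
SA_LIFE = re.compile(r"diff:\s*(\d+)\(s\)\s+hard:\s*(\d+)\(s\)\s+soft:\s*(\d+)\(s\)")

# Constructed sample (same shape as the thread's dumps; keys zeroed, RFC 5737 addresses).
SAMPLE_DUMPS = """\
# echo "dump;" | setkey -c
No SAD entries.
# echo "dump;" | setkey -c
198.51.100.1 203.0.113.1
    esp mode=tunnel spi=79729560(0x04c09398) reqid=20453(0x4fe5)
    E: 3des-cbc  00000000 00000000 00000000 00000000 00000000 00000000
    A: hmac-sha1 00000000 00000000 00000000 00000000 00000000
    seq=0x00000004 replay=4 flags=0x00000000 state=mature
    created: Jan 17 16:06:56 2006   current: Jan 17 16:07:05 2006
    diff: 9(s)  hard: 86400(s)  soft: 69120(s)
    current: 448(bytes)  hard: 0(bytes)  soft: 0(bytes)
203.0.113.1 198.51.100.1
    esp mode=tunnel spi=141064572(0x0868797c) reqid=20454(0x4fe6)
    created: Jan 17 16:06:56 2006   current: Jan 17 16:07:05 2006
    diff: 9(s)  hard: 86400(s)  soft: 69120(s)
# echo "dump;" | setkey -c
198.51.100.1 203.0.113.1
    esp mode=tunnel spi=207500804(0x0c5e3604) reqid=20455(0x4fe7)
    created: Jan 17 16:07:13 2006   current: Jan 17 16:07:18 2006
    diff: 5(s)  hard: 86400(s)  soft: 69120(s)
203.0.113.1 198.51.100.1
    esp mode=tunnel spi=125972949(0x078231d5) reqid=20456(0x4fe8)
    created: Jan 17 16:07:13 2006   current: Jan 17 16:07:18 2006
    diff: 5(s)  hard: 86400(s)  soft: 69120(s)
# echo "dump;" | setkey -c
No SAD entries.
"""


def parse_dumps(text):
    """Return one list of SA records per '# echo "dump;"' snapshot, in order."""
    dumps, cur, sa = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if DUMP_CMD.match(line):
            cur, sa = [], None
            dumps.append(cur)
            continue
        if cur is None:
            continue
        m = SA_HEADER.match(line)
        if m:                                   # "src dst" line opens a new SA record
            sa = SA(src=m.group(1), dst=m.group(2))
            cur.append(sa)
            continue
        if sa is None:
            continue
        m = SA_ESP.search(line)
        if m:
            sa.spi, sa.reqid = int(m.group(1)), int(m.group(2))
            continue
        m = SA_LIFE.search(line)                # only the "diff:" line carries the (s) lifetimes
        if m:
            sa.age, sa.hard, sa.soft = (int(g) for g in m.groups())
    return dumps


def churn_report(dumps):
    """Compare consecutive snapshots; an SA that vanishes while far younger than its
    soft lifetime was torn down, not rekeyed, which is the tunnel-bouncing signature."""
    distinct, vanished_early, max_age, prev = set(), [], 0, {}
    for dump in dumps:
        cur = {sa.spi: sa for sa in dump}
        distinct.update(cur)
        max_age = max([max_age] + [sa.age for sa in dump])
        for spi, sa in prev.items():            # age is as of the SA's last sighting
            if spi not in cur and sa.age < sa.soft:
                vanished_early.append(spi)
        prev = cur
    return {
        "dumps": len(dumps),
        "empty_dumps": sum(1 for d in dumps if not d),
        "distinct_spis": len(distinct),
        "max_age_seconds": max_age,
        "vanished_before_soft_lifetime": vanished_early,
        "bouncing": bool(vanished_early),
    }


if __name__ == "__main__":
    for key, value in churn_report(parse_dumps(SAMPLE_DUMPS)).items():
        print(f"{key}: {value}")
```

Run it against the real sequence by piping the saved dumps into `parse_dumps`; a report with `max_age_seconds` in the single digits and every SPI in `vanished_before_soft_lifetime` means the SAs are being replaced by fresh negotiations, not expiring, so the cause is on the IKE (racoon) side rather than in the lifetimes.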
Re: [pfSense Support] IPSec Problems
Regarding this e-mail: the shared keys are the same

-----Original Message-----
From: Pedro Paulo de Magalhaes Oliveira Junior [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 17 January 2006 15:12
To: support@pfsense.com
Subject: Re: [pfSense Support] IPSec Problems

I'm experiencing some problems with this IPSEC version. My tunnel opens, lasts sometimes and closes. My IPSEC section on both sides:

Side 1: 200.204.120.145
Side 2: 200.179.214.104

Side 1:
<ipsec>
  <preferredoldsa/>
  <enable/>
  <tunnel>
    <auto/>
    <interface>wan</interface>
    <local-subnet>
      <network>lan</network>
    </local-subnet>
    <remote-subnet>192.168.0.0/24</remote-subnet>
    <remote-gateway>200.179.214.104</remote-gateway>
    <p1>
      <mode>aggressive</mode>
      <myident>
        <myaddress/>
      </myident>
      <encryption-algorithm>3des</encryption-algorithm>
      <hash-algorithm>sha1</hash-algorithm>
      <dhgroup>2</dhgroup>
      <lifetime>86400</lifetime>
      <pre-shared-key>supersecret</pre-shared-key>
      <private-key/>
      <cert/>
      <peercert/>
      <authentication_method>pre_shared_key</authentication_method>
    </p1>
    <p2>
      <protocol>esp</protocol>
      <encryption-algorithm-option>3des</encryption-algorithm-option>
      <encryption-algorithm-option>blowfish</encryption-algorithm-option>
      <encryption-algorithm-option>cast128</encryption-algorithm-option>
      <encryption-algorithm-option>rijndael</encryption-algorithm-option>
      <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
      <hash-algorithm-option>hmac_md5</hash-algorithm-option>
      <pfsgroup>0</pfsgroup>
      <lifetime>86400</lifetime>
    </p2>
    <descr>NetfilterRJ</descr>
  </tunnel>
</ipsec>

Side 2:
<ipsec>
  <preferredoldsa/>
  <enable/>
  <tunnel>
    <auto/>
    <interface>wan</interface>
    <local-subnet>
      <network>lan</network>
    </local-subnet>
    <remote-subnet>192.168.1.0/24</remote-subnet>
    <remote-gateway>200.204.120.145</remote-gateway>
    <p1>
      <mode>aggressive</mode>
      <myident>
        <myaddress/>
      </myident>
      <encryption-algorithm>3des</encryption-algorithm>
      <hash-algorithm>sha1</hash-algorithm>
      <dhgroup>2</dhgroup>
      <lifetime>86400</lifetime>
      <pre-shared-key>supersecret</pre-shared-key>
      <private-key/>
      <cert/>
      <peercert/>
      <authentication_method>pre_shared_key</authentication_method>
    </p1>
    <p2>
      <protocol>esp</protocol>
      <encryption-algorithm-option>3des</encryption-algorithm-option>
      <encryption-algorithm-option>blowfish</encryption-algorithm-option>
      <encryption-algorithm-option>cast128</encryption-algorithm-option>
      <encryption-algorithm-option>rijndael</encryption-algorithm-option>
      <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
      <hash-algorithm-option>hmac_md5</hash-algorithm-option>
      <pfsgroup>0</pfsgroup>
      <lifetime>86400</lifetime>
    </p2>
    <descr>Netfilter SP</descr>
  </tunnel>
</ipsec>

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
Sent: Monday, 16 January 2006 14:24
To: support@pfsense.com
Subject: Re: [pfSense Support] IPSec Problems

Okay, if for some reason 0.6.5 is not out by the time we go to release I'll back down to 0.6.2.

Scott

On 1/16/06, John Cianfarani [EMAIL PROTECTED] wrote:
From the looks of it I don't know if it's exactly related; it seems that bug is related to the remote address being /32's, and all of the ones I have are /24's. Strange part is the mobile connection will work part of the time, but when it stops working it just seems to be dead.

John

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 16, 2006 11:07 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] IPSec Problems

We are waiting for 0.6.5 of IPSEC-Tools due to a bug
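The two config.xml excerpts in this thread are meant to be mirror images of each other, and the follow-up had to clarify that the pre-shared keys really do match. The following is an added example, not code from the mailing list or from pfSense: it parses two `<ipsec>` sections of the shape posted here, checks that each side's remote-gateway is the other side's WAN address and that the phase 1 / phase 2 parameters that must agree do agree (the PSK is compared but never printed), and separately lists the weak settings the posted configuration contains (aggressive mode with a PSK, pfsgroup 0, 3des, hmac_md5). The SIDE_TEMPLATE and the addresses and PSK placeholders are constructed; `build_side`, `compare_sides` and `policy_warnings` are this example's own helper names.

```python
"""Cross-check two pfSense-style <ipsec> tunnel sections (added example)."""
import xml.etree.ElementTree as ET

# Constructed template following the structure posted in the thread; {placeholders}
# are filled per side. Only the elements the checks look at are included.
SIDE_TEMPLATE = """<ipsec>
  <preferredoldsa/>
  <enable/>
  <tunnel>
    <auto/>
    <interface>wan</interface>
    <local-subnet><network>lan</network></local-subnet>
    <remote-subnet>{remote_subnet}</remote-subnet>
    <remote-gateway>{remote_gateway}</remote-gateway>
    <p1>
      <mode>aggressive</mode>
      <myident><myaddress/></myident>
      <encryption-algorithm>3des</encryption-algorithm>
      <hash-algorithm>sha1</hash-algorithm>
      <dhgroup>2</dhgroup>
      <lifetime>86400</lifetime>
      <pre-shared-key>{psk}</pre-shared-key>
      <authentication_method>pre_shared_key</authentication_method>
    </p1>
    <p2>
      <protocol>esp</protocol>
      <encryption-algorithm-option>3des</encryption-algorithm-option>
      <encryption-algorithm-option>rijndael</encryption-algorithm-option>
      <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
      <hash-algorithm-option>hmac_md5</hash-algorithm-option>
      <pfsgroup>0</pfsgroup>
      <lifetime>86400</lifetime>
    </p2>
    <descr>{descr}</descr>
  </tunnel>
</ipsec>
"""

# Phase 1/2 parameters that must be identical on both ends for IKEv1 to agree.
MUST_MATCH = ["p1/mode", "p1/encryption-algorithm", "p1/hash-algorithm", "p1/dhgroup",
              "p1/authentication_method", "p1/pre-shared-key", "p2/protocol", "p2/pfsgroup"]


def build_side(remote_gateway, remote_subnet, psk, descr):
    """Fill the constructed template for one side (hypothetical helper)."""
    return SIDE_TEMPLATE.format(remote_gateway=remote_gateway, remote_subnet=remote_subnet,
                                psk=psk, descr=descr)


def _text(node, tag):
    el = node.find(tag)
    return (el.text or "").strip() if el is not None else ""


def tunnel_fields(xml_text):
    """Flatten the first <tunnel> of an <ipsec> section into a comparable dict."""
    tunnel = ET.fromstring(xml_text).find("tunnel")
    p1, p2 = tunnel.find("p1"), tunnel.find("p2")
    fields = {"remote-gateway": _text(tunnel, "remote-gateway"),
              "remote-subnet": _text(tunnel, "remote-subnet")}
    for tag in ("mode", "encryption-algorithm", "hash-algorithm", "dhgroup",
                "authentication_method", "pre-shared-key"):
        fields["p1/" + tag] = _text(p1, tag)
    for tag in ("protocol", "pfsgroup"):
        fields["p2/" + tag] = _text(p2, tag)
    for tag in ("encryption-algorithm-option", "hash-algorithm-option"):
        fields["p2/" + tag] = sorted((e.text or "").strip() for e in p2.findall(tag))
    return fields


def compare_sides(xml_a, wan_a, xml_b, wan_b):
    """Return a list of mismatches between side A and side B (empty means consistent)."""
    a, b = tunnel_fields(xml_a), tunnel_fields(xml_b)
    problems = []
    if a["remote-gateway"] != wan_b:
        problems.append(f"side A remote-gateway {a['remote-gateway']} is not side B WAN {wan_b}")
    if b["remote-gateway"] != wan_a:
        problems.append(f"side B remote-gateway {b['remote-gateway']} is not side A WAN {wan_a}")
    for key in MUST_MATCH:
        if a[key] != b[key]:
            shown = "<redacted>" if key == "p1/pre-shared-key" else f"{a[key]!r} vs {b[key]!r}"
            problems.append(f"{key} differs: {shown}")
    if not set(a["p2/encryption-algorithm-option"]) & set(b["p2/encryption-algorithm-option"]):
        problems.append("no phase 2 encryption algorithm in common")
    return problems


def policy_warnings(xml_text):
    """Weak settings worth flagging even when both sides agree."""
    f, warnings = tunnel_fields(xml_text), []
    if f["p1/mode"] == "aggressive" and f["p1/authentication_method"] == "pre_shared_key":
        warnings.append("aggressive mode with PSK: identity hash sent in the clear, PSK open to offline guessing")
    if f["p2/pfsgroup"] == "0":
        warnings.append("pfsgroup 0: perfect forward secrecy disabled for phase 2")
    if f["p1/encryption-algorithm"] == "3des" or "3des" in f["p2/encryption-algorithm-option"]:
        warnings.append("3des offered: legacy 64-bit block cipher")
    if "hmac_md5" in f["p2/hash-algorithm-option"]:
        warnings.append("hmac_md5 offered for phase 2 integrity")
    return warnings


if __name__ == "__main__":
    side_a = build_side("203.0.113.1", "192.168.0.0/24", "PLACEHOLDER-PSK-A", "site-A")
    side_b = build_side("198.51.100.1", "192.168.1.0/24", "PLACEHOLDER-PSK-B", "site-B")
    print(compare_sides(side_a, "198.51.100.1", side_b, "203.0.113.1"))
    print(policy_warnings(side_a))
```

Pass each side's real WAN address alongside its section; with a mismatched PSK the checker reports exactly one difference without revealing either key, and with matching keys the mismatch list is empty while `policy_warnings` still lists the four weak settings carried by the posted configuration.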
Re: [pfSense Support] IPSec Problems
We are facing the same problem. And it also happens with non-mobile.

-----Original Message-----
From: John Cianfarani [mailto:[EMAIL PROTECTED]]
Sent: Monday, 16 January 2006 13:58
To: support@pfsense.com
Subject: [pfSense Support] IPSec Problems

Hey All,

I have been having some problems again with some of the Mobile Client IPSec. Not sure if there are any changes/improvements in Beta 2. (All sites are running Beta 1)

Here is the issue I've been having: IPsec tunnels seem to bounce quite frequently. While this could be caused by many issues, it seems that sometimes when the tunnel goes down it just won't come back up. Setup is a remote-pf site which is the mobile client and the central-pf host site that has a carp address, which is where the remote site builds the tunnel to. I haven't isolated which one the problem is with.

When the tunnel gets in this state I try to do the sourced ping from the remote-pf. I also have tried to restart the box and the tunnel will still not build. (See below for the ipsec.log after a reboot and a test ping). If I check the ipsec.log on the central-pf it is empty, as if there was no attempt. If I nmap both hosts it shows 500/udp open|filtered isakmp so it looks like it's bound correctly.

Now just for testing while it is in this state I can build a regular tunnel on the central-pf to the dynamic ip of the remote site and ping and the tunnel will come up right away.

Anything to check or try would be appreciated.

Thanks
John Cianfarani

Log from remote-pf after a reload and ping -c 10 -S LANIP REMOTELANIP

Jan 16 10:15:17 gw-remote1 racoon: INFO: @(#)ipsec-tools 0.6.4 (http://ipsec-tools.sourceforge.net)
Jan 16 10:15:17 gw-remote1 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
Jan 16 10:15:17 gw-remote1 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=8)
Jan 16 10:15:17 gw-remote1 racoon: INFO: ::1[500] used as isakmp port (fd=9)
Jan 16 10:15:17 gw-remote1 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
Jan 16 10:15:17 gw-remote1 racoon: INFO: re.mo.te.ip[500] used as isakmp port (fd=11)
Jan 16 10:15:17 gw-remote1 racoon: INFO: fe80::20d:b9ff:fe02:c6c6%sis2[500] used as isakmp port (fd=12)
Jan 16 10:15:17 gw-remote1 racoon: INFO: fe80::20d:b9ff:fe02:c6c5%sis1[500] used as isakmp port (fd=13)
Jan 16 10:15:17 gw-remote1 racoon: INFO: 192.168.0.1[500] used as isakmp port (fd=14)
Jan 16 10:15:17 gw-remote1 racoon: INFO: fe80::20d:b9ff:fe02:c6c4%sis0[500] used as isakmp port (fd=15)
Jan 16 10:15:17 gw-remote1 racoon: INFO: 172.16.10.1[500] used as isakmp port (fd=16)
Jan 16 10:15:18 gw-remote1 racoon: INFO: caught signal 15
Jan 16 10:15:19 gw-remote1 racoon: INFO: racoon shutdown
Jan 16 10:15:20 gw-remote1 racoon: INFO: @(#)ipsec-tools 0.6.4 (http://ipsec-tools.sourceforge.net)
Jan 16 10:15:20 gw-remote1 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
Jan 16 10:15:21 gw-remote1 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=7)
Jan 16 10:15:21 gw-remote1 racoon: INFO: ::1[500] used as isakmp port (fd=8)
Jan 16 10:15:21 gw-remote1 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=9)
Jan 16 10:15:21 gw-remote1 racoon: INFO: re.mo.te.ip[500] used as isakmp port (fd=10)
Jan 16 10:15:21 gw-remote1 racoon: INFO: fe80::20d:b9ff:fe02:c6c6%sis2[500] used as isakmp port (fd=11)
Jan 16 10:15:21 gw-remote1 racoon: INFO: fe80::20d:b9ff:fe02:c6c5%sis1[500] used as isakmp port (fd=12)
Jan 16 10:15:21 gw-remote1 racoon: INFO: 192.168.0.1[500] used as isakmp port (fd=13)
Jan 16 10:15:21 gw-remote1 racoon: INFO: fe80::20d:b9ff:fe02:c6c4%sis0[500] used as isakmp port (fd=14)
Jan 16 10:15:21 gw-remote1 racoon: INFO: 172.16.10.1[500] used as isakmp port (fd=15)
Jan 16 10:15:21 gw-remote1 racoon: ERROR: such policy already exists. anyway replace it: 172.16.10.0/24[0] 172.16.10.1/32[0] proto=any dir=in
Jan 16 10:15:21 gw-remote1 racoon: ERROR: such policy already exists. anyway replace it: 172.16.0.0/24[0] 172.16.10.0/24[0] proto=any dir=in
Jan 16 10:15:21 gw-remote1 racoon: ERROR: such policy already exists. anyway replace it: 172.16.10.1/32[0] 172.16.10.0/24[0] proto=any dir=out
Jan 16 10:15:21 gw-remote1 racoon: ERROR: such policy already exists. anyway replace it: 172.16.10.0/24[0] 172.16.0.0/24[0] proto=any dir=out
Jan 16 10:16:01 gw-remote1 racoon: INFO: IPsec-SA request for ce.nt.ral.ip queued due to no phase1 found.
Jan 16 10:16:01 gw-remote1 racoon: INFO: initiate new phase 1 negotiation: re.mo.te.ip[500]<=>ce.nt.ral.ip[500]
Jan 16 10:16:01 gw-remote1 racoon: INFO: begin Aggressive mode.
Jan 16 10:16:32 gw-remote1 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP ce.nt.ral.ip[0]->re.mo.te.ip[0]
Jan 16 10:16:32 gw-remote1 racoon: INFO: delete phase 2 handler.
Jan 16 10:17:00 gw-remote1 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Jan 16 10:17:01 gw-remote1 racoon: ERROR:
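The racoon log above, read together with the NAT-T discussion earlier on this page (racoon bound only on 500/udp, nothing on 4500/udp, a phase 1 that is initiated but never answered), carries the whole diagnosis if you know which lines to count. The following is an added example, not code from the mailing list or from pfSense/ipsec-tools: it summarizes a racoon log of this format, listing which local endpoints and UDP ports racoon bound (so the absence of 4500, i.e. no NAT-T, is visible at a glance), counting daemon restarts, duplicate-policy warnings, phase 1 initiations and "time up waiting for phase1" failures, and turning those counts into a short verdict. SAMPLE_LOG is constructed from the shape of the posted log and keeps the poster's re.mo.te.ip / ce.nt.ral.ip placeholders.

```python
"""Summarize a racoon (ipsec-tools) log: bindings, restarts, phase 1 outcome (added example)."""
import re

BIND_RE = re.compile(r"INFO: (\S+)\[(\d+)\] used as isakmp port")
PHASE1_RE = re.compile(r"initiate new phase 1 negotiation: (\S+)\[\d+\]<=>(\S+)\[\d+\]")
PHASE1_TIMEOUT = "time up waiting for phase1"
DUP_POLICY = "such policy already exists"
SHUTDOWN = "racoon shutdown"
AGGRESSIVE = "begin Aggressive mode"

# Constructed sample in the format of the thread's log (placeholder peer addresses kept).
SAMPLE_LOG = """\
Jan 16 10:15:17 gw-remote1 racoon: INFO: @(#)ipsec-tools 0.6.4 (http://ipsec-tools.sourceforge.net)
Jan 16 10:15:17 gw-remote1 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
Jan 16 10:15:17 gw-remote1 racoon: INFO: re.mo.te.ip[500] used as isakmp port (fd=11)
Jan 16 10:15:17 gw-remote1 racoon: INFO: 192.168.0.1[500] used as isakmp port (fd=14)
Jan 16 10:15:18 gw-remote1 racoon: INFO: caught signal 15
Jan 16 10:15:19 gw-remote1 racoon: INFO: racoon shutdown
Jan 16 10:15:20 gw-remote1 racoon: INFO: @(#)ipsec-tools 0.6.4 (http://ipsec-tools.sourceforge.net)
Jan 16 10:15:21 gw-remote1 racoon: INFO: re.mo.te.ip[500] used as isakmp port (fd=10)
Jan 16 10:15:21 gw-remote1 racoon: INFO: 192.168.0.1[500] used as isakmp port (fd=13)
Jan 16 10:15:21 gw-remote1 racoon: ERROR: such policy already exists. anyway replace it: 172.16.10.0/24[0] 172.16.10.1/32[0] proto=any dir=in
Jan 16 10:15:21 gw-remote1 racoon: ERROR: such policy already exists. anyway replace it: 172.16.10.1/32[0] 172.16.10.0/24[0] proto=any dir=out
Jan 16 10:16:01 gw-remote1 racoon: INFO: IPsec-SA request for ce.nt.ral.ip queued due to no phase1 found.
Jan 16 10:16:01 gw-remote1 racoon: INFO: initiate new phase 1 negotiation: re.mo.te.ip[500]<=>ce.nt.ral.ip[500]
Jan 16 10:16:01 gw-remote1 racoon: INFO: begin Aggressive mode.
Jan 16 10:16:32 gw-remote1 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP ce.nt.ral.ip[0]->re.mo.te.ip[0]
Jan 16 10:16:32 gw-remote1 racoon: INFO: delete phase 2 handler.
"""


def summarize_racoon(log_text):
    """Count the events that matter for a tunnel that will not come up."""
    ports, endpoints, peers = set(), set(), set()
    counts = {"phase1_initiated": 0, "phase1_timeouts": 0, "duplicate_policy": 0,
              "restarts": 0, "aggressive_mode": 0}
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:                                   # one line per bound address/port pair
            endpoints.add(m.group(1))
            ports.add(int(m.group(2)))
            continue
        m = PHASE1_RE.search(line)
        if m:
            counts["phase1_initiated"] += 1
            peers.add(m.group(2))               # right-hand side is the responder we dialled
            continue
        if PHASE1_TIMEOUT in line:
            counts["phase1_timeouts"] += 1
        elif DUP_POLICY in line:
            counts["duplicate_policy"] += 1
        elif SHUTDOWN in line:
            counts["restarts"] += 1
        elif AGGRESSIVE in line:
            counts["aggressive_mode"] += 1
    summary = dict(counts)
    summary["isakmp_ports"] = sorted(ports)
    summary["nat_t_bound"] = 4500 in ports      # UDP/4500 is where NAT-T (RFC 3947) would listen
    summary["endpoints"] = sorted(endpoints)
    summary["peers"] = sorted(peers)
    summary["verdict"] = verdict(counts, ports)
    return summary


def verdict(counts, ports):
    """Plain-language reading of the counts."""
    if counts["phase1_initiated"] and counts["phase1_timeouts"] >= counts["phase1_initiated"]:
        msg = "no phase 1 reply from the peer: check that UDP/500 reaches the remote racoon"
        if 4500 not in ports:
            msg += "; UDP/4500 is not bound, so NAT-T cannot be used through NAT"
        return msg
    if counts["phase1_initiated"]:
        return "phase 1 was initiated and not every attempt timed out"
    return "no phase 1 negotiation was initiated in this log"


if __name__ == "__main__":
    for key, value in summarize_racoon(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

For a log like John's, `isakmp_ports` is `[500]`, `nat_t_bound` is false, and one initiation matching one timeout gives the verdict that the peer never answered; when the same summary on the central side shows no initiation at all, the IKE packets are not arriving there, which points at the path (forwarding, NAT, the CARP address) rather than at the SA settings. The `aggressive_mode` count is kept because aggressive mode with a pre-shared key exposes the identity hash in the clear, which the posted configurations use.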
Re: [pfSense Support] IPSec Problems
Is the same problem. Racoon is dead.

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Monday, January 16, 2006 14:07
To: support@pfsense.com
Subject: Re: [pfSense Support] IPSec Problems

We are waiting for 0.6.5 of IPSEC-Tools due to a bug. Is this the same?

http://article.gmane.org/gmane.comp.security.firewalls.m0n0wall/23905

Scott

On 1/16/06, Pedro Paulo de Magalhaes Oliveira Junior [EMAIL PROTECTED] wrote:

We are facing the same problem. And it also happens with non mobile.

-Original Message-
From: John Cianfarani [mailto:[EMAIL PROTECTED]
Sent: Monday, January 16, 2006 13:58
To: support@pfsense.com
Subject: [pfSense Support] IPSec Problems

Hey All,

I have been having some problems again with some of the Mobile Client IPSec. Not sure if there are any changes/improvements in Beta 2. (All sites are running Beta 1.)

Here is the issue I've been having: IPsec tunnels seem to bounce quite frequently. While this could be caused by many issues, it seems that sometimes when the tunnel goes down it just won't come back up. Setup is a remote-pf site, which is the mobile client, and the central-pf host site, which has a CARP address that the remote site builds the tunnel to. I haven't isolated which one the problem is with.

When the tunnel gets in this state I try to do the sourced ping from the remote-pf. I also have tried to restart the box and the tunnel will still not build. (See below for the ipsec.log after a reboot and a test ping.) If I check the ipsec.log on the central-pf it is empty, as if there was no attempt.

If I nmap both hosts it shows 500/udp open|filtered isakmp, so it looks like it's bound correctly. Now, just for testing while it is in this state, I can build a regular tunnel on the central-pf to the dynamic IP of the remote site and ping, and the tunnel will come up right away.

Anything to check or try would be appreciated.

Thanks
John Cianfarani

Log from remote-pf after a reload and ping -c 10 -S LANIP REMOTELANIP:

Jan 16 10:15:17 gw-remote1 racoon: INFO: @(#)ipsec-tools 0.6.4 (http://ipsec-tools.sourceforge.net)
Jan 16 10:15:17 gw-remote1 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
Jan 16 10:15:17 gw-remote1 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=8)
Jan 16 10:15:17 gw-remote1 racoon: INFO: ::1[500] used as isakmp port (fd=9)
Jan 16 10:15:17 gw-remote1 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
Jan 16 10:15:17 gw-remote1 racoon: INFO: re.mo.te.ip[500] used as isakmp port (fd=11)
Jan 16 10:15:17 gw-remote1 racoon: INFO: fe80::20d:b9ff:fe02:c6c6%sis2[500] used as isakmp port (fd=12)
Jan 16 10:15:17 gw-remote1 racoon: INFO: fe80::20d:b9ff:fe02:c6c5%sis1[500] used as isakmp port (fd=13)
Jan 16 10:15:17 gw-remote1 racoon: INFO: 192.168.0.1[500] used as isakmp port (fd=14)
Jan 16 10:15:17 gw-remote1 racoon: INFO: fe80::20d:b9ff:fe02:c6c4%sis0[500] used as isakmp port (fd=15)
Jan 16 10:15:17 gw-remote1 racoon: INFO: 172.16.10.1[500] used as isakmp port (fd=16)
Jan 16 10:15:18 gw-remote1 racoon: INFO: caught signal 15
Jan 16 10:15:19 gw-remote1 racoon: INFO: racoon shutdown
Jan 16 10:15:20 gw-remote1 racoon: INFO: @(#)ipsec-tools 0.6.4 (http://ipsec-tools.sourceforge.net)
Jan 16 10:15:20 gw-remote1 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
Jan 16 10:15:21 gw-remote1 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=7)
Jan 16 10:15:21 gw-remote1 racoon: INFO: ::1[500] used as isakmp port (fd=8)
Jan 16 10:15:21 gw-remote1 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=9)
Jan 16 10:15:21 gw-remote1 racoon: INFO: re.mo.te.ip[500] used as isakmp port (fd=10)
Jan 16 10:15:21 gw-remote1 racoon: INFO: fe80::20d:b9ff:fe02:c6c6%sis2[500] used as isakmp port (fd=11)
Jan 16 10:15:21 gw-remote1 racoon: INFO: fe80::20d:b9ff:fe02:c6c5%sis1[500] used as isakmp port (fd=12)
Jan 16 10:15:21 gw-remote1 racoon: INFO: 192.168.0.1[500] used as isakmp port (fd=13)
Jan 16 10:15:21 gw-remote1 racoon: INFO: fe80::20d:b9ff:fe02:c6c4%sis0[500] used as isakmp port (fd=14)
Jan 16 10:15:21 gw-remote1 racoon: INFO: 172.16.10.1[500] used as isakmp port (fd=15)
Jan 16 10:15:21 gw-remote1 racoon: ERROR: such policy already exists. anyway replace it: 172.16.10.0/24[0] 172.16.10.1/32[0] proto=any dir=in
Jan 16 10:15:21 gw-remote1 racoon: ERROR: such policy already exists. anyway replace it: 172.16.0.0/24[0] 172.16.10.0/24[0] proto=any dir=in
Jan 16 10:15:21 gw-remote1 racoon: ERROR: such policy already exists. anyway replace it: 172.16.10.1/32[0] 172.16.10.0/24[0] proto=any dir=out
Jan 16 10:15:21 gw-remote1 racoon: ERROR: such policy already exists. anyway replace it: 172.16.10.0/24[0] 172.16.0.0/24[0] proto=any dir=out
Jan 16 10:16:01 gw-remote1 racoon: INFO: IPsec-SA request for ce.nt.ral.ip queued due to no phase1 found.
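The racoon log quoted above shows the SPD being reloaded over live entries, a phase 1 being initiated in Aggressive mode, and phase 2 then timing out because no ISAKMP SA ever came up. As an added example (not from this thread, nor from pfSense or ipsec-tools), here is a small Python triage script that parses racoon syslog lines of that shape, counts the failure signatures, and names the peers for which a phase 1 was started but never established; the "ISAKMP-SA established" wording it looks for is assumed, and the embedded log sample is constructed from the lines quoted in the thread.

```python
import re
from collections import Counter

# Racoon line as written by syslog: "Jan 16 10:16:01 gw-remote1 racoon: INFO: <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) racoon: "
                     r"(?P<level>[A-Z]+): (?P<msg>.*)$")
# Phase 1 start: "<local>[500]<=><peer>[500]"; separator matched loosely (mail archives strip "<>").
PH1_START_RE = re.compile(r"initiate new phase 1 negotiation: (\S+)\[\d+\]\W+(\S+)\[\d+\]")
# Success wording is assumed, not taken from the thread: its log never gets this far.
PH1_UP_RE = re.compile(r"ISAKMP-SA established \S+\[\d+\]-(\S+)\[\d+\]")

# Constructed sample, modelled on the remote-pf log quoted in the thread (second racoon start).
SAMPLE_LOG = """\
Jan 16 10:15:21 gw-remote1 racoon: INFO: re.mo.te.ip[500] used as isakmp port (fd=10)
Jan 16 10:15:21 gw-remote1 racoon: ERROR: such policy already exists. anyway replace it: 172.16.10.0/24[0] 172.16.10.1/32[0] proto=any dir=in
Jan 16 10:15:21 gw-remote1 racoon: ERROR: such policy already exists. anyway replace it: 172.16.10.1/32[0] 172.16.10.0/24[0] proto=any dir=out
Jan 16 10:16:01 gw-remote1 racoon: INFO: IPsec-SA request for ce.nt.ral.ip queued due to no phase1 found.
Jan 16 10:16:01 gw-remote1 racoon: INFO: initiate new phase 1 negotiation: re.mo.te.ip[500]<=>ce.nt.ral.ip[500]
Jan 16 10:16:01 gw-remote1 racoon: INFO: begin Aggressive mode.
Jan 16 10:16:32 gw-remote1 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP ce.nt.ral.ip[0]->re.mo.te.ip[0]
Jan 16 10:17:00 gw-remote1 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
"""

def parse(text):
    """Yield (timestamp, level, message) for each line that looks like racoon output."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ts"], m["level"], m["msg"]

def triage(text):
    """Count the failure signatures and name peers whose phase 1 started but never came up."""
    counts = Counter()
    initiated, established = set(), set()
    for _ts, _level, msg in parse(text):
        if m := PH1_START_RE.search(msg):
            initiated.add(m.group(2))
        elif m := PH1_UP_RE.search(msg):
            established.add(m.group(1))
        elif "begin Aggressive mode" in msg:
            counts["aggressive_mode"] += 1  # identities go out before encryption; Main mode is preferable
        elif "time up waiting for phase1" in msg:
            counts["phase1_timeouts"] += 1  # the peer never answered the ISAKMP exchange
        elif "queued due to no phase1 found" in msg:
            counts["queued_no_phase1"] += 1  # traffic waiting on an ISAKMP SA that does not exist
        elif "such policy already exists" in msg:
            counts["duplicate_spd_entries"] += 1  # SPD reloaded over entries still in the kernel
    peers_down = sorted(initiated - established)
    if peers_down and counts["phase1_timeouts"]:
        verdict = "phase 1 never completes; no ISAKMP reply from " + ", ".join(peers_down)
    elif peers_down:
        verdict = "phase 1 still pending for " + ", ".join(peers_down)
    else:
        verdict = "no stuck phase 1 found"
    return {"counts": dict(counts), "peers_down": peers_down, "verdict": verdict}
```

Run against the sample, the verdict points at ce.nt.ral.ip as the peer that never answered, which matches the empty ipsec.log on the central-pf side described above.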
RE: [pfSense Support] IPSec Problems
It seems that 0.6.2 is the last working version.

-Original Message-
From: Pedro Paulo de Magalhaes Oliveira Junior [mailto:[EMAIL PROTECTED]
Sent: Monday, January 16, 2006 14:19
To: support@pfsense.com
Subject: RE: [pfSense Support] IPSec Problems

Is the same problem. Racoon is dead.
RE: [pfSense Support] IPSec Problems
My problem is packet loss:

C:\Documents and Settings\Administrador>ping -t 192.168.0.252

Sending to 192.168.0.252 with 32 bytes data:

Request timeout.
Reply from 192.168.0.252: bytes=32 tempo=146ms TTL=126
Reply from 192.168.0.252: bytes=32 tempo=72ms TTL=126
Reply from 192.168.0.252: bytes=32 tempo=116ms TTL=126
Reply from 192.168.0.252: bytes=32 tempo=116ms TTL=126
Request timeout.
Request timeout.
Reply from 192.168.0.252: bytes=32 tempo=158ms TTL=126
Reply from 192.168.0.252: bytes=32 tempo=169ms TTL=126
Request timeout.
Request timeout.
Reply from 192.168.0.252: bytes=32 tempo=210ms TTL=126
Reply from 192.168.0.252: bytes=32 tempo=266ms TTL=126
Reply from 192.168.0.252: bytes=32 tempo=63ms TTL=126
Reply from 192.168.0.252: bytes=32 tempo=84ms TTL=126
Reply from 192.168.0.252: bytes=32 tempo=139ms TTL=126
Reply from 192.168.0.252: bytes=32 tempo=131ms TTL=126
Reply from 192.168.0.252: bytes=32 tempo=136ms TTL=126
Request timeout.
Request timeout.
Reply from 192.168.0.252: bytes=32 tempo=234ms TTL=126
Reply from 192.168.0.252: bytes=32 tempo=57ms TTL=126
Request timeout.
Request timeout.
Reply from 192.168.0.252: bytes=32 tempo=62ms TTL=126
Request timeout.
Request timeout.
Reply from 192.168.0.252: bytes=32 tempo=84ms TTL=126

Ping to 192.168.0.252:
    Pacotes: Sent = 28, Received = 17, Lost = 11 (39% loss),
Roundtrip:
    Mínimo = 57ms, Máximo = 266ms, Média = 131ms

-Original Message-
From: John Cianfarani [mailto:[EMAIL PROTECTED]
Sent: Monday, January 16, 2006 14:21
To: support@pfsense.com
Subject: RE: [pfSense Support] IPSec Problems

From the looks of it I don't know if it's exactly related. It seems that bug is related to the remote address being /32s; all of the ones I have are /24s. Strange part is the mobile connection will work part of the time, but when it stops working it just seems to be dead.

John
[pfSense Support] Crash Disk problems
Hey Guys,

I'm using the latest version of pfSense and experienced two disk crashes with two different machines in the last days. This usually happens when we simulate a power failure (something that should happen at a client using pfSense), and when we power on again the loading process stops after the kernel load. Many times it can recover from a power failure, but these times no. I don't know if it was bad luck or something wrong.

One suggestion: we could keep some parts of pfSense in a read-only partition to keep it safe.

Regards,
Pedro Paulo Jr
RE: [pfSense Support] Crash Disk problems
Yes. A UPS is one solution... But it seems that usual FreeBSD is more robust in this aspect.

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Friday, January 13, 2006 15:37
To: support@pfsense.com
Subject: Re: [pfSense Support] Crash Disk problems

Or a UPS