Re: [pfSense Support] IPSEC over an OPT interface Problems
I still need to fix the OPTx firewall rule issue. I am hoping to knock it out this weekend. Scott On 4/6/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote: I should also add, in case it matters that all of the remote end-points are either Linksys RV082's, Linksys RV016's, Hotbrick 800/2's, or Netgear FVS338's. All of the remote end-points are configured with static IP's and any ISP supplied routers are configured solely as bridge devices. If PPPoE is being used, I have the remote Linksys, Netgear, or Hotbrick performing the PPPoE. These remote end points operate over a combination of Cable, ADSL, and wireless Internet access from their various ISP's. I have learned that, if the ISP's supplied router/firewall is doing any sort of NAT or port forwarding, it just kills IPSEC VPN stability. This seems especially true for the Linksys and Netgear devices that I've run across. Vaughn Vaughn L. Reid III wrote: > No. The only things that I added/changed were the firewall rules. > Actually, I don't have manually entered static routes configured for > any of my IPSEC connections, and they all work. When I pull up the > routing table, I have noticed that the pfsense box appears to > automatically add the routes. > > Vaughn > > [EMAIL PROTECTED] wrote: >> Do you have static routes set up as well? >> >> >>> I just wanted to report an update of how my IPSEC over OPTx is working. >>> It's been a few days, now since I set up the manual rules on the OPTx >>> interface that I wanted to use for IPSEC. Since I set up the rules >>> listed in my previous post, my IPSEC VPN's over the OPTx interface are >>> working well and seem very stable. >>> >>> Vaughn >>> >>> Vaughn L. Reid III wrote: >>> Just to be thorough, I added two more rules to the firewall's OPT interface to make sure all the IPSEC stuff gets through. I'm fuzzy on if the last two are needed, but just to be safe, I added them. Here are all the rule that I've added: Rules in the format listed below: Format: Protocol Source Port Destination Port Gateway Schedule 1. UDP * * Interface IP Address 500 * Blank 2. ESP * * Interface IP Address * * Blank 3. AH * * Interface IP Address * * Blank 4. GRE * * Interface IP Address * * Blank Vaughn >> >> >> - >> To unsubscribe, e-mail: [EMAIL PROTECTED] >> For additional commands, e-mail: [EMAIL PROTECTED] >> >> > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] IPSEC over an OPT interface Problems
I should also add, in case it matters that all of the remote end-points are either Linksys RV082's, Linksys RV016's, Hotbrick 800/2's, or Netgear FVS338's. All of the remote end-points are configured with static IP's and any ISP supplied routers are configured solely as bridge devices. If PPPoE is being used, I have the remote Linksys, Netgear, or Hotbrick performing the PPPoE. These remote end points operate over a combination of Cable, ADSL, and wireless Internet access from their various ISP's. I have learned that, if the ISP's supplied router/firewall is doing any sort of NAT or port forwarding, it just kills IPSEC VPN stability. This seems especially true for the Linksys and Netgear devices that I've run across. Vaughn Vaughn L. Reid III wrote: No. The only things that I added/changed were the firewall rules. Actually, I don't have manually entered static routes configured for any of my IPSEC connections, and they all work. When I pull up the routing table, I have noticed that the pfsense box appears to automatically add the routes. Vaughn [EMAIL PROTECTED] wrote: Do you have static routes set up as well? I just wanted to report an update of how my IPSEC over OPTx is working. It's been a few days, now since I set up the manual rules on the OPTx interface that I wanted to use for IPSEC. Since I set up the rules listed in my previous post, my IPSEC VPN's over the OPTx interface are working well and seem very stable. Vaughn Vaughn L. Reid III wrote: Just to be thorough, I added two more rules to the firewall's OPT interface to make sure all the IPSEC stuff gets through. I'm fuzzy on if the last two are needed, but just to be safe, I added them. Here are all the rule that I've added: Rules in the format listed below: Format: Protocol Source Port Destination Port Gateway Schedule 1. UDP * * Interface IP Address 500 * Blank 2. ESP * * Interface IP Address * * Blank 3. AH * * Interface IP Address * * Blank 4. GRE * * Interface IP Address * * Blank Vaughn - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] IPSEC over an OPT interface Problems
No. The only things that I added/changed were the firewall rules. Actually, I don't have manually entered static routes configured for any of my IPSEC connections, and they all work. When I pull up the routing table, I have noticed that the pfsense box appears to automatically add the routes. Vaughn [EMAIL PROTECTED] wrote: Do you have static routes set up as well? I just wanted to report an update of how my IPSEC over OPTx is working. It's been a few days, now since I set up the manual rules on the OPTx interface that I wanted to use for IPSEC. Since I set up the rules listed in my previous post, my IPSEC VPN's over the OPTx interface are working well and seem very stable. Vaughn Vaughn L. Reid III wrote: Just to be thorough, I added two more rules to the firewall's OPT interface to make sure all the IPSEC stuff gets through. I'm fuzzy on if the last two are needed, but just to be safe, I added them. Here are all the rule that I've added: Rules in the format listed below: Format: Protocol Source Port Destination Port Gateway Schedule 1. UDP * * Interface IP Address 500 * Blank 2. ESP * * Interface IP Address * * Blank 3. AH * * Interface IP Address * * Blank 4. GRE * * Interface IP Address * * Blank Vaughn - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] IPSEC over an OPT interface Problems
Do you have static routes set up as well? > I just wanted to report an update of how my IPSEC over OPTx is working. > It's been a few days, now since I set up the manual rules on the OPTx > interface that I wanted to use for IPSEC. Since I set up the rules > listed in my previous post, my IPSEC VPN's over the OPTx interface are > working well and seem very stable. > > Vaughn > > Vaughn L. Reid III wrote: >> Just to be thorough, I added two more rules to the firewall's OPT >> interface to make sure all the IPSEC stuff gets through. I'm fuzzy on >> if the last two are needed, but just to be safe, I added them. >> >> Here are all the rule that I've added: >> Rules in the format listed below: >> Format: Protocol Source Port Destination Port >> Gateway Schedule >> 1. UDP * * Interface IP Address 500 * Blank >> 2. ESP * * Interface IP Address * * Blank >> 3. AH * * Interface IP Address * * Blank >> 4. GRE * * Interface IP Address * * Blank >> >> Vaughn - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] IPSEC over an OPT interface Problems
I just wanted to report an update of how my IPSEC over OPTx is working. It's been a few days, now since I set up the manual rules on the OPTx interface that I wanted to use for IPSEC. Since I set up the rules listed in my previous post, my IPSEC VPN's over the OPTx interface are working well and seem very stable. Vaughn Vaughn L. Reid III wrote: Just to be thorough, I added two more rules to the firewall's OPT interface to make sure all the IPSEC stuff gets through. I'm fuzzy on if the last two are needed, but just to be safe, I added them. Here are all the rule that I've added: Rules in the format listed below: Format: Protocol Source Port Destination Port Gateway Schedule 1. UDP * * Interface IP Address 500 * Blank 2. ESP * * Interface IP Address * * Blank 3. AH * * Interface IP Address * * Blank 4. GRE * * Interface IP Address * * Blank Vaughn On Mon, 02 Apr 2007 20:43:38 -0400, "Vaughn L. Reid III" <[EMAIL PROTECTED]> said: Interesting, This version of the firmware doesn't even list the VPN tunnel that is configured for the OPT interface in the vpn section of /tmp/rules.debug. The tunnel definition is listed in the GUI, and it's working with the manual rules because I'm in the process of accessing remote resources now. In /tmp/rules.debug, however, it's like the vpn out the opt interface just doesn't exist. I checked the firewall rules section of /tmp/rules.debug, and the manual rules that I added are there. Also, the firmware version that I was using when I started this thread last week showed the VPN tunnel definition in /tmp/rules.debug, but it showed the wrong interface. Vaughn On Mon, 2 Apr 2007 20:32:47 -0400, "Scott Ullrich" <[EMAIL PROTECTED]> said: On 4/2/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote: Here are the rules for the interface in question that seem to make the IPSEC tunnel work: [snip] Look in /tmp/rules.debug and search for IPSEC. Do you see rules permitting traffic to the interface? Scott - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] IPSEC over an OPT interface Problems
Just to be thorough, I added two more rules to the firewall's OPT interface to make sure all the IPSEC stuff gets through. I'm fuzzy on if the last two are needed, but just to be safe, I added them. Here are all the rule that I've added: Rules in the format listed below: Format: Protocol Source Port Destination Port Gateway Schedule 1. UDP * * Interface IP Address 500 * Blank 2. ESP * * Interface IP Address * * Blank 3. AH * * Interface IP Address * * Blank 4. GRE * * Interface IP Address * * Blank Vaughn On Mon, 02 Apr 2007 20:43:38 -0400, "Vaughn L. Reid III" <[EMAIL PROTECTED]> said: > Interesting, > > This version of the firmware doesn't even list the VPN tunnel that is > configured for the OPT interface in the vpn section of /tmp/rules.debug. > The tunnel definition is listed in the GUI, and it's working with the > manual rules because I'm in the process of accessing remote resources > now. > > In /tmp/rules.debug, however, it's like the vpn out the opt interface > just doesn't exist. I checked the firewall rules section of > /tmp/rules.debug, and the manual rules that I added are there. > > Also, the firmware version that I was using when I started this thread > last week showed the VPN tunnel definition in /tmp/rules.debug, but it > showed the wrong interface. > > Vaughn > > > On Mon, 2 Apr 2007 20:32:47 -0400, "Scott Ullrich" <[EMAIL PROTECTED]> > said: > > On 4/2/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote: > > > Here are the rules for the interface in question that seem to make the > > > IPSEC tunnel work: > > [snip] > > > > Look in /tmp/rules.debug and search for IPSEC. > > > > Do you see rules permitting traffic to the interface? > > > > Scott > > > > - > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > For additional commands, e-mail: [EMAIL PROTECTED] > > > > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] IPSEC over an OPT interface Problems
Interesting, This version of the firmware doesn't even list the VPN tunnel that is configured for the OPT interface in the vpn section of /tmp/rules.debug. The tunnel definition is listed in the GUI, and it's working with the manual rules because I'm in the process of accessing remote resources now. In /tmp/rules.debug, however, it's like the vpn out the opt interface just doesn't exist. I checked the firewall rules section of /tmp/rules.debug, and the manual rules that I added are there. Also, the firmware version that I was using when I started this thread last week showed the VPN tunnel definition in /tmp/rules.debug, but it showed the wrong interface. Vaughn On Mon, 2 Apr 2007 20:32:47 -0400, "Scott Ullrich" <[EMAIL PROTECTED]> said: > On 4/2/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote: > > Here are the rules for the interface in question that seem to make the > > IPSEC tunnel work: > [snip] > > Look in /tmp/rules.debug and search for IPSEC. > > Do you see rules permitting traffic to the interface? > > Scott > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] IPSEC over an OPT interface Problems
On 4/2/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote: Here are the rules for the interface in question that seem to make the IPSEC tunnel work: [snip] Look in /tmp/rules.debug and search for IPSEC. Do you see rules permitting traffic to the interface? Scott - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] IPSEC over an OPT interface Problems
Here are the rules for the interface in question that seem to make the IPSEC tunnel work: Rules in the format listed below: Format: Protocol Source Port Destination Port Gateway Schedule 1. UDP * * Interface IP Address 500 * Blank 2. ESP * * Interface IP Address * * Blank Vaughn On Mon, 2 Apr 2007 20:11:10 -0400, "Scott Ullrich" <[EMAIL PROTECTED]> said: > On 4/2/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote: > > I've just tested the most recent pfsense update available on > > http://snapshots.pfsense.com/FreeBSD6/RELENG_1/updates/ > > Please show the IPSEC rules that are relevant to the interface in > question as you did prior. > > Thanks! > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] IPSEC over an OPT interface Problems
On 4/2/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote: I've just tested the most recent pfsense update available on http://snapshots.pfsense.com/FreeBSD6/RELENG_1/updates/ Please show the IPSEC rules that are relevant to the interface in question as you did prior. Thanks! - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] IPSEC over an OPT interface Problems
I've just tested the most recent pfsense update available on http://snapshots.pfsense.com/FreeBSD6/RELENG_1/updates/ Here is the system's firmware information: 1.0.1-SNAPSHOT-03-27-2007 built on Mon Apr 2 19:21:19 EDT 2007 My results indicate that IPSEC over OPTx still does not work without explicitly opening UDP 500 and ESP on the interface in question to allow the interface's IP address to accept these two items. I believe that this may still be an older firmware, but I do not see a newer firmware available in the update format. At this time, I am also not in a position to test an .iso file. To do that, I will need to wait for the weekend when firewall usage is low. Vaughn On Fri, 30 Mar 2007 12:23:44 -0400, "Vaughn L. Reid III" <[EMAIL PROTECTED]> said: > I'll check back later this evening or Monday day sometime. > > Thanks, > > Vaughn > > Scott Ullrich wrote: > > This is an old image. The snapshot server has been down for some > > time... Try again 2-3 hours from now or on Monday. > > > > Scott > > > > > > On 3/30/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote: > >> I just tried implementing IPSEC over an OPT interface using the > >> pfsense.iso file from March 29, 2007 at 7:19 p.m. > >> > >> Here are my results. IPSEC will not work over my OPT2 Interface without > >> adding specific firewall rules to the OPT2 interface to allow UDP 500 > >> and ESP to connect to that interface's IP address. > >> > >> Once I manually add the rules, the tunnels get created and work > >> correctly over the OPT2 interface. Before I manually added the rules to > >> the OPT2 interface, I noticed that there was no SAD listing to the > >> tunnel being tested. Both ends of the tunnel were, however, listed on > >> the SPD tab of the IPSEC tunnel diagnostic page. > >> > >> Once I added the needed firewall rules to the OPT2 interface, the VPN > >> tunnel immediately set up and started working. At that time, the proper > >> entries appeared in the SAD on the IPSEC diagnostic page. > >> > >> Also, I noticed during the loading of the pfsense firewall software > >> while it was connecting services, etc. that an error message appeared > >> that stated that there was an invalid argument foreach on line 7 of the > >> /etc/inc/vslb.inc file. Don't quote me on the line number, but I'm > >> pretty sure it was line 7. I'm not sure if this is related to my IPSEC > >> issue, but I thought I'd comment in case it is relevant. > >> > >> Thanks, > >> > >> Vaughn Reid III > >> > >> Tunge2 wrote: > >> > If this is working it would be a great step a head :) > >> > > >> > -Oorspronkelijk bericht- > >> > Van: Vaughn L. Reid III [mailto:[EMAIL PROTECTED] > >> > Verzonden: vrijdag 30 maart 2007 1:08 > >> > Aan: support@pfsense.com > >> > Onderwerp: Re: [pfSense Support] IPSEC over an OPT interface Problems > >> > > >> > Have the IPSEC changes been committed and built yet? I'm looking > >> at the > >> > update files, and they all still say March 27 2007. I'm using this > >> > repository http://snapshots.pfsense.com/FreeBSD6/RELENG_1/updates/ > >> > > >> > Should I be looking somewhare else for the update with the IPSEC fix? > >> > > >> > Thanks, > >> > > >> > Vaughn > >> > > >> > On Thu, 29 Mar 2007 15:26:58 -0400, "Vaughn L. Reid III" > >> > <[EMAIL PROTECTED]> said: > >> > > >> >> Thanks for your hard work. I appreciate it and I'm sure my customers > >> >> do too. > >> >> > >> >> Vaughn > >> >> > >> >> Vaughn L. Reid III wrote: > >> >> > >> >>> The ones ones that say Computer Support are from the test tunnel > >> >>> that I created to use OPT2. > >> >>> > >> >>> The interfaces on this machine are labeled like this: > >> >>> > >> >>> LAN => em0 > >> >>> WAN => em1 > >> >>> ATTDSL => em4 -- This is the OPT interface that I was using for the > >> >>> Computer Support VPN test wireless => em2 > >> >>> > >> >>> Vaughn > >> >>> > >> >>> Scott Ullrich wrote: > >> >>> > >>
Re: [pfSense Support] IPSEC over an OPT interface Problems
I'll check back later this evening or Monday day sometime. Thanks, Vaughn Scott Ullrich wrote: This is an old image. The snapshot server has been down for some time... Try again 2-3 hours from now or on Monday. Scott On 3/30/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote: I just tried implementing IPSEC over an OPT interface using the pfsense.iso file from March 29, 2007 at 7:19 p.m. Here are my results. IPSEC will not work over my OPT2 Interface without adding specific firewall rules to the OPT2 interface to allow UDP 500 and ESP to connect to that interface's IP address. Once I manually add the rules, the tunnels get created and work correctly over the OPT2 interface. Before I manually added the rules to the OPT2 interface, I noticed that there was no SAD listing to the tunnel being tested. Both ends of the tunnel were, however, listed on the SPD tab of the IPSEC tunnel diagnostic page. Once I added the needed firewall rules to the OPT2 interface, the VPN tunnel immediately set up and started working. At that time, the proper entries appeared in the SAD on the IPSEC diagnostic page. Also, I noticed during the loading of the pfsense firewall software while it was connecting services, etc. that an error message appeared that stated that there was an invalid argument foreach on line 7 of the /etc/inc/vslb.inc file. Don't quote me on the line number, but I'm pretty sure it was line 7. I'm not sure if this is related to my IPSEC issue, but I thought I'd comment in case it is relevant. Thanks, Vaughn Reid III Tunge2 wrote: > If this is working it would be a great step a head :) > > -Oorspronkelijk bericht- > Van: Vaughn L. Reid III [mailto:[EMAIL PROTECTED] > Verzonden: vrijdag 30 maart 2007 1:08 > Aan: support@pfsense.com > Onderwerp: Re: [pfSense Support] IPSEC over an OPT interface Problems > > Have the IPSEC changes been committed and built yet? I'm looking at the > update files, and they all still say March 27 2007. I'm using this > repository http://snapshots.pfsense.com/FreeBSD6/RELENG_1/updates/ > > Should I be looking somewhare else for the update with the IPSEC fix? > > Thanks, > > Vaughn > > On Thu, 29 Mar 2007 15:26:58 -0400, "Vaughn L. Reid III" > <[EMAIL PROTECTED]> said: > >> Thanks for your hard work. I appreciate it and I'm sure my customers >> do too. >> >> Vaughn >> >> Vaughn L. Reid III wrote: >> >>> The ones ones that say Computer Support are from the test tunnel >>> that I created to use OPT2. >>> >>> The interfaces on this machine are labeled like this: >>> >>> LAN => em0 >>> WAN => em1 >>> ATTDSL => em4 -- This is the OPT interface that I was using for the >>> Computer Support VPN test wireless => em2 >>> >>> Vaughn >>> >>> Scott Ullrich wrote: >>> >>>> Okay, so that I am on the same page as you. Those $wan rules >>>> should have read $optX ?? >>>> >>>> Scott >>>> >>>> >>>> On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote: >>>> >>>>> Oops! Sorry for the double post. >>>>> >>>>> Vaughn L. Reid III wrote: >>>>> >>>>>> Here is the relevant text of my rules.debug file. It looks like >>>>>> the interface on the connection "computer support" has the same >>>>>> interface as the rest of the tunnels. This is the test >>>>>> connection that should be using OPT3. >>>>>> >>>>>> # let out anything from the firewall host itself and decrypted >>>>>> IPsec traffic pass out quick on $lan proto icmp keep state label >>>>>> "let out anything from firewall host itself" >>>>>> pass out quick on $wan proto icmp keep state label "let out >>>>>> anything from firewall host itself" >>>>>> pass out quick on em1 all keep state label "let out anything >>>>>> from firewall host itself" >>>>>> # pass traffic from firewall -> out anchor "firewallout" >>>>>> pass out quick on em1 all keep state label "let out anything >>>>>> from firewall host itself" >>>>>> pass out quick on em0 all keep state label "let out anything >>>>>> from firewall host itself" >>>>>> pass out quick on em4 all keep state label "let out anything >>>>>> from firewall host itself" >>>>>> pass
Re: [pfSense Support] IPSEC over an OPT interface Problems
This is an old image. The snapshot server has been down for some time... Try again 2-3 hours from now or on Monday. Scott On 3/30/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote: I just tried implementing IPSEC over an OPT interface using the pfsense.iso file from March 29, 2007 at 7:19 p.m. Here are my results. IPSEC will not work over my OPT2 Interface without adding specific firewall rules to the OPT2 interface to allow UDP 500 and ESP to connect to that interface's IP address. Once I manually add the rules, the tunnels get created and work correctly over the OPT2 interface. Before I manually added the rules to the OPT2 interface, I noticed that there was no SAD listing to the tunnel being tested. Both ends of the tunnel were, however, listed on the SPD tab of the IPSEC tunnel diagnostic page. Once I added the needed firewall rules to the OPT2 interface, the VPN tunnel immediately set up and started working. At that time, the proper entries appeared in the SAD on the IPSEC diagnostic page. Also, I noticed during the loading of the pfsense firewall software while it was connecting services, etc. that an error message appeared that stated that there was an invalid argument foreach on line 7 of the /etc/inc/vslb.inc file. Don't quote me on the line number, but I'm pretty sure it was line 7. I'm not sure if this is related to my IPSEC issue, but I thought I'd comment in case it is relevant. Thanks, Vaughn Reid III Tunge2 wrote: > If this is working it would be a great step a head :) > > -Oorspronkelijk bericht- > Van: Vaughn L. Reid III [mailto:[EMAIL PROTECTED] > Verzonden: vrijdag 30 maart 2007 1:08 > Aan: support@pfsense.com > Onderwerp: Re: [pfSense Support] IPSEC over an OPT interface Problems > > Have the IPSEC changes been committed and built yet? I'm looking at the > update files, and they all still say March 27 2007. I'm using this > repository http://snapshots.pfsense.com/FreeBSD6/RELENG_1/updates/ > > Should I be looking somewhare else for the update with the IPSEC fix? > > Thanks, > > Vaughn > > On Thu, 29 Mar 2007 15:26:58 -0400, "Vaughn L. Reid III" > <[EMAIL PROTECTED]> said: > >> Thanks for your hard work. I appreciate it and I'm sure my customers >> do too. >> >> Vaughn >> >> Vaughn L. Reid III wrote: >> >>> The ones ones that say Computer Support are from the test tunnel >>> that I created to use OPT2. >>> >>> The interfaces on this machine are labeled like this: >>> >>> LAN => em0 >>> WAN => em1 >>> ATTDSL => em4 -- This is the OPT interface that I was using for the >>> Computer Support VPN test wireless => em2 >>> >>> Vaughn >>> >>> Scott Ullrich wrote: >>> >>>> Okay, so that I am on the same page as you. Those $wan rules >>>> should have read $optX ?? >>>> >>>> Scott >>>> >>>> >>>> On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote: >>>> >>>>> Oops! Sorry for the double post. >>>>> >>>>> Vaughn L. Reid III wrote: >>>>> >>>>>> Here is the relevant text of my rules.debug file. It looks like >>>>>> the interface on the connection "computer support" has the same >>>>>> interface as the rest of the tunnels. This is the test >>>>>> connection that should be using OPT3. >>>>>> >>>>>> # let out anything from the firewall host itself and decrypted >>>>>> IPsec traffic pass out quick on $lan proto icmp keep state label >>>>>> "let out anything from firewall host itself" >>>>>> pass out quick on $wan proto icmp keep state label "let out >>>>>> anything from firewall host itself" >>>>>> pass out quick on em1 all keep state label "let out anything >>>>>> from firewall host itself" >>>>>> # pass traffic from firewall -> out anchor "firewallout" >>>>>> pass out quick on em1 all keep state label "let out anything >>>>>> from firewall host itself" >>>>>> pass out quick on em0 all keep state label "let out anything >>>>>> from firewall host itself" >>>>>> pass out quick on em4 all keep state label "let out anything >>>>>> from firewall host itself" >>>>>> pass out quick on em2 all keep state label "let out anything >>>>>> from firewall h
Re: [pfSense Support] IPSEC over an OPT interface Problems
I just tried implementing IPSEC over an OPT interface using the pfsense.iso file from March 29, 2007 at 7:19 p.m. Here are my results. IPSEC will not work over my OPT2 Interface without adding specific firewall rules to the OPT2 interface to allow UDP 500 and ESP to connect to that interface's IP address. Once I manually add the rules, the tunnels get created and work correctly over the OPT2 interface. Before I manually added the rules to the OPT2 interface, I noticed that there was no SAD listing to the tunnel being tested. Both ends of the tunnel were, however, listed on the SPD tab of the IPSEC tunnel diagnostic page. Once I added the needed firewall rules to the OPT2 interface, the VPN tunnel immediately set up and started working. At that time, the proper entries appeared in the SAD on the IPSEC diagnostic page. Also, I noticed during the loading of the pfsense firewall software while it was connecting services, etc. that an error message appeared that stated that there was an invalid argument foreach on line 7 of the /etc/inc/vslb.inc file. Don't quote me on the line number, but I'm pretty sure it was line 7. I'm not sure if this is related to my IPSEC issue, but I thought I'd comment in case it is relevant. Thanks, Vaughn Reid III Tunge2 wrote: If this is working it would be a great step a head :) -Oorspronkelijk bericht- Van: Vaughn L. Reid III [mailto:[EMAIL PROTECTED] Verzonden: vrijdag 30 maart 2007 1:08 Aan: support@pfsense.com Onderwerp: Re: [pfSense Support] IPSEC over an OPT interface Problems Have the IPSEC changes been committed and built yet? I'm looking at the update files, and they all still say March 27 2007. I'm using this repository http://snapshots.pfsense.com/FreeBSD6/RELENG_1/updates/ Should I be looking somewhare else for the update with the IPSEC fix? Thanks, Vaughn On Thu, 29 Mar 2007 15:26:58 -0400, "Vaughn L. Reid III" <[EMAIL PROTECTED]> said: Thanks for your hard work. I appreciate it and I'm sure my customers do too. Vaughn Vaughn L. Reid III wrote: The ones ones that say Computer Support are from the test tunnel that I created to use OPT2. The interfaces on this machine are labeled like this: LAN => em0 WAN => em1 ATTDSL => em4 -- This is the OPT interface that I was using for the Computer Support VPN test wireless => em2 Vaughn Scott Ullrich wrote: Okay, so that I am on the same page as you. Those $wan rules should have read $optX ?? Scott On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote: Oops! Sorry for the double post. Vaughn L. Reid III wrote: Here is the relevant text of my rules.debug file. It looks like the interface on the connection "computer support" has the same interface as the rest of the tunnels. This is the test connection that should be using OPT3. # let out anything from the firewall host itself and decrypted IPsec traffic pass out quick on $lan proto icmp keep state label "let out anything from firewall host itself" pass out quick on $wan proto icmp keep state label "let out anything from firewall host itself" pass out quick on em1 all keep state label "let out anything from firewall host itself" # pass traffic from firewall -> out anchor "firewallout" pass out quick on em1 all keep state label "let out anything from firewall host itself" pass out quick on em0 all keep state label "let out anything from firewall host itself" pass out quick on em4 all keep state label "let out anything from firewall host itself" pass out quick on em2 all keep state label "let out anything from firewall host itself" pass out quick on $pptp all keep state label "let out anything from firewall host itself pptp" pass out quick on $enc0 keep state label "IPSEC internal host to host" # let out anything from the firewall host itself and decrypted IPsec traffic pass out quick on em4 proto icmp keep state label "let out anything from firewall host itself" pass out quick on em4 all keep state label "let out anything from firewall host itself" # VPN Rules pass out quick on $wan proto udp from 209.218.218.138 to 65.119.178.137 port = 500 keep state label "IPSEC: Fire Station 3 - outbound isakmp" pass in quick on $wan proto udp from 65.119.178.137 to 209.218.218.138 port = 500 keep state label "IPSEC: Fire Station 3 - inbound isakmp" pass out quick on $wan proto esp from 209.218.218.138 to 65.119.178.137 keep state label "IPSEC: Fire Station 3 - outbound esp proto" pass in quick on $wan proto esp from 65.119.178.137 to 209.218.218.138 keep state label "IPSEC: Fire Station 3 - inbound esp proto" pass out q
RE: [pfSense Support] IPSEC over an OPT interface Problems
If this is working it would be a great step a head :) -Oorspronkelijk bericht- Van: Vaughn L. Reid III [mailto:[EMAIL PROTECTED] Verzonden: vrijdag 30 maart 2007 1:08 Aan: support@pfsense.com Onderwerp: Re: [pfSense Support] IPSEC over an OPT interface Problems Have the IPSEC changes been committed and built yet? I'm looking at the update files, and they all still say March 27 2007. I'm using this repository http://snapshots.pfsense.com/FreeBSD6/RELENG_1/updates/ Should I be looking somewhare else for the update with the IPSEC fix? Thanks, Vaughn On Thu, 29 Mar 2007 15:26:58 -0400, "Vaughn L. Reid III" <[EMAIL PROTECTED]> said: > Thanks for your hard work. I appreciate it and I'm sure my customers > do too. > > Vaughn > > Vaughn L. Reid III wrote: > > The ones ones that say Computer Support are from the test tunnel > > that I created to use OPT2. > > > > The interfaces on this machine are labeled like this: > > > > LAN => em0 > > WAN => em1 > > ATTDSL => em4 -- This is the OPT interface that I was using for the > > Computer Support VPN test wireless => em2 > > > > Vaughn > > > > Scott Ullrich wrote: > >> Okay, so that I am on the same page as you. Those $wan rules > >> should have read $optX ?? > >> > >> Scott > >> > >> > >> On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote: > >>> Oops! Sorry for the double post. > >>> > >>> Vaughn L. Reid III wrote: > >>> > Here is the relevant text of my rules.debug file. It looks like > >>> > the interface on the connection "computer support" has the same > >>> > interface as the rest of the tunnels. This is the test > >>> > connection that should be using OPT3. > >>> > > >>> > # let out anything from the firewall host itself and decrypted > >>> > IPsec traffic pass out quick on $lan proto icmp keep state label > >>> > "let out anything from firewall host itself" > >>> > pass out quick on $wan proto icmp keep state label "let out > >>> > anything from firewall host itself" > >>> > pass out quick on em1 all keep state label "let out anything > >>> > from firewall host itself" > >>> > # pass traffic from firewall -> out anchor "firewallout" > >>> > pass out quick on em1 all keep state label "let out anything > >>> > from firewall host itself" > >>> > pass out quick on em0 all keep state label "let out anything > >>> > from firewall host itself" > >>> > pass out quick on em4 all keep state label "let out anything > >>> > from firewall host itself" > >>> > pass out quick on em2 all keep state label "let out anything > >>> > from firewall host itself" > >>> > pass out quick on $pptp all keep state label "let out anything > >>> > from firewall host itself pptp" > >>> > pass out quick on $enc0 keep state label "IPSEC internal host to > >>> host" > >>> > > >>> > # let out anything from the firewall host itself and decrypted IPsec > >>> > traffic > >>> > pass out quick on em4 proto icmp keep state label "let out anything > >>> > from firewall host itself" > >>> > pass out quick on em4 all keep state label "let out anything from > >>> > firewall host itself" > >>> > > >>> > > >>> > # VPN Rules > >>> > pass out quick on $wan proto udp from 209.218.218.138 to > >>> > 65.119.178.137 port = 500 keep state label "IPSEC: Fire Station 3 - > >>> > outbound isakmp" > >>> > pass in quick on $wan proto udp from 65.119.178.137 to > >>> 209.218.218.138 > >>> > port = 500 keep state label "IPSEC: Fire Station 3 - inbound isakmp" > >>> > pass out quick on $wan proto esp from 209.218.218.138 to > >>> > 65.119.178.137 keep state label "IPSEC: Fire Station 3 - outbound esp > >>> > proto" > >>> > pass in quick on $wan proto esp from 65.119.178.137 to > >>> 209.218.218.138 > >>> > keep state label "IPSEC: Fire Station 3 - inbound esp proto" > >>> > pass out quick on $wan proto udp from 209.218.218.138 to > >>> > 6
Re: [pfSense Support] IPSEC over an OPT interface Problems
Have the IPSEC changes been committed and built yet? I'm looking at the update files, and they all still say March 27 2007. I'm using this repository http://snapshots.pfsense.com/FreeBSD6/RELENG_1/updates/ Should I be looking somewhare else for the update with the IPSEC fix? Thanks, Vaughn On Thu, 29 Mar 2007 15:26:58 -0400, "Vaughn L. Reid III" <[EMAIL PROTECTED]> said: > Thanks for your hard work. I appreciate it and I'm sure my customers do > too. > > Vaughn > > Vaughn L. Reid III wrote: > > The ones ones that say Computer Support are from the test tunnel that > > I created to use OPT2. > > > > The interfaces on this machine are labeled like this: > > > > LAN => em0 > > WAN => em1 > > ATTDSL => em4 -- This is the OPT interface that I was using for the > > Computer Support VPN test > > wireless => em2 > > > > Vaughn > > > > Scott Ullrich wrote: > >> Okay, so that I am on the same page as you. Those $wan rules should > >> have read $optX ?? > >> > >> Scott > >> > >> > >> On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote: > >>> Oops! Sorry for the double post. > >>> > >>> Vaughn L. Reid III wrote: > >>> > Here is the relevant text of my rules.debug file. It looks like the > >>> > interface on the connection "computer support" has the same interface > >>> > as the rest of the tunnels. This is the test connection that should > >>> > be using OPT3. > >>> > > >>> > # let out anything from the firewall host itself and decrypted IPsec > >>> > traffic > >>> > pass out quick on $lan proto icmp keep state label "let out anything > >>> > from firewall host itself" > >>> > pass out quick on $wan proto icmp keep state label "let out anything > >>> > from firewall host itself" > >>> > pass out quick on em1 all keep state label "let out anything from > >>> > firewall host itself" > >>> > # pass traffic from firewall -> out > >>> > anchor "firewallout" > >>> > pass out quick on em1 all keep state label "let out anything from > >>> > firewall host itself" > >>> > pass out quick on em0 all keep state label "let out anything from > >>> > firewall host itself" > >>> > pass out quick on em4 all keep state label "let out anything from > >>> > firewall host itself" > >>> > pass out quick on em2 all keep state label "let out anything from > >>> > firewall host itself" > >>> > pass out quick on $pptp all keep state label "let out anything from > >>> > firewall host itself pptp" > >>> > pass out quick on $enc0 keep state label "IPSEC internal host to > >>> host" > >>> > > >>> > # let out anything from the firewall host itself and decrypted IPsec > >>> > traffic > >>> > pass out quick on em4 proto icmp keep state label "let out anything > >>> > from firewall host itself" > >>> > pass out quick on em4 all keep state label "let out anything from > >>> > firewall host itself" > >>> > > >>> > > >>> > # VPN Rules > >>> > pass out quick on $wan proto udp from 209.218.218.138 to > >>> > 65.119.178.137 port = 500 keep state label "IPSEC: Fire Station 3 - > >>> > outbound isakmp" > >>> > pass in quick on $wan proto udp from 65.119.178.137 to > >>> 209.218.218.138 > >>> > port = 500 keep state label "IPSEC: Fire Station 3 - inbound isakmp" > >>> > pass out quick on $wan proto esp from 209.218.218.138 to > >>> > 65.119.178.137 keep state label "IPSEC: Fire Station 3 - outbound esp > >>> > proto" > >>> > pass in quick on $wan proto esp from 65.119.178.137 to > >>> 209.218.218.138 > >>> > keep state label "IPSEC: Fire Station 3 - inbound esp proto" > >>> > pass out quick on $wan proto udp from 209.218.218.138 to > >>> > 65.119.178.129 port = 500 keep state label "IPSEC: Street > >>> Department - > >>> > outbound isakmp" > >>> > pass in quick on $wan proto udp from 65.119.178.129 to > >>> 209.218.218.138 > >>> > port = 500 keep state label "IPSEC: Street Department - inbound > >>> isakmp" > >>> > pass out quick on $wan proto esp from 209.218.218.138 to > >>> > 65.119.178.129 keep state label "IPSEC: Street Department - outbound > >>> > esp proto" > >>> > pass in quick on $wan proto esp from 65.119.178.129 to > >>> 209.218.218.138 > >>> > keep state label "IPSEC: Street Department - inbound esp proto" > >>> > pass out quick on $wan proto udp from 209.218.218.138 to > >>> > 65.119.178.154 port = 500 keep state label "IPSEC: Fire Station 2 - > >>> > outbound isakmp" > >>> > pass in quick on $wan proto udp from 65.119.178.154 to > >>> 209.218.218.138 > >>> > port = 500 keep state label "IPSEC: Fire Station 2 - inbound isakmp" > >>> > pass out quick on $wan proto esp from 209.218.218.138 to > >>> > 65.119.178.154 keep state label "IPSEC: Fire Station 2 - outbound esp > >>> > proto" > >>> > pass in quick on $wan proto esp from 65.119.178.154 to > >>> 209.218.218.138 > >>> > keep state label "IPSEC: Fire Station 2 - inbound esp proto" > >>> > pass out quick on $wan proto udp from 209.218.218.138 to 70.227.28.14 > >>> > port = 500 keep state label "IPSEC: EMS Building - outbound isakmp" > >>> > pass in quick on $wan prot
Re: [pfSense Support] IPSEC over an OPT interface Problems
On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote: Thanks for your hard work. I appreciate it and I'm sure my customers do too. No problem, the bug should be fixed now. Please test a snapshot about 1-2 hours from now. Scott - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] IPSEC over an OPT interface Problems
Thanks for your hard work. I appreciate it and I'm sure my customers do too. Vaughn Vaughn L. Reid III wrote: The ones ones that say Computer Support are from the test tunnel that I created to use OPT2. The interfaces on this machine are labeled like this: LAN => em0 WAN => em1 ATTDSL => em4 -- This is the OPT interface that I was using for the Computer Support VPN test wireless => em2 Vaughn Scott Ullrich wrote: Okay, so that I am on the same page as you. Those $wan rules should have read $optX ?? Scott On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote: Oops! Sorry for the double post. Vaughn L. Reid III wrote: > Here is the relevant text of my rules.debug file. It looks like the > interface on the connection "computer support" has the same interface > as the rest of the tunnels. This is the test connection that should > be using OPT3. > > # let out anything from the firewall host itself and decrypted IPsec > traffic > pass out quick on $lan proto icmp keep state label "let out anything > from firewall host itself" > pass out quick on $wan proto icmp keep state label "let out anything > from firewall host itself" > pass out quick on em1 all keep state label "let out anything from > firewall host itself" > # pass traffic from firewall -> out > anchor "firewallout" > pass out quick on em1 all keep state label "let out anything from > firewall host itself" > pass out quick on em0 all keep state label "let out anything from > firewall host itself" > pass out quick on em4 all keep state label "let out anything from > firewall host itself" > pass out quick on em2 all keep state label "let out anything from > firewall host itself" > pass out quick on $pptp all keep state label "let out anything from > firewall host itself pptp" > pass out quick on $enc0 keep state label "IPSEC internal host to host" > > # let out anything from the firewall host itself and decrypted IPsec > traffic > pass out quick on em4 proto icmp keep state label "let out anything > from firewall host itself" > pass out quick on em4 all keep state label "let out anything from > firewall host itself" > > > # VPN Rules > pass out quick on $wan proto udp from 209.218.218.138 to > 65.119.178.137 port = 500 keep state label "IPSEC: Fire Station 3 - > outbound isakmp" > pass in quick on $wan proto udp from 65.119.178.137 to 209.218.218.138 > port = 500 keep state label "IPSEC: Fire Station 3 - inbound isakmp" > pass out quick on $wan proto esp from 209.218.218.138 to > 65.119.178.137 keep state label "IPSEC: Fire Station 3 - outbound esp > proto" > pass in quick on $wan proto esp from 65.119.178.137 to 209.218.218.138 > keep state label "IPSEC: Fire Station 3 - inbound esp proto" > pass out quick on $wan proto udp from 209.218.218.138 to > 65.119.178.129 port = 500 keep state label "IPSEC: Street Department - > outbound isakmp" > pass in quick on $wan proto udp from 65.119.178.129 to 209.218.218.138 > port = 500 keep state label "IPSEC: Street Department - inbound isakmp" > pass out quick on $wan proto esp from 209.218.218.138 to > 65.119.178.129 keep state label "IPSEC: Street Department - outbound > esp proto" > pass in quick on $wan proto esp from 65.119.178.129 to 209.218.218.138 > keep state label "IPSEC: Street Department - inbound esp proto" > pass out quick on $wan proto udp from 209.218.218.138 to > 65.119.178.154 port = 500 keep state label "IPSEC: Fire Station 2 - > outbound isakmp" > pass in quick on $wan proto udp from 65.119.178.154 to 209.218.218.138 > port = 500 keep state label "IPSEC: Fire Station 2 - inbound isakmp" > pass out quick on $wan proto esp from 209.218.218.138 to > 65.119.178.154 keep state label "IPSEC: Fire Station 2 - outbound esp > proto" > pass in quick on $wan proto esp from 65.119.178.154 to 209.218.218.138 > keep state label "IPSEC: Fire Station 2 - inbound esp proto" > pass out quick on $wan proto udp from 209.218.218.138 to 70.227.28.14 > port = 500 keep state label "IPSEC: EMS Building - outbound isakmp" > pass in quick on $wan proto udp from 70.227.28.14 to 209.218.218.138 > port = 500 keep state label "IPSEC: EMS Building - inbound isakmp" > pass out quick on $wan proto esp from 209.218.218.138 to 70.227.28.14 > keep state label "IPSEC: EMS Building - outbound esp proto" > pass in quick on $wan proto esp from 70.227.28.14 to 209.218.218.138 > keep state label "IPSEC: EMS Building - inbound esp proto" > pass out quick on $wan proto udp from 209.218.218.138 to 70.237.44.110 > port = 500 keep state label "IPSEC: Computer Support - outbound isakmp" > pass in quick on $wan proto udp from 70.237.44.110 to 209.218.218.138 > port = 500 keep state label "IPSEC: Computer Support - inbound isakmp" > pass out quick on $wan proto esp from 209.218.218.138 to 70.237.44.110 > keep state label "IPSEC: Computer Support - outbound esp proto" > pass in quick on $wan proto esp from 70.237.44.110 to 209.218.218.138 > keep state label "IPSEC: Computer Support - inbound esp prot
Re: [pfSense Support] IPSEC over an OPT interface Problems
Okay, I see this bug as well. Will get it fixed soon. Scott On 3/29/07, Scott Ullrich <[EMAIL PROTECTED]> wrote: Okay, so that I am on the same page as you. Those $wan rules should have read $optX ?? Scott On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote: > Oops! Sorry for the double post. > > Vaughn L. Reid III wrote: > > Here is the relevant text of my rules.debug file. It looks like the > > interface on the connection "computer support" has the same interface > > as the rest of the tunnels. This is the test connection that should > > be using OPT3. > > > > # let out anything from the firewall host itself and decrypted IPsec > > traffic > > pass out quick on $lan proto icmp keep state label "let out anything > > from firewall host itself" > > pass out quick on $wan proto icmp keep state label "let out anything > > from firewall host itself" > > pass out quick on em1 all keep state label "let out anything from > > firewall host itself" > > # pass traffic from firewall -> out > > anchor "firewallout" > > pass out quick on em1 all keep state label "let out anything from > > firewall host itself" > > pass out quick on em0 all keep state label "let out anything from > > firewall host itself" > > pass out quick on em4 all keep state label "let out anything from > > firewall host itself" > > pass out quick on em2 all keep state label "let out anything from > > firewall host itself" > > pass out quick on $pptp all keep state label "let out anything from > > firewall host itself pptp" > > pass out quick on $enc0 keep state label "IPSEC internal host to host" > > > > # let out anything from the firewall host itself and decrypted IPsec > > traffic > > pass out quick on em4 proto icmp keep state label "let out anything > > from firewall host itself" > > pass out quick on em4 all keep state label "let out anything from > > firewall host itself" > > > > > > # VPN Rules > > pass out quick on $wan proto udp from 209.218.218.138 to > > 65.119.178.137 port = 500 keep state label "IPSEC: Fire Station 3 - > > outbound isakmp" > > pass in quick on $wan proto udp from 65.119.178.137 to 209.218.218.138 > > port = 500 keep state label "IPSEC: Fire Station 3 - inbound isakmp" > > pass out quick on $wan proto esp from 209.218.218.138 to > > 65.119.178.137 keep state label "IPSEC: Fire Station 3 - outbound esp > > proto" > > pass in quick on $wan proto esp from 65.119.178.137 to 209.218.218.138 > > keep state label "IPSEC: Fire Station 3 - inbound esp proto" > > pass out quick on $wan proto udp from 209.218.218.138 to > > 65.119.178.129 port = 500 keep state label "IPSEC: Street Department - > > outbound isakmp" > > pass in quick on $wan proto udp from 65.119.178.129 to 209.218.218.138 > > port = 500 keep state label "IPSEC: Street Department - inbound isakmp" > > pass out quick on $wan proto esp from 209.218.218.138 to > > 65.119.178.129 keep state label "IPSEC: Street Department - outbound > > esp proto" > > pass in quick on $wan proto esp from 65.119.178.129 to 209.218.218.138 > > keep state label "IPSEC: Street Department - inbound esp proto" > > pass out quick on $wan proto udp from 209.218.218.138 to > > 65.119.178.154 port = 500 keep state label "IPSEC: Fire Station 2 - > > outbound isakmp" > > pass in quick on $wan proto udp from 65.119.178.154 to 209.218.218.138 > > port = 500 keep state label "IPSEC: Fire Station 2 - inbound isakmp" > > pass out quick on $wan proto esp from 209.218.218.138 to > > 65.119.178.154 keep state label "IPSEC: Fire Station 2 - outbound esp > > proto" > > pass in quick on $wan proto esp from 65.119.178.154 to 209.218.218.138 > > keep state label "IPSEC: Fire Station 2 - inbound esp proto" > > pass out quick on $wan proto udp from 209.218.218.138 to 70.227.28.14 > > port = 500 keep state label "IPSEC: EMS Building - outbound isakmp" > > pass in quick on $wan proto udp from 70.227.28.14 to 209.218.218.138 > > port = 500 keep state label "IPSEC: EMS Building - inbound isakmp" > > pass out quick on $wan proto esp from 209.218.218.138 to 70.227.28.14 > > keep state label "IPSEC: EMS Building - outbound esp proto" > > pass in quick on $wan proto esp from 70.227.28.14 to 209.218.218.138 > > keep state label "IPSEC: EMS Building - inbound esp proto" > > pass out quick on $wan proto udp from 209.218.218.138 to 70.237.44.110 > > port = 500 keep state label "IPSEC: Computer Support - outbound isakmp" > > pass in quick on $wan proto udp from 70.237.44.110 to 209.218.218.138 > > port = 500 keep state label "IPSEC: Computer Support - inbound isakmp" > > pass out quick on $wan proto esp from 209.218.218.138 to 70.237.44.110 > > keep state label "IPSEC: Computer Support - outbound esp proto" > > pass in quick on $wan proto esp from 70.237.44.110 to 209.218.218.138 > > keep state label "IPSEC: Computer Support - inbound esp proto" > > > > pass in quick on em0 inet proto tcp from any to $loopback port 8021 > > keep state label "FTP PROXY: Allow traffic to localhost" > > pass in quick on em0 i
Re: [pfSense Support] IPSEC over an OPT interface Problems
The ones ones that say Computer Support are from the test tunnel that I created to use OPT2. The interfaces on this machine are labeled like this: LAN => em0 WAN => em1 ATTDSL => em4 -- This is the OPT interface that I was using for the Computer Support VPN test wireless => em2 Vaughn Scott Ullrich wrote: Okay, so that I am on the same page as you. Those $wan rules should have read $optX ?? Scott On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote: Oops! Sorry for the double post. Vaughn L. Reid III wrote: > Here is the relevant text of my rules.debug file. It looks like the > interface on the connection "computer support" has the same interface > as the rest of the tunnels. This is the test connection that should > be using OPT3. > > # let out anything from the firewall host itself and decrypted IPsec > traffic > pass out quick on $lan proto icmp keep state label "let out anything > from firewall host itself" > pass out quick on $wan proto icmp keep state label "let out anything > from firewall host itself" > pass out quick on em1 all keep state label "let out anything from > firewall host itself" > # pass traffic from firewall -> out > anchor "firewallout" > pass out quick on em1 all keep state label "let out anything from > firewall host itself" > pass out quick on em0 all keep state label "let out anything from > firewall host itself" > pass out quick on em4 all keep state label "let out anything from > firewall host itself" > pass out quick on em2 all keep state label "let out anything from > firewall host itself" > pass out quick on $pptp all keep state label "let out anything from > firewall host itself pptp" > pass out quick on $enc0 keep state label "IPSEC internal host to host" > > # let out anything from the firewall host itself and decrypted IPsec > traffic > pass out quick on em4 proto icmp keep state label "let out anything > from firewall host itself" > pass out quick on em4 all keep state label "let out anything from > firewall host itself" > > > # VPN Rules > pass out quick on $wan proto udp from 209.218.218.138 to > 65.119.178.137 port = 500 keep state label "IPSEC: Fire Station 3 - > outbound isakmp" > pass in quick on $wan proto udp from 65.119.178.137 to 209.218.218.138 > port = 500 keep state label "IPSEC: Fire Station 3 - inbound isakmp" > pass out quick on $wan proto esp from 209.218.218.138 to > 65.119.178.137 keep state label "IPSEC: Fire Station 3 - outbound esp > proto" > pass in quick on $wan proto esp from 65.119.178.137 to 209.218.218.138 > keep state label "IPSEC: Fire Station 3 - inbound esp proto" > pass out quick on $wan proto udp from 209.218.218.138 to > 65.119.178.129 port = 500 keep state label "IPSEC: Street Department - > outbound isakmp" > pass in quick on $wan proto udp from 65.119.178.129 to 209.218.218.138 > port = 500 keep state label "IPSEC: Street Department - inbound isakmp" > pass out quick on $wan proto esp from 209.218.218.138 to > 65.119.178.129 keep state label "IPSEC: Street Department - outbound > esp proto" > pass in quick on $wan proto esp from 65.119.178.129 to 209.218.218.138 > keep state label "IPSEC: Street Department - inbound esp proto" > pass out quick on $wan proto udp from 209.218.218.138 to > 65.119.178.154 port = 500 keep state label "IPSEC: Fire Station 2 - > outbound isakmp" > pass in quick on $wan proto udp from 65.119.178.154 to 209.218.218.138 > port = 500 keep state label "IPSEC: Fire Station 2 - inbound isakmp" > pass out quick on $wan proto esp from 209.218.218.138 to > 65.119.178.154 keep state label "IPSEC: Fire Station 2 - outbound esp > proto" > pass in quick on $wan proto esp from 65.119.178.154 to 209.218.218.138 > keep state label "IPSEC: Fire Station 2 - inbound esp proto" > pass out quick on $wan proto udp from 209.218.218.138 to 70.227.28.14 > port = 500 keep state label "IPSEC: EMS Building - outbound isakmp" > pass in quick on $wan proto udp from 70.227.28.14 to 209.218.218.138 > port = 500 keep state label "IPSEC: EMS Building - inbound isakmp" > pass out quick on $wan proto esp from 209.218.218.138 to 70.227.28.14 > keep state label "IPSEC: EMS Building - outbound esp proto" > pass in quick on $wan proto esp from 70.227.28.14 to 209.218.218.138 > keep state label "IPSEC: EMS Building - inbound esp proto" > pass out quick on $wan proto udp from 209.218.218.138 to 70.237.44.110 > port = 500 keep state label "IPSEC: Computer Support - outbound isakmp" > pass in quick on $wan proto udp from 70.237.44.110 to 209.218.218.138 > port = 500 keep state label "IPSEC: Computer Support - inbound isakmp" > pass out quick on $wan proto esp from 209.218.218.138 to 70.237.44.110 > keep state label "IPSEC: Computer Support - outbound esp proto" > pass in quick on $wan proto esp from 70.237.44.110 to 209.218.218.138 > keep state label "IPSEC: Computer Support - inbound esp proto" > > pass in quick on em0 inet proto tcp from any to $loopback port 8021 > keep state label "FTP PROXY: Allow traffic to localhost"
Re: [pfSense Support] IPSEC over an OPT interface Problems
Okay, so that I am on the same page as you. Those $wan rules should have read $optX ?? Scott On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote: Oops! Sorry for the double post. Vaughn L. Reid III wrote: > Here is the relevant text of my rules.debug file. It looks like the > interface on the connection "computer support" has the same interface > as the rest of the tunnels. This is the test connection that should > be using OPT3. > > # let out anything from the firewall host itself and decrypted IPsec > traffic > pass out quick on $lan proto icmp keep state label "let out anything > from firewall host itself" > pass out quick on $wan proto icmp keep state label "let out anything > from firewall host itself" > pass out quick on em1 all keep state label "let out anything from > firewall host itself" > # pass traffic from firewall -> out > anchor "firewallout" > pass out quick on em1 all keep state label "let out anything from > firewall host itself" > pass out quick on em0 all keep state label "let out anything from > firewall host itself" > pass out quick on em4 all keep state label "let out anything from > firewall host itself" > pass out quick on em2 all keep state label "let out anything from > firewall host itself" > pass out quick on $pptp all keep state label "let out anything from > firewall host itself pptp" > pass out quick on $enc0 keep state label "IPSEC internal host to host" > > # let out anything from the firewall host itself and decrypted IPsec > traffic > pass out quick on em4 proto icmp keep state label "let out anything > from firewall host itself" > pass out quick on em4 all keep state label "let out anything from > firewall host itself" > > > # VPN Rules > pass out quick on $wan proto udp from 209.218.218.138 to > 65.119.178.137 port = 500 keep state label "IPSEC: Fire Station 3 - > outbound isakmp" > pass in quick on $wan proto udp from 65.119.178.137 to 209.218.218.138 > port = 500 keep state label "IPSEC: Fire Station 3 - inbound isakmp" > pass out quick on $wan proto esp from 209.218.218.138 to > 65.119.178.137 keep state label "IPSEC: Fire Station 3 - outbound esp > proto" > pass in quick on $wan proto esp from 65.119.178.137 to 209.218.218.138 > keep state label "IPSEC: Fire Station 3 - inbound esp proto" > pass out quick on $wan proto udp from 209.218.218.138 to > 65.119.178.129 port = 500 keep state label "IPSEC: Street Department - > outbound isakmp" > pass in quick on $wan proto udp from 65.119.178.129 to 209.218.218.138 > port = 500 keep state label "IPSEC: Street Department - inbound isakmp" > pass out quick on $wan proto esp from 209.218.218.138 to > 65.119.178.129 keep state label "IPSEC: Street Department - outbound > esp proto" > pass in quick on $wan proto esp from 65.119.178.129 to 209.218.218.138 > keep state label "IPSEC: Street Department - inbound esp proto" > pass out quick on $wan proto udp from 209.218.218.138 to > 65.119.178.154 port = 500 keep state label "IPSEC: Fire Station 2 - > outbound isakmp" > pass in quick on $wan proto udp from 65.119.178.154 to 209.218.218.138 > port = 500 keep state label "IPSEC: Fire Station 2 - inbound isakmp" > pass out quick on $wan proto esp from 209.218.218.138 to > 65.119.178.154 keep state label "IPSEC: Fire Station 2 - outbound esp > proto" > pass in quick on $wan proto esp from 65.119.178.154 to 209.218.218.138 > keep state label "IPSEC: Fire Station 2 - inbound esp proto" > pass out quick on $wan proto udp from 209.218.218.138 to 70.227.28.14 > port = 500 keep state label "IPSEC: EMS Building - outbound isakmp" > pass in quick on $wan proto udp from 70.227.28.14 to 209.218.218.138 > port = 500 keep state label "IPSEC: EMS Building - inbound isakmp" > pass out quick on $wan proto esp from 209.218.218.138 to 70.227.28.14 > keep state label "IPSEC: EMS Building - outbound esp proto" > pass in quick on $wan proto esp from 70.227.28.14 to 209.218.218.138 > keep state label "IPSEC: EMS Building - inbound esp proto" > pass out quick on $wan proto udp from 209.218.218.138 to 70.237.44.110 > port = 500 keep state label "IPSEC: Computer Support - outbound isakmp" > pass in quick on $wan proto udp from 70.237.44.110 to 209.218.218.138 > port = 500 keep state label "IPSEC: Computer Support - inbound isakmp" > pass out quick on $wan proto esp from 209.218.218.138 to 70.237.44.110 > keep state label "IPSEC: Computer Support - outbound esp proto" > pass in quick on $wan proto esp from 70.237.44.110 to 209.218.218.138 > keep state label "IPSEC: Computer Support - inbound esp proto" > > pass in quick on em0 inet proto tcp from any to $loopback port 8021 > keep state label "FTP PROXY: Allow traffic to localhost" > pass in quick on em0 inet proto tcp from any to $loopback port 21 keep > state label "FTP PROXY: Allow traffic to localhost" > pass in quick on em1 inet proto tcp from port 20 to (em1) port > 49000 > user proxy flags S/SA keep state label "FTP PROXY: PASV mode data > connection" > # enable ftp-proxy > pass in quick
Re: [pfSense Support] IPSEC over an OPT interface Problems
Oops! Sorry for the double post. Vaughn L. Reid III wrote: Here is the relevant text of my rules.debug file. It looks like the interface on the connection "computer support" has the same interface as the rest of the tunnels. This is the test connection that should be using OPT3. # let out anything from the firewall host itself and decrypted IPsec traffic pass out quick on $lan proto icmp keep state label "let out anything from firewall host itself" pass out quick on $wan proto icmp keep state label "let out anything from firewall host itself" pass out quick on em1 all keep state label "let out anything from firewall host itself" # pass traffic from firewall -> out anchor "firewallout" pass out quick on em1 all keep state label "let out anything from firewall host itself" pass out quick on em0 all keep state label "let out anything from firewall host itself" pass out quick on em4 all keep state label "let out anything from firewall host itself" pass out quick on em2 all keep state label "let out anything from firewall host itself" pass out quick on $pptp all keep state label "let out anything from firewall host itself pptp" pass out quick on $enc0 keep state label "IPSEC internal host to host" # let out anything from the firewall host itself and decrypted IPsec traffic pass out quick on em4 proto icmp keep state label "let out anything from firewall host itself" pass out quick on em4 all keep state label "let out anything from firewall host itself" # VPN Rules pass out quick on $wan proto udp from 209.218.218.138 to 65.119.178.137 port = 500 keep state label "IPSEC: Fire Station 3 - outbound isakmp" pass in quick on $wan proto udp from 65.119.178.137 to 209.218.218.138 port = 500 keep state label "IPSEC: Fire Station 3 - inbound isakmp" pass out quick on $wan proto esp from 209.218.218.138 to 65.119.178.137 keep state label "IPSEC: Fire Station 3 - outbound esp proto" pass in quick on $wan proto esp from 65.119.178.137 to 209.218.218.138 keep state label "IPSEC: Fire Station 3 - inbound esp proto" pass out quick on $wan proto udp from 209.218.218.138 to 65.119.178.129 port = 500 keep state label "IPSEC: Street Department - outbound isakmp" pass in quick on $wan proto udp from 65.119.178.129 to 209.218.218.138 port = 500 keep state label "IPSEC: Street Department - inbound isakmp" pass out quick on $wan proto esp from 209.218.218.138 to 65.119.178.129 keep state label "IPSEC: Street Department - outbound esp proto" pass in quick on $wan proto esp from 65.119.178.129 to 209.218.218.138 keep state label "IPSEC: Street Department - inbound esp proto" pass out quick on $wan proto udp from 209.218.218.138 to 65.119.178.154 port = 500 keep state label "IPSEC: Fire Station 2 - outbound isakmp" pass in quick on $wan proto udp from 65.119.178.154 to 209.218.218.138 port = 500 keep state label "IPSEC: Fire Station 2 - inbound isakmp" pass out quick on $wan proto esp from 209.218.218.138 to 65.119.178.154 keep state label "IPSEC: Fire Station 2 - outbound esp proto" pass in quick on $wan proto esp from 65.119.178.154 to 209.218.218.138 keep state label "IPSEC: Fire Station 2 - inbound esp proto" pass out quick on $wan proto udp from 209.218.218.138 to 70.227.28.14 port = 500 keep state label "IPSEC: EMS Building - outbound isakmp" pass in quick on $wan proto udp from 70.227.28.14 to 209.218.218.138 port = 500 keep state label "IPSEC: EMS Building - inbound isakmp" pass out quick on $wan proto esp from 209.218.218.138 to 70.227.28.14 keep state label "IPSEC: EMS Building - outbound esp proto" pass in quick on $wan proto esp from 70.227.28.14 to 209.218.218.138 keep state label "IPSEC: EMS Building - inbound esp proto" pass out quick on $wan proto udp from 209.218.218.138 to 70.237.44.110 port = 500 keep state label "IPSEC: Computer Support - outbound isakmp" pass in quick on $wan proto udp from 70.237.44.110 to 209.218.218.138 port = 500 keep state label "IPSEC: Computer Support - inbound isakmp" pass out quick on $wan proto esp from 209.218.218.138 to 70.237.44.110 keep state label "IPSEC: Computer Support - outbound esp proto" pass in quick on $wan proto esp from 70.237.44.110 to 209.218.218.138 keep state label "IPSEC: Computer Support - inbound esp proto" pass in quick on em0 inet proto tcp from any to $loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost" pass in quick on em0 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost" pass in quick on em1 inet proto tcp from port 20 to (em1) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: PASV mode data connection" # enable ftp-proxy pass in quick on em4 inet proto tcp from any to $loopback port 8022 keep state label "FTP PROXY: Allow traffic to localhost" pass in quick on em4 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost" Vaughn Scott Ullrich wrote: On 3/29/07, Vau
Re: [pfSense Support] IPSEC over an OPT interface Problems
Here is the relevant text of my rules.debug file. It looks like the interface on the connection "computer support" has the same interface as the rest of the tunnels. This is the test connection that should be using OPT3. # let out anything from the firewall host itself and decrypted IPsec traffic pass out quick on $lan proto icmp keep state label "let out anything from firewall host itself" pass out quick on $wan proto icmp keep state label "let out anything from firewall host itself" pass out quick on em1 all keep state label "let out anything from firewall host itself" # pass traffic from firewall -> out anchor "firewallout" pass out quick on em1 all keep state label "let out anything from firewall host itself" pass out quick on em0 all keep state label "let out anything from firewall host itself" pass out quick on em4 all keep state label "let out anything from firewall host itself" pass out quick on em2 all keep state label "let out anything from firewall host itself" pass out quick on $pptp all keep state label "let out anything from firewall host itself pptp" pass out quick on $enc0 keep state label "IPSEC internal host to host" # let out anything from the firewall host itself and decrypted IPsec traffic pass out quick on em4 proto icmp keep state label "let out anything from firewall host itself" pass out quick on em4 all keep state label "let out anything from firewall host itself" # VPN Rules pass out quick on $wan proto udp from 209.218.218.138 to 65.119.178.137 port = 500 keep state label "IPSEC: Fire Station 3 - outbound isakmp" pass in quick on $wan proto udp from 65.119.178.137 to 209.218.218.138 port = 500 keep state label "IPSEC: Fire Station 3 - inbound isakmp" pass out quick on $wan proto esp from 209.218.218.138 to 65.119.178.137 keep state label "IPSEC: Fire Station 3 - outbound esp proto" pass in quick on $wan proto esp from 65.119.178.137 to 209.218.218.138 keep state label "IPSEC: Fire Station 3 - inbound esp proto" pass out quick on $wan proto udp from 209.218.218.138 to 65.119.178.129 port = 500 keep state label "IPSEC: Street Department - outbound isakmp" pass in quick on $wan proto udp from 65.119.178.129 to 209.218.218.138 port = 500 keep state label "IPSEC: Street Department - inbound isakmp" pass out quick on $wan proto esp from 209.218.218.138 to 65.119.178.129 keep state label "IPSEC: Street Department - outbound esp proto" pass in quick on $wan proto esp from 65.119.178.129 to 209.218.218.138 keep state label "IPSEC: Street Department - inbound esp proto" pass out quick on $wan proto udp from 209.218.218.138 to 65.119.178.154 port = 500 keep state label "IPSEC: Fire Station 2 - outbound isakmp" pass in quick on $wan proto udp from 65.119.178.154 to 209.218.218.138 port = 500 keep state label "IPSEC: Fire Station 2 - inbound isakmp" pass out quick on $wan proto esp from 209.218.218.138 to 65.119.178.154 keep state label "IPSEC: Fire Station 2 - outbound esp proto" pass in quick on $wan proto esp from 65.119.178.154 to 209.218.218.138 keep state label "IPSEC: Fire Station 2 - inbound esp proto" pass out quick on $wan proto udp from 209.218.218.138 to 70.227.28.14 port = 500 keep state label "IPSEC: EMS Building - outbound isakmp" pass in quick on $wan proto udp from 70.227.28.14 to 209.218.218.138 port = 500 keep state label "IPSEC: EMS Building - inbound isakmp" pass out quick on $wan proto esp from 209.218.218.138 to 70.227.28.14 keep state label "IPSEC: EMS Building - outbound esp proto" pass in quick on $wan proto esp from 70.227.28.14 to 209.218.218.138 keep state label "IPSEC: EMS Building - inbound esp proto" pass out quick on $wan proto udp from 209.218.218.138 to 70.237.44.110 port = 500 keep state label "IPSEC: Computer Support - outbound isakmp" pass in quick on $wan proto udp from 70.237.44.110 to 209.218.218.138 port = 500 keep state label "IPSEC: Computer Support - inbound isakmp" pass out quick on $wan proto esp from 209.218.218.138 to 70.237.44.110 keep state label "IPSEC: Computer Support - outbound esp proto" pass in quick on $wan proto esp from 70.237.44.110 to 209.218.218.138 keep state label "IPSEC: Computer Support - inbound esp proto" pass in quick on em0 inet proto tcp from any to $loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost" pass in quick on em0 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost" pass in quick on em1 inet proto tcp from port 20 to (em1) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: PASV mode data connection" # enable ftp-proxy pass in quick on em4 inet proto tcp from any to $loopback port 8022 keep state label "FTP PROXY: Allow traffic to localhost" pass in quick on em4 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost" Vaughn Scott Ullrich wrote: On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote: I didn't get the request,
Re: [pfSense Support] IPSEC over an OPT interface Problems
Here is the relevant text of my rules.debug file. It looks like the interface on the connection "computer support" has the same interface as the rest of the tunnels. This is the test connection that should be using OPT3. # let out anything from the firewall host itself and decrypted IPsec traffic pass out quick on $lan proto icmp keep state label "let out anything from firewall host itself" pass out quick on $wan proto icmp keep state label "let out anything from firewall host itself" pass out quick on em1 all keep state label "let out anything from firewall host itself" # pass traffic from firewall -> out anchor "firewallout" pass out quick on em1 all keep state label "let out anything from firewall host itself" pass out quick on em0 all keep state label "let out anything from firewall host itself" pass out quick on em4 all keep state label "let out anything from firewall host itself" pass out quick on em2 all keep state label "let out anything from firewall host itself" pass out quick on $pptp all keep state label "let out anything from firewall host itself pptp" pass out quick on $enc0 keep state label "IPSEC internal host to host" # let out anything from the firewall host itself and decrypted IPsec traffic pass out quick on em4 proto icmp keep state label "let out anything from firewall host itself" pass out quick on em4 all keep state label "let out anything from firewall host itself" # VPN Rules pass out quick on $wan proto udp from 209.218.218.138 to 65.119.178.137 port = 500 keep state label "IPSEC: Fire Station 3 - outbound isakmp" pass in quick on $wan proto udp from 65.119.178.137 to 209.218.218.138 port = 500 keep state label "IPSEC: Fire Station 3 - inbound isakmp" pass out quick on $wan proto esp from 209.218.218.138 to 65.119.178.137 keep state label "IPSEC: Fire Station 3 - outbound esp proto" pass in quick on $wan proto esp from 65.119.178.137 to 209.218.218.138 keep state label "IPSEC: Fire Station 3 - inbound esp proto" pass out quick on $wan proto udp from 209.218.218.138 to 65.119.178.129 port = 500 keep state label "IPSEC: Street Department - outbound isakmp" pass in quick on $wan proto udp from 65.119.178.129 to 209.218.218.138 port = 500 keep state label "IPSEC: Street Department - inbound isakmp" pass out quick on $wan proto esp from 209.218.218.138 to 65.119.178.129 keep state label "IPSEC: Street Department - outbound esp proto" pass in quick on $wan proto esp from 65.119.178.129 to 209.218.218.138 keep state label "IPSEC: Street Department - inbound esp proto" pass out quick on $wan proto udp from 209.218.218.138 to 65.119.178.154 port = 500 keep state label "IPSEC: Fire Station 2 - outbound isakmp" pass in quick on $wan proto udp from 65.119.178.154 to 209.218.218.138 port = 500 keep state label "IPSEC: Fire Station 2 - inbound isakmp" pass out quick on $wan proto esp from 209.218.218.138 to 65.119.178.154 keep state label "IPSEC: Fire Station 2 - outbound esp proto" pass in quick on $wan proto esp from 65.119.178.154 to 209.218.218.138 keep state label "IPSEC: Fire Station 2 - inbound esp proto" pass out quick on $wan proto udp from 209.218.218.138 to 70.227.28.14 port = 500 keep state label "IPSEC: EMS Building - outbound isakmp" pass in quick on $wan proto udp from 70.227.28.14 to 209.218.218.138 port = 500 keep state label "IPSEC: EMS Building - inbound isakmp" pass out quick on $wan proto esp from 209.218.218.138 to 70.227.28.14 keep state label "IPSEC: EMS Building - outbound esp proto" pass in quick on $wan proto esp from 70.227.28.14 to 209.218.218.138 keep state label "IPSEC: EMS Building - inbound esp proto" pass out quick on $wan proto udp from 209.218.218.138 to 70.237.44.110 port = 500 keep state label "IPSEC: Computer Support - outbound isakmp" pass in quick on $wan proto udp from 70.237.44.110 to 209.218.218.138 port = 500 keep state label "IPSEC: Computer Support - inbound isakmp" pass out quick on $wan proto esp from 209.218.218.138 to 70.237.44.110 keep state label "IPSEC: Computer Support - outbound esp proto" pass in quick on $wan proto esp from 70.237.44.110 to 209.218.218.138 keep state label "IPSEC: Computer Support - inbound esp proto" pass in quick on em0 inet proto tcp from any to $loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost" pass in quick on em0 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost" pass in quick on em1 inet proto tcp from port 20 to (em1) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: PASV mode data connection" # enable ftp-proxy pass in quick on em4 inet proto tcp from any to $loopback port 8022 keep state label "FTP PROXY: Allow traffic to localhost" pass in quick on em4 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost" Vaughn Scott Ullrich wrote: On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote: I didn't get the request,
Re: [pfSense Support] IPSEC over an OPT interface Problems
On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote: I didn't get the request, but I'll be happy check to see if rules are being added. Should I remove the manual rules that I created first before checking? Yes, please. Then open up /tmp/rules.debug and look for "VPN Rules".. Below that marker is the system generated IPSEC rules. Do you see entries for the OPT interface? Scott - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] IPSEC over an OPT interface Problems
I didn't get the request, but I'll be happy check to see if rules are being added. Should I remove the manual rules that I created first before checking? Vaughn Scott Ullrich wrote: No, this sounds like a bug. I sent a request for information a few minutes ago. Did you get it? If so please check /tmp/rules.debug for IPSEC and see if the OPT interface rules are being addded. On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote: After I let the connection set for a couple minutes after manually adding the UDP 500 and ESP rules, the tunnel started working. Yeah!!! Assuming that I will need to manually add the rules to the OPT2 interface, are there any additional rules that need to be added for IPSEC? Also, here are the log entries now that the tunnel is up. Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Mar 29 14:24:41 racoon: INFO: 192.168.10.1[500] used as isakmp port (fd=22) Mar 29 14:24:41 racoon: INFO: fe80::2e0:81ff:fe74:bb24%em0[500] used as isakmp port (fd=21) Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Mar 29 14:24:41 racoon: INFO: 209.218.218.138[500] used as isakmp port (fd=20) Mar 29 14:24:41 racoon: INFO: fe80::204:23ff:fede:b8a6%em1[500] used as isakmp port (fd=19) Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Mar 29 14:24:41 racoon: INFO: 75.44.169.169[500] used as isakmp port (fd=18) Mar 29 14:24:41 racoon: INFO: fe80::204:23ff:fede:b88d%em4[500] used as isakmp port (fd=17) Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Mar 29 14:24:41 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=16) Mar 29 14:24:41 racoon: INFO: ::1[500] used as isakmp port (fd=15) Mar 29 14:24:41 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=14) Mar 29 14:24:41 racoon: INFO: fe80::2e0:81ff:fe74:bb24%ng1[500] used as isakmp port (fd=13) Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Mar 29 14:24:41 racoon: INFO: 192.168.10.1[500] used as isakmp port (fd=22) Mar 29 14:24:41 racoon: INFO: fe80::2e0:81ff:fe74:bb24%em0[500] used as isakmp port (fd=21) Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Mar 29 14:24:41 racoon: INFO: 209.218.218.138[500] used as isakmp port (fd=20) Mar 29 14:24:41 racoon: INFO: fe80::204:23ff:fede:b8a6%em1[500] used as isakmp port (fd=19) Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Mar 29 14:24:41 racoon: INFO: 75.44.169.169[500] used as isakmp port (fd=18) Mar 29 14:24:41 racoon: INFO: fe80::204:23ff:fede:b88d%em4[500] used as isakmp port (fd=17) Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Mar 29 14:24:41 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=16) Mar 29 14:24:41 racoon: INFO: ::1[500] used as isakmp port (fd=15) Mar 29 14:24:41 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=14) Mar 29 14:24:41 racoon: INFO: fe80::2e0:81ff:fe74:bb24%ng1[500] used as isakmp port (fd=13) Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Mar 29 14:24:41 racoon: INFO: 192.168.10.1[500] used as isakmp port (fd=22) Mar 29 14:24:41 racoon: INFO: fe80::2e0:81ff:fe74:bb24%em0[500] used as isakmp port (fd=21) Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Mar 29 14:24:41 racoon: INFO: 209.218.218.138[500] used as isakmp port (fd=20) Mar 29 14:24:41 racoon: INFO: fe80::204:23ff:fede:b8a6%em1[500] used as isakmp port (fd=19) Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Mar 29 14:24:41 racoon: INFO: 75.44.169.169[500] used as isakmp port (fd=18) Mar 29 14:24:41 racoon: INFO: fe80::204:23ff:fede:b88d%em4[500] used as isakmp port (fd=17) Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Mar 29 14:24:41 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=16) Mar 29 14:24:41 racoon: INFO: ::1[500] used as isakmp port (fd=15) Mar 29 14:24:41 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=14) Mar 29 14:24:41 racoon: INFO: fe80::2e0:81ff:fe74:bb24%ng1[500] used as isakmp port (fd=13) Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Mar 29 14:24:41 racoon: INFO: 192.168.10.1[500] used as isakmp port (fd=22) Mar 29 14:24:41 racoon: INFO: fe80::2e0:81ff:fe74:bb24%em0[500] used as isakmp port (fd=21) Mar 29 14:24:41
Re: [pfSense Support] IPSEC over an OPT interface Problems
No, this sounds like a bug. I sent a request for information a few minutes ago. Did you get it? If so please check /tmp/rules.debug for IPSEC and see if the OPT interface rules are being addded. On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote: After I let the connection set for a couple minutes after manually adding the UDP 500 and ESP rules, the tunnel started working. Yeah!!! Assuming that I will need to manually add the rules to the OPT2 interface, are there any additional rules that need to be added for IPSEC? Also, here are the log entries now that the tunnel is up. Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Mar 29 14:24:41 racoon: INFO: 192.168.10.1[500] used as isakmp port (fd=22) Mar 29 14:24:41 racoon: INFO: fe80::2e0:81ff:fe74:bb24%em0[500] used as isakmp port (fd=21) Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Mar 29 14:24:41 racoon: INFO: 209.218.218.138[500] used as isakmp port (fd=20) Mar 29 14:24:41 racoon: INFO: fe80::204:23ff:fede:b8a6%em1[500] used as isakmp port (fd=19) Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Mar 29 14:24:41 racoon: INFO: 75.44.169.169[500] used as isakmp port (fd=18) Mar 29 14:24:41 racoon: INFO: fe80::204:23ff:fede:b88d%em4[500] used as isakmp port (fd=17) Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Mar 29 14:24:41 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=16) Mar 29 14:24:41 racoon: INFO: ::1[500] used as isakmp port (fd=15) Mar 29 14:24:41 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=14) Mar 29 14:24:41 racoon: INFO: fe80::2e0:81ff:fe74:bb24%ng1[500] used as isakmp port (fd=13) Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Mar 29 14:24:41 racoon: INFO: 192.168.10.1[500] used as isakmp port (fd=22) Mar 29 14:24:41 racoon: INFO: fe80::2e0:81ff:fe74:bb24%em0[500] used as isakmp port (fd=21) Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Mar 29 14:24:41 racoon: INFO: 209.218.218.138[500] used as isakmp port (fd=20) Mar 29 14:24:41 racoon: INFO: fe80::204:23ff:fede:b8a6%em1[500] used as isakmp port (fd=19) Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Mar 29 14:24:41 racoon: INFO: 75.44.169.169[500] used as isakmp port (fd=18) Mar 29 14:24:41 racoon: INFO: fe80::204:23ff:fede:b88d%em4[500] used as isakmp port (fd=17) Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Mar 29 14:24:41 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=16) Mar 29 14:24:41 racoon: INFO: ::1[500] used as isakmp port (fd=15) Mar 29 14:24:41 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=14) Mar 29 14:24:41 racoon: INFO: fe80::2e0:81ff:fe74:bb24%ng1[500] used as isakmp port (fd=13) Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Mar 29 14:24:41 racoon: INFO: 192.168.10.1[500] used as isakmp port (fd=22) Mar 29 14:24:41 racoon: INFO: fe80::2e0:81ff:fe74:bb24%em0[500] used as isakmp port (fd=21) Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Mar 29 14:24:41 racoon: INFO: 209.218.218.138[500] used as isakmp port (fd=20) Mar 29 14:24:41 racoon: INFO: fe80::204:23ff:fede:b8a6%em1[500] used as isakmp port (fd=19) Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Mar 29 14:24:41 racoon: INFO: 75.44.169.169[500] used as isakmp port (fd=18) Mar 29 14:24:41 racoon: INFO: fe80::204:23ff:fede:b88d%em4[500] used as isakmp port (fd=17) Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Mar 29 14:24:41 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=16) Mar 29 14:24:41 racoon: INFO: ::1[500] used as isakmp port (fd=15) Mar 29 14:24:41 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=14) Mar 29 14:24:41 racoon: INFO: fe80::2e0:81ff:fe74:bb24%ng1[500] used as isakmp port (fd=13) Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Mar 29 14:24:41 racoon: INFO: 192.168.10.1[500] used as isakmp port (fd=22) Mar 29 14:24:41 racoon: INFO: fe80::2e0:81ff:fe74:bb24%em0[500] used as isakmp port (fd=21) Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Mar 29 14:24:41 racoon: INFO: 209.218.218.138[500] used as isakmp port (fd=20) Mar 29 14:24:41 racoon: INFO: fe80::204:23ff:fede:b8a6%em1[500]
Re: [pfSense Support] IPSEC over an OPT interface Problems
After I let the connection set for a couple minutes after manually adding the UDP 500 and ESP rules, the tunnel started working. Yeah!!! Assuming that I will need to manually add the rules to the OPT2 interface, are there any additional rules that need to be added for IPSEC? Also, here are the log entries now that the tunnel is up. Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Mar 29 14:24:41 racoon: INFO: 192.168.10.1[500] used as isakmp port (fd=22) Mar 29 14:24:41 racoon: INFO: fe80::2e0:81ff:fe74:bb24%em0[500] used as isakmp port (fd=21) Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Mar 29 14:24:41 racoon: INFO: 209.218.218.138[500] used as isakmp port (fd=20) Mar 29 14:24:41 racoon: INFO: fe80::204:23ff:fede:b8a6%em1[500] used as isakmp port (fd=19) Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Mar 29 14:24:41 racoon: INFO: 75.44.169.169[500] used as isakmp port (fd=18) Mar 29 14:24:41 racoon: INFO: fe80::204:23ff:fede:b88d%em4[500] used as isakmp port (fd=17) Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Mar 29 14:24:41 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=16) Mar 29 14:24:41 racoon: INFO: ::1[500] used as isakmp port (fd=15) Mar 29 14:24:41 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=14) Mar 29 14:24:41 racoon: INFO: fe80::2e0:81ff:fe74:bb24%ng1[500] used as isakmp port (fd=13) Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Mar 29 14:24:41 racoon: INFO: 192.168.10.1[500] used as isakmp port (fd=22) Mar 29 14:24:41 racoon: INFO: fe80::2e0:81ff:fe74:bb24%em0[500] used as isakmp port (fd=21) Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Mar 29 14:24:41 racoon: INFO: 209.218.218.138[500] used as isakmp port (fd=20) Mar 29 14:24:41 racoon: INFO: fe80::204:23ff:fede:b8a6%em1[500] used as isakmp port (fd=19) Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Mar 29 14:24:41 racoon: INFO: 75.44.169.169[500] used as isakmp port (fd=18) Mar 29 14:24:41 racoon: INFO: fe80::204:23ff:fede:b88d%em4[500] used as isakmp port (fd=17) Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Mar 29 14:24:41 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=16) Mar 29 14:24:41 racoon: INFO: ::1[500] used as isakmp port (fd=15) Mar 29 14:24:41 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=14) Mar 29 14:24:41 racoon: INFO: fe80::2e0:81ff:fe74:bb24%ng1[500] used as isakmp port (fd=13) Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Mar 29 14:24:41 racoon: INFO: 192.168.10.1[500] used as isakmp port (fd=22) Mar 29 14:24:41 racoon: INFO: fe80::2e0:81ff:fe74:bb24%em0[500] used as isakmp port (fd=21) Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Mar 29 14:24:41 racoon: INFO: 209.218.218.138[500] used as isakmp port (fd=20) Mar 29 14:24:41 racoon: INFO: fe80::204:23ff:fede:b8a6%em1[500] used as isakmp port (fd=19) Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Mar 29 14:24:41 racoon: INFO: 75.44.169.169[500] used as isakmp port (fd=18) Mar 29 14:24:41 racoon: INFO: fe80::204:23ff:fede:b88d%em4[500] used as isakmp port (fd=17) Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Mar 29 14:24:41 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=16) Mar 29 14:24:41 racoon: INFO: ::1[500] used as isakmp port (fd=15) Mar 29 14:24:41 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=14) Mar 29 14:24:41 racoon: INFO: fe80::2e0:81ff:fe74:bb24%ng1[500] used as isakmp port (fd=13) Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Mar 29 14:24:41 racoon: INFO: 192.168.10.1[500] used as isakmp port (fd=22) Mar 29 14:24:41 racoon: INFO: fe80::2e0:81ff:fe74:bb24%em0[500] used as isakmp port (fd=21) Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Mar 29 14:24:41 racoon: INFO: 209.218.218.138[500] used as isakmp port (fd=20) Mar 29 14:24:41 racoon: INFO: fe80::204:23ff:fede:b8a6%em1[500] used as isakmp port (fd=19) Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Mar 29 14:24:41 racoon: INFO: 75.44.169.169[500] used as isakmp port (fd=18) Mar 29 14:24:41 racoon: INFO: fe80::204:23ff:fede:b88d%em4[500] used as isakmp port (fd=17) Thanks, Vaughn Reid III Vaughn L. Reid III wrote: I have only the default allow everything rule on the IPSEC tab. I manually added rules to the firewall to allow UDP 500 to the OPT2 i
Re: [pfSense Support] IPSEC over an OPT interface Problems
I changed the My Identifier on the tunnel definition to IP Address and then specified 75.44.169.169. I clicked save and apply. When I did this, the tunnel still did not work. In addition, all mention of the tunnel stopped in the IPSEC logs. I have confirmed that I can ping the 75.44.169.169 IP from the remote gateway and that it is the OPT2 IP for the pfsense box. I also confirmed that I can ssh into the pfsense machine using the above IP address. Are there any special firewall or NAT rules that I need to set up the OPT2 interface to get it to accept an IPSEC tunnel? I noticed that, for WAN at least, that those rules are automatically created and are not visible on the rules page. Vaughn Scott Ullrich wrote: On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote: I've set up a test tunnel between my office and my customer site. The VPN tunnel will work correctly when the pfsense interface is the WAN interface. When I change the interface to the OPT interface, It doesn't seem to work. Here are some log entries. racoon: ERROR: phase1 negotiation failed due to time up. 8c35cc8f9a4378c0: Mar 29 13:36:29 racoon: INFO: delete phase 2 handler. Mar 29 13:36:29 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 70.237.44.110[500]->75.44.169.169[500] Mar 29 13:35:58 racoon: INFO: begin Aggressive mode. Mar 29 13:35:58 racoon: INFO: initiate new phase 1 negotiation: 75.44.169.169[500]<=>70.237.44.110[500] Mar 29 13:35:58 racoon: INFO: IPsec-SA request for 70.237.44.110 queued due to no phase1 found. Mar 29 13:32:04 racoon: ERROR: phase1 negotiation failed due to time up. 022718bb87e94fd7: Mar 29 13:31:35 racoon: INFO: delete phase 2 handler. Mar 29 13:31:35 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 70.237.44.110[500]->75.44.169.169[500] Mar 29 13:31:04 racoon: INFO: begin Aggressive mode. Mar 29 13:31:04 racoon: INFO: initiate new phase 1 negotiation: 75.44.169.169[500]<=>70.237.44.110[500] Mar 29 13:31:04 racoon: INFO: IPsec-SA request for 70.237.44.110 queued due to no phase1 found. This set of responses just seem to repeat themselves over and over again. If I set the remote node to use the pfsense's WAN ip and change the tunnel definition on the pfsense box to use the WAN interface, then everything immediately works after hitting the save and apply buttons. Please verify that the IP addresses match up in the report below. You can also change "My Identifier" to "IP Address" and manually type in the OPT interface IP. Does that fix it? If so please show the log files differences. Scott - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] IPSEC over an OPT interface Problems
On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote: I have only the default allow everything rule on the IPSEC tab. I manually added rules to the firewall to allow UDP 500 to the OPT2 interface and to allow ESP to the OPT2 interface, and now I'm getting different IPSEC log results (I changed the My Identifier back to interface address). Here are the new log entries: Mar 29 14:20:20 racoon: ERROR: pfkey DELETE received: ESP 75.44.169.169[0]->70.237.44.110[0] spi=3627103776(0xd8313620) Mar 29 14:19:21 racoon: INFO: IPsec-SA established: ESP/Tunnel 75.44.169.169[0]->70.237.44.110[0] spi=3097439008(0xb89f2b20) Mar 29 14:19:21 racoon: INFO: IPsec-SA established: ESP/Tunnel 70.237.44.110[0]->75.44.169.169[0] spi=129752861(0x7bbdf1d) Mar 29 14:19:21 racoon: INFO: respond new phase 2 negotiation: 75.44.169.169[500]<=>70.237.44.110[500] Mar 29 14:19:21 racoon: INFO: ISAKMP-SA established 75.44.169.169[500]-70.237.44.110[500] spi:72fba3fecd3739c6:f7fb0fc1959fdf21 Mar 29 14:19:20 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address. Mar 29 14:19:20 racoon: INFO: begin Aggressive mode. Mar 29 14:19:20 racoon: INFO: respond new phase 1 negotiation: 75.44.169.169[500]<=>70.237.44.110[500] Mar 29 14:17:43 racoon: ERROR: pfkey DELETE received: ESP 75.44.169.169[0]->70.237.44.110[0] spi=754453952(0x2cf80dc0) Mar 29 14:17:43 racoon: ERROR: pfkey DELETE received: ESP 75.44.169.169[0]->70.237.44.110[0] spi=2451182496(0x921a13a0) Mar 29 14:17:03 racoon: INFO: IPsec-SA established: ESP/Tunnel 75.44.169.169[0]->70.237.44.110[0] spi=3627103776(0xd8313620) Mar 29 14:17:03 racoon: INFO: IPsec-SA established: ESP/Tunnel 70.237.44.110[0]->75.44.169.169[0] spi=101957205(0x613be55) Mar 29 14:17:03 racoon: INFO: respond new phase 2 negotiation: 75.44.169.169[500]<=>70.237.44.110[500] Mar 29 14:17:03 racoon: INFO: ISAKMP-SA established 75.44.169.169[500]-70.237.44.110[500] spi:8203621148841b41:6ad562eb830dd2d5 Mar 29 14:17:02 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address. Mar 29 14:17:02 racoon: INFO: begin Aggressive mode. Mar 29 14:17:02 racoon: INFO: respond new phase 1 negotiation: 75.44.169.169[500]<=>70.237.44.110[500] Look in /tmp/rules.debug and search for IPSEC. Do you see rules permitting traffic to the interface? Scott - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] IPSEC over an OPT interface Problems
I have only the default allow everything rule on the IPSEC tab. I manually added rules to the firewall to allow UDP 500 to the OPT2 interface and to allow ESP to the OPT2 interface, and now I'm getting different IPSEC log results (I changed the My Identifier back to interface address). Here are the new log entries: Mar 29 14:20:20 racoon: ERROR: pfkey DELETE received: ESP 75.44.169.169[0]->70.237.44.110[0] spi=3627103776(0xd8313620) Mar 29 14:19:21 racoon: INFO: IPsec-SA established: ESP/Tunnel 75.44.169.169[0]->70.237.44.110[0] spi=3097439008(0xb89f2b20) Mar 29 14:19:21 racoon: INFO: IPsec-SA established: ESP/Tunnel 70.237.44.110[0]->75.44.169.169[0] spi=129752861(0x7bbdf1d) Mar 29 14:19:21 racoon: INFO: respond new phase 2 negotiation: 75.44.169.169[500]<=>70.237.44.110[500] Mar 29 14:19:21 racoon: INFO: ISAKMP-SA established 75.44.169.169[500]-70.237.44.110[500] spi:72fba3fecd3739c6:f7fb0fc1959fdf21 Mar 29 14:19:20 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address. Mar 29 14:19:20 racoon: INFO: begin Aggressive mode. Mar 29 14:19:20 racoon: INFO: respond new phase 1 negotiation: 75.44.169.169[500]<=>70.237.44.110[500] Mar 29 14:17:43 racoon: ERROR: pfkey DELETE received: ESP 75.44.169.169[0]->70.237.44.110[0] spi=754453952(0x2cf80dc0) Mar 29 14:17:43 racoon: ERROR: pfkey DELETE received: ESP 75.44.169.169[0]->70.237.44.110[0] spi=2451182496(0x921a13a0) Mar 29 14:17:03 racoon: INFO: IPsec-SA established: ESP/Tunnel 75.44.169.169[0]->70.237.44.110[0] spi=3627103776(0xd8313620) Mar 29 14:17:03 racoon: INFO: IPsec-SA established: ESP/Tunnel 70.237.44.110[0]->75.44.169.169[0] spi=101957205(0x613be55) Mar 29 14:17:03 racoon: INFO: respond new phase 2 negotiation: 75.44.169.169[500]<=>70.237.44.110[500] Mar 29 14:17:03 racoon: INFO: ISAKMP-SA established 75.44.169.169[500]-70.237.44.110[500] spi:8203621148841b41:6ad562eb830dd2d5 Mar 29 14:17:02 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address. Mar 29 14:17:02 racoon: INFO: begin Aggressive mode. Mar 29 14:17:02 racoon: INFO: respond new phase 1 negotiation: 75.44.169.169[500]<=>70.237.44.110[500] Vaughn Scott Ullrich wrote: On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote: I changed the My Identifier on the tunnel definition to IP Address and then specified 75.44.169.169. I clicked save and apply. When I did this, the tunnel still did not work. In addition, all mention of the tunnel stopped in the IPSEC logs. I have confirmed that I can ping the 75.44.169.169 IP from the remote gateway and that it is the OPT2 IP for the pfsense box. I also confirmed that I can ssh into the pfsense machine using the above IP address. Are there any special firewall or NAT rules that I need to set up the OPT2 interface to get it to accept an IPSEC tunnel? I noticed that, for WAN at least, that those rules are automatically created and are not visible on the rules page. Nothing else is required except for a pass rule on the IPSEC tab on recent snapshots. I am running a tunnel on a opt1 interface and it works fine here. Scott - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] IPSEC over an OPT interface Problems
On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote: I changed the My Identifier on the tunnel definition to IP Address and then specified 75.44.169.169. I clicked save and apply. When I did this, the tunnel still did not work. In addition, all mention of the tunnel stopped in the IPSEC logs. I have confirmed that I can ping the 75.44.169.169 IP from the remote gateway and that it is the OPT2 IP for the pfsense box. I also confirmed that I can ssh into the pfsense machine using the above IP address. Are there any special firewall or NAT rules that I need to set up the OPT2 interface to get it to accept an IPSEC tunnel? I noticed that, for WAN at least, that those rules are automatically created and are not visible on the rules page. Nothing else is required except for a pass rule on the IPSEC tab on recent snapshots. I am running a tunnel on a opt1 interface and it works fine here. Scott - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] IPSEC over an OPT interface Problems
I changed the My Identifier on the tunnel definition to IP Address and then specified 75.44.169.169. I clicked save and apply. When I did this, the tunnel still did not work. In addition, all mention of the tunnel stopped in the IPSEC logs. I have confirmed that I can ping the 75.44.169.169 IP from the remote gateway and that it is the OPT2 IP for the pfsense box. I also confirmed that I can ssh into the pfsense machine using the above IP address. Are there any special firewall or NAT rules that I need to set up the OPT2 interface to get it to accept an IPSEC tunnel? I noticed that, for WAN at least, that those rules are automatically created and are not visible on the rules page. Vaughn Scott Ullrich wrote: On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote: I've set up a test tunnel between my office and my customer site. The VPN tunnel will work correctly when the pfsense interface is the WAN interface. When I change the interface to the OPT interface, It doesn't seem to work. Here are some log entries. racoon: ERROR: phase1 negotiation failed due to time up. 8c35cc8f9a4378c0: Mar 29 13:36:29 racoon: INFO: delete phase 2 handler. Mar 29 13:36:29 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 70.237.44.110[500]->75.44.169.169[500] Mar 29 13:35:58 racoon: INFO: begin Aggressive mode. Mar 29 13:35:58 racoon: INFO: initiate new phase 1 negotiation: 75.44.169.169[500]<=>70.237.44.110[500] Mar 29 13:35:58 racoon: INFO: IPsec-SA request for 70.237.44.110 queued due to no phase1 found. Mar 29 13:32:04 racoon: ERROR: phase1 negotiation failed due to time up. 022718bb87e94fd7: Mar 29 13:31:35 racoon: INFO: delete phase 2 handler. Mar 29 13:31:35 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 70.237.44.110[500]->75.44.169.169[500] Mar 29 13:31:04 racoon: INFO: begin Aggressive mode. Mar 29 13:31:04 racoon: INFO: initiate new phase 1 negotiation: 75.44.169.169[500]<=>70.237.44.110[500] Mar 29 13:31:04 racoon: INFO: IPsec-SA request for 70.237.44.110 queued due to no phase1 found. This set of responses just seem to repeat themselves over and over again. If I set the remote node to use the pfsense's WAN ip and change the tunnel definition on the pfsense box to use the WAN interface, then everything immediately works after hitting the save and apply buttons. Please verify that the IP addresses match up in the report below. You can also change "My Identifier" to "IP Address" and manually type in the OPT interface IP. Does that fix it? If so please show the log files differences. Scott - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] IPSEC over an OPT interface Problems
On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote: I've set up a test tunnel between my office and my customer site. The VPN tunnel will work correctly when the pfsense interface is the WAN interface. When I change the interface to the OPT interface, It doesn't seem to work. Here are some log entries. racoon: ERROR: phase1 negotiation failed due to time up. 8c35cc8f9a4378c0: Mar 29 13:36:29 racoon: INFO: delete phase 2 handler. Mar 29 13:36:29 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 70.237.44.110[500]->75.44.169.169[500] Mar 29 13:35:58 racoon: INFO: begin Aggressive mode. Mar 29 13:35:58 racoon: INFO: initiate new phase 1 negotiation: 75.44.169.169[500]<=>70.237.44.110[500] Mar 29 13:35:58 racoon: INFO: IPsec-SA request for 70.237.44.110 queued due to no phase1 found. Mar 29 13:32:04 racoon: ERROR: phase1 negotiation failed due to time up. 022718bb87e94fd7: Mar 29 13:31:35 racoon: INFO: delete phase 2 handler. Mar 29 13:31:35 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 70.237.44.110[500]->75.44.169.169[500] Mar 29 13:31:04 racoon: INFO: begin Aggressive mode. Mar 29 13:31:04 racoon: INFO: initiate new phase 1 negotiation: 75.44.169.169[500]<=>70.237.44.110[500] Mar 29 13:31:04 racoon: INFO: IPsec-SA request for 70.237.44.110 queued due to no phase1 found. This set of responses just seem to repeat themselves over and over again. If I set the remote node to use the pfsense's WAN ip and change the tunnel definition on the pfsense box to use the WAN interface, then everything immediately works after hitting the save and apply buttons. Please verify that the IP addresses match up in the report below. You can also change "My Identifier" to "IP Address" and manually type in the OPT interface IP. Does that fix it? If so please show the log files differences. Scott - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] IPSEC over an OPT interface Problems
I've set up a test tunnel between my office and my customer site. The VPN tunnel will work correctly when the pfsense interface is the WAN interface. When I change the interface to the OPT interface, It doesn't seem to work. Here are some log entries. racoon: ERROR: phase1 negotiation failed due to time up. 8c35cc8f9a4378c0: Mar 29 13:36:29 racoon: INFO: delete phase 2 handler. Mar 29 13:36:29 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 70.237.44.110[500]->75.44.169.169[500] Mar 29 13:35:58 racoon: INFO: begin Aggressive mode. Mar 29 13:35:58 racoon: INFO: initiate new phase 1 negotiation: 75.44.169.169[500]<=>70.237.44.110[500] Mar 29 13:35:58 racoon: INFO: IPsec-SA request for 70.237.44.110 queued due to no phase1 found. Mar 29 13:32:04 racoon: ERROR: phase1 negotiation failed due to time up. 022718bb87e94fd7: Mar 29 13:31:35 racoon: INFO: delete phase 2 handler. Mar 29 13:31:35 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 70.237.44.110[500]->75.44.169.169[500] Mar 29 13:31:04 racoon: INFO: begin Aggressive mode. Mar 29 13:31:04 racoon: INFO: initiate new phase 1 negotiation: 75.44.169.169[500]<=>70.237.44.110[500] Mar 29 13:31:04 racoon: INFO: IPsec-SA request for 70.237.44.110 queued due to no phase1 found. This set of responses just seem to repeat themselves over and over again. If I set the remote node to use the pfsense's WAN ip and change the tunnel definition on the pfsense box to use the WAN interface, then everything immediately works after hitting the save and apply buttons. Thanks, Vaughn Scott Ullrich wrote: On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote: I'm using the 3-27 snapshot on the pfsense box. I've searched both the forum and the mailing list archives, and I can't seem to find an updated listing of how to get IPSEC to work over an OPT interface as well as over WAN at the Same time. Here's what I want to do: I have several remote sites that use one of two companies for their Internet access. Our main office also has Internet access through these two ISP's. I want to configure the tunnels that have Internet access through ISP A to use our ISP A connection, which is WAN, and those that have ISP B, which is our OPT1, to use ISP B's interface on the pfsense box for IPSEC vpn's. I can get all of the VPN connections to work properly if they all use the WAN interface, but this adds about 5 hops and 50 milli-seconds to the round trip for those remotes that use ISP B. Here's what I tried without success: On the pfsense box, I changed the existing working configurations for the desired VPN tunnels to use the OPT interface. I then saved my changed settings and clicked the Apply button. At the desired remote sites, I changed the remote Gateway IP on their (previously working when using WAN) existing VPN tunnel configurations to use the OPT interface's IP address. After doing this, I rebooted both the pfsense box and the remote router. Also, the IPSEC interface has the default rule to allow all connections and all traffic. Both the pfsense machine and the remote sites have static IP's for their Internet connections. The remote sites are using linksys RV series firewalls. The dsl router at the main site for the OPT interface is a netopia 3500 and it is set to bridge mode so that the OPT interface has a real public IP. Please post the IPSEC logs from the pfSense box. Scott - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] IPSEC over an OPT interface Problems
On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote: I'm using the 3-27 snapshot on the pfsense box. I've searched both the forum and the mailing list archives, and I can't seem to find an updated listing of how to get IPSEC to work over an OPT interface as well as over WAN at the Same time. Here's what I want to do: I have several remote sites that use one of two companies for their Internet access. Our main office also has Internet access through these two ISP's. I want to configure the tunnels that have Internet access through ISP A to use our ISP A connection, which is WAN, and those that have ISP B, which is our OPT1, to use ISP B's interface on the pfsense box for IPSEC vpn's. I can get all of the VPN connections to work properly if they all use the WAN interface, but this adds about 5 hops and 50 milli-seconds to the round trip for those remotes that use ISP B. Here's what I tried without success: On the pfsense box, I changed the existing working configurations for the desired VPN tunnels to use the OPT interface. I then saved my changed settings and clicked the Apply button. At the desired remote sites, I changed the remote Gateway IP on their (previously working when using WAN) existing VPN tunnel configurations to use the OPT interface's IP address. After doing this, I rebooted both the pfsense box and the remote router. Also, the IPSEC interface has the default rule to allow all connections and all traffic. Both the pfsense machine and the remote sites have static IP's for their Internet connections. The remote sites are using linksys RV series firewalls. The dsl router at the main site for the OPT interface is a netopia 3500 and it is set to bridge mode so that the OPT interface has a real public IP. Please post the IPSEC logs from the pfSense box. Scott - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
