Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-04-06 Thread Scott Ullrich

I still need to fix the OPTx firewall rule issue.   I am hoping to
knock it out this weekend.

Scott

On 4/6/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:

I should also add, in case it matters that all of the remote end-points
are either Linksys RV082's, Linksys RV016's, Hotbrick 800/2's, or
Netgear FVS338's.

All of the remote end-points are configured with static IP's and any ISP
supplied routers are configured solely as bridge devices.  If PPPoE is
being used, I have the remote Linksys, Netgear, or Hotbrick performing
the PPPoE.  These remote end points operate over a combination of Cable,
ADSL, and wireless Internet access from their various ISP's.  I have
learned that, if the ISP's supplied router/firewall is doing any sort of
NAT or port forwarding, it just kills IPSEC VPN stability.  This seems
especially true for the Linksys and Netgear devices that I've run across.

Vaughn

Vaughn L. Reid III wrote:
> No.  The only things that I added/changed were the firewall rules.
> Actually, I don't have manually entered static routes configured for
> any of my IPSEC connections, and they all work.  When I pull up the
> routing table, I have noticed that the pfsense box appears to
> automatically add the routes.
>
> Vaughn
>
> [EMAIL PROTECTED] wrote:
>> Do you have static routes set up as well?
>>
>>
>>> I just wanted to report an update of how my IPSEC over OPTx is working.
>>> It's been a few days, now since I set up the manual rules on the OPTx
>>> interface that I wanted to use for IPSEC.  Since I set up the rules
>>> listed in my previous post, my IPSEC VPN's over the OPTx interface are
>>> working well and seem very stable.
>>>
>>> Vaughn
>>>
>>> Vaughn L. Reid III wrote:
>>>
 Just to be thorough, I added two more rules to the firewall's OPT
 interface to make sure all the IPSEC stuff gets through.  I'm fuzzy on
 if the last two are needed, but just to be safe, I added them.

 Here are all the rule that I've added:
 Rules in the format listed below:
 Format:  Protocol Source Port Destination Port
 Gateway Schedule
 1.  UDP * * Interface IP Address 500 * Blank
 2.  ESP * * Interface IP Address * * Blank
 3.  AH * * Interface IP Address * * Blank
 4.  GRE * * Interface IP Address * * Blank

 Vaughn

>>
>>
>> -
>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> For additional commands, e-mail: [EMAIL PROTECTED]
>>
>>
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-04-06 Thread Vaughn L. Reid III
I should also add, in case it matters that all of the remote end-points 
are either Linksys RV082's, Linksys RV016's, Hotbrick 800/2's, or 
Netgear FVS338's.


All of the remote end-points are configured with static IP's and any ISP 
supplied routers are configured solely as bridge devices.  If PPPoE is 
being used, I have the remote Linksys, Netgear, or Hotbrick performing 
the PPPoE.  These remote end points operate over a combination of Cable, 
ADSL, and wireless Internet access from their various ISP's.  I have 
learned that, if the ISP's supplied router/firewall is doing any sort of 
NAT or port forwarding, it just kills IPSEC VPN stability.  This seems 
especially true for the Linksys and Netgear devices that I've run across. 


Vaughn

Vaughn L. Reid III wrote:
No.  The only things that I added/changed were the firewall rules.  
Actually, I don't have manually entered static routes configured for 
any of my IPSEC connections, and they all work.  When I pull up the 
routing table, I have noticed that the pfsense box appears to 
automatically add the routes.


Vaughn

[EMAIL PROTECTED] wrote:

Do you have static routes set up as well?

 

I just wanted to report an update of how my IPSEC over OPTx is working.
It's been a few days, now since I set up the manual rules on the OPTx
interface that I wanted to use for IPSEC.  Since I set up the rules
listed in my previous post, my IPSEC VPN's over the OPTx interface are
working well and seem very stable.

Vaughn

Vaughn L. Reid III wrote:
   

Just to be thorough, I added two more rules to the firewall's OPT
interface to make sure all the IPSEC stuff gets through.  I'm fuzzy on
if the last two are needed, but just to be safe, I added them.

Here are all the rule that I've added:
Rules in the format listed below:
Format:  Protocol Source Port Destination Port
Gateway Schedule
1.  UDP * * Interface IP Address 500 * Blank
2.  ESP * * Interface IP Address * * Blank
3.  AH * * Interface IP Address * * Blank
4.  GRE * * Interface IP Address * * Blank

Vaughn
  



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

  


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-04-06 Thread Vaughn L. Reid III
No.  The only things that I added/changed were the firewall rules.  
Actually, I don't have manually entered static routes configured for any 
of my IPSEC connections, and they all work.  When I pull up the routing 
table, I have noticed that the pfsense box appears to automatically add 
the routes.


Vaughn

[EMAIL PROTECTED] wrote:

Do you have static routes set up as well?

  

I just wanted to report an update of how my IPSEC over OPTx is working.
It's been a few days, now since I set up the manual rules on the OPTx
interface that I wanted to use for IPSEC.  Since I set up the rules
listed in my previous post, my IPSEC VPN's over the OPTx interface are
working well and seem very stable.

Vaughn

Vaughn L. Reid III wrote:


Just to be thorough, I added two more rules to the firewall's OPT
interface to make sure all the IPSEC stuff gets through.  I'm fuzzy on
if the last two are needed, but just to be safe, I added them.

Here are all the rule that I've added:
Rules in the format listed below:
Format:  Protocol Source Port Destination Port
Gateway Schedule
1.  UDP * * Interface IP Address 500 * Blank
2.  ESP * * Interface IP Address * * Blank
3.  AH * * Interface IP Address * * Blank
4.  GRE * * Interface IP Address * * Blank

Vaughn
  



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

  


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-04-06 Thread dwadson
Do you have static routes set up as well?

> I just wanted to report an update of how my IPSEC over OPTx is working.
> It's been a few days, now since I set up the manual rules on the OPTx
> interface that I wanted to use for IPSEC.  Since I set up the rules
> listed in my previous post, my IPSEC VPN's over the OPTx interface are
> working well and seem very stable.
>
> Vaughn
>
> Vaughn L. Reid III wrote:
>> Just to be thorough, I added two more rules to the firewall's OPT
>> interface to make sure all the IPSEC stuff gets through.  I'm fuzzy on
>> if the last two are needed, but just to be safe, I added them.
>>
>> Here are all the rule that I've added:
>> Rules in the format listed below:
>> Format:  Protocol Source Port Destination Port
>> Gateway Schedule
>> 1.  UDP * * Interface IP Address 500 * Blank
>> 2.  ESP * * Interface IP Address * * Blank
>> 3.  AH * * Interface IP Address * * Blank
>> 4.  GRE * * Interface IP Address * * Blank
>>
>> Vaughn


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-04-06 Thread Vaughn L. Reid III
I just wanted to report an update of how my IPSEC over OPTx is working.  
It's been a few days, now since I set up the manual rules on the OPTx 
interface that I wanted to use for IPSEC.  Since I set up the rules 
listed in my previous post, my IPSEC VPN's over the OPTx interface are 
working well and seem very stable.


Vaughn

Vaughn L. Reid III wrote:

Just to be thorough, I added two more rules to the firewall's OPT
interface to make sure all the IPSEC stuff gets through.  I'm fuzzy on
if the last two are needed, but just to be safe, I added them.

Here are all the rule that I've added:
Rules in the format listed below:
Format:  Protocol Source Port Destination Port
Gateway Schedule

1.  UDP * * Interface IP Address 500 * Blank
2.  ESP * * Interface IP Address * * Blank
3.  AH * * Interface IP Address * * Blank
4.  GRE * * Interface IP Address * * Blank

Vaughn




On Mon, 02 Apr 2007 20:43:38 -0400, "Vaughn L. Reid III"
<[EMAIL PROTECTED]> said:
  

Interesting,

This version of the firmware doesn't even list the VPN tunnel that is
configured for the OPT interface in the vpn section of /tmp/rules.debug.
 The tunnel definition is listed in the GUI, and it's working with the
manual rules because I'm in the process of accessing remote resources
now.

In /tmp/rules.debug, however, it's like the vpn out the opt interface
just doesn't exist.  I checked the firewall rules section of
/tmp/rules.debug, and the manual rules that I added are there.

Also, the firmware version that I was using when I started this thread
last week showed the VPN tunnel definition in /tmp/rules.debug, but it
showed the wrong interface.

Vaughn


On Mon, 2 Apr 2007 20:32:47 -0400, "Scott Ullrich" <[EMAIL PROTECTED]>
said:


On 4/2/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:
  

Here are the rules for the interface in question that seem to make the
IPSEC tunnel work:


[snip]

Look in /tmp/rules.debug and search for IPSEC.

Do you see rules permitting traffic to the interface?

Scott

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

  


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]






-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

  


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-04-02 Thread Vaughn L. Reid III
Just to be thorough, I added two more rules to the firewall's OPT
interface to make sure all the IPSEC stuff gets through.  I'm fuzzy on
if the last two are needed, but just to be safe, I added them.

Here are all the rule that I've added:
Rules in the format listed below:
Format:  Protocol Source Port Destination Port
Gateway Schedule
1.  UDP * * Interface IP Address 500 * Blank
2.  ESP * * Interface IP Address * * Blank
3.  AH * * Interface IP Address * * Blank
4.  GRE * * Interface IP Address * * Blank

Vaughn




On Mon, 02 Apr 2007 20:43:38 -0400, "Vaughn L. Reid III"
<[EMAIL PROTECTED]> said:
> Interesting,
> 
> This version of the firmware doesn't even list the VPN tunnel that is
> configured for the OPT interface in the vpn section of /tmp/rules.debug.
>  The tunnel definition is listed in the GUI, and it's working with the
> manual rules because I'm in the process of accessing remote resources
> now.
> 
> In /tmp/rules.debug, however, it's like the vpn out the opt interface
> just doesn't exist.  I checked the firewall rules section of
> /tmp/rules.debug, and the manual rules that I added are there.
> 
> Also, the firmware version that I was using when I started this thread
> last week showed the VPN tunnel definition in /tmp/rules.debug, but it
> showed the wrong interface.
> 
> Vaughn
> 
> 
> On Mon, 2 Apr 2007 20:32:47 -0400, "Scott Ullrich" <[EMAIL PROTECTED]>
> said:
> > On 4/2/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:
> > > Here are the rules for the interface in question that seem to make the
> > > IPSEC tunnel work:
> > [snip]
> > 
> > Look in /tmp/rules.debug and search for IPSEC.
> > 
> > Do you see rules permitting traffic to the interface?
> > 
> > Scott
> > 
> > -
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> > 
> 
> 
> 
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-04-02 Thread Vaughn L. Reid III
Interesting,

This version of the firmware doesn't even list the VPN tunnel that is
configured for the OPT interface in the vpn section of /tmp/rules.debug.
 The tunnel definition is listed in the GUI, and it's working with the
manual rules because I'm in the process of accessing remote resources
now.

In /tmp/rules.debug, however, it's like the vpn out the opt interface
just doesn't exist.  I checked the firewall rules section of
/tmp/rules.debug, and the manual rules that I added are there.

Also, the firmware version that I was using when I started this thread
last week showed the VPN tunnel definition in /tmp/rules.debug, but it
showed the wrong interface.

Vaughn


On Mon, 2 Apr 2007 20:32:47 -0400, "Scott Ullrich" <[EMAIL PROTECTED]>
said:
> On 4/2/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:
> > Here are the rules for the interface in question that seem to make the
> > IPSEC tunnel work:
> [snip]
> 
> Look in /tmp/rules.debug and search for IPSEC.
> 
> Do you see rules permitting traffic to the interface?
> 
> Scott
> 
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-04-02 Thread Scott Ullrich

On 4/2/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:

Here are the rules for the interface in question that seem to make the
IPSEC tunnel work:

[snip]

Look in /tmp/rules.debug and search for IPSEC.

Do you see rules permitting traffic to the interface?

Scott

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-04-02 Thread Vaughn L. Reid III
Here are the rules for the interface in question that seem to make the
IPSEC tunnel work:

Rules in the format listed below:
Format:  Protocol Source Port Destination Port
Gateway Schedule
1.  UDP * * Interface IP Address 500 * Blank
2.  ESP * * Interface IP Address * * Blank

Vaughn 


On Mon, 2 Apr 2007 20:11:10 -0400, "Scott Ullrich" <[EMAIL PROTECTED]>
said:
> On 4/2/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:
> > I've just tested the most recent pfsense update available on
> > http://snapshots.pfsense.com/FreeBSD6/RELENG_1/updates/
> 
> Please show the IPSEC rules that are relevant to the interface in
> question as you did prior.
> 
> Thanks!
> 
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-04-02 Thread Scott Ullrich

On 4/2/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:

I've just tested the most recent pfsense update available on
http://snapshots.pfsense.com/FreeBSD6/RELENG_1/updates/


Please show the IPSEC rules that are relevant to the interface in
question as you did prior.

Thanks!

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-04-02 Thread Vaughn L. Reid III
I've just tested the most recent pfsense update available on
http://snapshots.pfsense.com/FreeBSD6/RELENG_1/updates/

Here is the system's firmware information:
1.0.1-SNAPSHOT-03-27-2007
built on Mon Apr 2 19:21:19 EDT 2007

My results indicate that IPSEC over OPTx still does not work without
explicitly opening UDP 500 and ESP on the interface in question to allow
the interface's IP address to accept these two items.

I believe that this may still be an older firmware, but I do not see a
newer firmware available in the update format.  At this time, I am also
not in a position to test an .iso file.  To do that, I will need to wait
for the weekend when firewall usage is low.


Vaughn


On Fri, 30 Mar 2007 12:23:44 -0400, "Vaughn L. Reid III"
<[EMAIL PROTECTED]> said:
> I'll check back later this evening or Monday day sometime.
> 
> Thanks,
> 
> Vaughn
> 
> Scott Ullrich wrote:
> > This is an old image.  The snapshot server has been down for some
> > time...  Try again 2-3 hours from now or on Monday.
> >
> > Scott
> >
> >
> > On 3/30/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:
> >> I just tried implementing IPSEC over an OPT interface using the
> >> pfsense.iso file from March 29, 2007 at 7:19 p.m.
> >>
> >> Here are my results.  IPSEC will not work over my OPT2 Interface without
> >> adding specific firewall rules to the OPT2 interface to allow UDP 500
> >> and ESP to connect to that interface's IP address.
> >>
> >> Once I manually add the rules, the tunnels get created and work
> >> correctly over the OPT2 interface.  Before I manually added the rules to
> >> the OPT2 interface, I noticed that there was no SAD listing to the
> >> tunnel being tested.  Both ends of the tunnel were, however, listed on
> >> the SPD tab of the IPSEC tunnel diagnostic page.
> >>
> >> Once I added the needed firewall rules to the OPT2 interface, the VPN
> >> tunnel immediately set up and started working.  At that time, the proper
> >> entries appeared in the SAD on the IPSEC diagnostic page.
> >>
> >> Also, I noticed during the loading of the pfsense firewall software
> >> while it was connecting services, etc. that an error message appeared
> >> that stated that there was an invalid argument foreach on line 7 of the
> >> /etc/inc/vslb.inc file.  Don't quote me on the line number, but I'm
> >> pretty sure it was line 7.  I'm not sure if this is related to my IPSEC
> >> issue, but I thought I'd comment in case it is relevant.
> >>
> >> Thanks,
> >>
> >> Vaughn Reid III
> >>
> >> Tunge2 wrote:
> >> > If this is working it would be a great step a head :)
> >> >
> >> > -Oorspronkelijk bericht-
> >> > Van: Vaughn L. Reid III [mailto:[EMAIL PROTECTED]
> >> > Verzonden: vrijdag 30 maart 2007 1:08
> >> > Aan: support@pfsense.com
> >> > Onderwerp: Re: [pfSense Support] IPSEC over an OPT interface Problems
> >> >
> >> > Have the IPSEC changes been committed and built yet?  I'm looking 
> >> at the
> >> > update files, and they all still say March 27 2007.  I'm using this
> >> > repository http://snapshots.pfsense.com/FreeBSD6/RELENG_1/updates/
> >> >
> >> > Should I be looking somewhare else for the update with the IPSEC fix?
> >> >
> >> > Thanks,
> >> >
> >> > Vaughn
> >> >
> >> > On Thu, 29 Mar 2007 15:26:58 -0400, "Vaughn L. Reid III"
> >> > <[EMAIL PROTECTED]> said:
> >> >
> >> >> Thanks for your hard work.  I appreciate it and I'm sure my customers
> >> >> do too.
> >> >>
> >> >> Vaughn
> >> >>
> >> >> Vaughn L. Reid III wrote:
> >> >>
> >> >>> The ones ones that say Computer Support are from the test tunnel
> >> >>> that I created to use OPT2.
> >> >>>
> >> >>> The interfaces on this machine are labeled like this:
> >> >>>
> >> >>> LAN => em0
> >> >>> WAN => em1
> >> >>> ATTDSL => em4 -- This is the OPT interface that I was using for the
> >> >>> Computer Support VPN test wireless => em2
> >> >>>
> >> >>> Vaughn
> >> >>>
> >> >>> Scott Ullrich wrote:
> >> >>>
> >>

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-30 Thread Vaughn L. Reid III

I'll check back later this evening or Monday day sometime.

Thanks,

Vaughn

Scott Ullrich wrote:

This is an old image.  The snapshot server has been down for some
time...  Try again 2-3 hours from now or on Monday.

Scott


On 3/30/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:

I just tried implementing IPSEC over an OPT interface using the
pfsense.iso file from March 29, 2007 at 7:19 p.m.

Here are my results.  IPSEC will not work over my OPT2 Interface without
adding specific firewall rules to the OPT2 interface to allow UDP 500
and ESP to connect to that interface's IP address.

Once I manually add the rules, the tunnels get created and work
correctly over the OPT2 interface.  Before I manually added the rules to
the OPT2 interface, I noticed that there was no SAD listing to the
tunnel being tested.  Both ends of the tunnel were, however, listed on
the SPD tab of the IPSEC tunnel diagnostic page.

Once I added the needed firewall rules to the OPT2 interface, the VPN
tunnel immediately set up and started working.  At that time, the proper
entries appeared in the SAD on the IPSEC diagnostic page.

Also, I noticed during the loading of the pfsense firewall software
while it was connecting services, etc. that an error message appeared
that stated that there was an invalid argument foreach on line 7 of the
/etc/inc/vslb.inc file.  Don't quote me on the line number, but I'm
pretty sure it was line 7.  I'm not sure if this is related to my IPSEC
issue, but I thought I'd comment in case it is relevant.

Thanks,

Vaughn Reid III

Tunge2 wrote:
> If this is working it would be a great step a head :)
>
> -Oorspronkelijk bericht-
> Van: Vaughn L. Reid III [mailto:[EMAIL PROTECTED]
> Verzonden: vrijdag 30 maart 2007 1:08
> Aan: support@pfsense.com
> Onderwerp: Re: [pfSense Support] IPSEC over an OPT interface Problems
>
> Have the IPSEC changes been committed and built yet?  I'm looking 
at the

> update files, and they all still say March 27 2007.  I'm using this
> repository http://snapshots.pfsense.com/FreeBSD6/RELENG_1/updates/
>
> Should I be looking somewhare else for the update with the IPSEC fix?
>
> Thanks,
>
> Vaughn
>
> On Thu, 29 Mar 2007 15:26:58 -0400, "Vaughn L. Reid III"
> <[EMAIL PROTECTED]> said:
>
>> Thanks for your hard work.  I appreciate it and I'm sure my customers
>> do too.
>>
>> Vaughn
>>
>> Vaughn L. Reid III wrote:
>>
>>> The ones ones that say Computer Support are from the test tunnel
>>> that I created to use OPT2.
>>>
>>> The interfaces on this machine are labeled like this:
>>>
>>> LAN => em0
>>> WAN => em1
>>> ATTDSL => em4 -- This is the OPT interface that I was using for the
>>> Computer Support VPN test wireless => em2
>>>
>>> Vaughn
>>>
>>> Scott Ullrich wrote:
>>>
>>>> Okay, so that I am on the same page as you.  Those $wan rules
>>>> should have read $optX ??
>>>>
>>>> Scott
>>>>
>>>>
>>>> On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> 
wrote:

>>>>
>>>>> Oops!  Sorry for the double post.
>>>>>
>>>>> Vaughn L. Reid III wrote:
>>>>>
>>>>>> Here is the relevant text of my rules.debug file.  It looks like
>>>>>> the interface on the connection "computer support" has the same
>>>>>> interface as the rest of the tunnels.  This is the test
>>>>>> connection that should be using OPT3.
>>>>>>
>>>>>> # let out anything from the firewall host itself and decrypted
>>>>>> IPsec traffic pass out quick on $lan proto icmp keep state label
>>>>>> "let out anything from firewall host itself"
>>>>>> pass out quick on $wan proto icmp keep state label "let out
>>>>>> anything from firewall host itself"
>>>>>> pass out quick on em1 all keep state label "let out anything
>>>>>> from firewall host itself"
>>>>>> # pass traffic from firewall -> out anchor "firewallout"
>>>>>> pass out quick on em1 all keep state label "let out anything
>>>>>> from firewall host itself"
>>>>>> pass out quick on em0 all keep state label "let out anything
>>>>>> from firewall host itself"
>>>>>> pass out quick on em4 all keep state label "let out anything
>>>>>> from firewall host itself"
>>>>>> pass

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-30 Thread Scott Ullrich

This is an old image.  The snapshot server has been down for some
time...  Try again 2-3 hours from now or on Monday.

Scott


On 3/30/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:

I just tried implementing IPSEC over an OPT interface using the
pfsense.iso file from March 29, 2007 at 7:19 p.m.

Here are my results.  IPSEC will not work over my OPT2 Interface without
adding specific firewall rules to the OPT2 interface to allow UDP 500
and ESP to connect to that interface's IP address.

Once I manually add the rules, the tunnels get created and work
correctly over the OPT2 interface.  Before I manually added the rules to
the OPT2 interface, I noticed that there was no SAD listing to the
tunnel being tested.  Both ends of the tunnel were, however, listed on
the SPD tab of the IPSEC tunnel diagnostic page.

Once I added the needed firewall rules to the OPT2 interface, the VPN
tunnel immediately set up and started working.  At that time, the proper
entries appeared in the SAD on the IPSEC diagnostic page.

Also, I noticed during the loading of the pfsense firewall software
while it was connecting services, etc. that an error message appeared
that stated that there was an invalid argument foreach on line 7 of the
/etc/inc/vslb.inc file.  Don't quote me on the line number, but I'm
pretty sure it was line 7.  I'm not sure if this is related to my IPSEC
issue, but I thought I'd comment in case it is relevant.

Thanks,

Vaughn Reid III

Tunge2 wrote:
> If this is working it would be a great step a head :)
>
> -Oorspronkelijk bericht-
> Van: Vaughn L. Reid III [mailto:[EMAIL PROTECTED]
> Verzonden: vrijdag 30 maart 2007 1:08
> Aan: support@pfsense.com
> Onderwerp: Re: [pfSense Support] IPSEC over an OPT interface Problems
>
> Have the IPSEC changes been committed and built yet?  I'm looking at the
> update files, and they all still say March 27 2007.  I'm using this
> repository http://snapshots.pfsense.com/FreeBSD6/RELENG_1/updates/
>
> Should I be looking somewhare else for the update with the IPSEC fix?
>
> Thanks,
>
> Vaughn
>
> On Thu, 29 Mar 2007 15:26:58 -0400, "Vaughn L. Reid III"
> <[EMAIL PROTECTED]> said:
>
>> Thanks for your hard work.  I appreciate it and I'm sure my customers
>> do too.
>>
>> Vaughn
>>
>> Vaughn L. Reid III wrote:
>>
>>> The ones ones that say Computer Support are from the test tunnel
>>> that I created to use OPT2.
>>>
>>> The interfaces on this machine are labeled like this:
>>>
>>> LAN => em0
>>> WAN => em1
>>> ATTDSL => em4 -- This is the OPT interface that I was using for the
>>> Computer Support VPN test wireless => em2
>>>
>>> Vaughn
>>>
>>> Scott Ullrich wrote:
>>>
>>>> Okay, so that I am on the same page as you.  Those $wan rules
>>>> should have read $optX ??
>>>>
>>>> Scott
>>>>
>>>>
>>>> On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:
>>>>
>>>>> Oops!  Sorry for the double post.
>>>>>
>>>>> Vaughn L. Reid III wrote:
>>>>>
>>>>>> Here is the relevant text of my rules.debug file.  It looks like
>>>>>> the interface on the connection "computer support" has the same
>>>>>> interface as the rest of the tunnels.  This is the test
>>>>>> connection that should be using OPT3.
>>>>>>
>>>>>> # let out anything from the firewall host itself and decrypted
>>>>>> IPsec traffic pass out quick on $lan proto icmp keep state label
>>>>>> "let out anything from firewall host itself"
>>>>>> pass out quick on $wan proto icmp keep state label "let out
>>>>>> anything from firewall host itself"
>>>>>> pass out quick on em1 all keep state label "let out anything
>>>>>> from firewall host itself"
>>>>>> # pass traffic from firewall -> out anchor "firewallout"
>>>>>> pass out quick on em1 all keep state label "let out anything
>>>>>> from firewall host itself"
>>>>>> pass out quick on em0 all keep state label "let out anything
>>>>>> from firewall host itself"
>>>>>> pass out quick on em4 all keep state label "let out anything
>>>>>> from firewall host itself"
>>>>>> pass out quick on em2 all keep state label "let out anything
>>>>>> from firewall h

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-30 Thread Vaughn L. Reid III
I just tried implementing IPSEC over an OPT interface using the 
pfsense.iso file from March 29, 2007 at 7:19 p.m.


Here are my results.  IPSEC will not work over my OPT2 Interface without 
adding specific firewall rules to the OPT2 interface to allow UDP 500 
and ESP to connect to that interface's IP address.


Once I manually add the rules, the tunnels get created and work 
correctly over the OPT2 interface.  Before I manually added the rules to 
the OPT2 interface, I noticed that there was no SAD listing to the 
tunnel being tested.  Both ends of the tunnel were, however, listed on 
the SPD tab of the IPSEC tunnel diagnostic page.


Once I added the needed firewall rules to the OPT2 interface, the VPN 
tunnel immediately set up and started working.  At that time, the proper 
entries appeared in the SAD on the IPSEC diagnostic page.


Also, I noticed during the loading of the pfsense firewall software 
while it was connecting services, etc. that an error message appeared 
that stated that there was an invalid argument foreach on line 7 of the 
/etc/inc/vslb.inc file.  Don't quote me on the line number, but I'm 
pretty sure it was line 7.  I'm not sure if this is related to my IPSEC 
issue, but I thought I'd comment in case it is relevant.


Thanks,

Vaughn Reid III

Tunge2 wrote:
If this is working it would be a great step a head :) 


-Oorspronkelijk bericht-
Van: Vaughn L. Reid III [mailto:[EMAIL PROTECTED] 
Verzonden: vrijdag 30 maart 2007 1:08

Aan: support@pfsense.com
Onderwerp: Re: [pfSense Support] IPSEC over an OPT interface Problems

Have the IPSEC changes been committed and built yet?  I'm looking at the
update files, and they all still say March 27 2007.  I'm using this
repository http://snapshots.pfsense.com/FreeBSD6/RELENG_1/updates/

Should I be looking somewhare else for the update with the IPSEC fix?

Thanks,

Vaughn 


On Thu, 29 Mar 2007 15:26:58 -0400, "Vaughn L. Reid III"
<[EMAIL PROTECTED]> said:
  
Thanks for your hard work.  I appreciate it and I'm sure my customers 
do too.


Vaughn

Vaughn L. Reid III wrote:

The ones ones that say Computer Support are from the test tunnel 
that I created to use OPT2.


The interfaces on this machine are labeled like this:

LAN => em0
WAN => em1
ATTDSL => em4 -- This is the OPT interface that I was using for the 
Computer Support VPN test wireless => em2


Vaughn

Scott Ullrich wrote:
  
Okay, so that I am on the same page as you.  Those $wan rules 
should have read $optX ??


Scott


On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:


Oops!  Sorry for the double post.

Vaughn L. Reid III wrote:
  
Here is the relevant text of my rules.debug file.  It looks like 
the interface on the connection "computer support" has the same 
interface as the rest of the tunnels.  This is the test 
connection that should be using OPT3.


# let out anything from the firewall host itself and decrypted 
IPsec traffic pass out quick on $lan proto icmp keep state label 
"let out anything from firewall host itself"
pass out quick on $wan proto icmp keep state label "let out 
anything from firewall host itself"
pass out quick on em1 all keep state label "let out anything 
from firewall host itself"

# pass traffic from firewall -> out anchor "firewallout"
pass out quick on em1 all keep state label "let out anything 
from firewall host itself"
pass out quick on em0 all keep state label "let out anything 
from firewall host itself"
pass out quick on em4 all keep state label "let out anything 
from firewall host itself"
pass out quick on em2 all keep state label "let out anything 
from firewall host itself"
pass out quick on $pptp all keep state label "let out anything 
from firewall host itself pptp"

pass out quick on $enc0 keep state label "IPSEC internal host to


host"
  

# let out anything from the firewall host itself and decrypted IPsec
traffic
pass out quick on em4 proto icmp keep state label "let out anything
from firewall host itself"
pass out quick on em4 all keep state label "let out anything from
firewall host itself"


# VPN Rules
pass out quick on $wan proto udp from 209.218.218.138 to
65.119.178.137 port = 500 keep state label "IPSEC: Fire Station 3 -
outbound isakmp"
pass in quick on $wan proto udp from 65.119.178.137 to 


209.218.218.138
  

port = 500 keep state label "IPSEC: Fire Station 3 - inbound isakmp"
pass out quick on $wan proto esp from 209.218.218.138 to
65.119.178.137 keep state label "IPSEC: Fire Station 3 - outbound


esp
  

proto"
pass in quick on $wan proto esp from 65.119.178.137 to 


209.218.218.138
  

keep state label "IPSEC: Fire Station 3 - inbound esp proto"
pass out q

RE: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-29 Thread Tunge2
If this is working it would be a great step a head :) 

-Oorspronkelijk bericht-
Van: Vaughn L. Reid III [mailto:[EMAIL PROTECTED] 
Verzonden: vrijdag 30 maart 2007 1:08
Aan: support@pfsense.com
Onderwerp: Re: [pfSense Support] IPSEC over an OPT interface Problems

Have the IPSEC changes been committed and built yet?  I'm looking at the
update files, and they all still say March 27 2007.  I'm using this
repository http://snapshots.pfsense.com/FreeBSD6/RELENG_1/updates/

Should I be looking somewhare else for the update with the IPSEC fix?

Thanks,

Vaughn 

On Thu, 29 Mar 2007 15:26:58 -0400, "Vaughn L. Reid III"
<[EMAIL PROTECTED]> said:
> Thanks for your hard work.  I appreciate it and I'm sure my customers 
> do too.
> 
> Vaughn
> 
> Vaughn L. Reid III wrote:
> > The ones ones that say Computer Support are from the test tunnel 
> > that I created to use OPT2.
> >
> > The interfaces on this machine are labeled like this:
> >
> > LAN => em0
> > WAN => em1
> > ATTDSL => em4 -- This is the OPT interface that I was using for the 
> > Computer Support VPN test wireless => em2
> >
> > Vaughn
> >
> > Scott Ullrich wrote:
> >> Okay, so that I am on the same page as you.  Those $wan rules 
> >> should have read $optX ??
> >>
> >> Scott
> >>
> >>
> >> On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:
> >>> Oops!  Sorry for the double post.
> >>>
> >>> Vaughn L. Reid III wrote:
> >>> > Here is the relevant text of my rules.debug file.  It looks like 
> >>> > the interface on the connection "computer support" has the same 
> >>> > interface as the rest of the tunnels.  This is the test 
> >>> > connection that should be using OPT3.
> >>> >
> >>> > # let out anything from the firewall host itself and decrypted 
> >>> > IPsec traffic pass out quick on $lan proto icmp keep state label 
> >>> > "let out anything from firewall host itself"
> >>> > pass out quick on $wan proto icmp keep state label "let out 
> >>> > anything from firewall host itself"
> >>> > pass out quick on em1 all keep state label "let out anything 
> >>> > from firewall host itself"
> >>> > # pass traffic from firewall -> out anchor "firewallout"
> >>> > pass out quick on em1 all keep state label "let out anything 
> >>> > from firewall host itself"
> >>> > pass out quick on em0 all keep state label "let out anything 
> >>> > from firewall host itself"
> >>> > pass out quick on em4 all keep state label "let out anything 
> >>> > from firewall host itself"
> >>> > pass out quick on em2 all keep state label "let out anything 
> >>> > from firewall host itself"
> >>> > pass out quick on $pptp all keep state label "let out anything 
> >>> > from firewall host itself pptp"
> >>> > pass out quick on $enc0 keep state label "IPSEC internal host to
> >>> host"
> >>> >
> >>> > # let out anything from the firewall host itself and decrypted IPsec
> >>> > traffic
> >>> > pass out quick on em4 proto icmp keep state label "let out anything
> >>> > from firewall host itself"
> >>> > pass out quick on em4 all keep state label "let out anything from
> >>> > firewall host itself"
> >>> >
> >>> >
> >>> > # VPN Rules
> >>> > pass out quick on $wan proto udp from 209.218.218.138 to
> >>> > 65.119.178.137 port = 500 keep state label "IPSEC: Fire Station 3 -
> >>> > outbound isakmp"
> >>> > pass in quick on $wan proto udp from 65.119.178.137 to 
> >>> 209.218.218.138
> >>> > port = 500 keep state label "IPSEC: Fire Station 3 - inbound isakmp"
> >>> > pass out quick on $wan proto esp from 209.218.218.138 to
> >>> > 65.119.178.137 keep state label "IPSEC: Fire Station 3 - outbound
esp
> >>> > proto"
> >>> > pass in quick on $wan proto esp from 65.119.178.137 to 
> >>> 209.218.218.138
> >>> > keep state label "IPSEC: Fire Station 3 - inbound esp proto"
> >>> > pass out quick on $wan proto udp from 209.218.218.138 to
> >>> > 6

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-29 Thread Vaughn L. Reid III
Have the IPSEC changes been committed and built yet?  I'm looking at the
update files, and they all still say March 27 2007.  I'm using this
repository http://snapshots.pfsense.com/FreeBSD6/RELENG_1/updates/

Should I be looking somewhare else for the update with the IPSEC fix?

Thanks,

Vaughn 

On Thu, 29 Mar 2007 15:26:58 -0400, "Vaughn L. Reid III"
<[EMAIL PROTECTED]> said:
> Thanks for your hard work.  I appreciate it and I'm sure my customers do 
> too.
> 
> Vaughn
> 
> Vaughn L. Reid III wrote:
> > The ones ones that say Computer Support are from the test tunnel that 
> > I created to use OPT2.
> >
> > The interfaces on this machine are labeled like this:
> >
> > LAN => em0
> > WAN => em1
> > ATTDSL => em4 -- This is the OPT interface that I was using for the 
> > Computer Support VPN test
> > wireless => em2
> >
> > Vaughn
> >
> > Scott Ullrich wrote:
> >> Okay, so that I am on the same page as you.  Those $wan rules should
> >> have read $optX ??
> >>
> >> Scott
> >>
> >>
> >> On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:
> >>> Oops!  Sorry for the double post.
> >>>
> >>> Vaughn L. Reid III wrote:
> >>> > Here is the relevant text of my rules.debug file.  It looks like the
> >>> > interface on the connection "computer support" has the same interface
> >>> > as the rest of the tunnels.  This is the test connection that should
> >>> > be using OPT3.
> >>> >
> >>> > # let out anything from the firewall host itself and decrypted IPsec
> >>> > traffic
> >>> > pass out quick on $lan proto icmp keep state label "let out anything
> >>> > from firewall host itself"
> >>> > pass out quick on $wan proto icmp keep state label "let out anything
> >>> > from firewall host itself"
> >>> > pass out quick on em1 all keep state label "let out anything from
> >>> > firewall host itself"
> >>> > # pass traffic from firewall -> out
> >>> > anchor "firewallout"
> >>> > pass out quick on em1 all keep state label "let out anything from
> >>> > firewall host itself"
> >>> > pass out quick on em0 all keep state label "let out anything from
> >>> > firewall host itself"
> >>> > pass out quick on em4 all keep state label "let out anything from
> >>> > firewall host itself"
> >>> > pass out quick on em2 all keep state label "let out anything from
> >>> > firewall host itself"
> >>> > pass out quick on $pptp all keep state label "let out anything from
> >>> > firewall host itself pptp"
> >>> > pass out quick on $enc0 keep state label "IPSEC internal host to 
> >>> host"
> >>> >
> >>> > # let out anything from the firewall host itself and decrypted IPsec
> >>> > traffic
> >>> > pass out quick on em4 proto icmp keep state label "let out anything
> >>> > from firewall host itself"
> >>> > pass out quick on em4 all keep state label "let out anything from
> >>> > firewall host itself"
> >>> >
> >>> >
> >>> > # VPN Rules
> >>> > pass out quick on $wan proto udp from 209.218.218.138 to
> >>> > 65.119.178.137 port = 500 keep state label "IPSEC: Fire Station 3 -
> >>> > outbound isakmp"
> >>> > pass in quick on $wan proto udp from 65.119.178.137 to 
> >>> 209.218.218.138
> >>> > port = 500 keep state label "IPSEC: Fire Station 3 - inbound isakmp"
> >>> > pass out quick on $wan proto esp from 209.218.218.138 to
> >>> > 65.119.178.137 keep state label "IPSEC: Fire Station 3 - outbound esp
> >>> > proto"
> >>> > pass in quick on $wan proto esp from 65.119.178.137 to 
> >>> 209.218.218.138
> >>> > keep state label "IPSEC: Fire Station 3 - inbound esp proto"
> >>> > pass out quick on $wan proto udp from 209.218.218.138 to
> >>> > 65.119.178.129 port = 500 keep state label "IPSEC: Street 
> >>> Department -
> >>> > outbound isakmp"
> >>> > pass in quick on $wan proto udp from 65.119.178.129 to 
> >>> 209.218.218.138
> >>> > port = 500 keep state label "IPSEC: Street Department - inbound 
> >>> isakmp"
> >>> > pass out quick on $wan proto esp from 209.218.218.138 to
> >>> > 65.119.178.129 keep state label "IPSEC: Street Department - outbound
> >>> > esp proto"
> >>> > pass in quick on $wan proto esp from 65.119.178.129 to 
> >>> 209.218.218.138
> >>> > keep state label "IPSEC: Street Department - inbound esp proto"
> >>> > pass out quick on $wan proto udp from 209.218.218.138 to
> >>> > 65.119.178.154 port = 500 keep state label "IPSEC: Fire Station 2 -
> >>> > outbound isakmp"
> >>> > pass in quick on $wan proto udp from 65.119.178.154 to 
> >>> 209.218.218.138
> >>> > port = 500 keep state label "IPSEC: Fire Station 2 - inbound isakmp"
> >>> > pass out quick on $wan proto esp from 209.218.218.138 to
> >>> > 65.119.178.154 keep state label "IPSEC: Fire Station 2 - outbound esp
> >>> > proto"
> >>> > pass in quick on $wan proto esp from 65.119.178.154 to 
> >>> 209.218.218.138
> >>> > keep state label "IPSEC: Fire Station 2 - inbound esp proto"
> >>> > pass out quick on $wan proto udp from 209.218.218.138 to 70.227.28.14
> >>> > port = 500 keep state label "IPSEC: EMS Building - outbound isakmp"
> >>> > pass in quick on $wan prot

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-29 Thread Scott Ullrich

On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:

Thanks for your hard work.  I appreciate it and I'm sure my customers do
too.


No problem, the bug should be fixed now.  Please test a snapshot about
1-2 hours from now.

Scott

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-29 Thread Vaughn L. Reid III
Thanks for your hard work.  I appreciate it and I'm sure my customers do 
too.


Vaughn

Vaughn L. Reid III wrote:
The ones ones that say Computer Support are from the test tunnel that 
I created to use OPT2.


The interfaces on this machine are labeled like this:

LAN => em0
WAN => em1
ATTDSL => em4 -- This is the OPT interface that I was using for the 
Computer Support VPN test

wireless => em2

Vaughn

Scott Ullrich wrote:

Okay, so that I am on the same page as you.  Those $wan rules should
have read $optX ??

Scott


On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:

Oops!  Sorry for the double post.

Vaughn L. Reid III wrote:
> Here is the relevant text of my rules.debug file.  It looks like the
> interface on the connection "computer support" has the same interface
> as the rest of the tunnels.  This is the test connection that should
> be using OPT3.
>
> # let out anything from the firewall host itself and decrypted IPsec
> traffic
> pass out quick on $lan proto icmp keep state label "let out anything
> from firewall host itself"
> pass out quick on $wan proto icmp keep state label "let out anything
> from firewall host itself"
> pass out quick on em1 all keep state label "let out anything from
> firewall host itself"
> # pass traffic from firewall -> out
> anchor "firewallout"
> pass out quick on em1 all keep state label "let out anything from
> firewall host itself"
> pass out quick on em0 all keep state label "let out anything from
> firewall host itself"
> pass out quick on em4 all keep state label "let out anything from
> firewall host itself"
> pass out quick on em2 all keep state label "let out anything from
> firewall host itself"
> pass out quick on $pptp all keep state label "let out anything from
> firewall host itself pptp"
> pass out quick on $enc0 keep state label "IPSEC internal host to 
host"

>
> # let out anything from the firewall host itself and decrypted IPsec
> traffic
> pass out quick on em4 proto icmp keep state label "let out anything
> from firewall host itself"
> pass out quick on em4 all keep state label "let out anything from
> firewall host itself"
>
>
> # VPN Rules
> pass out quick on $wan proto udp from 209.218.218.138 to
> 65.119.178.137 port = 500 keep state label "IPSEC: Fire Station 3 -
> outbound isakmp"
> pass in quick on $wan proto udp from 65.119.178.137 to 
209.218.218.138

> port = 500 keep state label "IPSEC: Fire Station 3 - inbound isakmp"
> pass out quick on $wan proto esp from 209.218.218.138 to
> 65.119.178.137 keep state label "IPSEC: Fire Station 3 - outbound esp
> proto"
> pass in quick on $wan proto esp from 65.119.178.137 to 
209.218.218.138

> keep state label "IPSEC: Fire Station 3 - inbound esp proto"
> pass out quick on $wan proto udp from 209.218.218.138 to
> 65.119.178.129 port = 500 keep state label "IPSEC: Street 
Department -

> outbound isakmp"
> pass in quick on $wan proto udp from 65.119.178.129 to 
209.218.218.138
> port = 500 keep state label "IPSEC: Street Department - inbound 
isakmp"

> pass out quick on $wan proto esp from 209.218.218.138 to
> 65.119.178.129 keep state label "IPSEC: Street Department - outbound
> esp proto"
> pass in quick on $wan proto esp from 65.119.178.129 to 
209.218.218.138

> keep state label "IPSEC: Street Department - inbound esp proto"
> pass out quick on $wan proto udp from 209.218.218.138 to
> 65.119.178.154 port = 500 keep state label "IPSEC: Fire Station 2 -
> outbound isakmp"
> pass in quick on $wan proto udp from 65.119.178.154 to 
209.218.218.138

> port = 500 keep state label "IPSEC: Fire Station 2 - inbound isakmp"
> pass out quick on $wan proto esp from 209.218.218.138 to
> 65.119.178.154 keep state label "IPSEC: Fire Station 2 - outbound esp
> proto"
> pass in quick on $wan proto esp from 65.119.178.154 to 
209.218.218.138

> keep state label "IPSEC: Fire Station 2 - inbound esp proto"
> pass out quick on $wan proto udp from 209.218.218.138 to 70.227.28.14
> port = 500 keep state label "IPSEC: EMS Building - outbound isakmp"
> pass in quick on $wan proto udp from 70.227.28.14 to 209.218.218.138
> port = 500 keep state label "IPSEC: EMS Building - inbound isakmp"
> pass out quick on $wan proto esp from 209.218.218.138 to 70.227.28.14
> keep state label "IPSEC: EMS Building - outbound esp proto"
> pass in quick on $wan proto esp from 70.227.28.14 to 209.218.218.138
> keep state label "IPSEC: EMS Building - inbound esp proto"
> pass out quick on $wan proto udp from 209.218.218.138 to 
70.237.44.110
> port = 500 keep state label "IPSEC: Computer Support - outbound 
isakmp"

> pass in quick on $wan proto udp from 70.237.44.110 to 209.218.218.138
> port = 500 keep state label "IPSEC: Computer Support - inbound 
isakmp"
> pass out quick on $wan proto esp from 209.218.218.138 to 
70.237.44.110

> keep state label "IPSEC: Computer Support - outbound esp proto"
> pass in quick on $wan proto esp from 70.237.44.110 to 209.218.218.138
> keep state label "IPSEC: Computer Support - inbound esp prot

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-29 Thread Scott Ullrich

Okay, I see this bug as well.   Will get it fixed soon.

Scott


On 3/29/07, Scott Ullrich <[EMAIL PROTECTED]> wrote:

Okay, so that I am on the same page as you.  Those $wan rules should
have read $optX ??

Scott


On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:
> Oops!  Sorry for the double post.
>
> Vaughn L. Reid III wrote:
> > Here is the relevant text of my rules.debug file.  It looks like the
> > interface on the connection "computer support" has the same interface
> > as the rest of the tunnels.  This is the test connection that should
> > be using OPT3.
> >
> > # let out anything from the firewall host itself and decrypted IPsec
> > traffic
> > pass out quick on $lan proto icmp keep state label "let out anything
> > from firewall host itself"
> > pass out quick on $wan proto icmp keep state label "let out anything
> > from firewall host itself"
> > pass out quick on em1 all keep state label "let out anything from
> > firewall host itself"
> > # pass traffic from firewall -> out
> > anchor "firewallout"
> > pass out quick on em1 all keep state label "let out anything from
> > firewall host itself"
> > pass out quick on em0 all keep state label "let out anything from
> > firewall host itself"
> > pass out quick on em4 all keep state label "let out anything from
> > firewall host itself"
> > pass out quick on em2 all keep state label "let out anything from
> > firewall host itself"
> > pass out quick on $pptp all keep state label "let out anything from
> > firewall host itself pptp"
> > pass out quick on $enc0 keep state label "IPSEC internal host to host"
> >
> > # let out anything from the firewall host itself and decrypted IPsec
> > traffic
> > pass out quick on em4 proto icmp keep state label "let out anything
> > from firewall host itself"
> > pass out quick on em4 all keep state label "let out anything from
> > firewall host itself"
> >
> >
> > # VPN Rules
> > pass out quick on $wan proto udp from 209.218.218.138 to
> > 65.119.178.137 port = 500 keep state label "IPSEC: Fire Station 3 -
> > outbound isakmp"
> > pass in quick on $wan proto udp from 65.119.178.137 to 209.218.218.138
> > port = 500 keep state label "IPSEC: Fire Station 3 - inbound isakmp"
> > pass out quick on $wan proto esp from 209.218.218.138 to
> > 65.119.178.137 keep state label "IPSEC: Fire Station 3 - outbound esp
> > proto"
> > pass in quick on $wan proto esp from 65.119.178.137 to 209.218.218.138
> > keep state label "IPSEC: Fire Station 3 - inbound esp proto"
> > pass out quick on $wan proto udp from 209.218.218.138 to
> > 65.119.178.129 port = 500 keep state label "IPSEC: Street Department -
> > outbound isakmp"
> > pass in quick on $wan proto udp from 65.119.178.129 to 209.218.218.138
> > port = 500 keep state label "IPSEC: Street Department - inbound isakmp"
> > pass out quick on $wan proto esp from 209.218.218.138 to
> > 65.119.178.129 keep state label "IPSEC: Street Department - outbound
> > esp proto"
> > pass in quick on $wan proto esp from 65.119.178.129 to 209.218.218.138
> > keep state label "IPSEC: Street Department - inbound esp proto"
> > pass out quick on $wan proto udp from 209.218.218.138 to
> > 65.119.178.154 port = 500 keep state label "IPSEC: Fire Station 2 -
> > outbound isakmp"
> > pass in quick on $wan proto udp from 65.119.178.154 to 209.218.218.138
> > port = 500 keep state label "IPSEC: Fire Station 2 - inbound isakmp"
> > pass out quick on $wan proto esp from 209.218.218.138 to
> > 65.119.178.154 keep state label "IPSEC: Fire Station 2 - outbound esp
> > proto"
> > pass in quick on $wan proto esp from 65.119.178.154 to 209.218.218.138
> > keep state label "IPSEC: Fire Station 2 - inbound esp proto"
> > pass out quick on $wan proto udp from 209.218.218.138 to 70.227.28.14
> > port = 500 keep state label "IPSEC: EMS Building - outbound isakmp"
> > pass in quick on $wan proto udp from 70.227.28.14 to 209.218.218.138
> > port = 500 keep state label "IPSEC: EMS Building - inbound isakmp"
> > pass out quick on $wan proto esp from 209.218.218.138 to 70.227.28.14
> > keep state label "IPSEC: EMS Building - outbound esp proto"
> > pass in quick on $wan proto esp from 70.227.28.14 to 209.218.218.138
> > keep state label "IPSEC: EMS Building - inbound esp proto"
> > pass out quick on $wan proto udp from 209.218.218.138 to 70.237.44.110
> > port = 500 keep state label "IPSEC: Computer Support - outbound isakmp"
> > pass in quick on $wan proto udp from 70.237.44.110 to 209.218.218.138
> > port = 500 keep state label "IPSEC: Computer Support - inbound isakmp"
> > pass out quick on $wan proto esp from 209.218.218.138 to 70.237.44.110
> > keep state label "IPSEC: Computer Support - outbound esp proto"
> > pass in quick on $wan proto esp from 70.237.44.110 to 209.218.218.138
> > keep state label "IPSEC: Computer Support - inbound esp proto"
> >
> > pass in quick on em0 inet proto tcp from any to $loopback port 8021
> > keep state label "FTP PROXY: Allow traffic to localhost"
> > pass in quick on em0 i

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-29 Thread Vaughn L. Reid III
The ones ones that say Computer Support are from the test tunnel that I 
created to use OPT2.


The interfaces on this machine are labeled like this:

LAN => em0
WAN => em1
ATTDSL => em4 -- This is the OPT interface that I was using for the 
Computer Support VPN test

wireless => em2

Vaughn

Scott Ullrich wrote:

Okay, so that I am on the same page as you.  Those $wan rules should
have read $optX ??

Scott


On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:

Oops!  Sorry for the double post.

Vaughn L. Reid III wrote:
> Here is the relevant text of my rules.debug file.  It looks like the
> interface on the connection "computer support" has the same interface
> as the rest of the tunnels.  This is the test connection that should
> be using OPT3.
>
> # let out anything from the firewall host itself and decrypted IPsec
> traffic
> pass out quick on $lan proto icmp keep state label "let out anything
> from firewall host itself"
> pass out quick on $wan proto icmp keep state label "let out anything
> from firewall host itself"
> pass out quick on em1 all keep state label "let out anything from
> firewall host itself"
> # pass traffic from firewall -> out
> anchor "firewallout"
> pass out quick on em1 all keep state label "let out anything from
> firewall host itself"
> pass out quick on em0 all keep state label "let out anything from
> firewall host itself"
> pass out quick on em4 all keep state label "let out anything from
> firewall host itself"
> pass out quick on em2 all keep state label "let out anything from
> firewall host itself"
> pass out quick on $pptp all keep state label "let out anything from
> firewall host itself pptp"
> pass out quick on $enc0 keep state label "IPSEC internal host to host"
>
> # let out anything from the firewall host itself and decrypted IPsec
> traffic
> pass out quick on em4 proto icmp keep state label "let out anything
> from firewall host itself"
> pass out quick on em4 all keep state label "let out anything from
> firewall host itself"
>
>
> # VPN Rules
> pass out quick on $wan proto udp from 209.218.218.138 to
> 65.119.178.137 port = 500 keep state label "IPSEC: Fire Station 3 -
> outbound isakmp"
> pass in quick on $wan proto udp from 65.119.178.137 to 209.218.218.138
> port = 500 keep state label "IPSEC: Fire Station 3 - inbound isakmp"
> pass out quick on $wan proto esp from 209.218.218.138 to
> 65.119.178.137 keep state label "IPSEC: Fire Station 3 - outbound esp
> proto"
> pass in quick on $wan proto esp from 65.119.178.137 to 209.218.218.138
> keep state label "IPSEC: Fire Station 3 - inbound esp proto"
> pass out quick on $wan proto udp from 209.218.218.138 to
> 65.119.178.129 port = 500 keep state label "IPSEC: Street Department -
> outbound isakmp"
> pass in quick on $wan proto udp from 65.119.178.129 to 209.218.218.138
> port = 500 keep state label "IPSEC: Street Department - inbound 
isakmp"

> pass out quick on $wan proto esp from 209.218.218.138 to
> 65.119.178.129 keep state label "IPSEC: Street Department - outbound
> esp proto"
> pass in quick on $wan proto esp from 65.119.178.129 to 209.218.218.138
> keep state label "IPSEC: Street Department - inbound esp proto"
> pass out quick on $wan proto udp from 209.218.218.138 to
> 65.119.178.154 port = 500 keep state label "IPSEC: Fire Station 2 -
> outbound isakmp"
> pass in quick on $wan proto udp from 65.119.178.154 to 209.218.218.138
> port = 500 keep state label "IPSEC: Fire Station 2 - inbound isakmp"
> pass out quick on $wan proto esp from 209.218.218.138 to
> 65.119.178.154 keep state label "IPSEC: Fire Station 2 - outbound esp
> proto"
> pass in quick on $wan proto esp from 65.119.178.154 to 209.218.218.138
> keep state label "IPSEC: Fire Station 2 - inbound esp proto"
> pass out quick on $wan proto udp from 209.218.218.138 to 70.227.28.14
> port = 500 keep state label "IPSEC: EMS Building - outbound isakmp"
> pass in quick on $wan proto udp from 70.227.28.14 to 209.218.218.138
> port = 500 keep state label "IPSEC: EMS Building - inbound isakmp"
> pass out quick on $wan proto esp from 209.218.218.138 to 70.227.28.14
> keep state label "IPSEC: EMS Building - outbound esp proto"
> pass in quick on $wan proto esp from 70.227.28.14 to 209.218.218.138
> keep state label "IPSEC: EMS Building - inbound esp proto"
> pass out quick on $wan proto udp from 209.218.218.138 to 70.237.44.110
> port = 500 keep state label "IPSEC: Computer Support - outbound 
isakmp"

> pass in quick on $wan proto udp from 70.237.44.110 to 209.218.218.138
> port = 500 keep state label "IPSEC: Computer Support - inbound isakmp"
> pass out quick on $wan proto esp from 209.218.218.138 to 70.237.44.110
> keep state label "IPSEC: Computer Support - outbound esp proto"
> pass in quick on $wan proto esp from 70.237.44.110 to 209.218.218.138
> keep state label "IPSEC: Computer Support - inbound esp proto"
>
> pass in quick on em0 inet proto tcp from any to $loopback port 8021
> keep state label "FTP PROXY: Allow traffic to localhost"

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-29 Thread Scott Ullrich

Okay, so that I am on the same page as you.  Those $wan rules should
have read $optX ??

Scott


On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:

Oops!  Sorry for the double post.

Vaughn L. Reid III wrote:
> Here is the relevant text of my rules.debug file.  It looks like the
> interface on the connection "computer support" has the same interface
> as the rest of the tunnels.  This is the test connection that should
> be using OPT3.
>
> # let out anything from the firewall host itself and decrypted IPsec
> traffic
> pass out quick on $lan proto icmp keep state label "let out anything
> from firewall host itself"
> pass out quick on $wan proto icmp keep state label "let out anything
> from firewall host itself"
> pass out quick on em1 all keep state label "let out anything from
> firewall host itself"
> # pass traffic from firewall -> out
> anchor "firewallout"
> pass out quick on em1 all keep state label "let out anything from
> firewall host itself"
> pass out quick on em0 all keep state label "let out anything from
> firewall host itself"
> pass out quick on em4 all keep state label "let out anything from
> firewall host itself"
> pass out quick on em2 all keep state label "let out anything from
> firewall host itself"
> pass out quick on $pptp all keep state label "let out anything from
> firewall host itself pptp"
> pass out quick on $enc0 keep state label "IPSEC internal host to host"
>
> # let out anything from the firewall host itself and decrypted IPsec
> traffic
> pass out quick on em4 proto icmp keep state label "let out anything
> from firewall host itself"
> pass out quick on em4 all keep state label "let out anything from
> firewall host itself"
>
>
> # VPN Rules
> pass out quick on $wan proto udp from 209.218.218.138 to
> 65.119.178.137 port = 500 keep state label "IPSEC: Fire Station 3 -
> outbound isakmp"
> pass in quick on $wan proto udp from 65.119.178.137 to 209.218.218.138
> port = 500 keep state label "IPSEC: Fire Station 3 - inbound isakmp"
> pass out quick on $wan proto esp from 209.218.218.138 to
> 65.119.178.137 keep state label "IPSEC: Fire Station 3 - outbound esp
> proto"
> pass in quick on $wan proto esp from 65.119.178.137 to 209.218.218.138
> keep state label "IPSEC: Fire Station 3 - inbound esp proto"
> pass out quick on $wan proto udp from 209.218.218.138 to
> 65.119.178.129 port = 500 keep state label "IPSEC: Street Department -
> outbound isakmp"
> pass in quick on $wan proto udp from 65.119.178.129 to 209.218.218.138
> port = 500 keep state label "IPSEC: Street Department - inbound isakmp"
> pass out quick on $wan proto esp from 209.218.218.138 to
> 65.119.178.129 keep state label "IPSEC: Street Department - outbound
> esp proto"
> pass in quick on $wan proto esp from 65.119.178.129 to 209.218.218.138
> keep state label "IPSEC: Street Department - inbound esp proto"
> pass out quick on $wan proto udp from 209.218.218.138 to
> 65.119.178.154 port = 500 keep state label "IPSEC: Fire Station 2 -
> outbound isakmp"
> pass in quick on $wan proto udp from 65.119.178.154 to 209.218.218.138
> port = 500 keep state label "IPSEC: Fire Station 2 - inbound isakmp"
> pass out quick on $wan proto esp from 209.218.218.138 to
> 65.119.178.154 keep state label "IPSEC: Fire Station 2 - outbound esp
> proto"
> pass in quick on $wan proto esp from 65.119.178.154 to 209.218.218.138
> keep state label "IPSEC: Fire Station 2 - inbound esp proto"
> pass out quick on $wan proto udp from 209.218.218.138 to 70.227.28.14
> port = 500 keep state label "IPSEC: EMS Building - outbound isakmp"
> pass in quick on $wan proto udp from 70.227.28.14 to 209.218.218.138
> port = 500 keep state label "IPSEC: EMS Building - inbound isakmp"
> pass out quick on $wan proto esp from 209.218.218.138 to 70.227.28.14
> keep state label "IPSEC: EMS Building - outbound esp proto"
> pass in quick on $wan proto esp from 70.227.28.14 to 209.218.218.138
> keep state label "IPSEC: EMS Building - inbound esp proto"
> pass out quick on $wan proto udp from 209.218.218.138 to 70.237.44.110
> port = 500 keep state label "IPSEC: Computer Support - outbound isakmp"
> pass in quick on $wan proto udp from 70.237.44.110 to 209.218.218.138
> port = 500 keep state label "IPSEC: Computer Support - inbound isakmp"
> pass out quick on $wan proto esp from 209.218.218.138 to 70.237.44.110
> keep state label "IPSEC: Computer Support - outbound esp proto"
> pass in quick on $wan proto esp from 70.237.44.110 to 209.218.218.138
> keep state label "IPSEC: Computer Support - inbound esp proto"
>
> pass in quick on em0 inet proto tcp from any to $loopback port 8021
> keep state label "FTP PROXY: Allow traffic to localhost"
> pass in quick on em0 inet proto tcp from any to $loopback port 21 keep
> state label "FTP PROXY: Allow traffic to localhost"
> pass in quick on em1 inet proto tcp from port 20 to (em1) port > 49000
> user proxy flags S/SA keep state label "FTP PROXY: PASV mode data
> connection"
> # enable ftp-proxy
> pass in quick 

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-29 Thread Vaughn L. Reid III

Oops!  Sorry for the double post.

Vaughn L. Reid III wrote:
Here is the relevant text of my rules.debug file.  It looks like the 
interface on the connection "computer support" has the same interface 
as the rest of the tunnels.  This is the test connection that should 
be using OPT3.


# let out anything from the firewall host itself and decrypted IPsec 
traffic
pass out quick on $lan proto icmp keep state label "let out anything 
from firewall host itself"
pass out quick on $wan proto icmp keep state label "let out anything 
from firewall host itself"
pass out quick on em1 all keep state label "let out anything from 
firewall host itself"

# pass traffic from firewall -> out
anchor "firewallout"
pass out quick on em1 all keep state label "let out anything from 
firewall host itself"
pass out quick on em0 all keep state label "let out anything from 
firewall host itself"
pass out quick on em4 all keep state label "let out anything from 
firewall host itself"
pass out quick on em2 all keep state label "let out anything from 
firewall host itself"
pass out quick on $pptp all keep state label "let out anything from 
firewall host itself pptp"

pass out quick on $enc0 keep state label "IPSEC internal host to host"

# let out anything from the firewall host itself and decrypted IPsec 
traffic
pass out quick on em4 proto icmp keep state label "let out anything 
from firewall host itself"
pass out quick on em4 all keep state label "let out anything from 
firewall host itself"



# VPN Rules
pass out quick on $wan proto udp from 209.218.218.138 to 
65.119.178.137 port = 500 keep state label "IPSEC: Fire Station 3 - 
outbound isakmp"
pass in quick on $wan proto udp from 65.119.178.137 to 209.218.218.138 
port = 500 keep state label "IPSEC: Fire Station 3 - inbound isakmp"
pass out quick on $wan proto esp from 209.218.218.138 to 
65.119.178.137 keep state label "IPSEC: Fire Station 3 - outbound esp 
proto"
pass in quick on $wan proto esp from 65.119.178.137 to 209.218.218.138 
keep state label "IPSEC: Fire Station 3 - inbound esp proto"
pass out quick on $wan proto udp from 209.218.218.138 to 
65.119.178.129 port = 500 keep state label "IPSEC: Street Department - 
outbound isakmp"
pass in quick on $wan proto udp from 65.119.178.129 to 209.218.218.138 
port = 500 keep state label "IPSEC: Street Department - inbound isakmp"
pass out quick on $wan proto esp from 209.218.218.138 to 
65.119.178.129 keep state label "IPSEC: Street Department - outbound 
esp proto"
pass in quick on $wan proto esp from 65.119.178.129 to 209.218.218.138 
keep state label "IPSEC: Street Department - inbound esp proto"
pass out quick on $wan proto udp from 209.218.218.138 to 
65.119.178.154 port = 500 keep state label "IPSEC: Fire Station 2 - 
outbound isakmp"
pass in quick on $wan proto udp from 65.119.178.154 to 209.218.218.138 
port = 500 keep state label "IPSEC: Fire Station 2 - inbound isakmp"
pass out quick on $wan proto esp from 209.218.218.138 to 
65.119.178.154 keep state label "IPSEC: Fire Station 2 - outbound esp 
proto"
pass in quick on $wan proto esp from 65.119.178.154 to 209.218.218.138 
keep state label "IPSEC: Fire Station 2 - inbound esp proto"
pass out quick on $wan proto udp from 209.218.218.138 to 70.227.28.14 
port = 500 keep state label "IPSEC: EMS Building - outbound isakmp"
pass in quick on $wan proto udp from 70.227.28.14 to 209.218.218.138 
port = 500 keep state label "IPSEC: EMS Building - inbound isakmp"
pass out quick on $wan proto esp from 209.218.218.138 to 70.227.28.14 
keep state label "IPSEC: EMS Building - outbound esp proto"
pass in quick on $wan proto esp from 70.227.28.14 to 209.218.218.138 
keep state label "IPSEC: EMS Building - inbound esp proto"
pass out quick on $wan proto udp from 209.218.218.138 to 70.237.44.110 
port = 500 keep state label "IPSEC: Computer Support - outbound isakmp"
pass in quick on $wan proto udp from 70.237.44.110 to 209.218.218.138 
port = 500 keep state label "IPSEC: Computer Support - inbound isakmp"
pass out quick on $wan proto esp from 209.218.218.138 to 70.237.44.110 
keep state label "IPSEC: Computer Support - outbound esp proto"
pass in quick on $wan proto esp from 70.237.44.110 to 209.218.218.138 
keep state label "IPSEC: Computer Support - inbound esp proto"


pass in quick on em0 inet proto tcp from any to $loopback port 8021 
keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on em0 inet proto tcp from any to $loopback port 21 keep 
state label "FTP PROXY: Allow traffic to localhost"
pass in quick on em1 inet proto tcp from port 20 to (em1) port > 49000 
user proxy flags S/SA keep state label "FTP PROXY: PASV mode data 
connection"

# enable ftp-proxy
pass in quick on em4 inet proto tcp from any to $loopback port 8022 
keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on em4 inet proto tcp from any to $loopback port 21 keep 
state label "FTP PROXY: Allow traffic to localhost"


Vaughn


Scott Ullrich wrote:

On 3/29/07, Vau

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-29 Thread Vaughn L. Reid III
Here is the relevant text of my rules.debug file.  It looks like the 
interface on the connection "computer support" has the same interface as 
the rest of the tunnels.  This is the test connection that should be 
using OPT3.


# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on $lan proto icmp keep state label "let out anything 
from firewall host itself"
pass out quick on $wan proto icmp keep state label "let out anything 
from firewall host itself"
pass out quick on em1 all keep state label "let out anything from 
firewall host itself"

# pass traffic from firewall -> out
anchor "firewallout"
pass out quick on em1 all keep state label "let out anything from 
firewall host itself"
pass out quick on em0 all keep state label "let out anything from 
firewall host itself"
pass out quick on em4 all keep state label "let out anything from 
firewall host itself"
pass out quick on em2 all keep state label "let out anything from 
firewall host itself"
pass out quick on $pptp all keep state label "let out anything from 
firewall host itself pptp"

pass out quick on $enc0 keep state label "IPSEC internal host to host"

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on em4 proto icmp keep state label "let out anything from 
firewall host itself"
pass out quick on em4 all keep state label "let out anything from 
firewall host itself"



# VPN Rules
pass out quick on $wan proto udp from 209.218.218.138 to 65.119.178.137 
port = 500 keep state label "IPSEC: Fire Station 3 - outbound isakmp"
pass in quick on $wan proto udp from 65.119.178.137 to 209.218.218.138 
port = 500 keep state label "IPSEC: Fire Station 3 - inbound isakmp"
pass out quick on $wan proto esp from 209.218.218.138 to 65.119.178.137 
keep state label "IPSEC: Fire Station 3 - outbound esp proto"
pass in quick on $wan proto esp from 65.119.178.137 to 209.218.218.138 
keep state label "IPSEC: Fire Station 3 - inbound esp proto"
pass out quick on $wan proto udp from 209.218.218.138 to 65.119.178.129 
port = 500 keep state label "IPSEC: Street Department - outbound isakmp"
pass in quick on $wan proto udp from 65.119.178.129 to 209.218.218.138 
port = 500 keep state label "IPSEC: Street Department - inbound isakmp"
pass out quick on $wan proto esp from 209.218.218.138 to 65.119.178.129 
keep state label "IPSEC: Street Department - outbound esp proto"
pass in quick on $wan proto esp from 65.119.178.129 to 209.218.218.138 
keep state label "IPSEC: Street Department - inbound esp proto"
pass out quick on $wan proto udp from 209.218.218.138 to 65.119.178.154 
port = 500 keep state label "IPSEC: Fire Station 2 - outbound isakmp"
pass in quick on $wan proto udp from 65.119.178.154 to 209.218.218.138 
port = 500 keep state label "IPSEC: Fire Station 2 - inbound isakmp"
pass out quick on $wan proto esp from 209.218.218.138 to 65.119.178.154 
keep state label "IPSEC: Fire Station 2 - outbound esp proto"
pass in quick on $wan proto esp from 65.119.178.154 to 209.218.218.138 
keep state label "IPSEC: Fire Station 2 - inbound esp proto"
pass out quick on $wan proto udp from 209.218.218.138 to 70.227.28.14 
port = 500 keep state label "IPSEC: EMS Building - outbound isakmp"
pass in quick on $wan proto udp from 70.227.28.14 to 209.218.218.138 
port = 500 keep state label "IPSEC: EMS Building - inbound isakmp"
pass out quick on $wan proto esp from 209.218.218.138 to 70.227.28.14 
keep state label "IPSEC: EMS Building - outbound esp proto"
pass in quick on $wan proto esp from 70.227.28.14 to 209.218.218.138 
keep state label "IPSEC: EMS Building - inbound esp proto"
pass out quick on $wan proto udp from 209.218.218.138 to 70.237.44.110 
port = 500 keep state label "IPSEC: Computer Support - outbound isakmp"
pass in quick on $wan proto udp from 70.237.44.110 to 209.218.218.138 
port = 500 keep state label "IPSEC: Computer Support - inbound isakmp"
pass out quick on $wan proto esp from 209.218.218.138 to 70.237.44.110 
keep state label "IPSEC: Computer Support - outbound esp proto"
pass in quick on $wan proto esp from 70.237.44.110 to 209.218.218.138 
keep state label "IPSEC: Computer Support - inbound esp proto"


pass in quick on em0 inet proto tcp from any to $loopback port 8021 keep 
state label "FTP PROXY: Allow traffic to localhost"
pass in quick on em0 inet proto tcp from any to $loopback port 21 keep 
state label "FTP PROXY: Allow traffic to localhost"
pass in quick on em1 inet proto tcp from port 20 to (em1) port > 49000 
user proxy flags S/SA keep state label "FTP PROXY: PASV mode data 
connection"

# enable ftp-proxy
pass in quick on em4 inet proto tcp from any to $loopback port 8022 keep 
state label "FTP PROXY: Allow traffic to localhost"
pass in quick on em4 inet proto tcp from any to $loopback port 21 keep 
state label "FTP PROXY: Allow traffic to localhost"


Vaughn


Scott Ullrich wrote:

On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:

I didn't get the request, 

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-29 Thread Vaughn L. Reid III
Here is the relevant text of my rules.debug file.  It looks like the 
interface on the connection "computer support" has the same interface as 
the rest of the tunnels.  This is the test connection that should be 
using OPT3.


# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on $lan proto icmp keep state label "let out anything 
from firewall host itself"
pass out quick on $wan proto icmp keep state label "let out anything 
from firewall host itself"
pass out quick on em1 all keep state label "let out anything from 
firewall host itself"

# pass traffic from firewall -> out
anchor "firewallout"
pass out quick on em1 all keep state label "let out anything from 
firewall host itself"
pass out quick on em0 all keep state label "let out anything from 
firewall host itself"
pass out quick on em4 all keep state label "let out anything from 
firewall host itself"
pass out quick on em2 all keep state label "let out anything from 
firewall host itself"
pass out quick on $pptp all keep state label "let out anything from 
firewall host itself pptp"

pass out quick on $enc0 keep state label "IPSEC internal host to host"

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on em4 proto icmp keep state label "let out anything from 
firewall host itself"
pass out quick on em4 all keep state label "let out anything from 
firewall host itself"



# VPN Rules
pass out quick on $wan proto udp from 209.218.218.138 to 65.119.178.137 
port = 500 keep state label "IPSEC: Fire Station 3 - outbound isakmp"
pass in quick on $wan proto udp from 65.119.178.137 to 209.218.218.138 
port = 500 keep state label "IPSEC: Fire Station 3 - inbound isakmp"
pass out quick on $wan proto esp from 209.218.218.138 to 65.119.178.137 
keep state label "IPSEC: Fire Station 3 - outbound esp proto"
pass in quick on $wan proto esp from 65.119.178.137 to 209.218.218.138 
keep state label "IPSEC: Fire Station 3 - inbound esp proto"
pass out quick on $wan proto udp from 209.218.218.138 to 65.119.178.129 
port = 500 keep state label "IPSEC: Street Department - outbound isakmp"
pass in quick on $wan proto udp from 65.119.178.129 to 209.218.218.138 
port = 500 keep state label "IPSEC: Street Department - inbound isakmp"
pass out quick on $wan proto esp from 209.218.218.138 to 65.119.178.129 
keep state label "IPSEC: Street Department - outbound esp proto"
pass in quick on $wan proto esp from 65.119.178.129 to 209.218.218.138 
keep state label "IPSEC: Street Department - inbound esp proto"
pass out quick on $wan proto udp from 209.218.218.138 to 65.119.178.154 
port = 500 keep state label "IPSEC: Fire Station 2 - outbound isakmp"
pass in quick on $wan proto udp from 65.119.178.154 to 209.218.218.138 
port = 500 keep state label "IPSEC: Fire Station 2 - inbound isakmp"
pass out quick on $wan proto esp from 209.218.218.138 to 65.119.178.154 
keep state label "IPSEC: Fire Station 2 - outbound esp proto"
pass in quick on $wan proto esp from 65.119.178.154 to 209.218.218.138 
keep state label "IPSEC: Fire Station 2 - inbound esp proto"
pass out quick on $wan proto udp from 209.218.218.138 to 70.227.28.14 
port = 500 keep state label "IPSEC: EMS Building - outbound isakmp"
pass in quick on $wan proto udp from 70.227.28.14 to 209.218.218.138 
port = 500 keep state label "IPSEC: EMS Building - inbound isakmp"
pass out quick on $wan proto esp from 209.218.218.138 to 70.227.28.14 
keep state label "IPSEC: EMS Building - outbound esp proto"
pass in quick on $wan proto esp from 70.227.28.14 to 209.218.218.138 
keep state label "IPSEC: EMS Building - inbound esp proto"
pass out quick on $wan proto udp from 209.218.218.138 to 70.237.44.110 
port = 500 keep state label "IPSEC: Computer Support - outbound isakmp"
pass in quick on $wan proto udp from 70.237.44.110 to 209.218.218.138 
port = 500 keep state label "IPSEC: Computer Support - inbound isakmp"
pass out quick on $wan proto esp from 209.218.218.138 to 70.237.44.110 
keep state label "IPSEC: Computer Support - outbound esp proto"
pass in quick on $wan proto esp from 70.237.44.110 to 209.218.218.138 
keep state label "IPSEC: Computer Support - inbound esp proto"


pass in quick on em0 inet proto tcp from any to $loopback port 8021 keep 
state label "FTP PROXY: Allow traffic to localhost"
pass in quick on em0 inet proto tcp from any to $loopback port 21 keep 
state label "FTP PROXY: Allow traffic to localhost"
pass in quick on em1 inet proto tcp from port 20 to (em1) port > 49000 
user proxy flags S/SA keep state label "FTP PROXY: PASV mode data 
connection"

# enable ftp-proxy
pass in quick on em4 inet proto tcp from any to $loopback port 8022 keep 
state label "FTP PROXY: Allow traffic to localhost"
pass in quick on em4 inet proto tcp from any to $loopback port 21 keep 
state label "FTP PROXY: Allow traffic to localhost"


Vaughn


Scott Ullrich wrote:

On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:

I didn't get the request, 

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-29 Thread Scott Ullrich

On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:

I didn't get the request, but I'll be happy check to see if rules are
being added.  Should I remove the manual rules that I created first
before checking?


Yes, please.   Then open up /tmp/rules.debug and look for "VPN
Rules"..  Below that marker is the system generated IPSEC rules.  Do
you see entries for the OPT interface?

Scott

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-29 Thread Vaughn L. Reid III
I didn't get the request, but I'll be happy check to see if rules are 
being added.  Should I remove the manual rules that I created first 
before checking?


Vaughn

Scott Ullrich wrote:

No, this sounds like a bug.  I sent a request for information a few
minutes ago.  Did you get it?  If so please check /tmp/rules.debug for
IPSEC and see if the OPT interface rules are being addded.

On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:

After I let the connection set for a couple minutes after manually
adding the UDP 500 and ESP rules, the tunnel started working.  Yeah!!!

Assuming that I will need to manually add the rules to the OPT2
interface, are there any additional rules that need to be added for 
IPSEC?


Also, here are the log entries now that the tunnel is up.
Mar 29 14:24:41 racoon: WARNING:
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 racoon: INFO: 192.168.10.1[500] used as 
isakmp port

(fd=22)
Mar 29 14:24:41 racoon: INFO: 
fe80::2e0:81ff:fe74:bb24%em0[500] used as

isakmp port (fd=21)
Mar 29 14:24:41 racoon: WARNING:
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 racoon: INFO: 209.218.218.138[500] used as 
isakmp port

(fd=20)
Mar 29 14:24:41 racoon: INFO: 
fe80::204:23ff:fede:b8a6%em1[500] used as

isakmp port (fd=19)
Mar 29 14:24:41 racoon: WARNING:
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 racoon: INFO: 75.44.169.169[500] used as 
isakmp port

(fd=18)
Mar 29 14:24:41 racoon: INFO: 
fe80::204:23ff:fede:b88d%em4[500] used as

isakmp port (fd=17)
Mar 29 14:24:41 racoon: WARNING:
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 racoon: INFO: 127.0.0.1[500] used as isakmp 
port (fd=16)
Mar 29 14:24:41 racoon: INFO: ::1[500] used as isakmp port 
(fd=15)
Mar 29 14:24:41 racoon: INFO: fe80::1%lo0[500] used as isakmp 
port (fd=14)
Mar 29 14:24:41 racoon: INFO: 
fe80::2e0:81ff:fe74:bb24%ng1[500] used as

isakmp port (fd=13)
Mar 29 14:24:41 racoon: WARNING:
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 racoon: INFO: 192.168.10.1[500] used as 
isakmp port

(fd=22)
Mar 29 14:24:41 racoon: INFO: 
fe80::2e0:81ff:fe74:bb24%em0[500] used as

isakmp port (fd=21)
Mar 29 14:24:41 racoon: WARNING:
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 racoon: INFO: 209.218.218.138[500] used as 
isakmp port

(fd=20)
Mar 29 14:24:41 racoon: INFO: 
fe80::204:23ff:fede:b8a6%em1[500] used as

isakmp port (fd=19)
Mar 29 14:24:41 racoon: WARNING:
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 racoon: INFO: 75.44.169.169[500] used as 
isakmp port

(fd=18)
Mar 29 14:24:41 racoon: INFO: 
fe80::204:23ff:fede:b88d%em4[500] used as

isakmp port (fd=17)
Mar 29 14:24:41 racoon: WARNING:
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 racoon: INFO: 127.0.0.1[500] used as isakmp 
port (fd=16)
Mar 29 14:24:41 racoon: INFO: ::1[500] used as isakmp port 
(fd=15)
Mar 29 14:24:41 racoon: INFO: fe80::1%lo0[500] used as isakmp 
port (fd=14)
Mar 29 14:24:41 racoon: INFO: 
fe80::2e0:81ff:fe74:bb24%ng1[500] used as

isakmp port (fd=13)
Mar 29 14:24:41 racoon: WARNING:
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 racoon: INFO: 192.168.10.1[500] used as 
isakmp port

(fd=22)
Mar 29 14:24:41 racoon: INFO: 
fe80::2e0:81ff:fe74:bb24%em0[500] used as

isakmp port (fd=21)
Mar 29 14:24:41 racoon: WARNING:
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 racoon: INFO: 209.218.218.138[500] used as 
isakmp port

(fd=20)
Mar 29 14:24:41 racoon: INFO: 
fe80::204:23ff:fede:b8a6%em1[500] used as

isakmp port (fd=19)
Mar 29 14:24:41 racoon: WARNING:
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 racoon: INFO: 75.44.169.169[500] used as 
isakmp port

(fd=18)
Mar 29 14:24:41 racoon: INFO: 
fe80::204:23ff:fede:b88d%em4[500] used as

isakmp port (fd=17)
Mar 29 14:24:41 racoon: WARNING:
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 racoon: INFO: 127.0.0.1[500] used as isakmp 
port (fd=16)
Mar 29 14:24:41 racoon: INFO: ::1[500] used as isakmp port 
(fd=15)
Mar 29 14:24:41 racoon: INFO: fe80::1%lo0[500] used as isakmp 
port (fd=14)
Mar 29 14:24:41 racoon: INFO: 
fe80::2e0:81ff:fe74:bb24%ng1[500] used as

isakmp port (fd=13)
Mar 29 14:24:41 racoon: WARNING:
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 racoon: INFO: 192.168.10.1[500] used as 
isakmp port

(fd=22)
Mar 29 14:24:41 racoon: INFO: 
fe80::2e0:81ff:fe74:bb24%em0[500] used as

isakmp port (fd=21)
Mar 29 14:24:41

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-29 Thread Scott Ullrich

No, this sounds like a bug.  I sent a request for information a few
minutes ago.  Did you get it?  If so please check /tmp/rules.debug for
IPSEC and see if the OPT interface rules are being addded.

On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:

After I let the connection set for a couple minutes after manually
adding the UDP 500 and ESP rules, the tunnel started working.  Yeah!!!

Assuming that I will need to manually add the rules to the OPT2
interface, are there any additional rules that need to be added for IPSEC?

Also, here are the log entries now that the tunnel is up.
Mar 29 14:24:41 racoon: WARNING:
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 racoon: INFO: 192.168.10.1[500] used as isakmp port
(fd=22)
Mar 29 14:24:41 racoon: INFO: fe80::2e0:81ff:fe74:bb24%em0[500] used as
isakmp port (fd=21)
Mar 29 14:24:41 racoon: WARNING:
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 racoon: INFO: 209.218.218.138[500] used as isakmp port
(fd=20)
Mar 29 14:24:41 racoon: INFO: fe80::204:23ff:fede:b8a6%em1[500] used as
isakmp port (fd=19)
Mar 29 14:24:41 racoon: WARNING:
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 racoon: INFO: 75.44.169.169[500] used as isakmp port
(fd=18)
Mar 29 14:24:41 racoon: INFO: fe80::204:23ff:fede:b88d%em4[500] used as
isakmp port (fd=17)
Mar 29 14:24:41 racoon: WARNING:
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=16)
Mar 29 14:24:41 racoon: INFO: ::1[500] used as isakmp port (fd=15)
Mar 29 14:24:41 racoon: INFO: fe80::1%lo0[500] used as isakmp port 
(fd=14)
Mar 29 14:24:41 racoon: INFO: fe80::2e0:81ff:fe74:bb24%ng1[500] used as
isakmp port (fd=13)
Mar 29 14:24:41 racoon: WARNING:
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 racoon: INFO: 192.168.10.1[500] used as isakmp port
(fd=22)
Mar 29 14:24:41 racoon: INFO: fe80::2e0:81ff:fe74:bb24%em0[500] used as
isakmp port (fd=21)
Mar 29 14:24:41 racoon: WARNING:
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 racoon: INFO: 209.218.218.138[500] used as isakmp port
(fd=20)
Mar 29 14:24:41 racoon: INFO: fe80::204:23ff:fede:b8a6%em1[500] used as
isakmp port (fd=19)
Mar 29 14:24:41 racoon: WARNING:
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 racoon: INFO: 75.44.169.169[500] used as isakmp port
(fd=18)
Mar 29 14:24:41 racoon: INFO: fe80::204:23ff:fede:b88d%em4[500] used as
isakmp port (fd=17)
Mar 29 14:24:41 racoon: WARNING:
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=16)
Mar 29 14:24:41 racoon: INFO: ::1[500] used as isakmp port (fd=15)
Mar 29 14:24:41 racoon: INFO: fe80::1%lo0[500] used as isakmp port 
(fd=14)
Mar 29 14:24:41 racoon: INFO: fe80::2e0:81ff:fe74:bb24%ng1[500] used as
isakmp port (fd=13)
Mar 29 14:24:41 racoon: WARNING:
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 racoon: INFO: 192.168.10.1[500] used as isakmp port
(fd=22)
Mar 29 14:24:41 racoon: INFO: fe80::2e0:81ff:fe74:bb24%em0[500] used as
isakmp port (fd=21)
Mar 29 14:24:41 racoon: WARNING:
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 racoon: INFO: 209.218.218.138[500] used as isakmp port
(fd=20)
Mar 29 14:24:41 racoon: INFO: fe80::204:23ff:fede:b8a6%em1[500] used as
isakmp port (fd=19)
Mar 29 14:24:41 racoon: WARNING:
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 racoon: INFO: 75.44.169.169[500] used as isakmp port
(fd=18)
Mar 29 14:24:41 racoon: INFO: fe80::204:23ff:fede:b88d%em4[500] used as
isakmp port (fd=17)
Mar 29 14:24:41 racoon: WARNING:
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=16)
Mar 29 14:24:41 racoon: INFO: ::1[500] used as isakmp port (fd=15)
Mar 29 14:24:41 racoon: INFO: fe80::1%lo0[500] used as isakmp port 
(fd=14)
Mar 29 14:24:41 racoon: INFO: fe80::2e0:81ff:fe74:bb24%ng1[500] used as
isakmp port (fd=13)
Mar 29 14:24:41 racoon: WARNING:
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 racoon: INFO: 192.168.10.1[500] used as isakmp port
(fd=22)
Mar 29 14:24:41 racoon: INFO: fe80::2e0:81ff:fe74:bb24%em0[500] used as
isakmp port (fd=21)
Mar 29 14:24:41 racoon: WARNING:
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 racoon: INFO: 209.218.218.138[500] used as isakmp port
(fd=20)
Mar 29 14:24:41 racoon: INFO: fe80::204:23ff:fede:b8a6%em1[500] 

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-29 Thread Vaughn L. Reid III
After I let the connection set for a couple minutes after manually 
adding the UDP 500 and ESP rules, the tunnel started working.  Yeah!!!


Assuming that I will need to manually add the rules to the OPT2 
interface, are there any additional rules that need to be added for IPSEC?


Also, here are the log entries now that the tunnel is up.
Mar 29 14:24:41 	racoon: WARNING: 
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 	racoon: INFO: 192.168.10.1[500] used as isakmp port 
(fd=22)
Mar 29 14:24:41 	racoon: INFO: fe80::2e0:81ff:fe74:bb24%em0[500] used as 
isakmp port (fd=21)
Mar 29 14:24:41 	racoon: WARNING: 
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 	racoon: INFO: 209.218.218.138[500] used as isakmp port 
(fd=20)
Mar 29 14:24:41 	racoon: INFO: fe80::204:23ff:fede:b8a6%em1[500] used as 
isakmp port (fd=19)
Mar 29 14:24:41 	racoon: WARNING: 
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 	racoon: INFO: 75.44.169.169[500] used as isakmp port 
(fd=18)
Mar 29 14:24:41 	racoon: INFO: fe80::204:23ff:fede:b88d%em4[500] used as 
isakmp port (fd=17)
Mar 29 14:24:41 	racoon: WARNING: 
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument

Mar 29 14:24:41 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=16)
Mar 29 14:24:41 racoon: INFO: ::1[500] used as isakmp port (fd=15)
Mar 29 14:24:41 racoon: INFO: fe80::1%lo0[500] used as isakmp port 
(fd=14)
Mar 29 14:24:41 	racoon: INFO: fe80::2e0:81ff:fe74:bb24%ng1[500] used as 
isakmp port (fd=13)
Mar 29 14:24:41 	racoon: WARNING: 
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 	racoon: INFO: 192.168.10.1[500] used as isakmp port 
(fd=22)
Mar 29 14:24:41 	racoon: INFO: fe80::2e0:81ff:fe74:bb24%em0[500] used as 
isakmp port (fd=21)
Mar 29 14:24:41 	racoon: WARNING: 
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 	racoon: INFO: 209.218.218.138[500] used as isakmp port 
(fd=20)
Mar 29 14:24:41 	racoon: INFO: fe80::204:23ff:fede:b8a6%em1[500] used as 
isakmp port (fd=19)
Mar 29 14:24:41 	racoon: WARNING: 
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 	racoon: INFO: 75.44.169.169[500] used as isakmp port 
(fd=18)
Mar 29 14:24:41 	racoon: INFO: fe80::204:23ff:fede:b88d%em4[500] used as 
isakmp port (fd=17)
Mar 29 14:24:41 	racoon: WARNING: 
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument

Mar 29 14:24:41 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=16)
Mar 29 14:24:41 racoon: INFO: ::1[500] used as isakmp port (fd=15)
Mar 29 14:24:41 racoon: INFO: fe80::1%lo0[500] used as isakmp port 
(fd=14)
Mar 29 14:24:41 	racoon: INFO: fe80::2e0:81ff:fe74:bb24%ng1[500] used as 
isakmp port (fd=13)
Mar 29 14:24:41 	racoon: WARNING: 
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 	racoon: INFO: 192.168.10.1[500] used as isakmp port 
(fd=22)
Mar 29 14:24:41 	racoon: INFO: fe80::2e0:81ff:fe74:bb24%em0[500] used as 
isakmp port (fd=21)
Mar 29 14:24:41 	racoon: WARNING: 
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 	racoon: INFO: 209.218.218.138[500] used as isakmp port 
(fd=20)
Mar 29 14:24:41 	racoon: INFO: fe80::204:23ff:fede:b8a6%em1[500] used as 
isakmp port (fd=19)
Mar 29 14:24:41 	racoon: WARNING: 
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 	racoon: INFO: 75.44.169.169[500] used as isakmp port 
(fd=18)
Mar 29 14:24:41 	racoon: INFO: fe80::204:23ff:fede:b88d%em4[500] used as 
isakmp port (fd=17)
Mar 29 14:24:41 	racoon: WARNING: 
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument

Mar 29 14:24:41 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=16)
Mar 29 14:24:41 racoon: INFO: ::1[500] used as isakmp port (fd=15)
Mar 29 14:24:41 racoon: INFO: fe80::1%lo0[500] used as isakmp port 
(fd=14)
Mar 29 14:24:41 	racoon: INFO: fe80::2e0:81ff:fe74:bb24%ng1[500] used as 
isakmp port (fd=13)
Mar 29 14:24:41 	racoon: WARNING: 
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 	racoon: INFO: 192.168.10.1[500] used as isakmp port 
(fd=22)
Mar 29 14:24:41 	racoon: INFO: fe80::2e0:81ff:fe74:bb24%em0[500] used as 
isakmp port (fd=21)
Mar 29 14:24:41 	racoon: WARNING: 
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 	racoon: INFO: 209.218.218.138[500] used as isakmp port 
(fd=20)
Mar 29 14:24:41 	racoon: INFO: fe80::204:23ff:fede:b8a6%em1[500] used as 
isakmp port (fd=19)
Mar 29 14:24:41 	racoon: WARNING: 
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 	racoon: INFO: 75.44.169.169[500] used as isakmp port 
(fd=18)
Mar 29 14:24:41 	racoon: INFO: fe80::204:23ff:fede:b88d%em4[500] used as 
isakmp port (fd=17)




Thanks,

Vaughn Reid III


Vaughn L. Reid III wrote:
I have only the default allow everything rule on the IPSEC tab.  I 
manually added rules to the firewall to allow UDP 500 to the OPT2 
i

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-29 Thread Vaughn L. Reid III
I changed the My Identifier on the tunnel definition to IP Address and 
then specified  75.44.169.169.  I clicked save and apply.  When I did 
this, the tunnel still did not work.  In addition, all mention of the 
tunnel stopped in the IPSEC logs. 

I have confirmed that I can ping the 75.44.169.169 IP from the remote 
gateway and that it is the OPT2 IP for the pfsense box.  I also 
confirmed that I can ssh into the pfsense machine using the above IP 
address.


Are there any special firewall or NAT rules that I need to set up the 
OPT2 interface to get it to accept an IPSEC tunnel?  I noticed that, for 
WAN at least, that those rules are automatically created and are not 
visible on the rules page.


Vaughn


Scott Ullrich wrote:

On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:

I've set up a test tunnel between my office and my customer site.  The
VPN tunnel will work correctly when the pfsense interface is the WAN
interface.  When I change the interface to the OPT interface, It doesn't
seem to work.  Here are some log entries.

racoon: ERROR: phase1 negotiation failed due to time up.
8c35cc8f9a4378c0:
Mar 29 13:36:29 racoon: INFO: delete phase 2 handler.
Mar 29 13:36:29 racoon: ERROR: phase2 negotiation failed due 
to time up

waiting for phase1. ESP 70.237.44.110[500]->75.44.169.169[500]
Mar 29 13:35:58 racoon: INFO: begin Aggressive mode.
Mar 29 13:35:58 racoon: INFO: initiate new phase 1 negotiation:
75.44.169.169[500]<=>70.237.44.110[500]
Mar 29 13:35:58 racoon: INFO: IPsec-SA request for 
70.237.44.110 queued

due to no phase1 found.
Mar 29 13:32:04 racoon: ERROR: phase1 negotiation failed due 
to time

up. 022718bb87e94fd7:
Mar 29 13:31:35 racoon: INFO: delete phase 2 handler.
Mar 29 13:31:35 racoon: ERROR: phase2 negotiation failed due 
to time up

waiting for phase1. ESP 70.237.44.110[500]->75.44.169.169[500]
Mar 29 13:31:04 racoon: INFO: begin Aggressive mode.
Mar 29 13:31:04 racoon: INFO: initiate new phase 1 negotiation:
75.44.169.169[500]<=>70.237.44.110[500]
Mar 29 13:31:04 racoon: INFO: IPsec-SA request for 
70.237.44.110 queued

due to no phase1 found.



This set of responses just seem to repeat themselves over and over
again.  If I set the remote node to use the pfsense's WAN ip and change
the tunnel definition on the pfsense box to use the WAN interface, then
everything immediately works after hitting the save and apply buttons.


Please verify that the IP addresses match up in the report below.

You can also change "My Identifier" to "IP Address" and manually type
in the OPT interface IP.  Does that fix it?  If so please show the log
files differences.

Scott

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-29 Thread Scott Ullrich

On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:

I have only the default allow everything rule on the IPSEC tab.  I
manually added rules to the firewall to allow UDP 500 to the OPT2
interface and to allow ESP to the OPT2 interface, and now I'm getting
different IPSEC log results (I changed the My Identifier back to
interface address).

Here are the new log entries:

Mar 29 14:20:20 racoon: ERROR: pfkey DELETE received: ESP
75.44.169.169[0]->70.237.44.110[0] spi=3627103776(0xd8313620)
Mar 29 14:19:21 racoon: INFO: IPsec-SA established: ESP/Tunnel
75.44.169.169[0]->70.237.44.110[0] spi=3097439008(0xb89f2b20)
Mar 29 14:19:21 racoon: INFO: IPsec-SA established: ESP/Tunnel
70.237.44.110[0]->75.44.169.169[0] spi=129752861(0x7bbdf1d)
Mar 29 14:19:21 racoon: INFO: respond new phase 2 negotiation:
75.44.169.169[500]<=>70.237.44.110[500]
Mar 29 14:19:21 racoon: INFO: ISAKMP-SA established
75.44.169.169[500]-70.237.44.110[500] spi:72fba3fecd3739c6:f7fb0fc1959fdf21
Mar 29 14:19:20 racoon: NOTIFY: couldn't find the proper pskey, try to
get one by the peer's address.
Mar 29 14:19:20 racoon: INFO: begin Aggressive mode.
Mar 29 14:19:20 racoon: INFO: respond new phase 1 negotiation:
75.44.169.169[500]<=>70.237.44.110[500]
Mar 29 14:17:43 racoon: ERROR: pfkey DELETE received: ESP
75.44.169.169[0]->70.237.44.110[0] spi=754453952(0x2cf80dc0)
Mar 29 14:17:43 racoon: ERROR: pfkey DELETE received: ESP
75.44.169.169[0]->70.237.44.110[0] spi=2451182496(0x921a13a0)
Mar 29 14:17:03 racoon: INFO: IPsec-SA established: ESP/Tunnel
75.44.169.169[0]->70.237.44.110[0] spi=3627103776(0xd8313620)
Mar 29 14:17:03 racoon: INFO: IPsec-SA established: ESP/Tunnel
70.237.44.110[0]->75.44.169.169[0] spi=101957205(0x613be55)
Mar 29 14:17:03 racoon: INFO: respond new phase 2 negotiation:
75.44.169.169[500]<=>70.237.44.110[500]
Mar 29 14:17:03 racoon: INFO: ISAKMP-SA established
75.44.169.169[500]-70.237.44.110[500] spi:8203621148841b41:6ad562eb830dd2d5
Mar 29 14:17:02 racoon: NOTIFY: couldn't find the proper pskey, try to
get one by the peer's address.
Mar 29 14:17:02 racoon: INFO: begin Aggressive mode.
Mar 29 14:17:02 racoon: INFO: respond new phase 1 negotiation:
75.44.169.169[500]<=>70.237.44.110[500]


Look in /tmp/rules.debug and search for IPSEC.

Do you see rules permitting traffic to the interface?

Scott

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-29 Thread Vaughn L. Reid III
I have only the default allow everything rule on the IPSEC tab.  I 
manually added rules to the firewall to allow UDP 500 to the OPT2 
interface and to allow ESP to the OPT2 interface, and now I'm getting 
different IPSEC log results (I changed the My Identifier back to 
interface address).


Here are the new log entries:

Mar 29 14:20:20 	racoon: ERROR: pfkey DELETE received: ESP 
75.44.169.169[0]->70.237.44.110[0] spi=3627103776(0xd8313620)
Mar 29 14:19:21 	racoon: INFO: IPsec-SA established: ESP/Tunnel 
75.44.169.169[0]->70.237.44.110[0] spi=3097439008(0xb89f2b20)
Mar 29 14:19:21 	racoon: INFO: IPsec-SA established: ESP/Tunnel 
70.237.44.110[0]->75.44.169.169[0] spi=129752861(0x7bbdf1d)
Mar 29 14:19:21 	racoon: INFO: respond new phase 2 negotiation: 
75.44.169.169[500]<=>70.237.44.110[500]
Mar 29 14:19:21 	racoon: INFO: ISAKMP-SA established 
75.44.169.169[500]-70.237.44.110[500] spi:72fba3fecd3739c6:f7fb0fc1959fdf21
Mar 29 14:19:20 	racoon: NOTIFY: couldn't find the proper pskey, try to 
get one by the peer's address.

Mar 29 14:19:20 racoon: INFO: begin Aggressive mode.
Mar 29 14:19:20 	racoon: INFO: respond new phase 1 negotiation: 
75.44.169.169[500]<=>70.237.44.110[500]
Mar 29 14:17:43 	racoon: ERROR: pfkey DELETE received: ESP 
75.44.169.169[0]->70.237.44.110[0] spi=754453952(0x2cf80dc0)
Mar 29 14:17:43 	racoon: ERROR: pfkey DELETE received: ESP 
75.44.169.169[0]->70.237.44.110[0] spi=2451182496(0x921a13a0)
Mar 29 14:17:03 	racoon: INFO: IPsec-SA established: ESP/Tunnel 
75.44.169.169[0]->70.237.44.110[0] spi=3627103776(0xd8313620)
Mar 29 14:17:03 	racoon: INFO: IPsec-SA established: ESP/Tunnel 
70.237.44.110[0]->75.44.169.169[0] spi=101957205(0x613be55)
Mar 29 14:17:03 	racoon: INFO: respond new phase 2 negotiation: 
75.44.169.169[500]<=>70.237.44.110[500]
Mar 29 14:17:03 	racoon: INFO: ISAKMP-SA established 
75.44.169.169[500]-70.237.44.110[500] spi:8203621148841b41:6ad562eb830dd2d5
Mar 29 14:17:02 	racoon: NOTIFY: couldn't find the proper pskey, try to 
get one by the peer's address.

Mar 29 14:17:02 racoon: INFO: begin Aggressive mode.
Mar 29 14:17:02 	racoon: INFO: respond new phase 1 negotiation: 
75.44.169.169[500]<=>70.237.44.110[500]



Vaughn

Scott Ullrich wrote:

On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:

I changed the My Identifier on the tunnel definition to IP Address and
then specified  75.44.169.169.  I clicked save and apply.  When I did
this, the tunnel still did not work.  In addition, all mention of the
tunnel stopped in the IPSEC logs.

I have confirmed that I can ping the 75.44.169.169 IP from the remote
gateway and that it is the OPT2 IP for the pfsense box.  I also
confirmed that I can ssh into the pfsense machine using the above IP
address.

Are there any special firewall or NAT rules that I need to set up the
OPT2 interface to get it to accept an IPSEC tunnel?  I noticed that, for
WAN at least, that those rules are automatically created and are not
visible on the rules page.


Nothing else is required except for a pass rule on the IPSEC tab on
recent snapshots.

I am running a tunnel on a opt1 interface and it works fine here.

Scott

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-29 Thread Scott Ullrich

On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:

I changed the My Identifier on the tunnel definition to IP Address and
then specified  75.44.169.169.  I clicked save and apply.  When I did
this, the tunnel still did not work.  In addition, all mention of the
tunnel stopped in the IPSEC logs.

I have confirmed that I can ping the 75.44.169.169 IP from the remote
gateway and that it is the OPT2 IP for the pfsense box.  I also
confirmed that I can ssh into the pfsense machine using the above IP
address.

Are there any special firewall or NAT rules that I need to set up the
OPT2 interface to get it to accept an IPSEC tunnel?  I noticed that, for
WAN at least, that those rules are automatically created and are not
visible on the rules page.


Nothing else is required except for a pass rule on the IPSEC tab on
recent snapshots.

I am running a tunnel on a opt1 interface and it works fine here.

Scott

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-29 Thread Vaughn L. Reid III
I changed the My Identifier on the tunnel definition to IP Address and 
then specified  75.44.169.169.  I clicked save and apply.  When I did 
this, the tunnel still did not work.  In addition, all mention of the 
tunnel stopped in the IPSEC logs. 

I have confirmed that I can ping the 75.44.169.169 IP from the remote 
gateway and that it is the OPT2 IP for the pfsense box.  I also 
confirmed that I can ssh into the pfsense machine using the above IP 
address.


Are there any special firewall or NAT rules that I need to set up the 
OPT2 interface to get it to accept an IPSEC tunnel?  I noticed that, for 
WAN at least, that those rules are automatically created and are not 
visible on the rules page.


Vaughn


Scott Ullrich wrote:

On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:

I've set up a test tunnel between my office and my customer site.  The
VPN tunnel will work correctly when the pfsense interface is the WAN
interface.  When I change the interface to the OPT interface, It doesn't
seem to work.  Here are some log entries.

racoon: ERROR: phase1 negotiation failed due to time up.
8c35cc8f9a4378c0:
Mar 29 13:36:29 racoon: INFO: delete phase 2 handler.
Mar 29 13:36:29 racoon: ERROR: phase2 negotiation failed due 
to time up

waiting for phase1. ESP 70.237.44.110[500]->75.44.169.169[500]
Mar 29 13:35:58 racoon: INFO: begin Aggressive mode.
Mar 29 13:35:58 racoon: INFO: initiate new phase 1 negotiation:
75.44.169.169[500]<=>70.237.44.110[500]
Mar 29 13:35:58 racoon: INFO: IPsec-SA request for 
70.237.44.110 queued

due to no phase1 found.
Mar 29 13:32:04 racoon: ERROR: phase1 negotiation failed due 
to time

up. 022718bb87e94fd7:
Mar 29 13:31:35 racoon: INFO: delete phase 2 handler.
Mar 29 13:31:35 racoon: ERROR: phase2 negotiation failed due 
to time up

waiting for phase1. ESP 70.237.44.110[500]->75.44.169.169[500]
Mar 29 13:31:04 racoon: INFO: begin Aggressive mode.
Mar 29 13:31:04 racoon: INFO: initiate new phase 1 negotiation:
75.44.169.169[500]<=>70.237.44.110[500]
Mar 29 13:31:04 racoon: INFO: IPsec-SA request for 
70.237.44.110 queued

due to no phase1 found.



This set of responses just seem to repeat themselves over and over
again.  If I set the remote node to use the pfsense's WAN ip and change
the tunnel definition on the pfsense box to use the WAN interface, then
everything immediately works after hitting the save and apply buttons.


Please verify that the IP addresses match up in the report below.

You can also change "My Identifier" to "IP Address" and manually type
in the OPT interface IP.  Does that fix it?  If so please show the log
files differences.

Scott

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-29 Thread Scott Ullrich

On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:

I've set up a test tunnel between my office and my customer site.  The
VPN tunnel will work correctly when the pfsense interface is the WAN
interface.  When I change the interface to the OPT interface, It doesn't
seem to work.  Here are some log entries.

racoon: ERROR: phase1 negotiation failed due to time up.
8c35cc8f9a4378c0:
Mar 29 13:36:29 racoon: INFO: delete phase 2 handler.
Mar 29 13:36:29 racoon: ERROR: phase2 negotiation failed due to time up
waiting for phase1. ESP 70.237.44.110[500]->75.44.169.169[500]
Mar 29 13:35:58 racoon: INFO: begin Aggressive mode.
Mar 29 13:35:58 racoon: INFO: initiate new phase 1 negotiation:
75.44.169.169[500]<=>70.237.44.110[500]
Mar 29 13:35:58 racoon: INFO: IPsec-SA request for 70.237.44.110 queued
due to no phase1 found.
Mar 29 13:32:04 racoon: ERROR: phase1 negotiation failed due to time
up. 022718bb87e94fd7:
Mar 29 13:31:35 racoon: INFO: delete phase 2 handler.
Mar 29 13:31:35 racoon: ERROR: phase2 negotiation failed due to time up
waiting for phase1. ESP 70.237.44.110[500]->75.44.169.169[500]
Mar 29 13:31:04 racoon: INFO: begin Aggressive mode.
Mar 29 13:31:04 racoon: INFO: initiate new phase 1 negotiation:
75.44.169.169[500]<=>70.237.44.110[500]
Mar 29 13:31:04 racoon: INFO: IPsec-SA request for 70.237.44.110 queued
due to no phase1 found.



This set of responses just seem to repeat themselves over and over
again.  If I set the remote node to use the pfsense's WAN ip and change
the tunnel definition on the pfsense box to use the WAN interface, then
everything immediately works after hitting the save and apply buttons.


Please verify that the IP addresses match up in the report below.

You can also change "My Identifier" to "IP Address" and manually type
in the OPT interface IP.  Does that fix it?  If so please show the log
files differences.

Scott

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-29 Thread Vaughn L. Reid III
I've set up a test tunnel between my office and my customer site.  The 
VPN tunnel will work correctly when the pfsense interface is the WAN 
interface.  When I change the interface to the OPT interface, It doesn't 
seem to work.  Here are some log entries.


racoon: ERROR: phase1 negotiation failed due to time up. 
8c35cc8f9a4378c0:

Mar 29 13:36:29 racoon: INFO: delete phase 2 handler.
Mar 29 13:36:29 	racoon: ERROR: phase2 negotiation failed due to time up 
waiting for phase1. ESP 70.237.44.110[500]->75.44.169.169[500]

Mar 29 13:35:58 racoon: INFO: begin Aggressive mode.
Mar 29 13:35:58 	racoon: INFO: initiate new phase 1 negotiation: 
75.44.169.169[500]<=>70.237.44.110[500]
Mar 29 13:35:58 	racoon: INFO: IPsec-SA request for 70.237.44.110 queued 
due to no phase1 found.
Mar 29 13:32:04 	racoon: ERROR: phase1 negotiation failed due to time 
up. 022718bb87e94fd7:

Mar 29 13:31:35 racoon: INFO: delete phase 2 handler.
Mar 29 13:31:35 	racoon: ERROR: phase2 negotiation failed due to time up 
waiting for phase1. ESP 70.237.44.110[500]->75.44.169.169[500]

Mar 29 13:31:04 racoon: INFO: begin Aggressive mode.
Mar 29 13:31:04 	racoon: INFO: initiate new phase 1 negotiation: 
75.44.169.169[500]<=>70.237.44.110[500]
Mar 29 13:31:04 	racoon: INFO: IPsec-SA request for 70.237.44.110 queued 
due to no phase1 found.




This set of responses just seem to repeat themselves over and over 
again.  If I set the remote node to use the pfsense's WAN ip and change 
the tunnel definition on the pfsense box to use the WAN interface, then 
everything immediately works after hitting the save and apply buttons. 


Thanks,

Vaughn

Scott Ullrich wrote:

On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:

I'm using the 3-27 snapshot on the pfsense box.

I've searched both the forum and the mailing list archives, and I can't
seem to find an updated listing of how to get IPSEC to work over an OPT
interface as well as over WAN at the Same time.

Here's what I want to do:

I have several remote sites that use one of two companies for their
Internet access.  Our main office also has Internet access through these
two ISP's.  I want to configure the tunnels that have Internet access
through ISP A to use our ISP A connection, which is WAN, and those that
have ISP B, which is our OPT1, to use ISP B's interface on the pfsense
box for IPSEC vpn's.

I can get all of the VPN connections to work properly if they all use
the WAN interface, but this adds about 5 hops and 50 milli-seconds to
the round trip for those remotes that use ISP B.

Here's what I tried without success:
On the pfsense box, I changed the existing working configurations for
the desired VPN tunnels to use the OPT interface.  I then saved my
changed settings and clicked the Apply button.  At the desired remote
sites, I changed the remote Gateway IP on their (previously working when
using WAN) existing VPN tunnel configurations to use the OPT interface's
IP address.  After doing this, I rebooted both the pfsense box and the
remote router.   Also, the IPSEC interface has the default rule to allow
all connections and all traffic.

Both the pfsense machine and the remote sites have static IP's for their
Internet connections.  The remote sites are using linksys RV series
firewalls.  The dsl router at the main site for the OPT interface is a
netopia 3500 and it is set to bridge mode so that the OPT interface has
a real public IP.


Please post the IPSEC logs from the pfSense box.

Scott

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-29 Thread Scott Ullrich

On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:

I'm using the 3-27 snapshot on the pfsense box.

I've searched both the forum and the mailing list archives, and I can't
seem to find an updated listing of how to get IPSEC to work over an OPT
interface as well as over WAN at the Same time.

Here's what I want to do:

I have several remote sites that use one of two companies for their
Internet access.  Our main office also has Internet access through these
two ISP's.  I want to configure the tunnels that have Internet access
through ISP A to use our ISP A connection, which is WAN, and those that
have ISP B, which is our OPT1, to use ISP B's interface on the pfsense
box for IPSEC vpn's.

I can get all of the VPN connections to work properly if they all use
the WAN interface, but this adds about 5 hops and 50 milli-seconds to
the round trip for those remotes that use ISP B.

Here's what I tried without success:
On the pfsense box, I changed the existing working configurations for
the desired VPN tunnels to use the OPT interface.  I then saved my
changed settings and clicked the Apply button.  At the desired remote
sites, I changed the remote Gateway IP on their (previously working when
using WAN) existing VPN tunnel configurations to use the OPT interface's
IP address.  After doing this, I rebooted both the pfsense box and the
remote router.   Also, the IPSEC interface has the default rule to allow
all connections and all traffic.

Both the pfsense machine and the remote sites have static IP's for their
Internet connections.  The remote sites are using linksys RV series
firewalls.  The dsl router at the main site for the OPT interface is a
netopia 3500 and it is set to bridge mode so that the OPT interface has
a real public IP.


Please post the IPSEC logs from the pfSense box.

Scott

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]