I just tried implementing IPSEC over an OPT interface using the pfsense.iso file from March 29, 2007 at 7:19 p.m.

Here are my results. IPSEC will not work over my OPT2 Interface without adding specific firewall rules to the OPT2 interface to allow UDP 500 and ESP to connect to that interface's IP address.

Once I manually add the rules, the tunnels get created and work correctly over the OPT2 interface. Before I manually added the rules to the OPT2 interface, I noticed that there was no SAD listing to the tunnel being tested. Both ends of the tunnel were, however, listed on the SPD tab of the IPSEC tunnel diagnostic page.

Once I added the needed firewall rules to the OPT2 interface, the VPN tunnel immediately set up and started working. At that time, the proper entries appeared in the SAD on the IPSEC diagnostic page.

Also, I noticed during the loading of the pfsense firewall software while it was connecting services, etc. that an error message appeared that stated that there was an invalid argument foreach on line 7 of the /etc/inc/vslb.inc file. Don't quote me on the line number, but I'm pretty sure it was line 7. I'm not sure if this is related to my IPSEC issue, but I thought I'd comment in case it is relevant.

Thanks,

Vaughn Reid III
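A check for the symptom discussed in this thread (the generated IPsec rules in /tmp/rules.debug bound to $wan even for a tunnel that terminates on an OPT interface), added here as an example and not code from pfSense or from anyone in the thread. It parses the "# VPN Rules" section and reports rules on the wrong interface and peer/direction/protocol combinations with no rule at all; the sample rules.debug text is constructed with documentation addresses, and the peer-to-interface mapping is an assumption the caller supplies.

```python
import re

# Constructed sample shaped like the "# VPN Rules" section of a pfSense 1.x
# /tmp/rules.debug (RFC 5737 addresses, not the ones from the thread).
RULES_DEBUG = """\
# VPN Rules
pass out quick on $wan proto udp from 192.0.2.10 to 198.51.100.5 port = 500 keep state label "IPSEC: Site A - outbound isakmp"
pass in quick on $wan proto udp from 198.51.100.5 to 192.0.2.10 port = 500 keep state label "IPSEC: Site A - inbound isakmp"
pass out quick on $wan proto esp from 192.0.2.10 to 198.51.100.5 keep state label "IPSEC: Site A - outbound esp proto"
pass in quick on $wan proto esp from 198.51.100.5 to 192.0.2.10 keep state label "IPSEC: Site A - inbound esp proto"
pass out quick on $wan proto udp from 192.0.2.10 to 203.0.113.7 port = 500 keep state label "IPSEC: Computer Support - outbound isakmp"
pass in quick on $wan proto udp from 203.0.113.7 to 192.0.2.10 port = 500 keep state label "IPSEC: Computer Support - inbound isakmp"
pass out quick on $wan proto esp from 192.0.2.10 to 203.0.113.7 keep state label "IPSEC: Computer Support - outbound esp proto"
pass in quick on $wan proto esp from 203.0.113.7 to 192.0.2.10 keep state label "IPSEC: Computer Support - inbound esp proto"
"""

# One generated IPsec pass rule: direction, interface, proto, endpoints, optional
# port and the peer name / rule kind carried in the label.
RULE_RE = re.compile(
    r'^pass (?P<dir>in|out) quick on (?P<iface>\S+) proto (?P<proto>udp|esp) '
    r'from (?P<src>\S+) to (?P<dst>\S+)(?: port = (?P<port>\d+))? keep state '
    r'label "IPSEC: (?P<peer>.+?) - (?:inbound|outbound) (?P<kind>isakmp|esp)'
)

def parse_vpn_rules(text):
    """Return the IPsec rules found below the '# VPN Rules' marker, up to the next comment."""
    rules, in_section = [], False
    for line in text.splitlines():
        if line.startswith("# VPN Rules"):
            in_section = True
            continue
        if in_section and line.startswith("#"):
            break
        m = RULE_RE.match(line)
        if in_section and m:
            rules.append(m.groupdict())
    return rules

def check_tunnel_interfaces(text, expected):
    """expected maps a peer label to the interface its rules must be bound to
    (e.g. "em4" for a tunnel terminated on an OPT interface; assumed mapping).
    Returns (misbound, missing): rules on the wrong interface, and sorted
    (peer, direction, kind) triples for which no rule exists at all."""
    rules = parse_vpn_rules(text)
    misbound = [r for r in rules
                if r["peer"] in expected and r["iface"] != expected[r["peer"]]]
    seen = {(r["peer"], r["dir"], r["kind"]) for r in rules}
    missing = sorted((peer, d, k) for peer in expected
                     for d in ("in", "out") for k in ("isakmp", "esp")
                     if (peer, d, k) not in seen)
    return misbound, missing
```

A tunnel with entries in either list matches the symptom reported above: the policy shows up on the SPD tab, but no SA is negotiated because IKE (UDP 500) and ESP never reach the OPT interface address.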

Tunge2 wrote:
If this is working it would be a great step ahead :)
-----Original message-----
From: Vaughn L. Reid III [mailto:[EMAIL PROTECTED]
Sent: Friday, 30 March 2007 1:08
To: support@pfsense.com
Subject: Re: [pfSense Support] IPSEC over an OPT interface Problems

Have the IPSEC changes been committed and built yet? I'm looking at the update files, and they all still say March 27 2007. I'm using this repository http://snapshots.pfsense.com/FreeBSD6/RELENG_1/updates/

Should I be looking somewhere else for the update with the IPSEC fix?

Thanks,

Vaughn
On Thu, 29 Mar 2007 15:26:58 -0400, "Vaughn L. Reid III"
<[EMAIL PROTECTED]> said:
Thanks for your hard work. I appreciate it and I'm sure my customers do too.

Vaughn

Vaughn L. Reid III wrote:
The ones that say Computer Support are from the test tunnel that I created to use OPT2.

The interfaces on this machine are labeled like this:

LAN => em0
WAN => em1
ATTDSL => em4 -- This is the OPT interface that I was using for the Computer Support VPN test
wireless => em2

Vaughn

Scott Ullrich wrote:
Okay, so that I am on the same page as you. Those $wan rules should have read $optX ??

Scott


On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:
Oops!  Sorry for the double post.

Vaughn L. Reid III wrote:
Here is the relevant text of my rules.debug file. It looks like the interface on the connection "computer support" has the same interface as the rest of the tunnels. This is the test connection that should be using OPT3.

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on $lan proto icmp keep state label "let out anything from firewall host itself"
pass out quick on $wan proto icmp keep state label "let out anything from firewall host itself"
pass out quick on em1 all keep state label "let out anything from firewall host itself"
# pass traffic from firewall -> out
anchor "firewallout"
pass out quick on em1 all keep state label "let out anything from firewall host itself"
pass out quick on em0 all keep state label "let out anything from firewall host itself"
pass out quick on em4 all keep state label "let out anything from firewall host itself"
pass out quick on em2 all keep state label "let out anything from firewall host itself"
pass out quick on $pptp all keep state label "let out anything from firewall host itself pptp"
pass out quick on $enc0 keep state label "IPSEC internal host to host"
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on em4 proto icmp keep state label "let out anything from firewall host itself"
pass out quick on em4 all keep state label "let out anything from firewall host itself"


# VPN Rules
pass out quick on $wan proto udp from 209.218.218.138 to 65.119.178.137 port = 500 keep state label "IPSEC: Fire Station 3 - outbound isakmp"
pass in quick on $wan proto udp from 65.119.178.137 to 209.218.218.138 port = 500 keep state label "IPSEC: Fire Station 3 - inbound isakmp"
pass out quick on $wan proto esp from 209.218.218.138 to 65.119.178.137 keep state label "IPSEC: Fire Station 3 - outbound esp proto"
pass in quick on $wan proto esp from 65.119.178.137 to 209.218.218.138 keep state label "IPSEC: Fire Station 3 - inbound esp proto"
pass out quick on $wan proto udp from 209.218.218.138 to 65.119.178.129 port = 500 keep state label "IPSEC: Street Department - outbound isakmp"
pass in quick on $wan proto udp from 65.119.178.129 to 209.218.218.138 port = 500 keep state label "IPSEC: Street Department - inbound isakmp"
pass out quick on $wan proto esp from 209.218.218.138 to 65.119.178.129 keep state label "IPSEC: Street Department - outbound esp proto"
pass in quick on $wan proto esp from 65.119.178.129 to 209.218.218.138 keep state label "IPSEC: Street Department - inbound esp proto"
pass out quick on $wan proto udp from 209.218.218.138 to 65.119.178.154 port = 500 keep state label "IPSEC: Fire Station 2 - outbound isakmp"
pass in quick on $wan proto udp from 65.119.178.154 to 209.218.218.138 port = 500 keep state label "IPSEC: Fire Station 2 - inbound isakmp"
pass out quick on $wan proto esp from 209.218.218.138 to 65.119.178.154 keep state label "IPSEC: Fire Station 2 - outbound esp proto"
pass in quick on $wan proto esp from 65.119.178.154 to 209.218.218.138 keep state label "IPSEC: Fire Station 2 - inbound esp proto"
pass out quick on $wan proto udp from 209.218.218.138 to 70.227.28.14 port = 500 keep state label "IPSEC: EMS Building - outbound isakmp"
pass in quick on $wan proto udp from 70.227.28.14 to 209.218.218.138 port = 500 keep state label "IPSEC: EMS Building - inbound isakmp"
pass out quick on $wan proto esp from 209.218.218.138 to 70.227.28.14 keep state label "IPSEC: EMS Building - outbound esp proto"
pass in quick on $wan proto esp from 70.227.28.14 to 209.218.218.138 keep state label "IPSEC: EMS Building - inbound esp proto"
pass out quick on $wan proto udp from 209.218.218.138 to 70.237.44.110 port = 500 keep state label "IPSEC: Computer Support - outbound isakmp"
pass in quick on $wan proto udp from 70.237.44.110 to 209.218.218.138 port = 500 keep state label "IPSEC: Computer Support - inbound isakmp"
pass out quick on $wan proto esp from 209.218.218.138 to 70.237.44.110 keep state label "IPSEC: Computer Support - outbound esp proto"
pass in quick on $wan proto esp from 70.237.44.110 to 209.218.218.138 keep state label "IPSEC: Computer Support - inbound esp proto"

pass in quick on em0 inet proto tcp from any to $loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on em0 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on em1 inet proto tcp from port 20 to (em1) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: PASV mode data connection"
# enable ftp-proxy
pass in quick on em4 inet proto tcp from any to $loopback port 8022 keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on em4 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"

Vaughn


Scott Ullrich wrote:
On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]>
wrote:
I didn't get the request, but I'll be happy to check to see if rules are being added. Should I remove the manual rules that I created first before checking?
Yes, please. Then open up /tmp/rules.debug and look for "VPN Rules". Below that marker is the system generated IPSEC rules. Do you see entries for the OPT interface?

Scott


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
