I've just tested the most recent pfsense update available on
http://snapshots.pfsense.com/FreeBSD6/RELENG_1/updates/

Here is the system's firmware information:
1.0.1-SNAPSHOT-03-27-2007
built on Mon Apr 2 19:21:19 EDT 2007

My results indicate that IPSEC over OPTx still does not work without
explicitly opening UDP 500 and ESP on the interface in question to allow
the interface's IP address to accept these two items.

I believe that this may still be an older firmware, but I do not see a
newer firmware available in the update format.  At this time, I am also
not in a position to test an .iso file.  To do that, I will need to wait
for the weekend when firewall usage is low.


Vaughn


On Fri, 30 Mar 2007 12:23:44 -0400, "Vaughn L. Reid III"
<[EMAIL PROTECTED]> said:
> I'll check back later this evening or Monday day sometime.
> 
> Thanks,
> 
> Vaughn
> 
> Scott Ullrich wrote:
> > This is an old image.  The snapshot server has been down for some
> > time...  Try again 2-3 hours from now or on Monday.
> >
> > Scott
> >
> >
> > On 3/30/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:
> >> I just tried implementing IPSEC over an OPT interface using the
> >> pfsense.iso file from March 29, 2007 at 7:19 p.m.
> >>
> >> Here are my results.  IPSEC will not work over my OPT2 Interface without
> >> adding specific firewall rules to the OPT2 interface to allow UDP 500
> >> and ESP to connect to that interface's IP address.
> >>
> >> Once I manually add the rules, the tunnels get created and work
> >> correctly over the OPT2 interface.  Before I manually added the rules to
> >> the OPT2 interface, I noticed that there was no SAD listing to the
> >> tunnel being tested.  Both ends of the tunnel were, however, listed on
> >> the SPD tab of the IPSEC tunnel diagnostic page.
> >>
> >> Once I added the needed firewall rules to the OPT2 interface, the VPN
> >> tunnel immediately set up and started working.  At that time, the proper
> >> entries appeared in the SAD on the IPSEC diagnostic page.
> >>
> >> Also, I noticed during the loading of the pfsense firewall software
> >> while it was connecting services, etc. that an error message appeared
> >> that stated that there was an invalid argument foreach on line 7 of the
> >> /etc/inc/vslb.inc file.  Don't quote me on the line number, but I'm
> >> pretty sure it was line 7.  I'm not sure if this is related to my IPSEC
> >> issue, but I thought I'd comment in case it is relevant.
> >>
> >> Thanks,
> >>
> >> Vaughn Reid III
> >>
> >> Tunge2 wrote:
> >> > If this is working it would be a great step ahead :)
> >> >
> >> > -----Original message-----
> >> > From: Vaughn L. Reid III [mailto:[EMAIL PROTECTED]
> >> > Sent: Friday, 30 March 2007 1:08
> >> > To: support@pfsense.com
> >> > Subject: Re: [pfSense Support] IPSEC over an OPT interface Problems
> >> >
> >> > Have the IPSEC changes been committed and built yet?  I'm looking at the
> >> > update files, and they all still say March 27 2007.  I'm using this
> >> > repository http://snapshots.pfsense.com/FreeBSD6/RELENG_1/updates/
> >> >
> >> > Should I be looking somewhere else for the update with the IPSEC fix?
> >> >
> >> > Thanks,
> >> >
> >> > Vaughn
> >> >
> >> > On Thu, 29 Mar 2007 15:26:58 -0400, "Vaughn L. Reid III"
> >> > <[EMAIL PROTECTED]> said:
> >> >
> >> >> Thanks for your hard work.  I appreciate it and I'm sure my customers
> >> >> do too.
> >> >>
> >> >> Vaughn
> >> >>
> >> >> Vaughn L. Reid III wrote:
> >> >>
> >> >>> The ones that say Computer Support are from the test tunnel
> >> >>> that I created to use OPT2.
> >> >>>
> >> >>> The interfaces on this machine are labeled like this:
> >> >>>
> >> >>> LAN => em0
> >> >>> WAN => em1
> >> >>> ATTDSL => em4 -- This is the OPT interface that I was using for the
> >> >>> Computer Support VPN test
> >> >>> wireless => em2
> >> >>>
> >> >>> Vaughn
> >> >>>
> >> >>> Scott Ullrich wrote:
> >> >>>
> >> >>>> Okay, so that I am on the same page as you.  Those $wan rules
> >> >>>> should have read $optX ??
> >> >>>>
> >> >>>> Scott
> >> >>>>
> >> >>>>
> >> >>>> On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:
> >> >>>>
> >> >>>>> Oops!  Sorry for the double post.
> >> >>>>>
> >> >>>>> Vaughn L. Reid III wrote:
> >> >>>>>
> >> >>>>>> Here is the relevant text of my rules.debug file.  It looks like
> >> >>>>>> the interface on the connection "computer support" has the same
> >> >>>>>> interface as the rest of the tunnels.  This is the test
> >> >>>>>> connection that should be using OPT3.
> >> >>>>>>
> >> >>>>>> # let out anything from the firewall host itself and decrypted IPsec traffic
> >> >>>>>> pass out quick on $lan proto icmp keep state label "let out anything from firewall host itself"
> >> >>>>>> pass out quick on $wan proto icmp keep state label "let out anything from firewall host itself"
> >> >>>>>> pass out quick on em1 all keep state label "let out anything from firewall host itself"
> >> >>>>>> # pass traffic from firewall -> out
> >> >>>>>> anchor "firewallout"
> >> >>>>>> pass out quick on em1 all keep state label "let out anything from firewall host itself"
> >> >>>>>> pass out quick on em0 all keep state label "let out anything from firewall host itself"
> >> >>>>>> pass out quick on em4 all keep state label "let out anything from firewall host itself"
> >> >>>>>> pass out quick on em2 all keep state label "let out anything from firewall host itself"
> >> >>>>>> pass out quick on $pptp all keep state label "let out anything from firewall host itself pptp"
> >> >>>>>> pass out quick on $enc0 keep state label "IPSEC internal host to host"
> >> >>>>>>
> >> >>>>>> # let out anything from the firewall host itself and decrypted IPsec traffic
> >> >>>>>> pass out quick on em4 proto icmp keep state label "let out anything from firewall host itself"
> >> >>>>>> pass out quick on em4 all keep state label "let out anything from firewall host itself"
> >> >>>>>>
> >> >>>>>>
> >> >>>>>> # VPN Rules
> >> >>>>>> pass out quick on $wan proto udp from 209.218.218.138 to 65.119.178.137 port = 500 keep state label "IPSEC: Fire Station 3 - outbound isakmp"
> >> >>>>>> pass in quick on $wan proto udp from 65.119.178.137 to 209.218.218.138 port = 500 keep state label "IPSEC: Fire Station 3 - inbound isakmp"
> >> >>>>>> pass out quick on $wan proto esp from 209.218.218.138 to 65.119.178.137 keep state label "IPSEC: Fire Station 3 - outbound esp proto"
> >> >>>>>> pass in quick on $wan proto esp from 65.119.178.137 to 209.218.218.138 keep state label "IPSEC: Fire Station 3 - inbound esp proto"
> >> >>>>>> pass out quick on $wan proto udp from 209.218.218.138 to 65.119.178.129 port = 500 keep state label "IPSEC: Street Department - outbound isakmp"
> >> >>>>>> pass in quick on $wan proto udp from 65.119.178.129 to 209.218.218.138 port = 500 keep state label "IPSEC: Street Department - inbound isakmp"
> >> >>>>>> pass out quick on $wan proto esp from 209.218.218.138 to 65.119.178.129 keep state label "IPSEC: Street Department - outbound esp proto"
> >> >>>>>> pass in quick on $wan proto esp from 65.119.178.129 to 209.218.218.138 keep state label "IPSEC: Street Department - inbound esp proto"
> >> >>>>>> pass out quick on $wan proto udp from 209.218.218.138 to 65.119.178.154 port = 500 keep state label "IPSEC: Fire Station 2 - outbound isakmp"
> >> >>>>>> pass in quick on $wan proto udp from 65.119.178.154 to 209.218.218.138 port = 500 keep state label "IPSEC: Fire Station 2 - inbound isakmp"
> >> >>>>>> pass out quick on $wan proto esp from 209.218.218.138 to 65.119.178.154 keep state label "IPSEC: Fire Station 2 - outbound esp proto"
> >> >>>>>> pass in quick on $wan proto esp from 65.119.178.154 to 209.218.218.138 keep state label "IPSEC: Fire Station 2 - inbound esp proto"
> >> >>>>>> pass out quick on $wan proto udp from 209.218.218.138 to 70.227.28.14 port = 500 keep state label "IPSEC: EMS Building - outbound isakmp"
> >> >>>>>> pass in quick on $wan proto udp from 70.227.28.14 to 209.218.218.138 port = 500 keep state label "IPSEC: EMS Building - inbound isakmp"
> >> >>>>>> pass out quick on $wan proto esp from 209.218.218.138 to 70.227.28.14 keep state label "IPSEC: EMS Building - outbound esp proto"
> >> >>>>>> pass in quick on $wan proto esp from 70.227.28.14 to 209.218.218.138 keep state label "IPSEC: EMS Building - inbound esp proto"
> >> >>>>>> pass out quick on $wan proto udp from 209.218.218.138 to 70.237.44.110 port = 500 keep state label "IPSEC: Computer Support - outbound isakmp"
> >> >>>>>> pass in quick on $wan proto udp from 70.237.44.110 to 209.218.218.138 port = 500 keep state label "IPSEC: Computer Support - inbound isakmp"
> >> >>>>>> pass out quick on $wan proto esp from 209.218.218.138 to 70.237.44.110 keep state label "IPSEC: Computer Support - outbound esp proto"
> >> >>>>>> pass in quick on $wan proto esp from 70.237.44.110 to 209.218.218.138 keep state label "IPSEC: Computer Support - inbound esp proto"
> >> >>>>>>
> >> >>>>>> pass in quick on em0 inet proto tcp from any to $loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost"
> >> >>>>>> pass in quick on em0 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
> >> >>>>>> pass in quick on em1 inet proto tcp from port 20 to (em1) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: PASV mode data connection"
> >> >>>>>> # enable ftp-proxy
> >> >>>>>> pass in quick on em4 inet proto tcp from any to $loopback port 8022 keep state label "FTP PROXY: Allow traffic to localhost"
> >> >>>>>> pass in quick on em4 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
> >> >>>>>>
> >> >>>>>> Vaughn
> >> >>>>>>
> >> >>>>>>
> >> >>>>>> Scott Ullrich wrote:
> >> >>>>>>
> >> >>>>>>> On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:
> >> >>>>>>>> I didn't get the request, but I'll be happy to check to see if rules are
> >> >>>>>>>> being added.  Should I remove the manual rules that I created first
> >> >>>>>>>> before checking?
> >> >>>>>>>>
> >> >>>>>>> Yes, please.   Then open up /tmp/rules.debug and look for "VPN
> >> >>>>>>> Rules"..  Below that marker are the system-generated IPSEC rules.  Do
> >> >>>>>>> you see entries for the OPT interface?
> >> >>>>>>>
> >> >>>>>>> Scott
> >> >>>>>>>
> >> >>>>>>>
> >> >>>>>>>
> >> >>>>> 
> >> ---------------------------------------------------------------------
> >> >>>>>
> >> >>>>>>> To unsubscribe, e-mail: [EMAIL PROTECTED]
> >> >>>>>>> For additional commands, e-mail: [EMAIL PROTECTED]
> >> >>>>>>>
> >> >>>>>>>
> >> >>>>>>
> >>
-- 
  Vaughn L. Reid III
  [EMAIL PROTECTED]
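As an added example (not code from this thread or from pfSense), here is the check Scott asks Vaughn to do by hand: read the "VPN Rules" section of /tmp/rules.debug, note which interface each tunnel's isakmp and ESP rules are bound to, and report tunnels whose rules sit on the wrong interface or are missing one of the four. The sample rules.debug is constructed from the excerpt quoted above, and the tunnel-to-interface mapping passed to the check is an assumption.

```python
import re

# Constructed sample modelled on the rules.debug excerpt quoted in this thread:
# every tunnel, including the one meant for the OPT interface, is bound to $wan.
SAMPLE_RULES_DEBUG = """\
pass out quick on $enc0 keep state label "IPSEC internal host to host"
# VPN Rules
pass out quick on $wan proto udp from 209.218.218.138 to 65.119.178.137 port = 500 keep state label "IPSEC: Fire Station 3 - outbound isakmp"
pass in quick on $wan proto udp from 65.119.178.137 to 209.218.218.138 port = 500 keep state label "IPSEC: Fire Station 3 - inbound isakmp"
pass out quick on $wan proto esp from 209.218.218.138 to 65.119.178.137 keep state label "IPSEC: Fire Station 3 - outbound esp proto"
pass in quick on $wan proto esp from 65.119.178.137 to 209.218.218.138 keep state label "IPSEC: Fire Station 3 - inbound esp proto"
pass out quick on $wan proto udp from 209.218.218.138 to 70.237.44.110 port = 500 keep state label "IPSEC: Computer Support - outbound isakmp"
pass in quick on $wan proto udp from 70.237.44.110 to 209.218.218.138 port = 500 keep state label "IPSEC: Computer Support - inbound isakmp"
pass out quick on $wan proto esp from 209.218.218.138 to 70.237.44.110 keep state label "IPSEC: Computer Support - outbound esp proto"
"""

# One generated IPsec rule: direction, interface token ($wan, em4, ...), udp/esp, tunnel label.
RULE_RE = re.compile(
    r'^pass (?P<dir>in|out) quick on (?P<iface>\S+) proto (?P<proto>udp|esp) '
    r'from \S+ to \S+(?: port = 500)? keep state '
    r'label "IPSEC: (?P<tunnel>.+?) - (?:inbound|outbound) (?:isakmp|esp proto)"$'
)
REQUIRED = {("in", "udp"), ("out", "udp"), ("in", "esp"), ("out", "esp")}

def parse_vpn_rules(rules_debug):
    """Map tunnel label -> {(direction, proto): interface}, only for rules below '# VPN Rules'."""
    tunnels, in_vpn = {}, False
    for line in rules_debug.splitlines():
        if line.strip() == "# VPN Rules":
            in_vpn = True
            continue
        m = RULE_RE.match(line) if in_vpn else None
        if m:
            tunnels.setdefault(m["tunnel"], {})[(m["dir"], m["proto"])] = m["iface"]
    return tunnels

def check_tunnels(rules_debug, expected_iface):
    """expected_iface: tunnel label -> interface token as it should appear (assumed mapping)."""
    findings = []
    tunnels = parse_vpn_rules(rules_debug)
    for tunnel, want in expected_iface.items():
        have = tunnels.get(tunnel, {})
        for d, p in sorted(REQUIRED - set(have)):          # rule never generated
            findings.append(f"{tunnel}: missing {p} {d} rule")
        for (d, p), iface in sorted(have.items()):         # generated on the wrong interface
            if iface != want:
                findings.append(f"{tunnel}: {p} {d} rule on {iface}, expected {want}")
    return findings

if __name__ == "__main__":
    print(check_tunnels(SAMPLE_RULES_DEBUG, {"Fire Station 3": "$wan", "Computer Support": "em4"}))
```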

