I made all the changes you suggested and restarted the server and client, but still to no avail. Here are my current config files:

Server:

daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto tcp-server
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
server 192.168.2.0 255.255.255.0
client-config-dir /var/etc/openvpn_csc
push "route 192.168.1.0 255.255.255.0"
lport 1194
ca /var/etc/openvpn_server0.ca
cert /var/etc/openvpn_server0.cert
key /var/etc/openvpn_server0.key
dh /var/etc/openvpn_server0.dh
comp-lzo
persist-remote-ip
float
ifconfig 192.168.1.1 192.168.2.2



Client:

float
port 1194
dev tun
dev-node /sbin/ifconfig en1
proto tcp-client
remote hostname1194
keepalive       10 60
persist-tun
persist-key
ifconfig 192.168.2.2 192.168.1.1
tls-client
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
pull
comp-lzo
verb 4
nobind


And the tail end of my client log file:

Sep 3 09:43:13 UNIXBOX openvpn[4284]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sep 3 09:43:13 UNIXBOX openvpn[4284]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep 3 09:43:13 UNIXBOX openvpn[4284]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sep 3 09:43:13 UNIXBOX openvpn[4284]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep 3 09:43:13 UNIXBOX openvpn[4284]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sep 3 09:43:13 UNIXBOX openvpn[4284]: [server] Peer Connection Initiated with xx.xx.xx.xx:1194
Sep 3 09:43:14 UNIXBOX openvpn[4284]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sep 3 09:43:14 UNIXBOX openvpn[4284]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 192.168.2.1,ping 10,ping-restart 60,ifconfig 192.168.2.6 192.168.2.5'
Sep 3 09:43:14 UNIXBOX openvpn[4284]: OPTIONS IMPORT: timers and/or timeouts modified
Sep 3 09:43:14 UNIXBOX openvpn[4284]: OPTIONS IMPORT: --ifconfig/up options modified
Sep 3 09:43:14 UNIXBOX openvpn[4284]: OPTIONS IMPORT: route options modified
Sep 3 09:43:14 UNIXBOX openvpn[4284]: gw 172.16.0.1
Sep 3 09:43:14 UNIXBOX openvpn[4284]: TUN/TAP device /sbin/ifconfig opened
Sep 3 09:43:14 UNIXBOX openvpn[4284]: /sbin/ifconfig tun delete
Sep 3 09:43:14 UNIXBOX openvpn[4284]: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Sep 3 09:43:14 UNIXBOX openvpn[4284]: /sbin/ifconfig tun 192.168.2.6 192.168.2.5 mtu 1500 netmask 255.255.255.255 up
Sep 3 09:43:14 UNIXBOX openvpn[4284]: MANAGEMENT: Client disconnected
Sep 3 09:43:14 UNIXBOX openvpn[4284]: Mac OS X ifconfig failed: shell command exited with error status: 126
Sep 3 09:43:14 UNIXBOX openvpn[4284]: MANAGEMENT: TCP send error: Bad file descriptor
Sep 3 09:43:14 UNIXBOX openvpn[4284]: MANAGEMENT: Client disconnected
Sep 3 09:43:14 UNIXBOX openvpn[4284]: Exiting




A few lines of logs from the openvpn server side:


Sep 3 09:43:19 openvpn[36034]: fw-bsd-1/xx.xx.xx.xx:63604 Connection reset, restarting [0]
Sep 3 09:43:18 openvpn[36034]: xx.xx.xx.xx:63604 [fw-bsd-1] Peer Connection Initiated with xx.xx.xx.xx:63604
Sep 3 09:43:17 openvpn[36034]: TCPv4_SERVER link remote: xx.xx.xx.xx:63604
Sep 3 09:43:17 openvpn[36034]: TCPv4_SERVER link local: [undef]
Sep 3 09:43:17 openvpn[36034]: TCP connection established with xx.xx.xx.xx:63604
Sep 3 09:43:17 openvpn[36034]: LZO compression initialized
Sep 3 09:43:17 openvpn[36034]: Re-using SSL/TLS context


The 192.168.1.1 is the IP of the pfSense box LAN interface.

Thanks,

-phil

On Sep 3, 2008, at 4:07 AM, Paul Mansfield wrote:


just for testing, maybe change the server to have an explicit ifconfig
line like this:

ifconfig 192.168.X.1 192.168.X.2


and put the opposite in the client

ifconfig 192.168.X.2 192.168.X.1


perhaps drop the ping statements and simply use, at both ends
        keepalive       10 60


you can also add to *both* ends, which could help performance a little
        comp-lzo


if you don't care about the client's src port, "nobind" will make it use
a "random" udp high port.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
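
The client log in this thread shows two things worth checking mechanically: the PUSH_REPLY carries its own ifconfig pair, which differs from the static one in the client config, and the ifconfig command then exits with a non-zero status. The following is an added example, not part of the original messages; the function names are hypothetical and the sample input is constructed from lines quoted in the thread.

```python
import re

# Constructed sample input: directives and log lines copied from the thread.
CLIENT_CONFIG = """dev tun
ifconfig 192.168.2.2 192.168.1.1
pull
"""
CLIENT_LOG = """\
Sep 3 09:43:14 UNIXBOX openvpn[4284]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 192.168.2.1,ping 10,ping-restart 60,ifconfig 192.168.2.6 192.168.2.5'
Sep 3 09:43:14 UNIXBOX openvpn[4284]: OPTIONS IMPORT: --ifconfig/up options modified
Sep 3 09:43:14 UNIXBOX openvpn[4284]: Mac OS X ifconfig failed: shell command exited with error status: 126
"""

PUSH_RE = re.compile(r"'PUSH_REPLY,([^']*)'")
FAIL_RE = re.compile(r"ifconfig failed: shell command exited with error status: (\d+)")

def local_directives(config_text):
    """Return {directive: [args]} for a config file; the last occurrence wins."""
    directives = {}
    for line in config_text.splitlines():
        words = re.split(r"[#;]", line, maxsplit=1)[0].split()  # drop comments
        if words:
            directives[words[0]] = words[1:]
    return directives

def pushed_directives(log_text):
    """Return {directive: [args]} from the last PUSH_REPLY seen in the log."""
    pushed = {}
    for match in PUSH_RE.finditer(log_text):
        pushed = {}
        for option in match.group(1).split(","):
            words = option.split()
            if words:
                pushed[words[0]] = words[1:]
    return pushed

def triage(config_text, log_text):
    """Return (finding, detail) tuples for a pulling client."""
    findings = []
    local = local_directives(config_text)
    pushed = pushed_directives(log_text)
    # In the log above, the pushed ifconfig pair is the one actually applied.
    pulls = "pull" in local or "client" in local
    if pulls and "ifconfig" in local and pushed.get("ifconfig", local["ifconfig"]) != local["ifconfig"]:
        detail = " ".join(local["ifconfig"]) + " -> " + " ".join(pushed["ifconfig"])
        findings.append(("ifconfig-overridden", detail))
    for match in FAIL_RE.finditer(log_text):
        findings.append(("ifconfig-failed", int(match.group(1))))
    return findings
```

Calling `triage(CLIENT_CONFIG, CLIENT_LOG)` on the sample reports both the overridden address pair and the exit status 126 from the ifconfig step.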


