Re: [pfSense Support] IPSecPassThru not working with .86 Wrap?
On 10/3/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> All-
>
> Today I upgraded my Wrap .84 to .86 via the Mini-Wrap Upgrade file. My Cisco VPN (software client on my laptop to connect to my office) no longer connects. Logs from the pfsense firewall (forwarded to a server via syslog) show that ISAKMP is being blocked inbound. With PFSense .84, I never had to have a NAT port-forward for UDP/500.
>
> ==snip===
> Oct 3 14:23:09 192.168.0.1 pf: 39. 806905 rule 146/0(match): block in on sis1: 65.215.72.34.500 64.142.26.224.500: [|isakmp]
> ==snip===
>
> Even setting up a port-forward for UDP/500 doesn't work. Any ideas?

Very interesting. I looked back through the commits from 0.84 - 0.86 but I honestly don't see anything that altered the rules except for aliases.

How are you allowing the traffic out (from the LAN interface I would guess)?

Scott

- To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] IPSecPassThru not working with .86 Wrap?
On 10/3/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> All-
>
> Today I upgraded my Wrap .84 to .86 via the Mini-Wrap Upgrade file. My Cisco VPN (software client on my laptop to connect to my office) no longer connects. Logs from the pfsense firewall (forwarded to a server via syslog) show that ISAKMP is being blocked inbound. With PFSense .84, I never had to have a NAT port-forward for UDP/500.
>
> ==snip===
> Oct 3 14:23:09 192.168.0.1 pf: 39. 806905 rule 146/0(match): block in on sis1: 65.215.72.34.500 64.142.26.224.500: [|isakmp]
> ==snip===

How bizarre...that's the pre-NAT'd address too. It's almost like the outbound NAT rule for this got re-arranged. Can I see your /tmp/rules.debug?

> Even setting up a port-forward for UDP/500 doesn't work.

Without this of course :) You would have needed it to create a rule too...but my bet is that the outbound traffic is getting NATd wrong.

--Bill
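Added example (not part of the original thread and not pfSense code): a small Python parser for pf log lines in the format quoted above, which picks out blocked packets with port 500 at either end and groups them by rule number, direction and interface. The first sample line is the one from the thread; the others are constructed and use documentation addresses.

```python
import re
from collections import Counter

IKE_PORT = 500  # ISAKMP/IKE port named in the thread

# pf log line as forwarded via syslog. tcpdump-style output normally puts ">"
# between the two endpoints; it is optional here because the line as archived
# in this thread has none. The pattern also tolerates the space inside the
# timestamp seen in that archived line.
PF_LINE = re.compile(
    r"pf:\s+[\d.\s]+?\s*rule\s+(?P<rule>\d+)/\d+\(match\):\s+"
    r"(?P<action>block|pass)\s+(?P<dir>in|out)\s+on\s+(?P<iface>\w+):\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+(?:>\s+)?"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)

SAMPLE = [
    # Line quoted in the thread, copied as archived.
    "Oct 3 14:23:09 192.168.0.1 pf: 39. 806905 rule 146/0(match): block in on sis1: 65.215.72.34.500 64.142.26.224.500: [|isakmp]",
    # Constructed lines (documentation addresses, made-up rule 60).
    "Oct 3 14:23:14 192.168.0.1 pf: 44.811020 rule 146/0(match): block in on sis1: 198.51.100.7.500 > 192.0.2.10.500: [|isakmp]",
    "Oct 3 14:23:15 192.168.0.1 pf: 45.100212 rule 60/0(match): pass out on sis1: 192.0.2.10.51812 > 198.51.100.7.443: S 1:1(0)",
    "Oct 3 14:23:16 192.168.0.1 pf: 46.000100 rule 146/0(match): block in on sis1: 198.51.100.9.4444 > 192.0.2.10.22: S 1:1(0)",
]

def parse_pf_line(line):
    """Return a dict of fields for one pf log line, or None if it does not match."""
    m = PF_LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def blocked_isakmp(lines):
    """Parsed records for blocked packets with port 500 at either end."""
    recs = (parse_pf_line(line) for line in lines)
    return [r for r in recs
            if r and r["action"] == "block" and IKE_PORT in (r["sport"], r["dport"])]

def summarize(hits):
    """Count blocked ISAKMP packets per (rule number, direction, interface)."""
    return Counter((h["rule"], h["dir"], h["iface"]) for h in hits)

if __name__ == "__main__":
    for key, count in summarize(blocked_isakmp(SAMPLE)).items():
        print(key, count)
```

The rule number in the summary is the one to look up in /tmp/rules.debug when checking which rule is dropping the traffic.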
Re: [pfSense Support] IPSecPassThru not working with .86 Wrap?
At 02:28 PM 10/3/2005, Scott Ullrich wrote:
> On 10/3/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
>> All-
>>
>> Today I upgraded my Wrap .84 to .86 via the Mini-Wrap Upgrade file. My Cisco VPN (software client on my laptop to connect to my office) no longer connects. Logs from the pfsense firewall (forwarded to a server via syslog) show that ISAKMP is being blocked inbound. With PFSense .84, I never had to have a NAT port-forward for UDP/500.
>>
>> ==snip===
>> Oct 3 14:23:09 192.168.0.1 pf: 39. 806905 rule 146/0(match): block in on sis1: 65.215.72.34.500 64.142.26.224.500: [|isakmp]
>> ==snip===
>>
>> Even setting up a port-forward for UDP/500 doesn't work. Any ideas?
>
> Very interesting. I looked back through the commits from 0.84 - 0.86 but I honestly don't see anything that altered the rules except for aliases.
>
> How are you allowing the traffic out (from the LAN interface I would guess)?

My laptop is on the LAN, and I am allowing all outbound traffic.

I used the upgrade .tgz, is that supported at this time? Or was I jumping the gun? I can try a full install of .86, or go back to a full install of .84. I have a small Wrap box I have to take apart whenever I do a full install, so I'll take your best hint at the moment.

Anything in particular I can post here from my rules.debug?

-- [EMAIL PROTECTED]
Re: [pfSense Support] IPSecPassThru not working with .86 Wrap?
OK, this is now fixed in CVS. Expect this fix in the next release.

--Bill

On 10/3/05, Scott Ullrich [EMAIL PROTECTED] wrote:
> upgrade.tgz is a safe bet if you have a full install. upgrade.tgz is used by the BSD Installer to have an easy upgrade path although that may be slated for removal since it can be somewhat confusing.
>
> If you care to spend a few minutes to try a few things, it may be very helpful:
>
> Save a copy of /tmp/rules.debug from the version that does not work and downgrade back to 0.84. Send /tmp/rules.debug from both 0.84 and the version that doesn't work to us so we can inspect it.
>
> Thanks!
>
> On 10/3/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
>> At 02:28 PM 10/3/2005, Scott Ullrich wrote:
>>> On 10/3/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
>>>> All-
>>>>
>>>> Today I upgraded my Wrap .84 to .86 via the Mini-Wrap Upgrade file. My Cisco VPN (software client on my laptop to connect to my office) no longer connects. Logs from the pfsense firewall (forwarded to a server via syslog) show that ISAKMP is being blocked inbound. With PFSense .84, I never had to have a NAT port-forward for UDP/500.
>>>>
>>>> ==snip===
>>>> Oct 3 14:23:09 192.168.0.1 pf: 39. 806905 rule 146/0(match): block in on sis1: 65.215.72.34.500 64.142.26.224.500: [|isakmp]
>>>> ==snip===
>>>>
>>>> Even setting up a port-forward for UDP/500 doesn't work. Any ideas?
>>>
>>> Very interesting. I looked back through the commits from 0.84 - 0.86 but I honestly don't see anything that altered the rules except for aliases.
>>>
>>> How are you allowing the traffic out (from the LAN interface I would guess)?
>>
>> My laptop is on the LAN, and I am allowing all outbound traffic.
>>
>> I used the upgrade .tgz, is that supported at this time? Or was I jumping the gun? I can try a full install of .86, or go back to a full install of .84. I have a small Wrap box I have to take apart whenever I do a full install, so I'll take your best hint at the moment.
>>
>> Anything in particular I can post here from my rules.debug?