Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-04-06 Thread Vaughn L. Reid III
I just wanted to report an update of how my IPSEC over OPTx is working. It's been a few days, now since I set up the manual rules on the OPTx interface that I wanted to use for IPSEC. Since I set up the rules listed in my previous post, my IPSEC VPN's over the OPTx interface are working well

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-04-06 Thread dwadson
Do you have static routes set up as well? I just wanted to report an update of how my IPSEC over OPTx is working. It's been a few days, now since I set up the manual rules on the OPTx interface that I wanted to use for IPSEC. Since I set up the rules listed in my previous post, my IPSEC

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-04-06 Thread Vaughn L. Reid III
No. The only things that I added/changed were the firewall rules. Actually, I don't have manually entered static routes configured for any of my IPSEC connections, and they all work. When I pull up the routing table, I have noticed that the pfsense box appears to automatically add the

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-04-06 Thread Vaughn L. Reid III
I should also add, in case it matters that all of the remote end-points are either Linksys RV082's, Linksys RV016's, Hotbrick 800/2's, or Netgear FVS338's. All of the remote end-points are configured with static IP's and any ISP supplied routers are configured solely as bridge devices. If

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-04-06 Thread Scott Ullrich
I still need to fix the OPTx firewall rule issue. I am hoping to knock it out this weekend. Scott On 4/6/07, Vaughn L. Reid III [EMAIL PROTECTED] wrote: I should also add, in case it matters that all of the remote end-points are either Linksys RV082's, Linksys RV016's, Hotbrick 800/2's, or

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-04-02 Thread Vaughn L. Reid III
Tunge2 wrote: If this is working it would be a great step ahead :) -Original Message- From: Vaughn L. Reid III [mailto:[EMAIL PROTECTED] Sent: Friday 30 March 2007 1:08 To: support@pfsense.com Subject: Re: [pfSense Support] IPSEC over an OPT interface Problems

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-04-02 Thread Vaughn L. Reid III
Here are the rules for the interface in question that seem to make the IPSEC tunnel work: Rules in the format listed below: Format: Protocol Source Port Destination Port Gateway Schedule 1. UDP * * Interface IP Address 500 * Blank 2. ESP *

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-04-02 Thread Scott Ullrich
On 4/2/07, Vaughn L. Reid III [EMAIL PROTECTED] wrote: Here are the rules for the interface in question that seem to make the IPSEC tunnel work: [snip] Look in /tmp/rules.debug and search for IPSEC. Do you see rules permitting traffic to the interface? Scott

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-04-02 Thread Vaughn L. Reid III
Interesting, this version of the firmware doesn't even list the VPN tunnel that is configured for the OPT interface in the vpn section of /tmp/rules.debug. The tunnel definition is listed in the GUI, and it's working with the manual rules because I'm in the process of accessing remote resources

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-04-02 Thread Vaughn L. Reid III
Just to be thorough, I added two more rules to the firewall's OPT interface to make sure all the IPSEC stuff gets through. I'm fuzzy on if the last two are needed, but just to be safe, I added them. Here are all the rules that I've added: Rules in the format listed below: Format: Protocol

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-30 Thread Vaughn L. Reid III
@pfsense.com Subject: Re: [pfSense Support] IPSEC over an OPT interface Problems Have the IPSEC changes been committed and built yet? I'm looking at the update files, and they all still say March 27 2007. I'm using this repository http://snapshots.pfsense.com/FreeBSD6/RELENG_1/updates/ Should I

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-30 Thread Scott Ullrich
be a great step ahead :) -Original Message- From: Vaughn L. Reid III [mailto:[EMAIL PROTECTED] Sent: Friday 30 March 2007 1:08 To: support@pfsense.com Subject: Re: [pfSense Support] IPSEC over an OPT interface Problems Have the IPSEC changes been committed and built

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-30 Thread Vaughn L. Reid III
: [pfSense Support] IPSEC over an OPT interface Problems Have the IPSEC changes been committed and built yet? I'm looking at the update files, and they all still say March 27 2007. I'm using this repository http://snapshots.pfsense.com/FreeBSD6/RELENG_1/updates/ Should I be looking somewhere else

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-29 Thread Scott Ullrich
On 3/29/07, Vaughn L. Reid III [EMAIL PROTECTED] wrote: I'm using the 3-27 snapshot on the pfsense box. I've searched both the forum and the mailing list archives, and I can't seem to find an updated listing of how to get IPSEC to work over an OPT interface as well as over WAN at the same time.

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-29 Thread Vaughn L. Reid III
I've set up a test tunnel between my office and my customer site. The VPN tunnel will work correctly when the pfsense interface is the WAN interface. When I change the interface to the OPT interface, it doesn't seem to work. Here are some log entries. racoon: ERROR: phase1 negotiation

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-29 Thread Scott Ullrich
On 3/29/07, Vaughn L. Reid III [EMAIL PROTECTED] wrote: I've set up a test tunnel between my office and my customer site. The VPN tunnel will work correctly when the pfsense interface is the WAN interface. When I change the interface to the OPT interface, it doesn't seem to work. Here are

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-29 Thread Vaughn L. Reid III
I changed the My Identifier on the tunnel definition to IP Address and then specified 75.44.169.169. I clicked save and apply. When I did this, the tunnel still did not work. In addition, all mention of the tunnel stopped in the IPSEC logs. I have confirmed that I can ping the

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-29 Thread Vaughn L. Reid III
I have only the default allow everything rule on the IPSEC tab. I manually added rules to the firewall to allow UDP 500 to the OPT2 interface and to allow ESP to the OPT2 interface, and now I'm getting different IPSEC log results (I changed the My Identifier back to interface address). Here

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-29 Thread Vaughn L. Reid III
I changed the My Identifier on the tunnel definition to IP Address and then specified 75.44.169.169. I clicked save and apply. When I did this, the tunnel still did not work. In addition, all mention of the tunnel stopped in the IPSEC logs. I have confirmed that I can ping the

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-29 Thread Vaughn L. Reid III
After I let the connection set for a couple minutes after manually adding the UDP 500 and ESP rules, the tunnel started working. Yeah!!! Assuming that I will need to manually add the rules to the OPT2 interface, are there any additional rules that need to be added for IPSEC? Also, here are

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-29 Thread Scott Ullrich
No, this sounds like a bug. I sent a request for information a few minutes ago. Did you get it? If so please check /tmp/rules.debug for IPSEC and see if the OPT interface rules are being added. On 3/29/07, Vaughn L. Reid III [EMAIL PROTECTED] wrote: After I let the connection set for a

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-29 Thread Scott Ullrich
On 3/29/07, Vaughn L. Reid III [EMAIL PROTECTED] wrote: I didn't get the request, but I'll be happy to check to see if rules are being added. Should I remove the manual rules that I created first before checking? Yes, please. Then open up /tmp/rules.debug and look for VPN Rules.. Below that

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-29 Thread Vaughn L. Reid III
Here is the relevant text of my rules.debug file. It looks like the interface on the connection computer support has the same interface as the rest of the tunnels. This is the test connection that should be using OPT3. # let out anything from the firewall host itself and decrypted IPsec

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-29 Thread Vaughn L. Reid III
Here is the relevant text of my rules.debug file. It looks like the interface on the connection computer support has the same interface as the rest of the tunnels. This is the test connection that should be using OPT3. # let out anything from the firewall host itself and decrypted IPsec

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-29 Thread Vaughn L. Reid III
Oops! Sorry for the double post. Vaughn L. Reid III wrote: Here is the relevant text of my rules.debug file. It looks like the interface on the connection computer support has the same interface as the rest of the tunnels. This is the test connection that should be using OPT3. # let out

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-29 Thread Scott Ullrich
Okay, so that I am on the same page as you. Those $wan rules should have read $optX ?? Scott On 3/29/07, Vaughn L. Reid III [EMAIL PROTECTED] wrote: Oops! Sorry for the double post. Vaughn L. Reid III wrote: Here is the relevant text of my rules.debug file. It looks like the interface

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-29 Thread Vaughn L. Reid III
The ones that say Computer Support are from the test tunnel that I created to use OPT2. The interfaces on this machine are labeled like this: LAN = em0 WAN = em1 ATTDSL = em4 -- This is the OPT interface that I was using for the Computer Support VPN test wireless = em2 Vaughn Scott

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-29 Thread Scott Ullrich
Okay, I see this bug as well. Will get it fixed soon. Scott On 3/29/07, Scott Ullrich [EMAIL PROTECTED] wrote: Okay, so that I am on the same page as you. Those $wan rules should have read $optX ?? Scott On 3/29/07, Vaughn L. Reid III [EMAIL PROTECTED] wrote: Oops! Sorry for the

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-29 Thread Vaughn L. Reid III
Thanks for your hard work. I appreciate it and I'm sure my customers do too. Vaughn Vaughn L. Reid III wrote: The ones that say Computer Support are from the test tunnel that I created to use OPT2. The interfaces on this machine are labeled like this: LAN = em0 WAN = em1 ATTDSL = em4

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-29 Thread Scott Ullrich
On 3/29/07, Vaughn L. Reid III [EMAIL PROTECTED] wrote: Thanks for your hard work. I appreciate it and I'm sure my customers do too. No problem, the bug should be fixed now. Please test a snapshot about 1-2 hours from now. Scott

Re: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-29 Thread Vaughn L. Reid III
Have the IPSEC changes been committed and built yet? I'm looking at the update files, and they all still say March 27 2007. I'm using this repository http://snapshots.pfsense.com/FreeBSD6/RELENG_1/updates/ Should I be looking somewhere else for the update with the IPSEC fix? Thanks, Vaughn

RE: [pfSense Support] IPSEC over an OPT interface Problems

2007-03-29 Thread Tunge2
If this is working it would be a great step ahead :) -Original Message- From: Vaughn L. Reid III [mailto:[EMAIL PROTECTED] Sent: Friday 30 March 2007 1:08 To: support@pfsense.com Subject: Re: [pfSense Support] IPSEC over an OPT interface Problems Have the IPSEC changes