I'll check back later this evening or sometime Monday.

Thanks,

Vaughn

Scott Ullrich wrote:
This is an old image.  The snapshot server has been down for some
time...  Try again 2-3 hours from now or on Monday.

Scott


On 3/30/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:
I just tried implementing IPSEC over an OPT interface using the
pfsense.iso file from March 29, 2007 at 7:19 p.m.

Here are my results.  IPSEC will not work over my OPT2 Interface without
adding specific firewall rules to the OPT2 interface to allow UDP 500
and ESP to connect to that interface's IP address.

Once I manually add the rules, the tunnels get created and work
correctly over the OPT2 interface.  Before I manually added the rules to
the OPT2 interface, I noticed that there was no SAD listing to the
tunnel being tested.  Both ends of the tunnel were, however, listed on
the SPD tab of the IPSEC tunnel diagnostic page.

Once I added the needed firewall rules to the OPT2 interface, the VPN
tunnel immediately set up and started working.  At that time, the proper
entries appeared in the SAD on the IPSEC diagnostic page.

Also, I noticed during the loading of the pfsense firewall software
while it was connecting services, etc. that an error message appeared
that stated that there was an invalid argument foreach on line 7 of the
/etc/inc/vslb.inc file.  Don't quote me on the line number, but I'm
pretty sure it was line 7.  I'm not sure if this is related to my IPSEC
issue, but I thought I'd comment in case it is relevant.

Thanks,

Vaughn Reid III

Tunge2 wrote:
> If this is working it would be a great step ahead :)
>
> -----Original message-----
> From: Vaughn L. Reid III [mailto:[EMAIL PROTECTED]
> Sent: Friday 30 March 2007 1:08
> To: support@pfsense.com
> Subject: Re: [pfSense Support] IPSEC over an OPT interface Problems
>
> Have the IPSEC changes been committed and built yet? I'm looking at the
> update files, and they all still say March 27 2007.  I'm using this
> repository http://snapshots.pfsense.com/FreeBSD6/RELENG_1/updates/
>
> Should I be looking somewhere else for the update with the IPSEC fix?
>
> Thanks,
>
> Vaughn
>
> On Thu, 29 Mar 2007 15:26:58 -0400, "Vaughn L. Reid III"
> <[EMAIL PROTECTED]> said:
>
>> Thanks for your hard work.  I appreciate it and I'm sure my customers
>> do too.
>>
>> Vaughn
>>
>> Vaughn L. Reid III wrote:
>>
>>> The ones that say Computer Support are from the test tunnel
>>> that I created to use OPT2.
>>>
>>> The interfaces on this machine are labeled like this:
>>>
>>> LAN => em0
>>> WAN => em1
>>> ATTDSL => em4 -- This is the OPT interface that I was using for the
>>> Computer Support VPN test
>>> wireless => em2
>>>
>>> Vaughn
>>>
>>> Scott Ullrich wrote:
>>>
>>>> Okay, so that I am on the same page as you.  Those $wan rules
>>>> should have read $optX ??
>>>>
>>>> Scott
>>>>
>>>>
>>>> On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:
>>>>
>>>>> Oops!  Sorry for the double post.
>>>>>
>>>>> Vaughn L. Reid III wrote:
>>>>>
>>>>>> Here is the relevant text of my rules.debug file.  It looks like
>>>>>> the interface on the connection "computer support" has the same
>>>>>> interface as the rest of the tunnels.  This is the test
>>>>>> connection that should be using OPT3.
>>>>>>
>>>>>> # let out anything from the firewall host itself and decrypted IPsec traffic
>>>>>> pass out quick on $lan proto icmp keep state label "let out anything from firewall host itself"
>>>>>> pass out quick on $wan proto icmp keep state label "let out anything from firewall host itself"
>>>>>> pass out quick on em1 all keep state label "let out anything from firewall host itself"
>>>>>> # pass traffic from firewall -> out
>>>>>> anchor "firewallout"
>>>>>> pass out quick on em1 all keep state label "let out anything from firewall host itself"
>>>>>> pass out quick on em0 all keep state label "let out anything from firewall host itself"
>>>>>> pass out quick on em4 all keep state label "let out anything from firewall host itself"
>>>>>> pass out quick on em2 all keep state label "let out anything from firewall host itself"
>>>>>> pass out quick on $pptp all keep state label "let out anything from firewall host itself pptp"
>>>>>> pass out quick on $enc0 keep state label "IPSEC internal host to host"
>>>>>> # let out anything from the firewall host itself and decrypted IPsec traffic
>>>>>> pass out quick on em4 proto icmp keep state label "let out anything from firewall host itself"
>>>>>> pass out quick on em4 all keep state label "let out anything from firewall host itself"
>>>>>>
>>>>>> # VPN Rules
>>>>>> pass out quick on $wan proto udp from 209.218.218.138 to 65.119.178.137 port = 500 keep state label "IPSEC: Fire Station 3 - outbound isakmp"
>>>>>> pass in quick on $wan proto udp from 65.119.178.137 to 209.218.218.138 port = 500 keep state label "IPSEC: Fire Station 3 - inbound isakmp"
>>>>>> pass out quick on $wan proto esp from 209.218.218.138 to 65.119.178.137 keep state label "IPSEC: Fire Station 3 - outbound esp proto"
>>>>>> pass in quick on $wan proto esp from 65.119.178.137 to 209.218.218.138 keep state label "IPSEC: Fire Station 3 - inbound esp proto"
>>>>>> pass out quick on $wan proto udp from 209.218.218.138 to 65.119.178.129 port = 500 keep state label "IPSEC: Street Department - outbound isakmp"
>>>>>> pass in quick on $wan proto udp from 65.119.178.129 to 209.218.218.138 port = 500 keep state label "IPSEC: Street Department - inbound isakmp"
>>>>>> pass out quick on $wan proto esp from 209.218.218.138 to 65.119.178.129 keep state label "IPSEC: Street Department - outbound esp proto"
>>>>>> pass in quick on $wan proto esp from 65.119.178.129 to 209.218.218.138 keep state label "IPSEC: Street Department - inbound esp proto"
>>>>>> pass out quick on $wan proto udp from 209.218.218.138 to 65.119.178.154 port = 500 keep state label "IPSEC: Fire Station 2 - outbound isakmp"
>>>>>> pass in quick on $wan proto udp from 65.119.178.154 to 209.218.218.138 port = 500 keep state label "IPSEC: Fire Station 2 - inbound isakmp"
>>>>>> pass out quick on $wan proto esp from 209.218.218.138 to 65.119.178.154 keep state label "IPSEC: Fire Station 2 - outbound esp proto"
>>>>>> pass in quick on $wan proto esp from 65.119.178.154 to 209.218.218.138 keep state label "IPSEC: Fire Station 2 - inbound esp proto"
>>>>>> pass out quick on $wan proto udp from 209.218.218.138 to 70.227.28.14 port = 500 keep state label "IPSEC: EMS Building - outbound isakmp"
>>>>>> pass in quick on $wan proto udp from 70.227.28.14 to 209.218.218.138 port = 500 keep state label "IPSEC: EMS Building - inbound isakmp"
>>>>>> pass out quick on $wan proto esp from 209.218.218.138 to 70.227.28.14 keep state label "IPSEC: EMS Building - outbound esp proto"
>>>>>> pass in quick on $wan proto esp from 70.227.28.14 to 209.218.218.138 keep state label "IPSEC: EMS Building - inbound esp proto"
>>>>>> pass out quick on $wan proto udp from 209.218.218.138 to 70.237.44.110 port = 500 keep state label "IPSEC: Computer Support - outbound isakmp"
>>>>>> pass in quick on $wan proto udp from 70.237.44.110 to 209.218.218.138 port = 500 keep state label "IPSEC: Computer Support - inbound isakmp"
>>>>>> pass out quick on $wan proto esp from 209.218.218.138 to 70.237.44.110 keep state label "IPSEC: Computer Support - outbound esp proto"
>>>>>> pass in quick on $wan proto esp from 70.237.44.110 to 209.218.218.138 keep state label "IPSEC: Computer Support - inbound esp proto"
>>>>>>
>>>>>> pass in quick on em0 inet proto tcp from any to $loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost"
>>>>>> pass in quick on em0 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
>>>>>> pass in quick on em1 inet proto tcp from port 20 to (em1) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: PASV mode data connection"
>>>>>> # enable ftp-proxy
>>>>>> pass in quick on em4 inet proto tcp from any to $loopback port 8022 keep state label "FTP PROXY: Allow traffic to localhost"
>>>>>> pass in quick on em4 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
>>>>>>
>>>>>> Vaughn
>>>>>>
>>>>>>
>>>>>> Scott Ullrich wrote:
>>>>>>
>>>>>>> On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:
>>>>>>>
>>>>>>>> I didn't get the request, but I'll be happy to check to see if rules are
>>>>>>>> being added.  Should I remove the manual rules that I created first
>>>>>>>> before checking?
>>>>>>>>
>>>>>>> Yes, please.   Then open up /tmp/rules.debug and look for "VPN
>>>>>>> Rules"..  Below that marker is the system generated IPSEC rules.  Do
>>>>>>> you see entries for the OPT interface?
>>>>>>>
>>>>>>> Scott
>>>>>>>
>>>>>>>
>>>>>>>
>>>>> ---------------------------------------------------------------------
>>>>>
>>>>>>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>>>>>>> For additional commands, e-mail: [EMAIL PROTECTED]
>>>>>>>
>>>>>>>
>>>>>>
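Scott's request in the thread (open /tmp/rules.debug, look under "VPN Rules", and see whether the generated IPSEC rules reference the OPT interface or $wan) and Vaughn's finding that the OPT2 tunnel only negotiated once UDP 500 and ESP were allowed on that interface can be turned into a mechanical check. The following is an added example, not code from the thread or from pfSense: it parses rules.debug-style pass rules and, for one tunnel's local and peer addresses, reports the ISAKMP and ESP rules that are missing entirely or that are bound to an interface other than the one the tunnel should use. The sample rules, the addresses (RFC 5737 documentation ranges), the site names and the `$opt2` macro name are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of pfSense 1.x rules.debug "VPN Rules"
# output. Addresses are RFC 5737 documentation ranges. "Site B" stands for a
# tunnel configured on OPT2 that, as in the thread, was emitted against $wan;
# its inbound ESP rule is also left out to show the "missing" case.
SAMPLE_RULES = """\
# VPN Rules
pass out quick on $wan proto udp from 192.0.2.10 to 198.51.100.5 port = 500 keep state label "IPSEC: Site A - outbound isakmp"
pass in quick on $wan proto udp from 198.51.100.5 to 192.0.2.10 port = 500 keep state label "IPSEC: Site A - inbound isakmp"
pass out quick on $wan proto esp from 192.0.2.10 to 198.51.100.5 keep state label "IPSEC: Site A - outbound esp proto"
pass in quick on $wan proto esp from 198.51.100.5 to 192.0.2.10 keep state label "IPSEC: Site A - inbound esp proto"
pass out quick on $wan proto udp from 203.0.113.7 to 198.51.100.9 port = 500 keep state label "IPSEC: Site B - outbound isakmp"
pass in quick on $wan proto udp from 198.51.100.9 to 203.0.113.7 port = 500 keep state label "IPSEC: Site B - inbound isakmp"
pass out quick on $wan proto esp from 203.0.113.7 to 198.51.100.9 keep state label "IPSEC: Site B - outbound esp proto"
"""

# Matches the pass rules pfSense emits per tunnel: direction, interface,
# udp (IKE) or esp, endpoints, an optional "port = N", and the label.
RULE_RE = re.compile(
    r'^pass\s+(?P<dir>in|out)\s+quick\s+on\s+(?P<iface>\S+)\s+proto\s+(?P<proto>udp|esp)'
    r'\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?:\s+port\s*=\s*(?P<port>\d+))?'
    r'.*?label\s+"(?P<label>[^"]*)"'
)


@dataclass(frozen=True)
class Rule:
    direction: str
    iface: str
    proto: str
    src: str
    dst: str
    port: Optional[str]
    label: str


def parse_rules(text: str) -> list:
    """Extract the udp/esp pass rules from rules.debug text; comments and
    rules of other shapes are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(m['dir'], m['iface'], m['proto'], m['src'],
                              m['dst'], m['port'], m['label']))
    return rules


def required_rules(local_ip: str, peer_ip: str) -> set:
    """The four rules a tunnel needs: IKE (UDP 500) and ESP, each way.
    Keys are (direction, proto, src, dst, port)."""
    return {
        ('out', 'udp', local_ip, peer_ip, '500'),
        ('in', 'udp', peer_ip, local_ip, '500'),
        ('out', 'esp', local_ip, peer_ip, None),
        ('in', 'esp', peer_ip, local_ip, None),
    }


def check_tunnel(rules: list, local_ip: str, peer_ip: str, expected_iface: str):
    """Return (missing, wrong_iface): required rules absent altogether, and
    required rules present but bound to an interface other than
    expected_iface (the $wan-instead-of-$optX symptom from the thread)."""
    present = {(r.direction, r.proto, r.src, r.dst, r.port): r.iface for r in rules}
    missing, wrong_iface = [], []
    for key in sorted(required_rules(local_ip, peer_ip), key=str):
        iface = present.get(key)
        if iface is None:
            missing.append(key)
        elif iface != expected_iface:
            wrong_iface.append((key, iface))
    return missing, wrong_iface


if __name__ == '__main__':
    rules = parse_rules(SAMPLE_RULES)
    for name, local, peer, iface in (('Site A', '192.0.2.10', '198.51.100.5', '$wan'),
                                     ('Site B', '203.0.113.7', '198.51.100.9', '$opt2')):
        missing, wrong = check_tunnel(rules, local, peer, iface)
        print(f"{name}: missing={missing} wrong_iface={wrong}")
```

On a live box the same check would be run over the real /tmp/rules.debug, with the expected interface taken from the tunnel's configured interface rather than typed in; an empty result for both lists is what a correctly generated rule set looks like, while entries in `wrong_iface` are the case Scott describes (rules written for $wan when $optX was meant) and entries in `missing` mean the traffic would be dropped by the default block before IKE could even start, which matches the "SPD present, no SAD" symptom Vaughn saw.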