Some more information.

If from a client in the LAN I do:
# ping 192.168.8.10 ( a client in the other network)

And in pfsense (client openvpn):
tcpdump -i ovpnc2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ovpnc2, link-type NULL (BSD loopback), capture size 96 bytes
0 packets captured
0 packets received by filter
0 packets dropped by kernel

I can't see any packets. It is as if the packets are not routed through the tunnel.
But I don't know why or how to fix the problem.

If I use the command:
tcpdump -i pflog0 icmp
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
0 packets captured

I can't see any packets blocked by the firewall.

Thanks for your help.

2012/12/20 Cristian Del Carlo <[email protected]>:
> Hi, I tried this configuration but I have the same problem. I am very confused.
>
> This is my network:
>
> lan1 192.168.9.0 <---> pfsense1 (client openvpn) <--> pfsense2 (server openvpn) <--> lan2 192.168.8.0
>
> These are now my configuration files, with certificates:
>
> Pfsense server:
>
> /var/etc/openvpn/server1.conf
>
> dev ovpns1
> dev-type tun
> dev-node /dev/tun1
> writepid /var/run/openvpn_server1.pid
> #user nobody
> #group nobody
> script-security 3
> daemon
> keepalive 10 60
> ping-timer-rem
> persist-tun
> persist-key
> proto udp
> cipher AES-128-CBC
> up /usr/local/sbin/ovpn-linkup
> down /usr/local/sbin/ovpn-linkdown
> local X.X.X.X
> tls-server
> ifconfig 10.0.8.1 10.0.8.2
> tls-verify /var/etc/openvpn/server1.tls-verify.php
> lport 1195
> management /var/etc/openvpn/server1.sock unix
> ca /var/etc/openvpn/server1.ca
> cert /var/etc/openvpn/server1.cert
> key /var/etc/openvpn/server1.key
> dh /etc/dh-parameters.1024
> comp-lzo
> route 192.168.9.0 255.255.255.0
> push "route 192.168.8.0 255.255.255.0"
>
> /var/etc/openvpn-csc/fw-target
>
> iroute 192.168.9.0 255.255.255.0
>
> Pfsense client:
>
> /var/etc/openvpn/client2.conf
>
> dev ovpnc2
> dev-type tun
> dev-node /dev/tun2
> writepid /var/run/openvpn_client2.pid
> #user nobody
> #group nobody
> script-security 3
> daemon
> keepalive 10 60
> ping-timer-rem
> persist-tun
> persist-key
> proto udp
> cipher AES-128-CBC
> up /usr/local/sbin/ovpn-linkup
> down /usr/local/sbin/ovpn-linkdown
> local X.X:X.X
> tls-client
> client
> lport 0
> management /var/etc/openvpn/client2.sock unix
> remote X.X.X.X 1195
> ifconfig 10.0.8.2 10.0.8.1
> route 192.168.8.0 255.255.255.0
> ca /var/etc/openvpn/client2.ca
> cert /var/etc/openvpn/client2.cert
> key /var/etc/openvpn/client2.key
> comp-lzo
>
> Thanks for your help.
>
>
> 2012/12/19 [email protected] <[email protected]>:
>> Ok, then no firewall rules forcing gateway, so let's try something else.
>>
>> Did you configure iroute ?
>> http://openvpn.net/index.php/open-source/documentation/howto.html#scope
>> Read : Including multiple machines on the client side when using a
>> routed VPN
>>
>> It might work :-p
>>
>>
>> On Wed, 19 Dec 2012 15:19:25 +0100,
>> Cristian Del Carlo <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> Thanks for your help.
>>>
>>> Even in LAN I have:
>>> My firewall rules are, in both pfsense:
>>> Action: Pass
>>> Interface : LAN
>>> Protocol: Any
>>> Source: Any
>>> Destination: Any
>>>
>>> If I ping the tunnel from a client it seems OK:
>>>
>>> ping 10.0.8.1 --> Ok
>>> ping 10.8.8.2 --> OK
>>> ping 192.168.8.X --> 100% packet loss
>>>
>>> Thanks.
>>>
>>> 2012/12/19 WolfSec-Support <[email protected]>:
>>> > maybe there are fw rules on the LAN interface with similar
>>> > IPs/networks?
>>> > some used this under 1.2.x and after upgrading to 2.x this caused
>>> > issues.
>>> >
>>> > onto routing:
>>> >
>>> > looks good
>>> >
>>> > here a similar setup of mine / 1 side:
>>> >
>>> > 192.168.253.13     link#13            UH      0     0            1500     ovpnc1
>>> > 192.168.253.14     link#13            UHS     0     0            16384    lo0
>>> > 192.168.0.0/16     192.168.253.13     UGS     0     4151616      1500     ovpnc1
>>> > 192.168.242.0/24   link#1             U       0     1191195015   1500     vr0
>>> >
>>> > rgds
>>> > stephan
>>> >
>>> >
>>> >
>>> >
>>> > 2012/12/19 Cristian Del Carlo <[email protected]>
>>> >>
>>> >> Hi,
>>> >>
>>> >> thanks for your help.
>>> >>
>>> >> My firewall rules are, in both pfsense:
>>> >> Action: Pass
>>> >> Interface : Openvpn
>>> >> Protocol: Any
>>> >> Source: Any
>>> >> Destination: Any
>>> >>
>>> >> These are my routes from the firewalls (without public IP):
>>> >>
>>> >> pfsense 1 - client:
>>> >> 10.0.8.1           link#10            UH          0       15 ovpnc2
>>> >> 10.0.8.2           link#10            UHS         0        0    lo0
>>> >> 192.168.8.0/24     10.0.8.1           UGS         0       45 ovpnc2
>>> >> 192.168.9.0/24     link#2             U           0 37598040    em1
>>> >>
>>> >> pfsense 2 - server:
>>> >> 10.0.8.1           link#9             UHS         0        0    lo0
>>> >> 10.0.8.2           link#9             UH          0       72 ovpns1
>>> >> 192.168.8.0/24     link#2             U           0   229122    em1
>>> >> 192.168.8.1        link#2             UHS         0        0    lo0
>>> >> 192.168.9.0/24     10.0.8.2           UGS         0        1 ovpns1
>>> >>
>>> >> Could be a routing problem?
>>> >>
>>> >>
>>> >> 2012/12/19 WolfSec-Support <[email protected]>:
>>> >> > Hi,
>>> >> >
>>> >> > do you have special rules in VPN tunnel ?
>>> >> > make sure to open OpenVPN ruleset as necessary
>>> >> >
>>> >> > this is "new" in 2.x; 1.2.x. had no rules in OpenVPN tunnels
>>> >> >
>>> >> > but per default normally tunnel is open any<>any
>>> >> >
>>> >> > br
>>> >> > stephan
>>> >> >
>>> >> >
>>> >> > _______________________________________________
>>> >> > List mailing list
>>> >> > [email protected]
>>> >> > http://lists.pfsense.org/mailman/listinfo/list
>>> >> >
>>> >>
>>> >>
>>> >>
>>> >> --
>>> >> --------------------------------------------------------
>>> >>
>>> >> Cristian Del Carlo
>>> >>
>>> >> The text and any documents transmitted contain information
>>> >> reserved for the indicated recipient. This e-mail is
>>> >> confidential and its confidentiality is legally protected by
>>> >> Legislative Decree 196 of 30/06/2003 (Privacy Protection Code).
>>> >> Reading, copying or other unauthorized use, or any other action
>>> >> deriving from knowledge of this information, is strictly
>>> >> prohibited. If you have received this document in error, you are
>>> >> kindly requested to notify the sender immediately and to destroy
>>> >> it immediately.
>>> >>
>>> >> --------------------------------------------------------
>>> >
>>> >
>>> >
>>> >
>>> > --
>>> >
>>> > Stephan Wolf
>>> >
>>> > WolfSec
>>> > Rairing 65
>>> > CH-8108 Dällikon
>>> >
>>> > +41 43 536 1191
>>> > +41 76 566 8222
>>> > http://www.wolfsec.ch
>>> >
>>>
>>>
>>>
>
>
>
> --
> --------------------------------------------------------
>
> Cristian Del Carlo
>



-- 
--------------------------------------------------------

Cristian Del Carlo

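Added example, not part of the original thread: a longest-prefix-match lookup over the two routing tables quoted above, showing which interface each firewall's kernel table selects for the pinged host and for the reply. The rows are copied from the thread; 192.168.9.20 is a made-up host on the client-side LAN.

```python
import ipaddress

# Rows copied from the two routing tables quoted in the thread
# (columns: destination, gateway, flags, refs, use, interface).
CLIENT_TABLE = """\
10.0.8.1           link#10            UH          0       15 ovpnc2
10.0.8.2           link#10            UHS         0        0    lo0
192.168.8.0/24     10.0.8.1           UGS         0       45 ovpnc2
192.168.9.0/24     link#2             U           0 37598040    em1
"""
SERVER_TABLE = """\
10.0.8.1           link#9             UHS         0        0    lo0
10.0.8.2           link#9             UH          0       72 ovpns1
192.168.8.0/24     link#2             U           0   229122    em1
192.168.8.1        link#2             UHS         0        0    lo0
192.168.9.0/24     10.0.8.2           UGS         0        1 ovpns1
"""

def parse_table(text):
    """Turn netstat -rn style rows into (network, gateway, flags, iface)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # skip blank or truncated rows
        dest, gateway, flags, iface = fields[0], fields[1], fields[2], fields[-1]
        # Host routes (flag H) are printed without a prefix length.
        net = ipaddress.ip_network(dest if "/" in dest else dest + "/32")
        routes.append((net, gateway, flags, iface))
    return routes

def lookup(routes, addr):
    """Longest-prefix match; returns the winning route or None."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in routes if ip in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def egress(table_text, addr):
    """Interface the table selects for addr, or None if no route matches."""
    hit = lookup(parse_table(table_text), addr)
    return hit[3] if hit else None

if __name__ == "__main__":
    # 192.168.8.10 is the host pinged in the thread; 192.168.9.20 is a
    # made-up host on the client-side LAN, used for the reply direction.
    print("client fw -> 192.168.8.10 via", egress(CLIENT_TABLE, "192.168.8.10"))
    print("server fw -> 192.168.9.20 via", egress(SERVER_TABLE, "192.168.9.20"))
    print("server fw -> 192.168.8.10 via", egress(SERVER_TABLE, "192.168.8.10"))
```

Both tables point the remote LAN at the tunnel interface, so a capture on ovpnc2 that stays empty is worth comparing with a capture on the LAN interface (em1) to confirm the echo requests reach the firewall at all.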