Re: [pfSense] Too many VIPs

2015-06-17 Thread Jim Pingle
On 6/17/2015 2:53 PM, Jordan K wrote:
> Has someone solved this? I've got the same issue.

I saw a commit in the repo for this at some point, and it's mentioned on
the 2.2.3 release notes draft:

https://doc.pfsense.org/index.php/2.2.3_New_Features_and_Changes#Rules.2FAliases.2FNAT

Jim

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Too many VIPs

2015-06-17 Thread Jordan K
Has someone solved this? I've got the same issue.



[pfSense] pf 2.2.2: "random" php core dump

2015-06-17 Thread Azurite Azur
I have an install of pf 2.2.2 on an x86_64 PC with 4GB RAM that has php core
dumping at "random" times.
It does not affect the use, but I'm investigating the reason.
Anyone with this kind of error:

kernel: pid 99380 (php), uid 0: exited on signal 11 (core dumped)

gdb /usr/local/bin/php /usr/local/captiveportal/php.core

backtrace

#0  0x000801924a45 in memcpy () from /lib/libc.so.7
#1  0x000802818f18 in apc_pmemcpy ()
   from /usr/local/lib/php/20121212/apc.so
#2  0x00080281182d in ?? () from /usr/local/lib/php/20121212/apc.so
#3  0x0008028139e0 in ?? () from /usr/local/lib/php/20121212/apc.so
#4  0x000802813d1b in ?? () from /usr/local/lib/php/20121212/apc.so
#5  0x000802811750 in ?? () from /usr/local/lib/php/20121212/apc.so
#6  0x0008028139e0 in ?? () from /usr/local/lib/php/20121212/apc.so
#7  0x000802813d1b in ?? () from /usr/local/lib/php/20121212/apc.so
#8  0x000802812fc6 in apc_copy_op_array_for_execution ()
   from /usr/local/lib/php/20121212/apc.so
#9  0x0008028134c3 in apc_copy_function_for_execution_ex ()
   from /usr/local/lib/php/20121212/apc.so
#10 0x000802813d1b in ?? () from /usr/local/lib/php/20121212/apc.so
#11 0x000802813697 in apc_copy_class_entry_for_execution ()
   from /usr/local/lib/php/20121212/apc.so
#12 0x000802814f6a in ?? () from /usr/local/lib/php/20121212/apc.so
#13 0x00080281631e in ?? () from /usr/local/lib/php/20121212/apc.so
#14 0x005c6526 in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER ()
#15 0x005a7288 in execute_ex ()
#16 0x000807b0ca36 in ?? () from /usr/local/lib/php/20121212/suhosin.so
#17 0x005c64b8 in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER ()
#18 0x005a7288 in execute_ex ()
#19 0x000807b0ca36 in ?? () from /usr/local/lib/php/20121212/suhosin.so
#20 0x005c64b8 in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER ()
#21 0x005a7288 in execute_ex ()
#22 0x000807b0ca36 in ?? () from /usr/local/lib/php/20121212/suhosin.so
#23 0x005c64b8 in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER ()
#24 0x005a7288 in execute_ex ()
#25 0x000807b0ca36 in ?? () from /usr/local/lib/php/20121212/suhosin.so
#26 0x00582a43 in zend_execute_scripts ()
#27 0x0052cd93 in php_execute_script ()
#28 0x0060bc2c in main ()
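The backtrace above shows the fault surfacing in memcpy, but the caller is apc_pmemcpy inside APC's opcode-cache copy routines (frames 1 through 13 are all in apc.so, with suhosin.so frames sitting between the execute_ex calls further up). That is the module to look at first, and the kernel line says the php process ran as uid 0, so this is the root-owned php that serves the webGUI and captive portal. Below is an added triage helper, not code from the original post or from pfSense, that parses a FreeBSD "exited on signal" line and a gdb backtrace of this shape and names the innermost frame outside libc. The sample input is a constructed subset of the frames from the post (the omitted frames were the "??" entries inside apc.so).

```python
import os
import re
from collections import Counter, namedtuple

# Constructed sample input: the kernel line quoted in the post, and a subset of
# the gdb frames from the post (frame numbers, symbols and module paths are the
# ones that appear there; the frames left out were "??" frames inside apc.so).
SAMPLE_KERNEL_LINE = "kernel: pid 99380 (php), uid 0: exited on signal 11 (core dumped)"

SAMPLE_BACKTRACE = """\
#0  0x000801924a45 in memcpy () from /lib/libc.so.7
#1  0x000802818f18 in apc_pmemcpy ()
   from /usr/local/lib/php/20121212/apc.so
#2  0x00080281182d in ?? () from /usr/local/lib/php/20121212/apc.so
#3  0x0008028139e0 in ?? () from /usr/local/lib/php/20121212/apc.so
#8  0x000802812fc6 in apc_copy_op_array_for_execution ()
   from /usr/local/lib/php/20121212/apc.so
#14 0x005c6526 in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER ()
#15 0x005a7288 in execute_ex ()
#16 0x000807b0ca36 in ?? () from /usr/local/lib/php/20121212/suhosin.so
#28 0x0060bc2c in main ()
"""

Frame = namedtuple("Frame", "num func module")

# FreeBSD's "exited on signal N" message as it appears in /var/log/messages.
KERNEL_RE = re.compile(
    r"pid (?P<pid>\d+) \((?P<comm>[^)]+)\), uid (?P<uid>\d+): "
    r"exited on signal (?P<sig>\d+)(?P<core> \(core dumped\))?"
)
# One gdb frame, after wrapped continuation lines have been re-joined.
FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-fA-F]+ in (\S+) \(\)(?: from (\S+))?$")

MAIN_EXECUTABLE = "<main executable>"
# Frames in these libraries are where the fault surfaces, not where it was caused.
GENERIC_MODULES = ("libc.so",)


def parse_kernel_line(line):
    """Extract pid, process name, uid, signal and core-dump flag, or None."""
    m = KERNEL_RE.search(line)
    if not m:
        return None
    return {
        "pid": int(m.group("pid")),
        "comm": m.group("comm"),
        "uid": int(m.group("uid")),
        "signal": int(m.group("sig")),
        "core_dumped": m.group("core") is not None,
    }


def _join_continuations(text):
    """gdb wraps long frames, putting 'from /path/x.so' on its own indented line."""
    lines = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if raw[:1].isspace() and stripped.startswith("from ") and lines:
            lines[-1] += " " + stripped
        elif stripped:
            lines.append(stripped)
    return lines


def parse_backtrace(text):
    """Turn gdb 'backtrace' output into Frame records (module = basename)."""
    frames = []
    for line in _join_continuations(text):
        m = FRAME_RE.match(line)
        if not m:
            continue  # prompts or other gdb chatter
        num, func, path = m.groups()
        module = os.path.basename(path) if path else MAIN_EXECUTABLE
        frames.append(Frame(int(num), func, module))
    return frames


def module_histogram(frames):
    """How many frames each module contributes; a quick view of who is on the stack."""
    return Counter(f.module for f in frames)


def attribute_crash(frames):
    """Innermost frame outside libc: the code that handed memcpy the bad pointers."""
    for f in frames:
        if f.module.startswith(GENERIC_MODULES):
            continue
        return f
    return None


def triage(kernel_line, backtrace_text):
    """One-shot summary combining the kernel message and the backtrace."""
    info = parse_kernel_line(kernel_line) or {}
    frames = parse_backtrace(backtrace_text)
    suspect = attribute_crash(frames)
    return {
        "pid": info.get("pid"),
        "signal": info.get("signal"),
        "ran_as_root": info.get("uid") == 0,
        "frames": len(frames),
        "suspect_module": suspect.module if suspect else None,
        "suspect_func": suspect.func if suspect else None,
        "modules": dict(module_histogram(frames)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_KERNEL_LINE, SAMPLE_BACKTRACE).items():
        print(f"{key}: {value}")
```

Run it on a real core by pasting the output of "gdb -batch -ex bt /usr/local/bin/php php.core" into the backtrace argument; the helper deliberately skips libc frames because a SIGSEGV in memcpy almost never means a bug in memcpy.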


Re: [pfSense] IKEv2 agile VPN from Win7/Win8 to pfSense 2.2.2

2015-06-17 Thread Steve Yates
Ermal Luçi wrote on Wed, Jun 17 2015 at 10:22 am:

> On Wed, Jun 17, 2015 at 4:40 PM, Steve Yates  wrote:
>> OpenVPN requires a self-signed cert.
>> 
> 
> Can you report the issue with OpenVPN on self-signed cert?

It's been a few months, but if I recall correctly, on the 
Services/OpenVPN page, while "Server Certificate" allows others to be chosen, "Peer 
Certificate Authority" (i.e., pfSense's CA) is a required field.

--

Steve Yates
ITS, Inc.




Re: [pfSense] IKEv2 agile VPN from Win7/Win8 to pfSense 2.2.2

2015-06-17 Thread Adam Thompson
See my comment on another email, but I discovered that it works fine if you import 
each cert in the chain and then select the intermediate signing cert as the CA.
-Adam

On June 17, 2015 10:43:20 AM CDT, Steve Yates  wrote:
>Ermal Luçi wrote on Wed, Jun 17 2015 at 10:22 am:
>
>> On Wed, Jun 17, 2015 at 4:40 PM, Steve Yates 
>wrote:
>>> OpenVPN requires a self-signed cert.
>>> 
>> 
>> Can you report the issue with OpenVPN on self-signed cert?
>
>   It's been a few months, but if I recall correctly, on the
>Services/OpenVPN page, while "Server Certificate" allows others to be
>chosen, "Peer Certificate Authority" (i.e., pfSense's CA) is a required
>field.
>
>--
>
>Steve Yates
>ITS, Inc.
>
>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: [pfSense] IKEv2 agile VPN from Win7/Win8 to pfSense 2.2.2

2015-06-17 Thread Adam Thompson
The "issue" with OpenVPN is merely that I have to prime each client system with 
both software and configuration file(s), which isn't always possible or 
feasible in my environment.
-Adam


On June 17, 2015 10:22:04 AM CDT, "Ermal Luçi"  wrote:
>On Wed, Jun 17, 2015 at 4:40 PM, Steve Yates  wrote:
>
>> Jim Pingle wrote on Wed, Jun 17 2015 at 9:00 am:
>>
>> > are with the certificate, either with generating the cert (missing
>the
>> > SAN, for example)
>>
>> I banged my head against Windows VPN for a bit before finding
>out
>> it doesn't support wildcard certs...seems *.example.com doesn't match
>the
>> hostname if the hostname doesn't have the * in it...
>>
>> OpenVPN requires a self-signed cert.
>>
>
>Can you report the issue with OpenVPN on self-signed cert?
>
>>
>> --
>>
>> Steve Yates
>> ITS, Inc.
>>
>>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: [pfSense] IKEv2 agile VPN from Win7/Win8 to pfSense 2.2.2

2015-06-17 Thread Adam Thompson
Whoops, that wasn't aimed at me in the first place.
Nonetheless, I have a pretty good example of why OpenVPN "requires" a 
self-signed cert in CB's answer to issue #4756.
-Adam

On June 17, 2015 10:41:28 AM CDT, Adam Thompson  wrote:
>The "issue" with OpenVPN is merely that I have to prime each client
>system with both software and configuration file(s), which isn't always
>possible or feasible in my environment.
>-Adam
>
>
>On June 17, 2015 10:22:04 AM CDT, "Ermal Luçi"  wrote:
>>On Wed, Jun 17, 2015 at 4:40 PM, Steve Yates 
>wrote:
>>
>>> Jim Pingle wrote on Wed, Jun 17 2015 at 9:00 am:
>>>
>>> > are with the certificate, either with generating the cert (missing
>>the
>>> > SAN, for example)
>>>
>>> I banged my head against Windows VPN for a bit before
>finding
>>out
>>> it doesn't support wildcard certs...seems *.example.com doesn't
>match
>>the
>>> hostname if the hostname doesn't have the * in it...
>>>
>>> OpenVPN requires a self-signed cert.
>>>
>>
>>Can you report the issue with OpenVPN on self-signed cert?
>>
>>>
>>> --
>>>
>>> Steve Yates
>>> ITS, Inc.
>>>
>>>
>
>-- 
>Sent from my Android device with K-9 Mail. Please excuse my brevity.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: [pfSense] IKEv2 agile VPN from Win7/Win8 to pfSense 2.2.2

2015-06-17 Thread Ermal Luçi
On Wed, Jun 17, 2015 at 4:40 PM, Steve Yates  wrote:

> Jim Pingle wrote on Wed, Jun 17 2015 at 9:00 am:
>
> > are with the certificate, either with generating the cert (missing the
> > SAN, for example)
>
> I banged my head against Windows VPN for a bit before finding out
> it doesn't support wildcard certs...seems *.example.com doesn't match the
> hostname if the hostname doesn't have the * in it...
>
> OpenVPN requires a self-signed cert.
>

Can you report the issue with OpenVPN on self-signed cert?

>
> --
>
> Steve Yates
> ITS, Inc.
>
>


Re: [pfSense] IKEv2 agile VPN from Win7/Win8 to pfSense 2.2.2

2015-06-17 Thread Steve Yates
Jim Pingle wrote on Wed, Jun 17 2015 at 9:00 am:

> are with the certificate, either with generating the cert (missing the
> SAN, for example) 

I banged my head against Windows VPN for a bit before finding out it 
doesn't support wildcard certs...seems *.example.com doesn't match the hostname 
if the hostname doesn't have the * in it...

OpenVPN requires a self-signed cert.

--

Steve Yates
ITS, Inc.




Re: [pfSense] IKEv2 agile VPN from Win7/Win8 to pfSense 2.2.2

2015-06-17 Thread Jim Pingle
On 06/17/2015 09:53 AM, Adam Thompson wrote:
> So far, PPTP and IKEv2 (using EAP-MSCHAPv2) appear to be the only
> options, and while PPTP works fine, it's insecure.  (This isn't actually
> a problem for my use case, but since it's going away and certainly isn't
> getting any love in pfSense, I'm leaving it behind.)
> 
> IKEv2 just... never works.  I'm pretty darn sure (99.999%) my
> certificate meets the requirements.
> 
> Are there any tricks that aren't obvious?

I've set it up several times, all of the knowledge I've been able to
gather has been dumped into the wiki:

https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

https://doc.pfsense.org/index.php/IKEv2_with_EAP-TLS

I marked the most commonly missed and most important parts of the
configs with a warning graphic to help them stand out. Usually problems
are with the certificate, either with generating the cert (missing the
SAN, for example) or importing it into the client properly (perhaps it
wasn't imported into "Trusted Root Certification Authorities" under
"Local Machine").

Jim
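The certificate advice in this thread (Jim: a missing SAN is the usual culprit; Steve: the Windows client will not match a wildcard name such as *.example.com against the hostname) can be turned into a pre-flight check before anyone fights the client's one generic error message. The following is an added example, not code from pfSense, strongSwan or anyone on the list. It assumes you have already pulled the DNS entries out of the certificate's subjectAltName (for instance from "openssl x509 -in server.crt -noout -text") and models the Windows client as doing a strict, case-insensitive exact comparison, which is my reading of Steve's report rather than documented Microsoft behaviour. The RFC 6125-style wildcard matcher is included only to show, by contrast, what a browser would accept for the same name.

```python
"""Pre-flight check of server certificate names for the Windows IKEv2 client.

Added example; the strict-match rule is an assumption modelled on the thread's
report that the Windows client does not accept wildcard certificates.
"""


def _labels(name):
    """Normalise a DNS name: lower-case, no trailing dot, split into labels."""
    return name.lower().rstrip(".").split(".")


def matches_exact(hostname, san_name):
    """Strict comparison: what the thread reports the Windows client doing."""
    return _labels(hostname) == _labels(san_name)


def matches_wildcard(hostname, san_name):
    """RFC 6125-style matching, as a browser would do it, for contrast only.

    A single '*' may stand in for the whole leftmost label, nothing else, and
    the wildcard must leave at least two fixed labels so '*.com' never matches.
    """
    h, n = _labels(hostname), _labels(san_name)
    if "*" not in san_name:
        return h == n
    if n[0] != "*" or any("*" in label for label in n[1:]) or len(n) < 3:
        return False
    return len(h) == len(n) and h[1:] == n[1:]


def check_ikev2_server_cert(hostname, san_dns):
    """Return a list of findings; an empty list means the names look right.

    hostname - the name users will type into the Windows VPN connection
    san_dns  - the DNS entries from subjectAltName (assumed already extracted)
    """
    findings = []
    if not san_dns:
        # Jim's first suspect: the certificate was generated without a SAN.
        findings.append("certificate has no subjectAltName DNS entries; "
                        "a CN-only certificate is not enough")
    for name in san_dns:
        if "*" in name:
            # Steve's finding: the wildcard is useless here even though a
            # browser would happily accept it for the same hostname.
            verdict = "would" if matches_wildcard(hostname, name) else "would not"
            findings.append(f"wildcard SAN '{name}' is not usable for IKEv2 "
                            f"(a browser {verdict} accept it for '{hostname}'; "
                            f"the Windows client will not)")
    if san_dns and not any(matches_exact(hostname, n) for n in san_dns):
        findings.append(f"no SAN entry exactly matches '{hostname}'")
    return findings


if __name__ == "__main__":
    # Constructed cases: a good cert, a wildcard-only cert, and a CN-only cert.
    cases = [
        ("vpn.example.com", ["vpn.example.com"]),
        ("vpn.example.com", ["*.example.com"]),
        ("vpn.example.com", []),
    ]
    for host, sans in cases:
        print(f"{host} with SAN={sans}:")
        for finding in check_ikev2_server_cert(host, sans) or ["OK"]:
            print(f"  - {finding}")
```

If the check passes and the client still fails, the remaining items from Jim's list are on the client side: the CA has to land in "Trusted Root Certification Authorities" under "Local Machine", not the current user's store.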


[pfSense] IKEv2 agile VPN from Win7/Win8 to pfSense 2.2.2

2015-06-17 Thread Adam Thompson
OK, I talked to Chris last week and he confirmed that using the built-in 
IKEv2 VPN client in Win7/win8 with pfSense is definitely possible.

He even knows of a few people who do it.
The StrongSwan documentation is OK, but I've tried to follow it... and 
no success.


The IKEv2 client itself, of course, is renowned for crummy diagnostics - 
you get one generic error, almost no matter what happens.  (Kind of 
reminds me of using ed(1).  Maybe Rob Pike works for MS now? )


I need to achieve zero-touch remote VPN users - I don't want to have to 
send them a file, install a certificate or CA on their device, configure 
their device, etc.  Put another way, I need to be able to use an 
arbitrary device, never before connected to my network, to establish a 
VPN connection from anywhere, by anyone.


So far, PPTP and IKEv2 (using EAP-MSCHAPv2) appear to be the only 
options, and while PPTP works fine, it's insecure.  (This isn't actually 
a problem for my use case, but since it's going away and certainly isn't 
getting any love in pfSense, I'm leaving it behind.)


IKEv2 just... never works.  I'm pretty darn sure (99.999%) my 
certificate meets the requirements.


Are there any tricks that aren't obvious?

Thanks,
-Adam Thompson
 athom...@athompso.net
