Re: [pfSense] multi-tunnel routing
On Thu, Jan 5, 2012 at 12:27 AM, Andrew Mitchell wrote: > OK, I have added: > > route 192.168.16.0 255.255.255.0; > route 192.168.15.0 255.255.255.0; > route 192.168.8.0 255.255.255.0; > route 192.168.7.0 255.255.255.0; > route 192.168.1.0 255.255.255.0; > > to the 10.0.7.1 server. > > Now, a traceroute shows that traffic sent down the tunnel but it dies 1 hop > later: > > Tracing route to 192.168.16.10 over a maximum of 30 hops > > 1 1 ms 1 ms 2 ms watchdog.snarrow.com [10.0.7.1] > 2 76 ms 73 ms 77 ms 10.8.1.2 > 3 * * * Request timed out. > 4 * * * Request timed out. > 5 * ^C > > Nothing shows up in the firewall on the destination side of the tunnel. > > I can't figure out where I have gone wrong. I would appreciate any advise. > You need a return route on the other end as well. ___ List mailing list List@lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] multi-tunnel routing
OK, I have added: route 192.168.16.0 255.255.255.0; route 192.168.15.0 255.255.255.0; route 192.168.8.0 255.255.255.0; route 192.168.7.0 255.255.255.0; route 192.168.1.0 255.255.255.0; to the 10.0.7.1 server. Now, a traceroute shows that traffic sent down the tunnel but it dies 1 hop later: Tracing route to 192.168.16.10 over a maximum of 30 hops 1 1 ms 1 ms 2 ms watchdog.snarrow.com [10.0.7.1] 276 ms73 ms77 ms 10.8.1.2 3 *** Request timed out. 4 *** Request timed out. 5 * ^C Nothing shows up in the firewall on the destination side of the tunnel. I can't figure out where I have gone wrong. I would appreciate any advise. Thanks, Andrew On Mon, Jan 2, 2012 at 8:04 AM, John Busch wrote: > On Thu, Dec 29, 2011 at 5:50 AM, Andrew Mitchell > wrote: > > I have 2 pfSense boxes on a peer-to-peer shared-key OpenVPN tunnel. The > LAN > > on the server is 10.0.7.0/24. The LAN on the client is 192.168.1.0/24. > > Server and client have bidirectional traffic just fine. > > > > The client has multiple seperate peer-to-peer shared-key OpenVPN tunnels > > tunnels to which it is also connected: 192.168.15.0/24, 192.168.16.0/24, > > 192.168.0.0/24, 192.168.7.0/24 and 192.168.8.0/24. All of those tunnels > have > > bidirectional traffic with the client just fine. Further, > 192.168.16.0/24 > > can not see 192.168.0.0/24 (for example) and vice versa. This is the > exact > > functionality I am looking for between those subnets on the other side of > > the client. > > > > However, I would like to be able to establish at least one way > communication > > between the server (10.0.7.0/24) and the 192.168.15.0/24, > 192.168.16.0/24, > > 192.168.0.0/24, 192.168.7.0/24 and 192.168.8.0/24 subnets using the > existing > > server/client tunnel. Nothing I have tried seems to work. > > > > I would be grateful for any advise. > > > > Thanks, > > > > Andrew > > Have you tried adding an additional route statement in the advanced > field on the server's OpenVPN config page? For example, adding > > route 192.168.15.0 255.255.255.0; > > will route server packets destined to that network across the OpenVPN > tunnel. If IP forwarding on the client is enabled, it will look at > its routing table and forward the packet appropriately. Adding a > statement like this for each of your listed subnets to the server's > OpenVPN config page should achieve your objective. Adding a similar > statement of > > route 10.0.7.0 255.255.255.0; > > to the 192.168.15.0/24 OpenVPN configuration will ensure > bi-directional traffic. This statement would need to be in the > OpenVPN config of each of the subnets you listed above. > > http://openvpn.net/index.php/manuals/427-openvpn-22.html > > - John > ___ > List mailing list > List@lists.pfsense.org > http://lists.pfsense.org/mailman/listinfo/list > ___ List mailing list List@lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] Fatal trap 12 page fault
And another one: http://sysops2.moonfruit.com/communities/4/004/009/843/874/images/4560450091_525x290.jpg http://sysops2.moonfruit.com/communities/4/004/009/843/874/images/4560450095_525x291.jpg http://sysops2.moonfruit.com/communities/4/004/009/843/874/images/4560450097_525x294.jpg We're not upgrading to pfsence 2.0 and will change the memory over soon... Thanks for all the pointers so far. Josh. -Original Message- From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Russell Howe Sent: 03 January 2012 17:44 To: list@lists.pfsense.org Subject: Re: [pfSense] Fatal trap 12 page fault -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 02/01/12 06:45, Russell Howe wrote: > I've managed to get screen captures of two crashes, with backtraces: > > Crash #1 > http://sysops2.moonfruit.com/communities/4/004/009/843/874/images/4560312285.png > http://sysops2.moonfruit.com/communities/4/004/009/843/874/images/4560312283.png > > Crash #2 > http://sysops2.moonfruit.com/communities/4/004/009/843/874/images/4560312282.png > http://sysops2.moonfruit.com/communities/4/004/009/843/874/images/4560312286.png > http://sysops2.moonfruit.com/communities/4/004/009/843/874/images/4560312287.png > > Any ideas as to what might be going on? > I've also see the secondary node reboot when it takes over the CARP > addresses, although that doesn't happen every time. I assume it's > crashing but I'm not prepared to put the debug kernel on both nodes at > the same time. > We had another occurrence: http://sysops2.moonfruit.com/communities/4/004/009/843/874/images/4560367903.png http://sysops2.moonfruit.com/communities/4/004/009/843/874/images/4560367904.png We ran memtest for a few hours on this machine back in October when we first began to have these resets and it came back clean, although I know some memory errors can be quite hard to reproduce with memtest. Still, new RAM is on order so we'll see if that makes any difference. We're also going to try an upgrade to 2.0.x - -- Russell Howe rh...@moonfruit.com -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) iQEcBAEBAgAGBQJPAz5DAAoJEJ2trZuuThLOo+IIAMvvF7LkMvhwFNVbw/ZL46sE R3fqG8lXz+ssuNsYPMUyXv7eSiMAaYjr1CH3qfWwamB5erHGqR/Bq7pZbE+K3vmZ 9L59UJeaURa6LNTOTi/f6op4I5N+7ryBuJ7VPKGKiMdFWMlOfRclXJSq+7lf7xuD V1kAWYBRbIp5E+fGPebeHPBRG4iEL4rpv3rfGBKauYesUIGFJWeMa9pMWJXGnRG6 kPkVbYOv6IQowf8OuWe7RMxb/vXR/mKHtoJFbI0gPEJFdl1MVaBO2nhtUgUnOOFW igZf0ptSp//z/mUtOfDJIUQxCuFiYSGCG76uehsmPDtISdYmsos13a2DJ7/y7C8= =5bkE -END PGP SIGNATURE- ___ List mailing list List@lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list ___ List mailing list List@lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] M0n0wall to PFsense IPsec Tunnel drops every hour, Phase1 config change brings it back
Chris good morning, Yes it was 3600 on the m0n0. I changed it to 5000 for phases 1/2 on both sides to see if that makes a difference. My understanding is that the smaller lifetime in phases 1/2 would be negotiated by Isakmp and thus not an issue to have different values on each end or one blank? -W On Tue, Jan 3, 2012 at 11:12 PM, Chris Buechler wrote: > On Tue, Jan 3, 2012 at 8:02 PM, Wade Blackwell wrote: > > Good evening all, > > I have an IPsec tunnel between a M0n0wall (1.33) and a pair of > > virtualized PFsense boxen running 2.0-RELEASE (amd64). I've never seen > this > > issue in an IPsec implementation before. Short history, before I went to > a > > virtualized pair of PF boxes running CARP this tunnel would stay up for > .5 > > to a couple days. Once I changed to the CAP/VM setup about an hour is > all I > > get. To bring the tunnel back up all I have to do is go into the m0n0 and > > change phase 1 to another setting and change it back to the original > setting > > and the tunnel comes back for an hour. I can also change any Phase 1 > setting > > on both ends and the tunnel comes up, again only for about an hour. > Anyone > > seen anything like this? > > > > My first guess is 3600 is your lifetime on phase 2? And maybe it's not > the same on both sides? That's one common cause. Not enough info there > to tell you much more, check the SAs on both sides and see how those > match up. Logs could be telling if there are any. > ___ > List mailing list > List@lists.pfsense.org > http://lists.pfsense.org/mailman/listinfo/list > -- Wade Blackwell C - 805.400.8485 D - 805.457.8825 S - CoC.WadeBlackwell www.upcycle-consulting.com ___ List mailing list List@lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list
