[pfSense] Openvpn site to site problem
Hi list,

I have a problem with a site-to-site VPN (PSK) between two pfSense 2.0.1 boxes. From the firewall everything looks correct: I can ping or ssh the remote client (I use a Linux client with no personal firewall). But from the clients I can't reach the remote LAN. I don't know where my problem is; I have rewritten the configuration many times.

This is my configuration (without public IP and PSK):

  lan1 192.168.9.0 --- pfsense1 -- pfsense2 -- lan 2 192.168.8.0

pfsense2 - server:
  Server mode: peer to peer (shared key)
  Protocol: udp
  Device: tun
  Tunnel network: 10.0.8.0/24
  Local network: 192.168.8.0/24
  Remote network: 192.168.9.0/24
  Compression: LZO

pfsense1 - client:
  Server mode: peer to peer (shared key)
  Protocol: udp
  Device: tun
  Tunnel network: 10.0.8.0/24
  Remote network: 192.168.8.0/24
  Compression: LZO

My firewall on both sides is set to pass any protocol on the OpenVPN interface.

Could you help me? Thanks in advance.

Cristian Del Carlo

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] Openvpn site to site problem
Hi,

do you have special rules in the VPN tunnel? Make sure to open the OpenVPN ruleset as necessary. This is new in 2.x; 1.2.x had no rules in OpenVPN tunnels, but by default the tunnel is normally open any/any.

br
stephan
http://www.wolfsec.ch
Re: [pfSense] Openvpn site to site problem
Hi,

thanks for your help. My firewall rules on both pfSense boxes are:
  Action: Pass
  Interface: Openvpn
  Protocol: Any
  Source: Any
  Destination: Any

These are my routing tables from the firewalls (without public IP):

pfsense 1 - client:
  Destination     Gateway   Flags  Refs  Use       Netif
  10.0.8.1        link#10   UH     0     15        ovpnc2
  10.0.8.2        link#10   UHS    0     0         lo0
  192.168.8.0/24  10.0.8.1  UGS    0     45        ovpnc2
  192.168.9.0/24  link#2    U      0     37598040  em1

pfsense 2 - server:
  Destination     Gateway   Flags  Refs  Use       Netif
  10.0.8.1        link#9    UHS    0     0         lo0
  10.0.8.2        link#9    UH     0     72        ovpns1
  192.168.8.0/24  link#2    U      0     229122    em1
  192.168.8.1     link#2    UHS    0     0         lo0
  192.168.9.0/24  10.0.8.2  UGS    0     1         ovpns1

Could it be a routing problem?

2012/12/19 WolfSec-Support supp...@wolfsec.ch:
> ...

--
Cristian Del Carlo
Re: [pfSense] Not connect ipsec vpn remote with local network different to LAN
Thanks thanks thanks Jim, it works. Many thanks. I love pfSense... it is the best software firewall. Bye.

2012/12/10 Jim Pingle li...@pingle.org:
> On 12/10/2012 11:31 AM, may...@maykel.sytes.net wrote:
> > ok, well, then only connect with cisco vpn update to pfsense 2.1?
>
> It has nothing to do with Cisco - it's the NAT+IPsec feature you need. On 2.0.x (and even 1.2.x) it connects fine to Cisco in setups that do not require NAT+IPsec. Since you require NAT+IPsec, you need 2.1.
>
> Jim
Re: [pfSense] Openvpn site to site problem
May there be any fw rules on the LAN interface with similar IPs/networks? Some used this under 1.2.x, and after upgrading to 2.x it caused issues.

On routing: looks good. Here is a similar setup of mine, one side:

  Destination       Gateway         Flags  Refs  Use         Mtu    Netif
  192.168.253.13    link#13         UH     0     0           1500   ovpnc1
  192.168.253.14    link#13         UHS    0     0           16384  lo0
  192.168.0.0/16    192.168.253.13  UGS    0     4151616     1500   ovpnc1
  192.168.242.0/24  link#1          U      0     1191195015  1500   vr0

rgds
stephan

2012/12/19 Cristian Del Carlo cristian.delca...@gmail.com:
> ...
Re: [pfSense] Openvpn site to site problem
Hi!

Try this:

pfsense2 - server:
  Tunnel network: 10.0.8.0/30 (no need for /24 on site2site)

pfsense1 - client:
  Tunnel network: 10.0.8.0/30 (you can even keep it empty)

Keeping or removing the remote network on the client side shouldn't be important; the difference is that if you keep it, you should see an error message that the route already pushed by the server is re-issued by the client.

Hope it helps!
Vassilis

Cristian Del Carlo wrote on 19.12.2012 14:09:
> ...
Re: [pfSense] Openvpn site to site problem
Hi,

Thanks for your help. Even on LAN I have the following firewall rules on both pfSense boxes:
  Action: Pass
  Interface: LAN
  Protocol: Any
  Source: Any
  Destination: Any

If I ping the tunnel from a client it seems OK:
  ping 10.0.8.1     -- OK
  ping 10.8.8.2     -- OK
  ping 192.168.8.X  -- 100% packet loss

Thanks.

2012/12/19 WolfSec-Support supp...@wolfsec.ch:
> ...
Re: [pfSense] Openvpn site to site problem
Hello,

You might need a firewall rule for the remote network in your LAN rules to force traffic to follow normal routing. In my case (2 WANs), I have a rule defining the default gateway for LAN traffic. To permit the traffic to the remote VPN site, I have to add an earlier rule for the remote network with no gateway, so it will follow normal routing.

My 2 cents...

On Wed, 19 Dec 2012 14:39:36 +0100, WolfSec-Support supp...@wolfsec.ch wrote:
> ...
Re: [pfSense] Openvpn site to site problem
Hi,

even with 10.0.8.0/30 I have the same problem. Any other suggestions?

2012/12/19 Vassilis V. bigracc...@gmx.net:
> ...

--
Cristian Del Carlo
Re: [pfSense] Openvpn site to site problem
Sorry, I don't understand. In my case I have only one WAN, so which type of rule do I need? Do I need to force the packets to my tunnel network over the VPN even if my routing tables seem OK?

My routing tables:
  Destination     Gateway   Flags  Refs  Use       Netif
  10.0.8.1        link#10   UH     0     8         ovpnc2
  10.0.8.2        link#10   UHS    0     0         lo0
  192.168.8.0/24  10.0.8.1  UGS    0     55        ovpnc2
  192.168.9.0/24  link#2    U      0     38437351  em1

Thanks,

2012/12/19 bruno.deb...@cyberoso.com:
> ...
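As an added illustration of Bruno's point (example code written for this page, not code from the thread or from pfSense): a small Python model of first-match LAN rule evaluation against the routing table Cristian posted. The default route, its gateway 203.0.113.1 and the WAN interface em0 are assumed placeholders, since the thread omits the public side. It shows why a LAN rule with a gateway set never consults the kernel route to the remote LAN, and why an earlier no-gateway rule for that network restores normal routing.

```python
import ipaddress

# Constructed sample in FreeBSD `netstat -rn` layout, using the pfsense1
# (client side) values from the thread.  The thread omits the public side,
# so the default route, its gateway 203.0.113.1 and the WAN interface em0
# are assumed placeholders.
PFSENSE1_ROUTES = """\
Destination        Gateway            Flags    Refs      Use  Netif
default            203.0.113.1        UGS         0   123456    em0
10.0.8.1           link#10            UH          0        8 ovpnc2
10.0.8.2           link#10            UHS         0        0    lo0
192.168.8.0/24     10.0.8.1           UGS         0       55 ovpnc2
192.168.9.0/24     link#2             U           0 38437351    em1
"""

# Assumed placeholder for the WAN gateway a LAN rule could force.
WAN_GW = {"address": "203.0.113.1", "iface": "em0"}


def parse_routes(text):
    """Parse `netstat -rn` output into (network, gateway, netif) tuples.

    Assumes Netif is the last column, as in the tables posted in the thread.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "Destination":
            continue
        dest, gateway, netif = parts[0], parts[1], parts[-1]
        if dest == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif "/" in dest:
            net = ipaddress.ip_network(dest, strict=False)
        else:
            net = ipaddress.ip_network(dest + "/32")   # host route
        routes.append((net, gateway, netif))
    return routes


def lookup(routes, dst):
    """Longest-prefix match like the kernel: (gateway, netif) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gateway, netif in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, netif)
    return (best[1], best[2]) if best else None


def make_rule(dst_net, gateway=None):
    """A pass rule on LAN.  `gateway` models the rule's Gateway option:
    when set, matching traffic is policy-routed to that gateway and the
    routing table is never consulted."""
    return {"dst": ipaddress.ip_network(dst_net), "gateway": gateway}


def egress(routes, rules, dst):
    """Interface a LAN packet to `dst` leaves on (first matching rule wins),
    or None if no rule passes it."""
    addr = ipaddress.ip_address(dst)
    for rule in rules:
        if addr not in rule["dst"]:
            continue
        if rule["gateway"] is not None:
            return rule["gateway"]["iface"]          # policy routing
        hit = lookup(routes, dst)                    # normal routing
        return hit[1] if hit else None
    return None


ROUTES = parse_routes(PFSENSE1_ROUTES)


def gateway_rule_only():
    """LAN ruleset: a single 'pass any' rule with Gateway set to WAN_GW.
    Traffic for the remote LAN is forced out the WAN instead of the tunnel."""
    return egress(ROUTES, [make_rule("0.0.0.0/0", WAN_GW)], "192.168.8.10")


def remote_net_rule_first():
    """Bruno's fix: an earlier rule for 192.168.8.0/24 with no gateway, so
    that traffic follows the routing table and reaches ovpnc2."""
    rules = [make_rule("192.168.8.0/24"), make_rule("0.0.0.0/0", WAN_GW)]
    return egress(ROUTES, rules, "192.168.8.10")


if __name__ == "__main__":
    print("gateway rule only      ->", gateway_rule_only())       # em0
    print("remote-net rule first  ->", remote_net_rule_first())   # ovpnc2
```

With Cristian's single-WAN setup and plain pass-any LAN rules (no gateway), the model returns ovpnc2 either way, which matches his observation that the routing table itself looks correct.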
Re: [pfSense] Openvpn site to site problem
To make sure:
- is the tunnel up?
- can you ping from one pfSense the LAN IP of the other one?

brgds
stephan

2012/12/19 Cristian Del Carlo cristian.delca...@gmail.com:
> ...
Re: [pfSense] Openvpn site to site problem
My tunnel is up. From a client I can ping the tunnel interfaces of my VPN, but I can't reach the other network:
  # ping 10.0.8.1      - ok
  # ping 10.0.8.2      - ok
  # ping 192.168.8.10  - 100% packet loss

From both firewalls I can ping all the networks:
  # ping 192.168.8.10  - ok
  # ping 10.0.8.1      - ok
  # ping 10.0.8.2      - ok
  # ping 192.168.9.10  - ok

The problem seems to be only from one network reaching the other one.

Thanks for your help!

2012/12/19 WolfSec-Support supp...@wolfsec.ch:
> ...
Re: [pfSense] Openvpn site to site problem
And can the clients on each side reach the internet through their local pfSense? So GW info etc. is OK? Sometimes it's simply a typo in mask/GW etc. Generally your setup seems to be fine.

rgds
stephan
http://www.wolfsec.ch
Re: [pfSense] Openvpn site to site problem
OK, then no firewall rules forcing a gateway, so let's try something else.

Did you configure iroute?
http://openvpn.net/index.php/open-source/documentation/howto.html#scope
Read: "Including multiple machines on the client side when using a routed VPN"

It might work :-p

On Wed, 19 Dec 2012 15:19:25 +0100, Cristian Del Carlo cristian.delca...@gmail.com wrote:
> ...