[pfSense] Openvpn site to site problem

2012-12-19 Thread Cristian Del Carlo
Hi list,

I have a problem with a site-to-site PSK VPN between two pfSense 2.0.1 boxes.

My problem is that from the firewall everything looks correct: I can
ping or SSH to the remote client (I use a Linux client with no personal
firewall). But from the clients I can't reach the remote LAN.
I don't know where my problem is; I have tried rewriting the configuration
a lot of times.

This is my configuration (without public IP and PSK):

lan1 192.168.9.0  --- pfsense1 -- pfsense2 -- lan 2 192.168.8.0

pfsense2 - server:
Server mode: peer to peer (shared key)
Protocol: udp
Device: tun
Tunnel network: 10.0.8.0/24
Local network: 192.168.8.0/24
Remote network: 192.168.9.0/24
Compression: LZO

pfsense1 - client:
Server mode: peer to peer (shared key)
Protocol: udp
Device: tun
Tunnel network: 10.0.8.0/24
Remote network: 192.168.8.0/24
Compression: LZO

My firewall on both sides is set to pass any protocol on the OpenVPN interface.

Could you help me?

Thanks in advance.



Cristian Del Carlo
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Openvpn site to site problem

2012-12-19 Thread WolfSec-Support
Hi,

Do you have special rules in the VPN tunnel?
Make sure to open the OpenVPN ruleset as necessary.

This is new in 2.x; 1.2.x had no rules in OpenVPN tunnels.

But by default the tunnel is normally open any/any.

br
stephan

http://www.wolfsec.ch


Re: [pfSense] Openvpn site to site problem

2012-12-19 Thread Cristian Del Carlo
Hi,

thanks for your help.

My firewall rules on both pfSense are:
Action: Pass
Interface: OpenVPN
Protocol: Any
Source: Any
Destination: Any

These are my routing tables from the firewalls (without public IP):

pfsense 1 - client:
Destination        Gateway     Flags  Refs       Use  Netif
10.0.8.1           link#10     UH        0        15  ovpnc2
10.0.8.2           link#10     UHS       0         0  lo0
192.168.8.0/24     10.0.8.1    UGS       0        45  ovpnc2
192.168.9.0/24     link#2      U         0  37598040  em1

pfsense 2 - server:
Destination        Gateway     Flags  Refs       Use  Netif
10.0.8.1           link#9      UHS       0         0  lo0
10.0.8.2           link#9      UH        0        72  ovpns1
192.168.8.0/24     link#2      U         0    229122  em1
192.168.8.1        link#2      UHS       0         0  lo0
192.168.9.0/24     10.0.8.2    UGS       0         1  ovpns1

Could it be a routing problem?


-- 


Cristian Del Carlo

The text and any attached documents contain information reserved for the
indicated recipient. This e-mail is confidential and its confidentiality is
protected by law under Legislative Decree 196 of 30/06/2003 (Personal Data
Protection Code). Reading, copying or any other unauthorised use, or any
other action taken on the basis of knowledge of this information, is
strictly forbidden. If you have received this document in error, you are
kindly requested to notify the sender immediately and to destroy it
immediately.


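Since the question in this message is whether the two kernel routing tables agree, here is an added Python cross-check (example code, not from the thread or from pfSense) that parses both ends' netstat -rn output and verifies the routes a routed site-to-site tunnel needs: a connected local LAN on each side, tunnel endpoints that match each other, and the remote LAN routed via the tunnel peer. The sample tables are the two posted above with their columns restored (the column names are the standard FreeBSD netstat -rn ones, an assumption); the tunnel net 10.0.8.0/24 and the LAN ranges come from the original configuration, and the site labels A/B are mine.

```python
# Added example (not code from the thread or from pfSense): cross-check both
# ends of an OpenVPN routed site-to-site tunnel from their 'netstat -rn' output.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: the two tables posted in the thread, columns restored.
SITE1_CLIENT = """
Destination        Gateway            Flags    Refs      Use  Netif Expire
10.0.8.1           link#10            UH          0       15 ovpnc2
10.0.8.2           link#10            UHS         0        0    lo0
192.168.8.0/24     10.0.8.1           UGS         0       45 ovpnc2
192.168.9.0/24     link#2             U           0 37598040    em1
"""
SITE2_SERVER = """
Destination        Gateway            Flags    Refs      Use  Netif Expire
10.0.8.1           link#9             UHS         0        0    lo0
10.0.8.2           link#9             UH          0       72 ovpns1
192.168.8.0/24     link#2             U           0   229122    em1
192.168.8.1        link#2             UHS         0        0    lo0
192.168.9.0/24     10.0.8.2           UGS         0        1 ovpns1
"""

@dataclass
class Route:
    dest: str
    gateway: str
    flags: str
    netif: str

def parse_netstat(text: str) -> List[Route]:
    """Parse 'netstat -rn' lines; the interface is the last token, so the 6-column
    (Refs Use Netif) and 7-column (... Mtu Netif) layouts in the thread both work."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] in ("Destination", "Internet:", "Routing"):
            continue  # header / section lines
        routes.append(Route(parts[0], parts[1], parts[2], parts[-1]))
    return routes

def _norm(dest: str) -> str:
    """Canonical CIDR form of a destination; 'default' etc. pass through unchanged."""
    try:
        return str(ipaddress.ip_network(dest, strict=False))
    except ValueError:
        return dest

def _addr_in(dest: str, net: ipaddress.IPv4Network) -> bool:
    try:  # True only for a single host address inside net (not a prefix or 'default')
        return ipaddress.ip_address(dest) in net
    except ValueError:
        return False

@dataclass
class TunnelSide:
    local: Optional[str] = None   # our tunnel address: UHS route via lo0
    peer: Optional[str] = None    # far end of the tunnel: UH route on ovpnX
    netif: Optional[str] = None   # the ovpnc/ovpns interface carrying it
    via_tunnel: Dict[str, str] = field(default_factory=dict)  # network -> gateway

def tunnel_view(routes: List[Route], tunnel_net: str) -> TunnelSide:
    """Pick out what one routing table says about the tunnel in tunnel_net."""
    net = ipaddress.ip_network(tunnel_net)
    side = TunnelSide()
    for r in routes:
        if r.netif.startswith("ovpn") and "G" in r.flags:
            side.via_tunnel[_norm(r.dest)] = r.gateway  # network routed over the tunnel
        elif r.netif.startswith("ovpn") and _addr_in(r.dest, net):
            side.peer, side.netif = r.dest, r.netif    # host route to the far end
        elif r.netif == "lo0" and _addr_in(r.dest, net):
            side.local = r.dest                        # our own tunnel address
    return side

def check_site_to_site(table_a: str, lan_a: str, table_b: str, lan_b: str,
                       tunnel_net: str) -> List[str]:
    """Return findings; an empty list means the two tables are consistent."""
    routes = {"A": parse_netstat(table_a), "B": parse_netstat(table_b)}
    views = {k: tunnel_view(v, tunnel_net) for k, v in routes.items()}
    lans = {"A": _norm(lan_a), "B": _norm(lan_b)}
    findings = []
    for me, other in (("A", "B"), ("B", "A")):
        side, far = views[me], views[other]
        # The site's own LAN must be a connected route (no G flag) on a real interface.
        if not any("G" not in r.flags and r.netif != "lo0" and not r.netif.startswith("ovpn")
                   and _norm(r.dest) == lans[me] for r in routes[me]):
            findings.append(f"site {me}: LAN {lans[me]} is not a connected network here")
        if side.local is None or side.peer is None:
            findings.append(f"site {me}: no tunnel endpoints in {tunnel_net}; is the tunnel up?")
            continue
        if side.peer != far.local:
            findings.append(f"site {me}: peer {side.peer} != other side's address {far.local}")
        gw = side.via_tunnel.get(lans[other])
        if gw is None:
            findings.append(f"site {me}: no route to remote LAN {lans[other]} over {side.netif}")
        elif gw != side.peer:
            findings.append(f"site {me}: {lans[other]} routed via {gw}, expected peer {side.peer}")
    return findings

if __name__ == "__main__":
    print(check_site_to_site(SITE1_CLIENT, "192.168.9.0/24", SITE2_SERVER, "192.168.8.0/24", "10.0.8.0/24") or "routes consistent")
```

An empty result means the kernel routes agree on both firewalls, which leaves the points raised later in the thread (whether the tunnel is up and whether the LAN hosts' default gateway and mask point at their pfSense) as the remaining places to look.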


Re: [pfSense] Not connect ipsec vpn remote with local network different to LAN

2012-12-19 Thread Maykel Franco
Thanks thanks thanks Jim, it works.

Many thanks. I love pfSense... it is the best software firewall.

Bye.

2012/12/10 Jim Pingle li...@pingle.org

> On 12/10/2012 11:31 AM, may...@maykel.sytes.net wrote:
>> ok, well, then only connect with cisco vpn update to pfsense 2.1?
>
> It has nothing to do with Cisco - it's the NAT+IPsec feature you need.
>
> On 2.0.x (and even 1.2.x) it connects fine to Cisco in setups that do
> not require NAT+IPsec.
>
> Since you require NAT+IPsec, you need 2.1.
>
> Jim



Re: [pfSense] Openvpn site to site problem

2012-12-19 Thread WolfSec-Support
Maybe there are fw rules on the LAN interface with similar
IPs/networks? Some used this under 1.2.x, and after upgrading to 2.x this
caused issues.

On to routing:

looks good

Here is a similar setup of mine (one side):

Destination        Gateway          Flags  Refs         Use    Mtu  Netif
192.168.253.13     link#13          UH        0           0   1500  ovpnc1
192.168.253.14     link#13          UHS       0           0  16384  lo0
192.168.0.0/16     192.168.253.13   UGS       0     4151616   1500  ovpnc1
192.168.242.0/24   link#1           U         0  1191195015   1500  vr0


rgds
stephan




-- 

Stephan Wolf

WolfSec
Rairing 65
CH-8108 Dällikon

+41 43 536 1191
+41 76 566 8222
http://www.wolfsec.ch


Re: [pfSense] Openvpn site to site problem

2012-12-19 Thread Vassilis V.
Hi!

Try this:

pfsense2 - server:
Tunnel network: 10.0.8.0/30 (no need for /24 on site2site)

pfsense1 - client:
Tunnel network: 10.0.8.0/30 (You can even keep it empty)

Keeping or removing the remote network on the client side shouldn't be
important, the difference being that if you keep it, you should see an
error message that the route that has already been pushed by the server
is re-issued by the client.


hope it helps!

Vassilis




Re: [pfSense] Openvpn site to site problem

2012-12-19 Thread Cristian Del Carlo
Hi,

Thanks for your help.

Even on LAN I have:
My firewall rules on both pfSense are:
Action: Pass
Interface: LAN
Protocol: Any
Source: Any
Destination: Any

If I ping the tunnel from a client it seems OK:

ping 10.0.8.1 -- OK
ping 10.8.8.2 -- OK
ping 192.168.8.X -- 100% packet loss

Thanks.



Re: [pfSense] Openvpn site to site problem

2012-12-19 Thread bruno.deb...@cyberoso.com
Hello,

You might need a firewall rule for the remote network in your LAN rules
to force traffic to follow normal routing.

In my case (2 WANs), I have a rule defining the default gateway for LAN
traffic. To permit the traffic to the remote VPN site, I have to add a rule
earlier for the remote network with no gateway so it will follow
normal routing.

My 2 cents...




Re: [pfSense] Openvpn site to site problem

2012-12-19 Thread Cristian Del Carlo
Hi,

Even with 10.0.8.0/30 I have the same problem.

Any other suggestions?




Re: [pfSense] Openvpn site to site problem

2012-12-19 Thread Cristian Del Carlo
Sorry, I don't understand.

In my case I have only one WAN, so which type of rule do I need?

Do I need to force the packets to my tunnel network over the VPN even if
my routing tables seem OK?

My routing tables:

Destination        Gateway     Flags  Refs       Use  Netif
10.0.8.1           link#10     UH        0         8  ovpnc2
10.0.8.2           link#10     UHS       0         0  lo0
192.168.8.0/24     10.0.8.1    UGS       0        55  ovpnc2
192.168.9.0/24     link#2      U         0  38437351  em1

Thanks,



Re: [pfSense] Openvpn site to site problem

2012-12-19 Thread WolfSec-Support
To make sure:
- Is the tunnel up?
- Can you ping the LAN IP of the other pfSense from one of them?

brgds
stephan



Re: [pfSense] Openvpn site to site problem

2012-12-19 Thread Cristian Del Carlo
My tunnel is up.

From a client I can ping the tunnel interfaces of my VPN but I can't
reach the other network.

# ping 10.0.8.1 - ok
# ping 10.0.8.2 - ok
# ping 192.168.8.10 - 100% packet loss

From both firewalls I can ping all the networks:
# ping 192.168.8.10 - ok
# ping 10.0.8.1 - ok
# ping 10.0.8.2 - ok
# ping 192.168.9.10 - ok

The problem seems to be only when one network tries to reach the other.

Thanks for your help!


Re: [pfSense] Openvpn site to site problem

2012-12-19 Thread WolfSec-Support
And can the clients on each side reach the internet through their local pfSense?

So GW info etc. is OK?

Sometimes it's simply a typo in mask/GW etc.

Generally your setup seems to be fine.

rgds
stephan

http://www.wolfsec.ch


Re: [pfSense] Openvpn site to site problem

2012-12-19 Thread bruno.deb...@cyberoso.com
OK, then no firewall rules forcing the gateway, so let's try something else.

Did you configure iroute?
http://openvpn.net/index.php/open-source/documentation/howto.html#scope
Read: "Including multiple machines on the client side when using a
routed VPN".

It might work :-p

