Re: [pfSense] Openvpn site to site problem

2012-12-21 Thread WolfSec-Support
single /24 to single /24 site2site needs no push of routes

only if multiple subnets are at the end of the tunnel and not described in the VPN
info/routing

I would simplify this issue to a simple site2site VPN

additional:
- is it a plain v2 install, or an upgraded v1.2.x to v2

I had some issues with upgraded pfSense boxes

the same config works well after a new install

rgds
stephan
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Openvpn site to site problem

2012-12-21 Thread Adam Stasiak
I had a similar problem where pfSense wouldn't route packets to the remote LAN
over the tunnel (it was due to a gateway issue and it wasn't using the default
routes). I think someone mentioned a similar issue.
Maybe it would be worth trying to add an additional gateway (10.100.8.1 or
.2 depending on which side).
Then add a FW rule on the LAN interface specifying that it use that gateway
for the traffic.

On Thu, Dec 20, 2012 at 8:28 AM, Cristian Del Carlo <
cristian.delca...@gmail.com> wrote:

> In lan e openvpn i have only one rule that pass everything.
>
> This problem make me crazy
>
> 2012/12/20 WolfSec-Support :
> > can you open also all trafic lan > internet / remove other blocking
> rules,
> > and try again
> >
> > routing table was fine on your post.
> >
> > brgds
> >
> > stephan
> >
> >
> > 2012/12/20 Cristian Del Carlo 
> >>
> >> 100% sure, the 2 boxes are the gateway of the two lans.
> >>
> >> If from a client in lan i do:
> >>  # ping 192.168.8.10 ( a client in the other network)
> >>
> >> I see the packets in the interface LAN of the pfsense but the packets
> >> are not routed in the tunnel vpn.
> >>
> >> If i do :
> >>
> >> tcpdump  -i em1 (lan of pfsense)
> >>
> >> I see the packets.
> >>
> >> If i do:
> >>
> >> tcpdump -i ovpnc2
> >>
> >> I don't see nothing.
> >>
> >> Thanks for your help.
> >>
> >> 2012/12/20 WolfSec-Support :
> >> > again:
> >> > make 100% sure gateway information  is correct on clients
> >> >
> >> > and:
> >> > check arp cache if client is seen after your try/ping
> >> >
> >> > so we can make sure the problem is only in your box(es)
> >> >
> >> > rgds
> >> > stephan
> >> >
> >> >
> >> >
> >> > 2012/12/20 Cristian Del Carlo 
> >> >>
> >> >> Another information.
> >> >>
> >> >> If from a client in lan i do:
> >> >> # ping 192.168.8.10 ( a client in the other network)
> >> >>
> >> >> And in pfsense (client openvpn):
> >> >> tcpdump -i ovpnc2
> >> >> tcpdump: verbose output suppressed, use -v or -vv for full protocol
> >> >> decode
> >> >> listening on ovpnc2, link-type NULL (BSD loopback), capture size 96
> >> >> bytes
> >> >> 0 packets captured
> >> >> 0 packets received by filter
> >> >> 0 packets dropped by kernel
> >> >>
> >> >> I can't see any packet. It Is like the packets is not routed under
> the
> >> >> tunnel.
> >> >> But i don't know why and how fix the problem.
> >> >>
> >> >> If i use the command:
> >> >> tcpdump -i pflog0 icmp
> >> >> tcpdump: WARNING: pflog0: no IPv4 address assigned
> >> >> tcpdump: verbose output suppressed, use -v or -vv for full protocol
> >> >> decode
> >> >> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture
> size
> >> >> 96
> >> >> bytes
> >> >> 0 packets captured
> >> >>
> >> >> I can't see any packets blocked by the firewall.
> >> >>
> >> >> Thanks for your help.
> >> >>
> >> >> 2012/12/20 Cristian Del Carlo :
> >> >> > Hi try this configuration but i hace the same problem i am very
> >> >> > confused.
> >> >> >
> >> >> > This is my network:
> >> >> >
> >> >> > lan1 192.168.9.0  <---> pfsense1 (client openvpn) <--> pfsense2
> >> >> > (server openvpn) <--> lan 2 192.168.8.0
> >> >> >
> >> >> > This are now with certificates my configuration files:
> >> >> >
> >> >> > Pfsense server:
> >> >> >
> >> >> > /var/etc/openvpn/server1.conf
> >> >> >
> >> >> > dev ovpns1
> >> >> > dev-type tun
> >> >> > dev-node /dev/tun1
> >> >> > writepid /var/run/openvpn_server1.pid
> >> >> > #user nobody
> >> >> > #group nobody
> >> >> > script-security 3
> >> >> > daemon
> >> >> > keepalive 10 60
> >> >> > ping-timer-rem
> >> >> > persist-tun
> >> >> > persist-key
> >> >> > proto udp
> >> >> > cipher AES-128-CBC
> >> >> > up /usr/local/sbin/ovpn-linkup
> >> >> > down /usr/local/sbin/ovpn-linkdown
> >> >> > local X.X.X.X
> >> >> > tls-server
> >> >> > ifconfig 10.0.8.1 10.0.8.2
> >> >> > tls-verify /var/etc/openvpn/server1.tls-verify.php
> >> >> > lport 1195
> >> >> > management /var/etc/openvpn/server1.sock unix
> >> >> > ca /var/etc/openvpn/server1.ca
> >> >> > cert /var/etc/openvpn/server1.cert
> >> >> > key /var/etc/openvpn/server1.key
> >> >> > dh /etc/dh-parameters.1024
> >> >> > comp-lzo
> >> >> > route 192.168.9.0 255.255.255.0
> >> >> > push "route 192.168.8.0 255.255.255.0"
> >> >> >
> >> >> > /var/etc/openvpn-csc/fw-target
> >> >> >
> >> >> > iroute 192.168.9.0 255.255.255.0
> >> >> >
> >> >> > Pfsense client:
> >> >> >
> >> >> > /var/etc/openvpn/client2.conf
> >> >> >
> >> >> > dev ovpnc2
> >> >> > dev-type tun
> >> >> > dev-node /dev/tun2
> >> >> > writepid /var/run/openvpn_client2.pid
> >> >> > #user nobody
> >> >> > #group nobody
> >> >> > script-security 3
> >> >> > daemon
> >> >> > keepalive 10 60
> >> >> > ping-timer-rem
> >> >> > persist-tun
> >> >> > persist-key
> >> >> > proto udp
> >> >> > cipher AES-128-CBC
> >> >> > up /usr/local/sbin/ovpn-linkup
> >> >> > down /usr/local/sbin/ovpn-linkdown
> >> >> > local X.X:X.X
> >> >> > tls-client
> >> >> > client
> >> >> > lport 0
> >> >> > management /var/etc/openvpn/client2.sock u

Re: [pfSense] Openvpn site to site problem

2012-12-21 Thread Matthias May

On 21.12.2012 05:27, Nishant Sharma wrote:
> On Thu, Dec 20, 2012 at 6:58 PM, Cristian Del Carlo
>  wrote:
>> In lan e openvpn i have only one rule that pass everything.
>>
>> This problem make me crazy
>
> Have you configured the server for pushing the routes to client and
> added iroute parameters?
>
> -Nishant

From his description he's running a PSK. There are no pushes/iroutes.
Simply static "route" entries on both sides.



Re: [pfSense] Openvpn site to site problem

2012-12-20 Thread Joseph L. Casale
> lan1 192.168.9.0  <---> pfsense1 (client openvpn) <--> pfsense2
> (server openvpn) <--> lan 2 192.168.8.0

> /var/etc/openvpn/server1.conf

> route 192.168.9.0 255.255.255.0
> push "route 192.168.8.0 255.255.255.0"

This looks right.


> /var/etc/openvpn-csc/fw-target
>
> iroute 192.168.9.0 255.255.255.0

You're not pushing the route for the clients on the other side?
Also, you're not setting up a known tunnel interface, can't filter now...


> /var/etc/openvpn/client2.conf

> ifconfig 10.0.8.2 10.0.8.1
> route 192.168.8.0 255.255.255.0

No need for this, the server can be authoritative for all configuration using ccd.

If you plan to filter eventually, do not use client-to-client, see:
http://lists.pfsense.org/pipermail/list/2012-July/002587.html

In a server config, a route statement adds a route to the local system routing
table. A push route pushes one to a client. These directives route packets from
the kernel to the OpenVPN process. The iroute directive routes to the specific
client after.

I often see with client-to-client issues that tcpdump brings to light instantly.
If you set the interface to listen on the pfSense box to the tun dev and start
pinging a remote host, you can see if the traffic gets that far, then for example
on the remote host as well. If you see it there, there is likely no return route,
etc. It usually doesn't take long to sort this out.

jlc
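The three directives Joseph describes (a kernel `route` into the tun device, a `push "route"` handed to the client, and an `iroute` in the client-config-dir file that tells OpenVPN which client owns a LAN) have to agree for a routed site-to-site tunnel to pass traffic. The checker below is an added example, not code from the thread or from pfSense; it parses the routing-relevant lines of a server config, its ccd files and the client config (the sample texts are constructed from the configs posted in this thread) and reports which of the three is missing for each LAN, plus the duplicated static-and-pushed route Joseph points out on the client side.

```python
"""Consistency check for an OpenVPN routed site-to-site configuration.

Added example, not from the thread or pfSense. It models the directives
Joseph explains: `route` (kernel route into the tun device), `push "route"`
(route handed to the client at connect time) and `iroute` (OpenVPN-internal
route to one specific client's LAN, set in a client-config-dir file).
"""
import ipaddress
import shlex

# Constructed from the configs posted in the thread, trimmed to routing lines.
SERVER_CONF = """\
dev ovpns1
dev-type tun
tls-server
ifconfig 10.0.8.1 10.0.8.2
route 192.168.9.0 255.255.255.0
push "route 192.168.8.0 255.255.255.0"
"""

# client-config-dir: common name -> file contents (constructed)
CCD_FILES = {"fw-target": "iroute 192.168.9.0 255.255.255.0\n"}

CLIENT_CONF = """\
dev ovpnc2
dev-type tun
tls-client
client
ifconfig 10.0.8.2 10.0.8.1
route 192.168.8.0 255.255.255.0
"""


def parse_directives(text):
    """Yield (directive, args). A push payload is unwrapped so that
    push "route A B" becomes ("push-route", ["A", "B"])."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments such as #user nobody
        if not line:
            continue
        parts = shlex.split(line)
        if parts[0] == "push" and len(parts) == 2:
            inner = parts[1].split()
            yield "push-" + inner[0], inner[1:]
        else:
            yield parts[0], parts[1:]


def networks(text, name):
    """Networks given to a directive (route / iroute / push-route)."""
    return {
        ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
        for d, args in parse_directives(text)
        if d == name and len(args) >= 2
    }


def check_site_to_site(server_conf, ccd_files, client_conf):
    """Return {"errors": [...], "notes": [...]}. Empty errors means every hop
    that the thread's tcpdump runs probe has a route."""
    errors, notes = [], []
    srv_routes = networks(server_conf, "route")
    srv_pushed = networks(server_conf, "push-route")
    cli_routes = networks(client_conf, "route")

    iroutes = {}  # remote LAN -> common name of the client that owns it
    for cn, text in ccd_files.items():
        for net in networks(text, "iroute"):
            iroutes[net] = cn

    # Server side: a remote LAN needs both the kernel route (into the tun
    # device) and the iroute (from the OpenVPN process to the right client).
    for net, cn in iroutes.items():
        if net not in srv_routes:
            errors.append(f"server: iroute {net} in ccd/{cn} has no matching "
                          f"'route'; the kernel never hands those packets to OpenVPN")
    for net in srv_routes - set(iroutes):
        errors.append(f"server: route {net} has no 'iroute' in any ccd file; "
                      f"OpenVPN cannot tell which client owns it")

    # Client side: it must learn the server-side LAN, pushed or static.
    if not srv_pushed and not cli_routes:
        errors.append("client: no route to the server-side LAN, neither pushed nor static")
    for net in srv_pushed & cli_routes:
        notes.append(f"client: route {net} is static and also pushed; drop the "
                     f"static one and let the server be authoritative")

    # Point-to-point tunnel endpoints must mirror each other.
    srv_if = next((a for d, a in parse_directives(server_conf) if d == "ifconfig"), None)
    cli_if = next((a for d, a in parse_directives(client_conf) if d == "ifconfig"), None)
    if srv_if and cli_if and srv_if != list(reversed(cli_if)):
        errors.append(f"ifconfig mismatch: server {srv_if} vs client {cli_if}")
    return {"errors": errors, "notes": notes}


if __name__ == "__main__":
    result = check_site_to_site(SERVER_CONF, CCD_FILES, CLIENT_CONF)
    for line in result["errors"] + result["notes"]:
        print(line)
```

Run against the posted configuration the checker finds no routing error, only the note that `route 192.168.8.0 255.255.255.0` on the client duplicates what the server pushes; remove the ccd entry or the server's `route` line and the corresponding error appears.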


Re: [pfSense] Openvpn site to site problem

2012-12-20 Thread Nishant Sharma
On Thu, Dec 20, 2012 at 6:58 PM, Cristian Del Carlo
 wrote:
> In lan e openvpn i have only one rule that pass everything.
>
> This problem make me crazy

Have you configured the server to push the routes to the client and
added iroute parameters?

-Nishant


Re: [pfSense] Openvpn site to site problem

2012-12-20 Thread Cristian Del Carlo
In LAN and OpenVPN I have only one rule that passes everything.

This problem makes me crazy

2012/12/20 WolfSec-Support :
> can you open also all trafic lan > internet / remove other blocking rules,
> and try again
>
> routing table was fine on your post.
>
> brgds
>
> stephan
>
>
> 2012/12/20 Cristian Del Carlo 
>>
>> 100% sure, the 2 boxes are the gateway of the two lans.
>>
>> If from a client in lan i do:
>>  # ping 192.168.8.10 ( a client in the other network)
>>
>> I see the packets in the interface LAN of the pfsense but the packets
>> are not routed in the tunnel vpn.
>>
>> If i do :
>>
>> tcpdump  -i em1 (lan of pfsense)
>>
>> I see the packets.
>>
>> If i do:
>>
>> tcpdump -i ovpnc2
>>
>> I don't see nothing.
>>
>> Thanks for your help.
>>
>> 2012/12/20 WolfSec-Support :
>> > again:
>> > make 100% sure gateway information  is correct on clients
>> >
>> > and:
>> > check arp cache if client is seen after your try/ping
>> >
>> > so we can make sure the problem is only in your box(es)
>> >
>> > rgds
>> > stephan
>> >
>> >
>> >
>> > 2012/12/20 Cristian Del Carlo 
>> >>
>> >> Another information.
>> >>
>> >> If from a client in lan i do:
>> >> # ping 192.168.8.10 ( a client in the other network)
>> >>
>> >> And in pfsense (client openvpn):
>> >> tcpdump -i ovpnc2
>> >> tcpdump: verbose output suppressed, use -v or -vv for full protocol
>> >> decode
>> >> listening on ovpnc2, link-type NULL (BSD loopback), capture size 96
>> >> bytes
>> >> 0 packets captured
>> >> 0 packets received by filter
>> >> 0 packets dropped by kernel
>> >>
>> >> I can't see any packet. It Is like the packets is not routed under the
>> >> tunnel.
>> >> But i don't know why and how fix the problem.
>> >>
>> >> If i use the command:
>> >> tcpdump -i pflog0 icmp
>> >> tcpdump: WARNING: pflog0: no IPv4 address assigned
>> >> tcpdump: verbose output suppressed, use -v or -vv for full protocol
>> >> decode
>> >> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size
>> >> 96
>> >> bytes
>> >> 0 packets captured
>> >>
>> >> I can't see any packets blocked by the firewall.
>> >>
>> >> Thanks for your help.
>> >>
>> >> 2012/12/20 Cristian Del Carlo :
>> >> > Hi try this configuration but i hace the same problem i am very
>> >> > confused.
>> >> >
>> >> > This is my network:
>> >> >
>> >> > lan1 192.168.9.0  <---> pfsense1 (client openvpn) <--> pfsense2
>> >> > (server openvpn) <--> lan 2 192.168.8.0
>> >> >
>> >> > This are now with certificates my configuration files:
>> >> >
>> >> > Pfsense server:
>> >> >
>> >> > /var/etc/openvpn/server1.conf
>> >> >
>> >> > dev ovpns1
>> >> > dev-type tun
>> >> > dev-node /dev/tun1
>> >> > writepid /var/run/openvpn_server1.pid
>> >> > #user nobody
>> >> > #group nobody
>> >> > script-security 3
>> >> > daemon
>> >> > keepalive 10 60
>> >> > ping-timer-rem
>> >> > persist-tun
>> >> > persist-key
>> >> > proto udp
>> >> > cipher AES-128-CBC
>> >> > up /usr/local/sbin/ovpn-linkup
>> >> > down /usr/local/sbin/ovpn-linkdown
>> >> > local X.X.X.X
>> >> > tls-server
>> >> > ifconfig 10.0.8.1 10.0.8.2
>> >> > tls-verify /var/etc/openvpn/server1.tls-verify.php
>> >> > lport 1195
>> >> > management /var/etc/openvpn/server1.sock unix
>> >> > ca /var/etc/openvpn/server1.ca
>> >> > cert /var/etc/openvpn/server1.cert
>> >> > key /var/etc/openvpn/server1.key
>> >> > dh /etc/dh-parameters.1024
>> >> > comp-lzo
>> >> > route 192.168.9.0 255.255.255.0
>> >> > push "route 192.168.8.0 255.255.255.0"
>> >> >
>> >> > /var/etc/openvpn-csc/fw-target
>> >> >
>> >> > iroute 192.168.9.0 255.255.255.0
>> >> >
>> >> > Pfsense client:
>> >> >
>> >> > /var/etc/openvpn/client2.conf
>> >> >
>> >> > dev ovpnc2
>> >> > dev-type tun
>> >> > dev-node /dev/tun2
>> >> > writepid /var/run/openvpn_client2.pid
>> >> > #user nobody
>> >> > #group nobody
>> >> > script-security 3
>> >> > daemon
>> >> > keepalive 10 60
>> >> > ping-timer-rem
>> >> > persist-tun
>> >> > persist-key
>> >> > proto udp
>> >> > cipher AES-128-CBC
>> >> > up /usr/local/sbin/ovpn-linkup
>> >> > down /usr/local/sbin/ovpn-linkdown
>> >> > local X.X:X.X
>> >> > tls-client
>> >> > client
>> >> > lport 0
>> >> > management /var/etc/openvpn/client2.sock unix
>> >> > remote X.X.X.X 1195
>> >> > ifconfig 10.0.8.2 10.0.8.1
>> >> > route 192.168.8.0 255.255.255.0
>> >> > ca /var/etc/openvpn/client2.ca
>> >> > cert /var/etc/openvpn/client2.cert
>> >> > key /var/etc/openvpn/client2.key
>> >> > comp-lzo
>> >> >
>> >> > Thanks for your help.
>> >> >
>> >> >
>> >> > 2012/12/19 bruno.deb...@cyberoso.com :
>> >> >> Ok, then no firewall rules forcing gateway, so let's try something
>> >> >> else.
>> >> >>
>> >> >> Did you configure iroute ?
>> >> >>
>> >> >> http://openvpn.net/index.php/open-source/documentation/howto.html#scope
>> >> >> Read : Including multiple machines on the client side when using a
>> >> >> routed VPN
>> >> >>
>> >> >> It might work :-p
>> >> >>
>> >> >>
>> >> >> Le Wed, 19 Dec 2012 15:19:25 +0100,
>> >> >> Cristian Del Carlo  a écrit :
>> >> >>

Re: [pfSense] Openvpn site to site problem

2012-12-20 Thread WolfSec-Support
can you also open all traffic LAN > internet / remove other blocking rules,
and try again

the routing table was fine in your post.

brgds
stephan


2012/12/20 Cristian Del Carlo 

> 100% sure, the 2 boxes are the gateway of the two lans.
>
> If from a client in lan i do:
>  # ping 192.168.8.10 ( a client in the other network)
>
> I see the packets in the interface LAN of the pfsense but the packets
> are not routed in the tunnel vpn.
>
> If i do :
>
> tcpdump  -i em1 (lan of pfsense)
>
> I see the packets.
>
> If i do:
>
> tcpdump -i ovpnc2
>
> I don't see nothing.
>
> Thanks for your help.
>
> 2012/12/20 WolfSec-Support :
> > again:
> > make 100% sure gateway information  is correct on clients
> >
> > and:
> > check arp cache if client is seen after your try/ping
> >
> > so we can make sure the problem is only in your box(es)
> >
> > rgds
> > stephan
> >
> >
> >
> > 2012/12/20 Cristian Del Carlo 
> >>
> >> Another information.
> >>
> >> If from a client in lan i do:
> >> # ping 192.168.8.10 ( a client in the other network)
> >>
> >> And in pfsense (client openvpn):
> >> tcpdump -i ovpnc2
> >> tcpdump: verbose output suppressed, use -v or -vv for full protocol
> decode
> >> listening on ovpnc2, link-type NULL (BSD loopback), capture size 96
> bytes
> >> 0 packets captured
> >> 0 packets received by filter
> >> 0 packets dropped by kernel
> >>
> >> I can't see any packet. It Is like the packets is not routed under the
> >> tunnel.
> >> But i don't know why and how fix the problem.
> >>
> >> If i use the command:
> >> tcpdump -i pflog0 icmp
> >> tcpdump: WARNING: pflog0: no IPv4 address assigned
> >> tcpdump: verbose output suppressed, use -v or -vv for full protocol
> decode
> >> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size
> 96
> >> bytes
> >> 0 packets captured
> >>
> >> I can't see any packets blocked by the firewall.
> >>
> >> Thanks for your help.
> >>
> >> 2012/12/20 Cristian Del Carlo :
> >> > Hi try this configuration but i hace the same problem i am very
> >> > confused.
> >> >
> >> > This is my network:
> >> >
> >> > lan1 192.168.9.0  <---> pfsense1 (client openvpn) <--> pfsense2
> >> > (server openvpn) <--> lan 2 192.168.8.0
> >> >
> >> > This are now with certificates my configuration files:
> >> >
> >> > Pfsense server:
> >> >
> >> > /var/etc/openvpn/server1.conf
> >> >
> >> > dev ovpns1
> >> > dev-type tun
> >> > dev-node /dev/tun1
> >> > writepid /var/run/openvpn_server1.pid
> >> > #user nobody
> >> > #group nobody
> >> > script-security 3
> >> > daemon
> >> > keepalive 10 60
> >> > ping-timer-rem
> >> > persist-tun
> >> > persist-key
> >> > proto udp
> >> > cipher AES-128-CBC
> >> > up /usr/local/sbin/ovpn-linkup
> >> > down /usr/local/sbin/ovpn-linkdown
> >> > local X.X.X.X
> >> > tls-server
> >> > ifconfig 10.0.8.1 10.0.8.2
> >> > tls-verify /var/etc/openvpn/server1.tls-verify.php
> >> > lport 1195
> >> > management /var/etc/openvpn/server1.sock unix
> >> > ca /var/etc/openvpn/server1.ca
> >> > cert /var/etc/openvpn/server1.cert
> >> > key /var/etc/openvpn/server1.key
> >> > dh /etc/dh-parameters.1024
> >> > comp-lzo
> >> > route 192.168.9.0 255.255.255.0
> >> > push "route 192.168.8.0 255.255.255.0"
> >> >
> >> > /var/etc/openvpn-csc/fw-target
> >> >
> >> > iroute 192.168.9.0 255.255.255.0
> >> >
> >> > Pfsense client:
> >> >
> >> > /var/etc/openvpn/client2.conf
> >> >
> >> > dev ovpnc2
> >> > dev-type tun
> >> > dev-node /dev/tun2
> >> > writepid /var/run/openvpn_client2.pid
> >> > #user nobody
> >> > #group nobody
> >> > script-security 3
> >> > daemon
> >> > keepalive 10 60
> >> > ping-timer-rem
> >> > persist-tun
> >> > persist-key
> >> > proto udp
> >> > cipher AES-128-CBC
> >> > up /usr/local/sbin/ovpn-linkup
> >> > down /usr/local/sbin/ovpn-linkdown
> >> > local X.X:X.X
> >> > tls-client
> >> > client
> >> > lport 0
> >> > management /var/etc/openvpn/client2.sock unix
> >> > remote X.X.X.X 1195
> >> > ifconfig 10.0.8.2 10.0.8.1
> >> > route 192.168.8.0 255.255.255.0
> >> > ca /var/etc/openvpn/client2.ca
> >> > cert /var/etc/openvpn/client2.cert
> >> > key /var/etc/openvpn/client2.key
> >> > comp-lzo
> >> >
> >> > Thanks for your help.
> >> >
> >> >
> >> > 2012/12/19 bruno.deb...@cyberoso.com :
> >> >> Ok, then no firewall rules forcing gateway, so let's try something
> >> >> else.
> >> >>
> >> >> Did you configure iroute ?
> >> >>
> http://openvpn.net/index.php/open-source/documentation/howto.html#scope
> >> >> Read : Including multiple machines on the client side when using a
> >> >> routed VPN
> >> >>
> >> >> It might work :-p
> >> >>
> >> >>
> >> >> Le Wed, 19 Dec 2012 15:19:25 +0100,
> >> >> Cristian Del Carlo  a écrit :
> >> >>
> >> >>> Hi,
> >> >>>
> >> >>> Thanks for your help.
> >> >>>
> >> >>> Even in LAN i have :
> >> >>> My firewall rules  are  in both pfsense:
> >> >>> Action: Pass
> >> >>> Interface : LAN
> >> >>> Protocol: Any
> >> >>> Source: Any
> >> >>> Destionation: Any
> >> >>>
> >> >>> If i ping the tunnel from a client seem ok:
> >> >>>
>

Re: [pfSense] Openvpn site to site problem

2012-12-20 Thread Cristian Del Carlo
100% sure, the 2 boxes are the gateways of the two LANs.

If from a client in the LAN I do:
 # ping 192.168.8.10 ( a client in the other network)

I see the packets on the LAN interface of the pfSense but the packets
are not routed into the VPN tunnel.

If I do:

tcpdump -i em1 (LAN of pfSense)

I see the packets.

If I do:

tcpdump -i ovpnc2

I don't see anything.

Thanks for your help.

2012/12/20 WolfSec-Support :
> again:
> make 100% sure gateway information  is correct on clients
>
> and:
> check arp cache if client is seen after your try/ping
>
> so we can make sure the problem is only in your box(es)
>
> rgds
> stephan
>
>
>
> 2012/12/20 Cristian Del Carlo 
>>
>> Another information.
>>
>> If from a client in lan i do:
>> # ping 192.168.8.10 ( a client in the other network)
>>
>> And in pfsense (client openvpn):
>> tcpdump -i ovpnc2
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on ovpnc2, link-type NULL (BSD loopback), capture size 96 bytes
>> 0 packets captured
>> 0 packets received by filter
>> 0 packets dropped by kernel
>>
>> I can't see any packet. It Is like the packets is not routed under the
>> tunnel.
>> But i don't know why and how fix the problem.
>>
>> If i use the command:
>> tcpdump -i pflog0 icmp
>> tcpdump: WARNING: pflog0: no IPv4 address assigned
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96
>> bytes
>> 0 packets captured
>>
>> I can't see any packets blocked by the firewall.
>>
>> Thanks for your help.
>>
>> 2012/12/20 Cristian Del Carlo :
>> > Hi try this configuration but i hace the same problem i am very
>> > confused.
>> >
>> > This is my network:
>> >
>> > lan1 192.168.9.0  <---> pfsense1 (client openvpn) <--> pfsense2
>> > (server openvpn) <--> lan 2 192.168.8.0
>> >
>> > This are now with certificates my configuration files:
>> >
>> > Pfsense server:
>> >
>> > /var/etc/openvpn/server1.conf
>> >
>> > dev ovpns1
>> > dev-type tun
>> > dev-node /dev/tun1
>> > writepid /var/run/openvpn_server1.pid
>> > #user nobody
>> > #group nobody
>> > script-security 3
>> > daemon
>> > keepalive 10 60
>> > ping-timer-rem
>> > persist-tun
>> > persist-key
>> > proto udp
>> > cipher AES-128-CBC
>> > up /usr/local/sbin/ovpn-linkup
>> > down /usr/local/sbin/ovpn-linkdown
>> > local X.X.X.X
>> > tls-server
>> > ifconfig 10.0.8.1 10.0.8.2
>> > tls-verify /var/etc/openvpn/server1.tls-verify.php
>> > lport 1195
>> > management /var/etc/openvpn/server1.sock unix
>> > ca /var/etc/openvpn/server1.ca
>> > cert /var/etc/openvpn/server1.cert
>> > key /var/etc/openvpn/server1.key
>> > dh /etc/dh-parameters.1024
>> > comp-lzo
>> > route 192.168.9.0 255.255.255.0
>> > push "route 192.168.8.0 255.255.255.0"
>> >
>> > /var/etc/openvpn-csc/fw-target
>> >
>> > iroute 192.168.9.0 255.255.255.0
>> >
>> > Pfsense client:
>> >
>> > /var/etc/openvpn/client2.conf
>> >
>> > dev ovpnc2
>> > dev-type tun
>> > dev-node /dev/tun2
>> > writepid /var/run/openvpn_client2.pid
>> > #user nobody
>> > #group nobody
>> > script-security 3
>> > daemon
>> > keepalive 10 60
>> > ping-timer-rem
>> > persist-tun
>> > persist-key
>> > proto udp
>> > cipher AES-128-CBC
>> > up /usr/local/sbin/ovpn-linkup
>> > down /usr/local/sbin/ovpn-linkdown
>> > local X.X:X.X
>> > tls-client
>> > client
>> > lport 0
>> > management /var/etc/openvpn/client2.sock unix
>> > remote X.X.X.X 1195
>> > ifconfig 10.0.8.2 10.0.8.1
>> > route 192.168.8.0 255.255.255.0
>> > ca /var/etc/openvpn/client2.ca
>> > cert /var/etc/openvpn/client2.cert
>> > key /var/etc/openvpn/client2.key
>> > comp-lzo
>> >
>> > Thanks for your help.
>> >
>> >
>> > 2012/12/19 bruno.deb...@cyberoso.com :
>> >> Ok, then no firewall rules forcing gateway, so let's try something
>> >> else.
>> >>
>> >> Did you configure iroute ?
>> >> http://openvpn.net/index.php/open-source/documentation/howto.html#scope
>> >> Read : Including multiple machines on the client side when using a
>> >> routed VPN
>> >>
>> >> It might work :-p
>> >>
>> >>
>> >> Le Wed, 19 Dec 2012 15:19:25 +0100,
>> >> Cristian Del Carlo  a écrit :
>> >>
>> >>> Hi,
>> >>>
>> >>> Thanks for your help.
>> >>>
>> >>> Even in LAN i have :
>> >>> My firewall rules  are  in both pfsense:
>> >>> Action: Pass
>> >>> Interface : LAN
>> >>> Protocol: Any
>> >>> Source: Any
>> >>> Destionation: Any
>> >>>
>> >>> If i ping the tunnel from a client seem ok:
>> >>>
>> >>> ping 10.0.8.1 --> Ok
>> >>> ping 10.8.8.2 --> OK
>> >>> ping 192.168.8.X --> 100% packet loss
>> >>>
>> >>> Thanks.
>> >>>
>> >>> 2012/12/19 WolfSec-Support :
>> >>> > may there are any fw rules there in LAN interface with similar
>> >>> > IP's/networks ?
>> >>> > some used this under 1.2.x and after upgrading to 2.x this caused
>> >>> > issues.
>> >>> >
>> >>> > onto routing:
>> >>> >
>> >>> > looks good
>> >>> >
>> >>> > here a similar setup of mine / 1 side:
>> >>> >
>> >>> > 192.168.253.13 link#13 UH 0 0   

Re: [pfSense] Openvpn site to site problem

2012-12-20 Thread WolfSec-Support
again:
make 100% sure the gateway information is correct on the clients

and:
check the ARP cache to see if the client is seen after your try/ping

so we can make sure the problem is only in your box(es)

rgds
stephan


2012/12/20 Cristian Del Carlo 

> Another information.
>
> If from a client in lan i do:
> # ping 192.168.8.10 ( a client in the other network)
>
> And in pfsense (client openvpn):
> tcpdump -i ovpnc2
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on ovpnc2, link-type NULL (BSD loopback), capture size 96 bytes
> 0 packets captured
> 0 packets received by filter
> 0 packets dropped by kernel
>
> I can't see any packet. It Is like the packets is not routed under the
> tunnel.
> But i don't know why and how fix the problem.
>
> If i use the command:
> tcpdump -i pflog0 icmp
> tcpdump: WARNING: pflog0: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96
> bytes
> 0 packets captured
>
> I can't see any packets blocked by the firewall.
>
> Thanks for your help.
>
> 2012/12/20 Cristian Del Carlo :
> > Hi try this configuration but i hace the same problem i am very confused.
> >
> > This is my network:
> >
> > lan1 192.168.9.0  <---> pfsense1 (client openvpn) <--> pfsense2
> > (server openvpn) <--> lan 2 192.168.8.0
> >
> > This are now with certificates my configuration files:
> >
> > Pfsense server:
> >
> > /var/etc/openvpn/server1.conf
> >
> > dev ovpns1
> > dev-type tun
> > dev-node /dev/tun1
> > writepid /var/run/openvpn_server1.pid
> > #user nobody
> > #group nobody
> > script-security 3
> > daemon
> > keepalive 10 60
> > ping-timer-rem
> > persist-tun
> > persist-key
> > proto udp
> > cipher AES-128-CBC
> > up /usr/local/sbin/ovpn-linkup
> > down /usr/local/sbin/ovpn-linkdown
> > local X.X.X.X
> > tls-server
> > ifconfig 10.0.8.1 10.0.8.2
> > tls-verify /var/etc/openvpn/server1.tls-verify.php
> > lport 1195
> > management /var/etc/openvpn/server1.sock unix
> > ca /var/etc/openvpn/server1.ca
> > cert /var/etc/openvpn/server1.cert
> > key /var/etc/openvpn/server1.key
> > dh /etc/dh-parameters.1024
> > comp-lzo
> > route 192.168.9.0 255.255.255.0
> > push "route 192.168.8.0 255.255.255.0"
> >
> > /var/etc/openvpn-csc/fw-target
> >
> > iroute 192.168.9.0 255.255.255.0
> >
> > Pfsense client:
> >
> > /var/etc/openvpn/client2.conf
> >
> > dev ovpnc2
> > dev-type tun
> > dev-node /dev/tun2
> > writepid /var/run/openvpn_client2.pid
> > #user nobody
> > #group nobody
> > script-security 3
> > daemon
> > keepalive 10 60
> > ping-timer-rem
> > persist-tun
> > persist-key
> > proto udp
> > cipher AES-128-CBC
> > up /usr/local/sbin/ovpn-linkup
> > down /usr/local/sbin/ovpn-linkdown
> > local X.X:X.X
> > tls-client
> > client
> > lport 0
> > management /var/etc/openvpn/client2.sock unix
> > remote X.X.X.X 1195
> > ifconfig 10.0.8.2 10.0.8.1
> > route 192.168.8.0 255.255.255.0
> > ca /var/etc/openvpn/client2.ca
> > cert /var/etc/openvpn/client2.cert
> > key /var/etc/openvpn/client2.key
> > comp-lzo
> >
> > Thanks for your help.
> >
> >
> > 2012/12/19 bruno.deb...@cyberoso.com :
> >> Ok, then no firewall rules forcing gateway, so let's try something else.
> >>
> >> Did you configure iroute ?
> >> http://openvpn.net/index.php/open-source/documentation/howto.html#scope
> >> Read : Including multiple machines on the client side when using a
> >> routed VPN
> >>
> >> It might work :-p
> >>
> >>
> >> Le Wed, 19 Dec 2012 15:19:25 +0100,
> >> Cristian Del Carlo  a écrit :
> >>
> >>> Hi,
> >>>
> >>> Thanks for your help.
> >>>
> >>> Even in LAN i have :
> >>> My firewall rules  are  in both pfsense:
> >>> Action: Pass
> >>> Interface : LAN
> >>> Protocol: Any
> >>> Source: Any
> >>> Destionation: Any
> >>>
> >>> If i ping the tunnel from a client seem ok:
> >>>
> >>> ping 10.0.8.1 --> Ok
> >>> ping 10.8.8.2 --> OK
> >>> ping 192.168.8.X --> 100% packet loss
> >>>
> >>> Thanks.
> >>>
> >>> 2012/12/19 WolfSec-Support :
> >>> > may there are any fw rules there in LAN interface with similar
> >>> > IP's/networks ?
> >>> > some used this under 1.2.x and after upgrading to 2.x this caused
> >>> > issues.
> >>> >
> >>> > onto routing:
> >>> >
> >>> > looks good
> >>> >
> >>> > here a similar setup of mine / 1 side:
> >>> >
> >>> > 192.168.253.13 link#13 UH 0 0 1500 ovpnc1
> >>> > 192.168.253.14 link#13 UHS 0 0 16384 lo0
> >>> > 192.168.0.0/16 192.168.253.13 UGS 0 4151616 1500
> >>> > ovpnc1
> >>> > 192.168.242.0/24 link#1 U 0 1191195015 1500
> >>> > vr0
> >>> >
> >>> > rgds
> >>> > stephan
> >>> >
> >>> >
> >>> >
> >>> >
> >>> > 2012/12/19 Cristian Del Carlo 
> >>> >>
> >>> >> Hi,
> >>> >>
> >>> >> thanks for your help.
> >>> >>
> >>> >> My firewall rules  are  in both pfsense:
> >>> >> Action: Pass
> >>> >> Interface : Openvpn
> >>> >> Protocol: Any
> >>> >> Source: Any
> >>> >> Destionatio

Re: [pfSense] Openvpn site to site problem

2012-12-20 Thread Cristian Del Carlo
Another piece of information.

If from a client in the LAN I do:
# ping 192.168.8.10 ( a client in the other network)

And in pfSense (OpenVPN client):
tcpdump -i ovpnc2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ovpnc2, link-type NULL (BSD loopback), capture size 96 bytes
0 packets captured
0 packets received by filter
0 packets dropped by kernel

I can't see any packet. It is like the packets are not routed into the tunnel.
But I don't know why or how to fix the problem.

If I use the command:
tcpdump -i pflog0 icmp
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
0 packets captured

I can't see any packets blocked by the firewall.

Thanks for your help.

2012/12/20 Cristian Del Carlo :
> Hi try this configuration but i hace the same problem i am very confused.
>
> This is my network:
>
> lan1 192.168.9.0  <---> pfsense1 (client openvpn) <--> pfsense2
> (server openvpn) <--> lan 2 192.168.8.0
>
> This are now with certificates my configuration files:
>
> Pfsense server:
>
> /var/etc/openvpn/server1.conf
>
> dev ovpns1
> dev-type tun
> dev-node /dev/tun1
> writepid /var/run/openvpn_server1.pid
> #user nobody
> #group nobody
> script-security 3
> daemon
> keepalive 10 60
> ping-timer-rem
> persist-tun
> persist-key
> proto udp
> cipher AES-128-CBC
> up /usr/local/sbin/ovpn-linkup
> down /usr/local/sbin/ovpn-linkdown
> local X.X.X.X
> tls-server
> ifconfig 10.0.8.1 10.0.8.2
> tls-verify /var/etc/openvpn/server1.tls-verify.php
> lport 1195
> management /var/etc/openvpn/server1.sock unix
> ca /var/etc/openvpn/server1.ca
> cert /var/etc/openvpn/server1.cert
> key /var/etc/openvpn/server1.key
> dh /etc/dh-parameters.1024
> comp-lzo
> route 192.168.9.0 255.255.255.0
> push "route 192.168.8.0 255.255.255.0"
>
> /var/etc/openvpn-csc/fw-target
>
> iroute 192.168.9.0 255.255.255.0
>
> Pfsense client:
>
> /var/etc/openvpn/client2.conf
>
> dev ovpnc2
> dev-type tun
> dev-node /dev/tun2
> writepid /var/run/openvpn_client2.pid
> #user nobody
> #group nobody
> script-security 3
> daemon
> keepalive 10 60
> ping-timer-rem
> persist-tun
> persist-key
> proto udp
> cipher AES-128-CBC
> up /usr/local/sbin/ovpn-linkup
> down /usr/local/sbin/ovpn-linkdown
> local X.X:X.X
> tls-client
> client
> lport 0
> management /var/etc/openvpn/client2.sock unix
> remote X.X.X.X 1195
> ifconfig 10.0.8.2 10.0.8.1
> route 192.168.8.0 255.255.255.0
> ca /var/etc/openvpn/client2.ca
> cert /var/etc/openvpn/client2.cert
> key /var/etc/openvpn/client2.key
> comp-lzo
>
> Thanks for your help.
>
>

Re: [pfSense] Openvpn site to site problem

2012-12-20 Thread Cristian Del Carlo
Hi, I tried this configuration but I have the same problem; I am very confused.

This is my network:

lan1 192.168.9.0  <---> pfsense1 (client openvpn) <--> pfsense2
(server openvpn) <--> lan 2 192.168.8.0

These are now my configuration files, with certificates:

Pfsense server:

/var/etc/openvpn/server1.conf

dev ovpns1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local X.X.X.X
tls-server
ifconfig 10.0.8.1 10.0.8.2
tls-verify /var/etc/openvpn/server1.tls-verify.php
lport 1195
management /var/etc/openvpn/server1.sock unix
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
comp-lzo
route 192.168.9.0 255.255.255.0
push "route 192.168.8.0 255.255.255.0"

/var/etc/openvpn-csc/fw-target

iroute 192.168.9.0 255.255.255.0

Pfsense client:

/var/etc/openvpn/client2.conf

dev ovpnc2
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_client2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local X.X.X.X
tls-client
client
lport 0
management /var/etc/openvpn/client2.sock unix
remote X.X.X.X 1195
ifconfig 10.0.8.2 10.0.8.1
route 192.168.8.0 255.255.255.0
ca /var/etc/openvpn/client2.ca
cert /var/etc/openvpn/client2.cert
key /var/etc/openvpn/client2.key
comp-lzo

Thanks for your help.


2012/12/19 bruno.deb...@cyberoso.com :
> Ok, then no firewall rules forcing gateway, so let's try something else.
>
> Did you configure iroute ?
> http://openvpn.net/index.php/open-source/documentation/howto.html#scope
> Read : Including multiple machines on the client side when using a
> routed VPN
>
> It might work :-p
>
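The two routing tables and the route/iroute directives posted in this thread can be checked mechanically rather than by eye. As an added example (not code from the thread, from pfSense or from OpenVPN), the following Python script parses the netstat-style tables posted above, performs the longest-prefix lookup the kernel does for a LAN-to-LAN packet in both directions, and checks that the OpenVPN `route`/`iroute` directives cover both LANs; interface names, tunnel addresses and the hosts 192.168.9.10 / 192.168.8.10 are taken from the posts, and the tables are constructed copies of those posts.

```python
import ipaddress

# Routing tables as posted in the thread, FreeBSD "netstat -rn" style with the
# columns the mail client collapsed: destination gateway flags refs use iface.
# Constructed copies of the two posted tables; public-IP routes are omitted as
# they were in the posts.
CLIENT_ROUTES = """\
10.0.8.1       link#10  UH   0 15       ovpnc2
10.0.8.2       link#10  UHS  0 0        lo0
192.168.8.0/24 10.0.8.1 UGS  0 45       ovpnc2
192.168.9.0/24 link#2   U    0 37598040 em1
"""
SERVER_ROUTES = """\
10.0.8.1       link#9   UHS  0 0      lo0
10.0.8.2       link#9   UH   0 72     ovpns1
192.168.8.0/24 link#2   U    0 229122 em1
192.168.8.1    link#2   UHS  0 0      lo0
192.168.9.0/24 10.0.8.2 UGS  0 1      ovpns1
"""


def parse_routes(text):
    """Return [(network, gateway, flags, iface)]; host entries become /32."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        dest = parts[0] if "/" in parts[0] else parts[0] + "/32"
        routes.append((ipaddress.ip_network(dest), parts[1], parts[2], parts[-1]))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, as the kernel does. None means no matching entry
    (no default route is listed here, so such traffic would leave via WAN)."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)


# Which interface on each box is the tunnel and which is the LAN (from the posts).
CLIENT = {"name": "pfsense1", "routes": parse_routes(CLIENT_ROUTES),
          "tun": "ovpnc2", "lan": "em1"}
SERVER = {"name": "pfsense2", "routes": parse_routes(SERVER_ROUTES),
          "tun": "ovpns1", "lan": "em1"}


def trace(first, second, dst):
    """Forward a packet for dst through `first` (the box on the source LAN) and
    then `second` (the box on the destination LAN). Returns (ok, hops), each hop
    being (box, iface, gateway). ok requires that the first box sends into its
    tunnel and the second box delivers directly (no G flag) on its LAN iface."""
    r1 = lookup(first["routes"], dst)
    r2 = lookup(second["routes"], dst)
    hops = [(first["name"], r1[3] if r1 else None, r1[1] if r1 else None),
            (second["name"], r2[3] if r2 else None, r2[1] if r2 else None)]
    ok = (r1 is not None and r1[3] == first["tun"]
          and r2 is not None and r2[3] == second["lan"] and "G" not in r2[2])
    return ok, hops


def check_both_directions(lan1_host="192.168.9.10", lan2_host="192.168.8.10"):
    """The thread's symptom: tunnel IPs answer but LAN-to-LAN does not. A working
    path needs the forward AND the return route; a missing return route on the
    far side gives '100% packet loss' while the tunnel itself is up."""
    fwd_ok, fwd = trace(CLIENT, SERVER, lan2_host)
    ret_ok, ret = trace(SERVER, CLIENT, lan1_host)
    return {"forward": fwd_ok, "return": ret_ok,
            "forward_hops": fwd, "return_hops": ret}


# OpenVPN side: the kernel `route` hands the packet to OpenVPN; in a multi-client
# server the `iroute` then selects the client. So every iroute should sit inside
# a route on the server, and the client needs a route for the server-side LAN.
SERVER_CONF_ROUTES = ["route 192.168.9.0 255.255.255.0"]   # from server1.conf
CSC_IROUTES = ["iroute 192.168.9.0 255.255.255.0"]        # from fw-target
CLIENT_CONF_ROUTES = ["route 192.168.8.0 255.255.255.0"]  # from client2.conf


def to_net(directive):
    _, addr, mask = directive.split()
    return ipaddress.ip_network(f"{addr}/{mask}")


def check_openvpn(server_routes, csc_iroutes, client_routes, lan1, lan2):
    routes = [to_net(d) for d in server_routes]
    iroutes = [to_net(d) for d in csc_iroutes]
    croutes = [to_net(d) for d in client_routes]
    lan1, lan2 = ipaddress.ip_network(lan1), ipaddress.ip_network(lan2)
    return {
        "server_routes_lan1": any(lan1.subnet_of(r) for r in routes),
        "iroute_covered": all(any(i.subnet_of(r) for r in routes) for i in iroutes),
        "client_routes_lan2": any(lan2.subnet_of(r) for r in croutes),
    }


if __name__ == "__main__":
    print(check_both_directions())
    print(check_openvpn(SERVER_CONF_ROUTES, CSC_IROUTES, CLIENT_CONF_ROUTES,
                        "192.168.9.0/24", "192.168.8.0/24"))
```

With the tables exactly as posted, both directions resolve and every directive check passes, which is why the thread moves on from routing to firewall rules and gateway settings.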

Re: [pfSense] Openvpn site to site problem

2012-12-19 Thread bruno.deb...@cyberoso.com
Ok, then no firewall rules forcing gateway, so let's try something else.

Did you configure iroute ?
http://openvpn.net/index.php/open-source/documentation/howto.html#scope
Read : Including multiple machines on the client side when using a
routed VPN

It might work :-p


On Wed, 19 Dec 2012 15:19:25 +0100,
Cristian Del Carlo wrote:

> Hi,
> 
> Thanks for your help.
> 
> Even in LAN I have:
> My firewall rules are in both pfsense:
> Action: Pass
> Interface : LAN
> Protocol: Any
> Source: Any
> Destination: Any
> 
> If I ping the tunnel from a client it seems ok:
> 
> ping 10.0.8.1 --> Ok
> ping 10.8.8.2 --> OK
> ping 192.168.8.X --> 100% packet loss
> 
> Thanks.
> 
> 2012/12/19 WolfSec-Support :
> > may there are any fw rules there in LAN interface with similar
> > IP's/networks ?
> > some used this under 1.2.x and after upgrading to 2.x this caused
> > issues.
> >
> > onto routing:
> >
> > looks good
> >
> > here a similar setup of mine / 1 side:
> >
> > 192.168.253.13 link#13 UH 0 0 1500 ovpnc1
> > 192.168.253.14 link#13 UHS 0 0 16384 lo0
> > 192.168.0.0/16 192.168.253.13 UGS 0 4151616 1500
> > ovpnc1
> > 192.168.242.0/24 link#1 U 0 1191195015 1500
> > vr0
> >
> > rgds
> > stephan
> >
> >
> >
> >
> > 2012/12/19 Cristian Del Carlo 
> >>
> >> Hi,
> >>
> >> thanks for your help.
> >>
> >> My firewall rules  are  in both pfsense:
> >> Action: Pass
> >> Interface : Openvpn
> >> Protocol: Any
> >> Source: Any
> >> Destionation: Any
> >>
> >> This are my routing from firewall ( without public ip ):
> >>
> >> pfsense 1 - client:
> >> 10.0.8.1   link#10UH  0   15 ovpnc2
> >> 10.0.8.2   link#10UHS 00lo0
> >> 192.168.8.0/24 10.0.8.1   UGS 0   45 ovpnc2
> >> 192.168.9.0/24 link#2 U   0 37598040em1
> >>
> >> pfsense 2 - server:
> >> 10.0.8.1   link#9 UHS 00lo0
> >> 10.0.8.2   link#9 UH  0   72 ovpns1
> >> 192.168.8.0/24 link#2 U   0   229122em1
> >> 192.168.8.1link#2 UHS 00lo0
> >> 192.168.9.0/24 10.0.8.2   UGS 01 ovpns1
> >>
> >> Could be a routing problem?
> >>
> >>
> >> 2012/12/19 WolfSec-Support :
> >> > Hi,
> >> >
> >> > do you have special rules in VPN tunnel ?
> >> > make sure to open OpenVPN ruleset as necessary
> >> >
> >> > this is "new" in 2.x; 1.2.x. had no rules in OpenVPN tunnels
> >> >
> >> > but per default normally tunnel is open any<>any
> >> >
> >> > br
> >> > stephan
> >> >
> >> >
> >> > ___
> >> > List mailing list
> >> > List@lists.pfsense.org
> >> > http://lists.pfsense.org/mailman/listinfo/list
> >> >
> >>
> >>
> >>
> >> --
> >> 
> >>
> >> Cristian Del Carlo
> >>
> >> Il testo e gli eventuali documenti trasmessi contengono
> >> informazioni riservate al destinatario indicato. La seguente
> >> e-mail è confidenziale e la sua riservatezza è tutelata legalmente
> >> dal Decreto Legislativo 196 del 30/06/2003 (Codice di tutela della
> >> privacy). La lettura, copia o altro uso non autorizzato o
> >> qualsiasi altra azione derivante dalla conoscenza di queste
> >> informazioni sono rigorosamente vietate. Qualora abbiate ricevuto
> >> questo documento per errore siete cortesemente pregati di darne
> >> immediata comunicazione al mittente e di provvedere,
> >> immediatamente, alla sua distruzione.
> >>
> >> 
> >> ___
> >> List mailing list
> >> List@lists.pfsense.org
> >> http://lists.pfsense.org/mailman/listinfo/list
> >
> >
> >
> >
> > --
> >
> > Stephan Wolf
> >
> > WolfSec
> > Rairing 65
> > CH-8108 Dällikon
> >
> > +41 43 536 1191
> > +41 76 566 8222
> > http://www.wolfsec.ch
> > ___
> > List mailing list
> > List@lists.pfsense.org
> > http://lists.pfsense.org/mailman/listinfo/list
> >
> 
> 
> 
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Openvpn site to site problem

2012-12-19 Thread WolfSec-Support
and the clients on each side can reach the internet through their local pfsense ?

so GW info etc is ok ?

sometimes it's simply a typo etc in mask/gw etc

generally your setup seems to be fine

rgds
stephan




Re: [pfSense] Openvpn site to site problem

2012-12-19 Thread Cristian Del Carlo
My tunnel is up.

From a client I can ping the tunnel interfaces of my VPN but I can't
reach the other network.

# ping 10.0.8.1 -> ok
# ping 10.0.8.2 -> ok
# ping 192.168.8.10 -> 100% packet loss

From both firewalls I can ping all the networks:
# ping 192.168.8.10 -> Ok
# ping 10.0.8.1 -> ok
# ping 10.0.8.2 -> ok
# ping 192.168.9.10 -> Ok

The problem seems to be only from the network to reach the other one.

Thanks for your help!

2012/12/19 WolfSec-Support :
> to make sure:
> - is tunnel up ?
> - can you ping from one pfsense the lan ip of the other one ?
>
> brgds
>
> stephan
>

Re: [pfSense] Openvpn site to site problem

2012-12-19 Thread WolfSec-Support
to make sure:
- is tunnel up ?
- can you ping from one pfsense the lan ip of the other one ?

brgds
stephan


2012/12/19 Cristian Del Carlo 

> Sorry, I don't understand,
>
> in my case I have only a WAN so which type of rule do I need?
>
> Do I need to force the packets to my tunnel network over the VPN even if
> my routing tables seem ok?
>
> My routing tables:
>
> 10.0.8.1   link#10UH  08 ovpnc2
> 10.0.8.2   link#10UHS 00lo0
> 192.168.8.0/24 10.0.8.1   UGS 0   55 ovpnc2
> 192.168.9.0/24 link#2 U   0 38437351em1
>
> Thanks,
>

Re: [pfSense] Openvpn site to site problem

2012-12-19 Thread Cristian Del Carlo
Sorry, I don't understand,

in my case I have only a WAN so which type of rule do I need?

Do I need to force the packets to my tunnel network over the VPN even if
my routing tables seem ok?

My routing tables:

10.0.8.1   link#10UH  08 ovpnc2
10.0.8.2   link#10UHS 00lo0
192.168.8.0/24 10.0.8.1   UGS 0   55 ovpnc2
192.168.9.0/24 link#2 U   0 38437351em1

Thanks,

2012/12/19 bruno.deb...@cyberoso.com :
> Hello,
>
> You might need a firewall rule for the remote network in your lan rules
> to force traffic to follow normal routing.
>
> In my case (2 WANs), I have a rule defining the default gateway for LAN
> traffic. To permit the traffic to the remote VPN site, I have to add a rule
> earlier for the remote network with no gateway so it will follow
> normal routing.
>
> My 2 cents...
>

Re: [pfSense] Openvpn site to site problem

2012-12-19 Thread Cristian Del Carlo
Hi,

even with 10.0.8.0/30 i have the same problem.

Any other suggestion?


2012/12/19 Vassilis V. :
> Hi!
>
> Try this:
>
> pfsense2 - server:
> Tunnel network: 10.0.8.0/30 (no need for /24 on site2site)
>
> pfsense1 - client:
> Tunnel network: 10.0.8.0/30 (You can even keep it empty)
>
> Keeping or removing the remote network on the client side shouldn't be
> important, the difference being that if you keep it, you should see an
> error message that the route that has already been pushed by the server
> is re-issued by the client.
>
>
> hope it helps!
>
> Vassilis
>
>


Re: [pfSense] Openvpn site to site problem

2012-12-19 Thread bruno.deb...@cyberoso.com
Hello,

You might need a firewall rule for the remote network in your lan rules
to force traffic to follow normal routing.

In my case (2 WANs), I have a rule defining the default gateway for LAN
traffic. To permit the traffic to the remote VPN site, I have to add a rule
earlier for the remote network with no gateway so it will follow
normal routing.

My 2 cents...


On Wed, 19 Dec 2012 14:39:36 +0100,
WolfSec-Support wrote:

> may there are any fw rules there in LAN interface with similar
> IP's/networks ?
> some used this under 1.2.x and after upgrading to 2.x this caused
> issues.
> 
> onto routing:
> 
> looks good
> 
> here a similar setup of mine / 1 side:
> 
> 192.168.253.13 link#13 UH 0 0 1500 ovpnc1
> 192.168.253.14 link#13 UHS 0 0 16384 lo0
> 192.168.0.0/16 192.168.253.13 UGS 0 4151616 1500
> ovpnc1
> 192.168.242.0/24 link#1 U 0 1191195015 1500
> vr0
> 
> 
> rgds
> stephan
> 
> 
> 


Re: [pfSense] Openvpn site to site problem

2012-12-19 Thread Cristian Del Carlo
Hi,

Thanks for your help.

Even in LAN i have :
My firewall rules  are  in both pfsense:
Action: Pass
Interface : LAN
Protocol: Any
Source: Any
Destination: Any

If I ping the tunnel from a client it seems ok:

ping 10.0.8.1 --> Ok
ping 10.8.8.2 --> OK
ping 192.168.8.X --> 100% packet loss

Thanks.

2012/12/19 WolfSec-Support :
> may there are any fw rules there in LAN interface with similar IP's/networks
> ?
> some used this under 1.2.x and after upgrading to 2.x this caused issues.
>
> onto routing:
>
> looks good
>
> here a similar setup of mine / 1 side:
>
> 192.168.253.13 link#13 UH 0 0 1500 ovpnc1
> 192.168.253.14 link#13 UHS 0 0 16384 lo0
> 192.168.0.0/16 192.168.253.13 UGS 0 4151616 1500
> ovpnc1
> 192.168.242.0/24 link#1 U 0 1191195015 1500 vr0
>
> rgds
> stephan
>
>
>
>


Re: [pfSense] Openvpn site to site problem

2012-12-19 Thread Vassilis V.
Hi!

Try this:

pfsense2 - server:
Tunnel network: 10.0.8.0/30 (no need for /24 on site2site)

pfsense1 - client:
Tunnel network: 10.0.8.0/30 (You can even keep it empty)

Keeping or removing the remote network on the client side shouldn't be
important, the difference being that if you keep it, you should see an
error message that the route that has already been pushed by the server
is re-issued by the client.


Hope it helps!

Vassilis




Re: [pfSense] Openvpn site to site problem

2012-12-19 Thread WolfSec-Support
Maybe there are some FW rules on the LAN interface with similar
IPs/networks? Some used this under 1.2.x, and after upgrading to 2.x it
caused issues.

On routing:

looks good

Here is a similar setup of mine, one side:

Destination        Gateway           Flags   Refs         Use    Mtu  Netif
192.168.253.13     link#13           UH         0           0   1500  ovpnc1
192.168.253.14     link#13           UHS        0           0  16384  lo0
192.168.0.0/16     192.168.253.13    UGS        0     4151616   1500  ovpnc1
192.168.242.0/24   link#1            U          0  1191195015   1500  vr0


rgds
stephan






-- 

Stephan Wolf

WolfSec
Rairing 65
CH-8108 Dällikon

+41 43 536 1191
+41 76 566 8222
http://www.wolfsec.ch


Re: [pfSense] Openvpn site to site problem

2012-12-19 Thread Cristian Del Carlo
Hi,

thanks for your help.

My firewall rules are the same on both pfSense boxes:
Action: Pass
Interface: OpenVPN
Protocol: Any
Source: Any
Destination: Any

These are my routes from the firewalls (without public IPs):

pfsense 1 - client:
Destination        Gateway     Flags   Refs        Use  Netif
10.0.8.1           link#10     UH         0         15  ovpnc2
10.0.8.2           link#10     UHS        0          0  lo0
192.168.8.0/24     10.0.8.1    UGS        0         45  ovpnc2
192.168.9.0/24     link#2      U          0   37598040  em1

pfsense 2 - server:
Destination        Gateway     Flags   Refs        Use  Netif
10.0.8.1           link#9      UHS        0          0  lo0
10.0.8.2           link#9      UH         0         72  ovpns1
192.168.8.0/24     link#2      U          0     229122  em1
192.168.8.1        link#2      UHS        0          0  lo0
192.168.9.0/24     10.0.8.2    UGS        0          1  ovpns1

Could be a routing problem?





-- 


Cristian Del Carlo

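The routing tables posted above are the thing to check mechanically when LAN clients cannot reach the far side: the remote network must be a gateway route on the tunnel interface, and that gateway must itself have a host route on the same interface. The script below is an added example, not code from the thread or from pfSense; it parses `netstat -rn` output in the column order shown above (Destination, Gateway, Flags, Refs, Use, Netif) and is run here over a constructed copy of the client-side table.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check a FreeBSD/pfSense
# "netstat -rn" listing for the routes a site-to-site OpenVPN tunnel needs.
# check_vpn_route REMOTE_NET IFACE_PREFIX   (routing table on stdin)
# Passes only if REMOTE_NET is a gateway route (flags contain G) on an
# interface named IFACE_PREFIX* and that gateway itself has a host route
# (flags contain H) on the same interface, i.e. the tunnel endpoint is up.
check_vpn_route() {
    awk -v net="$1" -v pfx="$2" '
        # Columns: Destination Gateway Flags Refs Use Netif [Expire];
        # the interface is the last field on every route line.
        $3 ~ /H/   { host_if[$1] = $NF }
        $1 == net  { found = 1; gw = $2; flags = $3; iface = $NF }
        END {
            if (!found) {
                print "MISSING: no route for " net; exit 1
            }
            if (index(iface, pfx) != 1 || flags !~ /G/) {
                print "BAD: " net " via " gw " on " iface " (flags " flags ")"
                exit 1
            }
            if (!(gw in host_if) || host_if[gw] != iface) {
                print "BAD: gateway " gw " has no host route on " iface
                exit 1
            }
            print "OK: " net " via " gw " on " iface
        }'
}

# Constructed sample: the client-side (pfsense1) table posted in the thread.
SAMPLE_CLIENT_TABLE='Destination      Gateway    Flags  Refs  Use       Netif
10.0.8.1         link#10    UH     0     15        ovpnc2
10.0.8.2         link#10    UHS    0     0         lo0
192.168.8.0/24   10.0.8.1   UGS    0     45        ovpnc2
192.168.9.0/24   link#2     U      0     37598040  em1'

# Stand-alone demo: 192.168.8.0/24 is routed via 10.0.8.1 on ovpnc2, and
# 10.0.8.1 has its UH host route on ovpnc2, so this prints an "OK:" line.
printf '%s\n' "$SAMPLE_CLIENT_TABLE" | check_vpn_route 192.168.8.0/24 ovpn
```

On a live pfSense box the same check runs as `netstat -rn -f inet | check_vpn_route 192.168.8.0/24 ovpn`; a "BAD" or "MISSING" result means the packets seen on the LAN interface have nowhere to go but the default route.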


Re: [pfSense] Openvpn site to site problem

2012-12-19 Thread WolfSec-Support
Hi,

Do you have special rules in the VPN tunnel?
Make sure to open the OpenVPN ruleset as necessary.

This is "new" in 2.x; 1.2.x had no rules in OpenVPN tunnels.

But by default the tunnel is normally open any<>any.

br
stephan




[pfSense] Openvpn site to site problem

2012-12-19 Thread Cristian Del Carlo
Hi list,

I have a problem with a site-to-site PSK VPN between two pfSense 2.0.1 boxes.

From the firewall everything looks correct: I can ping or SSH to the
remote client (I use a Linux client with no personal firewall).
But from the clients I can't reach the remote LAN.
I don't know where my problem is; I have tried rewriting the
configuration many times.

This is my configuration (without public IPs and PSK):

lan1 192.168.9.0  <---> pfsense1 <--> pfsense2 <--> lan 2 192.168.8.0

pfsense2 - server:
server mode: peer to peer ( shared key )
Protocol : udp
Device : tun
Tunnel network: 10.0.8.0/24
Local Network : 192.168.8.0/24
Remote network: 192.168.9.0/24
Compression : LZO

pfsense1 - client:
server mode: peer to peer ( shared key )
Protocol: udp
Device: tun
Tunnel network: 10.0.8.0/24
Remote Network : 192.168.8.0/24
Compression : LZO

My firewall on both sides is set to pass any protocol on the OpenVPN device.

Could you help me?

Thanks in advance.



Cristian Del Carlo