Re: [pfSense] Openvpn site to site problem

2012-12-21 Thread Matthias May

On 21.12.2012 05:27, Nishant Sharma wrote:

On Thu, Dec 20, 2012 at 6:58 PM, Cristian Del Carlo
cristian.delca...@gmail.com  wrote:

In LAN and OpenVPN I have only one rule that passes everything.

This problem is making me crazy.

Have you configured the server for pushing the routes to client and
added iroute parameters?

-Nishant
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
From his description he's running a PSK. There are no pushes/iroutes. 
Simply static route entries on both sides.



Re: [pfSense] Openvpn site to site problem

2012-12-21 Thread Adam Stasiak
I had a similar problem where pfSense wouldn't route packets to the remote LAN
over the tunnel (it was due to a gateway issue; it wasn't using the default
routes). I think someone mentioned a similar issue.
Maybe it would be worth trying to add an additional gateway (10.100.8.1 or
.2 depending on which side), then add a firewall rule on the LAN interface
specifying that it use that gateway for the traffic.

On Thu, Dec 20, 2012 at 8:28 AM, Cristian Del Carlo
cristian.delca...@gmail.com wrote:

 In LAN and OpenVPN I have only one rule that passes everything.

 This problem is making me crazy.

 2012/12/20 WolfSec-Support supp...@wolfsec.ch:
  Can you also open all traffic LAN to Internet / remove other blocking
  rules, and try again?

  The routing table was fine in your post.

  brgds

  stephan


Re: [pfSense] Openvpn site to site problem

2012-12-21 Thread WolfSec-Support
A single /24 to a single /24 site-to-site needs no push of routes;

only if multiple subnets are at the end of the tunnel and not described in the VPN
info/routing.

I would simplify this issue to a simple site-to-site VPN.

Additionally:
- is it a plain v2 install, or an upgraded v1.2.x to v2?

I had some issues with upgraded pfSense boxes;

the same config worked well after a new install.

rgds
stephan


Re: [pfSense] Openvpn site to site problem

2012-12-20 Thread Cristian Del Carlo
Hi, I tried this configuration but I have the same problem; I am very confused.

This is my network:

lan1 192.168.9.0  --- pfsense1 (client openvpn) -- pfsense2
(server openvpn) -- lan 2 192.168.8.0

These are now my configuration files, with certificates:

Pfsense server:

/var/etc/openvpn/server1.conf

dev ovpns1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local X.X.X.X
tls-server
ifconfig 10.0.8.1 10.0.8.2
tls-verify /var/etc/openvpn/server1.tls-verify.php
lport 1195
management /var/etc/openvpn/server1.sock unix
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
comp-lzo
route 192.168.9.0 255.255.255.0
push route 192.168.8.0 255.255.255.0

/var/etc/openvpn-csc/fw-target

iroute 192.168.9.0 255.255.255.0

Pfsense client:

/var/etc/openvpn/client2.conf

dev ovpnc2
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_client2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local X.X.X.X
tls-client
client
lport 0
management /var/etc/openvpn/client2.sock unix
remote X.X.X.X 1195
ifconfig 10.0.8.2 10.0.8.1
route 192.168.8.0 255.255.255.0
ca /var/etc/openvpn/client2.ca
cert /var/etc/openvpn/client2.cert
key /var/etc/openvpn/client2.key
comp-lzo

Thanks for your help.


2012/12/19 bruno.deb...@cyberoso.com bruno.deb...@cyberoso.com:
 Ok, then no firewall rules forcing gateway, so let's try something else.

 Did you configure iroute?
 http://openvpn.net/index.php/open-source/documentation/howto.html#scope
 Read : Including multiple machines on the client side when using a
 routed VPN

 It might work :-p



Re: [pfSense] Openvpn site to site problem

2012-12-20 Thread Cristian Del Carlo
Another piece of information.

If from a client in lan i do:
# ping 192.168.8.10 ( a client in the other network)

And in pfsense (client openvpn):
tcpdump -i ovpnc2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ovpnc2, link-type NULL (BSD loopback), capture size 96 bytes
0 packets captured
0 packets received by filter
0 packets dropped by kernel

I can't see any packets. It is as if the packets are not routed into the tunnel,
but I don't know why, or how to fix the problem.

If i use the command:
tcpdump -i pflog0 icmp
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
0 packets captured

I can't see any packets blocked by the firewall.

Thanks for your help.


Re: [pfSense] Openvpn site to site problem

2012-12-20 Thread Cristian Del Carlo
I am 100% sure: the 2 boxes are the gateways of the two LANs.

If from a client in the LAN I do:
 # ping 192.168.8.10 (a client in the other network)

I see the packets on the LAN interface of the pfSense, but the packets
are not routed into the VPN tunnel.

If I do:

tcpdump -i em1 (LAN of pfSense)

I see the packets.

If I do:

tcpdump -i ovpnc2

I don't see anything.

Thanks for your help.

2012/12/20 WolfSec-Support supp...@wolfsec.ch:
 Again:
 make 100% sure the gateway information is correct on the clients.

 And:
 check the ARP cache to see whether the client is seen after your try/ping,

 so we can make sure the problem is only in your box(es).

 rgds
 stephan




Re: [pfSense] Openvpn site to site problem

2012-12-20 Thread Nishant Sharma
On Thu, Dec 20, 2012 at 6:58 PM, Cristian Del Carlo
cristian.delca...@gmail.com wrote:
 In LAN and OpenVPN I have only one rule that passes everything.

 This problem is making me crazy.

Have you configured the server for pushing the routes to client and
added iroute parameters?

-Nishant


Re: [pfSense] Openvpn site to site problem

2012-12-20 Thread Joseph L. Casale
 lan1 192.168.9.0  --- pfsense1 (client openvpn) -- pfsense2
 (server openvpn) -- lan 2 192.168.8.0

 /var/etc/openvpn/server1.conf

 route 192.168.9.0 255.255.255.0
 push route 192.168.8.0 255.255.255.0

This looks right.


 /var/etc/openvpn-csc/fw-target

 iroute 192.168.9.0 255.255.255.0

You're not pushing the route for the clients on the other side?
Also, you're not setting up a known tunnel interface, so you can't filter now...


 /var/etc/openvpn/client2.conf

 ifconfig 10.0.8.2 10.0.8.1
 route 192.168.8.0 255.255.255.0

No need for this; the server can be authoritative for all configuration using ccd.

If you plan to filter eventually, do not use client-to-client, see:
http://lists.pfsense.org/pipermail/list/2012-July/002587.html

In a server config, a route statement adds a route to the local system routing
table. A push route pushes one to the clients. These directives route packets
from the kernel to the OpenVPN process. The iroute directive then routes to the
specific client.

I often see client-to-client issues that tcpdump brings to light instantly. If
you set the interface to listen on the pfSense box to the tun dev and start
pinging a remote host, you can see if the traffic gets that far, then for
example on the remote host as well. If you see it there, there is likely no
return route, etc. It usually doesn't take long to sort this out.

jlc
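Joseph's description of route, push route and iroute above can be checked mechanically. The script below is an added example written for this page, not code from the thread or from the pfSense project. It parses the routing-relevant lines of the server config, the ccd file and the client config (constructed here from the versions Cristian posted; keying the ccd by the client's common name "fw-target" is an assumption) and reports where a packet would be stranded: a ccd iroute without a matching server route, a missing route to the peer's LAN on either side, the redundant pushed-plus-local route Vassilis mentions, and client-to-client, which Joseph warns keeps inter-client traffic away from pf.

```python
"""Consistency check for an OpenVPN routed site-to-site configuration.

Added example; this is not code from the pfSense list thread or the pfSense
project. It encodes the three directives Joseph describes: `route` moves
packets from the kernel into the OpenVPN process, `push route` hands a route
to the connecting client, and `iroute` (in a ccd file) tells OpenVPN which
client owns a subnet. Assumptions: configs are plain OpenVPN syntax as pasted
in the thread, with or without quotes around pushed options.
"""
import ipaddress
from typing import Dict, List, Optional

Net = ipaddress.IPv4Network


def parse_directives(text: str) -> List[List[str]]:
    """Tokenise a config, dropping comments, blank lines and option quotes."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].replace('"', "").strip()
        if line:
            out.append(line.split())
    return out


def _net(tokens: List[str]) -> Optional[Net]:
    """'NET [MASK]' -> network; the mask defaults to /32 as OpenVPN's does."""
    if not tokens:
        return None
    mask = tokens[1] if len(tokens) > 1 else "255.255.255.255"
    try:
        return Net(f"{tokens[0]}/{mask}", strict=False)
    except ValueError:
        return None


def networks(directives: List[List[str]], *prefix: str) -> List[Net]:
    """Networks named by directives that start with prefix, e.g. ('route',) or ('push', 'route')."""
    found = []
    for d in directives:
        if tuple(d[: len(prefix)]) == prefix:
            n = _net(d[len(prefix):])
            if n:
                found.append(n)
    return found


def check_site_to_site(server_conf: str, ccd: Dict[str, str], client_conf: str,
                       server_lan: str, client_lan: str) -> List[str]:
    """Return human-readable findings; an empty list means the routes line up."""
    s, c = parse_directives(server_conf), parse_directives(client_conf)
    s_lan, c_lan = Net(server_lan), Net(client_lan)
    findings = []

    # Tunnel addressing: p2p 'ifconfig LOCAL REMOTE' or multi-client 'server NET MASK'.
    tunnel = [Net(a + "/32") for d in s if d[0] == "ifconfig" for a in d[1:3]]
    tunnel += networks(s, "server")
    for lan in (s_lan, c_lan):
        for t in tunnel:
            if lan.overlaps(t):
                findings.append(f"tunnel address {t} overlaps LAN {lan}")
    if s_lan.overlaps(c_lan):
        findings.append(f"LANs overlap: {s_lan} and {c_lan}")

    # Server side: a kernel route for the client LAN, and one per ccd iroute.
    s_routes = networks(s, "route")
    if c_lan not in s_routes:
        findings.append(f"server has no 'route' for client LAN {c_lan}: "
                        "the kernel never hands those packets to OpenVPN")
    for name, text in ccd.items():
        for n in networks(parse_directives(text), "iroute"):
            if n not in s_routes:
                findings.append(f"iroute {n} in ccd '{name}' has no matching server 'route'")

    # Client side: a route to the server LAN must arrive by push or be local.
    pushed, local = networks(s, "push", "route"), networks(c, "route")
    if s_lan in pushed and s_lan in local:
        findings.append(f"client route to {s_lan} is both pushed and configured locally (redundant)")
    elif s_lan not in pushed and s_lan not in local:
        findings.append(f"client has no route to server LAN {s_lan}")

    if any(d[0] == "client-to-client" for d in s):
        findings.append("client-to-client is set: inter-client traffic is switched "
                        "inside OpenVPN and never reaches the pf ruleset")
    return findings


# Constructed from the routing-relevant lines of the configs posted in the thread.
SERVER_CONF = """
dev ovpns1
dev-type tun
proto udp
tls-server
ifconfig 10.0.8.1 10.0.8.2
route 192.168.9.0 255.255.255.0
push "route 192.168.8.0 255.255.255.0"
"""
CCD = {"fw-target": "iroute 192.168.9.0 255.255.255.0\n"}   # keyed by client CN (assumed)
CLIENT_CONF = """
dev ovpnc2
dev-type tun
client
tls-client
remote X.X.X.X 1195
ifconfig 10.0.8.2 10.0.8.1
route 192.168.8.0 255.255.255.0
"""

if __name__ == "__main__":
    for f in check_site_to_site(SERVER_CONF, CCD, CLIENT_CONF, "192.168.8.0/24", "192.168.9.0/24"):
        print("-", f)
```

On the posted configs the only finding is the redundant route on the client (pushed by the server and also set locally); deleting the server's `route 192.168.9.0 255.255.255.0` line makes the checker report both the missing kernel route and the orphaned ccd iroute, which is the case Joseph's note about two routes being needed describes.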


[pfSense] Openvpn site to site problem

2012-12-19 Thread Cristian Del Carlo
Hi list,

I have a problem with a site-to-site PSK VPN between 2 pfSense 2.0.1 boxes.

My problem is that from the firewall everything looks correct: I can
ping or SSH the remote client (I use Linux clients with no personal
firewall).
But from the clients I can't reach the remote LAN.
I don't know where my problem is; I have tried rewriting the configuration
many times.

This is my configuration (without public IPs and PSK):

lan1 192.168.9.0  --- pfsense1 -- pfsense2 -- lan 2 192.168.8.0

pfsense2 - server:
server mode: peer to peer ( shared key )
Protocol : udp
Device : tun
Tunnel network: 10.0.8.0/24
Local Network : 192.168.8.0/24
Remote network: 192.168.9.0/24
Compression : LZO

pfsense1 - client:
server mode: peer to peer ( shared key )
Protocol: udp
Device: tun
Tunnel network: 10.0.8.0/24
Remote Network : 192.168.8.0/24
Compression : LZO

My firewall on both sides is set to pass any protocol on the OpenVPN device.

Could you help me?

Thanks in advance.



Cristian Del Carlo


Re: [pfSense] Openvpn site to site problem

2012-12-19 Thread WolfSec-Support
Hi,

Do you have special rules in the VPN tunnel?
Make sure to open the OpenVPN ruleset as necessary.

This is new in 2.x; 1.2.x had no rules in OpenVPN tunnels.

But by default the tunnel is normally open any/any.

br
stephan

http://www.wolfsec.ch


Re: [pfSense] Openvpn site to site problem

2012-12-19 Thread Cristian Del Carlo
Hi,

thanks for your help.

My firewall rules on both pfSense boxes are:
Action: Pass
Interface: OpenVPN
Protocol: Any
Source: Any
Destination: Any

These are my routing tables from the firewalls (without public IPs):

pfsense 1 - client:
Destination        Gateway     Flags  Refs  Use       Netif
10.0.8.1           link#10     UH     0     15        ovpnc2
10.0.8.2           link#10     UHS    0     0         lo0
192.168.8.0/24     10.0.8.1    UGS    0     45        ovpnc2
192.168.9.0/24     link#2      U      0     37598040  em1

pfsense 2 - server:
Destination        Gateway     Flags  Refs  Use       Netif
10.0.8.1           link#9      UHS    0     0         lo0
10.0.8.2           link#9      UH     0     72        ovpns1
192.168.8.0/24     link#2      U      0     229122    em1
192.168.8.1        link#2      UHS    0     0         lo0
192.168.9.0/24     10.0.8.2    UGS    0     1         ovpns1

Could it be a routing problem?


-- 


Cristian Del Carlo

The text and any documents transmitted contain information reserved for the
indicated recipient. This e-mail is confidential and its confidentiality is
legally protected by Legislative Decree 196 of 30/06/2003 (Italian Privacy
Code). Reading, copying or other unauthorized use, or any other action arising
from knowledge of this information, is strictly prohibited. If you have
received this document in error, you are kindly requested to notify the
sender immediately and to destroy it immediately.




Re: [pfSense] Openvpn site to site problem

2012-12-19 Thread WolfSec-Support
Maybe there are some firewall rules on the LAN interface with similar
IPs/networks?
Some used this under 1.2.x and after upgrading to 2.x this caused issues.

On routing:

looks good

Here is a similar setup of mine / one side:

Destination        Gateway          Flags  Refs  Use         Mtu    Netif
192.168.253.13     link#13          UH     0     0           1500   ovpnc1
192.168.253.14     link#13          UHS    0     0           16384  lo0
192.168.0.0/16     192.168.253.13   UGS    0     4151616     1500   ovpnc1
192.168.242.0/24   link#1           U      0     1191195015  1500   vr0


rgds
stephan



-- 

Stephan Wolf

WolfSec
Rairing 65
CH-8108 Dällikon

+41 43 536 1191
+41 76 566 8222
http://www.wolfsec.ch


Re: [pfSense] Openvpn site to site problem

2012-12-19 Thread Vassilis V.
Hi!

Try this:

pfsense2 - server:
Tunnel network: 10.0.8.0/30 (no need for a /24 on site-to-site)

pfsense1 - client:
Tunnel network: 10.0.8.0/30 (you can even leave it empty)

Keeping or removing the remote network on the client side shouldn't be
important; the difference is that if you keep it, you should see an
error message that the route already pushed by the server is re-issued
by the client.


hope it helps!

Vassilis




Re: [pfSense] Openvpn site to site problem

2012-12-19 Thread Cristian Del Carlo
Hi,

Thanks for your help.

Also on LAN I have:
My firewall rules on both pfSense boxes are:
Action: Pass
Interface: LAN
Protocol: Any
Source: Any
Destination: Any

If I ping the tunnel from a client it seems OK:

ping 10.0.8.1 -- OK
ping 10.8.8.2 -- OK
ping 192.168.8.X -- 100% packet loss

Thanks.

2012/12/19 WolfSec-Support supp...@wolfsec.ch:
 may there are any fw rules there in LAN interface with similar IP's/networks
 ?
 some used this under 1.2.x and after upgrading to 2.x this caused issues.

 onto routing:

 looks good

 here a similar setup of mine / 1 side:

 192.168.253.13 link#13 UH 0 0 1500 ovpnc1
 192.168.253.14 link#13 UHS 0 0 16384 lo0
 192.168.0.0/16 192.168.253.13 UGS 0 4151616 1500
 ovpnc1
 192.168.242.0/24 link#1 U 0 1191195015 1500 vr0

 rgds
 stephan




 2012/12/19 Cristian Del Carlo cristian.delca...@gmail.com

 Hi,

 thanks for your help.

 My firewall rules  are  in both pfsense:
 Action: Pass
 Interface : Openvpn
 Protocol: Any
 Source: Any
 Destionation: Any

 This are my routing from firewall ( without public ip ):

 pfsense 1 - client:
 10.0.8.1   link#10UH  0   15 ovpnc2
 10.0.8.2   link#10UHS 00lo0
 192.168.8.0/24 10.0.8.1   UGS 0   45 ovpnc2
 192.168.9.0/24 link#2 U   0 37598040em1

 pfsense 2 - server:
 10.0.8.1   link#9 UHS 00lo0
 10.0.8.2   link#9 UH  0   72 ovpns1
 192.168.8.0/24 link#2 U   0   229122em1
 192.168.8.1link#2 UHS 00lo0
 192.168.9.0/24 10.0.8.2   UGS 01 ovpns1

 Could be a routing problem?


 2012/12/19 WolfSec-Support supp...@wolfsec.ch:
  Hi,
 
  do you have special rules in VPN tunnel ?
  make sure to open OpenVPN ruleset as necessary
 
  this is new in 2.x; 1.2.x. had no rules in OpenVPN tunnels
 
  but per default normally tunnel is open anyany
 
  br
  stephan
 
 
  ___
  List mailing list
  List@lists.pfsense.org
  http://lists.pfsense.org/mailman/listinfo/list
 



 --
 

 Cristian Del Carlo

 The text and any attached documents contain information reserved for the
 named recipient. This e-mail is confidential and its confidentiality is
 legally protected by Legislative Decree 196 of 30/06/2003 (Personal Data
 Protection Code). Reading, copying or any other unauthorised use, or any
 other action arising from knowledge of this information, is strictly
 prohibited. If you have received this document in error, please notify the
 sender immediately and destroy it.

 




 --

 Stephan Wolf

 WolfSec
 Rairing 65
 CH-8108 Dällikon

 +41 43 536 1191
 +41 76 566 8222
 http://www.wolfsec.ch




-- 


Cristian Del Carlo





Re: [pfSense] Openvpn site to site problem

2012-12-19 Thread bruno.deb...@cyberoso.com
Hello,

You might need a firewall rule for the remote network in your LAN rules
to force traffic to follow normal routing.

In my case (2 WANs), I have a rule defining the default gateway for LAN
traffic. To permit the traffic to the remote VPN site, I have to add a rule
earlier for the remote network with no gateway so it will follow
normal routing.

My 2 cents...


Le Wed, 19 Dec 2012 14:39:36 +0100,
WolfSec-Support supp...@wolfsec.ch a écrit :

 maybe there are fw rules on the LAN interface with similar
 IPs/networks?
 some used this under 1.2.x and after upgrading to 2.x this caused
 issues.
 
 onto routing:
 
 looks good
 
 here a similar setup of mine / 1 side:
 
 Destination        Gateway          Flags  Refs  Use         Mtu    Netif
 192.168.253.13     link#13          UH     0     0           1500   ovpnc1
 192.168.253.14     link#13          UHS    0     0           16384  lo0
 192.168.0.0/16     192.168.253.13   UGS    0     4151616     1500   ovpnc1
 192.168.242.0/24   link#1           U      0     1191195015  1500   vr0
 
 
 rgds
 stephan
 
 
 
 2012/12/19 Cristian Del Carlo cristian.delca...@gmail.com
 
  Hi,
 
  thanks for your help.
 
  My firewall rules are, on both pfSense boxes:
  Action: Pass
  Interface: OpenVPN
  Protocol: Any
  Source: Any
  Destination: Any

  These are my routing tables from the firewalls (without public IPs):

  pfsense 1 - client:
  Destination        Gateway     Flags  Refs  Use       Netif
  10.0.8.1           link#10     UH     0     15        ovpnc2
  10.0.8.2           link#10     UHS    0     0         lo0
  192.168.8.0/24     10.0.8.1    UGS    0     45        ovpnc2
  192.168.9.0/24     link#2      U      0     37598040  em1

  pfsense 2 - server:
  Destination        Gateway     Flags  Refs  Use       Netif
  10.0.8.1           link#9      UHS    0     0         lo0
  10.0.8.2           link#9      UH     0     72        ovpns1
  192.168.8.0/24     link#2      U      0     229122    em1
  192.168.8.1        link#2      UHS    0     0         lo0
  192.168.9.0/24     10.0.8.2    UGS    0     1         ovpns1
 
  Could be a routing problem?
 
 
  2012/12/19 WolfSec-Support supp...@wolfsec.ch:
   Hi,
  
   do you have special rules in the VPN tunnel?
   make sure to open the OpenVPN ruleset as necessary

   this is new in 2.x; 1.2.x had no rules on OpenVPN tunnels

   but by default the tunnel is normally open any to any
  
   br
   stephan
  
  
  
 
 
 
  --
  
 
  Cristian Del Carlo
 
 
  
 
 
 
 


Re: [pfSense] Openvpn site to site problem

2012-12-19 Thread Cristian Del Carlo
Hi,

Even with 10.0.8.0/30 I have the same problem.

Any other suggestion?


2012/12/19 Vassilis V. bigracc...@gmx.net:
 Hi!

 Try this:

 pfsense2 - server:
 Tunnel network: 10.0.8.0/30 (no need for /24 on site2site)

 pfsense1 - client:
 Tunnel network: 10.0.8.0/30 (You can even keep it empty)

 Keeping or removing the remote network on the client side shouldn't be
 important, the difference being that if you keep it, you should see an
 error message that the route that has already been pushed by the server
 is re-issued by the client.


 hope it helps!

 Vassilis


 Cristian Del Carlo wrote on 19.12.2012 14:09:
 Hi,

 thanks for your help.

 My firewall rules are, on both pfSense boxes:
 Action: Pass
 Interface: OpenVPN
 Protocol: Any
 Source: Any
 Destination: Any

 These are my routing tables from the firewalls (without public IPs):

 pfsense 1 - client:
 Destination        Gateway     Flags  Refs  Use       Netif
 10.0.8.1           link#10     UH     0     15        ovpnc2
 10.0.8.2           link#10     UHS    0     0         lo0
 192.168.8.0/24     10.0.8.1    UGS    0     45        ovpnc2
 192.168.9.0/24     link#2      U      0     37598040  em1

 pfsense 2 - server:
 Destination        Gateway     Flags  Refs  Use       Netif
 10.0.8.1           link#9      UHS    0     0         lo0
 10.0.8.2           link#9      UH     0     72        ovpns1
 192.168.8.0/24     link#2      U      0     229122    em1
 192.168.8.1        link#2      UHS    0     0         lo0
 192.168.9.0/24     10.0.8.2    UGS    0     1         ovpns1

 Could be a routing problem?


 2012/12/19 WolfSec-Support supp...@wolfsec.ch:
 Hi,

  do you have special rules in the VPN tunnel?
  make sure to open the OpenVPN ruleset as necessary

  this is new in 2.x; 1.2.x had no rules on OpenVPN tunnels

  but by default the tunnel is normally open any to any

 br
 stephan









-- 


Cristian Del Carlo





Re: [pfSense] Openvpn site to site problem

2012-12-19 Thread Cristian Del Carlo
Sorry, I don't understand.

In my case I have only one WAN, so which type of rule do I need?

Do I need to force the packets for my tunnel network over the VPN even if
my routing tables seem ok?

My routing tables:

Destination        Gateway     Flags  Refs  Use       Netif
10.0.8.1           link#10     UH     0     8         ovpnc2
10.0.8.2           link#10     UHS    0     0         lo0
192.168.8.0/24     10.0.8.1    UGS    0     55        ovpnc2
192.168.9.0/24     link#2      U      0     38437351  em1

Thanks,

2012/12/19 bruno.deb...@cyberoso.com bruno.deb...@cyberoso.com:
 Hello,

 You might need a firewall rule for the remote network in your LAN rules
 to force traffic to follow normal routing.

 In my case (2 WANs), I have a rule defining the default gateway for LAN
 traffic. To permit the traffic to the remote VPN site, I have to add a rule
 earlier for the remote network with no gateway so it will follow
 normal routing.

 My 2 cents...


 Le Wed, 19 Dec 2012 14:39:36 +0100,
 WolfSec-Support supp...@wolfsec.ch a écrit :

 maybe there are fw rules on the LAN interface with similar
 IPs/networks?
 some used this under 1.2.x and after upgrading to 2.x this caused
 issues.

 onto routing:

 looks good

 here a similar setup of mine / 1 side:

 Destination        Gateway          Flags  Refs  Use         Mtu    Netif
 192.168.253.13     link#13          UH     0     0           1500   ovpnc1
 192.168.253.14     link#13          UHS    0     0           16384  lo0
 192.168.0.0/16     192.168.253.13   UGS    0     4151616     1500   ovpnc1
 192.168.242.0/24   link#1           U      0     1191195015  1500   vr0


 rgds
 stephan



 2012/12/19 Cristian Del Carlo cristian.delca...@gmail.com

  Hi,
 
  thanks for your help.
 
  My firewall rules are, on both pfSense boxes:
  Action: Pass
  Interface: OpenVPN
  Protocol: Any
  Source: Any
  Destination: Any

  These are my routing tables from the firewalls (without public IPs):

  pfsense 1 - client:
  Destination        Gateway     Flags  Refs  Use       Netif
  10.0.8.1           link#10     UH     0     15        ovpnc2
  10.0.8.2           link#10     UHS    0     0         lo0
  192.168.8.0/24     10.0.8.1    UGS    0     45        ovpnc2
  192.168.9.0/24     link#2      U      0     37598040  em1

  pfsense 2 - server:
  Destination        Gateway     Flags  Refs  Use       Netif
  10.0.8.1           link#9      UHS    0     0         lo0
  10.0.8.2           link#9      UH     0     72        ovpns1
  192.168.8.0/24     link#2      U      0     229122    em1
  192.168.8.1        link#2      UHS    0     0         lo0
  192.168.9.0/24     10.0.8.2    UGS    0     1         ovpns1
 
  Could be a routing problem?
 
 
  2012/12/19 WolfSec-Support supp...@wolfsec.ch:
   Hi,
  
   do you have special rules in the VPN tunnel?
   make sure to open the OpenVPN ruleset as necessary

   this is new in 2.x; 1.2.x had no rules on OpenVPN tunnels

   but by default the tunnel is normally open any to any
  
   br
   stephan
  
  
  
 
 
 
  --
  
 
  Cristian Del Carlo
 
 
  
 






-- 


Cristian Del Carlo



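Added example, not code from the thread or from pfSense: a small model of the two questions being debated above, Bruno's point that a LAN rule with a Gateway set policy-routes traffic past the routing table (pfSense renders such a rule with pf's route-to), and Cristian's question of whether his tables route 192.168.9.0/24 to 192.168.8.0/24 over ovpnc2 and back over ovpns1. The routing tables are the ones he posted, embedded as constructed sample input; the gateway names WAN1_GW/WAN2_GW and their interfaces are assumptions for the multi-WAN case, not something from the thread.

```python
"""
Model of how a packet arriving on a pfSense LAN interface picks its egress
interface. Rules are first-match; a matched rule with a gateway set is
policy-routed (pf route-to) and the kernel routing table is bypassed. Only
a matched rule with no gateway falls through to longest-prefix-match routing.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the two routing tables posted in the thread,
# laid out in FreeBSD `netstat -rn` columns.
CLIENT_NETSTAT = """\
Destination        Gateway     Flags  Refs  Use       Netif
10.0.8.1           link#10     UH     0     15        ovpnc2
10.0.8.2           link#10     UHS    0     0         lo0
192.168.8.0/24     10.0.8.1    UGS    0     45        ovpnc2
192.168.9.0/24     link#2      U      0     37598040  em1
"""
SERVER_NETSTAT = """\
Destination        Gateway     Flags  Refs  Use       Netif
10.0.8.1           link#9      UHS    0     0         lo0
10.0.8.2           link#9      UH     0     72        ovpns1
192.168.8.0/24     link#2      U      0     229122    em1
192.168.8.1        link#2      UHS    0     0         lo0
192.168.9.0/24     10.0.8.2    UGS    0     1         ovpns1
"""

# Hypothetical gateway-name -> interface map for a multi-WAN box (assumed;
# the thread's poster has a single WAN and no such gateways).
GATEWAYS = {"WAN1_GW": "em0", "WAN2_GW": "em2"}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str
    netif: str


@dataclass(frozen=True)
class Rule:
    """Pass rule on LAN. gateway=None means 'default' (follow the routing
    table); a gateway name means policy-route out that gateway."""
    src: str
    dst: str
    gateway: Optional[str] = None


def parse_netstat(text: str) -> list[Route]:
    """Parse Destination/Gateway/Flags/Refs/Use/Netif; host routes are /32."""
    routes = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 6:
            continue
        dest, gw, _flags, _refs, _use, netif = parts[:6]
        if "/" not in dest:
            dest += "/32"
        routes.append(Route(ipaddress.ip_network(dest, strict=False), gw, netif))
    return routes


def lookup(routes: list[Route], dst: str) -> Optional[Route]:
    """Kernel-style longest-prefix match."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def first_match(rules: list[Rule], src: str, dst: str) -> Optional[Rule]:
    """pfSense evaluation order: the first matching rule wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst):
            return r
    return None


def egress(rules: list[Rule], routes: list[Route], src: str, dst: str) -> str:
    """Interface a LAN-originated packet leaves on, or 'blocked'/'no-route'."""
    rule = first_match(rules, src, dst)
    if rule is None:
        return "blocked"
    if rule.gateway is not None:
        return GATEWAYS[rule.gateway]       # route-to: routing table bypassed
    r = lookup(routes, dst)
    return r.netif if r is not None else "no-route"


CLIENT_ROUTES = parse_netstat(CLIENT_NETSTAT)
SERVER_ROUTES = parse_netstat(SERVER_NETSTAT)

# The thread's ruleset: one pass any->any rule with no gateway.
RULES_ANY = [Rule("0.0.0.0/0", "0.0.0.0/0")]
# Bruno's multi-WAN case before the fix: all LAN traffic forced out WAN1.
RULES_MULTIWAN_BROKEN = [Rule("192.168.9.0/24", "0.0.0.0/0", "WAN1_GW")]
# Bruno's fix: a no-gateway rule for the remote network placed first.
RULES_MULTIWAN_FIXED = [Rule("192.168.9.0/24", "192.168.8.0/24"),
                        Rule("192.168.9.0/24", "0.0.0.0/0", "WAN1_GW")]

if __name__ == "__main__":
    flow = ("192.168.9.10", "192.168.8.10")
    for name, rules in [("any/any", RULES_ANY),
                        ("multi-WAN broken", RULES_MULTIWAN_BROKEN),
                        ("multi-WAN fixed", RULES_MULTIWAN_FIXED)]:
        print(f"{name:18s} -> {egress(rules, CLIENT_ROUTES, *flow)}")
    back = lookup(SERVER_ROUTES, flow[0])
    print(f"return path on server -> {back.netif if back else 'no-route'}")
```

With the multi-WAN ruleset the model sends 192.168.9.10 to 192.168.8.10 out em0 even though the kernel has a route via ovpnc2, which is exactly the symptom of packets visible on the LAN interface but never on the ovpn interface; putting the no-gateway rule for 192.168.8.0/24 first restores ovpnc2. For the thread's own setup (single WAN, any/any rule with no gateway) the model resolves to ovpnc2 on the client and ovpns1 for the return path, so the posted tables and rules are consistent and the check worth making is whether the LAN rule actually has its Gateway field left at default.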


Re: [pfSense] Openvpn site to site problem

2012-12-19 Thread WolfSec-Support
to make sure:
- is the tunnel up?
- can you ping the LAN IP of one pfSense from the other?

brgds
stephan


2012/12/19 Cristian Del Carlo cristian.delca...@gmail.com

 Sorry, I don't understand.

 In my case I have only one WAN, so which type of rule do I need?

 Do I need to force the packets for my tunnel network over the VPN even if
 my routing tables seem ok?

 My routing tables:

 Destination        Gateway     Flags  Refs  Use       Netif
 10.0.8.1           link#10     UH     0     8         ovpnc2
 10.0.8.2           link#10     UHS    0     0         lo0
 192.168.8.0/24     10.0.8.1    UGS    0     55        ovpnc2
 192.168.9.0/24     link#2      U      0     38437351  em1

 Thanks,

 2012/12/19 bruno.deb...@cyberoso.com bruno.deb...@cyberoso.com:
  Hello,
 
  You might need a firewall rule for the remote network in your LAN rules
  to force traffic to follow normal routing.

  In my case (2 WANs), I have a rule defining the default gateway for LAN
  traffic. To permit the traffic to the remote VPN site, I have to add a rule
  earlier for the remote network with no gateway so it will follow
  normal routing.
 
  My 2 cents...
 
 
  Le Wed, 19 Dec 2012 14:39:36 +0100,
  WolfSec-Support supp...@wolfsec.ch a écrit :
 
  maybe there are fw rules on the LAN interface with similar
  IPs/networks?
  some used this under 1.2.x and after upgrading to 2.x this caused
  issues.
 
  onto routing:
 
  looks good
 
  here a similar setup of mine / 1 side:
 
  Destination        Gateway          Flags  Refs  Use         Mtu    Netif
  192.168.253.13     link#13          UH     0     0           1500   ovpnc1
  192.168.253.14     link#13          UHS    0     0           16384  lo0
  192.168.0.0/16     192.168.253.13   UGS    0     4151616     1500   ovpnc1
  192.168.242.0/24   link#1           U      0     1191195015  1500   vr0
 
 
  rgds
  stephan
 
 
 
  2012/12/19 Cristian Del Carlo cristian.delca...@gmail.com
 
   Hi,
  
   thanks for your help.
  
   My firewall rules are, on both pfSense boxes:
   Action: Pass
   Interface: OpenVPN
   Protocol: Any
   Source: Any
   Destination: Any

   These are my routing tables from the firewalls (without public IPs):

   pfsense 1 - client:
   Destination        Gateway     Flags  Refs  Use       Netif
   10.0.8.1           link#10     UH     0     15        ovpnc2
   10.0.8.2           link#10     UHS    0     0         lo0
   192.168.8.0/24     10.0.8.1    UGS    0     45        ovpnc2
   192.168.9.0/24     link#2      U      0     37598040  em1

   pfsense 2 - server:
   Destination        Gateway     Flags  Refs  Use       Netif
   10.0.8.1           link#9      UHS    0     0         lo0
   10.0.8.2           link#9      UH     0     72        ovpns1
   192.168.8.0/24     link#2      U      0     229122    em1
   192.168.8.1        link#2      UHS    0     0         lo0
   192.168.9.0/24     10.0.8.2    UGS    0     1         ovpns1
  
   Could be a routing problem?
  
  
   2012/12/19 WolfSec-Support supp...@wolfsec.ch:
Hi,
   
 do you have special rules in the VPN tunnel?
 make sure to open the OpenVPN ruleset as necessary

 this is new in 2.x; 1.2.x had no rules on OpenVPN tunnels

 but by default the tunnel is normally open any to any
   
br
stephan
   
   
   
  
  
  
   --
   
  
   Cristian Del Carlo
  
  
   
  
 
 
 



 --
 

 Cristian Del Carlo

 

Re: [pfSense] Openvpn site to site problem

2012-12-19 Thread Cristian Del Carlo
My tunnel is up.

From a client I can ping the tunnel interfaces of my VPN but I can't
reach the other network.

# ping 10.0.8.1 - ok
# ping 10.0.8.2 - ok
# ping 192.168.8.10 - 100% packet loss

From both firewalls I can ping all the networks:
# ping 192.168.8.10 - ok
# ping 10.0.8.1 - ok
# ping 10.0.8.2 - ok
# ping 192.168.9.10 - ok

The problem seems to be only in reaching one network from the other.

Thanks for your help!

2012/12/19 WolfSec-Support supp...@wolfsec.ch:
 to make sure:
 - is the tunnel up?
 - can you ping the LAN IP of one pfSense from the other?

 brgds

 stephan


 2012/12/19 Cristian Del Carlo cristian.delca...@gmail.com

 Sorry, I don't understand.

 In my case I have only one WAN, so which type of rule do I need?

 Do I need to force the packets for my tunnel network over the VPN even if
 my routing tables seem ok?

 My routing tables:

 Destination        Gateway     Flags  Refs  Use       Netif
 10.0.8.1           link#10     UH     0     8         ovpnc2
 10.0.8.2           link#10     UHS    0     0         lo0
 192.168.8.0/24     10.0.8.1    UGS    0     55        ovpnc2
 192.168.9.0/24     link#2      U      0     38437351  em1

 Thanks,

 2012/12/19 bruno.deb...@cyberoso.com bruno.deb...@cyberoso.com:
  Hello,
 
  You might need a firewall rule for the remote network in your LAN rules
  to force traffic to follow normal routing.

  In my case (2 WANs), I have a rule defining the default gateway for LAN
  traffic. To permit the traffic to the remote VPN site, I have to add a rule
  earlier for the remote network with no gateway so it will follow
  normal routing.
 
  My 2 cents...
 
 
  Le Wed, 19 Dec 2012 14:39:36 +0100,
  WolfSec-Support supp...@wolfsec.ch a écrit :
 
  maybe there are fw rules on the LAN interface with similar
  IPs/networks?
  some used this under 1.2.x and after upgrading to 2.x this caused
  issues.
 
  onto routing:
 
  looks good
 
  here a similar setup of mine / 1 side:
 
  Destination        Gateway          Flags  Refs  Use         Mtu    Netif
  192.168.253.13     link#13          UH     0     0           1500   ovpnc1
  192.168.253.14     link#13          UHS    0     0           16384  lo0
  192.168.0.0/16     192.168.253.13   UGS    0     4151616     1500   ovpnc1
  192.168.242.0/24   link#1           U      0     1191195015  1500   vr0
 
 
  rgds
  stephan
 
 
 
  2012/12/19 Cristian Del Carlo cristian.delca...@gmail.com
 
   Hi,
  
   thanks for your help.
  
   My firewall rules are, on both pfSense boxes:
   Action: Pass
   Interface: OpenVPN
   Protocol: Any
   Source: Any
   Destination: Any

   These are my routing tables from the firewalls (without public IPs):

   pfsense 1 - client:
   Destination        Gateway     Flags  Refs  Use       Netif
   10.0.8.1           link#10     UH     0     15        ovpnc2
   10.0.8.2           link#10     UHS    0     0         lo0
   192.168.8.0/24     10.0.8.1    UGS    0     45        ovpnc2
   192.168.9.0/24     link#2      U      0     37598040  em1

   pfsense 2 - server:
   Destination        Gateway     Flags  Refs  Use       Netif
   10.0.8.1           link#9      UHS    0     0         lo0
   10.0.8.2           link#9      UH     0     72        ovpns1
   192.168.8.0/24     link#2      U      0     229122    em1
   192.168.8.1        link#2      UHS    0     0         lo0
   192.168.9.0/24     10.0.8.2    UGS    0     1         ovpns1
  
   Could be a routing problem?
  
  
   2012/12/19 WolfSec-Support supp...@wolfsec.ch:
Hi,
   
 do you have special rules in the VPN tunnel?
 make sure to open the OpenVPN ruleset as necessary

 this is new in 2.x; 1.2.x had no rules on OpenVPN tunnels

 but by default the tunnel is normally open any to any
   
br
stephan
   
   
   
  
  
  
   --
   
  
   Cristian Del Carlo
  
  
   
  
 
 
 



 --
 

 Cristian Del Carlo


Re: [pfSense] Openvpn site to site problem

2012-12-19 Thread WolfSec-Support
and can the clients on each side reach the internet through their local pfSense?

so GW info etc. is ok?

sometimes it's simply a typo in the mask/gw etc.

generally your setup seems to be fine

rgds
stephan

http://www.wolfsec.ch


Re: [pfSense] Openvpn site to site problem

2012-12-19 Thread bruno.deb...@cyberoso.com
OK, then there are no firewall rules forcing a gateway, so let's try something else.

Did you configure iroute?
http://openvpn.net/index.php/open-source/documentation/howto.html#scope
Read: "Including multiple machines on the client side when using a
routed VPN"

It might work :-p


Le Wed, 19 Dec 2012 15:19:25 +0100,
Cristian Del Carlo cristian.delca...@gmail.com a écrit :

 Hi,
 
 Thanks for your help.
 
 Even in LAN I have:
 My firewall rules are, on both pfSense boxes:
 Action: Pass
 Interface: LAN
 Protocol: Any
 Source: Any
 Destination: Any

 If I ping the tunnel from a client it seems ok:
 
 ping 10.0.8.1 -- Ok
 ping 10.8.8.2 -- OK
 ping 192.168.8.X -- 100% packet loss
 
 Thanks.
 
 2012/12/19 WolfSec-Support supp...@wolfsec.ch:
  maybe there are fw rules on the LAN interface with similar
  IPs/networks?
  some used this under 1.2.x and after upgrading to 2.x this caused
  issues.
 
  onto routing:
 
  looks good
 
  here a similar setup of mine / 1 side:
 
  Destination        Gateway          Flags  Refs  Use         Mtu    Netif
  192.168.253.13     link#13          UH     0     0           1500   ovpnc1
  192.168.253.14     link#13          UHS    0     0           16384  lo0
  192.168.0.0/16     192.168.253.13   UGS    0     4151616     1500   ovpnc1
  192.168.242.0/24   link#1           U      0     1191195015  1500   vr0
 
  rgds
  stephan
 
 
 
 
  2012/12/19 Cristian Del Carlo cristian.delca...@gmail.com
 
  Hi,
 
  thanks for your help.
 
  My firewall rules are, on both pfSense boxes:
  Action: Pass
  Interface: OpenVPN
  Protocol: Any
  Source: Any
  Destination: Any

  These are my routing tables from the firewalls (without public IPs):

  pfsense 1 - client:
  Destination        Gateway     Flags  Refs  Use       Netif
  10.0.8.1           link#10     UH     0     15        ovpnc2
  10.0.8.2           link#10     UHS    0     0         lo0
  192.168.8.0/24     10.0.8.1    UGS    0     45        ovpnc2
  192.168.9.0/24     link#2      U      0     37598040  em1

  pfsense 2 - server:
  Destination        Gateway     Flags  Refs  Use       Netif
  10.0.8.1           link#9      UHS    0     0         lo0
  10.0.8.2           link#9      UH     0     72        ovpns1
  192.168.8.0/24     link#2      U      0     229122    em1
  192.168.8.1        link#2      UHS    0     0         lo0
  192.168.9.0/24     10.0.8.2    UGS    0     1         ovpns1
 
  Could be a routing problem?
 
 
  2012/12/19 WolfSec-Support supp...@wolfsec.ch:
   Hi,
  
   do you have special rules in the VPN tunnel?
   make sure to open the OpenVPN ruleset as necessary

   this is new in 2.x; 1.2.x had no rules on OpenVPN tunnels

   but by default the tunnel is normally open any to any
  
   br
   stephan
  
  
  
 
 
 
  --
  
 
  Cristian Del Carlo
 
 
  
 
 
 
 
 
 
 
 