OpenVPN Site2Site VPN ipfire to pfsense
Hello,
I have a problem with the OpenVPN connection.
The pfsense firewall is the OpenVPN-Server and the ipfire firewall is the OpenVPN-Client.
OpenVPN-Server pfsense config:
<openvpn>
  <openvpn-server>
    <vpnid>1</vpnid>
    <mode>p2p_tls</mode>
    <protocol>UDP</protocol>
    <dev_mode>tun</dev_mode>
    <ipaddr></ipaddr>
    <interface>wan</interface>
    <local_port>1194</local_port>
    <description></description>
    <custom_options></custom_options>
    <caref>577263a900043</caref>
    <certref>5772b54968d59</certref>
    <dh_length>2048</dh_length>
    <cert_depth>1</cert_depth>
    <crypto>AES-256-CBC</crypto>
    <digest>RSA-SHA256</digest>
    <engine>none</engine>
    <tunnel_network>192.168.111.0/24</tunnel_network>
    <tunnel_networkv6></tunnel_networkv6>
    <remote_network>10.0.20.0/24</remote_network>
    <remote_networkv6></remote_networkv6>
    <local_network>172.30.0.0/24</local_network>
    <local_networkv6></local_networkv6>
    <maxclients></maxclients>
    <compression>no</compression>
    <passtos></passtos>
    <dynamic_ip>yes</dynamic_ip>
    <pool_enable>yes</pool_enable>
    <topology>subnet</topology>
    <serverbridge_interface>none</serverbridge_interface>
    <serverbridge_dhcp_start></serverbridge_dhcp_start>
    <serverbridge_dhcp_end></serverbridge_dhcp_end>
    <netbios_enable></netbios_enable>
    <netbios_ntype>0</netbios_ntype>
    <netbios_scope></netbios_scope>
    <verbosity_level>11</verbosity_level>
  </openvpn-server>
</openvpn>
OpenVPN-Client ipfire config:
# IPFire n2n Open VPN Client Config by ummeegge and m.a.d
#
# User Security
user nobody
group nobody
persist-tun
persist-key
script-security 2
# IP/DNS for remote Server Gateway
remote 195.154.x.x
float
# IP addresses of the VPN Subnet
ifconfig 192.168.111.2 192.168.111.1
# Server Gateway Network
route 10.0.10.0 255.255.255.0
# tun Device
dev tun
# Logfile for statistics
status-version 1
status /var/run/openvpn/-n2n 10
# Port and Protocol
port 1194
proto udp
# Packet size
tun-mtu 1500
fragment 1300
mssfix
ns-cert-type server
# Auth. Client
tls-client
# Cipher
cipher AES-256-CBC
pkcs12 /var/ipfire/ovpn/certs/pf.p12
# HMAC algorithm
auth SHA256
# Debug Level
verb 3
# Tunnel check
keepalive 10 60
# Start as daemon
daemon pfn2n
writepid /var/run/pfn2n.pid
# Activate Management Interface and Port
management localhost 1194
# remsub 172.30.0.0/255.255.255.0
OpenVPN-Server log:
Jun 28 21:52:37 openvpn 58809 PO_CTL rwflags=0x0001 ev=7 arg=0x00692584
Jun 28 21:52:37 openvpn 58809 PO_CTL rwflags=0x0001 ev=5 arg=0x00692588
Jun 28 21:52:37 openvpn 58809 I/O WAIT TR|Tw|SR|Sw [10/0]
Jun 28 21:52:37 openvpn 58809 PO_WAIT[0,0] fd=6 rev=0x00000001 rwflags=0x0001 arg=0x00693720
Jun 28 21:52:37 openvpn 58809 event_wait returned 1
Jun 28 21:52:37 openvpn 58809 I/O WAIT status=0x0001
Jun 28 21:52:37 openvpn 58809 UDPv4 read returned 114
Jun 28 21:52:37 openvpn 58809 TLS State Error: No TLS state for client [AF_INET]87.132.x.x:1194, opcode=4
Jun 28 21:52:37 openvpn 58809 GET INST BY REAL: 87.132.x.x:1194 [failed]
Jun 28 21:52:37 openvpn 58809 SCHEDULE: schedule_find_least NULL
Jun 28 21:52:37 openvpn 58809 PO_CTL rwflags=0x0001 ev=6 arg=0x00693720
Jun 28 21:52:37 openvpn 58809 PO_CTL rwflags=0x0001 ev=7 arg=0x00692584
Jun 28 21:52:37 openvpn 58809 PO_CTL rwflags=0x0001 ev=5 arg=0x00692588
OpenVPN-Client log:
IPFire diagnostics
Section: openvpn
Date: June 28, 2016
21:51:03 pfn2n[17087]: VERIFY OK: depth=0, C=DE, ST=BaWu, L=xxx, O=xxxx, emailAddress=vpn@xxxx, CN=test.xxxx
21:51:03 pfn2n[17087]: VERIFY OK: nsCertType=SERVER
21:51:03 pfn2n[17087]: VERIFY OK: depth=1, C=DE, ST=BaWu, L=xxx, O=xxxx, emailAddress=vpn@xxxx, CN=internal-ca
21:51:03 pfn2n[17087]: TLS: Initial packet from [AF_INET]195.154.x.x:1194, sid=478bfbc1 106c30b7
21:51:03 pfn2n[17087]: UDPv4 link remote: [AF_INET]195.154.x.x:1194
21:51:03 pfn2n[17087]: UDPv4 link local (bound): [AF_INET]192.168.2.254:1194
21:51:03 pfn2n[17087]: Preserving previous TUN/TAP instance: tun1
21:51:03 pfn2n[17087]: Socket Buffers: R=[212992->131072] S=[212992->131072]
21:51:03 pfn2n[17087]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
21:51:01 pfn2n[17087]: Restart pause, 2 second(s)
21:51:01 pfn2n[17087]: SIGUSR1[soft,ping-restart] received, process restarting
21:51:01 pfn2n[17087]: [test.xxxx] Inactivity timeout (--ping-restart), restarting
21:50:03 pfn2n[17087]: MANAGEMENT: Client disconnected
21:50:03 pfn2n[17087]: MANAGEMENT: CMD 'state'
21:50:03 pfn2n[17087]: MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1194
21:50:00 pfn2n[17087]: VERIFY OK: depth=0, C=DE, ST=BaWu, L=xxx, O=xxxx, emailAddress=vpn@xxxx, CN=test.xxxx
21:50:00 pfn2n[17087]: VERIFY OK: nsCertType=SERVER
21:50:00 pfn2n[17087]: VERIFY OK: depth=1, C=DE, ST=BaWu, L=xxx, O=xxxx, emailAddress=vpn@xxxx, CN=internal-ca
21:50:00 pfn2n[17087]: TLS: Initial packet from [AF_INET]195.154.x.x:1194, sid=bc4d0405 6a7a28f4
21:50:00 pfn2n[17087]: UDPv4 link remote: [AF_INET]195.154.x.x:1194
21:50:00 pfn2n[17087]: UDPv4 link local (bound): [AF_INET]192.168.2.254:1194
21:50:00 pfn2n[17087]: UID set to nobody
21:50:00 pfn2n[17087]: GID set to nobody
21:50:00 pfn2n[17087]: /sbin/ip route add 172.30.0.0/24 via 192.168.111.1
21:50:00 pfn2n[17087]: /etc/init.d/static-routes start tun1 1500 1573 192.168.111.2 192.168.111.1 init
21:50:00 pfn2n[17087]: /sbin/ip addr add dev tun1 local 192.168.111.2 peer 192.168.111.1
21:50:00 pfn2n[17087]: /sbin/ip link set dev tun1 up mtu 1500
21:50:00 pfn2n[17087]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
21:50:00 pfn2n[17087]: TUN/TAP TX queue length set to 100
21:50:00 pfn2n[17087]: TUN/TAP device tun1 opened
21:50:00 pfn2n[17087]: ROUTE_GATEWAY 192.168.2.1/255.255.255.0 IFACE=red0 HWADDR=00:0d:b9:xx:xx:xx
21:50:00 pfn2n[17087]: Socket Buffers: R=[212992->131072] S=[212992->131072]
21:50:00 pfn2n[17087]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
21:50:00 pfn2n[17087]: MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1194
21:50:00 pfn2n[17086]: library versions: OpenSSL 1.0.2h 3 May 2016, LZO 2.09
21:50:00 pfn2n[17086]: OpenVPN 2.3.7 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Apr 1 2016
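Added here as an example (not the original poster's code and not part of pfSense or IPFire), a short Python check that pulls the directives OpenVPN requires both peers to agree on out of the two configs above and reports where they differ. The pfSense field-to-directive mapping, the ';'-separated custom_options format and the abridged inline copies of the configs are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Abridged copies of the two configs posted above (constructed inline for this example).
SERVER_XML = """<openvpn-server>
  <protocol>UDP</protocol>
  <crypto>AES-256-CBC</crypto>
  <digest>RSA-SHA256</digest>
  <custom_options></custom_options>
</openvpn-server>"""

CLIENT_CONF = """proto udp
fragment 1300
cipher AES-256-CBC
auth SHA256   # HMAC algorithm
"""

# Directives OpenVPN requires both peers to agree on; fragment in particular
# must be set on both sides or on neither.
MUST_MATCH = ("proto", "cipher", "auth", "fragment")

def parse_client(conf):
    """Return {directive: [args]} from a plain OpenVPN config, ignoring comments."""
    opts = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            opts.setdefault(name, args)
    return opts

def server_effective(xml_text):
    """Map pfSense <openvpn-server> fields to the directives they generate (assumed mapping)."""
    root = ET.fromstring(xml_text)
    text = lambda tag: (root.findtext(tag) or "").strip()
    eff = {
        "proto": [text("protocol").lower()],
        "cipher": [text("crypto")],
        "auth": [text("digest").replace("RSA-", "")],  # RSA-SHA256 -> auth SHA256
    }
    for entry in text("custom_options").split(";"):     # assumed: ';'-separated extra directives
        if entry.strip():
            name, *args = entry.split()
            eff.setdefault(name, args)
    return eff

def mismatches(server, client):
    """List (directive, server_args, client_args) where the two sides differ."""
    return [(d, server.get(d), client.get(d))
            for d in MUST_MATCH if server.get(d) != client.get(d)]
```

Run against the posted configs, it reports `fragment` as set only on the client (1300), while proto, cipher and auth agree.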