    PfSense to FreeBSD VPN/IPsec

    15 Posts 4 Posters 8.1k Views
sullrich

      Are there any log messages in Diagnostics -> System Logs -> IPSEC concerning Client 2?

J.Borg

        Not that I saw. I will be in the studio in half an hour. BTW if you will need any photos for your project I will do what I can. I like pfSense.

        Julia

sullrich

          Yes, I will take you up on that offer. ;)

J.Borg

            @sullrich:

            Yes, I will take you up on that offer. ;)

            Deal.

"Diagnostics: System logs: IPSEC VPN", my version of pfSense is 1.0.1. After an attempt to ping a host at Client 2 (it answers from my home nanoBSD box) from the pfSense box at the studio (from the shell) - all packets lost, and no mention of anything but ISAKMP-SA/ESP between the external IP of the studio and the external IP of Client 1. The only warning is "setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument"

Traceroute from the pfSense box to the gateway at Client 1 shows attempts to reach the host through the internet cloud. Tracert from a notebook connected to the pfSense box shows normal output, 3 hops.

IMHO if it were possible to ping the Client 1 host from the box itself, all the rest would be easier.

            Edit:

Highlighted lines look slightly confusing to me. They are not shown in the SAD/SPD web interface.

            setkey -DP

            192.168.200.0/24[any] 192.168.200.1[any] any
                    in none
                    spid=1 seq=3 pid=3087
                    refcnt=1
            192.168.0.1/24[any] 192.168.200.1/24[any] any
                    in ipsec
                    esp/tunnel/$Client1_ip-$Studio-ip/unique#16386
                    spid=4 seq=2 pid=3087
                    refcnt=1
            192.168.200.1[any] 192.168.200.0/24[any] any
                    out none
                    spid=2 seq=1 pid=3087
                    refcnt=1
            192.168.200.1/24[any] 192.168.0.1/24[any] any
                    out ipsec
                    esp/tunnel/$Studio-ip-$Client1_ip/unique#16385
                    spid=3 seq=0 pid=3087
                    refcnt=1

            Edit 2:

            And here is spdadd on FreeBSD Client 1:

            spdadd 192.168.0.1/24 192.168.200.1/24 any -P out ipsec esp/tunnel/$Client1_ip-$Studio-ip/require;
            spdadd 192.168.200.1/24 192.168.0.1/24 any -P in ipsec esp/tunnel/$Studio-ip-$Client1_ip/require;

In the FreeBSD <-> nanoBSD setup it is:

            spdadd $Client1_ip/24 $Home-ip/24 any -P out ipsec esp/tunnel/$Client1_ip-$Home-ip/require;
            spdadd $Home-ip/24 $Client1_ip/24 any -P in ipsec esp/tunnel/$Home-ip-$Client1_ip/require;

In the FreeBSD Handbook the suggested setup also uses external IPs only:

            spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P out ipsec esp/tunnel/W.X.Y.Z-A.B.C.D/require;
            spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec esp/tunnel/A.B.C.D-W.X.Y.Z/require;

This type of thing was not working on pfSense, so looking into the FreeBSD racoon log I saw the policy requested by the pfSense box was using phantom IPs; so I adjusted spdadd on FreeBSD to generate the same policy.

            BTW a wizard that would generate recommended settings for the host connected to pfSense box would be a great addition for us photographers :)

            Julia

sullrich

              So where are we now, does it work? :)

J.Borg

                @sullrich:

                So where are we now, does it work? :)

My problem seems to be that I can't reach 192.168.0.1 directly from the pfSense box. Pings from the box to that address drop. Because of that I can't create a proper route 192.168.1/24 via 192.168.0.1.

                Maybe I should try to create another VPN that will connect 192.169.200.1 host to 192.168.0.1 host to force traffic?

                Julia

hoba

You can't route through IPSEC. You need to either sum up all networks by creating a bigger subnet mask or you need parallel tunnels.

J.Borg

                    @hoba:

You can't route through IPSEC. You need to either sum up all networks by creating a bigger subnet mask or you need parallel tunnels.

                    Can you please explain why it works from nanoBSD but not with pfSense? To create one more GRE tunnel to Client 2 will be very difficult as their sysadmin is not a nice person to deal with.

                    Currently my pfSense tunnel is 192.168.0.1/24 <-> 192.168.200.1/24 Where should I use a larger mask, on the 192.168.0.1 end?

And why can't I ping 192.168.0.1 from 192.168.200.1, but can ping it from 192.168.200.199?

                    Sorry I know I ask too much :)

                    Julia

hoba

                      Guess because it's a gif/ipsec tunnel?

You can run it with one tunnel like 192.168.200.0/24 <-> 192.168.0.0/16. Ask the admin of the other box to change his tunnel definition this way and change it at your end and you should be fine.

J.Borg
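An added example (not from this thread, pfSense or FreeBSD) that models hoba's point about not being able to route through IPsec: it parses the setkey -DP listing Julia posted above, looks a packet up against those selectors, and then applies the wider 192.168.0.0/16 selector. Assumptions: first match in listed order, a constructed Client 2 host 192.168.1.10 behind 192.168.0.1, and the $Client1_ip/$Studio-ip placeholders left as in the post.

```python
import ipaddress
from typing import List, NamedTuple, Optional

class Policy(NamedTuple):
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str   # "in" or "out"
    action: str      # "ipsec", "none" or "discard"
# Constructed input: the `setkey -DP` listing from the thread, shortened to
# the selector, direction/action and esp/tunnel lines (placeholders kept).
SETKEY_DP = """
192.168.200.0/24[any] 192.168.200.1[any] any
        in none
192.168.0.1/24[any] 192.168.200.1/24[any] any
        in ipsec
        esp/tunnel/$Client1_ip-$Studio-ip/unique#16386
192.168.200.1[any] 192.168.200.0/24[any] any
        out none
192.168.200.1/24[any] 192.168.0.1/24[any] any
        out ipsec
        esp/tunnel/$Studio-ip-$Client1_ip/unique#16385
"""
def parse_setkey_dp(text: str) -> List[Policy]:
    """Pair each selector line ("<src>[port] <dst>[port] <proto>") with the
    "<direction> <action>" line after it; esp/tunnel, spid and refcnt lines are skipped."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    policies = []
    for here, nxt in zip(lines, lines[1:]):
        parts = here.split()
        if len(parts) == 3 and "[" in parts[0]:
            # strict=False masks host bits: 192.168.0.1/24 -> 192.168.0.0/24
            src = ipaddress.ip_network(parts[0].split("[")[0], strict=False)
            dst = ipaddress.ip_network(parts[1].split("[")[0], strict=False)
            direction, action = nxt.split()[:2]
            policies.append(Policy(src, dst, direction, action))
    return policies

def lookup(policies, src_ip, dst_ip, direction) -> Optional[Policy]:
    """First policy covering the packet (listed order is an assumption here).
    None means no policy applies: the packet leaves unencrypted via the routing table."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if p.direction == direction and s in p.src and d in p.dst:
            return p
    return None

def widen(policies, old: str, new: str) -> List[Policy]:
    """Hoba's fix: replace selector `old` by `new` (e.g. 192.168.0.0/24 -> /16)."""
    o, n = ipaddress.ip_network(old), ipaddress.ip_network(new)
    return [Policy(n if p.src == o else p.src, n if p.dst == o else p.dst,
                   p.direction, p.action) for p in policies]
```

With the original /24 selectors a packet from the studio box to a 192.168.1.x host matches no policy, which is why it goes out the default route in the clear; after widening to /16 the same packet is covered by the tunnel.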

                        @hoba:

                        Guess because it's a gif/ipsec tunnel?

You can run it with one tunnel like 192.168.200.0/24 <-> 192.168.0.0/16. Ask the admin of the other box to change his tunnel definition this way and change it at your end and you should be fine.

                        Thank you, after I edited spdadd as per your advice things start to look better now (have not edited gif on FreeBSD client 1 side however). I can reach Client 2 phone system. Some more work is needed…

                        Julia

sullrich

                          Awesome.  That's great to hear.

Now where can we see some of your work? :)

J.Borg

                            @sullrich:

                            Awesome.  That's great to hear.

Now where can we see some of your work? :)

                            Photography you mean? Well I work for private clients, not something to show. If you have anything photography in mind let's take it to e-mails?

                            Julia

sullrich

                              @J.Borg:

                              Photography you mean? Well I work for private clients, not something to show. If you have anything photography in mind let's take it to e-mails?

                              Sure.  sullrich@gmail.com

kidz

                                @J.Borg:

                                @hoba:

                                Guess because it's a gif/ipsec tunnel?

You can run it with one tunnel like 192.168.200.0/24 <-> 192.168.0.0/16. Ask the admin of the other box to change his tunnel definition this way and change it at your end and you should be fine.

                                Thank you, after I edited spdadd as per your advice things start to look better now (have not edited gif on FreeBSD client 1 side however). I can reach Client 2 phone system. Some more work is needed…

Dear all,

I want to make a connection between pfSense and FreeBSD 6.2RC via IPSec.

But it does not work. Could anyone establish it successfully?

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.