Access Opt1 network from different subnets

reynolwi · May 20, 2009, 2:17 AM

ok I can setup a static route on each of the other boxes, but what am I telling it as the interface. Im a totally newbie at pfsense so Im learning as i go. Since all the networks are connected via VPN IPSec tunnels am i telling the static route to use interface LAN and then the remote subnet is 10.25.22.0/24 and its gateway is 10.25.19.254 since that is pfsense2?

Im trying to get this all figured out because next I have to figure out how to get the voip phones to connect to the voip pbx which sits on the 10.25.18.0 subnet and the phones at the pfsense2 site will be on the 10.25.22.0 subnet on the optional interface.

Ive always used like netgear vpn routers and such so getting this all set back up is a definate learning experience.

wallabybob · May 20, 2009, 8:26 AM

You haven't provided topology so its difficult to say exactly what you should specify.

From the Web GUI System -> Static routes select the approriate interface from the pull down list, then specify the remote subnet and mask (10.25.22.0/24) and then the pfSense IP address of the interface on the same subnetwork as the pfSense boxes and netgear router. (I'm guessing you have your pfsense systems all have interfaces on the same subnetwork so they can communicate with each other.)

reynolwi · May 20, 2009, 7:42 PM

Ok our topology is as shown below.

pfsense 1 (cable modem – pfsense1 -- switch)

suddenlink isp (dyn ip)
|
|
   pfsense1 (lan interface 10.25.18.254)
10.25.18.0/24
255.255.255.0
   /
/
   /    ___ Access point 10.25.18.253
|
   switch
   |
   |____ exchange server, asterisk voip pbx, domain controller
5 voip phones, 6 workstations

pfsense 2 (cable modem -- pfsense2 -- switch)

suddenlink isp (dyn ip)
|
|
   pfsense2 (lan 10.25.19.254 / phone 10.25.22.254)
/
   /
/ 10.25.22.0/24 (dhcp enabled on pfsense for this interface only)
   /    255.255.255.0
|
|
10.25.19.0/24    7 voip phones (dhcp from pfsense box)
255.255.255.0
   /
/
   /    ___ Access point 10.25.19.253
|
switch
|
|____ domain controller, 8 workstations

pfsense3 (cable modem -- pfsense1 -- switch)

suddenlink isp (dyn ip)
|
|
   pfsense3 (lan interface 10.25.21.254)
10.25.21.0/24
255.255.255.0
   /
/
   /    ___ Access point 10.25.21.253
|
   switch
   |
   |____ domain controller, 3 workstations, 2 voip phones

netgear firewall/vpn (dsl modem -- netgear -- switch)

at&t isp (dhcp ip)
|
|
   netgear vpn/firewall (lan ip 10.25.20.254)
10.25.20.0/24
255.255.255.0
   |
   |____ domain controller, 3 workstations

I think i laid it out enough where you can follow it. I really only have to be able to access the phone subnet on pfsense2 on the pfsense boxes because i will be replacing that netgear router here shortly. I attached a screenshot of the static route config for pfsense1 hopeing I have it setup right.

reynolwi · May 22, 2009, 4:37 PM

I still have yet to be able to get this to work right for some reason.

Eugene · May 22, 2009, 9:49 PM

Let's narrow down your problem - you wan to reach 10.25.22.0/24 from 10.25.18.0/24.
You said that you have site-to-site vpn tunnels. So question number one: does your ipsec between pfSense1 and pfSense2 consider this traffic as 'interesting'? If not then I think you have to set up separate tunnel to handle this traffic.
Can you give us your ipsec configs?
PS: your static route picture is senseless, it's not going to work

reynolwi · May 22, 2009, 10:17 PM

On pfsense1 (10.25.18.0/24) the IPSec tunnel is as follows

Interface: WAN
NAT-T: Disabled
DPD interval: BLANK
Local Subnet: LAN Subnet
Remote Subnet: 10.25.19.0/24
Remote Gateway: xxx.xxx.com
–------
Negotiation mode: main
My Identifier: My IP Address
Encryption Algorithm: 3DES
Hash Algorithm: SHA1
DH Key Group: 2 (1024 bit)
Lifetime: BLANK
Authentication Method: Preshared Key
Pre-Shared Key: xxxxxxxxxx
Certificate: BLANK
Key: BLANK
Peer Certificate: BLANK

Protocol: ESP
Encryption Algorithms: 3DES, Blowfish, CAST128, Rijndael (AES), Rijndael 256
Hash Algorithms: SHA1, MD5
PFS Key Group: OFF
Lifetime: BLANK
Keep Alive: 10.25.19.254

pfsense2 is setup the same way just just with the correct subnet and gateway information changed. I did try and create a VPN tunnel just a few minutes ago from pfsense1 to pfsense2 using the opt interface information on pfsense2. It connected but did not allow any traffic thru because I could not ping 10.25.22.254 or the switch 10.25.22.253

Eugene · May 22, 2009, 10:22 PM

Good. You do need this second tunnel.
Did you allow ICMP to 192.10.25.22.0/24 in rules at LAN on pfSense1 and at IPSEC interface on pfSense2?
If yes then you should be able to ping at least 192.10.25.22.x pfSense2 interface.

reynolwi · May 22, 2009, 10:45 PM

I have the rules on the IPSec tunnels to allow anything to come in and out from the tunnels. I attached my IPSEC firewall page so you can look at it. Ive already tried to create a IPSec tunnel to the second network on pfsense2 but it wasnt allowing any traffic.

The IPSec Rules are identical on every pfsense box I setup. I also attached the WAN Firewalls rules for the pfsense1 box and the LAN rules are set basically like the IPSec rules with the source as LAN Subnet and allow all.

Eugene · May 23, 2009, 5:53 PM

As you are trying to reach 10.25.22.0/24 from 10.25.18.0/24 it would be interesting to look at rules you have at the interface connected to 10.25.18.0/24 network (LAN I suspect). pfSense apply rules whe a packet enters pfSense not when it leaves.

reynolwi · May 23, 2009, 6:16 PM

Here is the LAN Rules for pfsense1 - 10.25.18.0

reynolwi · May 23, 2009, 6:17 PM

Here are the LAN Rules for both pfsense2 subnets - 10.25.19.0 & 10.25.22.0

reynolwi · May 23, 2009, 6:17 PM

and here are the WAN and IPSec rules for pfsense2.

Eugene · May 23, 2009, 6:29 PM

Ok. Please from both pfSenses

setkey -D
setkey -DP

And at pfSense1 run continuous ping to 10.25.22.x (ip address of the pfSense2 interface).
At the same time at pfSense2 run

tcpdump -i <wan int="">-n esp</wan>

where <wan int="">is WAN interface name.</wan>

reynolwi · May 23, 2009, 6:31 PM

so in the console I need to this on both pfsenses?

Eugene · May 23, 2009, 6:32 PM

console or ssh session. (it's kind of hard to copy-paste) from console…

reynolwi · May 23, 2009, 6:34 PM

OK i ssh into each box what option do I use to do all this. I will post back in a second

Eugene · May 23, 2009, 6:39 PM

Install Putty software http://www.putty.org/
then Enable Secure Shell on both pfSenses System->Advanced
Connect to the box with root and your password and choose 8) shell.
CAREFUL! you can destroy the system, you have full power now.
Now you can execute commands I gave you earlier.
I've never used php console, so I can't not tell you how to use it, but I suspect it gives you the same result as the method described above.

reynolwi · May 23, 2009, 6:40 PM

this is what came from pfsense2.

13:38:53.031131 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e31), length 76
13:38:53.034763 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7c2), length 340
13:38:53.039349 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e32), length 428
13:38:53.053124 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7c3), length 156
13:38:53.053743 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e33), length 132
13:38:53.066648 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7c4), length 180
13:38:53.068800 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e34), length 212
13:38:53.086310 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7c5), length 1480
13:38:53.087144 IP 74.192.197.63 > 74.197.181.236: esp
13:38:53.088697 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7c6), length 404
13:38:53.090259 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e35), length 76
13:38:53.091378 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e36), length 124
13:38:53.108205 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7c7), length 140
13:38:53.108915 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e37), length 380
13:38:53.122254 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7c8), length 316
13:38:53.125367 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e38), length 124
13:38:53.138263 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7c9), length 140
13:38:53.138804 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e39), length 212
13:38:53.154298 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7ca), length 300
13:38:53.156573 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e3a), length 244
13:38:53.170306 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7cb), length 268
13:38:53.171327 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e3b), length 228
13:38:53.184349 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7cc), length 396
13:38:53.186403 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e3c), length 244
13:38:53.200359 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7cd), length 268
13:38:53.201251 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e3d), length 228
13:38:53.214387 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7ce), length 316
13:38:53.216420 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e3e), length 244
13:38:53.230397 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7cf), length 348
13:38:53.231298 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e3f), length 260
13:38:53.244431 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7d0), length 348
13:38:53.246330 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e40), length 276
13:38:53.272971 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7d1), length 348
13:38:53.274156 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e41), length 260
13:38:53.287994 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7d2), length 268
13:38:53.289870 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e42), length 244
13:38:53.304015 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7d3), length 316
13:38:53.304953 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e43), length 228
13:38:53.332548 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7d4), length 268
13:38:53.334488 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e44), length 244
13:38:53.346070 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7d5), length 268
13:38:53.346821 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e45), length 228
13:38:53.360599 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7d6), length 380
13:38:53.362673 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e46), length 244
13:38:53.382102 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7d7), length 268
13:38:53.383175 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e47), length 244
13:38:53.398635 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7d8), length 116
13:38:53.400207 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e48), length 116
13:38:53.506570 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e49), length 1468
13:38:53.506886 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e4a), length 852
13:38:53.507666 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e4b), length 1468
13:38:53.521700 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e4c), length 804
13:38:53.611921 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7d9), length 84
13:38:53.612580 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e4d), length 1468
13:38:53.612861 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e4e), length 892
13:38:53.615945 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7da), length 84
13:38:53.619934 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7db), length 140
13:38:53.627684 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e4f), length 84
13:38:53.629963 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7dc), length 76
13:38:53.645967 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7dd), length 84
13:38:54.018527 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7de), length 92
13:38:54.019432 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e50), length 92
13:38:54.032020 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7df), length 84
13:38:54.032126 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7e0), length 84
13:38:54.033097 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e51), length 84
13:38:54.033208 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e52), length 84
13:38:54.046040 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7e1), length 76
13:38:54.046143 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7e2), length 76
13:38:54.050057 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7e3), length 212
13:38:54.050818 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e53), length 260
13:38:54.067755 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7e4), length 1480
13:38:54.068554 IP 74.192.197.63 > 74.197.181.236: esp
13:38:54.072097 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7e5), length 460
13:38:54.072635 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e54), length 76
13:38:54.074125 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e55), length 356
13:38:54.091751 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7e6), length 172
13:38:54.092336 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e56), length 132
13:38:54.107664 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7e7), length 180
13:38:54.108376 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e57), length 212
13:38:54.123779 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7e8), length 1480
13:38:54.124631 IP 74.192.197.63 > 74.197.181.236: esp
13:38:54.130687 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7e9), length 412
13:38:54.131174 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e58), length 76
13:38:54.131278 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e59), length 124
13:38:54.150197 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7ea), length 140
13:38:54.150682 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e5a), length 260
13:38:54.166247 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7eb), length 284
13:38:54.166714 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e5b), length 124
13:38:54.183257 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7ec), length 140
13:38:54.183813 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e5c), length 436
13:38:54.196803 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7ed), length 420
13:38:54.197303 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e5d), length 124
13:38:54.211797 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7ee), length 140
13:38:54.212322 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e5e), length 212
13:38:54.227822 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7ef), length 276
13:38:54.228656 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e5f), length 212
13:38:54.242354 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7f0), length 244
13:38:54.242917 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e60), length 196
13:38:54.258384 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7f1), length 372
13:38:54.259049 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e61), length 212
13:38:54.273882 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7f2), length 244
13:38:54.274423 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e62), length 196
13:38:54.290429 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7f3), length 292
13:38:54.291073 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e63), length 212
13:38:54.305925 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7f4), length 244
13:38:54.306454 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e64), length 212
13:38:54.320471 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7f5), length 244
13:38:54.321181 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e65), length 212
13:38:54.335979 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7f6), length 116
13:38:54.336360 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e66), length 116
13:38:54.501690 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7f7), length 76
^C
1382 packets captured
3834 packets received by filter
0 packets dropped by kernel

Eugene · May 23, 2009, 6:43 PM

Ohhh.. I forgot that you have two tunnels… it's impossible to say whether esp packet belongs to the first tunnel or to the second.
What about setkey commands output?

reynolwi · May 23, 2009, 6:52 PM

pfsense1 - 10.25.18.0

setkey -D

74.192.197.63 74.197.181.236
esp mode=any spi=60471947(0x039aba8b) reqid=16391(0x00004007)
E: 3des-cbc 6e0b248a c6e085cc 60d2c785 89fa6591 6e7f1285 e4fbb0d8
A: hmac-sha1 9923d945 c4b2010d 69f84b9e 4b749689 757d22db
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 23 13:48:38 2009 current: May 23 13:48:57 2009
diff: 19(s) hard: 28800(s) soft: 23040(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=9 pid=27536 refcnt=1
74.192.197.63 74.197.181.236
esp mode=any spi=233187485(0x0de6289d) reqid=16391(0x00004007)
E: 3des-cbc 2edfdf2c 64a2d7c3 bdb43c01 2216f7ed b190d2c6 67ca09b4
A: hmac-sha1 cfc0db0d b2f053d5 794d1f09 16cbd88b 405515e0
seq=0x00000001 replay=4 flags=0x00000000 state=mature
created: May 23 13:48:33 2009 current: May 23 13:48:57 2009
diff: 24(s) hard: 28800(s) soft: 23040(s)
last: May 23 13:48:38 2009 hard: 0(s) soft: 0(s)
current: 112(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 1 hard: 0 soft: 0
sadb_seq=8 pid=27536 refcnt=2
74.192.197.63 74.197.181.236
esp mode=any spi=221953858(0x0d3abf42) reqid=16393(0x00004009)
E: 3des-cbc af3484af c3fb45be 1351f357 c6c45f15 f79e1505 01aa72e3
A: hmac-sha1 6a24a389 87a9de65 9b055c45 215aacfe 9a1dbc7c
seq=0x000001d3 replay=4 flags=0x00000000 state=mature
created: May 23 13:48:07 2009 current: May 23 13:48:57 2009
diff: 50(s) hard: 28800(s) soft: 23040(s)
last: May 23 13:48:55 2009 hard: 0(s) soft: 0(s)
current: 129416(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 467 hard: 0 soft: 0
sadb_seq=7 pid=27536 refcnt=2
74.197.181.236 74.192.197.63
esp mode=tunnel spi=201338668(0x0c002f2c) reqid=16394(0x0000400a)
E: 3des-cbc f3890148 ec257e0d ceead7f4 57d4855a 2f86672d 82eb2ebd
A: hmac-sha1 5b7b5b75 25e7dc9e 340d5e19 c29c8500 658f5fa8
seq=0x00000191 replay=4 flags=0x00000000 state=mature
created: May 23 13:48:07 2009 current: May 23 13:48:57 2009
diff: 50(s) hard: 28800(s) soft: 23040(s)
last: May 23 13:48:55 2009 hard: 0(s) soft: 0(s)
current: 94969(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 401 hard: 0 soft: 0
sadb_seq=6 pid=27536 refcnt=1
74.197.181.236 74.192.197.63
esp mode=tunnel spi=41187146(0x0274774a) reqid=16392(0x00004008)
E: 3des-cbc 493c8031 7c7027cf 34100863 715a81ef 709dcd21 d9591056
A: hmac-sha1 ef30bdca affca9de 10f0e2b1 441e3427 a4d83664
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 23 13:48:38 2009 current: May 23 13:48:57 2009
diff: 19(s) hard: 28800(s) soft: 23040(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=5 pid=27536 refcnt=1
74.197.181.236 74.192.197.63
esp mode=tunnel spi=30718151(0x01d4b8c7) reqid=16392(0x00004008)
E: 3des-cbc 127ffe1a 2b3b6f72 fc1ecebc cb3d9d30 acc1402d 91828761
A: hmac-sha1 d45da5dd 66447eeb 0ac952f5 a59c0b7a eddd710b
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 23 13:48:33 2009 current: May 23 13:48:57 2009
diff: 24(s) hard: 28800(s) soft: 23040(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=4 pid=27536 refcnt=1
74.192.197.63 75.9.221.112
esp mode=any spi=3234821474(0xc0cf7562) reqid=16387(0x00004003)
E: 3des-cbc a2293efa 07a9fef0 8719a944 25688c60 284a672b 67645902
A: hmac-sha1 813dab38 2e3fa9bb 451d4ebc 2d4a5883 1a34789b
seq=0x0000a643 replay=4 flags=0x00000000 state=mature
created: May 23 10:28:26 2009 current: May 23 13:48:57 2009
diff: 12031(s) hard: 28800(s) soft: 23040(s)
last: May 23 13:48:51 2009 hard: 0(s) soft: 0(s)
current: 13826576(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 42563 hard: 0 soft: 0
sadb_seq=3 pid=27536 refcnt=2
75.9.221.112 74.192.197.63
esp mode=tunnel spi=115498621(0x06e25e7d) reqid=16388(0x00004004)
E: 3des-cbc 572de107 9721aa59 b4d5c757 669538cf 64e20d38 8442723a
A: hmac-sha1 c737669f a260ba62 f8643bca 20ef0e24 d5740cf1
seq=0x00009377 replay=4 flags=0x00000000 state=mature
created: May 23 10:28:26 2009 current: May 23 13:48:57 2009
diff: 12031(s) hard: 28800(s) soft: 23040(s)
last: May 23 13:48:51 2009 hard: 0(s) soft: 0(s)
current: 6794020(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 37751 hard: 0 soft: 0
sadb_seq=2 pid=27536 refcnt=1
74.192.197.63 74.192.216.72
esp mode=any spi=89425175(0x05548517) reqid=16389(0x00004005)
E: 3des-cbc 352c7456 1735fd46 849d4307 b35dc1e5 ebc47391 ca397dba
A: hmac-sha1 ee096c0a 5ffa6af0 f1e23349 4584ab9a bfc03cea
seq=0x0000a205 replay=4 flags=0x00000000 state=mature
created: May 23 10:25:59 2009 current: May 23 13:48:57 2009
diff: 12178(s) hard: 28800(s) soft: 23040(s)
last: May 23 13:48:50 2009 hard: 0(s) soft: 0(s)
current: 13297208(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 41477 hard: 0 soft: 0
sadb_seq=1 pid=27536 refcnt=2
74.192.216.72 74.192.197.63
esp mode=tunnel spi=62317237(0x03b6e2b5) reqid=16390(0x00004006)
E: 3des-cbc 1df63d33 a1acdccb 8d717591 8af05130 b8d7065e fa9aee41
A: hmac-sha1 862c82d7 6b06e932 f3eadd64 ca5592a7 580e6275
seq=0x00008db4 replay=4 flags=0x00000000 state=mature
created: May 23 10:25:59 2009 current: May 23 13:48:57 2009
diff: 12178(s) hard: 28800(s) soft: 23040(s)
last: May 23 13:48:50 2009 hard: 0(s) soft: 0(s)
current: 6393009(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 36276 hard: 0 soft: 0
sadb_seq=0 pid=27536 refcnt=1

setkey -DP

10.25.18.0/24[any] 10.25.18.254[any] any
in none
spid=1 seq=9 pid=27643
refcnt=1
10.25.20.0/24[any] 10.25.18.0/24[any] any
in ipsec
esp/tunnel/75.9.221.112-74.192.197.63/unique#16388
spid=6 seq=8 pid=27643
refcnt=1
10.25.21.0/24[any] 10.25.18.0/24[any] any
in ipsec
esp/tunnel/74.192.216.72-74.192.197.63/unique#16390
spid=8 seq=7 pid=27643
refcnt=1
10.25.22.0/24[any] 10.25.18.0/24[any] any
in ipsec
esp/tunnel/74.197.181.236-74.192.197.63/unique#16392
spid=10 seq=6 pid=27643
refcnt=1
10.25.19.0/24[any] 10.25.18.0/24[any] any
in ipsec
esp/tunnel/74.197.181.236-74.192.197.63/unique#16394
spid=12 seq=5 pid=27643
refcnt=1
10.25.18.254[any] 10.25.18.0/24[any] any
out none
spid=2 seq=4 pid=27643
refcnt=1
10.25.18.0/24[any] 10.25.20.0/24[any] any
out ipsec
esp/tunnel/74.192.197.63-75.9.221.112/unique#16387
spid=5 seq=3 pid=27643
refcnt=1
10.25.18.0/24[any] 10.25.21.0/24[any] any
out ipsec
esp/tunnel/74.192.197.63-74.192.216.72/unique#16389
spid=7 seq=2 pid=27643
refcnt=1
10.25.18.0/24[any] 10.25.22.0/24[any] any
out ipsec
esp/tunnel/74.192.197.63-74.197.181.236/unique#16391
spid=9 seq=1 pid=27643
refcnt=1
10.25.18.0/24[any] 10.25.19.0/24[any] any
out ipsec
esp/tunnel/74.192.197.63-74.197.181.236/unique#16393
spid=11 seq=0 pid=27643
refcnt=1
– -- -- -- --
pfsense2 - 10.25.19.0 & 10.25.22.0

setkey -D

74.197.181.236 74.192.197.63
esp mode=any spi=41187146(0x0274774a) reqid=16401(0x00004011)
E: 3des-cbc 493c8031 7c7027cf 34100863 715a81ef 709dcd21 d9591056
A: hmac-sha1 ef30bdca affca9de 10f0e2b1 441e3427 a4d83664
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 23 13:48:38 2009 current: May 23 13:50:38 2009
diff: 120(s) hard: 28800(s) soft: 23040(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=9 pid=26490 refcnt=1
74.192.197.63 74.197.181.236
esp mode=tunnel spi=60471947(0x039aba8b) reqid=16402(0x00004012)
E: 3des-cbc 6e0b248a c6e085cc 60d2c785 89fa6591 6e7f1285 e4fbb0d8
A: hmac-sha1 9923d945 c4b2010d 69f84b9e 4b749689 757d22db
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 23 13:48:38 2009 current: May 23 13:50:38 2009
diff: 120(s) hard: 28800(s) soft: 23040(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=8 pid=26490 refcnt=1
74.197.181.236 74.192.197.63
esp mode=any spi=30718151(0x01d4b8c7) reqid=16399(0x0000400f)
E: 3des-cbc 127ffe1a 2b3b6f72 fc1ecebc cb3d9d30 acc1402d 91828761
A: hmac-sha1 d45da5dd 66447eeb 0ac952f5 a59c0b7a eddd710b
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 23 13:48:33 2009 current: May 23 13:50:38 2009
diff: 125(s) hard: 28800(s) soft: 23040(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=7 pid=26490 refcnt=1
74.192.197.63 74.197.181.236
esp mode=tunnel spi=233187485(0x0de6289d) reqid=16400(0x00004010)
E: 3des-cbc 2edfdf2c 64a2d7c3 bdb43c01 2216f7ed b190d2c6 67ca09b4
A: hmac-sha1 cfc0db0d b2f053d5 794d1f09 16cbd88b 405515e0
seq=0x00000001 replay=4 flags=0x00000000 state=mature
created: May 23 13:48:33 2009 current: May 23 13:50:38 2009
diff: 125(s) hard: 28800(s) soft: 23040(s)
last: May 23 13:48:38 2009 hard: 0(s) soft: 0(s)
current: 80(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 1 hard: 0 soft: 0
sadb_seq=6 pid=26490 refcnt=1
74.197.181.236 75.9.221.112
esp mode=any spi=3379262788(0xc96b7544) reqid=16397(0x0000400d)
E: 3des-cbc 04e34d8b 33d1dfaf 144ebfbe fe894aec 2a9176d8 dca69d10
A: hmac-sha1 c2cb6e07 c69f0e0d 38384cac 9bbc80a5 e45689ef
seq=0x00000e90 replay=4 flags=0x00000000 state=mature
created: May 23 09:48:48 2009 current: May 23 13:50:38 2009
diff: 14510(s) hard: 28800(s) soft: 23040(s)
last: May 23 13:49:43 2009 hard: 0(s) soft: 0(s)
current: 848464(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 3728 hard: 0 soft: 0
sadb_seq=5 pid=26490 refcnt=2
75.9.221.112 74.197.181.236
esp mode=tunnel spi=127481662(0x0799373e) reqid=16398(0x0000400e)
E: 3des-cbc 44ac5d5b 858c76b0 5d9ac25e b3b0256c 1a2b6551 7283f422
A: hmac-sha1 d14f3d7e f9616234 1ecd270e 067a89dd 514aa3a8
seq=0x0000113c replay=4 flags=0x00000000 state=mature
created: May 23 09:48:48 2009 current: May 23 13:50:38 2009
diff: 14510(s) hard: 28800(s) soft: 23040(s)
last: May 23 13:49:43 2009 hard: 0(s) soft: 0(s)
current: 1065056(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 4412 hard: 0 soft: 0
sadb_seq=4 pid=26490 refcnt=1
74.197.181.236 74.192.197.63
esp mode=any spi=201338668(0x0c002f2c) reqid=16391(0x00004007)
E: 3des-cbc f3890148 ec257e0d ceead7f4 57d4855a 2f86672d 82eb2ebd
A: hmac-sha1 5b7b5b75 25e7dc9e 340d5e19 c29c8500 658f5fa8
seq=0x000004e6 replay=4 flags=0x00000000 state=mature
created: May 23 13:48:07 2009 current: May 23 13:50:39 2009
diff: 152(s) hard: 28800(s) soft: 23040(s)
last: May 23 13:50:38 2009 hard: 0(s) soft: 0(s)
current: 276064(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 1254 hard: 0 soft: 0
sadb_seq=3 pid=26490 refcnt=2
74.192.197.63 74.197.181.236
esp mode=tunnel spi=221953858(0x0d3abf42) reqid=16392(0x00004008)
E: 3des-cbc af3484af c3fb45be 1351f357 c6c45f15 f79e1505 01aa72e3
A: hmac-sha1 6a24a389 87a9de65 9b055c45 215aacfe 9a1dbc7c
seq=0x000005b4 replay=4 flags=0x00000000 state=mature
created: May 23 13:48:07 2009 current: May 23 13:50:39 2009
diff: 152(s) hard: 28800(s) soft: 23040(s)
last: May 23 13:50:38 2009 hard: 0(s) soft: 0(s)
current: 369919(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 1460 hard: 0 soft: 0
sadb_seq=2 pid=26490 refcnt=1
74.197.181.236 74.192.216.72
esp mode=any spi=134029274(0x07fd1fda) reqid=16395(0x0000400b)
E: 3des-cbc c082eca1 8e191556 7bb56e70 7ef2672b 47ee316d 94086086
A: hmac-sha1 4346247e 220ffd8c d193751f 6315b637 7a8d5672
seq=0x00001025 replay=4 flags=0x00000000 state=mature
created: May 23 10:16:13 2009 current: May 23 13:50:39 2009
diff: 12866(s) hard: 28800(s) soft: 23040(s)
last: May 23 13:50:38 2009 hard: 0(s) soft: 0(s)
current: 1000728(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 4133 hard: 0 soft: 0
sadb_seq=1 pid=26490 refcnt=2
74.192.216.72 74.197.181.236
esp mode=tunnel spi=118067582(0x0709917e) reqid=16396(0x0000400c)
E: 3des-cbc 6975ebe4 202a4a7b 6afe7045 273f20d3 ff0af353 7498bd43
A: hmac-sha1 34bcc40e 0727fe3d c567b6e1 67f3e3fa 4c7210c8
seq=0x000011e1 replay=4 flags=0x00000000 state=mature
created: May 23 10:16:13 2009 current: May 23 13:50:39 2009
diff: 12866(s) hard: 28800(s) soft: 23040(s)
last: May 23 13:50:38 2009 hard: 0(s) soft: 0(s)
current: 1118602(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 4577 hard: 0 soft: 0
sadb_seq=0 pid=26490 refcnt=1

setkey -DP

10.25.19.0/24[any] 10.25.19.254[any] any
in none
spid=7 seq=11 pid=26869
refcnt=1
10.25.18.0/24[any] 10.25.19.0/24[any] any
in ipsec
esp/tunnel/74.192.197.63-74.197.181.236/unique#16392
spid=10 seq=10 pid=26869
refcnt=1
10.25.21.0/24[any] 10.25.19.0/24[any] any
in ipsec
esp/tunnel/74.192.216.72-74.197.181.236/unique#16396
spid=14 seq=9 pid=26869
refcnt=1
10.25.20.0/24[any] 10.25.19.0/24[any] any
in ipsec
esp/tunnel/75.9.221.112-74.197.181.236/unique#16398
spid=16 seq=8 pid=26869
refcnt=1
10.25.18.0/24[any] 10.25.22.0[any] any
in ipsec
esp/tunnel/74.192.197.63-74.197.181.236/unique#16400
spid=18 seq=7 pid=26869
refcnt=1
10.25.18.0/24[any] 10.25.22.0/24[any] any
in ipsec
esp/tunnel/74.192.197.63-74.197.181.236/unique#16402
spid=20 seq=6 pid=26869
refcnt=1
10.25.19.254[any] 10.25.19.0/24[any] any
out none
spid=8 seq=5 pid=26869
refcnt=1
10.25.19.0/24[any] 10.25.18.0/24[any] any
out ipsec
esp/tunnel/74.197.181.236-74.192.197.63/unique#16391
spid=9 seq=4 pid=26869
refcnt=1
10.25.19.0/24[any] 10.25.21.0/24[any] any
out ipsec
esp/tunnel/74.197.181.236-74.192.216.72/unique#16395
spid=13 seq=3 pid=26869
refcnt=1
10.25.19.0/24[any] 10.25.20.0/24[any] any
out ipsec
esp/tunnel/74.197.181.236-75.9.221.112/unique#16397
spid=15 seq=2 pid=26869
refcnt=1
10.25.22.0[any] 10.25.18.0/24[any] any
out ipsec
esp/tunnel/74.197.181.236-74.192.197.63/unique#16399
spid=17 seq=1 pid=26869
refcnt=1
10.25.22.0/24[any] 10.25.18.0/24[any] any
out ipsec
esp/tunnel/74.197.181.236-74.192.197.63/unique#16401
spid=19 seq=0 pid=26869
refcnt=1

I think that is everything. It shows the tunnels are all connected but I can not ping 10.25.22.254 from the 10.25.18.0 subnet. I can ping every other subnet but that one