Failing to get shared key site to site working
-
Hi there
Need some help debugging what should be a relatively simple point-to-point OpenVPN network between two PfSense boxes which has me completely flummoxed. I must be doing something silly but can't work out what. Help welcome!
The layout is as follows:
Location 1
Internet --> broadband modem --> fixed IP address 113.xx.xx.xx through ISP router (192.168.1.1) --> (192.168.1.101) PfSense WAN --> PfSense LAN (192.168.0.0/24, PfSense box is 192.168.0.1)
Location 1 has a fixed external IP address; the ISP's router (basically a Linksys WRT54G) then turns this into an internal address in the 192.168.1.0/24 subnet, then the PfSense box takes this and turns it into an internal 192.168.0.0/24 subnet.
Location 2
Internet --> broadband modem (PPPoE, floating external IP) --> PfSense box --> PfSense LAN (192.168.68.0/24, where the address of the PfSense box is 192.168.68.1). Location 2 also has an external dynamic domain yyy.dyndns.org
All PfSense boxes are running version 1.2.3
PfSense OpenVPN Settings are :
Location 1
Server tab
Protocol TCP
Local port 1193
Address Pool 192.168.5.0/24
Local Network - left blank
Remote Network 192.168.68.0/24
Client to client VPN tick box - unchecked
Crypto BF-CBC (128bit) (BTW - is this strong enough or should I go to one of the 256 bit choices?)
Authentication - Shared Key
Key generated as per various web tutorials and pasted in the shared key box. CA cert, server cert, server key, DH parameters, and CRL left blank
DHCP opt. DNS-server 192.168.68.1 (trying to get Location 1 to be able to find Location 2 machines, so giving here address of Location 2 PfSense box as a DNS server)
next few boxes blank
LZO compression - box ticked
Custom options - tried both blank and route 192.168.68.0 255.255.255.0
Also added firewall LAN rule permitting anything TCP/UDP on the LAN net to 192.168.68.0/24
Location 2
Client tab
Protocol TCP
Server address 113.xx.xx.xx
Server port 113
Interface IP 192.168.5.0/24
Remote network 192.168.0.0/24
Proxy host - left blank
Proxy port - left the default 3128 in place
Crypto BF-CBC 128 bit
Authentication Shared Key
Key generated as per various web tutorials in the server machine at Location 1 and pasted in the shared key box on this machine (clearly the same key used in both machines). CA cert, server cert, server key, DH parameters, and CRL left blank
LZO compression - box ticked
Limit outgoing bandwidth - left blank
Dynamic Sourceport - left blank
Custom options - tried both blank and route 192.168.0.0 255.255.255.0
Also added firewall LAN rule permitting anything TCP/UDP on the LAN net to 192.168.0.0/24
After setting this up this is the output in the system logs:
Location 1 (server)
Oct 28 07:09:55 openvpn[4989]: /etc/rc.filter_configure tun1 1500 1547 192.168.5.1 192.168.5.2 init
Oct 28 07:09:56 openvpn[4989]: SIGTERM[hard,init_instance] received, process exiting
Oct 28 07:10:15 openvpn[38884]: OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO] built on Sep 18 2009
Oct 28 07:10:15 openvpn[38884]: WARNING: file '/var/etc/openvpn_server1.secret' is group or others accessible
Oct 28 07:10:15 openvpn[38884]: LZO compression initialized
Oct 28 07:10:15 openvpn[38884]: gw 192.168.1.1
Oct 28 07:10:15 openvpn[38884]: TUN/TAP device /dev/tun1 opened
Oct 28 07:10:15 openvpn[38884]: /sbin/ifconfig tun1 192.168.5.1 192.168.5.2 mtu 1500 netmask 255.255.255.255 up
Oct 28 07:10:15 openvpn[38884]: /etc/rc.filter_configure tun1 1500 1547 192.168.5.1 192.168.5.2 init
Oct 28 07:10:17 openvpn[38884]: ERROR: FreeBSD route add command failed: shell command exited with error status: 1
Oct 28 07:10:17 openvpn[38897]: Listening for incoming TCP connection on [undef]:1193
Location 2 (client)
Oct 28 07:20:22 openvpn[43927]: /etc/rc.filter_configure tun1 1500 1547 192.168.5.2 192.168.5.1 init
Oct 28 07:20:23 openvpn[43927]: SIGTERM[hard,init_instance] received, process exiting
Oct 28 07:20:34 openvpn[45380]: OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO] built on Sep 18 2009
Oct 28 07:20:34 openvpn[45380]: WARNING: file '/var/etc/openvpn_client1.secret' is group or others accessible
Oct 28 07:20:34 openvpn[45380]: LZO compression initialized
Oct 28 07:20:34 openvpn[45380]: gw 203.218.58.154
Oct 28 07:20:34 openvpn[45380]: TUN/TAP device /dev/tun1 opened
Oct 28 07:20:34 openvpn[45380]: /sbin/ifconfig tun1 192.168.5.2 192.168.5.1 mtu 1500 netmask 255.255.255.255 up
Oct 28 07:20:34 openvpn[45380]: /etc/rc.filter_configure tun1 1500 1547 192.168.5.2 192.168.5.1 init
Oct 28 07:20:36 openvpn[45380]: ERROR: FreeBSD route add command failed: shell command exited with error status: 1
Oct 28 07:20:36 openvpn[45393]: Attempting to establish TCP connection with 113.xx.xx.xx:1193
Oct 28 07:21:51 openvpn[45393]: TCP: connect to 116.48.145.133:1193 failed, will try again in 5 seconds: Operation timed out (errno=60)
The pfSense machines clearly don't connect to each other.
I have however been able to connect to either of them from OpenVPN running on a standalone PC using PKI if I set the PfSense machines as servers using PKI. However, if I try to set one up as PKI client and the other as server, they don't connect either.
Help!
Update - I have added a WAN rule on both ends to pass TCP to port 1193 and the tunnel now connects (both logs say "Initialization Sequence Completed" as the last entry), but I can't ping 192.168.68.1 from 192.168.0.0/24 machines, and I can't ping 192.168.0.1 from 192.168.68.0/24 machines. So something is still getting in the way - the tunnel connects but I can't even ping the gateway at the other end.
-
Try entering the IP range in the local and remote network on the server and the remote network on the client; that way your packets will be passed over the VPN while you ping.
-
Thanks for the suggestion.
I have tried, but it seems that if you use "shared key" it doesn't let you enter the local network field. If you change to PKI you can then enter something in the local network field, but if you then change back to "shared key" the box contents gray out. When you save it with "shared key" again and retrieve the configuration again, the contents of the local network field are gone, and it seems to have no effect.
I have tried adding static routes to the tunnel address pool network interfaces (192.168.5.1 and 192.168.5.2) on server and client, and that allows machines on the client side to ping machines on the server side, but it does not allow server side machines to ping client side machines.
- Do I need to add anything along the lines of route a.b.c.d 255.255.255.0 on the custom options of the client and server definitions, and if so, what do I put in on each side?
- Do I need to elect any of the NetBIOS options to let the machines in each subnet at either end of the tunnel see each other, and if so, which option? Both subnets are simple peer-to-peer networks of XP machines, though I have added one small Linux box at each end running Samba with WINS not enabled, but set to be the default Domain Master Browser.
Thanks!
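As an added example (not code from the thread or from pfSense), the two tabs from the first post are modelled as data and checked for the disagreements that produce the symptoms described: a side that cannot connect at all, or a tunnel that comes up but has no route for one direction. It also prints the `route` custom option each side would need, which is what the Remote Network field generates. As transcribed, the client's server port reads 113 while the server listens on 1193; the client log shows connects to :1193, so that may be a slip in the post, but it is exactly the kind of mismatch worth ruling out first.

```python
"""Consistency check for an OpenVPN 2.0 shared-key site-to-site pair.

Added example: the pfSense 'Server' and 'Client' tabs from the post are
modelled as dicts; check_pair() reports mismatches between the two sides.
"""
import ipaddress

# Transcribed from the post (constructed data, not a live configuration).
SERVER = {"proto": "tcp", "port": 1193, "tunnel": "192.168.5.0/24",
          "local_lan": "192.168.0.0/24", "remote_lan": "192.168.68.0/24"}
CLIENT = {"proto": "tcp", "port": 113, "tunnel": "192.168.5.0/24",
          "local_lan": "192.168.68.0/24", "remote_lan": "192.168.0.0/24"}


def route_line(site):
    """OpenVPN 'route' statement this side needs so traffic for the far LAN
    enters the tunnel (the Remote Network field emits the same thing)."""
    net = ipaddress.ip_network(site["remote_lan"])
    return f"route {net.network_address} {net.netmask}"


def check_pair(server, client):
    """Return a list of problems; an empty list means both sides agree."""
    problems = []
    if server["proto"] != client["proto"]:
        problems.append("protocol mismatch: server %s, client %s"
                        % (server["proto"], client["proto"]))
    if server["port"] != client["port"]:
        problems.append("port mismatch: server listens on %d, client dials %d"
                        % (server["port"], client["port"]))
    if server["tunnel"] != client["tunnel"]:
        problems.append("tunnel network differs on the two sides")
    # Each side's Remote Network must be exactly the other side's LAN,
    # otherwise one direction has no route into the tunnel.
    if server["remote_lan"] != client["local_lan"]:
        problems.append("server Remote Network is not the client LAN")
    if client["remote_lan"] != server["local_lan"]:
        problems.append("client Remote Network is not the server LAN")
    # Tunnel pool and both LANs must not overlap, or routing is ambiguous.
    nets = [ipaddress.ip_network(n) for n in
            (server["tunnel"], server["local_lan"], client["local_lan"])]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"overlapping networks: {a} and {b}")
    return problems


if __name__ == "__main__":
    for p in check_pair(SERVER, CLIENT):
        print("PROBLEM:", p)
    print("server custom option:", route_line(SERVER))
    print("client custom option:", route_line(CLIENT))
```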
-
Yea, give it a try: set NetBIOS to broadcast.