Netgate Discussion Forum
    Failing to get shared key site to site working

    OpenVPN
    4 Posts 2 Posters 3.8k Views
    • jrdecastro

      Hi there

      Need some help debugging what should be a relatively simple point-to-point OpenVPN network between two PfSense boxes which has me completely flummoxed. I must be doing something silly but can't work out what. Help welcome!

      The layout is as follows:

      Location 1
      Internet --> broadband modem --> fixed IP address 113.xx.xx.xx through ISP router (192.168.1.1) --> (192.168.1.101) PfSense WAN --> PfSense LAN (192.168.0.0/24, PfSense box is 192.168.0.1)
      Location 1 has a fixed external IP address, the ISP's router (basically a linksys WRT54G) then turns this into an internal address in the 192.168.1.0/24 subnet, then the PfSense box takes this and turns it into an internal 192.168.0.0/24 subnet)

      Location 2
      Internet --> broadband modem (PPPoE, floating external IP) --> PfSense box --> PfSense LAN (192.168.68.0/24, where the address of the PfSense box is 192.168.68.1). Location 2 also has an external dynamic domain yyy.dyndns.org

      All PfSense boxes are running version 1.2.3

      PfSense OpenVPN Settings are :

      Location 1
      Server tab
      Protocol TCP
      Local port 1193
      Address Pool 192.168.5.0/24
      Local Network - left blank
      Remote Network 192.168.68.0/24
      Client to client VPN tick box - unchecked
      Crypto BF-CBC (128bit)  (BTW - is this strong enough or should I go to one of the 256 bit choices?)
      Authentication - Shared Key
      Key generated as per various web tutorials and pasted in the shared key box. CA cert, server cert, server key, DH parameters, and CRL left blank
      DHCP opt. DNS-server 192.168.68.1 (trying to get Location 1 to be able to find Location 2 machines, so giving here address of Location 2 PfSense box as a DNS server)
      next few boxes blank
      LZO compression - box ticked
      Custom options - tried both blank and route 192.168.68.0 255.255.255.0

      Also added firewall LAN rule permitting anything TCP/UDP on the LAN net to 192.168.68.0/24

      Location 2
      Client tab
      Protocol TCP
      Server address 113.xx.xx.xx
      Server port 113
      Interface IP 192.168.5.0/24
      Remote network 192.168.0.0/24
      Proxy host - left blank
      Proxy port - left the default 3128 in place
      Crypto BF-CBC 128 bit
      Authentication  Shared Key
      Key generated as per various web tutorials in the server machine at Location 1 and pasted in the shared key box on this machine (clearly the same key used in both machines). CA cert, server cert, server key, DH parameters, and CRL left blank
      LZO compression - box ticked
      Limit outgoing bandwidth - left blank
      Dynamic Sourceport - left blank
      Custom options  - tried both blank and route 192.168.0.0 255.255.255.0

      Also added firewall LAN rule permitting anything TCP/UDP on the LAN net to 192.168.0.0/24

      After setting this up this is the output in the system logs:

      Location 1 (server)
      Oct 28 07:09:55 openvpn[4989]: /etc/rc.filter_configure tun1 1500 1547 192.168.5.1 192.168.5.2 init
      Oct 28 07:09:56 openvpn[4989]: SIGTERM[hard,init_instance] received, process exiting
      Oct 28 07:10:15 openvpn[38884]: OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO] built on Sep 18 2009
      Oct 28 07:10:15 openvpn[38884]: WARNING: file '/var/etc/openvpn_server1.secret' is group or others accessible
      Oct 28 07:10:15 openvpn[38884]: LZO compression initialized
      Oct 28 07:10:15 openvpn[38884]: gw 192.168.1.1
      Oct 28 07:10:15 openvpn[38884]: TUN/TAP device /dev/tun1 opened
      Oct 28 07:10:15 openvpn[38884]: /sbin/ifconfig tun1 192.168.5.1 192.168.5.2 mtu 1500 netmask 255.255.255.255 up
      Oct 28 07:10:15 openvpn[38884]: /etc/rc.filter_configure tun1 1500 1547 192.168.5.1 192.168.5.2 init
      Oct 28 07:10:17 openvpn[38884]: ERROR: FreeBSD route add command failed: shell command exited with error status: 1
      Oct 28 07:10:17 openvpn[38897]: Listening for incoming TCP connection on [undef]:1193

      Location 2 (client)
      Oct 28 07:20:22 openvpn[43927]: /etc/rc.filter_configure tun1 1500 1547 192.168.5.2 192.168.5.1 init
      Oct 28 07:20:23 openvpn[43927]: SIGTERM[hard,init_instance] received, process exiting
      Oct 28 07:20:34 openvpn[45380]: OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO] built on Sep 18 2009
      Oct 28 07:20:34 openvpn[45380]: WARNING: file '/var/etc/openvpn_client1.secret' is group or others accessible
      Oct 28 07:20:34 openvpn[45380]: LZO compression initialized
      Oct 28 07:20:34 openvpn[45380]: gw 203.218.58.154
      Oct 28 07:20:34 openvpn[45380]: TUN/TAP device /dev/tun1 opened
      Oct 28 07:20:34 openvpn[45380]: /sbin/ifconfig tun1 192.168.5.2 192.168.5.1 mtu 1500 netmask 255.255.255.255 up
      Oct 28 07:20:34 openvpn[45380]: /etc/rc.filter_configure tun1 1500 1547 192.168.5.2 192.168.5.1 init
      Oct 28 07:20:36 openvpn[45380]: ERROR: FreeBSD route add command failed: shell command exited with error status: 1
      Oct 28 07:20:36 openvpn[45393]: Attempting to establish TCP connection with 113.xx.xx.xx:1193
      Oct 28 07:21:51 openvpn[45393]: TCP: connect to 116.48.145.133:1193 failed, will try again in 5 seconds: Operation timed out (errno=60)

      The pfSense machines clearly don't connect to each other.
      I have however been able to connect to either of them from OpenVPN running on a standalone PC using PKI if I set the PfSense machines as servers using PKI. However, if I try to set one up as PKI client and the other as server, they don't connect either.

      Help!

      Update - I have added a WAN rule on both ends to pass TCP to port 1193 and
      the tunnel now connects (both logs say "Initialization Sequence Completed" as the last entry), but I can't ping 192.168.68.1 from 192.168.0.0/24 machines, and I can't ping 192.168.0.1 from 192.168.68.0/24 machines. So something is still getting in the way – the tunnel connects but I can't even ping the gateway at the other end.

      • afvadmin

        Try entering the IP range in the local and remote network on the server and the remote network on the client; that way your packets will be passed over the VPN while you ping.

        • jrdecastro

          Thanks for the suggestion.
          I have tried, but it seems that if you use "shared key" it doesn't let you enter the local network field. If you change to PKI you can then enter something in the local network field, but if you then change back to "shared key" the box contents gray out. When you save it with "shared key" again and retrieve the configuration again, the contents of the local network field are gone, and it seems to have no effect.

          I have tried adding static routes to the tunnel address pool network interfaces (192.168.5.1 and 192.168.5.2) on server and client, and that allows machines on the client side to ping machines on the server side, but it does not allow server side machines to ping client side machines.

          1. Do I need to add anything along the lines of route a.b.c.d 255.255.255.0 on the custom options of the client and server definitions, and if so, what do I put in on each side?
          2. Do I need to select any of the NetBIOS options to let the machines in each subnet at either end of the tunnel see each other, and if so, which option? Both subnets are simple peer-to-peer networks of XP machines, though I have added one small Linux box at each end running Samba with WINS not enabled, but set to be the default Domain Master Browser.

          Thanks!

          • afvadmin
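          The shared-key tunnel laid out in the first post, with the remote-LAN route on each side that afvadmin suggests and that question 1 above asks about, written out as the pair of OpenVPN 2.0 configuration files pfSense 1.2.3 generates from those GUI fields (the "Custom options" box simply appends lines to them). This is an added example, not configuration from the thread or from pfSense itself; the file paths, the `keepalive` values and the use of AES-256-CBC in place of BF-CBC are assumptions.

```conf
# --- Location 1 (server side, fixed public IP behind the ISP router) ---
# Assumed path: /var/etc/openvpn_server1.conf
dev tun
proto tcp-server                   # GUI "Protocol TCP" on the server side
port 1193                          # ISP router must forward TCP/1193 to 192.168.1.101
ifconfig 192.168.5.1 192.168.5.2   # tunnel endpoints: local address, then remote
secret /var/etc/openvpn_server1.secret
# Generate the key once, on one side only, then copy it to the peer over a
# trusted channel (anyone holding this file can join the tunnel):
#   openvpn --genkey --secret /var/etc/openvpn_server1.secret
# Keep it readable by root only; this is what the log line
# "WARNING: file '...' is group or others accessible" is complaining about:
#   chmod 600 /var/etc/openvpn_server1.secret
# Send traffic for the far LAN into the tunnel (the "Remote Network" field).
route 192.168.68.0 255.255.255.0
cipher AES-256-CBC                 # assumption: 256-bit cipher instead of BF-CBC
comp-lzo                           # GUI "LZO compression" ticked
keepalive 10 60                    # assumption: ping every 10 s, restart after 60 s silence
persist-key
persist-tun
verb 3

# --- Location 2 (client side, dynamic PPPoE address) ---
# Assumed path: /var/etc/openvpn_client1.conf
dev tun
proto tcp-client
remote 113.xx.xx.xx 1193           # server's public IP; GUI "Server port" must match 1193
ifconfig 192.168.5.2 192.168.5.1   # mirror image of the server's ifconfig line
secret /var/etc/openvpn_client1.secret   # identical key bytes to the server's file, mode 600
route 192.168.0.0 255.255.255.0    # server-side LAN reachable through the tunnel
cipher AES-256-CBC
comp-lzo
keepalive 10 60
persist-key
persist-tun
verb 3
```

          In GUI terms the two `route` lines are the answer to question 1: `route 192.168.68.0 255.255.255.0` goes in the server's Custom options and `route 192.168.0.0 255.255.255.0` in the client's, each pointing at the LAN on the far end; the ifconfig pairs must be mirror images of each other, and the `proto`/`port`/`remote` values must agree (the first post lists the client's server port as 113 while the server listens on 1193). On the cipher question: BF-CBC (Blowfish) is a 64-bit block cipher, which is why later OpenVPN releases stopped defaulting to it; OpenVPN 2.0.x already accepts `cipher AES-256-CBC` when built against OpenSSL, as the pfSense 1.2.3 build in the logs is.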

            Yeah, give it a try: set NetBIOS to broadcast.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.