Howto from C't
-
After a few months' absence from my pfSense installs, my favorite German computer magazine http://heise.de/ct brought me back on the route:
I'd like to set up a site-to-site VPN between our office and my dad's and my home office, like this:
Vpn 172.22.22.0/24
Office 192.168.115.0/24
Sat0 192.168.0.0/24
Sat1 192.168.112.0/24

Sat0 (192.168.0.0/24)
|
|
Home (192.168.115.0/24) --- Sat1 (192.168.112.0/24)

But I have some problems with the routing, and yes, I know about this thread: http://forum.pfsense.org/index.php/topic,12888.0.html… Sat0 is configured and establishes the connection; Sat1 is going to follow after I have Sat0 up and running! Both routers are running on pfSense version 1.2.3...
I can ping from the office router to Sat0, but not from the office LAN, and from Sat0 I can't ping either the router or the LAN.
Here's the server.conf
writepid /var/run/openvpn_server.pid
#user nobody
#group nobody
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto udp
cipher AES-128-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
client-to-client
server 172.22.22.0 255.255.255.0
client-config-dir /var/etc/openvpn_csc
lport 1195
ca /var/etc/openvpn_server.ca
cert /var/etc/openvpn_server.cert
key /var/etc/openvpn_server.key
dh /var/etc/openvpn_server.dh
crl-verify /var/etc/openvpn_server.crl
comp-lzo
persist-remote-ip
float
route 192.168.0.0 255.255.0.0
push "route 192.168.115.0 255.255.255.0"
push "route 192.168.0.0 255.255.0.0"
and here the client.conf
writepid /var/run/openvpn_client0.pid
#user nobody
#group nobody
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto udp
cipher AES-128-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
remote my.remote.host 1195
client
lport 1194
ca /var/etc/openvpn_client0.ca
cert /var/etc/openvpn_client0.cert
key /var/etc/openvpn_client0.key
comp-lzo
float
lport 1195
Here's a log from the client:
Oct 14 17:02:56 openvpn[49866]: [router] Inactivity timeout (--ping-restart), restarting
Oct 14 17:02:56 openvpn[49866]: SIGUSR1[soft,ping-restart] received, process restarting
Oct 14 17:02:58 openvpn[49866]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Oct 14 17:02:58 openvpn[49866]: Re-using SSL/TLS context
Oct 14 17:02:58 openvpn[49866]: LZO compression initialized
Oct 14 17:02:58 openvpn[49866]: UDPv4 link local (bound): [undef]:1195
Oct 14 17:02:58 openvpn[49866]: UDPv4 link remote: 217.91.96.41:1195
Oct 14 17:03:06 openvpn[49866]: [router] Peer Connection Initiated with 217.91.96.41:1195
Oct 14 17:03:07 openvpn[49866]: Preserving previous TUN/TAP instance: tun0
Oct 14 17:03:07 openvpn[49866]: NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Oct 14 17:03:07 openvpn[49866]: /etc/rc.filter_configure tun0 1500 1558 172.22.22.6 172.22.22.5 init
Oct 14 17:03:18 openvpn[49866]: gw 217.0.118.64
Oct 14 17:03:18 openvpn[49866]: TUN/TAP device /dev/tun0 opened
Oct 14 17:03:18 openvpn[49866]: /sbin/ifconfig tun0 172.22.22.6 172.22.22.5 mtu 1500 netmask 255.255.255.255 up
Oct 14 17:03:18 openvpn[49866]: /etc/rc.filter_configure tun0 1500 1558 172.22.22.6 172.22.22.5 init
Oct 14 17:03:36 openvpn[49866]: ERROR: FreeBSD route add command failed: shell command exited with error status: 1
Oct 14 17:03:36 openvpn[49866]: Initialization Sequence Completed

So if someone could give me a hand I would be very grateful!!!
Greetz
Mircsicz
P.S.: for all the Germans in here, I'll add the article, which seems to be a rewrite of the above mentioned howto!
http://img143.imageshack.us/img143/913/skopierer10101409230.jpg
http://img580.imageshack.us/img580/927/skopierer10101409240.jpg
-
I'm afraid the caveat is that I have to set two routes, and one is 192.168.0.0 255.255.0.0 while my home net is 192.168.0.0/24! Can this be the reason for my problem?
Could someone please tell me if I have to reconfigure my networks?
Greetz
Mircsicz
Patience…
-
Why don't you post the actual server config?
Yes. If you really push the same subnet you have locally, you're making a routing loop.
Why don't you just add the /24 routes you actually need?
-
Why don't you post the actual server config?
I posted the server1.conf in the first posting…
Yes. If you really push the same subnet you have locally, you're making a routing loop.
Why don't you just add the /24 routes you actually need?
It's not the same subnet:
At home I have 192.168.0.0/24, and I have 192.168.115.0/24 in the office. The routes I push are 192.168.0.0/16 to reach the office and the other VPN site, and 192.168.115.0 to reach the office… But that's the glitch where I'm stuck!! I don't know which I need to add!
I tried some different route settings, but none of them changed the described behavior...
Hope you can help!
-
Did you add client specific options?
This server config alone wouldn't work because all routes and pushes are missing.
Well, 192.168.0.0/16 contains 192.168.0.0/24, so seen from the pfSense at the home network it's the same subnet.
To connect to the office, push only the 192.168.115.0/24 route.
What IP range does your other VPN site have?
-
Yes I did add a client specific option:
iroute 192.168.115.0 255.255.255.0;
This Server.config has routes and pushes, but you have to scroll to see them:
route 192.168.0.0 255.255.0.0
push "route 192.168.115.0 255.255.255.0"
push "route 192.168.0.0 255.255.0.0"
I tried to remove the 192.168.0.0/16 route but it didn't change the behavior…
The other vpnsite has 192.168.112.0/24
And just to be sure, here's the firewall entry on the office router:
TCP/UDP  LAN net  *  VPN      *  *  Default LAN -> OpenVPN
TCP/UDP  VPN      *  LAN net  *  *  OpenVPN -> Default LAN
The alias VPN contains:
10.0.115.0/24, 172.22.22.0/24, 192.168.0.0/24, 192.168.112.0/24
The VPN sites both have all outgoing traffic allowed...
-
I changed the iroute to "iroute 192.168.0.0 255.255.255.0;" and did some testing with a Linux-based VMware host as client. With this client I connected successfully and could also ping in both directions!!
So the problem seems to be my home router, which is an embedded version of 1.2.3… So I installed tcpdump and did some captures. All I could see is that no packets are arriving at the tun interfaces. So the problem seems to be the routing!
So, if someone with more routing experience on pfSense could give me a hand?
Greetz
Mircsicz
P.S.: here's an output from tcpdump:
[mirco@macbook-pro-wlan.mirco.home ~] 4$ ping 192.168.115.2
PING 192.168.115.2 (192.168.115.2): 56 data bytes
36 bytes from wall.mirco.home (192.168.0.1): Redirect Host(New addr: 192.168.0.1)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src           Dst
 4  5  00 0054 6d9c   0 0000  40  01 1878 192.168.0.66  192.168.115.2
Request timeout for icmp_seq 0
36 bytes from wall.mirco.home (192.168.0.1): Redirect Host(New addr: 192.168.0.1)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src           Dst
 4  5  00 0054 4fd4   0 0000  40  01 3640 192.168.0.66  192.168.115.2
Request timeout for icmp_seq 1
^C
--- 192.168.115.2 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

[root@wall.mirco.home]/root(8): tcpdump -i sis0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on sis0, link-type EN10MB (Ethernet), capture size 96 bytes
19:51:40.556932 IP macbook-pro-wlan.mirco.home > 192.168.115.2: ICMP echo request, id 30693, seq 0, length 64
19:51:40.557817 IP wall.mirco.home > macbook-pro-wlan.mirco.home: ICMP redirect 192.168.115.2 to host wall.mirco.home, length 36
19:51:41.555681 IP macbook-pro-wlan.mirco.home > 192.168.115.2: ICMP echo request, id 30693, seq 1, length 64
19:51:41.556078 IP wall.mirco.home > macbook-pro-wlan.mirco.home: ICMP redirect 192.168.115.2 to host wall.mirco.home, length 36
4 packets captured
50 packets received by filter
0 packets dropped by kernel
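The two misconfigurations this thread turns on, a pushed 192.168.0.0/16 that swallows the home LAN 192.168.0.0/24 and an iroute that named the server's own LAN instead of the client's, as an added checker in Python; this is not code from the thread, pfSense or OpenVPN, SERVER_CONF is rebuilt from the first post's route/push lines, and the site names are assumed labels for the LANs in the diagram.

```python
"""Route sanity checks for the OpenVPN site-to-site setup discussed in this thread.
Added example, not from the thread, pfSense or OpenVPN. SERVER_CONF is rebuilt
from the first post's route/push lines; the site LANs come from the diagram."""
import ipaddress
import re

SERVER_CONF = """\
server 172.22.22.0 255.255.255.0
route 192.168.0.0 255.255.0.0
push "route 192.168.115.0 255.255.255.0"
push "route 192.168.0.0 255.255.0.0"
"""
# Server site first; the remaining entries are the OpenVPN clients (assumed names).
SITES = {"office": "192.168.115.0/24", "sat0": "192.168.0.0/24",
         "sat1": "192.168.112.0/24"}
SERVER_SITE = "office"
ROUTE_RE = re.compile(r'^\s*(push\s+"route|route)\s+([\d.]+)\s+([\d.]+)"?\s*$')
IROUTE_RE = re.compile(r'^\s*iroute\s+([\d.]+)\s+([\d.]+);?\s*$')

def parse_routes(conf):
    """Return (kind, network) pairs; kind is 'route' (server kernel) or 'push'."""
    routes = []
    for line in conf.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            kind = "push" if m.group(1).startswith("push") else "route"
            routes.append((kind, ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")))
    return routes

def pushed_route_overlaps(conf, sites, server_site):
    """Pushed routes that overlap a client's own LAN: the routing loop from the thread."""
    hits = []
    for kind, net in parse_routes(conf):
        if kind != "push":
            continue
        for name, lan in sites.items():
            if name != server_site and net.overlaps(ipaddress.ip_network(lan)):
                hits.append((name, str(net), lan))
    return hits

def iroute_mismatch(ccd_line, client_lan):
    """A client's iroute must name that client's own LAN; True means it does not."""
    m = IROUTE_RE.match(ccd_line)
    net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
    return net != ipaddress.ip_network(client_lan)

if __name__ == "__main__":
    for name, net, lan in pushed_route_overlaps(SERVER_CONF, SITES, SERVER_SITE):
        print(f"pushed {net} covers {name}'s own LAN {lan}")
    print("iroute wrong:", iroute_mismatch("iroute 192.168.115.0 255.255.255.0;", SITES["sat0"]))
```

Run against the thread's values it flags the /16 push for both satellite sites and the original iroute, and reports nothing once only the /24 routes are pushed and the iroute names the client's LAN.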