Pfsense 2 Site2Site PKI
- 
 Hi guys. I'm working on my VPNs on pfSense 2. I want to connect 2 pfSense machines running 2 RC3, and I want to use the p2p PKI. On 1 machine I already created my CA and cert and set up my first server on port 1194 UDP. Now, on the other server, what do I have to do? 1; Send my ca/cert/shared key? 
 2; Create a client with these files, not a server? I have been reading about it but I still don't get the setup. Thanks!!! 
- 
 Well, I tried this: 1; Create my CA/CERT. 
 2; Set up pfsense1 as server, peer-to-peer TLS/SSL, using the CA/cert created in step 1, let it create a shared key automatically, etc.
 These are my settings:

 dev ovpns1 
 dev-type tun
 dev-node /dev/tun1
 writepid /var/run/openvpn_server1.pid
 #user nobody
 #group nobody
 script-security 3
 daemon
 keepalive 10 60
 ping-timer-rem
 persist-tun
 persist-key
 proto udp
 cipher AES-192-CBC
 up /usr/local/sbin/ovpn-linkup
 down /usr/local/sbin/ovpn-linkdown
 local Public Address
 tls-server
 server 10.0.19.0 255.255.255.0
 client-config-dir /var/etc/openvpn-csc
 ifconfig 10.0.19.1 10.0.19.2
 lport 1194
 management /var/etc/openvpn/server1.sock unix
 max-clients 2
 push "route 192.168.50.0 255.255.255.0"
 route 192.168.2.0 255.255.255.0
 ca /var/etc/openvpn/server1.ca
 cert /var/etc/openvpn/server1.cert
 key /var/etc/openvpn/server1.key
 dh /etc/dh-parameters.1024
 tls-auth /var/etc/openvpn/server1.tls-auth 0
 comp-lzo
 verb 5
 suppress-timestamps
 client-config-dir /var/etc/openvpn/ccd

 Then on the other machine, pfsense2, 
 1; Copy the ca/cert/shared key from the server machine.
 2; I set up a client peer-to-peer. This is my setup:

 dev ovpnc1 
 dev-type tun
 dev-node /dev/tun1
 writepid /var/run/openvpn_client1.pid
 #user nobody
 #group nobody
 script-security 3
 daemon
 keepalive 10 60
 ping-timer-rem
 persist-tun
 persist-key
 proto udp
 cipher AES-192-CBC
 up /usr/local/sbin/ovpn-linkup
 down /usr/local/sbin/ovpn-linkdown
 local public-address
 tls-client
 client
 lport 0
 management /var/etc/openvpn/client1.sock unix
 remote pfsense1-public-address 1194
 route 192.168.50.0 255.255.255.0
 ca /var/etc/openvpn/client1.ca
 cert /var/etc/openvpn/client1.cert
 key /var/etc/openvpn/client1.key
 tls-auth /var/etc/openvpn/client1.tls-auth 1
 comp-lzo
 verb 5
 suppress-timestamps

 After this, I set up the rules to let both VPN connections cross without issues. The client side can reach any machine behind the server network, but the server network cannot access the network behind the client. I added the option push "route 192.168.2.0 255.255.255.0" on the client side and no effect. Reading my setup, did I miss something? Thanks!!! 
- 
 Now let's see my routes. This server cannot reach any client on the other end. Server side:
 Internet: 
 Destination Gateway Flags Refs Use Netif Expire
 default pUBLIC-ip UGS 0 130063 fxp0
 10.0.19.0 10.0.19.2 UGS 0 90 ovpns1
 10.0.19.1 link#8 UHS 0 3 lo0
 10.0.19.2 link#8 UH 0 3 ovpns1
 localhost link#4 UH 0 267 lo0
 172.16.0.0 link#3 U 0 0 xl1
 172.16.4.1 link#3 UHS 0 0 lo0
 192.168.2.0 10.0.19.2 UGS 0 4 ovpns1
 192.168.50.0 link#2 U 0 44834 xl0
 gw link#2 UHS 0 24 lo0
 pUBLIC-ip link#1 U 0 87611 fxp0
 pUBLIC-ip.X link#1 UHS 0 0 lo0
 dns1X.X.c 00:03:47:06:cd:5a UHS 0 308 fxp0
 dns2X.X.c 00:03:47:06:cd:5a UHS 0 242 fxp0

 Client routes:
 Internet: 
 Destination Gateway Flags Refs Use Netif Expire
 default PublicIP.ded. UGS 0 136910 pppoe1
 10.0.1.1 link#10 UHS 0 0 lo0 =>
 10.0.1.1/32 link#10 U 0 0 ath0_w
 10.0.19.1/32 10.0.19.5 UGS 0 0 ovpnc1
 10.0.19.5 link#11 UH 0 2 ovpnc1
 10.0.19.6 link#11 UHS 0 2 lo0
 localhost link#6 UH 0 291 lo0
 192.168.2.0 link#1 U 0 58886 vr0
 gw link#1 UHS 0 0 lo0
 192.168.50.0 10.0.19.5 UGS 0 56 ovpnc1
 PublicIP.ded. link#9 UH 0 64902 pppoe1
 PublicIPdsl link#9 UHS 0 0 lo0

 This client can reach any client behind the server. My goal is that both sides' networks can see what is behind each pfSense network. I will continue, thanks!!! 
- 
 Periko - As far as the certificates, the only things you need to copy over from the pfSense server side to the pfSense client side are the CA certificate and the TLS key. To avoid confusion and minimize errors when creating the tunnel, I find it best to create the "Certificates" on the node itself. Since this is a 1 site to 1 site connection and your network on each side is one /24 network, make it simple by filling in the "Remote Network" on each side instead of using the "route x.x.x.x y.y.y.y" or "push "route x.x.x.x y.y.y.y"" commands. The only time you need to use the route and push commands (in my opinion) is if you have more than one subnet on each side that are not contiguous, and then you would leave the "Remote Network" field blank. I will assume that your firewall is set up to allow traffic between 192.168.50.0/24 and 192.168.2.0/24 to go through. 
- 
 I had checked my firewall and there is no block on my connection. Looks like I understand the CA/cert creation. Now about "remote network": you can see that my settings have, server side, push "route 192.168.50.0 255.255.255.0" and, client side, route 192.168.50.0 255.255.255.0. I didn't add any setting by hand. The funny thing is that my clients behind my server network can ping the other end pfSense box by its virtual IP but not the clients behind it :o Reading the OpenVPN docs about this issue, it says to enable IP forwarding, which is on by default, then the ccd dir: my client cert name is client1, so I created a file with that name and added the command iroute 192.168.2.0 255.255.255.0, which is my client network. I used tcpdump on my client side pfSense box (tcpdump -i ovpnc1) while pinging from a client behind the server, but no output. Now at the same time, I used the same command but with my ovpn interface, tcpdump -i ovpns1: 
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on ovpns1, link-type NULL (BSD loopback), capture size 96 bytes
 19:19:11.472540 IP fam-winbox.--.--.org > 192.168.2.11: ICMP echo request, id 768, seq 19200, length 40
 19:19:16.615626 IP fam-winbox.--.--.org > 192.168.2.11: ICMP echo request, id 768, seq 19456, length 40

 My server side works but is not crossing the network packets; any tip will be appreciated, thanks!!! 
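 As an added example (not from this thread, and not pfSense's own code), here is a small Python checker for the situation described in this post: it reads a server config excerpt plus the ccd files and reports a server "route" with no matching "iroute", a duplicated client-config-dir line (OpenVPN keeps only the last one), and a "push" placed in a client config. The config excerpts are constructed from the ones posted earlier in the thread; the ccd file contents and the client certificate name "client1" are assumptions for the example.

```python
from collections import Counter  # noqa: F401  (kept for readers extending the checks)

# Constructed excerpts of the two configs posted in this thread (not the full files).
SERVER_CONF = """\
tls-server
server 10.0.19.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
push "route 192.168.50.0 255.255.255.0"
route 192.168.2.0 255.255.255.0
client-config-dir /var/etc/openvpn/ccd
"""
CLIENT_CONF = """\
tls-client
client
remote pfsense1-public-address 1194
route 192.168.50.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"
"""

def parse_directives(text):
    """Return (directive, argument-string) pairs, skipping comments and blank lines."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            out.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return out

def check_site_to_site(server_conf, client_conf, ccd_files):
    """ccd_files maps a client certificate CN -> contents of its ccd file (assumed layout).
    Returns a list of findings; an empty list means the pieces line up."""
    findings = []
    server = parse_directives(server_conf)
    # OpenVPN keeps only the last client-config-dir, so a ccd file written
    # into the directory named first is never read.
    ccd_dirs = [a for d, a in server if d == "client-config-dir"]
    if len(ccd_dirs) > 1:
        findings.append(f"duplicate client-config-dir: only {ccd_dirs[-1]} is used")
    # A server 'route' for a client LAN needs a matching 'iroute' in that
    # client's ccd file, or the server never forwards packets into that LAN.
    routes = {a for d, a in server if d == "route"}
    iroutes = {a for body in ccd_files.values()
               for d, a in parse_directives(body) if d == "iroute"}
    for r in sorted(routes - iroutes):
        findings.append(f"route {r} on the server has no matching iroute in any ccd file")
    for r in sorted(iroutes - routes):
        findings.append(f"iroute {r} in a ccd file has no matching route on the server")
    # 'push' is a server-mode directive; in a client config it cannot give
    # the server a route back to the client LAN.
    for d, a in parse_directives(client_conf):
        if d == "push":
            findings.append(f"client config has 'push {a}': push is a server-mode directive")
    return findings
```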
- 
 Periko, I was just looking at your previous post/configuration. How come you don't have the tunnel network IP on the client side? Your server side showed "ifconfig 10.0.19.1 10.0.19.2" but you don't have one on the client side. On your client side, you should have an IP address of 10.0.19.2, but you don't, judging from your route table on the client side. You should have a similar "ifconfig" statement on the client side with the IP addresses in the reverse order. 
- 
 Network layout: 192.168.50.0/24 <---> pfsense-server <--------------------------> pfsense-client <---> 192.168.2.0/24 
                                                      10.0.19.0/24
 net-1 = 192.168.50.0/24
 net-2 = 192.168.2.0/24

 I will give you my GUI settings, please see my attached files; the issue continues.

 pfsense-server ovpns1:
 ovpns1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
     options=80000<LINKSTATE>
     inet6 fe80::203:47ff:fe06:cd5a%ovpns1 prefixlen 64 scopeid 0x8
     inet 10.0.19.1 --> 10.0.19.2 netmask 0xffffffff
     nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
     Opened by PID 8278

 pfsense-client ovpnc1:
 ovpnc1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
     options=80000<LINKSTATE>
     inet6 fe80::20d:b9ff:fe1b:b4f0%ovpnc1 prefixlen 64 scopeid 0xb
     inet 10.0.19.6 --> 10.0.19.5 netmask 0xffffffff
     nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
     Opened by PID 58043

 The third image shows an error that always appears on my client side box when it starts a connection to my pfsense-server. The routes look good.

 pfsense-server:
 Internet: 
 Destination Gateway Flags Refs Use Netif Expire
 default public-ip UGS 0 8288 fxp0
 10.0.19.0 10.0.19.2 UGS 0 13 ovpns1
 10.0.19.1 link#8 UHS 0 1 lo0
 10.0.19.2 link#8 UH 0 0 ovpns1
 localhost link#4 UH 0 132 lo0
 172.16.0.0 link#3 U 0 0 xl1
 172.16.4.1 link#3 UHS 0 0 lo0
 public-ip link#1 U 0 45591 fxp0
 public-ip.cab link#1 UHS 0 0 lo0
 192.168.2.0 10.0.19.2 UGS 0 18 ovpns1
 192.168.50.0 link#2 U 0 10077 xl0
 gw link#2 UHS 0 0 lo0
 public-ip 00:03:47:06:cd:5a UHS 0 112 fxp0
 public-ip.c 00:03:47:06:cd:5a UHS 0 159 fxp0

 pfsense-client:
 Internet: 
 Destination Gateway Flags Refs Use Netif Expire
 default public-ip. UGS 0 122541 pppoe1
 10.0.19.1/32 10.0.19.5 UGS 0 4 ovpnc1
 10.0.19.5 link#11 UH 0 0 ovpnc1
 10.0.19.6 link#11 UHS 0 0 lo0
 localhost link#6 UH 0 132 lo0
 link#9 UHS 0 0 lo0
 192.168.2.0 link#1 U 0 30537 vr0
 gw link#1 UHS 0 0 lo0
 192.168.50.0 10.0.19.5 UGS 0 0 ovpnc1
 public-ip. link#9 UH 0 205731 pppoe1

 My firewalls are open. Current things: the pfsense-client box can reach the pfsense-server box and any machine in net-1. Ping net-2 --> 192.168.50.x: good. 
 pfsense-server/net-1 can only reach the pfsense-client box using its virtual IP 10.0.19.6; ping net-1 --> 192.168.2.x doesn't work. When pfsense-client makes the connection, my pfsense-server OpenVPN logs don't show any errors. So I'm still here troubleshooting this; anything about it will be appreciated!!! NOTE: In the pictures I removed the shared key to save some size in my files.
 pfsense-server: 2.0-RC3 (i386) built on Fri Aug 5 12:14:15 EDT 2011 
 pfsense-client: 2.0-RC3 (i386) built on Tue Jun 21 18:21:10 EDT 2011
 I will update my embedded as soon as I increase the size of the image. 
- 
 It works: http://blog.stefcho.eu/?p=611 
- 
 Good link. Glad to hear it's working for you now. 
- 
 During the day I will review the config, because I still don't know why he needs to build a custom config for the client on the server side. I think that is the tricky part; maybe someone with more experience in this field could clarify it for me. Thanks probie ;D. 
