VPN site to site between ZeroShell and PFSense
-
Hi @ all.
I have a problem between ZeroShell (ZS foo) and PFSense.
Since I have two sites that are currently connected with a LAN-to-LAN VPN on the ZS, I need to test in advance whether PFSense, temporarily connected to the ZS, can manage the VPN.
I want to replace it with PFSense in two steps. The connection seems to be established, but I don't get traffic to the other side. Maybe I overlooked something, because PFSense is not so familiar to me yet. But this firewall is just the "hammer" ;)
Now, to my PFSense: it is up to date, 2.4.4-RELEASE.
In the vpn configuration page from PFSense I set:
Server Mode: peer 2 peer
Device Mode: tap Layer 2
IPv4 Tunnel Network = 10.2.28.0/30
IPv4 Local Network/s = 192.168.221.0/24
IPv4 Remote Network/s = 192.168.3.0/24
Gateway:
Name        Default  Interface  Gateway    Monitor IP  Description
TestPFS2ZS           PFS2ZS     10.2.28.1  10.2.28.1   TestPFS2ZS
Static Routes:
Network         Gateway             Interface  Description
192.168.3.0/24  PFS2ZS - 10.2.28.1  PFS2ZS     TestPFS2ZS
In my Firewall / NAT / Outbound I see this information:
10.10.10.1/32 127.0.0.0/8 ::1/128 192.168.3.0/24 192.168.221.0/24 10.2.28.0/30
Routes on PFSense:
192.168.3.0/24 10.2.28.1 UGS 15 1500 ovpns1
My ping test from the pfSense:
PING 192.168.3.252 (192.168.3.252) from 10.2.28.1: 56 data bytes
36 bytes from 10.2.28.1: Time to live exceeded
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 a8fb   0 0000  01  01 2607 10.2.28.1  192.168.3.252
36 bytes from 10.2.28.1: Time to live exceeded
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 4e2f   0 0000  01  01 80d3 10.2.28.1  192.168.3.252
36 bytes from 10.2.28.1: Time to live exceeded
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 1a7d   0 0000  01  01 b485 10.2.28.1  192.168.3.252
--- 192.168.3.252 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
But the p2p network interface can ping Google:
PING 8.8.8.8 (8.8.8.8) from 10.2.28.1: 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=124 time=6.457 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=124 time=5.711 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=124 time=5.686 ms
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 5.686/5.951/6.457/0.358 ms
How can I find the error? Any ideas about it?
BR, p54
EDIT: The verbose log tells me this:
Oct 23 14:06:45 openvpn 52141 MANAGEMENT: Client disconnected
Oct 23 14:06:45 openvpn 52141 MANAGEMENT: CMD 'quit'
Oct 23 14:06:45 openvpn 14650 UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
Oct 23 14:06:45 openvpn 52141 MANAGEMENT: CMD 'status 2'
Oct 23 14:06:45 openvpn 52141 MANAGEMENT: Client connected from /var/etc/openvpn/server4.sock
Oct 23 14:06:44 openvpn 14650 MANAGEMENT: Client disconnected
Oct 23 14:06:44 openvpn 14650 MANAGEMENT: CMD 'quit'
Oct 23 14:06:44 openvpn 14650 MANAGEMENT: CMD 'status 2'
Oct 23 14:06:44 openvpn 14650 UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
Oct 23 14:06:44 openvpn 14650 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Oct 23 14:06:43 openvpn 14650 UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
Oct 23 14:06:42 openvpn 14650 UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
Oct 23 14:06:41 openvpn 14650 UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
Oct 23 14:06:40 openvpn 14650 UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
Oct 23 14:06:39 openvpn 14650 UDPv4 WRITE [68] to [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
Oct 23 14:06:39 openvpn 14650 UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
Oct 23 14:06:38 openvpn 14650 UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
Oct 23 14:06:37 openvpn 14650 UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
...
...
Oct 23 14:01:49 openvpn 14650 UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
Oct 23 14:01:48 openvpn 14650 WARNING: 'ifconfig' is present in local config but missing in remote config, local='ifconfig 10.2.28.0 255.255.255.252'
Oct 23 14:01:48 openvpn 14650 UDPv4 READ [180] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=180
Oct 23 14:01:48 openvpn 14650 UDPv4 WRITE [68] to [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
Oct 23 14:01:48 openvpn 14650 UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
Oct 23 14:01:46 openvpn 14650 UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
Oct 23 14:01:45 openvpn 14650 UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
Oct 23 14:01:44 openvpn 14650 UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
Oct 23 14:01:44 openvpn 14650 UDPv4 WRITE [100] to [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=100
Oct 23 14:01:44 openvpn 14650 TUN READ [42]
And now I have found one problem:
Oct 23 14:09:35 openvpn 89691 OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.3.0
Oct 23 14:09:35 openvpn 89691 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Oct 23 14:09:37 openvpn 89691 RECEIVED PING PACKET
Oct 23 14:09:37 openvpn 89691 PID_TEST [0] [STATIC-0] [1_______________________________________________________________] 1540296359:203 1540296359:204 t=1540296577[0] r=[-1,64,15,0,1] sl=[0,64,64,528]
Oct 23 14:09:37 openvpn 89691 UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
Oct 23 14:09:37 openvpn 89691 UDPv4 WRITE [148] to [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=148
Oct 23 14:09:37 openvpn 89691 Initialization Sequence Completed
Oct 23 14:09:37 openvpn 89691 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Oct 23 14:09:37 openvpn 89691 TUN READ [90]
Oct 23 14:09:36 openvpn 89691 RECEIVED PING PACKET
Oct 23 14:09:36 openvpn 89691 Peer Connection Initiated with [AF_INET]PUBLIC.IP.UUU.OOO:1198
Oct 23 14:09:36 openvpn 89691 PID_TEST [0] [STATIC-0] [] 0:0 1540296359:203 t=1540296576[0] r=[0,64,15,0,1] sl=[0,0,64,528]
Oct 23 14:09:36 openvpn 89691 UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
Oct 23 14:09:36 openvpn 89691 TUN READ [86]
Oct 23 14:09:36 openvpn 89691 TUN READ [110]
Oct 23 14:09:35 openvpn 89691 TUN READ [90]
Oct 23 14:09:35 openvpn 89691 TUN READ [42]
Oct 23 14:09:35 openvpn 89691 SENT PING
Oct 23 14:09:35 openvpn 89691 UDPv4 link remote: [AF_UNSPEC]
Oct 23 14:09:35 openvpn 89691 UDPv4 link local (bound): [AF_INET]MY-FIREWALL-IP:1198
Oct 23 14:09:35 openvpn 89691 Socket Buffers: R=[42080->42080] S=[57344->57344]
Oct 23 14:09:35 openvpn 89691 Expected Remote Options String (VER=V4): 'V4,dev-type tap,link-mtu 1592,tun-mtu 1532,proto UDPv4,ifconfig 10.2.28.0 255.255.255.252,cipher AES-256-CBC,auth SHA1,keysize 256,secret'
Oct 23 14:09:35 openvpn 89691 Local Options String (VER=V4): 'V4,dev-type tap,link-mtu 1592,tun-mtu 1532,proto UDPv4,ifconfig 10.2.28.0 255.255.255.252,cipher AES-256-CBC,auth SHA1,keysize 256,secret'
Oct 23 14:09:35 openvpn 89691 Data Channel MTU parms [ L:1592 D:1450 EF:60 EB:401 ET:32 EL:3 ]
Oct 23 14:09:35 openvpn 89691 /usr/local/sbin/ovpn-linkup ovpns1 1500 1592 10.2.28.1 255.255.255.252 init
Oct 23 14:09:35 openvpn 89691 /sbin/ifconfig ovpns1 10.2.28.1 netmask 255.255.255.252 mtu 1500 up
Oct 23 14:09:35 openvpn 89691 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Oct 23 14:09:35 openvpn 89691 TUN/TAP device /dev/tap1 opened
Oct 23 14:09:35 openvpn 89691 TUN/TAP device ovpns1 exists previously, keep at program end
Oct 23 14:09:35 openvpn 89691 OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.3.0
Oct 23 14:09:35 openvpn 89691 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Oct 23 14:09:35 openvpn 89691 ROUTE_GATEWAY MY-GATEWAY-IP/255.255.255.0 IFACE=em0 HWADDR=00:22:4d:84:a5:5e
Oct 23 14:09:35 openvpn 89691 MTU DYNAMIC mtu=1450, flags=2, 1592 -> 1450
Oct 23 14:09:35 openvpn 89691 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 60 bytes
Oct 23 14:09:35 openvpn 89691 Incoming Static Key Encryption: HMAC size=20 block_size=20
Oct 23 14:09:35 openvpn 89691 Incoming Static Key Encryption: HMAC KEY: 539df7a0 161ef4a7 431d9aa7 20420fd7 e66253bf
Oct 23 14:09:35 openvpn 89691 Incoming Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct 23 14:09:35 openvpn 89691 Incoming Static Key Encryption: CIPHER block_size=16 iv_size=16
Oct 23 14:09:35 openvpn 89691 Incoming Static Key Encryption: CIPHER KEY: eda8124f 237b110b 42161185 303089db 64869e74 051cec3d 1ac3b7e2 72caee2c
Oct 23 14:09:35 openvpn 89691 Incoming Static Key Encryption: Cipher 'AES-256-CBC' initialized with 256 bit key
Oct 23 14:09:35 openvpn 89691 Outgoing Static Key Encryption: HMAC size=20 block_size=20
Oct 23 14:09:35 openvpn 89691 Outgoing Static Key Encryption: HMAC KEY: 539df7a0 161ef4a7 431d9aa7 20420fd7 e66253bf
Oct 23 14:09:35 openvpn 89691 Outgoing Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct 23 14:09:35 openvpn 89691 Outgoing Static Key Encryption: CIPHER block_size=16 iv_size=16
Oct 23 14:09:35 openvpn 89691 Outgoing Static Key Encryption: CIPHER KEY: eda8124f 237b110b 42161185 303089db 64869e74 051cec3d 1ac3b7e2 72caee2c
Oct 23 14:09:35 openvpn 89691 Outgoing Static Key Encryption: Cipher 'AES-256-CBC' initialized with 256 bit key
I have a feeling the tunnels are up, but not right.
Okay, one problem is solved, I can ping the virtual IP on my ZeroShell (foo):
PING 10.2.28.2 (10.2.28.2) from 10.2.28.1: 56 data bytes
64 bytes from 10.2.28.2: icmp_seq=0 ttl=64 time=26.396 ms
64 bytes from 10.2.28.2: icmp_seq=1 ttl=64 time=26.548 ms
64 bytes from 10.2.28.2: icmp_seq=2 ttl=64 time=26.466 ms
--- 10.2.28.2 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 26.396/26.470/26.548/0.062 ms
This problem was a misconfiguration in the VPN settings (PFSense) - I deleted the value and left it blank:
IPv4 Remote Network/s = 192.168.3.0/24
But now I must ping the network behind ZeroShell and the virtual IP 10.2.28.1.
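The verbose log in this post buries a handful of decisive entries (the two OpenVPN ROUTE errors, the WARNING about 'ifconfig' being present only locally, the option strings, the address ifconfig put on ovpns1) under hundreds of UDPv4 READ/WRITE lines. The Python below is an added example, not code from the post, from pfSense or from OpenVPN, that triages such a log: it keeps only the entries that decide whether the tunnel is usable and compares the local and expected-remote option strings so that a one-sided option shows up as a mismatch. The sample log is a constructed excerpt modelled on the post's log; PUBLIC.IP.UUU.OOO is the poster's placeholder, not a real address.

```python
import re
from typing import Dict, List

# Constructed excerpt modelled on the verbose log quoted in the post.
# PUBLIC.IP.UUU.OOO is the placeholder the poster used, not a real address.
SAMPLE_LOG = """\
Oct 23 14:01:48 openvpn 14650 WARNING: 'ifconfig' is present in local config but missing in remote config, local='ifconfig 10.2.28.0 255.255.255.252'
Oct 23 14:01:48 openvpn 14650 UDPv4 READ [180] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=180
Oct 23 14:09:35 openvpn 89691 OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.3.0
Oct 23 14:09:35 openvpn 89691 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Oct 23 14:09:35 openvpn 89691 /sbin/ifconfig ovpns1 10.2.28.1 netmask 255.255.255.252 mtu 1500 up
Oct 23 14:09:35 openvpn 89691 Expected Remote Options String (VER=V4): 'V4,dev-type tap,link-mtu 1592,tun-mtu 1532,proto UDPv4,ifconfig 10.2.28.0 255.255.255.252,cipher AES-256-CBC,auth SHA1,keysize 256,secret'
Oct 23 14:09:35 openvpn 89691 Local Options String (VER=V4): 'V4,dev-type tap,link-mtu 1592,tun-mtu 1532,proto UDPv4,ifconfig 10.2.28.0 255.255.255.252,cipher AES-256-CBC,auth SHA1,keysize 256,secret'
Oct 23 14:09:36 openvpn 89691 Peer Connection Initiated with [AF_INET]PUBLIC.IP.UUU.OOO:1198
Oct 23 14:09:37 openvpn 89691 Initialization Sequence Completed
Oct 23 14:09:37 openvpn 89691 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
"""

# "Mon DD HH:MM:SS openvpn PID message", the layout pfSense's log viewer showed in the post
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) openvpn (?P<pid>\d+) (?P<msg>.*)$")
OPTS_RE = re.compile(r"^(?P<kind>Expected Remote|Local) Options String \(VER=V\d\): '(?P<opts>[^']*)'$")
IFCONFIG_RE = re.compile(r"^/sbin/ifconfig (?P<iface>\S+) (?P<addr>\d+\.\d+\.\d+\.\d+) netmask (?P<mask>\S+)")


def triage(log: str) -> Dict[str, object]:
    """Reduce a verbose OpenVPN log to what decides whether the tunnel is usable:
    route errors, warnings, option-string agreement, the tunnel address, and
    whether the peer handshake and the initialization sequence completed."""
    report: Dict[str, object] = {
        "route_errors": [], "warnings": [], "tunnel_addr": None,
        "option_mismatch": [], "peer_connected": False, "init_complete": False,
        "noise_lines": 0,
    }
    opts: Dict[str, List[str]] = {}
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m["msg"]
        if msg.startswith("OpenVPN ROUTE:"):
            report["route_errors"].append(msg)
        elif msg.startswith("WARNING:"):
            report["warnings"].append(msg)
        elif (om := OPTS_RE.match(msg)):
            opts[om["kind"]] = om["opts"].split(",")
        elif (im := IFCONFIG_RE.match(msg)):
            report["tunnel_addr"] = (im["iface"], im["addr"], im["mask"])
        elif msg.startswith("Peer Connection Initiated"):
            report["peer_connected"] = True
        elif msg == "Initialization Sequence Completed":
            report["init_complete"] = True
        else:
            report["noise_lines"] += 1  # UDPv4 READ/WRITE, TUN READ, PID_TEST, ...
    if "Expected Remote" in opts and "Local" in opts:
        # Options carried by only one side are what the "present in local config
        # but missing in remote config" warning is about; symmetric difference lists them.
        report["option_mismatch"] = sorted(set(opts["Expected Remote"]) ^ set(opts["Local"]))
    return report


def verdict(report: Dict[str, object]) -> List[str]:
    """Turn the triage into the few lines an admin actually needs to read."""
    notes: List[str] = []
    if report["init_complete"] and report["peer_connected"]:
        notes.append("tunnel is up: peer handshake done and initialization completed")
    for err in report["route_errors"]:
        net = re.search(r"host/network: (\S+)", err)
        if net:
            notes.append(f"route to {net.group(1)} was NOT installed by OpenVPN (no gateway for --route)")
    for opt in report["option_mismatch"]:
        notes.append(f"option present on one side only: {opt}")
    if report["tunnel_addr"]:
        iface, addr, mask = report["tunnel_addr"]
        notes.append(f"local tunnel address is {addr}/{mask} on {iface}")
    return notes


if __name__ == "__main__":
    for line in verdict(triage(SAMPLE_LOG)):
        print(line)
```

Run against the full log from the post (saved to a file and passed to `triage`), the verdict comes out as "tunnel is up" followed by "route to 192.168.3.0 was NOT installed by OpenVPN": the data channel is fine, and the missing piece is purely a routing one, which is exactly what the later ping to 10.2.28.2 confirms.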
-
Hey.
I don't understand the problem, why it won't send the ping out over the VPN tunnel.
My settings for OvpnServer:
My Firewallrules:
My Interfaces:
My Interface setting OPT6:
My Gateway OPT6:
My static route:
I ran a traceroute to destination 192.168.3.32 over my local LAN interface:
I only see this:
 1  10.2.28.1  0.240 ms  3.165 ms  0.200 ms
 2  10.2.28.1  3.687 ms  3.664 ms  0.228 ms
 3  10.2.28.1  3.593 ms  3.703 ms  0.244 ms
 4  10.2.28.1  3.639 ms  3.698 ms  0.241 ms
 5  10.2.28.1  3.650 ms  3.765 ms  0.254 ms
 6  10.2.28.1  0.260 ms  0.238 ms  3.648 ms
 7  10.2.28.1  3.676 ms  0.257 ms  3.640 ms
 8  10.2.28.1  3.711 ms  0.270 ms  0.270 ms
 9  10.2.28.1  0.286 ms  0.277 ms  0.286 ms
10  10.2.28.1  0.288 ms  0.248 ms  3.631 ms
11  10.2.28.1  3.826 ms  0.283 ms  3.729 ms
12  10.2.28.1  3.736 ms  0.289 ms  3.544 ms
13  10.2.28.1  3.830 ms  0.314 ms  0.297 ms
14  10.2.28.1  0.309 ms  0.365 ms  0.311 ms
15  10.2.28.1  0.318 ms  0.315 ms  0.316 ms
16  10.2.28.1  0.328 ms  0.323 ms  0.321 ms
17  10.2.28.1  0.319 ms  0.325 ms  0.339 ms
18  10.2.28.1  0.326 ms  0.331 ms  0.333 ms
But I can ping from the virtual IP 10.2.28.1 (pfSense) to my ZeroShell (foo 10.2.28.2), which looks good:
PING 10.2.28.2 (10.2.28.2) from 10.2.28.1: 56 data bytes
64 bytes from 10.2.28.2: icmp_seq=0 ttl=64 time=26.396 ms
64 bytes from 10.2.28.2: icmp_seq=1 ttl=64 time=26.548 ms
64 bytes from 10.2.28.2: icmp_seq=2 ttl=64 time=26.466 ms
--- 10.2.28.2 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 26.396/26.470/26.548/0.062 ms
Does anyone have any idea what I missed?
BR
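Every hop of the traceroute in this post is 10.2.28.1, the pfSense end of the tunnel itself, and the first post's ping got "Time to live exceeded" from that same address. That is the signature of a route whose gateway is one of the host's own addresses: the kernel hands the packet back to its own IP input path, forwards it again with TTL minus one, and repeats until the TTL is gone, so nothing ever leaves the box. The Python below is an added example, not code from the post or from pfSense, that simulates that lookup over a routing table built from the values in the thread (gateway PFS2ZS = 10.2.28.1, route 192.168.3.0/24 via ovpns1, tunnel 10.2.28.0/30) and checks the gateway of a static route over a /30 tunnel: on a /30 the only valid next hop is the other host address, 10.2.28.2 here. The LAN interface name em1, the LAN address 192.168.221.1 and the WAN default gateway 203.0.113.1 are constructed stand-ins for values the posts redact or do not show.

```python
import ipaddress
from typing import List, Optional, Set, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network
# (destination, gateway or None for an on-link route, interface)
Route = Tuple[Net, Optional[IPv4], str]

# Addresses this host owns: the tunnel end from the post, plus a constructed LAN address.
LOCAL_ADDRS: Set[IPv4] = {IPv4("10.2.28.1"), IPv4("192.168.221.1")}


def table(tunnel_gw: str) -> List[Route]:
    """Routing table built from the thread's values; only the gateway of the
    static route to the ZeroShell LAN varies between the two scenarios."""
    return [
        (Net("0.0.0.0/0"), IPv4("203.0.113.1"), "em0"),      # constructed WAN default gateway
        (Net("192.168.221.0/24"), None, "em1"),              # local LAN, on-link (name constructed)
        (Net("10.2.28.0/30"), None, "ovpns1"),               # tunnel /30, on-link
        (Net("192.168.3.0/24"), IPv4(tunnel_gw), "ovpns1"),  # static route to the ZeroShell LAN
    ]


def lookup(dst: IPv4, routes: List[Route]) -> Optional[Route]:
    """Longest-prefix match, the way the kernel selects a route."""
    best: Optional[Route] = None
    for r in routes:
        if dst in r[0] and (best is None or r[0].prefixlen > best[0].prefixlen):
            best = r
    return best


def forward(dst: str, routes: List[Route], local_addrs: Set[IPv4] = LOCAL_ADDRS,
            ttl: int = 64) -> Tuple[str, str, int]:
    """Simulate how the host disposes of a packet to dst.
    Returns (outcome, next hop or interface, TTL units consumed locally)."""
    d = IPv4(dst)
    consumed = 0
    while ttl > 0:
        r = lookup(d, routes)
        if r is None:
            return ("no_route", "", consumed)
        net, gw, iface = r
        if gw is None:
            return ("onlink", iface, consumed)
        if gw in local_addrs:
            # The gateway is our own address: the packet is delivered back to the
            # local IP stack and forwarded again with TTL-1, never leaving the box.
            ttl -= 1
            consumed += 1
            continue
        return ("forwarded", f"{gw} via {iface}", consumed)
    # This is the state behind "Time to live exceeded" reported by 10.2.28.1 itself.
    return ("ttl_exceeded", str(lookup(d, routes)[1]), consumed)


def check_tunnel_gateway(tunnel_net: str, local_addr: str, gateway: str) -> List[str]:
    """Sanity checks for the gateway of a static route that points over a /30 tunnel:
    it must be the peer's host address, never our own and never outside the /30."""
    net, local, gw = Net(tunnel_net), IPv4(local_addr), IPv4(gateway)
    hosts = list(net.hosts())
    peer = next(h for h in hosts if h != local)
    problems: List[str] = []
    if gw == local:
        problems.append(f"gateway {gw} is this host's own tunnel address; use the peer {peer}")
    elif gw not in hosts:
        problems.append(f"gateway {gw} is not a host address inside {net}; expected {peer}")
    return problems


if __name__ == "__main__":
    for gw in ("10.2.28.1", "10.2.28.2"):
        print(gw, forward("192.168.3.252", table(gw)), check_tunnel_gateway("10.2.28.0/30", "10.2.28.1", gw))
```

With the gateway set to 10.2.28.1 the simulation burns the whole TTL inside the host and reports ttl_exceeded from 10.2.28.1, matching the ping and the traceroute in the thread; with 10.2.28.2 the packet is handed to the peer over ovpns1, while the default route and the on-link /30 behave the same in both cases, which is why pinging 8.8.8.8 and 10.2.28.2 from the tunnel address worked all along.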