OpenVPN Site2Site VPN ipfire to pfsense



  • Hello,
    I have a problem with the OpenVPN connection.
    The pfsense firewall is the OpenVPN-Server and the ipfire firewall is the OpenVPN-Client.

    OpenVPN-Server pfsense config:

    <openvpn>
      <openvpn-server>
        <vpnid>1</vpnid>
        <mode>p2p_tls</mode>
        <protocol>UDP</protocol>
        <dev_mode>tun</dev_mode>
        <ipaddr></ipaddr>
        <interface>wan</interface>
        <local_port>1194</local_port>
        <description></description>
        <custom_options></custom_options>
        <caref>577263a900043</caref>
        <certref>5772b54968d59</certref>
        <dh_length>2048</dh_length>
        <cert_depth>1</cert_depth>
        <crypto>AES-256-CBC</crypto>
        <digest>RSA-SHA256</digest>
        <engine>none</engine>
        <tunnel_network>192.168.111.0/24</tunnel_network>
        <tunnel_networkv6></tunnel_networkv6>
        <remote_network>10.0.20.0/24</remote_network>
        <remote_networkv6></remote_networkv6>
        <local_network>172.30.0.0/24</local_network>
        <local_networkv6></local_networkv6>
        <maxclients></maxclients>
        <compression>no</compression>
        <passtos></passtos>
        <dynamic_ip>yes</dynamic_ip>
        <pool_enable>yes</pool_enable>
        <topology>subnet</topology>
        <serverbridge_interface>none</serverbridge_interface>
        <serverbridge_dhcp_start></serverbridge_dhcp_start>
        <serverbridge_dhcp_end></serverbridge_dhcp_end>
        <netbios_enable></netbios_enable>
        <netbios_ntype>0</netbios_ntype>
        <netbios_scope></netbios_scope>
        <verbosity_level>11</verbosity_level>
      </openvpn-server>
    </openvpn>
    

    OpenVPN-Client ipfire config:

    
    # IPFire n2n OpenVPN client config by ummeegge and m.a.d
    #
    # User security
    user nobody
    group nobody
    persist-tun
    persist-key
    script-security 2
    # IP/DNS of the remote server gateway
    remote 195.154.x.x
    float
    # IP addresses of the VPN subnet
    ifconfig 192.168.111.2 192.168.111.1
    # Server gateway network
    route 10.0.10.0 255.255.255.0
    # tun device
    dev tun
    # Log file for statistics
    status-version 1
    status /var/run/openvpn/-n2n 10
    # Port and protocol
    port 1194
    proto udp
    # Packet size
    tun-mtu 1500
    fragment 1300
    mssfix
    ns-cert-type server
    # Client auth
    tls-client
    # Cipher
    cipher AES-256-CBC
    pkcs12 /var/ipfire/ovpn/certs/pf.p12
    # HMAC algorithm
    auth SHA256
    # Debug level
    verb 3
    # Tunnel check
    keepalive 10 60
    # Start as daemon
    daemon pfn2n
    writepid /var/run/pfn2n.pid
    # Activate management interface and port
    management localhost 1194
    # remsub 172.30.0.0/255.255.255.0
    
    

    OpenVPN-Server log:

    
    Jun 28 21:52:37 	openvpn 	58809 	PO_CTL rwflags=0x0001 ev=7 arg=0x00692584
    Jun 28 21:52:37 	openvpn 	58809 	PO_CTL rwflags=0x0001 ev=5 arg=0x00692588
    Jun 28 21:52:37 	openvpn 	58809 	I/O WAIT TR|Tw|SR|Sw [10/0]
    Jun 28 21:52:37 	openvpn 	58809 	PO_WAIT[0,0] fd=6 rev=0x00000001 rwflags=0x0001 arg=0x00693720
    Jun 28 21:52:37 	openvpn 	58809 	event_wait returned 1
    Jun 28 21:52:37 	openvpn 	58809 	I/O WAIT status=0x0001
    Jun 28 21:52:37 	openvpn 	58809 	UDPv4 read returned 114
    Jun 28 21:52:37 	openvpn 	58809 	TLS State Error: No TLS state for client [AF_INET]87.132.x.x:1194, opcode=4
    Jun 28 21:52:37 	openvpn 	58809 	GET INST BY REAL: 87.132.x.x:1194 [failed]
    Jun 28 21:52:37 	openvpn 	58809 	SCHEDULE: schedule_find_least NULL
    Jun 28 21:52:37 	openvpn 	58809 	PO_CTL rwflags=0x0001 ev=6 arg=0x00693720
    Jun 28 21:52:37 	openvpn 	58809 	PO_CTL rwflags=0x0001 ev=7 arg=0x00692584
    Jun 28 21:52:37 	openvpn 	58809 	PO_CTL rwflags=0x0001 ev=5 arg=0x00692588 
    
    

    OpenVPN-Client log:

    
    IPFire diagnostics
    Section: openvpn
    Date: June 28, 2016
    
    21:51:03 pfn2n[17087]:  VERIFY OK: depth=0, C=DE, ST=BaWu, L=xxx, O=xxxx, emailAddress=vpn@xxxx, CN=test.xxxx
    21:51:03 pfn2n[17087]:  VERIFY OK: nsCertType=SERVER
    21:51:03 pfn2n[17087]:  VERIFY OK: depth=1, C=DE, ST=BaWu, L=xxx, O=xxxx, emailAddress=vpn@xxxx, CN=internal-ca
    21:51:03 pfn2n[17087]:  TLS: Initial packet from [AF_INET]195.154.x.x:1194, sid=478bfbc1 106c30b7
    21:51:03 pfn2n[17087]:  UDPv4 link remote: [AF_INET]195.154.x.x:1194
    21:51:03 pfn2n[17087]:  UDPv4 link local (bound): [AF_INET]192.168.2.254:1194
    21:51:03 pfn2n[17087]:  Preserving previous TUN/TAP instance: tun1
    21:51:03 pfn2n[17087]:  Socket Buffers: R=[212992->131072] S=[212992->131072]
    21:51:03 pfn2n[17087]:  NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    21:51:01 pfn2n[17087]:  Restart pause, 2 second(s)
    21:51:01 pfn2n[17087]:  SIGUSR1[soft,ping-restart] received, process restarting
    21:51:01 pfn2n[17087]:  [test.xxxx] Inactivity timeout (--ping-restart), restarting
    21:50:03 pfn2n[17087]:  MANAGEMENT: Client disconnected
    21:50:03 pfn2n[17087]:  MANAGEMENT: CMD 'state'
    21:50:03 pfn2n[17087]:  MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1194
    21:50:00 pfn2n[17087]:  VERIFY OK: depth=0, C=DE, ST=BaWu, L=xxx, O=xxxx, emailAddress=vpn@xxxx, CN=test.xxxx
    21:50:00 pfn2n[17087]:  VERIFY OK: nsCertType=SERVER
    21:50:00 pfn2n[17087]:  VERIFY OK: depth=1, C=DE, ST=BaWu, L=xxx, O=xxxx, emailAddress=vpn@xxxx, CN=internal-ca
    21:50:00 pfn2n[17087]:  TLS: Initial packet from [AF_INET]195.154.x.x:1194, sid=bc4d0405 6a7a28f4
    21:50:00 pfn2n[17087]:  UDPv4 link remote: [AF_INET]195.154.x.x:1194
    21:50:00 pfn2n[17087]:  UDPv4 link local (bound): [AF_INET]192.168.2.254:1194
    21:50:00 pfn2n[17087]:  UID set to nobody
    21:50:00 pfn2n[17087]:  GID set to nobody
    21:50:00 pfn2n[17087]:  /sbin/ip route add 172.30.0.0/24 via 192.168.111.1
    21:50:00 pfn2n[17087]:  /etc/init.d/static-routes start tun1 1500 1573 192.168.111.2 192.168.111.1 init
    21:50:00 pfn2n[17087]:  /sbin/ip addr add dev tun1 local 192.168.111.2 peer 192.168.111.1
    21:50:00 pfn2n[17087]:  /sbin/ip link set dev tun1 up mtu 1500
    21:50:00 pfn2n[17087]:  do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    21:50:00 pfn2n[17087]:  TUN/TAP TX queue length set to 100
    21:50:00 pfn2n[17087]:  TUN/TAP device tun1 opened
    21:50:00 pfn2n[17087]:  ROUTE_GATEWAY 192.168.2.1/255.255.255.0 IFACE=red0 HWADDR=00:0d:b9:xx:xx:xx
    21:50:00 pfn2n[17087]:  Socket Buffers: R=[212992->131072] S=[212992->131072]
    21:50:00 pfn2n[17087]:  NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    21:50:00 pfn2n[17087]:  MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1194
    21:50:00 pfn2n[17086]:  library versions: OpenSSL 1.0.2h  3 May 2016, LZO 2.09
    21:50:00 pfn2n[17086]:  OpenVPN 2.3.7 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Apr  1 2016
    
    

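An added example, not part of the post above and not pfSense or IPFire code: a Python script that cross-checks the server and client settings quoted in the post (protocol, port, cipher, HMAC digest, tunnel addressing, topology, and the client's static routes against the server's local network) and decodes the server's "No TLS state for client ... opcode=4" line. The sample inputs are constructed from the values in the post (the remote and client public addresses stay masked as they are there); the OpenVPN 2.3 defaults used when a directive is absent (`BF-CBC`, `SHA1`, net30 topology) and the treatment of pfSense's `RSA-SHA256` digest name as an alias of `SHA256` are assumptions noted in the comments.

```python
"""Cross-check an OpenVPN site-to-site pair and decode 'No TLS state' errors.

Added example for this thread; not the poster's files or pfSense/IPFire code.
All inputs below are constructed from the values quoted in the post.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed from the pfSense <openvpn-server> block (trimmed to the fields used).
PFSENSE_XML = """<openvpn><openvpn-server>
  <mode>p2p_tls</mode><protocol>UDP</protocol><local_port>1194</local_port>
  <crypto>AES-256-CBC</crypto><digest>RSA-SHA256</digest>
  <tunnel_network>192.168.111.0/24</tunnel_network>
  <remote_network>10.0.20.0/24</remote_network>
  <local_network>172.30.0.0/24</local_network>
  <topology>subnet</topology>
</openvpn-server></openvpn>"""

# Constructed from the IPFire client config; the remote address is masked as in the post.
IPFIRE_CONF = """\
remote 195.154.x.x
float
ifconfig 192.168.111.2 192.168.111.1
route 10.0.10.0 255.255.255.0
dev tun
port 1194
proto udp
tls-client
cipher AES-256-CBC
auth SHA256
keepalive 10 60
"""

# Constructed server log line with the same shape as the one in the post.
SERVER_LOG_LINE = ("Jun 28 21:52:37 openvpn 58809 TLS State Error: No TLS state "
                   "for client [AF_INET]87.132.x.x:1194, opcode=4")

# OpenVPN control-channel opcodes (ssl.h / ssl_pkt.h).  A server only allocates a
# TLS session for an unknown endpoint on a client HARD_RESET; any other opcode
# from an endpoint it has no session for is logged as "No TLS state" and dropped.
OPCODES = {
    1: "P_CONTROL_HARD_RESET_CLIENT_V1", 2: "P_CONTROL_HARD_RESET_SERVER_V1",
    3: "P_CONTROL_SOFT_RESET_V1", 4: "P_CONTROL_V1", 5: "P_ACK_V1",
    6: "P_DATA_V1", 7: "P_CONTROL_HARD_RESET_CLIENT_V2",
    8: "P_CONTROL_HARD_RESET_SERVER_V2", 9: "P_DATA_V2",
    10: "P_CONTROL_HARD_RESET_CLIENT_V3",
}
SESSION_OPENERS = {1, 7, 10}
TLS_STATE_RE = re.compile(
    r"No TLS state for client \[AF_INET6?\](?P<host>\S+):(?P<port>\d+), opcode=(?P<op>\d+)")


def decode_tls_state_error(line):
    """Return peer, opcode name and whether that opcode could have opened a session."""
    m = TLS_STATE_RE.search(line)
    if not m:
        return None
    op = int(m.group("op"))
    return {"peer": f"{m.group('host')}:{m.group('port')}", "opcode": op,
            "name": OPCODES.get(op, "unknown"), "opens_session": op in SESSION_OPENERS}


def parse_pfsense(xml_text):
    """Pull the fields relevant to a site-to-site check out of pfSense's config.xml."""
    srv = ET.fromstring(xml_text).find("openvpn-server")

    def text(tag):
        el = srv.find(tag)
        return (el.text or "").strip() if el is not None else ""

    def nets(tag):  # pfSense stores several networks as a comma-separated list
        return [ipaddress.ip_network(n.strip()) for n in text(tag).split(",") if n.strip()]

    return {"proto": text("protocol").lower(), "port": text("local_port"),
            "cipher": text("crypto"), "auth": text("digest"), "topology": text("topology"),
            "tunnel": ipaddress.ip_network(text("tunnel_network")),
            "local_nets": nets("local_network"), "remote_nets": nets("remote_network")}


def parse_ipfire(conf_text):
    """Map each OpenVPN directive to the list of argument lists it appears with."""
    directives = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, *args = line.split()
            directives.setdefault(key, []).append(args)
    return directives


def norm_auth(name):
    # Assumption: OpenSSL accepts RSA-SHA256 as an alias of SHA256, so pfSense's
    # digest name and a plain "auth SHA256" describe the same HMAC.
    return name.upper().removeprefix("RSA-")


def crosscheck(server, client):
    """Return a list of mismatches between the server and client settings."""
    def arg(key, idx=0, default=None):
        occ = client.get(key)
        return occ[0][idx] if occ and len(occ[0]) > idx else default

    findings = []
    # Defaults are OpenVPN 2.3's when the directive is missing (assumption).
    for label, srv_val, cli_val in (("proto", server["proto"], arg("proto", default="udp").lower()),
                                    ("port", server["port"], arg("port", default="1194")),
                                    ("cipher", server["cipher"], arg("cipher", default="BF-CBC")),
                                    ("auth", norm_auth(server["auth"]), norm_auth(arg("auth", default="SHA1")))):
        if srv_val != cli_val:
            findings.append(f"{label}: server={srv_val} client={cli_val}")
    ifc = client.get("ifconfig", [[]])[0]
    cli_subnet = arg("topology") == "subnet"
    for addr in (ifc[:1] if cli_subnet else ifc):  # 2nd ifconfig arg is a netmask in subnet topology
        if ipaddress.ip_address(addr) not in server["tunnel"]:
            findings.append(f"ifconfig: {addr} is outside tunnel network {server['tunnel']}")
    if server["topology"] == "subnet" and "topology" not in client and not ({"pull", "client"} & set(client)):
        findings.append("topology: server uses 'topology subnet' but the client neither pulls nor sets "
                        "topology, so it reads its second ifconfig argument as the peer address "
                        "(net30/p2p), not as a netmask")
    for args in client.get("route", []):
        mask = args[1] if len(args) > 1 else "255.255.255.255"
        target = ipaddress.ip_network(f"{args[0]}/{mask}", strict=False)
        if not any(target.subnet_of(n) for n in server["local_nets"]):
            findings.append(f"route: client routes {target} over the tunnel but the server's "
                            f"local networks are {[str(n) for n in server['local_nets']]}")
    return findings


if __name__ == "__main__":
    for finding in crosscheck(parse_pfsense(PFSENSE_XML), parse_ipfire(IPFIRE_CONF)):
        print("MISMATCH", finding)
    print(decode_tls_state_error(SERVER_LOG_LINE))
```

On the values in the post the checker reports two things: the client's `route 10.0.10.0 255.255.255.0` points at a network that is not the server's `local_network` (172.30.0.0/24; the client log, by contrast, shows 172.30.0.0/24 being added, so the quoted file and the running one differ), and the server's `topology subnet` has no counterpart on a client that neither pulls nor declares a topology. The decoder classifies `opcode=4` as `P_CONTROL_V1`, a continuation packet of an existing handshake rather than a hard reset, which is why the server merely notes that it has no session for `87.132.x.x:1194` instead of starting one; note that the client config binds `port 1194` locally, which is the source port the server sees. Cipher, HMAC digest, port and protocol all agree between the two sides.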