Netgate Discussion Forum

    VPN site to site between ZeroShell and PFSense

    p54 (last edited by p54)

      Hi @ all.

      I have a problem between ZeroShell (ZS foo) and pfSense.
      I have two sites that are currently connected through a LAN-to-LAN VPN on the ZS, and I need to test in advance whether pfSense can temporarily be connected to the ZS and manage a VPN.
      I want to replace it with pfSense in two steps.

      The connection seems to be established, but I don't get traffic to the other side. Maybe I overlooked something, because I am not so familiar with pfSense yet. But this firewall is just the "hammer" ;)

      Now, to my pfSense: it is up to date, 2.4.4-RELEASE.

      In the VPN configuration page of pfSense I set:
      Server Mode: Peer to Peer
      Device Mode: tap (Layer 2)
      IPv4 Tunnel Network = 10.2.28.0/30
      IPv4 Local Network/s = 192.168.221.0/24
      IPv4 Remote Network/s = 192.168.3.0/24

      Gateway:

      Name        Default  Interface  Gateway    Monitor IP  Description
      TestPFS2ZS           PFS2ZS     10.2.28.1  10.2.28.1   TestPFS2ZS


      Static Routes:

      Network         Gateway             Interface  Description  Actions
      192.168.3.0/24  PFS2ZS - 10.2.28.1  PFS2ZS     TestPFS2ZS


      In Firewall / NAT / Outbound I see this information:

      10.10.10.1/32 127.0.0.0/8 ::1/128 192.168.3.0/24 192.168.221.0/24 10.2.28.0/30 
      

      Routes on PFSense:

      192.168.3.0/24	10.2.28.1	UGS	15	1500	ovpns1
      

      My ping test from the pfSense:

      PING 192.168.3.252 (192.168.3.252) from 10.2.28.1: 56 data bytes
      36 bytes from 10.2.28.1: Time to live exceeded
      Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
       4  5  00 0054 a8fb   0 0000  01  01 2607 10.2.28.1  192.168.3.252 
      
      36 bytes from 10.2.28.1: Time to live exceeded
      Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
       4  5  00 0054 4e2f   0 0000  01  01 80d3 10.2.28.1  192.168.3.252 
      
      36 bytes from 10.2.28.1: Time to live exceeded
      Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
       4  5  00 0054 1a7d   0 0000  01  01 b485 10.2.28.1  192.168.3.252 
      
      
      --- 192.168.3.252 ping statistics ---
      3 packets transmitted, 0 packets received, 100.0% packet loss
      

      But the p2p network interface can ping Google:

      PING 8.8.8.8 (8.8.8.8) from 10.2.28.1: 56 data bytes
      64 bytes from 8.8.8.8: icmp_seq=0 ttl=124 time=6.457 ms
      64 bytes from 8.8.8.8: icmp_seq=1 ttl=124 time=5.711 ms
      64 bytes from 8.8.8.8: icmp_seq=2 ttl=124 time=5.686 ms
      
      --- 8.8.8.8 ping statistics ---
      3 packets transmitted, 3 packets received, 0.0% packet loss
      round-trip min/avg/max/stddev = 5.686/5.951/6.457/0.358 ms
      

      How can I find the error? Any ideas?

      BR, p54

      EDIT: The verbose log tells me this:

      Oct 23 14:06:45 	openvpn 	52141 	MANAGEMENT: Client disconnected
      Oct 23 14:06:45 	openvpn 	52141 	MANAGEMENT: CMD 'quit'
      Oct 23 14:06:45 	openvpn 	14650 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
      Oct 23 14:06:45 	openvpn 	52141 	MANAGEMENT: CMD 'status 2'
      Oct 23 14:06:45 	openvpn 	52141 	MANAGEMENT: Client connected from /var/etc/openvpn/server4.sock
      Oct 23 14:06:44 	openvpn 	14650 	MANAGEMENT: Client disconnected
      Oct 23 14:06:44 	openvpn 	14650 	MANAGEMENT: CMD 'quit'
      Oct 23 14:06:44 	openvpn 	14650 	MANAGEMENT: CMD 'status 2'
      Oct 23 14:06:44 	openvpn 	14650 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
      Oct 23 14:06:44 	openvpn 	14650 	MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
      Oct 23 14:06:43 	openvpn 	14650 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
      Oct 23 14:06:42 	openvpn 	14650 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
      Oct 23 14:06:41 	openvpn 	14650 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
      Oct 23 14:06:40 	openvpn 	14650 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
      Oct 23 14:06:39 	openvpn 	14650 	UDPv4 WRITE [68] to [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
      Oct 23 14:06:39 	openvpn 	14650 	UDPv4 READ [68] from [AF_INETPUBLIC.IP.UUU.OOO:1198: DATA len=68
      Oct 23 14:06:38 	openvpn 	14650 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
      Oct 23 14:06:37 	openvpn 	14650 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68 
      ...
      ...
      Oct 23 14:01:49 	openvpn 	14650 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
      Oct 23 14:01:48 	openvpn 	14650 	WARNING: 'ifconfig' is present in local config but missing in remote config, local='ifconfig 10.2.28.0 255.255.255.252'
      Oct 23 14:01:48 	openvpn 	14650 	UDPv4 READ [180] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=180
      Oct 23 14:01:48 	openvpn 	14650 	UDPv4 WRITE [68] to [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
      Oct 23 14:01:48 	openvpn 	14650 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO: 1198: DATA len=68
      Oct 23 14:01:46 	openvpn 	14650 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO: 1198: DATA len=68
      Oct 23 14:01:45 	openvpn 	14650 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO: 1198: DATA len=68
      Oct 23 14:01:44 	openvpn 	14650 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
      Oct 23 14:01:44 	openvpn 	14650 	UDPv4 WRITE [100] to [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=100
      Oct 23 14:01:44 	openvpn 	14650 	TUN READ [42]  
      

      And now, I have found one problem:

      Oct 23 14:09:35 	openvpn 	89691 	OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.3.0
      Oct 23 14:09:35 	openvpn 	89691 	OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
      
      Oct 23 14:09:37 	openvpn 	89691 	RECEIVED PING PACKET
      Oct 23 14:09:37 	openvpn 	89691 	PID_TEST [0] [STATIC-0] [1_______________________________________________________________] 1540296359:203 1540296359:204 t=1540296577[0] r=[-1,64,15,0,1] sl=[0,64,64,528]
      Oct 23 14:09:37 	openvpn 	89691 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
      Oct 23 14:09:37 	openvpn 	89691 	UDPv4 WRITE [148] to [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=148
      Oct 23 14:09:37 	openvpn 	89691 	Initialization Sequence Completed
      Oct 23 14:09:37 	openvpn 	89691 	WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
      Oct 23 14:09:37 	openvpn 	89691 	TUN READ [90]
      Oct 23 14:09:36 	openvpn 	89691 	RECEIVED PING PACKET
      Oct 23 14:09:36 	openvpn 	89691 	Peer Connection Initiated with [AF_INET]PUBLIC.IP.UUU.OOO:1198
      Oct 23 14:09:36 	openvpn 	89691 	PID_TEST [0] [STATIC-0] [] 0:0 1540296359:203 t=1540296576[0] r=[0,64,15,0,1] sl=[0,0,64,528]
      Oct 23 14:09:36 	openvpn 	89691 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
      Oct 23 14:09:36 	openvpn 	89691 	TUN READ [86]
      Oct 23 14:09:36 	openvpn 	89691 	TUN READ [110]
      Oct 23 14:09:35 	openvpn 	89691 	TUN READ [90]
      Oct 23 14:09:35 	openvpn 	89691 	TUN READ [42]
      Oct 23 14:09:35 	openvpn 	89691 	SENT PING
      Oct 23 14:09:35 	openvpn 	89691 	UDPv4 link remote: [AF_UNSPEC]
      Oct 23 14:09:35 	openvpn 	89691 	UDPv4 link local (bound): [AF_INET]MY-FIREWALL-IP:1198
      Oct 23 14:09:35 	openvpn 	89691 	Socket Buffers: R=[42080->42080] S=[57344->57344]
      Oct 23 14:09:35 	openvpn 	89691 	Expected Remote Options String (VER=V4): 'V4,dev-type tap,link-mtu 1592,tun-mtu 1532,proto UDPv4,ifconfig 10.2.28.0 255.255.255.252,cipher AES-256-CBC,auth SHA1,keysize 256,secret'
      Oct 23 14:09:35 	openvpn 	89691 	Local Options String (VER=V4): 'V4,dev-type tap,link-mtu 1592,tun-mtu 1532,proto UDPv4,ifconfig 10.2.28.0 255.255.255.252,cipher AES-256-CBC,auth SHA1,keysize 256,secret'
      Oct 23 14:09:35 	openvpn 	89691 	Data Channel MTU parms [ L:1592 D:1450 EF:60 EB:401 ET:32 EL:3 ]
      Oct 23 14:09:35 	openvpn 	89691 	/usr/local/sbin/ovpn-linkup ovpns1 1500 1592 10.2.28.1 255.255.255.252 init
      Oct 23 14:09:35 	openvpn 	89691 	/sbin/ifconfig ovpns1 10.2.28.1 netmask 255.255.255.252 mtu 1500 up
      Oct 23 14:09:35 	openvpn 	89691 	do_ifconfig, tt->did_ifconfig_ipv6_setup=0
      Oct 23 14:09:35 	openvpn 	89691 	TUN/TAP device /dev/tap1 opened
      Oct 23 14:09:35 	openvpn 	89691 	TUN/TAP device ovpns1 exists previously, keep at program end
      Oct 23 14:09:35 	openvpn 	89691 	OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.3.0
      Oct 23 14:09:35 	openvpn 	89691 	OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
      Oct 23 14:09:35 	openvpn 	89691 	ROUTE_GATEWAY MY-GATEWAY-IP/255.255.255.0 IFACE=em0 HWADDR=00:22:4d:84:a5:5e
      Oct 23 14:09:35 	openvpn 	89691 	MTU DYNAMIC mtu=1450, flags=2, 1592 -> 1450
      Oct 23 14:09:35 	openvpn 	89691 	crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 60 bytes
      Oct 23 14:09:35 	openvpn 	89691 	Incoming Static Key Encryption: HMAC size=20 block_size=20
      Oct 23 14:09:35 	openvpn 	89691 	Incoming Static Key Encryption: HMAC KEY: 539df7a0 161ef4a7 431d9aa7 20420fd7 e66253bf
      Oct 23 14:09:35 	openvpn 	89691 	Incoming Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
      Oct 23 14:09:35 	openvpn 	89691 	Incoming Static Key Encryption: CIPHER block_size=16 iv_size=16
      Oct 23 14:09:35 	openvpn 	89691 	Incoming Static Key Encryption: CIPHER KEY: eda8124f 237b110b 42161185 303089db 64869e74 051cec3d 1ac3b7e2 72caee2c
      Oct 23 14:09:35 	openvpn 	89691 	Incoming Static Key Encryption: Cipher 'AES-256-CBC' initialized with 256 bit key
      Oct 23 14:09:35 	openvpn 	89691 	Outgoing Static Key Encryption: HMAC size=20 block_size=20
      Oct 23 14:09:35 	openvpn 	89691 	Outgoing Static Key Encryption: HMAC KEY: 539df7a0 161ef4a7 431d9aa7 20420fd7 e66253bf
      Oct 23 14:09:35 	openvpn 	89691 	Outgoing Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
      Oct 23 14:09:35 	openvpn 	89691 	Outgoing Static Key Encryption: CIPHER block_size=16 iv_size=16
      Oct 23 14:09:35 	openvpn 	89691 	Outgoing Static Key Encryption: CIPHER KEY: eda8124f 237b110b 42161185 303089db 64869e74 051cec3d 1ac3b7e2 72caee2c
      Oct 23 14:09:35 	openvpn 	89691 	Outgoing Static Key Encryption: Cipher 'AES-256-CBC' initialized with 256 bit key 
      

      I have a feeling the tunnels are up, but not right.

      Okay, one problem is solved: I can ping the virtual IP on my ZeroShell (foo):

      PING 10.2.28.2 (10.2.28.2) from 10.2.28.1: 56 data bytes
      64 bytes from 10.2.28.2: icmp_seq=0 ttl=64 time=26.396 ms
      64 bytes from 10.2.28.2: icmp_seq=1 ttl=64 time=26.548 ms
      64 bytes from 10.2.28.2: icmp_seq=2 ttl=64 time=26.466 ms
      
      --- 10.2.28.2 ping statistics ---
      3 packets transmitted, 3 packets received, 0.0% packet loss
      round-trip min/avg/max/stddev = 26.396/26.470/26.548/0.062 ms
      

      This problem was a misconfiguration in the VPN settings (pfSense): I deleted the value and left it blank!

      IPv4 Remote Network/s = 192.168.3.0/24
      

      But now, I must ping the network behind ZeroShell and the virtual IP 10.2.28.1.

      p54 (last edited by p54)

        Hey.

        I don't understand the problem: why won't the ping go out over the VPN tunnel?

        My settings for the OpenVPN server:
        (three screenshots)

        My firewall rules:
        (screenshot)

        My interfaces:
        (screenshot)

        My interface settings for OPT6:
        (screenshot)

        My gateway OPT6:
        (screenshot)

        My static route:
        (screenshot)

        I ran a traceroute to destination 192.168.3.32 over my local LAN interface:
        (screenshot)

        I only see this:

         1  10.2.28.1  0.240 ms  3.165 ms  0.200 ms
         2  10.2.28.1  3.687 ms  3.664 ms  0.228 ms
         3  10.2.28.1  3.593 ms  3.703 ms  0.244 ms
         4  10.2.28.1  3.639 ms  3.698 ms  0.241 ms
         5  10.2.28.1  3.650 ms  3.765 ms  0.254 ms
         6  10.2.28.1  0.260 ms  0.238 ms  3.648 ms
         7  10.2.28.1  3.676 ms  0.257 ms  3.640 ms
         8  10.2.28.1  3.711 ms  0.270 ms  0.270 ms
         9  10.2.28.1  0.286 ms  0.277 ms  0.286 ms
        10  10.2.28.1  0.288 ms  0.248 ms  3.631 ms
        11  10.2.28.1  3.826 ms  0.283 ms  3.729 ms
        12  10.2.28.1  3.736 ms  0.289 ms  3.544 ms
        13  10.2.28.1  3.830 ms  0.314 ms  0.297 ms
        14  10.2.28.1  0.309 ms  0.365 ms  0.311 ms
        15  10.2.28.1  0.318 ms  0.315 ms  0.316 ms
        16  10.2.28.1  0.328 ms  0.323 ms  0.321 ms
        17  10.2.28.1  0.319 ms  0.325 ms  0.339 ms
        18  10.2.28.1  0.326 ms  0.331 ms  0.333 ms
        

        But I can ping from the virtual IP 10.2.28.1 (pfSense) to my ZeroShell (foo 10.2.28.2), which looks good:

        PING 10.2.28.2 (10.2.28.2) from 10.2.28.1: 56 data bytes
        64 bytes from 10.2.28.2: icmp_seq=0 ttl=64 time=26.396 ms
        64 bytes from 10.2.28.2: icmp_seq=1 ttl=64 time=26.548 ms
        64 bytes from 10.2.28.2: icmp_seq=2 ttl=64 time=26.466 ms
        
        --- 10.2.28.2 ping statistics ---
        3 packets transmitted, 3 packets received, 0.0% packet loss
        round-trip min/avg/max/stddev = 26.396/26.470/26.548/0.062 ms
        

        Does anyone have any idea what I missed?

        BR
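As an added diagnostic (not code from the thread or from pfSense/ZeroShell), this Python script checks the two symptoms shown in the posts above: a static route whose next hop is the host's own tunnel address (the gateway 10.2.28.1 next to "ifconfig ovpns1 10.2.28.1", which yields "Time to live exceeded" from 10.2.28.1 in the ping), and a traceroute whose every hop is the local host. The tunnel and route values are copied from the posts; the expectation that the next hop should be the peer's end of the /30 is an assumption of the check.

```python
import ipaddress
import re

# Constructed from the values posted in the thread: the /30 tunnel network,
# pfSense's own end of it ("/sbin/ifconfig ovpns1 10.2.28.1"), and the static
# route that sends 192.168.3.0/24 to gateway 10.2.28.1.
TUNNEL_NET = ipaddress.ip_network("10.2.28.0/30")
LOCAL_ADDRS = {ipaddress.ip_address("10.2.28.1")}
STATIC_ROUTES = [
    {"network": "192.168.3.0/24", "gateway": "10.2.28.1", "interface": "ovpns1"},
]

# Three hops copied from the posted traceroute (constructed sample, shortened).
TRACEROUTE_SAMPLE = """\
 1  10.2.28.1  0.240 ms  3.165 ms  0.200 ms
 2  10.2.28.1  3.687 ms  3.664 ms  0.228 ms
 3  10.2.28.1  3.593 ms  3.703 ms  0.244 ms
"""


def check_route_gateways(routes, local_addrs, tunnel_net):
    """Return one problem string per bad static route (empty list = OK).

    A next hop that is one of this host's own addresses hands the packet back
    to the same kernel, which forwards it to itself until the TTL reaches 0:
    that is the "Time to live exceeded" from 10.2.28.1 in the posted ping.
    Assumption: the next hop over a /30 tunnel should be the peer's end of it.
    """
    problems = []
    for r in routes:
        gw = ipaddress.ip_address(r["gateway"])
        if gw in local_addrs:
            peers = [h for h in tunnel_net.hosts() if h not in local_addrs]
            hint = f"; expected the peer end of {tunnel_net}, i.e. {peers[0]}" if peers else ""
            problems.append(f"route {r['network']} via {gw} points at this host's own address{hint}")
        elif gw not in tunnel_net:
            problems.append(f"route {r['network']} via {gw}: gateway is outside tunnel network {tunnel_net}")
    return problems


HOP_RE = re.compile(r"^\s*\d+\s+(\d+\.\d+\.\d+\.\d+)\s")


def traceroute_loops_on_self(output, local_addrs):
    """True when every hop of a traceroute is one of this host's own addresses,
    i.e. the packet never leaves the box (the 18-hop output in the second post)."""
    hops = [ipaddress.ip_address(m.group(1))
            for m in map(HOP_RE.match, output.splitlines()) if m]
    return len(hops) > 1 and all(h in local_addrs for h in hops)
```

Run `check_route_gateways(STATIC_ROUTES, LOCAL_ADDRS, TUNNEL_NET)` against a pfSense box's static routes and local tunnel addresses; an empty list means no self-referencing or off-tunnel next hop was found.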

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.