VPN site to site between ZeroShell and PFSense



  • Hi all.

    I have a problem between ZeroShell (ZS foo) and pfSense.
    Since I have two sites that are currently connected by a ZS LAN-to-LAN VPN, I need to try out in advance whether pfSense, temporarily connected to the ZS, can manage a VPN.
    I want to replace it with pfSense in two steps.

    The connection seems to be established, but I don't get traffic to the other side. Maybe I overlooked something, because I'm not so familiar with pfSense yet. But this firewall is just the "hammer" ;)

    Now, my pfSense is up to date: 2.4.4-RELEASE

    In the VPN configuration page of pfSense I set:
    Server Mode: peer to peer
    Device Mode: tap (Layer 2)
    IPv4 Tunnel Network = 10.2.28.0/30
    IPv4 Local Network/s = 192.168.221.0/24
    IPv4 Remote Network/s = 192.168.3.0/24

    Gateway:

    Name        Default  Interface  Gateway    Monitor IP  Description
    TestPFS2ZS           PFS2ZS     10.2.28.1  10.2.28.1   TestPFS2ZS
    

    Static Routes:

    Network         Gateway             Interface  Description
    192.168.3.0/24  PFS2ZS - 10.2.28.1  PFS2ZS     TestPFS2ZS
    

    In Firewall / NAT / Outbound I see this information:

    10.10.10.1/32 127.0.0.0/8 ::1/128 192.168.3.0/24 192.168.221.0/24 10.2.28.0/30 
    

    Routes on PFSense:

    192.168.3.0/24	10.2.28.1	UGS	15	1500	ovpns1
    

    My ping test from the pfSense:

    PING 192.168.3.252 (192.168.3.252) from 10.2.28.1: 56 data bytes
    36 bytes from 10.2.28.1: Time to live exceeded
    Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
     4  5  00 0054 a8fb   0 0000  01  01 2607 10.2.28.1  192.168.3.252 
    
    36 bytes from 10.2.28.1: Time to live exceeded
    Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
     4  5  00 0054 4e2f   0 0000  01  01 80d3 10.2.28.1  192.168.3.252 
    
    36 bytes from 10.2.28.1: Time to live exceeded
    Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
     4  5  00 0054 1a7d   0 0000  01  01 b485 10.2.28.1  192.168.3.252 
    
    
    --- 192.168.3.252 ping statistics ---
    3 packets transmitted, 0 packets received, 100.0% packet loss
    

    But the p2p network interface can ping Google:

    PING 8.8.8.8 (8.8.8.8) from 10.2.28.1: 56 data bytes
    64 bytes from 8.8.8.8: icmp_seq=0 ttl=124 time=6.457 ms
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=124 time=5.711 ms
    64 bytes from 8.8.8.8: icmp_seq=2 ttl=124 time=5.686 ms
    
    --- 8.8.8.8 ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 5.686/5.951/6.457/0.358 ms
    

    How can I find the error? Any ideas?

    BR, p54

    EDIT: The verbose log tells me this:

    Oct 23 14:06:45 	openvpn 	52141 	MANAGEMENT: Client disconnected
    Oct 23 14:06:45 	openvpn 	52141 	MANAGEMENT: CMD 'quit'
    Oct 23 14:06:45 	openvpn 	14650 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
    Oct 23 14:06:45 	openvpn 	52141 	MANAGEMENT: CMD 'status 2'
    Oct 23 14:06:45 	openvpn 	52141 	MANAGEMENT: Client connected from /var/etc/openvpn/server4.sock
    Oct 23 14:06:44 	openvpn 	14650 	MANAGEMENT: Client disconnected
    Oct 23 14:06:44 	openvpn 	14650 	MANAGEMENT: CMD 'quit'
    Oct 23 14:06:44 	openvpn 	14650 	MANAGEMENT: CMD 'status 2'
    Oct 23 14:06:44 	openvpn 	14650 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
    Oct 23 14:06:44 	openvpn 	14650 	MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
    Oct 23 14:06:43 	openvpn 	14650 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
    Oct 23 14:06:42 	openvpn 	14650 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
    Oct 23 14:06:41 	openvpn 	14650 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
    Oct 23 14:06:40 	openvpn 	14650 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
    Oct 23 14:06:39 	openvpn 	14650 	UDPv4 WRITE [68] to [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
    Oct 23 14:06:39 	openvpn 	14650 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
    Oct 23 14:06:38 	openvpn 	14650 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
    Oct 23 14:06:37 	openvpn 	14650 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68 
    ...
    ...
    Oct 23 14:01:49 	openvpn 	14650 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
    Oct 23 14:01:48 	openvpn 	14650 	WARNING: 'ifconfig' is present in local config but missing in remote config, local='ifconfig 10.2.28.0 255.255.255.252'
    Oct 23 14:01:48 	openvpn 	14650 	UDPv4 READ [180] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=180
    Oct 23 14:01:48 	openvpn 	14650 	UDPv4 WRITE [68] to [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
    Oct 23 14:01:48 	openvpn 	14650 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
    Oct 23 14:01:46 	openvpn 	14650 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
    Oct 23 14:01:45 	openvpn 	14650 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
    Oct 23 14:01:44 	openvpn 	14650 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
    Oct 23 14:01:44 	openvpn 	14650 	UDPv4 WRITE [100] to [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=100
    Oct 23 14:01:44 	openvpn 	14650 	TUN READ [42]  
    

    And now I have found one problem:

    Oct 23 14:09:35 	openvpn 	89691 	OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.3.0
    Oct 23 14:09:35 	openvpn 	89691 	OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
    
    Oct 23 14:09:37 	openvpn 	89691 	RECEIVED PING PACKET
    Oct 23 14:09:37 	openvpn 	89691 	PID_TEST [0] [STATIC-0] [1_______________________________________________________________] 1540296359:203 1540296359:204 t=1540296577[0] r=[-1,64,15,0,1] sl=[0,64,64,528]
    Oct 23 14:09:37 	openvpn 	89691 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
    Oct 23 14:09:37 	openvpn 	89691 	UDPv4 WRITE [148] to [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=148
    Oct 23 14:09:37 	openvpn 	89691 	Initialization Sequence Completed
    Oct 23 14:09:37 	openvpn 	89691 	WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Oct 23 14:09:37 	openvpn 	89691 	TUN READ [90]
    Oct 23 14:09:36 	openvpn 	89691 	RECEIVED PING PACKET
    Oct 23 14:09:36 	openvpn 	89691 	Peer Connection Initiated with [AF_INET]PUBLIC.IP.UUU.OOO:1198
    Oct 23 14:09:36 	openvpn 	89691 	PID_TEST [0] [STATIC-0] [] 0:0 1540296359:203 t=1540296576[0] r=[0,64,15,0,1] sl=[0,0,64,528]
    Oct 23 14:09:36 	openvpn 	89691 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
    Oct 23 14:09:36 	openvpn 	89691 	TUN READ [86]
    Oct 23 14:09:36 	openvpn 	89691 	TUN READ [110]
    Oct 23 14:09:35 	openvpn 	89691 	TUN READ [90]
    Oct 23 14:09:35 	openvpn 	89691 	TUN READ [42]
    Oct 23 14:09:35 	openvpn 	89691 	SENT PING
    Oct 23 14:09:35 	openvpn 	89691 	UDPv4 link remote: [AF_UNSPEC]
    Oct 23 14:09:35 	openvpn 	89691 	UDPv4 link local (bound): [AF_INET]MY-FIREWALL-IP:1198
    Oct 23 14:09:35 	openvpn 	89691 	Socket Buffers: R=[42080->42080] S=[57344->57344]
    Oct 23 14:09:35 	openvpn 	89691 	Expected Remote Options String (VER=V4): 'V4,dev-type tap,link-mtu 1592,tun-mtu 1532,proto UDPv4,ifconfig 10.2.28.0 255.255.255.252,cipher AES-256-CBC,auth SHA1,keysize 256,secret'
    Oct 23 14:09:35 	openvpn 	89691 	Local Options String (VER=V4): 'V4,dev-type tap,link-mtu 1592,tun-mtu 1532,proto UDPv4,ifconfig 10.2.28.0 255.255.255.252,cipher AES-256-CBC,auth SHA1,keysize 256,secret'
    Oct 23 14:09:35 	openvpn 	89691 	Data Channel MTU parms [ L:1592 D:1450 EF:60 EB:401 ET:32 EL:3 ]
    Oct 23 14:09:35 	openvpn 	89691 	/usr/local/sbin/ovpn-linkup ovpns1 1500 1592 10.2.28.1 255.255.255.252 init
    Oct 23 14:09:35 	openvpn 	89691 	/sbin/ifconfig ovpns1 10.2.28.1 netmask 255.255.255.252 mtu 1500 up
    Oct 23 14:09:35 	openvpn 	89691 	do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    Oct 23 14:09:35 	openvpn 	89691 	TUN/TAP device /dev/tap1 opened
    Oct 23 14:09:35 	openvpn 	89691 	TUN/TAP device ovpns1 exists previously, keep at program end
    Oct 23 14:09:35 	openvpn 	89691 	OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.3.0
    Oct 23 14:09:35 	openvpn 	89691 	OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
    Oct 23 14:09:35 	openvpn 	89691 	ROUTE_GATEWAY MY-GATEWAY-IP/255.255.255.0 IFACE=em0 HWADDR=00:22:4d:84:a5:5e
    Oct 23 14:09:35 	openvpn 	89691 	MTU DYNAMIC mtu=1450, flags=2, 1592 -> 1450
    Oct 23 14:09:35 	openvpn 	89691 	crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 60 bytes
    Oct 23 14:09:35 	openvpn 	89691 	Incoming Static Key Encryption: HMAC size=20 block_size=20
    Oct 23 14:09:35 	openvpn 	89691 	Incoming Static Key Encryption: HMAC KEY: 539df7a0 161ef4a7 431d9aa7 20420fd7 e66253bf
    Oct 23 14:09:35 	openvpn 	89691 	Incoming Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
    Oct 23 14:09:35 	openvpn 	89691 	Incoming Static Key Encryption: CIPHER block_size=16 iv_size=16
    Oct 23 14:09:35 	openvpn 	89691 	Incoming Static Key Encryption: CIPHER KEY: eda8124f 237b110b 42161185 303089db 64869e74 051cec3d 1ac3b7e2 72caee2c
    Oct 23 14:09:35 	openvpn 	89691 	Incoming Static Key Encryption: Cipher 'AES-256-CBC' initialized with 256 bit key
    Oct 23 14:09:35 	openvpn 	89691 	Outgoing Static Key Encryption: HMAC size=20 block_size=20
    Oct 23 14:09:35 	openvpn 	89691 	Outgoing Static Key Encryption: HMAC KEY: 539df7a0 161ef4a7 431d9aa7 20420fd7 e66253bf
    Oct 23 14:09:35 	openvpn 	89691 	Outgoing Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
    Oct 23 14:09:35 	openvpn 	89691 	Outgoing Static Key Encryption: CIPHER block_size=16 iv_size=16
    Oct 23 14:09:35 	openvpn 	89691 	Outgoing Static Key Encryption: CIPHER KEY: eda8124f 237b110b 42161185 303089db 64869e74 051cec3d 1ac3b7e2 72caee2c
    Oct 23 14:09:35 	openvpn 	89691 	Outgoing Static Key Encryption: Cipher 'AES-256-CBC' initialized with 256 bit key 
    

    I have a feeling the tunnels are standing, but not right.

    Okay, one problem is solved: I can ping the virtual IP on my ZeroShell (foo):

    PING 10.2.28.2 (10.2.28.2) from 10.2.28.1: 56 data bytes
    64 bytes from 10.2.28.2: icmp_seq=0 ttl=64 time=26.396 ms
    64 bytes from 10.2.28.2: icmp_seq=1 ttl=64 time=26.548 ms
    64 bytes from 10.2.28.2: icmp_seq=2 ttl=64 time=26.466 ms
    
    --- 10.2.28.2 ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 26.396/26.470/26.548/0.062 ms
    

    This problem was a misconfiguration in the VPN settings (pfSense); I deleted the value and left it blank:

    IPv4 Remote Network/s = 192.168.3.0/24
    

    But now I must be able to ping the network behind ZeroShell and the virtual IP 10.2.28.1.

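The warnings in the verbose log above are the useful part of it. "'ifconfig' is present in local config but missing in remote config" means the options string announced by the ZeroShell side contains no ifconfig, so the two ends have not stated the same tunnel addressing. "OpenVPN needs a gateway parameter for a --route option" is what a route line (pfSense writes one for each entry in IPv4 Remote Network/s) produces on a tap tunnel: unlike tun, a tap ifconfig carries an address and netmask but no peer address, so OpenVPN has no default next hop and the route needs an explicit gateway, either on the route line or via route-gateway. The log also prints the static key's HMAC and cipher key bytes, which OpenVPN does at high verbosity; a paste containing them lets anyone decrypt and forge tunnel traffic, so those lines should be redacted before the log is shared and the key rotated if they were not. The script below is an added example, not code from the thread, pfSense or OpenVPN; it runs those three checks over a constructed log sample modelled on the lines above, with placeholder key bytes.

```python
"""Triage of a verbose OpenVPN log paste.

Added example, not from the thread. It scans a log for three things the
thread's log shows: the 'ifconfig ... missing in remote config' mismatch,
the 'OpenVPN ROUTE: ... needs a gateway parameter' failure that a --route
entry produces on a tap tunnel, and static-key bytes that OpenVPN prints at
high verbosity and that must be redacted before the log leaves the box.
"""
import re

# Constructed sample modelled on the log lines posted in the thread; the key
# bytes are placeholders, not real key material.
SAMPLE_LOG = """\
Oct 23 14:01:48 openvpn 14650 WARNING: 'ifconfig' is present in local config but missing in remote config, local='ifconfig 10.2.28.0 255.255.255.252'
Oct 23 14:09:35 openvpn 89691 OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.3.0
Oct 23 14:09:35 openvpn 89691 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Oct 23 14:09:35 openvpn 89691 Local Options String (VER=V4): 'V4,dev-type tap,link-mtu 1592,tun-mtu 1532,proto UDPv4,ifconfig 10.2.28.0 255.255.255.252,cipher AES-256-CBC,auth SHA1,keysize 256,secret'
Oct 23 14:09:35 openvpn 89691 Incoming Static Key Encryption: HMAC KEY: 00000000 11111111 22222222 33333333 44444444
Oct 23 14:09:35 openvpn 89691 Incoming Static Key Encryption: CIPHER KEY: 00000000 11111111 22222222 33333333 44444444 55555555 66666666 77777777
Oct 23 14:09:37 openvpn 89691 Initialization Sequence Completed
"""

KEY_LINE = re.compile(r"(Static Key Encryption: (?:HMAC|CIPHER) KEY: )([0-9a-f ]+)")
ROUTE_FAIL = re.compile(r"failed to parse/resolve route for host/network: (\S+)")
IFCONFIG_MISMATCH = re.compile(r"'ifconfig' is present in local config but missing in remote config")
OPTIONS = re.compile(r"Options String \(VER=V\d\): '([^']*)'")


def parse_options(opt_string):
    """'V4,dev-type tap,...,secret' -> {'dev-type': 'tap', ..., 'secret': ''}."""
    opts = {}
    for item in opt_string.split(","):
        key, _, value = item.partition(" ")
        opts[key] = value
    return opts


def triage(log_text):
    """Return (findings, redacted_log).

    findings is a list of (code, detail) tuples; redacted_log is the input
    with static-key bytes replaced so it is safe to paste elsewhere.
    """
    lines = log_text.splitlines()

    # First pass: pick up the negotiated options so route findings can say
    # whether the tunnel is tap (no implied gateway) or tun.
    opts = {}
    for line in lines:
        m = OPTIONS.search(line)
        if m:
            opts = parse_options(m.group(1))

    findings, safe_lines = [], []
    for line in lines:
        m = KEY_LINE.search(line)
        if m:
            findings.append(("KEY_MATERIAL_IN_LOG",
                             "static key bytes are in the log; rotate the key if this paste left the box"))
            line = line[:m.start(2)] + "<redacted>"
        if IFCONFIG_MISMATCH.search(line):
            findings.append(("IFCONFIG_MISMATCH",
                             "the remote side's options string has no ifconfig; both ends must state the tunnel subnet"))
        m = ROUTE_FAIL.search(line)
        if m:
            detail = "route to %s has no gateway" % m.group(1)
            if opts.get("dev-type") == "tap":
                detail += ("; in tap mode ifconfig carries no peer address, so add "
                           "'route-gateway <remote tunnel IP>' or a gateway on the route line")
            findings.append(("ROUTE_NO_GATEWAY", detail))
        safe_lines.append(line)
    return findings, "\n".join(safe_lines) + "\n"


if __name__ == "__main__":
    found, redacted = triage(SAMPLE_LOG)
    for code, detail in found:
        print("%-22s %s" % (code, detail))
    print(redacted)
```

Run it against a real paste with `triage(open("openvpn.log").read())`; the redacted copy is the one to post, and the ROUTE_NO_GATEWAY detail names the fix for the tap case, where the remote tunnel IP is the far end of the /30 (10.2.28.2 in this thread).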


  • Hey.

    I don't understand the problem: why won't the ping go out over the VPN tunnel?

    My settings for OvpnServer:

    [screenshot 2018-10-24_095723.png]
    [screenshot 2018-10-24_095758.png]
    [screenshot 2018-10-24_095816.png]

    My firewall rules:
    [screenshot 2018-10-24_095837.png]

    My interfaces:
    [screenshot 2018-10-24_095911.png]

    My interface settings for OPT6:
    [screenshot 2018-10-24_095928.png]

    My gateway OPT6:
    [screenshot 2018-10-24_095959.png]

    My static route:
    [screenshot 2018-10-24_100028.png]

    I take a traceroute to destination 192.168.3.32 over my local LAN interface:
    [screenshot 2018-10-24_100905.png]

    I only see this:

     1  10.2.28.1  0.240 ms  3.165 ms  0.200 ms
     2  10.2.28.1  3.687 ms  3.664 ms  0.228 ms
     3  10.2.28.1  3.593 ms  3.703 ms  0.244 ms
     4  10.2.28.1  3.639 ms  3.698 ms  0.241 ms
     5  10.2.28.1  3.650 ms  3.765 ms  0.254 ms
     6  10.2.28.1  0.260 ms  0.238 ms  3.648 ms
     7  10.2.28.1  3.676 ms  0.257 ms  3.640 ms
     8  10.2.28.1  3.711 ms  0.270 ms  0.270 ms
     9  10.2.28.1  0.286 ms  0.277 ms  0.286 ms
    10  10.2.28.1  0.288 ms  0.248 ms  3.631 ms
    11  10.2.28.1  3.826 ms  0.283 ms  3.729 ms
    12  10.2.28.1  3.736 ms  0.289 ms  3.544 ms
    13  10.2.28.1  3.830 ms  0.314 ms  0.297 ms
    14  10.2.28.1  0.309 ms  0.365 ms  0.311 ms
    15  10.2.28.1  0.318 ms  0.315 ms  0.316 ms
    16  10.2.28.1  0.328 ms  0.323 ms  0.321 ms
    17  10.2.28.1  0.319 ms  0.325 ms  0.339 ms
    18  10.2.28.1  0.326 ms  0.331 ms  0.333 ms
    

    But I can ping from the virtual IP 10.2.28.1 (pfSense) to my ZeroShell (foo 10.2.28.2); that looks good:

    PING 10.2.28.2 (10.2.28.2) from 10.2.28.1: 56 data bytes
    64 bytes from 10.2.28.2: icmp_seq=0 ttl=64 time=26.396 ms
    64 bytes from 10.2.28.2: icmp_seq=1 ttl=64 time=26.548 ms
    64 bytes from 10.2.28.2: icmp_seq=2 ttl=64 time=26.466 ms
    
    --- 10.2.28.2 ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 26.396/26.470/26.548/0.062 ms
    

    Does anyone have any idea what I missed?

    BR
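
The traceroute in this post answers from 10.2.28.1 on every hop, and in the first post the ping from 10.2.28.1 got "Time to live exceeded" from 10.2.28.1 itself. Both are what a static route produces when its next hop is one of the host's own addresses: the kernel keeps forwarding the packet to itself until the TTL runs out. The static route posted in the first post uses gateway 10.2.28.1, which the ifconfig line in the log shows is pfSense's own end of the 10.2.28.0/30 tunnel; the far end, the one that answers ping, is 10.2.28.2. The script below is an added example, not code from the thread or from pfSense; it encodes that check over the addresses and route as posted (the LAN interface address 192.168.221.1 is an assumption, the thread only gives the /24), derives the far end of the /30, and recognises the all-same-hop traceroute pattern.

```python
"""Static-route and path sanity check for a routed VPN.

Added example, not from the thread. It flags a route whose next hop is one
of this host's own addresses, which makes a ping from the box answer itself
with 'Time to live exceeded' and a traceroute show the same local address
on every hop, and computes the correct next hop for a /30 tunnel.
"""
import ipaddress
import re

# Constructed from the thread's pfSense configuration: the tap interface
# address from the ifconfig line, and the static route as posted. The LAN
# address 192.168.221.1 is an assumption; the thread only gives the /24.
INTERFACES = {"ovpns1": "10.2.28.1/30", "lan": "192.168.221.1/24"}
POSTED_ROUTES = [("192.168.3.0/24", "10.2.28.1")]

# Constructed traceroute output shaped like the one in the thread.
SAMPLE_TRACEROUTE = """\
 1  10.2.28.1  0.240 ms  3.165 ms  0.200 ms
 2  10.2.28.1  3.687 ms  3.664 ms  0.228 ms
 3  10.2.28.1  3.593 ms  3.703 ms  0.244 ms
"""

HOP = re.compile(r"^\s*(\d+)\s+(\d+\.\d+\.\d+\.\d+)")


def local_addresses(interfaces):
    """All addresses configured on this host."""
    return {ipaddress.ip_interface(cidr).ip for cidr in interfaces.values()}


def check_routes(interfaces, routes):
    """Return a list of (destination, problem) for routes that cannot work."""
    local = local_addresses(interfaces)
    connected = [ipaddress.ip_interface(c).network for c in interfaces.values()]
    problems = []
    for dest, gateway in routes:
        gw = ipaddress.ip_address(gateway)
        if gw in local:
            # Forwarding to yourself: the packet never leaves the box.
            problems.append((dest, "next hop %s is this host's own address (routing loop)" % gateway))
        elif not any(gw in net for net in connected):
            problems.append((dest, "next hop %s is not on a connected network" % gateway))
    return problems


def remote_tunnel_peer(interfaces, tunnel_if):
    """The other usable address of a /30 tunnel, i.e. the next hop for remote LANs."""
    iface = ipaddress.ip_interface(interfaces[tunnel_if])
    others = [h for h in iface.network.hosts() if h != iface.ip]
    if len(others) != 1:
        raise ValueError("%s is not a point-to-point /30" % tunnel_if)
    return str(others[0])


def traceroute_loops_locally(output, interfaces):
    """True when every hop that answered is one of this host's own addresses."""
    local = local_addresses(interfaces)
    hops = [ipaddress.ip_address(m.group(2))
            for m in (HOP.match(line) for line in output.splitlines()) if m]
    return bool(hops) and all(h in local for h in hops)


if __name__ == "__main__":
    for dest, problem in check_routes(INTERFACES, POSTED_ROUTES):
        print("%s: %s" % (dest, problem))
    print("next hop for remote LANs should be", remote_tunnel_peer(INTERFACES, "ovpns1"))
    print("traceroute loops on this host:", traceroute_loops_locally(SAMPLE_TRACEROUTE, INTERFACES))
```

With the posted values the check reports the 192.168.3.0/24 route as a loop and the traceroute as local; pointing the gateway at 10.2.28.2 makes the route check pass. Two things this script cannot see still have to be true before traffic flows end to end: ZeroShell needs a route for 192.168.221.0/24 back through the tunnel (otherwise replies are lost on the far side), and the pfSense rules on the OpenVPN interface must pass the traffic in both directions.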