4. VPN site to site between ZeroShell and PFSense

VPN site to site between ZeroShell and PFSense

  • P

    Hi @ all.

    I have a problem between ZeroShell (ZS foo) and PFSense.
    Since I have two sites and they are currently connected to the ZS a Lan to Lan VPN, I need to try in advance if PFSense is temporarily connected to the ZS managing a VPN.
    I want to replace it with PFSense in two steps.

    The connection seems to be established. But I don't get traffic to the other side. Maybe I overlooked something, because PFSense is not so familiar to me yet. But this firewall is just the "hammer" ;)

    Now, to my PFSense, it is up2date: 2.4.4-RELEASE

    In the vpn configuration page from PFSense I set:
    Server Mode: peer 2 peer
    Device Mode: tap Layer 2
    IPv4 Tunnel Network = 10.2.28.0/30
    IPv4 Local Network/s = 192.168.221.0/24
    IPv4 Remote Network/s = 192.168.3.0/24

    Gateway:

    Name               Default Interface  Gateway    Monitor IP Description
TestPFS2ZS                 PFS2ZS     10.2.28.1  10.2.28.1  TestPFS2ZS

    Static Routes:

    Network        Gateway 	           Interface Description 	Actions
192.168.3.0/24 PFS2ZS  - 10.2.28.1 PFS2ZS    TestPFS2ZS

    In my Firewall / NAT / Outbound i see this information:

    10.10.10.1/32 127.0.0.0/8 ::1/128 192.168.3.0/24 192.168.221.0/24 10.2.28.0/30

    Routes on PFSense:

    192.168.3.0/24	10.2.28.1	UGS	15	1500	ovpns1

    my ping test from the pfsense:

    PING 192.168.3.252 (192.168.3.252) from 10.2.28.1: 56 data bytes
36 bytes from 10.2.28.1: Time to live exceeded
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 a8fb   0 0000  01  01 2607 10.2.28.1  192.168.3.252 

36 bytes from 10.2.28.1: Time to live exceeded
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 4e2f   0 0000  01  01 80d3 10.2.28.1  192.168.3.252 

36 bytes from 10.2.28.1: Time to live exceeded
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 1a7d   0 0000  01  01 b485 10.2.28.1  192.168.3.252 


--- 192.168.3.252 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss

    but the p2p Networkinterface can ping google:

    PING 8.8.8.8 (8.8.8.8) from 10.2.28.1: 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=124 time=6.457 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=124 time=5.711 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=124 time=5.686 ms

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 5.686/5.951/6.457/0.358 ms

    how can find the error, any ideas about it?

    BR, p54

    EDIT: The verboslog tell me this:

    Oct 23 14:06:45 	openvpn 	52141 	MANAGEMENT: Client disconnected
Oct 23 14:06:45 	openvpn 	52141 	MANAGEMENT: CMD 'quit'
Oct 23 14:06:45 	openvpn 	14650 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
Oct 23 14:06:45 	openvpn 	52141 	MANAGEMENT: CMD 'status 2'
Oct 23 14:06:45 	openvpn 	52141 	MANAGEMENT: Client connected from /var/etc/openvpn/server4.sock
Oct 23 14:06:44 	openvpn 	14650 	MANAGEMENT: Client disconnected
Oct 23 14:06:44 	openvpn 	14650 	MANAGEMENT: CMD 'quit'
Oct 23 14:06:44 	openvpn 	14650 	MANAGEMENT: CMD 'status 2'
Oct 23 14:06:44 	openvpn 	14650 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
Oct 23 14:06:44 	openvpn 	14650 	MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Oct 23 14:06:43 	openvpn 	14650 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
Oct 23 14:06:42 	openvpn 	14650 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
Oct 23 14:06:41 	openvpn 	14650 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
Oct 23 14:06:40 	openvpn 	14650 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
Oct 23 14:06:39 	openvpn 	14650 	UDPv4 WRITE [68] to [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
Oct 23 14:06:39 	openvpn 	14650 	UDPv4 READ [68] from [AF_INETPUBLIC.IP.UUU.OOO:1198: DATA len=68
Oct 23 14:06:38 	openvpn 	14650 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
Oct 23 14:06:37 	openvpn 	14650 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68 
...
...
Oct 23 14:01:49 	openvpn 	14650 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
Oct 23 14:01:48 	openvpn 	14650 	WARNING: 'ifconfig' is present in local config but missing in remote config, local='ifconfig 10.2.28.0 255.255.255.252'
Oct 23 14:01:48 	openvpn 	14650 	UDPv4 READ [180] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=180
Oct 23 14:01:48 	openvpn 	14650 	UDPv4 WRITE [68] to [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
Oct 23 14:01:48 	openvpn 	14650 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO: 1198: DATA len=68
Oct 23 14:01:46 	openvpn 	14650 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO: 1198: DATA len=68
Oct 23 14:01:45 	openvpn 	14650 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO: 1198: DATA len=68
Oct 23 14:01:44 	openvpn 	14650 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
Oct 23 14:01:44 	openvpn 	14650 	UDPv4 WRITE [100] to [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=100
Oct 23 14:01:44 	openvpn 	14650 	TUN READ [42]

    And now, i have found one Problem :

    Oct 23 14:09:35 	openvpn 	89691 	OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.3.0
Oct 23 14:09:35 	openvpn 	89691 	OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options

    Oct 23 14:09:37 	openvpn 	89691 	RECEIVED PING PACKET
Oct 23 14:09:37 	openvpn 	89691 	PID_TEST [0] [STATIC-0] [1_______________________________________________________________] 1540296359:203 1540296359:204 t=1540296577[0] r=[-1,64,15,0,1] sl=[0,64,64,528]
Oct 23 14:09:37 	openvpn 	89691 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
Oct 23 14:09:37 	openvpn 	89691 	UDPv4 WRITE [148] to [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=148
Oct 23 14:09:37 	openvpn 	89691 	Initialization Sequence Completed
Oct 23 14:09:37 	openvpn 	89691 	WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Oct 23 14:09:37 	openvpn 	89691 	TUN READ [90]
Oct 23 14:09:36 	openvpn 	89691 	RECEIVED PING PACKET
Oct 23 14:09:36 	openvpn 	89691 	Peer Connection Initiated with [AF_INET]PUBLIC.IP.UUU.OOO:1198
Oct 23 14:09:36 	openvpn 	89691 	PID_TEST [0] [STATIC-0] [] 0:0 1540296359:203 t=1540296576[0] r=[0,64,15,0,1] sl=[0,0,64,528]
Oct 23 14:09:36 	openvpn 	89691 	UDPv4 READ [68] from [AF_INET]PUBLIC.IP.UUU.OOO:1198: DATA len=68
Oct 23 14:09:36 	openvpn 	89691 	TUN READ [86]
Oct 23 14:09:36 	openvpn 	89691 	TUN READ [110]
Oct 23 14:09:35 	openvpn 	89691 	TUN READ [90]
Oct 23 14:09:35 	openvpn 	89691 	TUN READ [42]
Oct 23 14:09:35 	openvpn 	89691 	SENT PING
Oct 23 14:09:35 	openvpn 	89691 	UDPv4 link remote: [AF_UNSPEC]
Oct 23 14:09:35 	openvpn 	89691 	UDPv4 link local (bound): [AF_INET]MY-FIREWALL-IP:1198
Oct 23 14:09:35 	openvpn 	89691 	Socket Buffers: R=[42080->42080] S=[57344->57344]
Oct 23 14:09:35 	openvpn 	89691 	Expected Remote Options String (VER=V4): 'V4,dev-type tap,link-mtu 1592,tun-mtu 1532,proto UDPv4,ifconfig 10.2.28.0 255.255.255.252,cipher AES-256-CBC,auth SHA1,keysize 256,secret'
Oct 23 14:09:35 	openvpn 	89691 	Local Options String (VER=V4): 'V4,dev-type tap,link-mtu 1592,tun-mtu 1532,proto UDPv4,ifconfig 10.2.28.0 255.255.255.252,cipher AES-256-CBC,auth SHA1,keysize 256,secret'
Oct 23 14:09:35 	openvpn 	89691 	Data Channel MTU parms [ L:1592 D:1450 EF:60 EB:401 ET:32 EL:3 ]
Oct 23 14:09:35 	openvpn 	89691 	/usr/local/sbin/ovpn-linkup ovpns1 1500 1592 10.2.28.1 255.255.255.252 init
Oct 23 14:09:35 	openvpn 	89691 	/sbin/ifconfig ovpns1 10.2.28.1 netmask 255.255.255.252 mtu 1500 up
Oct 23 14:09:35 	openvpn 	89691 	do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Oct 23 14:09:35 	openvpn 	89691 	TUN/TAP device /dev/tap1 opened
Oct 23 14:09:35 	openvpn 	89691 	TUN/TAP device ovpns1 exists previously, keep at program end
Oct 23 14:09:35 	openvpn 	89691 	OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.3.0
Oct 23 14:09:35 	openvpn 	89691 	OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Oct 23 14:09:35 	openvpn 	89691 	ROUTE_GATEWAY MY-GATEWAY-IP/255.255.255.0 IFACE=em0 HWADDR=00:22:4d:84:a5:5e
Oct 23 14:09:35 	openvpn 	89691 	MTU DYNAMIC mtu=1450, flags=2, 1592 -> 1450
Oct 23 14:09:35 	openvpn 	89691 	crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 60 bytes
Oct 23 14:09:35 	openvpn 	89691 	Incoming Static Key Encryption: HMAC size=20 block_size=20
Oct 23 14:09:35 	openvpn 	89691 	Incoming Static Key Encryption: HMAC KEY: 539df7a0 161ef4a7 431d9aa7 20420fd7 e66253bf
Oct 23 14:09:35 	openvpn 	89691 	Incoming Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct 23 14:09:35 	openvpn 	89691 	Incoming Static Key Encryption: CIPHER block_size=16 iv_size=16
Oct 23 14:09:35 	openvpn 	89691 	Incoming Static Key Encryption: CIPHER KEY: eda8124f 237b110b 42161185 303089db 64869e74 051cec3d 1ac3b7e2 72caee2c
Oct 23 14:09:35 	openvpn 	89691 	Incoming Static Key Encryption: Cipher 'AES-256-CBC' initialized with 256 bit key
Oct 23 14:09:35 	openvpn 	89691 	Outgoing Static Key Encryption: HMAC size=20 block_size=20
Oct 23 14:09:35 	openvpn 	89691 	Outgoing Static Key Encryption: HMAC KEY: 539df7a0 161ef4a7 431d9aa7 20420fd7 e66253bf
Oct 23 14:09:35 	openvpn 	89691 	Outgoing Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct 23 14:09:35 	openvpn 	89691 	Outgoing Static Key Encryption: CIPHER block_size=16 iv_size=16
Oct 23 14:09:35 	openvpn 	89691 	Outgoing Static Key Encryption: CIPHER KEY: eda8124f 237b110b 42161185 303089db 64869e74 051cec3d 1ac3b7e2 72caee2c
Oct 23 14:09:35 	openvpn 	89691 	Outgoing Static Key Encryption: Cipher 'AES-256-CBC' initialized with 256 bit key

    I have a feeling the tunnels are standing, but not right.

    Okay, one Problem is solved, i can ping the virtual ip on my zeroshell (foo):

    PING 10.2.28.2 (10.2.28.2) from 10.2.28.1: 56 data bytes
64 bytes from 10.2.28.2: icmp_seq=0 ttl=64 time=26.396 ms
64 bytes from 10.2.28.2: icmp_seq=1 ttl=64 time=26.548 ms
64 bytes from 10.2.28.2: icmp_seq=2 ttl=64 time=26.466 ms

--- 10.2.28.2 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 26.396/26.470/26.548/0.062 ms

    This problem was missconfiguration in the vpn settings (PFSense) - i delete the valus and left blank!

    IPv4 Remote Network/s = 192.168.3.0/24

    But now, i must ping the Network behind ZeroShell an the virtual IP 10.2.28.1

    0
  • P

    Hey.

    I don't understand the problem, why he won't go out with the ping over the vpn tunnel.

    My settings for OvpnServer:

    0_1540368233072_2018-10-24_095723.png
    0_1540368267816_2018-10-24_095758.png
    0_1540368275740_2018-10-24_095816.png

    My Firewallrules:
    0_1540368290883_2018-10-24_095837.png

    My Interfaces:
    0_1540368311257_2018-10-24_095911.png

    My Interface setting OPT6:
    0_1540368337438_2018-10-24_095928.png

    My Gateway OPT6:
    0_1540368373009_2018-10-24_095959.png

    My static route:
    0_1540368405969_2018-10-24_100028.png

    I take a traceroute to destination 192.168.3.32 over my local LAN Interface:
    0_1540368589274_2018-10-24_100905.png

    I've only see this:

     1  10.2.28.1  0.240 ms  3.165 ms  0.200 ms
 2  10.2.28.1  3.687 ms  3.664 ms  0.228 ms
 3  10.2.28.1  3.593 ms  3.703 ms  0.244 ms
 4  10.2.28.1  3.639 ms  3.698 ms  0.241 ms
 5  10.2.28.1  3.650 ms  3.765 ms  0.254 ms
 6  10.2.28.1  0.260 ms  0.238 ms  3.648 ms
 7  10.2.28.1  3.676 ms  0.257 ms  3.640 ms
 8  10.2.28.1  3.711 ms  0.270 ms  0.270 ms
 9  10.2.28.1  0.286 ms  0.277 ms  0.286 ms
10  10.2.28.1  0.288 ms  0.248 ms  3.631 ms
11  10.2.28.1  3.826 ms  0.283 ms  3.729 ms
12  10.2.28.1  3.736 ms  0.289 ms  3.544 ms
13  10.2.28.1  3.830 ms  0.314 ms  0.297 ms
14  10.2.28.1  0.309 ms  0.365 ms  0.311 ms
15  10.2.28.1  0.318 ms  0.315 ms  0.316 ms
16  10.2.28.1  0.328 ms  0.323 ms  0.321 ms
17  10.2.28.1  0.319 ms  0.325 ms  0.339 ms
18  10.2.28.1  0.326 ms  0.331 ms  0.333 ms

    But, i can ping the virtual ip 10.2.28.1 (pfsense) to my zeroshell (foo 10.2.28.2) looks like good:

    PING 10.2.28.2 (10.2.28.2) from 10.2.28.1: 56 data bytes
64 bytes from 10.2.28.2: icmp_seq=0 ttl=64 time=26.396 ms
64 bytes from 10.2.28.2: icmp_seq=1 ttl=64 time=26.548 ms
64 bytes from 10.2.28.2: icmp_seq=2 ttl=64 time=26.466 ms

--- 10.2.28.2 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 26.396/26.470/26.548/0.062 ms

    Does anyone have any idea what I missed?

    BR

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy