Strange behavior. IP ending with .2 works, ending with .3 not.



  • Hey guys,

    I'm running an OpenVPN Server on a pfSense for road warriors. And I have a reeaally strange problem since a couple days:

    13:12:34.338995 IP 10.225.226.3 > 10.225.226.1: ICMP echo request, id 14, seq 1, length 32
    13:12:35.332080 IP 10.225.226.3 > 10.225.226.1: ICMP echo request, id 14, seq 2, length 32
    13:12:36.331939 IP 10.225.226.3 > 10.225.226.1: ICMP echo request, id 14, seq 3, length 32
    13:12:51.894961 IP 10.225.226.2 > 10.225.226.1: ICMP echo request, id 2, seq 1214, length 40
    13:12:51.894967 IP 10.225.226.1 > 10.225.226.2: ICMP echo reply, id 2, seq 1214, length 40
    13:12:52.913033 IP 10.225.226.2 > 10.225.226.1: ICMP echo request, id 2, seq 1215, length 40
    13:12:52.913036 IP 10.225.226.1 > 10.225.226.2: ICMP echo reply, id 2, seq 1215, length 40
    13:12:53.913385 IP 10.225.226.2 > 10.225.226.1: ICMP echo request, id 2, seq 1216, length 40
    13:12:53.913389 IP 10.225.226.1 > 10.225.226.2: ICMP echo reply, id 2, seq 1216, length 40
    
    

    When I'm connecting to the VPN as the first client, recieving IP 10.225.226.2, it works flawless. However, when I'm connecting and recieve the IP 10.225.226.3, it stops working. I can't even get a replay from the VPN Gateway (10.225.226.1) or anything.

    This happens on multiple devices, with multiple configs. I even created a second roadwarrior vpn by the wizard, with a different transport network and it still doesnt work for the IP ending with .3.

    I have checked the logs when logging in, it all looks the same, for both IPs, and it shouldn't work ever, if theres a wrong configuration I guess.

    I have firewall rules to pass any on the openvpn Interface and the corresponding road warrior interface.

    I hope someone has an idea :)

    Regards


  • LAYER 8 Rebel Alliance

    Show your OpenVPN settings and Firewall Rules (screenshots).
    Do you maybe share the same cert for all Users in SSL/TLS mode?

    -Rico



  • hey Rico,

    here are the screenshots
    0_1552308094091_ovpn settings.png

    0_1552308080123_client export.png

    0_1552308108466_firewall.png

    0_1552308112537_firewall2.png

    0_1552308117356_firewall3.png

    thank you for your time :)


  • LAYER 8 Rebel Alliance

    Looks OK to me.
    How about the routing table?
    I see you added the OpenVPN RAS as Interface...did you maybe add any strange setting to this interface?

    -Rico



  • Routing tables
    
    Internet:
    Destination        Gateway            Flags     Netif Expire
    default            ......167.145     UGS         ix1
    5.28.101.167     .....167.145     UGHS        ix1
    10.3.103.1         link#11            UHS         lo0
    10.3.103.2         link#11            UH       ovpns2
    10.5.105.1         link#17            UHS         lo0
    10.5.105.2         link#17            UH       ovpns6
    10.6.106.1         link#14            UHS         lo0
    10.6.106.2         link#14            UH     ipsec100
    10.10.0.0/16       link#1             U           ix0
    10.10.10.12        link#1             UHS         lo0
    10.102.202.1       link#13            UHS         lo0
    10.102.202.2       link#13            UH       ovpns1
    10.104.204.1       link#15            UHS         lo0
    10.104.204.2       link#15            UH       ovpns4
    10.225.226.1       link#12            UHS         lo0
    10.225.226.2       link#12            UH       ovpns3
    10.227.228.0/24    10.227.228.2       UGS      ovpns5
    10.227.228.1       link#16            UHS         lo0
    10.227.228.2       link#16            UH       ovpns5
    78.88.188.166      212.36.167.145     UGHS        ix1
    127.0.0.1          link#8             UH          lo0
    192.168.1.0/24     10.6.106.2         UGS    ipsec100
    192.168.155.0/29   10.102.202.2       UGS      ovpns1
    192.168.165.0/29   10.102.202.2       UGS      ovpns1
    192.168.202.0/24   10.102.202.2       UGS      ovpns1
    192.168.203.0/24   10.3.103.2         UGS      ovpns2
    192.168.205.0/24   10.104.204.2       UGS      ovpns4
    192.168.206.0/24   10.5.105.2         UGS      ovpns6
    
    
    traceroute to 10.225.226.3 (10.225.226.3), 64 hops max, 40 byte packets
     1  .....167.145 (.....167.145)  1.333 ms  39.956 ms  0.322 ms
     2 ***
    [2.4.4-RELEASE][root@FW01.corp]/root: traceroute 10.225.226.2
    traceroute to 10.225.226.2 (10.225.226.2), 64 hops max, 40 byte packets
     1  10.225.226.2 (10.225.226.2)  11.706 ms  10.196 ms  9.799 ms
    [2.4.4-RELEASE][root@FW01.corp]/root: traceroute 10.225.226.3
    traceroute: findsaddr: failed to connect to peer for src addr selection.
    
    

    When I add a static route (10.225.226.0/24 via 10.225.226.1) it says "failed to connect to peer for src addr selection." upon tracerouting. Without the static route it simply tries to route that through the ISP Gateway (...167.145), instead of the OpenVPN one

    dev ovpns3
    verb 0
    dev-type tun
    dev-node /dev/tun3
    writepid /var/run/openvpn_server3.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp4
    cipher AES-128-CBC
    auth SHA256
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    local .....167.150
    tls-server
    server 10.225.226.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc/server3
    verify-client-cert none
    username-as-common-name
    plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user Y29ycC5pbm5vdmFtYXh4LmRl false server3 1196
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'vpn.corp.......' 1"
    lport 1196
    management /var/etc/openvpn/server3.sock unix
    push "route 10.10.0.0 255.255.0.0"
    push "dhcp-option DOMAIN corp.......
    push "dhcp-option DNS 10.10.10.2"
    push "dhcp-option DNS 1.1.1.1"
    push "dhcp-option DNS 9.9.9.9"
    ca /var/etc/openvpn/server3.ca
    cert /var/etc/openvpn/server3.cert
    key /var/etc/openvpn/server3.key
    dh /etc/dh-parameters.2048
    tls-auth /var/etc/openvpn/server3.tls-auth 0
    ncp-disable
    comp-lzo adaptive
    persist-remote-ip
    float
    topology subnet
    
    

    Basically it's really just the IP. 10.225.226.2 works without problems. On any device. As soon as a device gets the 10.225.226.3 or higher, it just doesn't work anymore. If the device had .2 before, it worked during that time too, but up until it gets the .3



  • I also noticed, when I create a new server on a different port, with the exact settings (wich worked before all this began to happen), and that new server also has the exact same problem. I created a tunnel network 10.226.227.0/24, and as soon as someone gets the .3 or higher, it doesnt work.


  • LAYER 8 Rebel Alliance

    Any overlapping IPsec networks?

    -Rico



  • No there were not.

    I have deleted everything related to the RoadWarrior Server now and recreated it with another cipher, but same settings/TunnelNetwork/Buffer/Rules. It seems to work now. Could it be that pfSense sometimes doesn't activate rules unless you recreate them? It felt like that, though I dont really know why it didn't work and now works.


Log in to reply