Netgate Discussion Forum

    IPSec VPN to OpenWrt Strongswan Travel Router

    IPsec · 4 Posts · 2 Posters · 1.9k Views
    highc

      I am trying to make my OpenWrt Travel Router connect via VPN to my pfSense. While I can get this going with OpenVPN, performance on the OpenWrt is not really overwhelming, so I'd like to use IPSec instead.

      The ideal target scenario would be for the OpenWrt router to route all traffic from all connected clients to pfSense. However, I'm running into some very basic issues, as the two are not connecting. The error message I'm getting on the pfSense side is

      peer requested EAP, config unacceptable
      

      I'm not sure if this means that I configured the wrong authorization method on OpenWrt, if there is something wrong with how I'm using the certificate created with pfSense, or if it's something else. The OpenWrt side just says "received AUTHENTICATION_FAILED notify error", which means even less to me.

      In case it helps, I have attached more log information and the configuration below.

      pfsense log

      [...]
      Apr 30 18:52:36 	charon 		09[CFG] <5> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
      Apr 30 18:52:36 	charon 		09[CFG] <5> received supported signature hash algorithms: sha256 sha384 sha512 identity
      Apr 30 18:52:36 	charon 		09[CFG] <5> sending supported signature hash algorithms: sha256 sha384 sha512 identity
      Apr 30 18:52:36 	charon 		09[IKE] <5> sending cert request for "C=..., ST=..., L=..., O=..., E=..., CN=pfSenseOpenVPNCA"
      Apr 30 18:52:36 	charon 		09[ENC] <5> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
      Apr 30 18:52:36 	charon 		09[NET] <5> sending packet: from 192.168.1.1[500] to 192.168.1.27[500] (297 bytes)
      Apr 30 18:52:36 	charon 		09[NET] <5> received packet: from 192.168.1.27[4500] to 192.168.1.1[4500] (608 bytes)
      Apr 30 18:52:36 	charon 		09[ENC] <5> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
      Apr 30 18:52:36 	charon 		09[IKE] <5> received cert request for "C=..., ST=..., L=..., O=..., E=..., CN=pfSenseOpenVPNCA"
      Apr 30 18:52:36 	charon 		09[CFG] <5> looking for peer configs matching 192.168.1.1[C=..., ST=..., L=..., O=..., E=..., CN=pfSenseOpenVPNCA]...192.168.1.27[CN=OpenwrtVPN, C=..., ST=..., L=..., O=...]
      Apr 30 18:52:36 	charon 		09[CFG] <5> candidate "bypasslan", match: 1/1/24 (me/other/ike)
      Apr 30 18:52:36 	charon 		09[CFG] <bypasslan|5> selected peer config 'bypasslan'
      Apr 30 18:52:36 	charon 		09[IKE] <bypasslan|5> peer requested EAP, config unacceptable
      Apr 30 18:52:36 	charon 		09[CFG] <bypasslan|5> no alternative config found
      Apr 30 18:52:36 	charon 		09[IKE] <bypasslan|5> processing INTERNAL_IP4_ADDRESS attribute
      Apr 30 18:52:36 	charon 		09[IKE] <bypasslan|5> processing INTERNAL_IP4_DNS attribute
      Apr 30 18:52:36 	charon 		09[IKE] <bypasslan|5> peer supports MOBIKE
      Apr 30 18:52:36 	charon 		09[IKE] <bypasslan|5> got additional MOBIKE peer address: 192.168.168.1
      Apr 30 18:52:36 	charon 		09[IKE] <bypasslan|5> got additional MOBIKE peer address: fd3c:741b:b3ff::1
      Apr 30 18:52:36 	charon 		09[ENC] <bypasslan|5> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
      Apr 30 18:52:36 	charon 		09[NET] <bypasslan|5> sending packet: from 192.168.1.1[4500] to 192.168.1.27[4500] (80 bytes)
      Apr 30 18:52:36 	charon 		09[IKE] <bypasslan|5> IKE_SA bypasslan[5] state change: CONNECTING => DESTROYING 
      

      On the openwrt side, it looks like this:

      Tue Apr 30 16:52:36 2019 daemon.info : 06[CFG]   id '192.168.1.1' not confirmed by certificate, defaulting to 'C=..., ST=..., L=..., O=..., E=..., CN=pfSenseOpenVPNCA'
      Tue Apr 30 16:52:36 2019 daemon.info : 06[CFG] added configuration 'ikev2-eap-tls-asymmetric'
      Tue Apr 30 16:52:36 2019 daemon.info : 08[CFG] received stroke: initiate 'ikev2-eap-tls-asymmetric'
      Tue Apr 30 16:52:36 2019 daemon.info : 08[IKE] initiating IKE_SA ikev2-eap-tls-asymmetric[1] to 192.168.1.1
      Tue Apr 30 16:52:36 2019 authpriv.info : 08[IKE] initiating IKE_SA ikev2-eap-tls-asymmetric[1] to 192.168.1.1
      Tue Apr 30 16:52:36 2019 daemon.info : 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
      Tue Apr 30 16:52:36 2019 daemon.info : 08[NET] sending packet: from 192.168.1.27[500] to 192.168.1.1[500] (1072 bytes)
      Tue Apr 30 16:52:36 2019 daemon.info : 11[NET] received packet: from 192.168.1.1[500] to 192.168.1.27[500] (297 bytes)
      Tue Apr 30 16:52:36 2019 daemon.info : 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
      Tue Apr 30 16:52:36 2019 daemon.info : 11[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
      Tue Apr 30 16:52:36 2019 daemon.info : 11[IKE] received cert request for "C=..., ST=..., L=..., O=..., E=..., CN=pfSenseOpenVPNCA"
      Tue Apr 30 16:52:36 2019 daemon.info : 11[IKE] sending cert request for "C=..., ST=..., L=..., O=..., E=..., CN=pfSenseOpenVPNCA"
      Tue Apr 30 16:52:36 2019 daemon.info : 11[IKE] establishing CHILD_SA ikev2-eap-tls-asymmetric{1}
      Tue Apr 30 16:52:36 2019 authpriv.info : 11[IKE] establishing CHILD_SA ikev2-eap-tls-asymmetric{1}
      Tue Apr 30 16:52:36 2019 daemon.info : 11[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
      Tue Apr 30 16:52:36 2019 daemon.info : 11[NET] sending packet: from 192.168.1.27[4500] to 192.168.1.1[4500] (608 bytes)
      Tue Apr 30 16:52:36 2019 daemon.info : 12[NET] received packet: from 192.168.1.1[4500] to 192.168.1.27[4500] (80 bytes)
      Tue Apr 30 16:52:36 2019 daemon.info : 12[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
      Tue Apr 30 16:52:36 2019 daemon.info : 12[IKE] received AUTHENTICATION_FAILED notify error
      

      I have set up pfSense as follows (attached screenshots: IPSec Tunnels.png, Phase 1-1.png, Phase 1-2.png, Phase 2-1.png, Phase 2-2.png).

      On the OpenWrt side, I am using these configs:

      ipsec.conf:

      conn rw-base
          dpdaction=restart
          dpddelay=30
          dpdtimeout=90
          fragmentation=yes

      conn vip-base
          also=rw-base
          leftsourceip=%config

      conn ikev2-eap-tls-asymmetric
          also=vip-base
          keyexchange=ikev2
          leftcert=/etc/certs.d/openwrt.crt
          leftauth=eap-tls
          rightauth=pubkey
          rightcert=/etc/certs.d/pfsense_ca.crt
          right=192.168.1.1
          rightsubnet=0.0.0.0/0
          auto=start


      ipsec.secrets:

      : RSA /etc/certs.d/openwrt.key
      

      swanctl.conf:

      connections {
          ikev2-eap-tls-asymmetric {
              version = 2
              remote_addrs = 192.168.1.1
              vips = 0.0.0.0, ::
              local-1 {
                  auth = eap-tls
                  certs = /etc/certs.d/openwrt.crt
              }
              remote-1 {
                  certs = /etc/certs.d/pfsense_ca.crt
              }
              children {
                  ikev2-eap-tls-asymmetric {
                      remote_ts = 0.0.0.0/0
                  }
              }
          }
      }

      secrets {
          private-mine {
              file = /etc/certs.d/openwrt.key
          }
      }


      pfSense+ 24.03 on Netgate SG-2100 (replaced SG-2440)
      pfSense 2.6 on Super Micro 5018D-FN4T (retired)

      Konstanti @highc
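What the two logs above actually say, pulled out by a small triage script. This is an added example, not code from the post, from pfSense or from strongSwan. The IKE_AUTH request pfSense parses carries no AUTH payload and an N(EAP_ONLY) notify, which is how a strongSwan initiator asks to authenticate with EAP (the OpenWrt config's leftauth=eap-tls). pfSense then matched only 'bypasslan' with ID scores 1/1; in strongSwan's id_match_t a score of 1 is ID_MATCH_ANY, meaning the config's identity is %any rather than a peer ID that matched what OpenWrt presented, and that config has no EAP round, hence "peer requested EAP, config unacceptable" and the AUTHENTICATION_FAILED notify. The script groups charon lines by IKE_SA and attaches those findings. SAMPLE_LOG holds lines copied from the thread (pfSense columns collapsed to single spaces); the finding labels are the script's own.

```python
"""Triage strongSwan (charon) IKEv2 logs from both ends of a failed tunnel.

Added example; not code from the forum post, from pfSense or from strongSwan.
Handles pfSense lines ("<date> charon NN[SUB] <sa> msg") and OpenWrt syslog
lines ("... daemon.info : NN[SUB] msg"). SAMPLE_LOG holds lines copied from
the thread above; the finding labels are this script's own vocabulary.
"""
import re
from dataclasses import dataclass, field

LINE_RE = re.compile(r"^.*?\b\d{2}\[[A-Z]{3}\]\s+(?:<(?P<tag>[^>]*)>\s+)?(?P<msg>.*)$")
IDS_RE = re.compile(r"looking for peer configs matching [^\s\[]+\[(?P<me>[^\]]*)\]"
                    r"\.\.\.[^\s\[]+\[(?P<other>[^\]]*)\]")
CAND_RE = re.compile(r'candidate "(?P<name>[^"]+)", match: (?P<me>\d+)/(?P<other>\d+)/\d+')
SEL_RE = re.compile(r"selected peer config '(?P<name>[^']+)'")
DH_RE = re.compile(r"DH group (?P<got>\w+)(?: unacceptable, requesting|, it requested) (?P<want>\w+)")

# strongSwan id_match_t scores: 1 = ID_MATCH_ANY (config says %any), 20 = ID_MATCH_PERFECT.
ID_MATCH_ANY = 1


@dataclass
class IkeSa:
    sa_id: str
    local_id: str = ""          # IDr as the responder saw it
    remote_id: str = ""         # IDi the initiator presented
    selected: str = ""          # peer config charon settled on
    candidates: dict = field(default_factory=dict)   # config name -> (me, other) ID scores
    findings: list = field(default_factory=list)


def note(sa, text):
    """Append a finding once, even if the same event is logged twice."""
    if text not in sa.findings:
        sa.findings.append(text)


def triage(log):
    """Group lines by IKE_SA (<N> / <name|N> tag, or 'initiator' for untagged
    OpenWrt lines) and attach a plain-language finding for each failure cause."""
    sas = {}
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m["msg"]
        sa_id = (m["tag"] or "initiator").split("|")[-1]
        sa = sas.setdefault(sa_id, IkeSa(sa_id))
        if (d := DH_RE.search(msg)):
            note(sa, f"dh-mismatch: offered {d['got']}, peer wants {d['want']} "
                     "(INVALID_KE_PAYLOAD retry; fatal only if the initiator cannot offer it)")
        elif (i := IDS_RE.search(msg)):
            sa.local_id, sa.remote_id = i["me"], i["other"]
        elif (c := CAND_RE.search(msg)):
            sa.candidates[c["name"]] = (int(c["me"]), int(c["other"]))
        elif (s := SEL_RE.search(msg)):
            sa.selected = s["name"]
            me, other = sa.candidates.get(s["name"], (0, 0))
            if me <= ID_MATCH_ANY and other <= ID_MATCH_ANY:
                note(sa, f"identity-mismatch: only wildcard config '{s['name']}' matched "
                         f"IDr={sa.local_id!r} IDi={sa.remote_id!r}; no tunnel is configured for these IDs")
        elif "peer requested EAP, config unacceptable" in msg:
            note(sa, f"auth-mismatch: initiator sent no AUTH payload (wants EAP); "
                     f"config '{sa.selected}' has no EAP round")
        elif "cert requests for an unknown ca" in msg:
            note(sa, "unknown-ca: the peer's CERTREQ names a CA this side has not loaded")
        elif "AUTHENTICATION_FAILED" in msg or "N(AUTH_FAILED)" in msg:
            note(sa, "auth-failed: IKE_AUTH rejected")
    return sas


def report(sas):
    """One line per finding, prefixed with the IKE_SA and the peer config it hit."""
    return [f"IKE_SA {sa.sa_id} [{sa.selected or 'no peer config'}] {f}"
            for sa in sas.values() for f in sa.findings]


# Lines copied from the thread (pfSense first, then OpenWrt), whitespace collapsed.
SAMPLE_LOG = """\
May 1 12:33:54 charon 10[IKE] <1> DH group CURVE_25519 unacceptable, requesting MODP_2048
May 1 12:33:54 charon 10[IKE] <1> IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING
May 1 12:33:55 charon 09[CFG] <2> looking for peer configs matching 192.168.1.1[192.168.1.1]...192.168.1.27[CN=OpenwrtVPN, C=..., ST=..., L=..., O=...]
May 1 12:33:55 charon 09[CFG] <2> candidate "bypasslan", match: 1/1/24 (me/other/ike)
May 1 12:33:55 charon 09[CFG] <bypasslan|2> selected peer config 'bypasslan'
May 1 12:33:55 charon 09[IKE] <bypasslan|2> peer requested EAP, config unacceptable
May 1 12:33:55 charon 09[CFG] <bypasslan|2> no alternative config found
May 1 12:33:55 charon 09[ENC] <bypasslan|2> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Wed May  1 10:33:54 2019 daemon.info : 14[IKE] peer didn't accept DH group CURVE_25519, it requested MODP_2048
Wed May  1 10:33:55 2019 daemon.info : 15[IKE] received 1 cert requests for an unknown ca
Wed May  1 10:33:55 2019 daemon.info : 16[IKE] received AUTHENTICATION_FAILED notify error
"""

if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

Paste the charon lines from both ends into SAMPLE_LOG (or read them from a file) and the report tells you which of the four problems you are looking at. The 1/1 score on 'bypasslan' is the one to act on first: until the identities OpenWrt sends (IDr=192.168.1.1, IDi=the certificate DN) equal what the pfSense Phase 1 has as My identifier and Peer identifier, the intended tunnel is never even a candidate, and the EAP-versus-pubkey mismatch only shows up afterwards.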

        @highc said in IPSec VPN to OpenWrt Strongswan Travel Router:

        OpenWrt Travel Router

        Hey

        1. I think you have set up OpenWrt wrongly.
          Here is a link that may help you:
          https://strongswan.org/testresults.html (example 215)

        2. I think you need a site-to-site connection between pfSense and OpenWrt.
          The problem is that your OpenWrt router may not have a fixed IP address; you can create such a connection using DynDNS (I did not try it) or by making changes to the pfSense configuration files (this option works for me).

          highc

          Thanks for trying to help me. I tried to do what you said, i.e. set up a new site-to-site config in pfSense, and changed the OpenWrt configs in line with example 215. I also used local addresses for a start. However, I am still getting the error "peer requested EAP, config unacceptable" in pfSense and "AUTHENTICATION_FAILED" in OpenWrt...

          log from pfsense:

          May 1 12:33:24 	ipsec_starter 	97379 	'con1000' routed
          May 1 12:33:54 	charon 		10[NET] <1> received packet: from 192.168.1.27[500] to 192.168.1.1[500] (548 bytes)
          May 1 12:33:54 	charon 		10[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
          May 1 12:33:54 	charon 		10[CFG] <1> looking for an IKEv2 config for 192.168.1.1...192.168.1.27
          May 1 12:33:54 	charon 		10[CFG] <1> candidate: %any...%any, prio 24
          May 1 12:33:54 	charon 		10[CFG] <1> candidate: 192.168.1.1...192.168.1.27, prio 3100
          May 1 12:33:54 	charon 		10[CFG] <1> found matching ike config: 192.168.1.1...192.168.1.27 with prio 3100
          May 1 12:33:54 	charon 		10[IKE] <1> 192.168.1.27 is initiating an IKE_SA
          May 1 12:33:54 	charon 		10[IKE] <1> IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
          May 1 12:33:54 	charon 		10[CFG] <1> selecting proposal:
          May 1 12:33:54 	charon 		10[CFG] <1> proposal matches
          May 1 12:33:54 	charon 		10[CFG] <1> received proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
          May 1 12:33:54 	charon 		10[CFG] <1> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
          May 1 12:33:54 	charon 		10[CFG] <1> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
          May 1 12:33:54 	charon 		10[CFG] <1> received supported signature hash algorithms: sha256 sha384 sha512 identity
          May 1 12:33:54 	charon 		10[IKE] <1> DH group CURVE_25519 unacceptable, requesting MODP_2048
          May 1 12:33:54 	charon 		10[ENC] <1> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
          May 1 12:33:54 	charon 		10[NET] <1> sending packet: from 192.168.1.1[500] to 192.168.1.27[500] (38 bytes)
          May 1 12:33:54 	charon 		10[IKE] <1> IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING
          May 1 12:33:54 	charon 		10[NET] <2> received packet: from 192.168.1.27[500] to 192.168.1.1[500] (772 bytes)
          May 1 12:33:54 	charon 		10[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
          May 1 12:33:54 	charon 		10[CFG] <2> looking for an IKEv2 config for 192.168.1.1...192.168.1.27
          May 1 12:33:54 	charon 		10[CFG] <2> candidate: %any...%any, prio 24
          May 1 12:33:54 	charon 		10[CFG] <2> candidate: 192.168.1.1...192.168.1.27, prio 3100
          May 1 12:33:54 	charon 		10[CFG] <2> found matching ike config: 192.168.1.1...192.168.1.27 with prio 3100
          May 1 12:33:54 	charon 		10[IKE] <2> 192.168.1.27 is initiating an IKE_SA
          May 1 12:33:54 	charon 		10[IKE] <2> IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
          May 1 12:33:54 	charon 		10[CFG] <2> selecting proposal:
          May 1 12:33:54 	charon 		10[CFG] <2> proposal matches
          May 1 12:33:54 	charon 		10[CFG] <2> received proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/MODP_2048/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/MODP_2048/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192
          May 1 12:33:54 	charon 		10[CFG] <2> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
          May 1 12:33:54 	charon 		10[CFG] <2> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
          May 1 12:33:54 	charon 		10[CFG] <2> received supported signature hash algorithms: sha256 sha384 sha512 identity
          May 1 12:33:54 	charon 		10[CFG] <2> sending supported signature hash algorithms: sha256 sha384 sha512 identity
          May 1 12:33:54 	charon 		10[IKE] <2> sending cert request for "C=..., ST=..., L=..., O=..., E=..., CN=pfSenseOpenVPNCA"
          May 1 12:33:54 	charon 		10[ENC] <2> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
          May 1 12:33:54 	charon 		10[NET] <2> sending packet: from 192.168.1.1[500] to 192.168.1.27[500] (489 bytes)
          May 1 12:33:55 	charon 		09[NET] <2> received packet: from 192.168.1.27[4500] to 192.168.1.1[4500] (416 bytes)
          May 1 12:33:55 	charon 		09[ENC] <2> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
          May 1 12:33:55 	charon 		09[CFG] <2> looking for peer configs matching 192.168.1.1[192.168.1.1]...192.168.1.27[CN=OpenwrtVPN, C=..., ST=..., L=..., O=...]
          May 1 12:33:55 	charon 		09[CFG] <2> candidate "bypasslan", match: 1/1/24 (me/other/ike)
          May 1 12:33:55 	charon 		09[CFG] <bypasslan|2> selected peer config 'bypasslan'
          May 1 12:33:55 	charon 		09[IKE] <bypasslan|2> peer requested EAP, config unacceptable
          May 1 12:33:55 	charon 		09[CFG] <bypasslan|2> no alternative config found
          May 1 12:33:55 	charon 		09[IKE] <bypasslan|2> peer supports MOBIKE
          May 1 12:33:55 	charon 		09[IKE] <bypasslan|2> got additional MOBIKE peer address: 192.168.168.1
          May 1 12:33:55 	charon 		09[IKE] <bypasslan|2> got additional MOBIKE peer address: fd3c:741b:b3ff::1
          May 1 12:33:55 	charon 		09[ENC] <bypasslan|2> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
          May 1 12:33:55 	charon 		09[NET] <bypasslan|2> sending packet: from 192.168.1.1[4500] to 192.168.1.27[4500] (80 bytes)
          May 1 12:33:55 	charon 		09[IKE] <bypasslan|2> IKE_SA bypasslan[2] state change: CONNECTING => DESTROYING 
          

          openwrt.log (timezone not set correctly...):

          Wed May  1 10:33:54 2019 daemon.info : 13[NET] sending packet: from 192.168.1.27[500] to 192.168.1.1[500] (548 bytes)
          Wed May  1 10:33:54 2019 daemon.info : 14[NET] received packet: from 192.168.1.1[500] to 192.168.1.27[500] (38 bytes)
          Wed May  1 10:33:54 2019 daemon.info : 14[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
          Wed May  1 10:33:54 2019 daemon.info : 14[IKE] peer didn't accept DH group CURVE_25519, it requested MODP_2048
          Wed May  1 10:33:54 2019 daemon.info : 14[IKE] initiating IKE_SA home[1] to 192.168.1.1
          Wed May  1 10:33:54 2019 daemon.info : 14[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
          Wed May  1 10:33:54 2019 daemon.info : 14[NET] sending packet: from 192.168.1.27[500] to 192.168.1.1[500] (772 bytes)
          Wed May  1 10:33:54 2019 daemon.info : 15[NET] received packet: from 192.168.1.1[500] to 192.168.1.27[500] (489 bytes)
          Wed May  1 10:33:54 2019 daemon.info : 15[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
          Wed May  1 10:33:54 2019 daemon.info : 15[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
          Wed May  1 10:33:55 2019 daemon.info : 15[IKE] received 1 cert requests for an unknown ca
          Wed May  1 10:33:55 2019 daemon.info : 15[IKE] establishing CHILD_SA home{1}
          Wed May  1 10:33:55 2019 daemon.info : 15[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
          Wed May  1 10:33:55 2019 daemon.info : 15[NET] sending packet: from 192.168.1.27[4500] to 192.168.1.1[4500] (416 bytes)
          Wed May  1 10:33:55 2019 daemon.info : 16[NET] received packet: from 192.168.1.1[4500] to 192.168.1.27[4500] (80 bytes)
          Wed May  1 10:33:55 2019 daemon.info : 16[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
          Wed May  1 10:33:55 2019 daemon.info : 16[IKE] received AUTHENTICATION_FAILED notify error
          
          

          pfSense config (attached screenshots): IPSec Tunnels.png, Phase 1-1.png, Phase 1-2.png, Phase 2.png


            Konstanti @highc

            @highc said in IPSec VPN to OpenWrt Strongswan Travel Router:

            Thanks for trying to help me. I tried to do what you said, i.e. setup a new site-to-site config in pfSense

            Look at the file /var/etc/ipsec/ipsec.conf on the pfSense side.
            It is an example of what the settings on the OpenWrt router should be; they should mirror the settings on pfSense (left/right).

            https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-a-site-to-site-ipsec-vpn.html

            https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/routing-internet-traffic-through-a-site-to-site-ipsec-vpn.html

            For example, my ipsec.conf (CentOS server, site-to-site connection):

            conn es_ru_pfsense_rsa
                keyexchange=ikev2
                authby=pubkey
                fragmentation=yes
                ikelifetime=28800s

                ike=aes256-sha256-modp2048,aes-sha256-modp2048!
                esp=aes256-sha256-modp2048,aes192-sha256-modp2048,aes128-sha256-modp2048,aes128gcm16-sha256-modp2048,aes128gcm64-sha256-modp2048!
                left=XX.XXX.XX.XX
                leftsubnet=0.0.0.0/0
                leftcert=strongswan_rsa.pem
                leftca="C=ES, O=M, CN=e.m.org"
                leftid=@strongswan.m.org
                leftfirewall=yes
                lefthostaccess=no
                right=YY.YY.YY.YYY
                rightid=@pfsense.m.org
                rightsubnet=192.168.55.32/27
                auto=add

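Konstanti's advice is to take the conn that pfSense writes to /var/etc/ipsec/ipsec.conf and mirror it on OpenWrt. The check below, an added example and neither the poster's nor pfSense's nor strongSwan's code, parses ipsec.conf conn stanzas (following also= chains the way the OpenWrt config earlier in the thread does) and reports where an initiator's conn fails to mirror the responder's: authentication methods, identities, subnets and the pinned IKE proposal. All three stanzas are constructed. PFSENSE_SIDE only approximates pfSense's generated conn for a mutual-certificate site-to-site Phase 1 with the proposal the log shows pfSense configured (aes128-sha256-modp2048); the hostnames pfsense.example.net and openwrt.example.net, the certificate paths and the OpenWrt LAN 192.168.168.0/24 (guessed from the MOBIKE address in the log) are placeholders. OPENWRT_BROKEN reproduces the shape of the first OpenWrt config in the thread, OPENWRT_FIXED the mirrored version.

```python
"""Pre-flight mirror check for two strongSwan ipsec.conf 'conn' stanzas.

Added example, not code from the post, from pfSense or from strongSwan.
Parses conn stanzas (following also= chains), then reports where an
initiator's conn fails to mirror the responder's: auth methods, identities,
subnets and the pinned IKE proposal. All stanzas below are constructed;
PFSENSE_SIDE only approximates what pfSense writes to /var/etc/ipsec/ipsec.conf.
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} with 'also=' stanzas merged in."""
    conns, cur = {}, None
    for line in text.splitlines():
        s = line.split("#", 1)[0].strip()
        if s.startswith("conn "):
            cur = conns.setdefault(s[5:].strip(), {})
        elif s.startswith("config "):
            cur = None                       # 'config setup' is not a conn
        elif cur is not None and "=" in s:
            k, v = (p.strip() for p in s.split("=", 1))
            cur[k] = v                       # tolerates 'right = 192.168.1.1'

    def expand(name):
        d = dict(conns.get(name, {}))
        base = d.pop("also", None)
        return {**expand(base), **d} if base else d
    return {n: expand(n) for n in conns}


def auth_of(conn, side):
    """leftauth/rightauth, falling back to authby (strongSwan's default is pubkey)."""
    return conn.get(side + "auth") or conn.get("authby", "pubkey")


def proposals(spec):
    """'aes128-sha256-modp2048,aes256-sha256-modp2048!' -> list of tuples; [] if unpinned."""
    return [tuple(p.split("-")) for p in (spec or "").rstrip("!").split(",") if p]


def mirror_check(init, resp):
    """Findings for an initiator conn checked against the responder's conn."""
    out = []
    # What one side proves about itself must be what the other expects of its peer.
    if auth_of(init, "left") != auth_of(resp, "right"):
        out.append(f"auth: initiator uses {auth_of(init, 'left')}, responder expects {auth_of(resp, 'right')}")
    if auth_of(init, "right") != auth_of(resp, "left"):
        out.append(f"auth: initiator expects {auth_of(init, 'right')}, responder uses {auth_of(resp, 'left')}")
    # Identities and traffic selectors swap left/right across the tunnel.
    for mine, theirs in (("leftid", "rightid"), ("rightid", "leftid"),
                         ("leftsubnet", "rightsubnet"), ("rightsubnet", "leftsubnet")):
        if init.get(mine) != resp.get(theirs):
            out.append(f"{mine}: initiator {init.get(mine)!r} must equal responder {theirs}={resp.get(theirs)!r}")
    # The initiator's KE payload carries the DH group of its *first* proposal.
    pi, pr = proposals(init.get("ike")), proposals(resp.get("ike"))
    if not pi or not pr:
        out.append("ike: pin the same proposal on both sides (the thread's unpinned OpenWrt "
                   "offered CURVE_25519 first and got INVALID_KE_PAYLOAD back)")
    elif not any(p in pr for p in pi):
        out.append(f"ike: no common proposal in {init.get('ike')!r} vs {resp.get('ike')!r}")
    elif pi[0][-1] not in {p[-1] for p in pr}:
        out.append(f"ike: first DH group {pi[0][-1]} unknown to responder; expect an INVALID_KE_PAYLOAD round trip")
    return out


# Constructed approximation of pfSense's generated conn (pfSense writes 'key = value').
PFSENSE_SIDE = """\
conn con1000
    keyexchange = ikev2
    leftauth = pubkey
    rightauth = pubkey
    leftid = pfsense.example.net
    rightid = openwrt.example.net
    leftcert = /var/etc/ipsec/x509/cert-1.crt
    leftsubnet = 0.0.0.0/0
    rightsubnet = 192.168.168.0/24
    ike = aes128-sha256-modp2048!
    esp = aes128-sha256-modp2048!
"""

# Constructed copy of the shape of the thread's first OpenWrt config.
OPENWRT_BROKEN = """\
conn rw-base
    dpdaction=restart
    fragmentation=yes

conn vip-base
    also=rw-base
    leftsourceip=%config

conn ikev2-eap-tls-asymmetric
    also=vip-base
    keyexchange=ikev2
    leftcert=/etc/certs.d/openwrt.crt
    leftauth=eap-tls
    rightauth=pubkey
    rightcert=/etc/certs.d/pfsense_ca.crt
    right = 192.168.1.1
    rightsubnet=0.0.0.0/0
    auto=start
"""

# Constructed mirror of PFSENSE_SIDE as seen from the OpenWrt end.
OPENWRT_FIXED = """\
conn home
    keyexchange=ikev2
    leftauth=pubkey
    rightauth=pubkey
    leftid=openwrt.example.net
    rightid=pfsense.example.net
    leftcert=/etc/certs.d/openwrt.crt
    leftsubnet=192.168.168.0/24
    right=192.168.1.1
    rightsubnet=0.0.0.0/0
    ike=aes128-sha256-modp2048!
    esp=aes128-sha256-modp2048!
    auto=start
"""

if __name__ == "__main__":
    pf = parse_conns(PFSENSE_SIDE)["con1000"]
    for name, text in (("broken", OPENWRT_BROKEN), ("fixed", OPENWRT_FIXED)):
        conn = [c for c in parse_conns(text).values() if c.get("right")][0]
        print(name, mirror_check(conn, pf) or "mirrors pfSense")
```

Two caveats that the check does not cover. rightsubnet=0.0.0.0/0 is what sends all of the travel router's traffic into the tunnel, but pfSense only forwards it after the NAT and firewall steps in the second Netgate link above. And in the original OpenWrt config rightcert points at a CA certificate; strongSwan's rightcert expects the peer's own end-entity certificate, and the CA belongs in rightca (ipsec.conf) or remote.cacerts (swanctl.conf) so that the "unknown ca" line in the second OpenWrt log goes away.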