IPSec and Virtual IPs

xibalba

Hi,
I have a pfSense in my local datacenter with 4 IPs 3 of which are aliased for 1:1 NAT redirection. I am trying to establish an IPSec tunnel between the router at my house (pfSense) and my pfSense machine at the data center on it's non-aliased IP. When i completed the settings of the IPSec tunnel on the data center machine, i recieve the following output from the filter reload monitor.

There were error(s) loading the rules: no IP address found for 66.11.117.17666.11.117.17766.11.117.17866.11.117.179/tmp/rules.debug:101: could not parse host specification no IP address found for 66.11.117.17666.11.117.17766.11.117.17866.11.117.179 /tmp/rules.debug:102: could not parse host specification no IP address found for 66.11.117.17666.11.117.17766.11.117.17866.11.117.179 /tmp/rules.debug:103: could not parse host specification no IP address found for 66.11.117.17666.11.117.17766.11.117.17866.11.117.179 /tmp/rules.debug:104: could not parse host specification pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [101]: pass out quick on $wan proto udp from 66.11.117.17666.11.117.17766.11.117.17866.11.117.179 to 72.132.236.227 port = 500 keep state label "IPSEC: Reza - House - outbound isakmp"…

This is the following from /tmp/rules.debug on line 101..

VPN Rules

pass out quick on $wan proto udp from 66.11.117.17666.11.117.17766.11.117.17866.11.117.179 to 72.132.236.227 port = 500 keep state label "IPSEC: Reza - House - outbound isakmp"
pass in quick on $wan proto udp from 72.132.236.227 to 66.11.117.17666.11.117.17766.11.117.17866.11.117.179 port = 500 keep state label "IPSEC: Reza - House - inbound isakmp"
pass out quick on $wan proto esp from 66.11.117.17666.11.117.17766.11.117.17866.11.117.179 to 72.132.236.227 keep state label "IPSEC: Reza - House - outbound esp proto"
pass in quick on $wan proto esp from 72.132.236.227 to 66.11.117.17666.11.117.17766.11.117.17866.11.117.179 keep state label "IPSEC: Reza - House - inbound esp proto"

I see it is trying to add the ipsec tunnel for the aliased ips as well, i dont know if this is a bug in my configuration or in the way pfsense handles the virtual ip's of the machine. Any help is greatly appreciated.

i was able to over come this for the time being by modifying the file and reloading pf, i dont know if this will stick across reboots though.

jeroen234

i think the rules has to be this:

VPN Rules

pass out quick on $wan proto udp from {66.11.117.176 66.11.117.177 66.11.117.178 66.11.117.179 } to 72.132.236.227 port = 500 keep state label "IPSEC: Reza - House - outbound isakmp"
pass in quick on $wan proto udp from 72.132.236.227 to { 66.11.117.176 66.11.117.177 66.11.117.178 66.11.117.179 } port = 500 keep state label "IPSEC: Reza - House - inbound isakmp"
pass out quick on $wan proto esp from { 66.11.117.176 66.11.117.177 66.11.117.178 66.11.117.179 } to 72.132.236.227 keep state label "IPSEC: Reza - House - outbound esp proto"
pass in quick on $wan proto esp from 72.132.236.227 to { 66.11.117.176 66.11.117.177 66.11.117.178 66.11.117.179 } keep state label "IPSEC: Reza - House - inbound esp proto"

xibalba

Yeh I modified the rules to only allow the IPSec traffic on the non-aliased IP

pfctl -s all | grep -i esp

pass out quick on vr0 inet proto esp from 66.11.117.176 to 72.132.236.227 keep state label "IPSEC: Reza - House - outbound esp proto"
pass in quick on vr0 inet proto esp from 72.132.236.227 to 66.11.117.176 keep state label "IPSEC: Reza - House - inbound esp proto"

and reloaded the packet filter. Do you know where the pfSense stores the firewall configuration? I dont know if this is going to stick across reboots.

jeroen234

its in /cf/conf/config.xml

the rules and other config things are made on boottime from that file

xibalba

the xml config file looks correct, do you know where the parsing for the firewall exists? I think there might be something wrong with how it handles virtual ip's on the system while parsing the rules.

the vpn tunnel config info for the pfSense box at the data center is below..
<tunnel><interface>wan</interface>
                        <local-subnet><network>lan</network></local-subnet>
                        <remote-subnet>192.168.1.0/24</remote-subnet>
                        <remote-gateway>72.132.236.227</remote-gateway>
                        <p1><mode>aggressive</mode>
                                <myident><fqdn>**</fqdn></myident>
                                <encryption-algorithm>blowfish</encryption-algorithm>
                                <hash-algorithm>sha1</hash-algorithm>
                                <dhgroup>2</dhgroup>
                                <lifetime>28800</lifetime>
                                <pre-shared-key></pre-shared-key>
                                <private-key><cert><peercert><authentication_method>pre_shared_key</authentication_method></peercert></cert></private-key></p1>
                        <p2><protocol>esp</protocol>
                                <encryption-algorithm-option>blowfish</encryption-algorithm-option>
                                <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
                                <pfsgroup>1</pfsgroup>
                                <lifetime>43200</lifetime></p2>
                        <descr>Reza - House</descr></tunnel>

my home pfSense router is below.
<tunnel><interface>wan</interface>
                        <local-subnet><network>lan</network></local-subnet>
                        <remote-subnet>192.168.0.0/24</remote-subnet>
                        <remote-gateway>66.11.117.176</remote-gateway>
                        <p1><mode>aggressive</mode>
                                <myident><fqdn></fqdn></myident>
                                <encryption-algorithm>blowfish</encryption-algorithm>
                                <hash-algorithm>sha1</hash-algorithm>
                                <dhgroup>2</dhgroup>
                                <lifetime>28800</lifetime>
                                <pre-shared-key></pre-shared-key>
                                <private-key><cert><peercert><authentication_method>pre_shared_key</authentication_method></peercert></cert></private-key></p1>
                        <p2><protocol>esp</protocol>
                                <encryption-algorithm-option>blowfish</encryption-algorithm-option>
                                <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
                                <pfsgroup>1</pfsgroup>
                                <lifetime>43200</lifetime></p2>
                        <descr>Colo pfSense</descr></tunnel>

xibalba

I just upgraded to 1.0-RELEASE last night on my machine at the colocation center. It has 3 Virtual IP addresses for 1:1 NAT Forwarding on top of the router's own IP Address. When I try to setup an IPSEC tunnel between my hosue and the machine at the colocation facility i recieve the following error on the filter reload screen

There were error(s) loading the rules: no IP address found for 66.11.117.17666.11.117.17766.11.117.17866.11.117.179/tmp/rules.debug:112: could not parse host specification no IP address found for 66.11.117.17666.11.117.17766.11.117.17866.11.117.179 /tmp/rules.debug:113: could not parse host specification
no IP address found for 66.11.117.17666.11.117.17766.11.117.17866.11.117.179 /tmp/rules.debug:114: could not parse host specification
no IP address found for 66.11.117.17666.11.117.17766.11.117.17866.11.117.179 /tmp/rules.debug:115: could not parse host specification
pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [112]: pass out quick on $wan proto udp from 66.11.117.17666.11.117.17766.11.117.17866.11.117.179 to 72.132.236.227 port = 500 keep state label "IPSEC: Reza house - outbound isakmp"…

/tmp/rules.debug is as follows on line 112

VPN Rules

pass out quick on $wan proto udp from 66.11.117.17666.11.117.17766.11.117.17866.11.117.179 to 72.132.236.227 port = 500 keep state label "IPSEC: Reza house - outbound isakmp"
pass in quick on $wan proto udp from 72.132.236.227 to 66.11.117.17666.11.117.17766.11.117.17866.11.117.179 port = 500 keep state label "IPSEC: Reza house - inbound isakmp"
pass out quick on $wan proto esp from 66.11.117.17666.11.117.17766.11.117.17866.11.117.179 to 72.132.236.227 keep state label "IPSEC: Reza house - outbound esp proto"
pass in quick on $wan proto esp from 72.132.236.227 to 66.11.117.17666.11.117.17766.11.117.17866.11.117.179 keep state label "IPSEC: Reza house - inbound esp proto"

I'm pretty sure now that there is a problem in the way pfSense handles the parsing of virtual ip's when you try to setup IPSEC tunnels. I'm trying to setup an IPSEC tunnel on 66.11.117.176 which is NOT one of the 3 aliased IPs. Thanks ahead of time for any insight.

billm

I've been working in private on this.  Short of it is that the issue stems from adding alias addresses to the interface outside of pfSense.  The aliases should have been setup using CARP or Proxy ARP VIP types.

–Bill

xibalba

Thanks Bill, the problem has been resolved with your advice. I was thinking about this aliased ip situation from the wrong angle. thanks again for the support.