Site-to-site PKI: one tunnel doesn't work
-
I've been working on this for several days. Any help would be appreciated.
I've got a 1 server, 3 client OpenVPN site-to-site setup. 2 tunnels work great, 1 does not. I have a road warrior setup on the same pfSense box, so the site-to-site has been moved to port 1195. I thought the servers would need different ports. For the two sites that work I have "dynamic sourceport" unchecked. The one that doesn't work gives this error if I leave it unchecked:
openvpn[32494]: TCP/UDP: Socket bind failed on local address [undef]:1194: Address already in use
Not sure why it has port 1194 listed. The client configuration definitely says 1195. I was fooling around with setting up a road warrior OpenVPN server on this box in the past, but that has been deleted. The routes all look normal.
Here are the errors I get from server and client when the client has "dynamic sourceport" checked:
Server:
Aug 12 16:44:32 openvpn[9142]: Initialization Sequence Completed
Aug 12 16:44:32 openvpn[9142]: UDPv4 link remote: [undef]
Aug 12 16:44:32 openvpn[9142]: UDPv4 link local (bound): [undef]:1195
Aug 12 16:44:31 openvpn[9118]: /etc/rc.filter_configure tun1 1500 1542 10.0.0.1 10.0.0.2 init
Aug 12 16:44:31 openvpn[9118]: /sbin/ifconfig tun1 10.0.0.1 10.0.0.2 mtu 1500 netmask 255.255.255.255 up
Aug 12 16:44:31 openvpn[9118]: TUN/TAP device /dev/tun1 opened
Aug 12 16:44:31 openvpn[9118]: gw <ISP gateway>
Aug 12 16:44:31 openvpn[9118]: WARNING: file '/var/etc/openvpn_server1.key' is group or others accessible
Aug 12 16:44:31 openvpn[9118]: OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO] built on Dec 4 2009
Aug 12 16:44:29 openvpn[58754]: SIGTERM[hard,] received, process exiting
Aug 12 16:44:28 openvpn[58754]: /etc/rc.filter_configure tun1 1500 1542 10.0.0.1 10.0.0.2 init
Aug 12 16:44:28 openvpn[58754]: event_wait : Interrupted system call (code=4)
Aug 12 16:38:07 openvpn[58754]: 208.107.xxx.xxx:7315 [Peer Connection Initiated with 208.107.123.63:7315
Aug 12 16:38:06 openvpn[58754]: 208.107.xxx.xxx:7315 LZO compression initialized
Aug 12 16:38:06 openvpn[58754]: 208.107.xxx.xxx:7315 Re-using SSL/TLS context
Aug 12 15:24:04 openvpn[58754]: 208.107.xxx.xxx:59128 [Peer Connection Initiated with 208.107.123.63:59128
Aug 12 15:24:03 openvpn[58754]: 208.107.xxx.xxx:59128 LZO compression initialized
Aug 12 15:24:03 openvpn[58754]: 208.107.xxx.xxx:59128 Re-using SSL/TLS context

Client:
Aug 12 16:45:29 openvpn[54267]: Initialization Sequence Completed
Aug 12 16:45:29 openvpn[54267]: ERROR: FreeBSD route add command failed: shell command exited with error status: 1
Aug 12 16:45:28 openvpn[54267]: /etc/rc.filter_configure tun1 1500 1542 10.0.0.6 10.0.0.5 init
Aug 12 16:45:28 openvpn[54267]: /sbin/ifconfig tun1 10.0.0.6 10.0.0.5 mtu 1500 netmask 255.255.255.255 up
Aug 12 16:45:28 openvpn[54267]: TUN/TAP device /dev/tun1 opened
Aug 12 16:45:28 openvpn[54267]: gw <ISP gateway>
Aug 12 16:45:26 openvpn[54267]: /etc/rc.filter_configure tun1 1500 1542 10.0.0.14 10.0.0.13 init
Aug 12 16:45:26 openvpn[54267]: NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Aug 12 16:45:26 openvpn[54267]: Preserving previous TUN/TAP instance: tun1
Aug 12 16:45:25 openvpn[54267]: [server] Peer Connection Initiated with 24.111.xxx.xxx:1195
Aug 12 16:45:24 openvpn[54267]: UDPv4 link remote: 24.111.xxx.xxx:1195
Aug 12 16:45:24 openvpn[54267]: UDPv4 link local: [undef]
Aug 12 16:45:24 openvpn[54267]: LZO compression initialized
Aug 12 16:45:24 openvpn[54267]: Re-using SSL/TLS context
Aug 12 16:45:24 openvpn[54267]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Aug 12 16:45:24 openvpn[54267]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Aug 12 16:45:22 openvpn[54267]: SIGUSR1[soft,ping-restart] received, process restarting
Aug 12 16:45:22 openvpn[54267]: [server] Inactivity timeout (--ping-restart), restarting
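The log excerpts in the question above carry more than the bind failure: the client reports that no server certificate verification method is enabled (the MITM warning), the server reports a world-readable key file, and the port that fails to bind (1194) is not the port the server instance successfully binds (1195). The following is an added example, written for this page and not code from the original post, pfSense or OpenVPN, that triages lines in that pfSense/OpenVPN syslog shape: it tags each known message with a severity and a short remediation, and separately lists bound versus failed-to-bind ports so a mismatch like the one in the question stands out before any config is touched. The sample lines are constructed to match the post's format (timestamps and PIDs are made up); the rule set and severities are this example's own choices. The `remote-cert-tls server` and `ns-cert-type server` options named in the advice are real OpenVPN options (2.1+ and 2.0.x respectively).

```python
import re
from dataclasses import dataclass

# Constructed sample in the same shape as the pfSense/OpenVPN log lines in the
# post above. Timestamps and PIDs are made up for this example.
SAMPLE_LOG = """\
Aug 12 16:44:31 openvpn[9118]: WARNING: file '/var/etc/openvpn_server1.key' is group or others accessible
Aug 12 16:44:32 openvpn[9142]: UDPv4 link local (bound): [undef]:1195
Aug 12 16:45:24 openvpn[54267]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Aug 12 16:45:29 openvpn[54267]: ERROR: FreeBSD route add command failed: shell command exited with error status: 1
Aug 12 16:45:22 openvpn[54267]: [server] Inactivity timeout (--ping-restart), restarting
Aug 12 16:40:00 openvpn[32494]: TCP/UDP: Socket bind failed on local address [undef]:1194: Address already in use
Aug 12 16:45:29 openvpn[54267]: Initialization Sequence Completed
"""

# "Mon DD HH:MM:SS openvpn[PID]: message" as emitted by syslog on pfSense.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) openvpn\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Rule table (this example's own choices): severity, message pattern, remediation.
RULES = [
    ("high", re.compile(r"No server certificate verification method has been enabled"),
     "client trusts any cert signed by the CA as the server; add a server-cert check "
     "(remote-cert-tls server on 2.1+, ns-cert-type server on 2.0.x)"),
    ("high", re.compile(r"file '[^']+' is group or others accessible"),
     "private key is readable by other users on the box; chmod 600 it"),
    ("medium", re.compile(r"Socket bind failed on local address \S+: Address already in use"),
     "another process already listens on that port; identify it (sockstat -l on FreeBSD) "
     "before changing the config"),
    ("medium", re.compile(r"route add command failed"),
     "a route was not installed; the tunnel is up but traffic for that subnet will not flow"),
    ("low", re.compile(r"Inactivity timeout \(--ping-restart\)"),
     "keepalive replies stopped; check the path between peers before blaming config"),
]
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

BOUND_RE = re.compile(r"link local \(bound\): \S*?:(\d+)$")
BIND_FAIL_RE = re.compile(r"Socket bind failed on local address \S*?:(\d+):")


@dataclass
class Finding:
    severity: str
    ts: str
    pid: int
    message: str
    advice: str


def parse_line(line):
    """Split one syslog line into timestamp, PID and message; None if not OpenVPN."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m.group("ts"), "pid": int(m.group("pid")), "msg": m.group("msg")}


def audit(log_text):
    """Return findings for every line that matches a rule, highest severity first."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        for severity, pattern, advice in RULES:
            if pattern.search(rec["msg"]):
                findings.append(Finding(severity, rec["ts"], rec["pid"], rec["msg"], advice))
                break  # first matching rule wins
    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity])  # stable: log order within a level
    return findings


def ports_seen(log_text):
    """Ports an instance bound successfully vs. ports a bind attempt failed on."""
    bound, failed = set(), set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        m = BOUND_RE.search(rec["msg"])
        if m:
            bound.add(int(m.group(1)))
        m = BIND_FAIL_RE.search(rec["msg"])
        if m:
            failed.add(int(m.group(1)))
    return {"bound": sorted(bound), "bind_failed": sorted(failed)}


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.ts} pid={f.pid}: {f.message}\n         -> {f.advice}")
    print("ports:", ports_seen(SAMPLE_LOG))
```

Feed it the real syslog with `python3 triage.py < /var/log/openvpn.log` style redirection after swapping `SAMPLE_LOG` for `sys.stdin.read()`; the point of `ports_seen` is that when `bind_failed` contains a port absent from `bound`, the collision is with something other than the instance whose config you are staring at.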
-
I got it to work.
It was a hardware issue. I won't be using any NICs with Realtek chips anymore.
I'm using an old Dell server with a pfSense installation (1 GHz processor, 512 RAM); it has an integrated NIC and I added a PCI NIC. I think it was a used D-Link. I came to the conclusion, after reviewing the settings many times, that there was nothing wrong with them. I replaced the D-Link NIC with an old Linksys. The tunnel came up, but then all the LAN computers lost internet and couldn't even ping the pfSense box. After some more troubleshooting I moved the card to a new PCI slot and now everything works (for now).