PfSense to FreeBSD VPN/IPsec



  • I have a FreeBSD gateway/router server installed at one of my clients', a Cisco 28xx at another client's, a Soekris/nanoBSD box at home and am currently trying to set up a Soekris/pfSense box in my studio (I'm a photographer and I'm sending photos to the clients via FTP and Samba servers, and we also use their 3Com NBX100 phone system for direct communications and conferences). Both clients cooperate closely and have a VPN (GRE-based transport) between the FreeBSD box and the Cisco.

    The nanoBSD box I have at home has a VPN/IPsec tunnel to the "Client 1" FreeBSD box. This allows me to upload to Client 1, and to talk to him via intercom. I can access the other client's FTP server and phones from home using the connection the clients have between them. I can reach both clients' networks, and their phones, from home workstations and from the nanoBSD box.

    The pfSense box now allows my studio workstations to reach the FreeBSD server and phones at Client 1 (that was a bit tricky to set up in spdadd, as I was forced to use a completely different policy from the one suggested in the FreeBSD Handbook); but not Client 2. Also I can't ping Client 1 from the box itself (ifconfig on the pfSense box shows no gifs, and I can't figure out how to substitute my customary route add -net 192.168.0 -interface gif0). However I can ping the box from the Client 1 FreeBSD server.

    Sorry for the long post, but maybe it will give you an idea of the problems an inexperienced user can have ;D



  • Are there any log messages in Diagnostics -> System Logs -> IPSEC concerning Client 2?



  • Not that I saw. I will be in the studio in half an hour. BTW if you will need any photos for your project I will do what I can. I like pfSense.



  • Yes, I will take you up on that offer. ;)



  • @sullrich:

    Yes, I will take you up on that offer. ;)

    Deal.

    "Diagnostics: System logs: IPSEC VPN", my version of pfSense is 1.0.1. After an attempt to ping a host at Client 2 (it answers from my home nanoBSD box) from the pfSense box at the studio (from the shell): all packets lost, and no mention of anything but ISAKMP-SA/ESP between the external IP of the studio and the external IP of Client 1. The only warning is "setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument"

    The traceroute output from the pfSense box to the gateway at Client 1 shows attempts to reach the host through the internet cloud. Tracert from a notebook connected to the pfSense box shows normal output, 3 hops.

    IMHO if it were possible to ping the Client 1 host from the box itself all the rest would be easier.

    Edit:

    The highlighted lines look slightly confusing to me. They are not shown in the SAD/SPD web interface.

    setkey -DP

    192.168.200.0/24[any] 192.168.200.1[any] any
            in none
            spid=1 seq=3 pid=3087
            refcnt=1
    192.168.0.1/24[any] 192.168.200.1/24[any] any
            in ipsec
            esp/tunnel/$Client1_ip-$Studio-ip/unique#16386
            spid=4 seq=2 pid=3087
            refcnt=1
    192.168.200.1[any] 192.168.200.0/24[any] any
            out none
            spid=2 seq=1 pid=3087
            refcnt=1
    192.168.200.1/24[any] 192.168.0.1/24[any] any
            out ipsec
            esp/tunnel/$Studio-ip-$Client1_ip/unique#16385
            spid=3 seq=0 pid=3087
            refcnt=1

    Edit 2:

    And here is spdadd on FreeBSD Client 1:

    spdadd 192.168.0.1/24 192.168.200.1/24 any -P out ipsec esp/tunnel/$Client1_ip-$Studio-ip/require;
    spdadd 192.168.200.1/24 192.168.0.1/24 any -P in ipsec esp/tunnel/$Studio-ip-$Client1_ip/require;

    In FreeBSD <-> nanoBSD setup it is:

    spdadd $Client1_ip/24 $Home-ip/24 any -P out ipsec esp/tunnel/$Client1_ip-$Home-ip/require;
    spdadd $Home-ip/24 $Client1_ip/24 any -P in ipsec esp/tunnel/$Home-ip-$Client1_ip/require;

    The setup suggested in the FreeBSD Handbook also uses external IPs only:

    spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P out ipsec esp/tunnel/W.X.Y.Z-A.B.C.D/require;
    spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec esp/tunnel/A.B.C.D-W.X.Y.Z/require;

    This type of thing was not working on pfSense, so looking into the FreeBSD racoon log I saw the policy requested by the pfSense box was using phantom IPs; so I adjusted spdadd on FreeBSD to generate the same policy.

    BTW a wizard that would generate recommended settings for the host connected to the pfSense box would be a great addition for us photographers :)



  • So where are we now, does it work? :)



  • @sullrich:

    So where are we now, does it work? :)

    My problem seems to be that I can't reach 192.168.0.1 directly from the pfSense box. Pings from the box to that address drop. Because of that I can't create a proper route to 192.168.1/24 via 192.168.0.1.

    Maybe I should try to create another VPN that will connect the 192.169.200.1 host to the 192.168.0.1 host to force traffic?



  • You can't route through IPSEC. You need to either sum up all networks by creating a bigger subnet mask or you need parallel tunnels.



  • @hoba:

    You can't route through IPSEC. You need to either sum up all networks by creating a bigger subnet mask or you need parallel tunnels.

    Can you please explain why it works from nanoBSD but not with pfSense? Creating one more GRE tunnel to Client 2 will be very difficult, as their sysadmin is not a nice person to deal with.

    Currently my pfSense tunnel is 192.168.0.1/24 <-> 192.168.200.1/24. Where should I use a larger mask, on the 192.168.0.1 end?

    And why can't I ping 192.168.0.1 from 192.168.200.1, but can ping it from 192.168.200.199?

    Sorry, I know I ask too much :)



  • Guess because it's a gif/ipsec tunnel?

    You can run it with one tunnel like 192.168.200.0/24 <-> 192.168.0.0/16. Ask the admin of the other box to change his tunnel definition this way and change it at your end and you should be fine.



  • @hoba:

    Guess because it's a gif/ipsec tunnel?

    You can run it with one tunnel like 192.168.200.0/24 <-> 192.168.0.0/16. Ask the admin of the other box to change his tunnel definition this way and change it at your end and you should be fine.

    Thank you, after I edited spdadd as per your advice things are starting to look better now (I have not edited the gif on the FreeBSD Client 1 side however). I can reach the Client 2 phone system. Some more work is needed…
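To see why the /24 selector left Client 2 unreachable while hoba's /16 covers it, here is an added example (not from the thread, pfSense or FreeBSD) that parses a setkey -DP dump modelled on the one posted above and checks which flows an "ipsec" policy actually pulls into the tunnel. The external endpoints 203.0.113.1 and 198.51.100.1, the 192.168.1.0/24 network for Client 2, and first-match SPD ordering are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample modelled on the `setkey -DP` dump above; the external
# endpoints are documentation-range placeholders, not the thread's real IPs.
SPD_DUMP = """\
192.168.0.1/24[any] 192.168.200.1/24[any] any
        in ipsec
        esp/tunnel/203.0.113.1-198.51.100.1/unique#16386
        spid=4 seq=2 pid=3087
192.168.200.1/24[any] 192.168.0.1/24[any] any
        out ipsec
        esp/tunnel/198.51.100.1-203.0.113.1/unique#16385
        spid=3 seq=0 pid=3087
"""
HEADER = re.compile(r"^(\S+)\[\S+\] (\S+)\[\S+\] (\S+)$")
POLICY = re.compile(r"^\s+(in|out|fwd) (none|ipsec|discard)$")
TUNNEL = re.compile(r"^\s+esp/tunnel/(\S+)-(\S+)/")

def parse_spd(text):
    """Parse a setkey -DP dump into policy dicts, keeping dump order."""
    entries = []
    for line in text.splitlines():
        if m := HEADER.match(line):
            src, dst, proto = m.groups()
            # strict=False: the kernel prints 192.168.0.1/24 for 192.168.0.0/24
            entries.append({"src": ipaddress.ip_network(src, strict=False),
                            "dst": ipaddress.ip_network(dst, strict=False),
                            "proto": proto, "dir": None, "action": None,
                            "tunnel": None})
        elif (m := POLICY.match(line)) and entries:
            entries[-1]["dir"], entries[-1]["action"] = m.groups()
        elif (m := TUNNEL.match(line)) and entries:
            entries[-1]["tunnel"] = m.groups()
    return entries

def lookup(entries, direction, src_ip, dst_ip):
    """First policy whose selectors cover the flow (simplified SPD order)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if e["dir"] == direction and s in e["src"] and d in e["dst"]:
            return e
    return None  # no policy: the packet just follows the routing table

def tunnel_covers(entries, direction, src_ip, dst_ip):
    """True only if an 'ipsec' policy forces the flow into the ESP tunnel."""
    e = lookup(entries, direction, src_ip, dst_ip)
    return bool(e and e["action"] == "ipsec")
```

With the /24 selectors, tunnel_covers(spd, "out", "192.168.200.10", "192.168.1.50") is False, which is exactly the traceroute-into-the-internet symptom seen above; replacing 192.168.0.1/24 with 192.168.0.0/16 in the dump (on both ends) makes it True.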



  • Awesome.  That's great to hear.

    Now where can we see some of your work? :)



  • @sullrich:

    Awesome.  That's great to hear.

    Now where can we see some of your work? :)

    Photography you mean? Well, I work for private clients, not something to show. If you have anything photography-related in mind, let's take it to e-mail?



  • @J.Borg:

    Photography you mean? Well, I work for private clients, not something to show. If you have anything photography-related in mind, let's take it to e-mail?

    Sure.  sullrich@gmail.com



  • @J.Borg:

    @hoba:

    Guess because it's a gif/ipsec tunnel?

    You can run it with one tunnel like 192.168.200.0/24 <-> 192.168.0.0/16. Ask the admin of the other box to change his tunnel definition this way and change it at your end and you should be fine.

    Thank you, after I edited spdadd as per your advice things are starting to look better now (I have not edited the gif on the FreeBSD Client 1 side however). I can reach the Client 2 phone system. Some more work is needed…

    Dear all,

    I want to make a connection between pfSense and FreeBSD 6.2RC via IPSec.

    But it does not work. Could anyone establish it successfully?

