Netgate Discussion Forum

    [SOLVED] pfsense 2.0 RC3 site to site not working, bug?

    crosmuller:

      Hi,

      I want to set up a site to site connection with two pfsense 2.0 RC3 boxes but it's not working. Both are also openvpn server for road warriors which works fine. I get an error on the client:

      ERROR: FreeBSD route add command failed: external program exited with error status: 1

      connection succeeds but I cannot ping any of the hosts on the other network.

      here's what I am trying to set up:

      server lan = 192.168.4.0/24
      client lan = 192.168.2.0/24

      openvpn network tunnel 192.168.0.18.0/24
      openvpn network road warrior on server 192.168.14.0/24
      openvpn road warrior on client 192.168.12.0/24

      This is the server config (I use port 1193 because I already used 1194 for road warriors):

      Server Mode peer to peer (shared key)
      protocol udp
      device tun
      interface wan
      local port 1193
      encryption algorithm BF-CBC
      Tunnel Network 192.168.18.0/24
      local network 192.168.4.0/24
      remote network 192.168.2.0/24
      lzo compression enabled

      Client config:

      Server Mode peer to peer (shared key)
      protocol udp
      device tun
      interface wan
      Server host or address <ext ip server>
      Server port 1193
      encryption algorithm BF-CBC
      Tunnel Network 192.168.18.0/24
      remote network 192.168.4.0/24
      lzo compression enabled

      server log:

      Jul 20 06:46:05 openvpn[61860]: event_wait : Interrupted system call (code=4)
      Jul 20 06:46:05 openvpn[61860]: /usr/local/sbin/ovpn-linkdown ovpns2 1500 1545 192.168.18.1 192.168.18.2 init
      Jul 20 06:46:05 openvpn[61860]: SIGTERM[hard,] received, process exiting
      Jul 20 06:46:06 openvpn[30187]: OpenVPN 2.2.0 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jun 9 2011
      Jul 20 06:46:06 openvpn[30187]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Jul 20 06:46:06 openvpn[30187]: LZO compression initialized
      Jul 20 06:46:06 openvpn[30187]: TUN/TAP device /dev/tun2 opened
      Jul 20 06:46:06 openvpn[30187]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
      Jul 20 06:46:06 openvpn[30187]: /sbin/ifconfig ovpns2 192.168.18.1 192.168.18.2 mtu 1500 netmask 255.255.255.255 up
      Jul 20 06:46:07 openvpn[30187]: /usr/local/sbin/ovpn-linkup ovpns2 1500 1545 192.168.18.1 192.168.18.2 init
      Jul 20 06:46:07 openvpn[31177]: UDPv4 link local (bound): [AF_INET]10.138.20.66:1193
      Jul 20 06:46:07 openvpn[31177]: UDPv4 link remote: [undef]

      client log

      Jul 20 06:55:40 openvpn[26533]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Jul 20 06:55:40 openvpn[26533]: Re-using pre-shared static key
      Jul 20 06:55:40 openvpn[26533]: LZO compression initialized
      Jul 20 06:55:40 openvpn[26533]: Preserving previous TUN/TAP instance: ovpnc3
      Jul 20 06:55:40 openvpn[26533]: UDPv4 link local (bound): [AF_INET]10.138.20.67
      Jul 20 06:55:40 openvpn[26533]: UDPv4 link remote: [AF_INET]83.163.179.73:1193
      Jul 20 06:55:41 openvpn[26533]: event_wait : Interrupted system call (code=4)
      Jul 20 06:55:41 openvpn[26533]: /usr/local/sbin/ovpn-linkdown ovpnc3 1500 1545 192.168.18.2 192.168.18.1 init
      Jul 20 06:55:41 openvpn[26533]: SIGTERM[hard,] received, process exiting
      Jul 20 06:55:41 openvpn[60448]: OpenVPN 2.2.0 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jun 9 2011
      Jul 20 06:55:41 openvpn[60448]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Jul 20 06:55:42 openvpn[60448]: LZO compression initialized
      Jul 20 06:55:42 openvpn[60448]: TUN/TAP device /dev/tun3 opened
      Jul 20 06:55:42 openvpn[60448]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
      Jul 20 06:55:42 openvpn[60448]: /sbin/ifconfig ovpnc3 192.168.18.2 192.168.18.1 mtu 1500 netmask 255.255.255.255 up
      Jul 20 06:55:42 openvpn[60448]: /usr/local/sbin/ovpn-linkup ovpnc3 1500 1545 192.168.18.2 192.168.18.1 init
      Jul 20 06:55:42 openvpn[60448]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
      Jul 20 06:55:42 openvpn[61557]: UDPv4 link local (bound): [AF_INET]10.138.20.67
      Jul 20 06:55:42 openvpn[61557]: UDPv4 link remote: [AF_INET]<extip>:1193

      routing table server (192.168.14.0/24 is the road warrior network):

      Destination        Gateway            Flags  Refs      Use    Mtu  Netif
      default            10.138.20.65       UGS       0    21325   1500  sis0
      10.138.20.0/24     link#1             U         0    40091   1500  sis0
      10.138.20.66       link#1             UHS       0        0  16384  lo0
      127.0.0.1          link#5             UH        0       47  16384  lo0
      192.168.2.0/24     192.168.18.2       UGS       0       17   1500  ovpns2
      192.168.4.0/24     link#2             U         0   112413   1500  sis1
      192.168.4.8        link#2             UHS       0       17  16384  lo0
      192.168.14.0/24    192.168.14.2       UGS       0     1135   1500  ovpns3
      192.168.14.1       link#10            UHS       0        0  16384  lo0
      192.168.14.2       link#10            UH        0        0   1500  ovpns3
      192.168.18.1       link#9             UHS       0        0  16384  lo0
      192.168.18.2       link#9             UH        0        0   1500  ovpns2

      routing table client:

      Destination        Gateway            Flags  Refs      Use    Mtu  Netif
      default            10.138.20.68       UGS       0    40850   1500  sis0
      10.138.20.0/24     link#1             U         0    31725   1500  sis0
      10.138.20.67       link#1             UHS       0        0  16384  lo0
      127.0.0.1          link#5             UH        0       47  16384  lo0
      192.168.2.0/24     link#2             U         0    63824   1500  sis1
      192.168.2.8        link#2             UHS       0        0  16384  lo0
      192.168.4.0/24     192.168.12.2       UGS       0      489   1500  ovpns1
      192.168.12.0/24    192.168.12.2       UGS       0     1233   1500  ovpns1
      192.168.12.1       link#8             UHS       0        0  16384  lo0
      192.168.12.2       link#8             UH        0        0   1500  ovpns1
      192.168.18.1       link#9             UH        0        0   1500  ovpnc3
      192.168.18.2       link#9             UHS       0        0  16384  lo0

      crosmuller:

        Solved! But I think I found a bug in the pfsense software... ??

        The clue was here:

        routing table client:

        Destination        Gateway            Flags  Refs      Use    Mtu  Netif
        default            10.138.20.68       UGS       0    40850   1500  sis0
        10.138.20.0/24     link#1             U         0    31725   1500  sis0
        10.138.20.67       link#1             UHS       0        0  16384  lo0
        127.0.0.1          link#5             UH        0       47  16384  lo0
        192.168.2.0/24     link#2             U         0    63824   1500  sis1
        192.168.2.8        link#2             UHS       0        0  16384  lo0
        192.168.4.0/24     192.168.12.2       UGS       0      489   1500  ovpns1
        192.168.12.0/24    192.168.12.2       UGS       0     1233   1500  ovpns1
        192.168.12.1       link#8             UHS       0        0  16384  lo0
        192.168.12.2       link#8             UH        0        0   1500  ovpns1
        192.168.18.1       link#9             UH        0        0   1500  ovpnc3
        192.168.18.2       link#9             UHS       0        0  16384  lo0

        Initially I wanted a TLS site to site tunnel and I used this pfsense box as server, I put 192.168.4.0/24 as remote network. Afterwards I deleted it, set up a road warrior network with TLS and configured a shared key tunnel for the site to site connection. 192.168.4.0/24 was removed from the server configuration (at least when I looked at the interface). I wanted to add 192.168.4.0/24 as remote network to the client but it refused to add the route. When I looked at the routing table I noticed that 192.168.4.0 was still connected to the server interface ovpns1! I made a backup of the configuration and there I saw an item <remote_network>192.168.4.0/24</remote_network> in the server config. (Again, in the interface this was nowhere to be seen!)

        I removed <remote_network>192.168.4.0/24</remote_network> from the xml and restored the edited config file and... it works :).

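The failure mode in this thread is a stale <remote_network> entry on one OpenVPN instance (the road-warrior server, ovpns1) that still owns a kernel route for 192.168.4.0/24, so the site-to-site client (ovpnc3) cannot install its own route and OpenVPN reports "FreeBSD route add command failed". The following Python script is an added illustration of the check that surfaces this before touching config.xml by hand; it is not code from the thread or from the pfSense project. It assumes the pfSense 2.0 config.xml layout (openvpn/openvpn-server and openvpn-client elements with vpnid, tunnel_network and remote_network children, and interface names ovpns<vpnid>/ovpnc<vpnid>); the config fragment and the `netstat -rn` lines are constructed to reproduce the poster's situation. It goes slightly beyond the thread by also accepting comma-separated remote networks, which later pfSense versions write.

```python
"""Cross-check pfSense OpenVPN remote_network entries against the kernel
routing table to find the stale route that makes 'route add' fail.

Added example (not from the forum thread or from pfSense). The XML layout
mirrors pfSense 2.0 config.xml as an assumption; all data are constructed.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed config.xml fragment: the stale <remote_network> sits on the
# road-warrior server (vpnid 1 -> ovpns1) although the GUI no longer shows it;
# the shared-key site-to-site client (vpnid 3 -> ovpnc3) wants the same network.
SAMPLE_CONFIG = """<pfsense><openvpn>
  <openvpn-server><vpnid>1</vpnid><mode>server_tls</mode>
    <tunnel_network>192.168.12.0/24</tunnel_network>
    <remote_network>192.168.4.0/24</remote_network></openvpn-server>
  <openvpn-client><vpnid>3</vpnid><mode>p2p_shared_key</mode>
    <tunnel_network>192.168.18.0/24</tunnel_network>
    <remote_network>192.168.4.0/24</remote_network></openvpn-client>
</openvpn></pfsense>"""

# Constructed 'netstat -rn' output in the FreeBSD 8 column layout
SAMPLE_ROUTES = """\
Destination        Gateway            Flags  Refs      Use    Mtu  Netif
default            10.138.20.68       UGS       0    40850   1500  sis0
192.168.2.0/24     link#2             U         0    63824   1500  sis1
192.168.4.0/24     192.168.12.2       UGS       0      489   1500  ovpns1
192.168.12.0/24    192.168.12.2       UGS       0     1233   1500  ovpns1
192.168.18.1       link#9             UH        0        0   1500  ovpnc3
192.168.18.2       link#9             UHS       0        0  16384  lo0
"""


def openvpn_instances(config_xml):
    """Return [(kind, vpnid, iface, [remote networks])] for every OpenVPN instance."""
    root = ET.fromstring(config_xml)
    instances = []
    for tag, prefix in (("openvpn-server", "ovpns"), ("openvpn-client", "ovpnc")):
        for inst in root.iter(tag):
            vpnid = (inst.findtext("vpnid") or "").strip()
            nets = []
            for elem in inst.findall("remote_network"):
                # pfSense 2.0 stores one network; later versions comma-separate several
                for item in (elem.text or "").split(","):
                    if item.strip():
                        nets.append(ipaddress.ip_network(item.strip(), strict=False))
            instances.append((tag, vpnid, prefix + vpnid, nets))
    return instances


def parse_routes(netstat_text):
    """Parse 'netstat -rn' lines into {destination network: interface}.

    Host routes without a prefix length become /32; 'default' and the header
    line are skipped. Netif is taken as the last column."""
    routes = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] in ("Destination", "default"):
            continue
        try:
            dest = ipaddress.ip_network(fields[0], strict=False)
        except ValueError:
            continue  # not a destination we can interpret (e.g. link-level entries)
        routes[dest] = fields[-1]
    return routes


def find_conflicts(config_xml, netstat_text):
    """Networks an instance wants to route that the kernel already sends elsewhere.

    Returns [(network, wanted interface, interface currently holding the route)]."""
    routes = parse_routes(netstat_text)
    conflicts = []
    for _tag, _vpnid, iface, nets in openvpn_instances(config_xml):
        for net in nets:
            existing = routes.get(net)
            if existing is not None and existing != iface:
                conflicts.append((str(net), iface, existing))
    return conflicts


def duplicate_remote_networks(config_xml):
    """Remote networks declared by more than one OpenVPN instance in config.xml,
    which is how the stale entry shows up even before the routes are installed."""
    seen = {}
    for _tag, _vpnid, iface, nets in openvpn_instances(config_xml):
        for net in nets:
            seen.setdefault(str(net), []).append(iface)
    return {net: ifaces for net, ifaces in seen.items() if len(ifaces) > 1}


if __name__ == "__main__":
    for net, wanted, holder in find_conflicts(SAMPLE_CONFIG, SAMPLE_ROUTES):
        print(f"{wanted} cannot add {net}: route already held by {holder}")
    for net, ifaces in duplicate_remote_networks(SAMPLE_CONFIG).items():
        print(f"{net} is declared as remote_network on {', '.join(ifaces)}")
```

On a real box you would feed `parse_routes` the output of `netstat -rn` and `openvpn_instances` the downloaded config.xml backup; a duplicate reported by `duplicate_remote_networks` that the GUI does not display is exactly the situation the poster resolved by editing the XML and restoring it.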
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.