[SOLVED] pfsense 2.0 RC3 site to site not working, bug?



  • Hi,

    I want to set up a site-to-site connection with two pfSense 2.0 RC3 boxes, but it's not working. Both are also OpenVPN servers for road warriors, which works fine. I get an error on the client:

    ERROR: FreeBSD route add command failed: external program exited with error status: 1

    The connection succeeds, but I cannot ping any of the hosts on the other network.

    Here's what I am trying to set up:

    server lan = 192.168.4.0/24
    client lan  192.168.2.0/24

    openvpn network tunnel 192.168.0.18.0/24
    openvpn network road warrior on server 192.168.14.0/24
    openvpn road warrior on client 192.168.12.0/24

    This is the server config (I use port 1193 because I already use 1194 for road warriors):

    Server Mode peer to peer (shared key)
    protocol udp
    device tun
    interface wan
    local port 1193
    encryption algorithm BF-CBC
    Tunnel Network 192.168.18.0/24
    local network 192.168.4.0/24
    remote network 192.168.2.0/24
    lzo compression enabled

    Client config:

    Server Mode peer to peer (shared key)
    protocol udp
    device tun
    interface wan
    Server host or address <ext ip server>
    Server port 1193
    encryption algorithm BF-CBC
    Tunnel Network 192.168.18.0/24
    remote network 192.168.4.0/24
    lzo compression enabled

    server log:

    Jul 20 06:46:05 openvpn[61860]: event_wait : Interrupted system call (code=4)
    Jul 20 06:46:05 openvpn[61860]: /usr/local/sbin/ovpn-linkdown ovpns2 1500 1545 192.168.18.1 192.168.18.2 init
    Jul 20 06:46:05 openvpn[61860]: SIGTERM[hard,] received, process exiting
    Jul 20 06:46:06 openvpn[30187]: OpenVPN 2.2.0 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jun 9 2011
    Jul 20 06:46:06 openvpn[30187]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jul 20 06:46:06 openvpn[30187]: LZO compression initialized
    Jul 20 06:46:06 openvpn[30187]: TUN/TAP device /dev/tun2 opened
    Jul 20 06:46:06 openvpn[30187]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Jul 20 06:46:06 openvpn[30187]: /sbin/ifconfig ovpns2 192.168.18.1 192.168.18.2 mtu 1500 netmask 255.255.255.255 up
    Jul 20 06:46:07 openvpn[30187]: /usr/local/sbin/ovpn-linkup ovpns2 1500 1545 192.168.18.1 192.168.18.2 init
    Jul 20 06:46:07 openvpn[31177]: UDPv4 link local (bound): [AF_INET]10.138.20.66:1193
    Jul 20 06:46:07 openvpn[31177]: UDPv4 link remote: [undef]

    client log

    Jul 20 06:55:40 openvpn[26533]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jul 20 06:55:40 openvpn[26533]: Re-using pre-shared static key
    Jul 20 06:55:40 openvpn[26533]: LZO compression initialized
    Jul 20 06:55:40 openvpn[26533]: Preserving previous TUN/TAP instance: ovpnc3
    Jul 20 06:55:40 openvpn[26533]: UDPv4 link local (bound): [AF_INET]10.138.20.67
    Jul 20 06:55:40 openvpn[26533]: UDPv4 link remote: [AF_INET]83.163.179.73:1193
    Jul 20 06:55:41 openvpn[26533]: event_wait : Interrupted system call (code=4)
    Jul 20 06:55:41 openvpn[26533]: /usr/local/sbin/ovpn-linkdown ovpnc3 1500 1545 192.168.18.2 192.168.18.1 init
    Jul 20 06:55:41 openvpn[26533]: SIGTERM[hard,] received, process exiting
    Jul 20 06:55:41 openvpn[60448]: OpenVPN 2.2.0 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jun 9 2011
    Jul 20 06:55:41 openvpn[60448]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jul 20 06:55:42 openvpn[60448]: LZO compression initialized
    Jul 20 06:55:42 openvpn[60448]: TUN/TAP device /dev/tun3 opened
    Jul 20 06:55:42 openvpn[60448]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Jul 20 06:55:42 openvpn[60448]: /sbin/ifconfig ovpnc3 192.168.18.2 192.168.18.1 mtu 1500 netmask 255.255.255.255 up
    Jul 20 06:55:42 openvpn[60448]: /usr/local/sbin/ovpn-linkup ovpnc3 1500 1545 192.168.18.2 192.168.18.1 init
    Jul 20 06:55:42 openvpn[60448]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
    Jul 20 06:55:42 openvpn[61557]: UDPv4 link local (bound): [AF_INET]10.138.20.67
    Jul 20 06:55:42 openvpn[61557]: UDPv4 link remote: [AF_INET]<extip>:1193

    routing table server (192.168.14.0/24 is the road warrior network):

    default 10.138.20.65 UGS 0 21325 1500 sis0
    10.138.20.0/24 link#1 U 0 40091 1500 sis0
    10.138.20.66 link#1 UHS 0 0 16384 lo0
    127.0.0.1 link#5 UH 0 47 16384 lo0
    192.168.2.0/24 192.168.18.2 UGS 0 17 1500 ovpns2
    192.168.4.0/24 link#2 U 0 112413 1500 sis1
    192.168.4.8 link#2 UHS 0 17 16384 lo0
    192.168.14.0/24 192.168.14.2 UGS 0 1135 1500 ovpns3
    192.168.14.1 link#10 UHS 0 0 16384 lo0
    192.168.14.2 link#10 UH 0 0 1500 ovpns3
    192.168.18.1 link#9 UHS 0 0 16384 lo0
    192.168.18.2 link#9 UH 0 0 1500 ovpns2

    routing table client:

    default 10.138.20.68 UGS 0 40850 1500 sis0
    10.138.20.0/24 link#1 U 0 31725 1500 sis0
    10.138.20.67 link#1 UHS 0 0 16384 lo0
    127.0.0.1 link#5 UH 0 47 16384 lo0
    192.168.2.0/24 link#2 U 0 63824 1500 sis1
    192.168.2.8 link#2 UHS 0 0 16384 lo0
    192.168.4.0/24 192.168.12.2 UGS 0 489 1500 ovpns1
    192.168.12.0/24 192.168.12.2 UGS 0 1233 1500 ovpns1
    192.168.12.1 link#8 UHS 0 0 16384 lo0
    192.168.12.2 link#8 UH 0 0 1500 ovpns1
    192.168.18.1 link#9 UH 0 0 1500 ovpnc3
    192.168.18.2 link#9 UHS 0 0 16384 lo0



  • Solved! But I think I found a bug in the pfSense software... ??

    The clue was here:

    routing table client:

    default    10.138.20.68    UGS    0    40850    1500    sis0    
    10.138.20.0/24    link#1    U    0    31725    1500    sis0    
    10.138.20.67    link#1    UHS    0    0    16384    lo0    
    127.0.0.1    link#5    UH    0    47    16384    lo0    
    192.168.2.0/24    link#2    U    0    63824    1500    sis1    
    192.168.2.8    link#2    UHS    0    0    16384    lo0    
    192.168.4.0/24    192.168.12.2    UGS    0    489    1500    ovpns1  
    192.168.12.0/24    192.168.12.2    UGS    0    1233    1500    ovpns1    
    192.168.12.1    link#8    UHS    0    0    16384    lo0    
    192.168.12.2    link#8    UH    0    0    1500    ovpns1    
    192.168.18.1    link#9    UH    0    0    1500    ovpnc3    
    192.168.18.2    link#9    UHS    0    0    16384    lo0

    Initially I wanted a TLS site-to-site tunnel and I used this pfSense box as server; I put 192.168.4.0/24 as remote network. Afterwards I deleted it, set up a road warrior network with TLS and configured a shared key tunnel for the site-to-site connection. 192.168.4.0/24 was removed from the server configuration (at least when I looked at the interface). I wanted to add 192.168.4.0/24 as remote network to the client, but it refused to add the route. When I looked at the routing table I noticed that 192.168.4.0 was still connected to the server interface ovpns1! I made a backup of the configuration and there I saw an item <remote_network>192.168.4.0/24</remote_network> in the server config. (Again, in the interface this was nowhere to be seen!)

    I removed <remote_network>192.168.4.0/24</remote_network> from the XML and restored the edited config file and... it works :).
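The failure mode in this thread (a stale `<remote_network>` on one OpenVPN instance that the GUI no longer shows, so the kernel route for that prefix already points at `ovpns1` and the new `route add` for `ovpnc3` fails) is easy to catch by cross-checking the config backup against `netstat -rn`. The following audit script is an added example, not part of the original post or of pfSense; it assumes the config.xml layout shown in the post (`<openvpn-server>` / `<openvpn-client>` nodes with `vpnid`, `tunnel_network`, `local_network`, `remote_network`) and the pfSense interface naming `ovpns<vpnid>` / `ovpnc<vpnid>`. Both the XML fragment and the routing-table excerpt are constructed from the values in the thread.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed config.xml fragment (assumed layout, values from the thread):
# the old TLS server (vpnid 1) still carries remote_network 192.168.4.0/24,
# which the GUI no longer shows, and the new shared-key client (vpnid 3)
# wants the same prefix.
CONFIG_XML = """<pfsense>
  <openvpn>
    <openvpn-server>
      <vpnid>1</vpnid>
      <mode>server_tls</mode>
      <tunnel_network>192.168.12.0/24</tunnel_network>
      <local_network>192.168.2.0/24</local_network>
      <remote_network>192.168.4.0/24</remote_network>
    </openvpn-server>
    <openvpn-client>
      <vpnid>3</vpnid>
      <mode>p2p_shared_key</mode>
      <tunnel_network>192.168.18.0/24</tunnel_network>
      <remote_network>192.168.4.0/24</remote_network>
    </openvpn-client>
  </openvpn>
</pfsense>
"""

# Constructed 'netstat -rn' excerpt from the client box in the thread.
ROUTES = """\
192.168.2.0/24    link#2          U     0   63824  1500  sis1
192.168.4.0/24    192.168.12.2    UGS   0     489  1500  ovpns1
192.168.12.0/24   192.168.12.2    UGS   0    1233  1500  ovpns1
192.168.18.1      link#9          UH    0       0  1500  ovpnc3
"""


def parse_openvpn_instances(xml_text):
    """Return [(ifname, kind, {field: [ip_network, ...]})] for every OpenVPN instance.

    ifname follows the pfSense convention (assumed): ovpns<vpnid> / ovpnc<vpnid>.
    """
    root = ET.fromstring(xml_text)
    instances = []
    for node in root.iter():
        if node.tag not in ("openvpn-server", "openvpn-client"):
            continue
        kind = "server" if node.tag == "openvpn-server" else "client"
        ifname = ("ovpns" if kind == "server" else "ovpnc") + node.findtext("vpnid")
        nets = {}
        for field in ("tunnel_network", "local_network", "remote_network"):
            raw = node.findtext(field) or ""
            # pfSense stores multiple networks comma-separated in one element
            nets[field] = [ipaddress.ip_network(n.strip())
                           for n in raw.split(",") if n.strip()]
        instances.append((ifname, kind, nets))
    return instances


def find_conflicts(instances):
    """Prefixes claimed as remote_network by more than one instance.

    Each instance pushes its own 'route add' for the prefix, so the second one
    fails with the 'FreeBSD route add command failed' error seen in the thread.
    """
    claims = {}
    for ifname, _kind, nets in instances:
        for net in nets["remote_network"]:
            claims.setdefault(net, []).append(ifname)
    return {str(net): owners for net, owners in claims.items() if len(owners) > 1}


def parse_routes(text):
    """Map destination -> outgoing interface from 'netstat -rn' style lines."""
    routes = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue
        routes[parts[0]] = parts[-1]
    return routes


def misrouted_networks(instances, routes):
    """remote_network entries whose kernel route leaves via a different interface."""
    out = []
    for ifname, _kind, nets in instances:
        for net in nets["remote_network"]:
            actual = routes.get(str(net))
            if actual and actual != ifname:
                out.append((str(net), ifname, actual))
    return out


def audit(xml_text=CONFIG_XML, route_text=ROUTES):
    instances = parse_openvpn_instances(xml_text)
    return {
        "conflicts": find_conflicts(instances),
        "misrouted": misrouted_networks(instances, parse_routes(route_text)),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(key, value)
```

On a real box, feed it a fresh backup from Diagnostics > Backup/Restore and the output of `netstat -rn`; any prefix reported under `conflicts` has to be removed from all but one instance before the client's route can be installed.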

