Pfsense 2 Site2Site PKI



  • Hi guys.

    I'm working on my VPNs on pfSense 2. I want to connect 2 pfSense machines running 2.0 RC3, and I want to use the p2p PKI mode. On 1 machine I already created my CA and cert and set up my first server on port 1194 UDP.

    Now, on the other server, what do I have to do?

    1. Send my CA/cert/shared key?
    2. Create a client with these files, not a server?

    I have been reading about it but I still don't get the setup.

    Thanks!!!



  • Well, I tried this:

    1. Create my CA/cert.
    2. Set up pfsense1 as a server, peer-to-peer TLS/SSL, using the CA/cert created in step 1, let it create a shared key automatically, etc.
    These are my settings:

    dev ovpns1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-192-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local Public Address
    tls-server
    server 10.0.19.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    ifconfig 10.0.19.1 10.0.19.2
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    max-clients 2
    push "route 192.168.50.0 255.255.255.0"
    route 192.168.2.0 255.255.255.0
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.1024
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    comp-lzo
    verb 5
    suppress-timestamps
    client-config-dir /var/etc/openvpn/ccd

    Then on the other machine, pfsense2:
    1. Copy the CA/cert/shared key from the server machine.
    2. Set up a client, peer-to-peer.

    This is my setup:

    dev ovpnc1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-192-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local public-address
    tls-client
    client
    lport 0
    management /var/etc/openvpn/client1.sock unix
    remote pfsense1-public-address 1194
    route 192.168.50.0 255.255.255.0
    ca /var/etc/openvpn/client1.ca
    cert /var/etc/openvpn/client1.cert
    key /var/etc/openvpn/client1.key
    tls-auth /var/etc/openvpn/client1.tls-auth 1
    comp-lzo
    verb 5
    suppress-timestamps

    After this, I set up the rules to let both VPN connections pass traffic without issues. The client side can reach any machine behind the server network, but the server network cannot access the network behind the client.

    I added the option:

    push "route 192.168.2.0 255.255.255.0"

    on the client side, with no effect.

    Reading my setup, did I miss something?

    Thanks!!!



  • Now let's see my routes:

    This server cannot reach any client on the other end.

    server side

    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            pUBLIC-ip UGS        0  130063  fxp0
    10.0.19.0          10.0.19.2          UGS        0      90 ovpns1
    10.0.19.1          link#8            UHS        0        3    lo0
    10.0.19.2          link#8            UH          0        3 ovpns1
    localhost          link#4            UH          0      267    lo0
    172.16.0.0        link#3            U          0        0    xl1
    172.16.4.1        link#3            UHS        0        0    lo0
    192.168.2.0        10.0.19.2          UGS        0        4 ovpns1
    192.168.50.0      link#2            U          0    44834    xl0
    gw                link#2            UHS        0      24    lo0
    pUBLIC-ip      link#1            U          0    87611  fxp0
    pUBLIC-ip.X link#1            UHS        0        0    lo0
    dns1X.X.c 00:03:47:06:cd:5a  UHS        0      308  fxp0
    dns2X.X.c 00:03:47:06:cd:5a  UHS        0      242  fxp0

    client routes

    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            PublicIP.ded. UGS        0  136910 pppoe1
    10.0.1.1          link#10            UHS        0        0    lo0 =>
    10.0.1.1/32        link#10            U          0        0 ath0_w
    10.0.19.1/32      10.0.19.5          UGS        0        0 ovpnc1
    10.0.19.5          link#11            UH          0        2 ovpnc1
    10.0.19.6          link#11            UHS        0        2    lo0
    localhost          link#6            UH          0      291    lo0
    192.168.2.0        link#1            U          0    58886    vr0
    gw                link#1            UHS        0        0    lo0
    192.168.50.0      10.0.19.5          UGS        0      56 ovpnc1
    PublicIP.ded. link#9            UH          0    64902 pppoe1
    PublicIPdsl link#9            UHS        0        0    lo0

    This client can reach any client behind the server.

    My goal is that both sides' networks can see what is behind each pfSense box. I will continue, thanks!!!



  • Periko -

    As far as the certificates go, the only certificate you need to copy over from the pfSense server side to the pfSense client side is the CA certificate, plus the TLS key. To avoid confusion and minimize errors when creating the tunnel, I find it best to create the certificates on the node itself.

    Since this is a 1-site-to-1-site connection and the network on each side is one /24 network, make it simple by filling in the "Remote Network" field on each side instead of using the "route x.x.x.x y.y.y.y" or "push "route x.x.x.x y.y.y.y"" commands. The only time you need to use the route and push commands (in my opinion) is if you have more than one subnet on a side and they are not contiguous; then you would leave the "Remote Network" field blank.

    I will assume that your firewall is set up to allow traffic between 192.168.50.0/24 and 192.168.2.0/24 to go through.



  • I have checked my firewall and there is no block on my connection.

    It looks like I understand the CA/cert creation. Now, about "Remote Network", you can see that my settings have:

    server side

    push "route 192.168.50.0 255.255.255.0"

    client side

    route 192.168.50.0 255.255.255.0

    I didn't add any setting by hand.

    The funny thing is that my clients behind my server network can ping the other end's pfSense box by its virtual IP, but not the clients behind it :o

    Reading the OpenVPN docs about this issue, they say to enable IP forwarding, which is on by default, and then the ccd dir: my client cert name is client1, so I created a file with that name and added the command:

    iroute 192.168.2.0 255.255.255.0

    which is my client network.

    I used tcpdump on my client-side pfSense box:

    tcpdump -i ovpnc1

    Pinging from a client behind the server gives no output.

    Now, at the same time, I used the same command but on my ovpns interface:

    tcpdump -i ovpns1
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on ovpns1, link-type NULL (BSD loopback), capture size 96 bytes
    19:19:11.472540 IP fam-winbox. – . --.org > 192.168.2.11: ICMP echo request, id 768, seq 19200, length 40
    19:19:16.615626 IP fam-winbox.--. --.org > 192.168.2.11: ICMP echo request, id 768, seq 19456, length 40

    My server side works but is not passing the packets across to the other network. Any tip will be appreciated, thanks!!!
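    The server-side half of this problem is the pairing the post above and the "Remote Network" advice both touch on: the kernel route to 192.168.2.0/24 and a ccd file with an iroute for the client that owns it. The check below is an added example (not pfSense or OpenVPN code) that reads a server config and a ccd directory and reports where the pairing is broken; the config text is constructed here to mirror the thread's server config, including its two client-config-dir lines.

```python
import re

# Constructed sample mirroring the thread's server config, trimmed to the
# directives that decide whether the server can reach the LAN behind client1.
SERVER_CONF = """\
tls-server
server 10.0.19.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
push "route 192.168.50.0 255.255.255.0"
route 192.168.2.0 255.255.255.0
client-config-dir /var/etc/openvpn/ccd
"""

# Constructed ccd directory as {file name: contents}; the file name must
# equal the client certificate's common name (client1 in the thread).
CCD_FILES = {"client1": "iroute 192.168.2.0 255.255.255.0\n"}

def directive(conf, name):
    """Arguments of every line in `conf` that starts with directive `name`."""
    pat = re.compile(r"^\s*%s\s+(.*?)\s*$" % re.escape(name), re.M)
    return pat.findall(conf)

def check_site_to_site(server_conf, ccd_files):
    """Return findings about route/iroute pairing; [] means consistent."""
    findings = []
    ccd_dirs = directive(server_conf, "client-config-dir")
    if not ccd_dirs:
        findings.append("no client-config-dir: iroute files are never read")
    elif len(ccd_dirs) > 1:
        findings.append("client-config-dir given %d times (%s): only one "
                        "directory is read, so the iroute file may be in "
                        "the wrong place" % (len(ccd_dirs), ", ".join(ccd_dirs)))
    routes = set(directive(server_conf, "route"))
    iroutes = {}  # network -> list of client names claiming it
    for cn, body in ccd_files.items():
        for net in directive(body, "iroute"):
            iroutes.setdefault(net, []).append(cn)
    # Both halves are needed: the kernel route sends the packet into the tun
    # device, the iroute tells OpenVPN which client session owns that LAN.
    for net in sorted(routes - set(iroutes)):
        findings.append("route %s has no iroute in any ccd file: OpenVPN "
                        "cannot map it to a client and drops the packet" % net)
    for net, cns in sorted(iroutes.items()):
        if net not in routes:
            findings.append("iroute %s in ccd/%s has no matching route: the "
                            "kernel never sends it to the tunnel" % (net, ",".join(cns)))
    return findings
```

    On the thread's own config the only finding is the duplicated client-config-dir, which is exactly where an iroute file saved in the wrong directory would go unnoticed.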



  • Periko, I was just looking at your previous post/configuration. How come you have the tunnel network IP on the client side? Your server side showed "ifconfig 10.0.19.1 10.0.19.2" but you don't have one on the client side. On your client side you should have an IP address of 10.0.19.2, but you don't, judging from your route table on the client side. You should have a similar "ifconfig" statement on the client side with the IP addresses in reverse order.



  • Network layout.

    192.168.50.0/24 <---> pfsense-server <--------------------------> pfsense-client <---> 192.168.2.0/24
                                                   10.0.19.0/24
    net-1 = 192.168.50.0/24
    net-2 = 192.168.2.0/24

    I will give you my GUI settings, please see my attached files; the issue continues.

    pfsense-server ovpns1:

    ovpns1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
           options=80000<LINKSTATE>
           inet6 fe80::203:47ff:fe06:cd5a%ovpns1 prefixlen 64 scopeid 0x8
           inet 10.0.19.1 --> 10.0.19.2 netmask 0xffffffff
           nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
           Opened by PID 8278

    pfsense-client ovpnc1:

    ovpnc1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
           options=80000<LINKSTATE>
           inet6 fe80::20d:b9ff:fe1b:b4f0%ovpnc1 prefixlen 64 scopeid 0xb
           inet 10.0.19.6 --> 10.0.19.5 netmask 0xffffffff
           nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
           Opened by PID 58043

    The third image shows an error that always appears on my client-side box when it starts a connection to my pfsense-server.

    The routes look good.

    pfsense-server:

    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            public-ip UGS         0     8288   fxp0
    10.0.19.0          10.0.19.2          UGS         0       13 ovpns1
    10.0.19.1          link#8             UHS         0        1    lo0
    10.0.19.2          link#8             UH          0        0 ovpns1
    localhost          link#4             UH          0      132    lo0
    172.16.0.0         link#3             U           0        0    xl1
    172.16.4.1         link#3             UHS         0        0    lo0
    public-ip       link#1             U           0    45591   fxp0
    public-ip.cab link#1             UHS         0        0    lo0
    192.168.2.0        10.0.19.2          UGS         0       18 ovpns1
    192.168.50.0       link#2             U           0    10077    xl0
    gw                 link#2             UHS         0        0    lo0
    public-ip 00:03:47:06:cd:5a  UHS         0      112   fxp0
    public-ip.c 00:03:47:06:cd:5a  UHS         0      159   fxp0

    pfsense-client:

    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            public-ip. UGS         0   122541 pppoe1
    10.0.19.1/32       10.0.19.5          UGS         0        4 ovpnc1
    10.0.19.5          link#11            UH          0        0 ovpnc1
    10.0.19.6          link#11            UHS         0        0    lo0
    localhost          link#6             UH          0      132    lo0
    link#9             UHS         0        0    lo0
    192.168.2.0        link#1             U           0    30537    vr0
    gw                 link#1             UHS         0        0    lo0
    192.168.50.0       10.0.19.5          UGS         0        0 ovpnc1
    public-ip. link#9             UH          0   205731 pppoe1

    My firewalls are open.

    Current state:

    The pfsense-client box can reach the pfsense-server box and any machine in net-1. Ping net-2 --> 192.168.50.x: good.
    pfsense-server/net-1 can only reach the pfsense-client box using its virtual IP 10.0.19.6. Ping net-1 --> 192.168.2.x: doesn't work.

    When pfsense-client makes the connection, my pfsense-server OpenVPN logs don't show any errors.

    So I'm still here troubleshooting this; anything about it will be appreciated!!!

    NOTE: In the pictures I removed the shared key to save some size in my files.

    pfsense-server: 2.0-RC3 (i386) built on Fri Aug 5 12:14:15 EDT 2011
    pfsense-client: 2.0-RC3 (i386) built on Tue Jun 21 18:21:10 EDT 2011

    I will update my embedded box as soon as I increase the size of the image.



  • Good link.  Glad to hear it's working for you now.



  • During the day I will review the config, because I still don't know what it needs to build a custom config for the client on the server side. I think that is the tricky part; maybe someone with more experience in this field could clarify it for me.

    thanks probie  ;D.


Locked