PfSense 2.0 RC3 amd64 OpenVPN issue after upgrade with pfSense 1.2.3 x86 site



  • Hello All,

    I have a pfSense 2.0 router running the snapshot from 8/8/2011.  I imported my configuration backup from 1.2.3 into 2.0.  Everything is working except my Site to Site OpenVPN.

    According to the logs on the server (the pfSense 2.0 site), the OpenVPN link is established, but I am unable to ping the remote client network (the pfSense 1.2.3 site) from the 2.0 site.  If I boot the server site back into version 1.2.3, I can ping the remote client network, and the tunnel works as it should.

    Here are the OpenVPN log messages from the 2.0 server:

    Aug 10 15:55:40 	openvpn[33328]: ss.ss.ss.ss/cc.cc.cc.cc:57228 send_push_reply(): safe_cap=960
    Aug 10 15:55:38 	openvpn[33328]: ss.ss.ss.ss/cc.cc.cc.cc:57228 MULTI_sva: pool returned IPv4=10.0.19.6, IPv6=8846:201:800:0:2200::
    Aug 10 15:55:38 	openvpn[33328]: cc.cc.cc.cc:57228 [ss.ss.ss.ss] Peer Connection Initiated with [AF_INET]cc.cc.cc.cc:57228
    Aug 10 15:55:37 	openvpn[33328]: TCPv4_SERVER link remote: [AF_INET]cc.cc.cc.cc:57228
    Aug 10 15:55:37 	openvpn[33328]: TCPv4_SERVER link local: [undef]
    Aug 10 15:55:37 	openvpn[33328]: TCP connection established with [AF_INET]cc.cc.cc.cc:57228
    Aug 10 15:55:37 	openvpn[33328]: LZO compression initialized
    Aug 10 15:55:37 	openvpn[33328]: Re-using SSL/TLS context
    Aug 10 15:55:18 	openvpn[33328]: Initialization Sequence Completed
    Aug 10 15:55:18 	openvpn[33328]: TCPv4_SERVER link remote: [undef]
    Aug 10 15:55:18 	openvpn[33328]: TCPv4_SERVER link local (bound): [AF_INET]ss.ss.ss.ss:1294
    Aug 10 15:55:18 	openvpn[33328]: Listening for incoming TCP connection on [AF_INET]ss.ss.ss.ss:1294
    Aug 10 15:55:18 	openvpn[31751]: /usr/local/sbin/ovpn-linkup ovpns4 1500 1544 10.0.19.1 10.0.19.2 init
    Aug 10 15:55:18 	openvpn[31751]: /sbin/ifconfig ovpns4 10.0.19.1 10.0.19.2 mtu 1500 netmask 255.255.255.255 up
    Aug 10 15:55:18 	openvpn[31751]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Aug 10 15:55:18 	openvpn[31751]: TUN/TAP device /dev/tun4 opened
    Aug 10 15:55:18 	openvpn[31751]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Aug 10 15:55:18 	openvpn[31751]: WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
    Aug 10 15:55:18 	openvpn[31751]: OpenVPN 2.2.0 amd64-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 8 2011

    Here is the log info from the 1.2.3 client during the same session:

    Aug 10 15:55:43 	openvpn[214]: Initialization Sequence Completed
    Aug 10 15:55:42 	openvpn[214]: /etc/rc.filter_configure tun0 1500 1544 10.0.19.6 10.0.19.5 init
    Aug 10 15:55:42 	openvpn[214]: /sbin/ifconfig tun0 10.0.19.6 10.0.19.5 mtu 1500 netmask 255.255.255.255 up
    Aug 10 15:55:42 	openvpn[214]: TUN/TAP device /dev/tun0 opened
    Aug 10 15:55:42 	openvpn[214]: gw cc.cc.cc.1
    Aug 10 15:55:40 	openvpn[214]: /etc/rc.filter_configure tun0 1500 1544 10.0.19.2 10.0.19.1 init
    Aug 10 15:55:40 	openvpn[214]: NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
    Aug 10 15:55:40 	openvpn[214]: Preserving previous TUN/TAP instance: tun0
    Aug 10 15:55:40 	openvpn[214]: Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:4: topology (2.0.6)
    Aug 10 15:55:39 	openvpn[214]: [xpc-router.the-borg.com] Peer Connection Initiated with ss.ss.ss.ss:1294
    Aug 10 15:55:37 	openvpn[214]: TCPv4_CLIENT link remote: ss.ss.ss.ss:1294
    Aug 10 15:55:37 	openvpn[214]: TCPv4_CLIENT link local: [undef]
    Aug 10 15:55:37 	openvpn[214]: TCP/UDP: Dynamic remote address changed during TCP connection establishment
    Aug 10 15:55:37 	openvpn[214]: TCP connection established with ss.ss.ss.ss:1294

    I haven't changed anything in the server config since the upgrade.  Is there a setting that needs to be changed to make the 2.0 server work with the 1.2.3 client that isn't handled by the restore process?

    Thanks,

    Scott


  • Rebel Alliance Developer Netgate

    If that is a site-to-site SSL/TLS tunnel, with only one client, make sure you are using a /30 subnet for the tunnel network on both sides.
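    The reply above points at the tunnel network size. The script below is an added illustration, not code from the thread or from pfSense: it reads OpenVPN log lines like the ones posted and reports the three symptoms visible there, namely the server drawing an address from a pool when the tunnel network is not a /30, the OpenVPN 2.0.6 client ignoring the pushed `topology` option it does not understand, and the two ends disagreeing on their point-to-point addresses (the server configures 10.0.19.1 with peer 10.0.19.2, while the client ends up as 10.0.19.6 with peer 10.0.19.5). The sample lines are constructed from the excerpts above, reordered oldest first, with the poster's address placeholders kept; the "after" lines for a /30 tunnel network are assumed, on the basis of the reply, and are not taken from the thread.

    ```python
    import ipaddress
    import re

    # Constructed sample lines modelled on the thread's log excerpts (oldest first).
    # Public addresses are left as the placeholders the poster used.
    SERVER_LOG = [
        "openvpn[31751]: /sbin/ifconfig ovpns4 10.0.19.1 10.0.19.2 mtu 1500 netmask 255.255.255.255 up",
        "openvpn[33328]: MULTI_sva: pool returned IPv4=10.0.19.6, IPv6=8846:201:800:0:2200::",
        "openvpn[33328]: send_push_reply(): safe_cap=960",
    ]
    CLIENT_LOG = [
        "openvpn[214]: Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:4: topology (2.0.6)",
        "openvpn[214]: /etc/rc.filter_configure tun0 1500 1544 10.0.19.2 10.0.19.1 init",
        "openvpn[214]: /sbin/ifconfig tun0 10.0.19.6 10.0.19.5 mtu 1500 netmask 255.255.255.255 up",
        "openvpn[214]: Initialization Sequence Completed",
    ]

    # Assumed "after" state with a /30 tunnel network: the server runs point-to-point,
    # hands out no pool address, and both ends mirror each other's addresses.
    P2P_SERVER_LOG = [
        "openvpn[31751]: /sbin/ifconfig ovpns4 10.0.19.1 10.0.19.2 mtu 1500 netmask 255.255.255.255 up",
        "openvpn[31751]: Initialization Sequence Completed",
    ]
    P2P_CLIENT_LOG = [
        "openvpn[214]: /sbin/ifconfig tun0 10.0.19.2 10.0.19.1 mtu 1500 netmask 255.255.255.255 up",
        "openvpn[214]: Initialization Sequence Completed",
    ]

    IFCONFIG_RE = re.compile(r"/sbin/ifconfig (?P<dev>\S+) (?P<local>[\d.]+) (?P<remote>[\d.]+) mtu")
    POOL_RE = re.compile(r"pool returned IPv4=(?P<addr>[\d.]+)")
    PUSH_ERR_RE = re.compile(r"Options error: .*\[PUSH-OPTIONS\]:\d+: (?P<opt>\w+) \((?P<ver>[\d.]+)\)")


    def tunnel_endpoints(lines):
        """Return (local, remote) from the last ifconfig line, or None if the tun device was never configured."""
        pair = None
        for line in lines:
            m = IFCONFIG_RE.search(line)
            if m:
                pair = (m["local"], m["remote"])
        return pair


    def diagnose(server_lines, client_lines, tunnel_network):
        """Explain why a site-to-site tunnel reports 'Initialization Sequence Completed' yet carries no traffic."""
        findings = []
        net = ipaddress.ip_network(tunnel_network, strict=False)

        # 1. Pool assignment: with a single peer, a /30 tunnel network runs point-to-point and needs
        #    no pool (assumption drawn from the developer's reply, not from OpenVPN documentation).
        pooled = []
        for line in server_lines:
            m = POOL_RE.search(line)
            if m:
                pooled.append(m["addr"])
        if pooled and net.prefixlen != 30:
            findings.append(
                f"server assigned pool address {pooled[-1]} from {net}; "
                "a /30 tunnel network runs point-to-point and hands out no pool address"
            )

        # 2. Pushed option the older client cannot parse: logged as an error but otherwise ignored,
        #    so the client silently runs with a different idea of the tunnel layout.
        for line in client_lines:
            m = PUSH_ERR_RE.search(line)
            if m:
                findings.append(
                    f"client (OpenVPN {m['ver']}) does not understand pushed option '{m['opt']}' and ignored it"
                )

        # 3. Endpoint agreement: each side's remote address must be the other side's local address.
        srv = tunnel_endpoints(server_lines)
        cli = tunnel_endpoints(client_lines)
        if srv and cli and (cli[1] != srv[0] or srv[1] != cli[0]):
            findings.append(
                f"endpoint mismatch: server is {srv[0]}->{srv[1]} but client is {cli[0]}->{cli[1]}; "
                "the tunnel is up but neither side routes to the address the other actually uses"
            )
        return findings


    if __name__ == "__main__":
        print("tunnel network 10.0.19.0/24 (as in the thread):")
        for f in diagnose(SERVER_LOG, CLIENT_LOG, "10.0.19.0/24"):
            print(" -", f)
        print("tunnel network 10.0.19.0/30 (assumed after the fix):")
        print(" -", diagnose(P2P_SERVER_LOG, P2P_CLIENT_LOG, "10.0.19.0/30") or "no findings")
    ```

    Run against the thread's lines the script reports all three findings; against the assumed /30 logs it reports none, which is the state to expect once both sides use a /30 tunnel network as the reply suggests.
    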

