Another newbie needing site-to-site help



  • So I've tried following the directions in the how-to listed in the stickies, and was able to get client-to-pfSense OpenVPN connections working fine. I'm having some trouble getting a site-to-site connection going, though.

    According to the logs, it is connected, but I cannot access any of the machines, on either side, from either location, once it's 'connected'.

    The server side is set up as follows:

    Server listening on TCP port 1193
    dynamic IPs are enabled
    address pool is 192.168.10.0/24 (not used by either side)
    remote network is 192.168.251.0/24

    Client side is set up as follows:

    protocol is TCP
    server address is ourdomain.com
    port is 1193
    interface IP is 192.168.251.0/24 – as suggested by the how-to, used the local network at that site
    remote network is 192.168.252.0/24

    Here's the entries from the log when this connects:

    Server Log :
    Sep 20 16:29:00 openvpn[7167]: TCP connection established with xxx.xxx.xxx.xxx:58096
    Sep 20 16:29:00 openvpn[7167]: TCPv4_SERVER link local (bound): [undef]:1193
    Sep 20 16:29:00 openvpn[7167]: TCPv4_SERVER link remote: xxx.xxx.xxx.xxx:58096
    Sep 20 16:29:00 openvpn[7167]: Peer Connection Initiated with xxx.xxx.xxx.xxx:58096
    Sep 20 16:29:01 openvpn[7167]: Initialization Sequence Completed
    Sep 20 16:29:10 openvpn[7167]: WARNING: 'ifconfig' is used inconsistently, local='ifconfig 192.168.10.1 192.168.10.2', remote='ifconfig 192.168.251.1 192.168.251.2'

    Client log :
    Sep 20 16:29:00 openvpn[61329]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Sep 20 16:29:00 openvpn[61329]: Re-using pre-shared static key
    Sep 20 16:29:00 openvpn[61329]: Preserving previous TUN/TAP instance: tun1
    Sep 20 16:29:00 openvpn[61329]: Attempting to establish TCP connection with xxx.xxx.xxx.xxx:1193
    Sep 20 16:29:00 openvpn[61329]: TCP connection established with xxx.xxx.xxx.xxx:1193
    Sep 20 16:29:00 openvpn[61329]: TCPv4_CLIENT link local: [undef]
    Sep 20 16:29:00 openvpn[61329]: TCPv4_CLIENT link remote: xxx.xxx.xxx.xxx:1193
    Sep 20 16:29:00 openvpn[61329]: Peer Connection Initiated with xxx.xxx.xxx.xxx:1193
    Sep 20 16:29:01 openvpn[61329]: Initialization Sequence Completed
    Sep 20 16:29:10 openvpn[61329]: WARNING: 'ifconfig' is used inconsistently, local='ifconfig 192.168.251.2 192.168.251.1', remote='ifconfig 192.168.10.2 192.168.10.1'



  • As far as I can see, you have it right now like that:

    |(LAN) 192.168.?.?
        pfSense1
            |(TUN0) 192.168.10.1/24
            |
            |
            |(TUN0) 192.168.251.2
      pfSense2
            |(LAN) 192.168.?.?

    The two interfaces on both ends of the OpenVPN tunnel need to have IPs out of the same subnet.
    You say the how-to suggested using the local network on the other side of the tunnel as the VPN IP?
    Could you provide a link to this how-to? Because this is plain wrong.



  • @GruensFroeschli:

    The two interfaces on both ends of the openVPN tunnel need to have IP's out of the same subnet.

    So the 'Tun' interfaces should be on separate subnets?

    here's what I'm trying to accomplish:

    |(LAN)192.168.252.0/24
    |pfSense1 (server)
    |TUN0(???) - this IP just has to be in a subnet that is not used by any LAN, correct?
    |
    |TUN0(???) - my thought would be that this needs to be in the same subnet as the other TUN interface.. right/wrong?
    |pfSense2 (client)
    |(LAN)192.168.251.0/24

    I will get the how-to once I am back to the office this morning.

    Thanks for your help.

    EDIT: here's a link to a screen-cap of the document, it's the 'pfsense-ovpn.pdf,' but I cannot recall exactly where I downloaded it from

    in that paragraph you can see where it says "“Interface IP” should be filled with your local subnet."



  • @twardnw:

    |(LAN)192.168.252.0/24
    |pfSense1 (server)
    |TUN0(???) - this IP just has to be in a subnet that is not used by any LAN, correct?
    |
    |TUN0(???) - my thought would be that this needs to be in the same subnet as the other TUN interface.. right/wrong?
    |pfSense2 (client)
    |(LAN)192.168.251.0/24

    right.

    …but:

    Sep 20 16:29:10    openvpn[7167]: WARNING: 'ifconfig' is used inconsistently, local='ifconfig 192.168.10.1 192.168.10.2', remote='ifconfig 192.168.251.1 192.168.251.2'

    Sep 20 16:29:10    openvpn[61329]: WARNING: 'ifconfig' is used inconsistently, local='ifconfig 192.168.251.2 192.168.251.1', remote='ifconfig 192.168.10.2 192.168.10.1'

    The output of your logs indicates that this is not the case right now.
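
A quick check for the mismatch described in the first post and in the reply above, added here as an example and not code from this thread or from pfSense: it parses the OpenVPN "'ifconfig' is used inconsistently" warning, verifies that the peer's address pair is the mirror of the local pair (which the static-key point-to-point setup in these logs requires), that both tunnel addresses share one transit subnet (assumed here to be a /24, matching the diagram in the earlier reply), and that no tunnel address falls inside a LAN that is routed through the tunnel. The sample log line and the LAN networks are constructed from the values quoted in the first post; the function and variable names are my own.

```python
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

# Constructed sample excerpt, modelled on the server log quoted in the first post.
SERVER_LOG = """\
Sep 20 16:29:01 openvpn[7167]: Initialization Sequence Completed
Sep 20 16:29:10 openvpn[7167]: WARNING: 'ifconfig' is used inconsistently, local='ifconfig 192.168.10.1 192.168.10.2', remote='ifconfig 192.168.251.1 192.168.251.2'
"""

# LAN networks on the two sites, as stated in the first post.
LAN_NETWORKS = [
    ipaddress.ip_network("192.168.252.0/24"),
    ipaddress.ip_network("192.168.251.0/24"),
]

# Matches the two address pairs OpenVPN prints in the inconsistency warning.
WARNING_RE = re.compile(
    r"WARNING: 'ifconfig' is used inconsistently, "
    r"local='ifconfig (?P<ll>[\d.]+) (?P<lr>[\d.]+)', "
    r"remote='ifconfig (?P<rl>[\d.]+) (?P<rr>[\d.]+)'"
)

Pair = Tuple[str, str]  # (own tunnel address, peer tunnel address)


def parse_ifconfig_warning(line: str) -> Optional[Tuple[Pair, Pair]]:
    """Return ((local_addr, local_peer), (remote_addr, remote_peer)) or None."""
    m = WARNING_RE.search(line)
    if not m:
        return None
    return (m["ll"], m["lr"]), (m["rl"], m["rr"])


def endpoint_findings(local: Pair, remote: Pair,
                      lans: Iterable[ipaddress.IPv4Network],
                      transit_prefixlen: int = 24) -> List[str]:
    """Explain why a pair of point-to-point tunnel endpoints will not carry traffic."""
    findings: List[str] = []

    # 1. Static-key p2p: the peer must use the same two addresses, swapped.
    if (remote[1], remote[0]) != local:
        findings.append(
            f"peer ifconfig {remote} is not the mirror of local {local}; "
            "both ends must use the same two tunnel addresses, swapped")

    # 2. Both tunnel addresses belong in one transit subnet (assumed /24 here).
    transit = ipaddress.ip_network(f"{local[0]}/{transit_prefixlen}", strict=False)
    if ipaddress.ip_address(local[1]) not in transit:
        findings.append(
            f"tunnel addresses {local[0]} and {local[1]} are not in the same "
            f"/{transit_prefixlen}")

    # 3. Tunnel addresses must not sit inside a LAN routed through the tunnel,
    #    which is exactly what the how-to in this thread caused.
    for addr in dict.fromkeys(local + remote):  # de-duplicate, keep order
        for lan in lans:
            if ipaddress.ip_address(addr) in lan:
                findings.append(
                    f"tunnel address {addr} lies inside LAN {lan}; "
                    "pick an unused transit subnet instead")
    return findings


def audit_log(text: str,
              lans: Iterable[ipaddress.IPv4Network] = LAN_NETWORKS) -> List[str]:
    """Scan an OpenVPN log excerpt and collect findings for each warning seen."""
    lans = list(lans)
    findings: List[str] = []
    for line in text.splitlines():
        parsed = parse_ifconfig_warning(line)
        if parsed:
            findings.extend(endpoint_findings(parsed[0], parsed[1], lans))
    return findings


if __name__ == "__main__":
    for finding in audit_log(SERVER_LOG):
        print("-", finding)
```

Run against the constructed log it reports three problems: the peer's pair is not the mirror of the local pair, and both of the peer's addresses (192.168.251.1 and 192.168.251.2) fall inside the 192.168.251.0/24 LAN. A working static-key tunnel such as 10.100.100.1/10.100.100.2 on one side and 10.100.100.2/10.100.100.1 on the other produces no findings.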



  • Hello

    I am fighting with this right now too, and I need to know if that documentation is wrong or not. I had my tunnel up and running, done step by step according to the same documentation. This was on embedded version 1.0.1. The tunnel would stay up for a day or so and crash. I found this: http://forum.pfsense.org/index.php/topic,2785.0.html in the forum about a bug. I then upgraded both client and server from embedded 1.0.1 to embedded 1.2-RC2. Now I am getting the same error message:

    Oct 26 09:55:31 openvpn[2892]: event_wait : Interrupted system call (code=4)
    Oct 26 09:55:31 openvpn[2892]: /etc/rc.filter_configure tun0 1500 1546 10.31.79.1 10.31.79.2 init
    Oct 26 09:55:32 openvpn[2892]: SIGTERM[hard,] received, process exiting
    Oct 26 09:55:33 openvpn[6026]: OpenVPN 2.0.6 i386-portbld-freebsd6.1 [SSL] [LZO] built on Apr 6 2006
    Oct 26 09:55:33 openvpn[6026]: WARNING: file '/var/etc/openvpn_server0.secret' is group or others accessible
    Oct 26 09:55:33 openvpn[6026]: gw 192.168.4.10
    Oct 26 09:55:33 openvpn[6026]: TUN/TAP device /dev/tun0 opened
    Oct 26 09:55:33 openvpn[6026]: /sbin/ifconfig tun0 10.100.100.1 10.100.100.2 mtu 1500 netmask 255.255.255.255 up
    Oct 26 09:55:33 openvpn[6026]: /etc/rc.filter_configure tun0 1500 1546 10.100.100.1 10.100.100.2 init
    Oct 26 09:55:38 openvpn[6058]: Listening for incoming TCP connection on [undef]:1194
    Oct 26 09:55:40 openvpn[6058]: TCP connection established with 88.88.138.211:33590
    Oct 26 09:55:40 openvpn[6058]: TCPv4_SERVER link local (bound): [undef]:1194
    Oct 26 09:55:40 openvpn[6058]: TCPv4_SERVER link remote: 88.88.138.211:33590
    Oct 26 09:55:40 openvpn[6058]: Peer Connection Initiated with 88.88.138.211:33590
    Oct 26 09:55:41 openvpn[6058]: Initialization Sequence Completed
    Oct 26 09:55:50 openvpn[6058]: WARNING: 'ifconfig' is used inconsistently, local='ifconfig 10.100.100.1 10.100.100.2', remote='ifconfig 10.31.79.1 10.31.79.2'

    But no traffic is flowing. I then changed the local pool on the server to reflect remote LAN subnet. That got rid of the warning but no traffic went through the tunnel.

    What's up?



  • Just for the record: my problem had to do with routing. And I can confirm that the server-side pool addresses are the same as the remote LAN. What I don't understand is how I got everything to work following that documentation if it is fundamentally wrong in that aspect.

    Thanks again,

    Pedro

