Netgate Discussion Forum

Net to Net with pfsense?

Category: IPsec
11 Posts 3 Posters 6.9k Views
ministry (last edited Feb 21, 2006, 1:12 PM)

Hi guys.

I have a little question. I have connected a pfSense VPN server and a mobile client with the GreenBow VPN client. The tunnel is up and running (I can ping the WAN & LAN interfaces of the pfSense server) but I can't ping any host under my firewall. Is it a limitation of pfSense or am I so stupid ;)

Sorry for my English but I'm Italian…

P.S. This is my IPsec log:

    
Feb 21 14:09:24 racoon: INFO: generated policy, deleting it.
Feb 21 14:09:24 racoon: INFO: purged IPsec-SA proto_id=ESP spi=1988892285.
Feb 21 14:09:24 racoon: INFO: purging ISAKMP-SA spi=ecb96a4507c9063f:117755bb14afe179.
Feb 21 14:09:24 racoon: INFO: purged IPsec-SA spi=127285352.
Feb 21 14:09:24 racoon: INFO: purged ISAKMP-SA spi=ecb96a4507c9063f:117755bb14afe179.
Feb 21 14:09:25 racoon: INFO: ISAKMP-SA deleted 192.168.0.3[500]-84.222.55.236[500] spi:ecb96a4507c9063f:117755bb14afe179
Feb 21 14:09:35 racoon: INFO: respond new phase 1 negotiation: 192.168.0.3[500]<=>84.222.55.236[500]
Feb 21 14:09:35 racoon: INFO: begin Aggressive mode.
Feb 21 14:09:35 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Feb 21 14:09:35 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 21 14:09:35 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Feb 21 14:09:35 racoon: INFO: received Vendor ID: DPD
Feb 21 14:09:35 racoon: INFO: ISAKMP-SA established 192.168.0.3[500]-84.x.x.x[500] spi:86648da13392417c:9bb7173b56ae1c6d
Feb 21 14:09:35 racoon: INFO: respond new phase 2 negotiation: 192.168.0.3[0]<=>84.x.x.x[0]
Feb 21 14:09:35 racoon: INFO: no policy found, try to generate the policy : 192.168.1.3/32[0] 192.168.0.0/24[0] proto=any dir=in
Feb 21 14:09:35 racoon: INFO: IPsec-SA established: ESP/Tunnel 84.222.55.236[0]->192.168.0.3[0] spi=25498633(0x1851409)
Feb 21 14:09:35 racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.0.3[0]->84.x.x.x[0] spi=2345139734(0x8bc7fe16)
Feb 21 14:09:35 racoon: ERROR: such policy does not already exist: "192.168.1.3/32[0] 192.168.0.0/24[0] proto=any dir=in"
Feb 21 14:09:35 racoon: ERROR: such policy does not already exist: "192.168.0.0/24[0] 192.168.1.3/32[0] proto=any dir=out"
    
sullrich (last edited Feb 21, 2006, 10:55 PM)

Try pinging from workstation to workstation.

If you wish to ping from pfSense to the remote firewall you need to add the -S (source) option and include the LAN IP.

ministry (last edited Feb 21, 2006, 11:41 PM)

From the mobile client (192.168.0.2) I can ping both interfaces of the pfSense but I can't ping any host in the LAN of pfSense (for example a web server at the address 192.168.0.254)

My version is STABLE 26-12-05

sullrich (last edited Feb 21, 2006, 11:42 PM)

Double check your subnets. I see a /32 in there.

ministry (last edited Feb 21, 2006, 11:47 PM)

Sorry but I don't understand. My English is not so good ::)

sullrich (last edited Feb 21, 2006, 11:49 PM)

"192.168.1.3/32"

I doubt you want a /32 there. Most likely a /24?

ministry (last edited Feb 21, 2006, 11:52 PM)

Sure, /24..

Is the error in the client configuration?

sullrich (last edited Feb 21, 2006, 11:59 PM)

I would guess so, yes. A /32 will lock you down to the firewall only.

hoba (last edited Feb 22, 2006, 12:45 AM)

@sullrich:

> Try pinging from workstation to workstation.
>
> If you wish to ping from pfSense to the remote firewall you need to add the -S (source) option and include the LAN IP.

Just a hint: you can do that from the WebGUI using Diagnostics > Ping and select the LAN interface with a remote IP.

ministry (last edited Feb 22, 2006, 1:20 PM)

I can ping my remote computer from the WebGUI but from my remote computer (connected to pfSense via the GreenBow VPN client) I can ping only the LAN interface of the pfSense box ???

sullrich (last edited Feb 22, 2006, 9:34 PM)

Again, it's an issue with the client.
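
The diagnosis in this thread turns on the selectors racoon prints in the "no policy found, try to generate the policy" and "such policy does not already exist" lines: the two networks named there are what the phase 2 SA will carry, and a host outside them is unreachable through the tunnel whatever the firewall rules say (the "generate the policy" line means the responder had no matching SPD entry and built one from the client's proposal). The following Python script is an added example, not code from this thread or from pfSense. It parses those lines out of a saved racoon log (the embedded sample is constructed from the lines quoted above, with the same addresses), checks whether a given LAN host and client address fall inside the negotiated selectors, lists any single-host (/32) selector of the kind sullrich points at, and also flags selectors that overlap each other, which is a separate and common cause of the same "tunnel is up but I can only reach the firewall" symptom. The function names and the report layout are my own.

```python
import ipaddress
import re

# Constructed sample, modelled on the racoon lines quoted in this thread
# (same addresses as the poster's log; the peer stays redacted as 84.x.x.x).
SAMPLE_LOG = """\
Feb 21 14:09:35 racoon: INFO: respond new phase 2 negotiation: 192.168.0.3[0]<=>84.x.x.x[0]
Feb 21 14:09:35 racoon: INFO: no policy found, try to generate the policy : 192.168.1.3/32[0] 192.168.0.0/24[0] proto=any dir=in
Feb 21 14:09:35 racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.0.3[0]->84.x.x.x[0] spi=2345139734(0x8bc7fe16)
Feb 21 14:09:35 racoon: ERROR: such policy does not already exist: "192.168.0.0/24[0] 192.168.1.3/32[0] proto=any dir=out"
"""

# Selector pair as racoon prints it: "<net>[port] <net>[port] proto=<p> dir=<in|out>".
# Matches both the "generate the policy" INFO line and the quoted ERROR line.
POLICY_RE = re.compile(
    r"(?P<src>[0-9a-fA-F.:]+/\d+)\[\d+\] (?P<dst>[0-9a-fA-F.:]+/\d+)\[\d+\] "
    r"proto=(?P<proto>\S+) dir=(?P<dir>in|out)"
)


def parse_policies(log_text):
    """Return (src_net, dst_net, proto, direction) for every policy line in the log.

    racoon prints selectors from the responder's point of view: for dir=in the
    source is the remote (client) side, for dir=out it is the local side.
    """
    policies = []
    for line in log_text.splitlines():
        m = POLICY_RE.search(line)
        if m is None:
            continue
        policies.append((
            ipaddress.ip_network(m["src"], strict=False),
            ipaddress.ip_network(m["dst"], strict=False),
            m["proto"],
            m["dir"],
        ))
    return policies


def local_and_remote(policy):
    """Normalise one policy to (local_net, remote_net) whatever its direction."""
    src, dst, _proto, direction = policy
    return (dst, src) if direction == "in" else (src, dst)


def traffic_covered(policies, local_host, remote_host):
    """True if some negotiated selector pair carries traffic between the two hosts.

    A host outside every selector is unreachable through the tunnel no matter
    what the firewall rules say, which is the symptom described in this thread.
    """
    local_ip = ipaddress.ip_address(local_host)
    remote_ip = ipaddress.ip_address(remote_host)
    for policy in policies:
        local_net, remote_net = local_and_remote(policy)
        if local_ip in local_net and remote_ip in remote_net:
            return True
    return False


def host_only_selectors(policies):
    """Selectors that name a single address (/32, or /128 for IPv6).

    Such a selector limits that side of the SA to exactly one host, which is
    what the thread's advice about the /32 is pointing at.
    """
    found = {str(net) for policy in policies for net in policy[:2] if net.num_addresses == 1}
    return sorted(found)


def overlapping_selectors(policies):
    """Policies whose two selectors overlap, so an address can sit on both sides
    of the tunnel; a separate, common cause of the same symptom."""
    return [p for p in policies if p[0].overlaps(p[1])]


def report(log_text, local_host, remote_host):
    """Summarise the negotiated selectors for a given local/remote host pair."""
    policies = parse_policies(log_text)
    return {
        "policies": [f"{p[0]} <-> {p[1]} proto={p[2]} dir={p[3]}" for p in policies],
        "pair_covered": traffic_covered(policies, local_host, remote_host),
        "host_only": host_only_selectors(policies),
        "overlapping": [f"{p[0]} / {p[1]}" for p in overlapping_selectors(policies)],
    }


if __name__ == "__main__":
    # The web server on the pfSense LAN versus the client address seen in the log.
    for key, value in report(SAMPLE_LOG, "192.168.0.254", "192.168.1.3").items():
        print(f"{key}: {value}")
```

Feed it the racoon log exported from the firewall and the two addresses you are trying to ping between; if `pair_covered` comes back False, the problem is in the phase 2 selectors (the client's local network definition on a road-warrior setup) rather than in firewall rules, and `host_only` tells you which side is pinned to a single address.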

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.