Net to Net with pfSense?

    IPsec
ministry:

Hi guys.

I have a little question. I have connected a pfSense VPN server and a mobile client with the Greenbow VPN client. The tunnel is up and running (I can ping the WAN & LAN interfaces of the pfSense server), but I can't ping any host under my firewall. Is it a limitation of pfSense or am I so stupid ;)

Sorry for my English, but I'm Italian…

P.S. This is my IPsec log:

Feb 21 14:09:24 racoon: INFO: generated policy, deleting it.
Feb 21 14:09:24 racoon: INFO: purged IPsec-SA proto_id=ESP spi=1988892285.
Feb 21 14:09:24 racoon: INFO: purging ISAKMP-SA spi=ecb96a4507c9063f:117755bb14afe179.
Feb 21 14:09:24 racoon: INFO: purged IPsec-SA spi=127285352.
Feb 21 14:09:24 racoon: INFO: purged ISAKMP-SA spi=ecb96a4507c9063f:117755bb14afe179.
Feb 21 14:09:25 racoon: INFO: ISAKMP-SA deleted 192.168.0.3[500]-84.222.55.236[500] spi:ecb96a4507c9063f:117755bb14afe179
Feb 21 14:09:35 racoon: INFO: respond new phase 1 negotiation: 192.168.0.3[500]<=>84.222.55.236[500]
Feb 21 14:09:35 racoon: INFO: begin Aggressive mode.
Feb 21 14:09:35 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Feb 21 14:09:35 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 21 14:09:35 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Feb 21 14:09:35 racoon: INFO: received Vendor ID: DPD
Feb 21 14:09:35 racoon: INFO: ISAKMP-SA established 192.168.0.3[500]-84.x.x.x[500] spi:86648da13392417c:9bb7173b56ae1c6d
Feb 21 14:09:35 racoon: INFO: respond new phase 2 negotiation: 192.168.0.3[0]<=>84.x.x.x[0]
Feb 21 14:09:35 racoon: INFO: no policy found, try to generate the policy : 192.168.1.3/32[0] 192.168.0.0/24[0] proto=any dir=in
Feb 21 14:09:35 racoon: INFO: IPsec-SA established: ESP/Tunnel 84.222.55.236[0]->192.168.0.3[0] spi=25498633(0x1851409)
Feb 21 14:09:35 racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.0.3[0]->84.x.x.x[0] spi=2345139734(0x8bc7fe16)
Feb 21 14:09:35 racoon: ERROR: such policy does not already exist: "192.168.1.3/32[0] 192.168.0.0/24[0] proto=any dir=in"
Feb 21 14:09:35 racoon: ERROR: such policy does not already exist: "192.168.0.0/24[0] 192.168.1.3/32[0] proto=any dir=out"
sullrich:

Try pinging from workstation to workstation.

If you wish to ping from pfSense to the remote firewall, you need to add the -S (source) option and include the LAN IP.

ministry:

From the mobile client (192.168.0.2) I can ping both interfaces of the pfSense, but I can't ping any host in the LAN of pfSense (for example a web server at the address 192.168.0.254).

          My version is STABLE 26-12-05

sullrich:

Double check your subnets. I see a /32 in there.

ministry:

Sorry, but I don't understand. My English is not so good ::)

sullrich:

"192.168.1.3/32"

I doubt you want a /32 there. Most likely a /24?

ministry:

Sure, /24..

The error is in the client configuration?

sullrich:

I would guess so, yes. A /32 will lock you down to the firewall only.

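To make the /32 discussion concrete, here is an added Python checker (not from the thread or from pfSense) that parses the selector pair out of racoon's "policy" log messages and reports which LAN hosts a client's traffic is covered for. The first log line is the one from the thread above; the second is a constructed variant where the LAN-side selector is narrowed to the firewall address alone, which is the "locked down to the firewall only" case.

```python
import ipaddress
import re
from typing import List, NamedTuple

# Selector part of racoon's policy messages, e.g.
#   192.168.1.3/32[0] 192.168.0.0/24[0] proto=any dir=in
# i.e. <src>/<prefix>[port] <dst>/<prefix>[port] proto=<p> dir=<in|out>
# racoon lists src before dst in packet order for both dir=in and dir=out.
POLICY_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\[\d+\]\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\[\d+\]\s+"
    r"proto=(?P<proto>\S+)\s+dir=(?P<dir>in|out)"
)

class Policy(NamedTuple):
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    direction: str

def parse_policies(log_lines: List[str]) -> List[Policy]:
    """Pull every SPD selector pair that racoon printed out of the log lines."""
    found = []
    for line in log_lines:
        m = POLICY_RE.search(line)
        if m:
            found.append(Policy(ipaddress.ip_network(m["src"], strict=False),
                                ipaddress.ip_network(m["dst"], strict=False),
                                m["proto"], m["dir"]))
    return found

def covered(policies: List[Policy], src_ip: str, dst_ip: str) -> bool:
    """True if some selector pair covers a packet travelling src_ip -> dst_ip."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in p.src and d in p.dst for p in policies)

def reachable_hosts(log_lines: List[str], client_ip: str, hosts: List[str]) -> dict:
    """Map each LAN host to whether the client's traffic to it falls inside the tunnel."""
    pols = parse_policies(log_lines)
    return {h: covered(pols, client_ip, h) for h in hosts}

# Line taken from the thread's racoon log: client 192.168.1.3 <-> LAN 192.168.0.0/24
LOG_LAN24 = ["Feb 21 14:09:35 racoon: INFO: no policy found, try to generate the policy : "
             "192.168.1.3/32[0] 192.168.0.0/24[0] proto=any dir=in"]
# Constructed variant: LAN-side selector narrowed to the firewall address (192.168.0.3) only
LOG_LAN32 = ["Feb 21 14:09:35 racoon: INFO: no policy found, try to generate the policy : "
             "192.168.1.3/32[0] 192.168.0.3/32[0] proto=any dir=in"]

if __name__ == "__main__":
    for name, log in (("/24 LAN selector", LOG_LAN24), ("/32 LAN selector", LOG_LAN32)):
        print(name, reachable_hosts(log, "192.168.1.3", ["192.168.0.3", "192.168.0.254"]))
```

With the /24 selector both the firewall and the web server at 192.168.0.254 are covered; with the /32 variant only the firewall is, which is exactly the symptom of being able to ping the pfSense interfaces but nothing behind them.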
hoba:

@sullrich:

Try pinging from workstation to workstation.

If you wish to ping from pfSense to the remote firewall, you need to add the -S (source) option and include the LAN IP.

Just a hint: you can do that from the webGUI using Diagnostics > Ping and selecting the LAN interface with a remote IP.

ministry:

I can ping my remote computer via the webGUI, but from my remote computer (connected to pfSense via the Greenbow VPN client) I can ping only the LAN interface of the pfSense box ???

sullrich:

Again, it's an issue with the client.
