Net to Net with pfsense ?

ministry

Hi guys.

I have a little question. I have connect an pfsense vpnserver and a mobile client with Greenbw VPN CLIENT the tunnel is up and running ( i can ping WAN & LAN interface of pfsense server ) but i don't ping any host under my firewall. Is it a limitation of pfesense or i'm so stupid  ;)

Sorry for my english but i'm italian…

P.S. This is my ipsec log:

Feb 21 14:09:24 racoon: INFO: generated policy, deleting it. 
Feb 21 14:09:24 racoon: INFO: purged IPsec-SA proto_id=ESP spi=1988892285\. 
Feb 21 14:09:24 racoon: INFO: purging ISAKMP-SA spi=ecb96a4507c9063f:117755bb14afe179\. 
Feb 21 14:09:24 racoon: INFO: purged IPsec-SA spi=127285352\. 
Feb 21 14:09:24 racoon: INFO: purged ISAKMP-SA spi=ecb96a4507c9063f:117755bb14afe179\. 
Feb 21 14:09:25 racoon: INFO: ISAKMP-SA deleted 192.168.0.3[500]-84.222.55.236[500] spi:ecb96a4507c9063f:117755bb14afe179 
Feb 21 14:09:35 racoon: INFO: respond new phase 1 negotiation: 192.168.0.3[500]<=>84.222.55.236[500] 
Feb 21 14:09:35 racoon: INFO: begin Aggressive mode. 
Feb 21 14:09:35 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00 
Feb 21 14:09:35 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 
Feb 21 14:09:35 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03 
Feb 21 14:09:35 racoon: INFO: received Vendor ID: DPD 
Feb 21 14:09:35 racoon: INFO: ISAKMP-SA established 192.168.0.3[500]-84.x.x.x[500] spi:86648da13392417c:9bb7173b56ae1c6d 
Feb 21 14:09:35 racoon: INFO: respond new phase 2 negotiation: 192.168.0.3[0]<=>84.x.x.x[0] 
Feb 21 14:09:35 racoon: INFO: no policy found, try to generate the policy : 192.168.1.3/32[0] 192.168.0.0/24[0] proto=any dir=in 
Feb 21 14:09:35 racoon: INFO: IPsec-SA established: ESP/Tunnel 84.222.55.236[0]->192.168.0.3[0] spi=25498633(0x1851409) 
Feb 21 14:09:35 racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.0.3[0]->84.x.x.x[0] spi=2345139734(0x8bc7fe16) 
Feb 21 14:09:35 racoon: ERROR: such policy does not already exist: "192.168.1.3/32[0] 192.168.0.0/24[0] proto=any dir=in" 
Feb 21 14:09:35 racoon: ERROR: such policy does not already exist: "192.168.0.0/24[0] 192.168.1.3/32[0] proto=any dir=out" 

sullrich

Try pinging from workstation to workstation.

If you wish to ping from pfSense to the remote firewall you need to add the -S (source) option and include the lan ip.

ministry

From the mobile client ( 192.168.0.2 ) i can ping both interface of the pfsense but i can't ping any host in the lan of pfsense ( 4 exemple a server web at the address 192.168.0.254 )

My version is STABLE 26-12-05

sullrich

Double check you're subnets.  I see a /32 in there.

ministry

Sorry but  I don't understand. My english is not so good  ::)

sullrich

"192.168.1.3/32"

I doubt you want a /32 there.  Most likely a /24 ?

ministry

Sure /24..

The error is in the client configuration ?

sullrich

I would guess so, yes.  A /32 will lock you down to the firewall only.

hoba

@sullrich:

Try pinging from workstation to workstation.

If you wish to ping from pfSense to the remote firewall you need to add the -S (source) option and include the lan ip.

Just a hint: you can do that from the webgui using diagnostics>ping and select the lan interface with a remote ip.

ministry

I can ping my remote computer by webgui but from my remote computer ( connect to pfsense via greenbow vpn client ) i can ping only the  LAN interface of pfsense box  ???

sullrich

Again, its an issue with the client.