Site to Site Question



  • Is this a problem? If so it looks like guide http://pfsense.untouchable.net/tutorials/openvpn/pfsense-ovpn.pdf has the wrong information in it… I am just curious. I am having a tunnel that keeps randomly dropping. Thanks for the help!

    openvpn[38541]: WARNING: 'ifconfig' is used inconsistently, local='ifconfig 192.168.22.1 192.168.22.2', remote='ifconfig 10.0.0.1 10.0.0.2'



  • Are you using a PKI or SKI?
    I don't think the guide is wrong, but that you inputted something wrong.

    Could you post a diagram of how you want your network to look?

    As a side note: you need a separate subnet for the VPN as a kind of "transfer subnet".



  • I'm getting the same messages in my log but I'm not experiencing any problems (that I know of), so I have ignored them. I am curious as to what they mean though  :)



  • Are you sure that it works? It shouldn't.

    This message means that the 2 virtual interfaces of the VPN (on both sides of the tunnel) have IPs which shouldn't work together.

    Like when you connect 2 computers directly with a crossover cable and then set the IPs manually, but you have IPs that don't work together.
    Like in the message above:

    computer1: 192.168.22.1/24
    computer2: 10.0.0.1/24

    With this setup the two computers shouldn't be able to communicate with each other.
    The same goes for a VPN connection. If the two IPs on both sides of the tunnel are within different subnets, they shouldn't be able to communicate.
    That's why I wrote in the last message that you need a "transfer subnet".



  • Lan1 (openvpn server) - 192.168.10.0/24
    Lan1 (server address pool) - 192.168.22.0/24
    Lan2 (openvpn client)  - 10.0.0.0/24

    "“Address pool” must be a network you do not use anywhere else, I used
    192.168.10.0/24 since neither Office1 nor Office2 use this subnet." <- That is in the documentation for the howto. I am not sure if this is correct or not. But I think this is why I am throwing the errors. Any ideas?



  • Your client needs to have 2 IPs too.
    A "real" IP in your LAN2 (whatever subnet you have in LAN2)
    and a "virtual" IP for the VPN.
    In your case the virtual openVPN client should be 192.168.22.x/24



  • I just don't understand why I am getting that error in the logs then

    openvpn[38541]: WARNING: 'ifconfig' is used inconsistently, local='ifconfig 192.168.22.1 192.168.22.2', remote='ifconfig 10.0.0.1 10.0.0.2'



  • Yes, GruensFroeschli, I'm sure it works, I've been using the tunnel for two weeks now  :)

    I've corrected what was wrong though. For me it was that I had configured the "Interface IP" as the same subnet as my LAN subnet on the client side. That is, to correct the problem I configured "Address pool" on the server to the same subnet as "Interface IP" on the client (and that subnet doesn't exist anywhere else).



  • @b00gz:

    I just don't understand why I am getting that error in the logs then

    openvpn[38541]: WARNING: 'ifconfig' is used inconsistently, local='ifconfig 192.168.22.1 192.168.22.2', remote='ifconfig 10.0.0.1 10.0.0.2'

    Is this warning on the client side?
    If yes, then your settings on the server side are incorrect. Your current "virtual" IP on the server side is (in case the warning is on the client side) in the 10.0.0.x subnet, but it should be in the 192.168.22.x subnet.
    If you take a look at the server log you will see a similar warning with the IPs in question exchanged.



  • Attached are my server settings and client settings. This is exactly how that documentation reads (I believe). Please let me know what is wrong and why I am getting the errors. I get the errors on both sides.

    Server Error
    openvpn[33890]: WARNING: 'ifconfig' is used inconsistently, local='ifconfig 192.168.22.1 192.168.22.2', remote='ifconfig 10.0.0.1 10.0.0.2'

    Client Error
    openvpn[34604]: WARNING: 'ifconfig' is used inconsistently, local='ifconfig 10.0.0.2 10.0.0.1', remote='ifconfig 192.168.22.2 192.168.22.1'



  • These settings are a bit inconsistent.

    On your server:

    You specify an IP range which should be assigned dynamically to your clients connecting, but you assign a static IP to the client.
    Either you define a range and then let the IPs be assigned automatically (this is used in a PKI),
    or you set your local IP with the "Address pool" field (in a PSK setup).
    This is maybe a bit confusingly named.
    You have to decide what you want. If you want a site-to-site connection, connecting two LANs, you'd better use a PSK setup with static IPs. If you have mobile clients connecting, you'd better assign them dynamically.

    You specify a "remote network" on your server; is that the subnet of your second LAN?
    I still don't really understand where you have what subnet.
    I'll explain with IPs I have running between my home and that of a friend:

    me:
    LAN: 172.17.100.x
    VPNserver: 10.0.0.1

    friend:
    LAN: 172.22.100.x
    VPNclient: 10.0.0.2

    So I set on my pfSense (the openVPN server) as remote network 172.22.100.0/24

    On your client:

    The interface IP you specify here is a virtual interface.
    It is the endpoint of the tunnel you create. This has to be in the same subnet as you specified on the server. In my example above the client is 10.0.0.2 (while the server is 10.0.0.1).
    Here you specify as remote network the network on the other side of the tunnel (in my case 172.17.100.x).

    I hope this makes it a bit more clear :)
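    As an added illustration (not code from this thread or from pfSense), a small checker that parses the two warnings quoted earlier in the thread and applies the rule just explained: in a PSK point-to-point tunnel the peer's `ifconfig` must mirror ours, and both endpoints must sit in one transfer subnet. The /24 width of that subnet and the sample log text are assumptions taken from how the thread writes its addresses.

    ```python
    import ipaddress
    import re

    # Constructed sample log, modelled on the two warnings quoted in this thread
    # (server side first, client side second) plus one unrelated line.
    SAMPLE_LOG = """\
    openvpn[33890]: WARNING: 'ifconfig' is used inconsistently, local='ifconfig 192.168.22.1 192.168.22.2', remote='ifconfig 10.0.0.1 10.0.0.2'
    openvpn[34604]: WARNING: 'ifconfig' is used inconsistently, local='ifconfig 10.0.0.2 10.0.0.1', remote='ifconfig 192.168.22.2 192.168.22.1'
    openvpn[34604]: Initialization Sequence Completed
    """

    WARN_RE = re.compile(
        r"'ifconfig' is used inconsistently, "
        r"local='ifconfig ([\d.]+) ([\d.]+)', remote='ifconfig ([\d.]+) ([\d.]+)'"
    )


    def parse_warnings(log_text):
        """Return ((local_ip, local_peer), (remote_ip, remote_peer)) per warning line."""
        pairs = []
        for line in log_text.splitlines():
            m = WARN_RE.search(line)
            if m:
                pairs.append(((m.group(1), m.group(2)), (m.group(3), m.group(4))))
        return pairs


    def check_p2p_ifconfig(local, remote, prefixlen=24):
        """List the problems with one PSK point-to-point tunnel's ifconfig pair.

        The peer's ifconfig must mirror ours, and both endpoints must lie in one
        transfer subnet. The /24 width is an assumption taken from this thread.
        """
        problems = []
        if remote != (local[1], local[0]):
            problems.append(f"peer ifconfig {remote} does not mirror local ifconfig {local}")
        own, peer = (ipaddress.ip_address(a) for a in local)
        transfer_net = ipaddress.ip_network(f"{own}/{prefixlen}", strict=False)
        if peer not in transfer_net:
            problems.append(f"endpoints {own} and {peer} are not in one /{prefixlen}")
        return problems


    def diagnose(log_text):
        """One problem list per warning; an empty list means that pair is consistent."""
        return [check_p2p_ifconfig(loc, rem) for loc, rem in parse_warnings(log_text)]
    ```

    Running `diagnose(SAMPLE_LOG)` reports, for each side, that the peer's pair does not mirror its own, which is exactly the mismatch the thread traces back to the server's "Address pool" and the client's "Interface IP" being in different subnets.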



  • Doesn't what you just said make the documentation for http://pfsense.untouchable.net/tutorials/openvpn/pfsense-ovpn.pdf wrong?  I am pretty sure I match the documentation for the site to site setup.



  • I wrote an email to the author of the documentation.
    If you take a close look you see there is a cursor in the screenshot on page 21 in the interface field.
    I think this is more of a typo than an error ^^"

    But I think general sense should tell you that two interfaces between which traffic is transferred should be in the same subnet.



  • So just to clarify you are saying that where the cursor is should say 192.168.10.0 ?



  • Yes.

