Snort/Barnyard2 will not connect to MySQL (Snorby) over IPsec Tunnel.



  • Snort/Barnyard2 will not connect to MySQL (Snorby) over IPsec Tunnel.

    I can connect from the remote site from an Ubuntu box. 
    When I perform a packet capture I don't see it even attempt to connect to MySql via IPsec.

    pfSense Snort instances at the same site as the MySQL server connect well.

    If there a setting somewhere that I am missing to tell Barnyard to use the tunnel?
    I am fairly sure I have done this in the past.  Maybe a racoon vs charon issue?



  • Not sure I can be much help with this one.  The MySQL traffic from Barnyard2 to your DB is plain vanilla and should not be affected by going over the tunnel.  I would start my troubleshooting by looking at the routing.

    Can you ping the MySQL box from the firewall's console (the one where you can't get Barnyard2 to connect from)?  Can you ping the MySQL box from some host that is on the same subnet as Snort is running on?

    In other words, forget Snort and Barnyard2 for the moment and test just basic network connectivity across the tunnel between a host on the LAN behind the Snort interface on the source firewall and the target MySQL box.

    Bill



  • Thank you for the reply.  I tried that.  It is only the remote pfSense box that isn't using the tunnel.  The remote pfSence box wont even ping across the tunnel.

    I can connect to the MySQL from the remote site over the IPsec VPN tunnel from a Linux box.  The pfSense box cannot even ping across the tunnel, everything else can.

    2.1.5-RELEASE at the local site.

    2.2-RELEASE at the remote site.

    After update the remote site only the pfSense box cannot ping across the tunnel.
    The local site pfSense box can ping across the tunnel.

    Is there something I need to do to get the pfSense box to recognize its own routing?



  • OK I connected a tunnel from another pfSense box using 2.2.1-RELEASE and another using version 2.0.1-RELEASE ….I get the same result.

    I can ping from other computers on the remote LAN subnet to computers on the local LAN subnet but not from the pfSense boxes themselves.

    This should be an IPsec topic not a IDS/IPS topic.  I will start a new thread in the IPsec fourm.


Log in to reply