Openvpn fails while using CARP?



  • Hi,

    I installed two pfSense 1.2 firewalls on one site, using CARP for failover. This works like a charm.
    But we do need to have access through VPN from several offices.
    I already did OpenVPN setups before with pfSense without any problems.

    But here it goes wrong.

    |                                    |
                          WAN                            WAN
      (LAN2)            | (.195)      (.205)    (.194)|    (LAN2)
    –--------------fwA-----------carp--------fwB--------------
    |                      |LAN  (192.168.100.102)    |LAN                |
    |                    (192.168.100.98)  (192.168.100.99)              |
    |                                                                                  |
    |                                                                                  |
    |(172.16.186.198)            CARP:(172.16.186.205)                |(172.16.186.199)

    LAN: 192.168.100.0/24
    WAN: /27
    LAN2: 172.16.186.0/24
    office 1 LAN: 172.17.0.0/24

    This is what the setup of the installation looks like... just to give you an idea.

    When firewall A fails, B takes over control. (CARPing WAN, LAN, LAN2 and VIPs for 1:1 NAT)

    I configured firewall A as OpenVPN server (site-to-site); here in office 1 I configured another pfSense as client.
    From my notebook here in office 1, I'm able to ping the LAN interface of fwA, but nothing else.
    When I do a ping from fwA to several systems here in the office, I never get a positive response.
    But while doing the same from fwB... I have a positive response. (when I make a static route for the office LAN with gateway 'fwA LAN interface' 192.168.100.98)

    I don't know why this is happening.

    Could it be possible that this fails because the firewalls are running CARPed?
    I can't find any other reason for the moment.

    Thank you in advance for your response.

    Frederik.



  • Could you please show the log output of openVPN (client and server)?
    Also to which address does your openVPN client connect to?
    Can you post here the config file of the server and the client?



  • Hi GruensFroeschli,
    Thank you for your reply.

    Here is the information you're asking for:

    Server log:

    Apr 23 11:51:59 openvpn[29917]: OpenVPN 2.0.6 i386-portbld-freebsd6.2 [SSL] [LZO] built on Sep 13 2007
    Apr 23 11:51:59 openvpn[29917]: WARNING: file '/var/etc/openvpn_server0.secret' is group or others accessible
    Apr 23 11:51:59 openvpn[29917]: LZO compression initialized
    Apr 23 11:51:59 openvpn[29917]: gw xx.xxx.xxx.222
    Apr 23 11:51:59 openvpn[29917]: TUN/TAP device /dev/tun0 opened
    Apr 23 11:51:59 openvpn[29917]: /sbin/ifconfig tun0 192.168.30.1 192.168.30.2 mtu 1500 netmask 255.255.255.255 up
    Apr 23 11:51:59 openvpn[29917]: /etc/rc.filter_configure tun0 1500 1545 192.168.30.1 192.168.30.2 init
    Apr 23 11:51:59 openvpn[29930]: UDPv4 link local (bound): [undef]:1190
    Apr 23 11:51:59 openvpn[29930]: UDPv4 link remote: [undef]

    Client Log:

    Apr 23 11:58:25 openvpn[16214]: OpenVPN 2.0.6 i386-portbld-freebsd6.2 [SSL] [LZO] built on Sep 13 2007
    Apr 23 11:58:25 openvpn[16214]: WARNING: file '/var/etc/openvpn_client0.secret' is group or others accessible
    Apr 23 11:58:25 openvpn[16214]: LZO compression initialized
    Apr 23 11:58:25 openvpn[16214]: gw 213.219.168.1
    Apr 23 11:58:25 openvpn[16214]: TUN/TAP device /dev/tun0 opened
    Apr 23 11:58:25 openvpn[16214]: /sbin/ifconfig tun0 172.17.0.2 172.17.0.1 mtu 1500 netmask 255.255.255.255 up
    Apr 23 11:58:25 openvpn[16214]: /etc/rc.filter_configure tun0 1500 1545 172.17.0.2 172.17.0.1 init
    Apr 23 11:58:33 openvpn[16232]: UDPv4 link local (bound): [undef]:1194
    Apr 23 11:58:33 openvpn[16232]: UDPv4 link remote: xx.xxx.xxx.195:1190

    The client connects to .195, so the WAN address of fwA.

    Config files:

    Server config:

    <openvpnserver>
      <config>
        <disable/>
        <protocol>UDP</protocol>
        <dynamic_ip>on</dynamic_ip>
        <local_port>1190</local_port>
        <addresspool>192.168.30.0/24</addresspool>
        <nopool/>
        <local_network/>
        <remote_network>172.17.0.0/24</remote_network>
        <client2client/>
        <crypto>BF-CBC</crypto>
        <auth_method>shared_key</auth_method>
        <shared_key>PRIVATE__KEY</shared_key>
        <ca_cert/>
        <server_cert/>
        <server_key/>
        <dh_params/>
        <crl/>
        <dhcp_domainname/>
        <dhcp_dns/>
        <dhcp_wins/>
        <dhcp_nbdd/>
        <dhcp_ntp/>
        <dhcp_nbttype>0</dhcp_nbttype>
        <dhcp_nbtscope/>
        <dhcp_nbtdisable/>
        <use_lzo>on</use_lzo>
        <custom_options/>
        <description>Site-To-Site VPN ITAF NETWORK Shop Gent</description>
      </config>
    </openvpnserver>

    Client config:

    <openvpnclient>
      <config>
        <disable/>
        <protocol>UDP</protocol>
        <serveraddr>xx.xxx.xxx.195</serveraddr>
        <serverport>1190</serverport>
        <interface_ip>172.17.0.0/24</interface_ip>
        <remote_network>192.168.100.0/24</remote_network>
        <proxy_hostname/>
        <proxy_port>3128</proxy_port>
        <crypto>BF-CBC</crypto>
        <auth_method>shared_key</auth_method>
        <shared_key>PRIVATE__KEY</shared_key>
        <ca_cert/>
        <client_cert/>
        <client_key/>
        <use_lzo>on</use_lzo>
        <use_shaper/>
        <use_dynamicport/>
        <custom_options/>
        <description>Site-To-Site VPN ITAF NETWORK Haarlem</description>
      </config>
    </openvpnclient>

    I hope this is the information you need?

    <edit>The devices in the LAN (of fwA) use 192.168.100.102 (CARP VIP) as default gateway</edit>



  • You have a configuration mismatch between your server and client.

    Your transfer net is configured as 192.168.30.0/24 on the server.
    On your client you've configured it as 172.17.0.0/24.
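The mismatch pointed out above is exactly the kind of thing a small consistency check catches before a tunnel is ever brought up. The script below is an added example written for this thread, not code from the thread or from pfSense: it parses the two pfSense 1.2 `<openvpnserver>`/`<openvpnclient>` fragments, compares the shared-key site-to-site parameters that have to agree (protocol, port, auth method, transfer net), flags a transfer net that overlaps a real LAN, and cross-checks the `ifconfig tun0` lines in both OpenVPN logs (which should be mirror images of each other). It also reports the "group or others accessible" warning on the secret file that both logs show. The sample XML and log lines are constructed from the values posted in the thread; `field()` walks the whole subtree with `iter()`, so it also copes with the mis-nested form in which a web export turns empty elements into open tags.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed samples modelled on the config fragments and log lines posted in
# the thread (addresses as posted, shared key redacted as in the post).
SERVER_XML = """<openvpnserver><config>
<protocol>UDP</protocol><local_port>1190</local_port>
<addresspool>192.168.30.0/24</addresspool>
<remote_network>172.17.0.0/24</remote_network>
<auth_method>shared_key</auth_method><shared_key>PRIVATE__KEY</shared_key>
</config></openvpnserver>"""

CLIENT_XML = """<openvpnclient><config>
<protocol>UDP</protocol><serveraddr>xx.xxx.xxx.195</serveraddr>
<serverport>1190</serverport>
<interface_ip>172.17.0.0/24</interface_ip>
<remote_network>192.168.100.0/24</remote_network>
<auth_method>shared_key</auth_method><shared_key>PRIVATE__KEY</shared_key>
</config></openvpnclient>"""

SERVER_LOG = """Apr 23 11:51:59 openvpn[29917]: WARNING: file '/var/etc/openvpn_server0.secret' is group or others accessible
Apr 23 11:51:59 openvpn[29917]: /sbin/ifconfig tun0 192.168.30.1 192.168.30.2 mtu 1500 netmask 255.255.255.255 up"""

CLIENT_LOG = """Apr 23 11:58:25 openvpn[16214]: WARNING: file '/var/etc/openvpn_client0.secret' is group or others accessible
Apr 23 11:58:25 openvpn[16214]: /sbin/ifconfig tun0 172.17.0.2 172.17.0.1 mtu 1500 netmask 255.255.255.255 up"""

PERM_WARNING = re.compile(r"WARNING: file '([^']+)' is group or others accessible")
TUN_LINE = re.compile(r"ifconfig tun\d+ (\S+) (\S+) mtu")


def field(root, tag):
    """Text of the first <tag> anywhere under root (None if absent or empty)."""
    for el in root.iter(tag):
        return (el.text or "").strip() or None
    return None


def check_configs(server_xml, client_xml):
    """Compare the parameters a shared-key site-to-site pair must agree on."""
    s, c = ET.fromstring(server_xml), ET.fromstring(client_xml)
    findings = []
    pairs = [("protocol", field(s, "protocol"), field(c, "protocol")),
             ("port", field(s, "local_port"), field(c, "serverport")),
             ("auth_method", field(s, "auth_method"), field(c, "auth_method"))]
    for label, a, b in pairs:
        if a != b:
            findings.append(f"{label} mismatch: server={a} client={b}")
    # Server 'addresspool' and client 'interface_ip' are the same transfer net.
    pool = ipaddress.ip_network(field(s, "addresspool"), strict=False)
    tunnel = ipaddress.ip_network(field(c, "interface_ip"), strict=False)
    if pool != tunnel:
        findings.append(f"transfer net mismatch: server addresspool={pool} "
                        f"client interface_ip={tunnel}")
    # The transfer net must not collide with either side's real LAN.
    lans = [("server remote_network", field(s, "remote_network")),
            ("client remote_network", field(c, "remote_network"))]
    for lan_name, lan in lans:
        lan_net = ipaddress.ip_network(lan, strict=False)
        for tun_name, tun_net in (("addresspool", pool), ("interface_ip", tunnel)):
            if lan_net.overlaps(tun_net):
                findings.append(f"{tun_name} {tun_net} overlaps {lan_name} {lan_net}")
    return findings


def permission_warnings(log_text):
    """Paths OpenVPN reported as readable by group/others."""
    return PERM_WARNING.findall(log_text)


def tun_endpoints(log_text):
    """(local, remote) tunnel addresses from the 'ifconfig tunN A B' line."""
    m = TUN_LINE.search(log_text)
    return (m.group(1), m.group(2)) if m else None


def check_logs(server_log, client_log):
    """Secret-file permission warnings plus a mirror check of the tunnel endpoints."""
    findings = [f"{side}: secret file {p} is readable by group/others"
                for side, log in (("server", server_log), ("client", client_log))
                for p in permission_warnings(log)]
    s, c = tun_endpoints(server_log), tun_endpoints(client_log)
    if not s or not c:
        findings.append("could not find an 'ifconfig tun' line in one of the logs")
    elif (s[0], s[1]) != (c[1], c[0]):
        findings.append(f"tunnel endpoints are not mirrored: server {s[0]}->{s[1]}, "
                        f"client {c[0]}->{c[1]}")
    return findings


if __name__ == "__main__":
    for f in check_configs(SERVER_XML, CLIENT_XML) + check_logs(SERVER_LOG, CLIENT_LOG):
        print("FINDING:", f)
```

Run against the thread's values it reports the transfer net mismatch, the client tunnel net overlapping the server's remote network (the client used its own office LAN as the tunnel net), the non-mirrored `tun0` endpoints, and both secret files being group/world readable. Changing the client's `interface_ip` to 192.168.30.0/24 clears the configuration findings.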



  • Yes, I saw this today.

    I edited the configuration today and made a mistake.
    I moved it to the previous configuration but I still had the same problem.

    I redid the VPN config from scratch, I reconfigured the rule and I found a bug in my config (one device used a gateway that wasn't in use anymore).

    I managed to get it working. So it was a silly mistake of me.

    Thank you anyway for the help.

