Josh Stompro | 1 Mar 2006 23:06

LEX Light system

I have had luck getting my Lex box to work with 
1.0-BETA1-TESTING-SNAPSHOT-2-19-06/pfSense.iso.gz.  I booted with an ide 
cdrom drive.

While installing to a hard drive the installer stopped with several 
errors having to do with fdisk and the number of cylinders.  I can 
provide the install log if this isn't a known problem. I just skipped 
the errors and was able to install just fine.

I was able to upgrade to 
http://www.pfsense.com/~sullrich/1.0-BETA1-TESTING-SNAPSHOT-2-20-06/pfSense-Full-Update-TESTING-SNAPSHOT-02-20-06.tgz
via the firmware upgrade method.

Everything appears ok so far. 

Josh
Scott Ullrich | 1 Mar 2006 23:08

Re: LEX Light system

Yes, please email me /tmp/installer.log to sullrich@...

Thanks!


Derrick MacPherson | 2 Mar 2006 02:15

version to run?

I am running the 1.0BETA downloaded off an FTP site a few weeks back,
where can I find a newer version?
Derrick MacPherson | 2 Mar 2006 02:44

Re: version to run?

Sorry, I just found a snapshot dated 2-20-06. thanks.

Bennett | 2 Mar 2006 08:20

Site-to-site IPSec

I'm trying to connect a main office with a branch office (two Windows 2003 networks with pfSense firewalls) via IPSec VPN.  However, the VPN is only partially successful.

WORKS ACROSS VPN:
1)  Ping (30-100ms)
2)  Browse shares by IP
3)  Browse web servers by IP or computer name
4)  WINS replication

DOESN'T WORK:
1)  Remote desktop gets a response from the remote computer and opens a blank window, but never makes it to the login screen and eventually disconnects citing a possible network failure (note that if there was no initial response, Remote Desktop would say it couldn't connect to the remote computer and not open the window)
2)  Exchange 2003 servers on either end of the VPN can't see each other
3)  Browse shares by computer name

What's really got me puzzled is the remote desktop, which is going to be one of the VPN's primary uses.  I can VPN from my home pfSense box to either site and remote desktop from my house to the site works just fine.  I can't see any difference between the VPN setups.  I've checked all the WAN and subnets and IPSec settings a dozen times.  The SADs all match up and SPDs look correct.  All the pfSense boxes are running pfSense dated Feb. 28, 2006 on identical hardware.  So, if remote desktop over VPN works from my house on identical hardware, and it works site-to-site enough to get an initial handshake, why doesn't it fully work site-to-site?  (I'm not looking to turn this into a remote desktop discussion--I'm just using it to troubleshoot my pfSense VPN.)

Any ideas what's wrong or how to troubleshoot this?  Am I missing something?  I'll be happy to provide specific settings if you ask for them--just didn't want to dump superfluous configuration data here.

--Bennett
Tommaso Di Donato | 2 Mar 2006 08:38

Problem with ipsec tunnel

Hi guys!
Yesterday I tried to set up a VPN tunnel between me and a friend. We had mainly 2 problems: first, we both have dynamic IPs (but this could be solved, for example, by looking at the IP given by the provider and setting up the tunnel with that IP). Second, we are both behind a DSL router, so the pfSense boxes are both NATed.
I tried to establish a tunnel in many ways: net-to-net, net-to-mobile (following the marvellous tutorial), using a DynDNS record, etc. But I had problems: the IPsec SA establishes, the SPD also, but in the end I cannot get traffic passing. No traffic dropped in the firewall logs. On the routers, we redirected only port 500/UDP from the router to the pfSense boxes.
So, my questions are:
1) Is it possible to establish such a tunnel (2 NATed endpoints, in aggressive mode, PSK)? In early IPsec-over-UDP implementations, I can remember there were some problems in such a configuration.
2) If it is possible, do I have to redirect other ports? In the Linux IPsec implementation, when I use NAT-T I had to rdr port 4500/UDP, but on my pfSense box I cannot see such a port open.
3) ...and in the end, am I missing something? I do not have my box with me now, but I can recall the settings very well.


I'm using 02-20 SNAPSHOT.
Thank you, guys.. very much.
Tom

Tommaso Di Donato | 2 Mar 2006 08:41

Re: Site-to-site IPSec



On 3/2/06, Bennett <pfSense <at> bennettandgina.com> wrote:

DOESN'T WORK:
1)  Remote desktop gets a response from the remote computer and opens a blank window, but never makes it to the login screen and eventually disconnects citing a possible network failure (note that if there was no initial response, Remote Desktop would say it couldn't connect to the remote computer and not open the window)

In my personal experience with Linux, this was due to TCP MSS clamping and path-MTU discovery. Try to specify a fixed MTU. But I have to say that I'm not a pf guru...

2)  Exchange 2003 servers on either end of the VPN can't see each other
3)  Browse shares by computer name

I think they are related..
Hope it helps
Tom

John Cianfarani | 2 Mar 2006 08:54

RE: Problem with ipsec tunnel

1. Even though you need to NAT for your inside hosts, IPsec is listening on the WAN interface.

2. Not sure, but my guess would be no (without a lot of easy configuration changes).

One thing that was reversed in previous builds (not sure if it is changed in 2-20) is the "Prefer old IPSec Sa" checkbox under System -> Advanced.  Bill found that in the code pfSense already tries old SAs first, so when you check this box it will make it prefer NEW SAs.  That was the heart of a lot of my IPsec troubles.

Do you have the WAN as the local endpoint and LAN Subnet as the local subnet on each side? I believe there is still an issue with ipsec-tools if you are trying to do a host-to-host setup (/32s).

What are you using as your local identifier, IP or FQDN?

Once you get a session up, can you do a "ping -c 5 -S <your pfsense lan ip> <remote pfsense lan ip>" from the Diag -> Command Prompt tab?

 

Thanks

John


John Cianfarani | 2 Mar 2006 08:56

RE: Site-to-site IPSec

Tom might be on the right track here. You can also try to ping across the link, making the packet size larger and larger with (-l size) and with the do-not-fragment bit set (-f).

 

Thanks

John

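The ping-with-DF test John suggests, and the MSS clamping Tom points at, come down to one number: the largest packet that crosses the tunnel unfragmented. The script below is an added example, not code from the list or from pfSense; it automates that search with a binary search over packet sizes instead of stepping `-l` up by hand, and derives the TCP MSS value to clamp to. It assumes the standard ping flags for each OS (Windows `-f -l`, FreeBSD `-D -s`, Linux `-M do -s`), and that the `-l`/`-s` argument is the ICMP payload, so 28 bytes of IP and ICMP header are added to get the on-the-wire packet size. The 1418-byte path MTU used in the offline run is a constructed sample value.

```python
"""Path-MTU probe with the do-not-fragment bit, plus the TCP MSS to clamp to.

Added example (not from the pfSense list thread). Finds the largest
DF-marked packet that crosses a link, the procedure described with
`ping -f -l size`, by binary search, then reports the MSS that fits.
"""
import subprocess
import sys
from typing import Callable

IP_HEADER = 20      # IPv4 header without options
ICMP_HEADER = 8     # ICMP echo header
TCP_HEADER = 20     # TCP header without options


def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> int:
    """Return the largest IP packet size in [lo, hi] for which probe() succeeds.

    probe(total_len) must send one DF-marked packet of total_len bytes
    (IP header included) and return True if a reply came back.
    Assumes a monotone path: if size N passes, every smaller size passes.
    """
    if not probe(lo):
        raise RuntimeError(f"even {lo}-byte packets do not pass with DF set")
    best = lo
    lo += 1
    while lo <= hi:
        mid = (lo + hi) // 2
        if probe(mid):
            best, lo = mid, mid + 1
        else:
            hi = mid - 1
    return best


def mss_for_mtu(path_mtu: int) -> int:
    """TCP MSS that fits the discovered path MTU (IPv4, no IP/TCP options)."""
    return path_mtu - IP_HEADER - TCP_HEADER


def ping_probe(host: str, platform: str = sys.platform) -> Callable[[int], bool]:
    """Build a probe that runs the OS ping with DF set and the requested size.

    Windows:  ping -n 1 -f -l <payload>      (payload = ICMP data bytes)
    FreeBSD:  ping -c 1 -D -s <payload>
    Linux:    ping -c 1 -M do -s <payload>
    A non-zero exit status (no reply, or "needs fragmentation") counts as a failure.
    """
    def probe(total_len: int) -> bool:
        payload = total_len - IP_HEADER - ICMP_HEADER
        if platform.startswith("win"):
            cmd = ["ping", "-n", "1", "-w", "2000", "-f", "-l", str(payload), host]
        elif platform.startswith("freebsd"):
            cmd = ["ping", "-c", "1", "-W", "2000", "-D", "-s", str(payload), host]
        else:
            cmd = ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(payload), host]
        return subprocess.run(cmd, capture_output=True).returncode == 0
    return probe


def simulated_probe(path_mtu: int) -> Callable[[int], bool]:
    """Offline stand-in for ping_probe: a packet passes iff it fits the given MTU."""
    return lambda total_len: total_len <= path_mtu


if __name__ == "__main__":
    if len(sys.argv) > 1:
        probe = ping_probe(sys.argv[1])          # e.g. the remote pfSense LAN IP
    else:
        # Constructed sample: a tunnel that leaves 1418 bytes for the inner packet
        probe = simulated_probe(1418)
    mtu = find_path_mtu(probe)
    print(f"path MTU {mtu} bytes -> clamp TCP MSS to {mss_for_mtu(mtu)}")
```

Run it with the remote LAN address as the only argument from a host on one side of the tunnel; with no argument it runs against the simulated path. If the reported MTU is well under 1500, a session that opens but then stalls on larger segments (the Remote Desktop symptom above) is consistent with an MTU problem, and the printed MSS is the value to clamp to on the firewall.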
Tommaso Di Donato | 2 Mar 2006 09:25

Re: Problem with ipsec tunnel



On 3/2/06, John Cianfarani <jcianfarani-bJEeYj9oJeDQT0dZR+AlfA@public.gmane.org> wrote:

1. Even though you need to NAT for your inside hosts IPSec is listening on the WAN
interface.


I'm sorry... I cannot understand the point..

PC -------- pfSense -------- Cisco 827 ----------internet

Here I have 2 NATs: pfSense is NATing my PC, and the Cisco is NATing pfSense. Of course, in pfSense I can see racoon listening on the WAN interface (only on 500/udp, not on 4500/udp).

2. Not sure but my guess would be no (without a lot of easy configuration changes)


You mean you guess there is no port 4500? 

One thing that was reversed in previous builds (not sure if it is changed in 2-20) is the "Prefer old IPSec Sa" checkbox under System -> Advanced.  Bill found that in the code pfSense already tries old SAs first, so when you check this box it will make it prefer NEW SAs.  That was the heart of a lot of my IPsec troubles.


mmh, I tried both  ways... no differences...

Do you have the WAN as the local endpoint and LAN Subnet as the Local subnet on each side? As I believe there still is an issue with ipsec-tools if you are trying to do host to host setup. (/32s)


Yes I have; I'm trying net-to-net. I'm so sorry I do not have my box  here in order to send logs...

What are you using as your local identified IP or FQDN?


I tried both. Obviously, changing  psk accordingly...

Once you get a session up, can you do a "ping -c 5 -S <your pfsense lan ip> <remote pfsense lan ip>" from the Diag -> Command Prompt tab?


Ok, I'll do it.. For now, I am testing pinging from a pc on the lan side.

I think this night I'll do some other test, using as second endpoint a linux box (i am more familiar with linux ipsec implementation).
Ah, by the way, when I see an SPD or an SA established, should something be visible with netstat -rn?
Thank you again...

Thanks

John
