Topic: pfSense to Endian OpenVPN Site-to-Site
shcc
« on: Sunday 31 August 2014, 07:38:37 am »

I'm trying to get EFW 2.5.1 or 3.0 to establish a site-to-site (Gw2Gw) OpenVPN tunnel to pfSense 2.1.5 with no success.

Does anyone have experience with this configuration? I've done a lot of Internet research and found there may be a Tun/Tap and/or PSK incompatibility between these two OpenVPN implementations.

Any help would be greatly appreciated. I can't make any major changes to the EFW OVPN server side as I have about a dozen Gw2Gw tunnels already established. So modifying the .tmpl files isn't advisable in my situation.

Thanks
shcc
« Reply #1 on: Wednesday 03 September 2014, 09:40:34 am »

Some more info - I think I'm close.

pfSense 2.1.5 to Endian Community 3.0, site to site.


Working so far:

pfSense 2.1.5 as a client to Endian 3.0 test bed. The pfSense box can ping clients on the Endian net but the Endian box can't do the reverse. Clients on either net can't ping across.

pfSense Config:
 - Client tab
    - Server Mode: Peer to Peer (SSL/TLS)
    - Protocol: UDP
    - Device Mode: Tun
    - Interface: WAN
    - Local port: "blank"
    - Server host: "public IP"
    - Server port: 1194
    - No proxy stuff
    - Server host name res: unchecked
    - Desc: pfSense as client to Endian
   
 - Crypto Settings
    - TLS Auth: unchecked
    - Peer Cert Authority: CA cert from Endian
    - Client Cert: Cert for an Endian user created for site-to-site
    - Encryption alg: BF-CBC (128), what Endian expects
    - H/W Crypto: none

 - Tunnel Settings:
    - IPv4 Tunnel net: 10.0.8.0/24
    - IPv6: none
    - Limit bandwidth: none
    - Compression: LZO; found Endian was using this in /etc/openvpn/openvpn.1.conf
    - Type-of-Service: unchecked

 - Advanced
    - auth-user-pass /cf/conf/client2-auth.txt (file with user/pass matching the client cert)
    - link-mtu 1574 (gleaned from pfSense OVPN log)

 - Firewall Rules
    - WAN: 1194 allowed inbound
    - OpenVPN: Wide open. * * * * *


Endian Config:

- Server settings:
    - Auth type: PSK (user/pass)
    - Cert config: Use selected (the self-signed default one)
    - CA: Same as above. The one export for CA for pfSense.
    - Dev type: TUN
    - Protocol: UDP
    - Port: 1194
    - VPN Subnet: 10.0.8.0/24
    - Advanced options: none

- Added on Endian in a shell:
    route add -net "IP segment for pfSense net" netmask 255.255.255.0 tun0


Can ping from the pfSense box in a shell all clients on the Endian net.
Can't ping any Endian net from pfSense net clients.
Can't ping from Endian box or Endian net anything on the pfSense net.

Tried to establish a reverse tunnel using an additional OVPN server on pfSense and an Endian GW2GW client with absolutely no luck in even getting the tunnel to come up after hours of trying different config scenarios.

So, I think I'm close. Suggestions?
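The asymmetry described above (the server side cannot reach the pfSense LAN even after a kernel route was added by hand) is the classic symptom of a missing iroute: in a TLS-mode OpenVPN server, a kernel `route` only sends packets into the tun device, while OpenVPN's internal routing table additionally needs an `iroute` in that client's client-config-dir entry to know which peer owns the remote subnet. The script below is an added example, not the poster's configuration and not pfSense or Endian code; the LAN subnets, server hostname and client CN are constructed placeholders, and only the 10.0.8.0/24 tunnel net, port, cipher and compression come from the post.

```python
import ipaddress


def site_to_site_config(server_lan, client_lan, tunnel_net, client_cn, server_host):
    """Build the directives a routed (tun, SSL/TLS) site-to-site needs on both ends.

    Returns {"server.conf": [...], "ccd": {client_cn: [...]}, "client.conf": [...]}.
    Raises ValueError if any of the three networks overlap (a common silent failure).
    """
    nets = [ipaddress.ip_network(n, strict=True) for n in (server_lan, client_lan, tunnel_net)]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"overlapping networks: {a} and {b}")
    srv_lan, cli_lan, tun = nets
    cli = f"{cli_lan.network_address} {cli_lan.netmask}"
    srv = f"{srv_lan.network_address} {srv_lan.netmask}"
    server = [
        "dev tun", "proto udp", "port 1194",
        f"server {tun.network_address} {tun.netmask}",
        f"route {cli}",            # kernel route on the server host into the tun device
        "client-config-dir ccd",   # per-client file below carries the matching iroute
        f'push "route {srv}"',     # tells the gateway client how to reach the server LAN
    ]
    # Internal OpenVPN route: without this line the server drops packets for cli_lan
    # even though the kernel route exists, which matches the one-way ping in the post.
    ccd = {client_cn: [f"iroute {cli}"]}
    client = [
        "client", "dev tun", "proto udp", f"remote {server_host} 1194",
        "cipher BF-CBC",   # legacy cipher the post says the Endian side expects
        "comp-lzo",
    ]
    return {"server.conf": server, "ccd": ccd, "client.conf": client}


def diagnose(server_lines, ccd_lines, client_lan):
    """Report which server-side piece for reaching client_lan is missing.

    A route added by hand in a shell (as in the post) counts only if you pass it
    in server_lines; the check is purely on the directive strings.
    """
    lan = ipaddress.ip_network(client_lan, strict=True)
    want = f"{lan.network_address} {lan.netmask}"
    problems = []
    if f"route {want}" not in server_lines:
        problems.append("missing-route")
    if f"iroute {want}" not in ccd_lines:
        problems.append("missing-iroute")
    return problems
```

Running `diagnose(["route 192.168.20.0 255.255.255.0"], [], "192.168.20.0/24")` reproduces the post's situation and returns `["missing-iroute"]`.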