next »

[Visseroth]

OK, so I'm trying to setup a tunnel between two PfSense boxes using OpenVPN because IPSec, well, I just won't go there. Anyhow so I used the guide on http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN#Certificates_on_pfSense and instead of setting up a xp machine to connect to the server I used the client option on the client PfSense box to connect to the server. I put the ca.crt, server.crt, server.key and DH key where it's supposed to be on the server and put the ca.crt, client.crt and client.key on the client box but it's erroring out and I'm hoping I can get some help here.

Here is the errors....


Server:
openvpn[19636]: 64.xxx.xxx.xxx:13058 TLS Error: TLS handshake failed
Oct 28 22:49:12    openvpn[19636]: 64.xxx.xxx.xxx:13058 TLS Error: TLS object -> incoming plaintext read error
Oct 28 22:49:12    openvpn[19636]: 64.xxx.xxx.xxx9:13058 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

Client:
Oct 28 22:49:10    openvpn[23853]: SIGUSR1[soft,ping-restart] received, process restarting
Oct 28 22:49:10    openvpn[23853]: [server] Inactivity timeout (--ping-restart), restarting
Oct 28 22:48:09    openvpn[23853]: UDPv4 link remote: 204.xxx.xxx.xxx:1194
Oct 28 22:48:09    openvpn[23853]: UDPv4 link local: [undef]
Oct 28 22:48:09    openvpn[23852]: LZO compression initialized
Oct 28 22:48:09    openvpn[23852]: WARNING: file '/var/etc/openvpn_client1.key' is group or others accessible
Oct 28 22:48:09    openvpn[23852]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Oct 28 22:48:09    openvpn[23852]: WARNING: using --pull/--client and --ifconfig together is probably not what you want
Oct 28 22:48:09    openvpn[23852]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Oct 28 22:48:09    openvpn[23852]: OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO] built on Sep 18 2009

Configuration is as such:
Protocol: UDP
DynamipIP (Ticked)
Address pool 192.168.5.0/24
Local Network 192.168.0.0/24
Client-to-client VPN (Ticked)
Cryptography BY-CBC (128-bit)
Authentication method PKI (Public Key Infrastructure)
DHCP-Opt.: Disable NetBIOS (Ticked)
LZO compression (Ticked)

Server IP is 192.168.0.0
OpenVPN DHCP is 192.168.5.0
Client IP is 10.0.0.0

Help? What am I doing wrong here?

[GruensFroeschli]

Oct 28 22:49:12    openvpn[19636]: 64.xxx.xxx.xxx9:13058 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

Did you generate for the client it's own key/certificate?
Did you per mistake give the wrong certificate to the client?
Does the client have the ca certificate?

[Visseroth]

OK, so I double checked to make sure that I have the right keys in the right place and it appears that I do. I re-pasted all the keys into place and I still get a failed handshake. The only key I question is the file generated that has nothing before the .crt. I assume this is the server certificate. Also when generating the keys I get what i believe to be an error stating that the batch file was unable to write random state.

Any ideas?

[GruensFroeschli]

Can you post the exact error?

Could you describe what you did when you created the certificates/keys?
Did you follow a tutorial?
(like this one: http://www.informit.com/articles/article.aspx?p=605499&seqNum=2 )

What do you mean with

The only key I question is the file generated that has nothing before the .crt

Do you mean the CA.crt?

There is a difference between the .crt and the .key files.

You generate:
1 x CA.crt at the very beginning.
Each and every client and server needs to have this.

1 x Server.crt; 1x Server.key (optional to create multiple of these if you want to run multiple servers, possible for failover/loadbalancing)
Only the server has these two files.

n x client_n.crt; n x client_n.key
Only the respective client has these files.

[Visseroth]

Thank you for that link. It sure did simplify things a bit.

I did figure out what my problem was, well part of it anyhow and now I'm one step closer to making this work. Thanks guys...... Se here's what happen........

The scripts were setup for a x86 environment not a x64 environment so when OpenVPN installed it installed to the (x86) folder so I copied it to the programs folder and wam it started writing the random states. So I generated the keys as per the instructions, copied the keys to the server and client and they are handshaking. Problem now is that I am getting the error

Oct 30 04:12:24    php: : Sipproxd is installed but not started. Not installing redirect rules.
Oct 30 04:12:23    check_reload_status: reloading filter
Oct 30 04:12:16    php: : Sipproxd is installed but not started. Not installing redirect rules.
Oct 30 04:12:14    routed[841]: setsockopt(IP_ADD_MEMBERSHIP RIP): Invalid argument
Oct 30 04:12:14    routed[841]: setsockopt(IP_ADD_MEMBERSHIP RIP): Invalid argument

on both the server and client and I have a rule on the lan set for * 192.168.5.0/24 * * * *

Do I need a OpenVPN rule on the WAN?

Also, I am able to ping from the server to the client side (only to the client box, not the network) but not from the client to server side

[GruensFroeschli]

Do i understand you right, that you want to have a site-to-site connection?
In this case i would drop the whole PKI and set up a PSK.

This sticky thread has more information about that (And the further linked threads):
http://forum.pfsense.org/index.php/topic,12888.0.html

[Visseroth]

When I try and ping another device on the client side from the server side I get the following.................

PING 10.0.0.200 (10.0.0.200) from 192.168.0.1: 56 data bytes
92 bytes from core-antoine.air-pipe.com (208.81.157.73): Destination Host Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 77ee   0 0000  3a  01 3d4a 192.168.0.1  10.0.0.200

[Visseroth]

ahh, ok, well thank you for that link, as I am dead tired atm and have to be up in about 4 or 5 hours I'm going to hit the sack atm but will get on that thread asap, thanks!

[Visseroth]

OK, so I have the connections established between the server and the client via OpenVPN. There are no errors in the system or vpn logs but I am unable to get traffic through from one network to the other.

Any suggestions?

Trying to go from and to (Server) 192.168.0.0 <-> (VPN Tunnel) 192.168.5.0 <-> (Client) 10.0.0.0

[GruensFroeschli]

Do you have a PSK or PKI now?
Did you add any route/pushes to the config?
Are the routes on both sides to get to the other side known?

[afvadmin]

try enabling netbios should work is that a client to client vpn if so i dont think you actually need that option at the moment

[Visseroth]

Well unfortunately it's not working. I can ping from the server to the client router but not the client network. I can not ping at all from the client to the server network.

[GruensFroeschli]

Do you have a PSK or PKI now?
Did you add any route/pushes to the config?
Are the routes on both sides to get to the other side known?

?

Assumption:
You use a PSK. You didn't add any routes. The client of your remote network is the default gateway for this subnet.

-->
You need to add on the server side to the custom config field: "route subnetID_of_clientnet netmask" (ie. route 192.168.0.0 255.255.255.0)
This adds on the server dynamically a static route for the remote subnet when the tunnel comes up.
You also need a similar entry on the client router. "route subnetID_of_servernet netmask".
To add dynamically the static route pointing to the server subnet.

[Visseroth]

I tried it with "route 10.0.0.0 255.255.255.0" on the server and "route 192.168.0.0 255.255.255.0" on the client but the logs state that there was an error setting up the routes and they exitted with a signal 1.

I also tried "route 10.0.0.0/24" and "route 192.168.0.0/24" and nothing came up in the logs regarding errors but still they will not route traffic. I can't get traffic in either direction.

[GruensFroeschli]

What error?
(Post it)