Messages - bel574

General Questions / Re: pfSense Gold & AutoConfigBackup
« on: February 06, 2018, 03:59:04 pm »
I think only Netgate could answer that definitively for you.

I'm guessing you didn't bother to keep a local backup of the configs?

Thanks for the answer. Believe it or not, I have the local backup for the live host and don't have one for the dead one. Plus, if I had it I would simply restore the config from the local backup.

There is a catch-22 regarding the idea of contacting Netgate. To contact them I need to open a ticket. To open a ticket I need at least a "professional" level of subscription, which I don't have.

They say: "To initiate chat, you must first register your pfSense Gold Subscription. Once activated, you will be able to log into the Support Portal and you will see the online chat option." But the "chat option" is not even an option for the "professional" subscription; it starts from "enterprise" only. And finally: "If you elected not to get a paid support plan you may take advantage of various our community support resources:" - this is how I ended up at the forum.

General Questions / pfSense Gold & AutoConfigBackup
« on: February 06, 2018, 02:51:38 pm »

I would appreciate your advice on the following matter:

a) I was a pfSense Gold subscriber in 2017-2018 and was backing up 2 pfSense hosts;

b) the subscription expired 2 weeks ago, and after that one of those pfSense hosts died;

c) I ordered a new SG-3100 which will be here in several days; it comes with a one-year subscription to pfSense Gold;

My question is what I should do in order to be able to restore the config previously saved on the remote backup pfSense server to my new SG-3100. I can renew the expired subscription right now and it will cover up to 10 hosts. But will I be able to get access to the previously saved backups after several weeks of inactivity? If not, then I would rather not renew the subscription, because the configuration has not changed for the last year - at all.
On the other hand, I am getting a new SG-3100, pfSense Gold (which covers another 10 hosts) included. If I renew the subscription right away then it will be overkill, since it will allow me to back up up to 20 hosts while I don't need it.


IPsec / Re: StowngSwan ipsec and Screwsoft VPN panic
« on: January 22, 2017, 11:49:41 pm »
For those who still have problems with the Shrew VPN client and pfSense Mobile Client: to make it work, try the following settings in the Shrew client:

a) General -> Auto Configuration -> ike config pull

b) Phase 2 (this is what gives you the grief, or at least what is being discussed in this topic) -> esp-aes / 256 / md5 / pfs - group 2 (can be any if set properly on both ends)

and everything should work.

If it does not, run Shrew VPN Trace (a utility that comes with the Shrew VPN), change the debug log verbosity, and you will get a log. Examine both logs (Shrew's and pfSense's IPsec log) and things should be more or less clear; you will see what is wrong.

It's beyond me why, when I set up a site-to-site tunnel in Shrew, I can easily do that with manual configuration and the phase 2 settings mentioned in multiple pfSense tutorials: esp-aes / 256 / sha 1. But for the mobile client pfSense requires esp-aes / 256 / md5 - that is utterly strange.

Over the last 2 days I read a lot of posts on this forum and in other places regarding Shrew VPN related problems. I guess it speaks volumes. Anyway, I am glad that eventually I made it work.

IPsec / Re: StowngSwan ipsec and Screwsoft VPN panic
« on: January 22, 2017, 03:42:36 am »
I must ask if this StrongSwan really works at all? I have never had this many huge problems with ipsec in my life as with StrongSwan ipsec in pfSense.

Fully working ScrewSoft VPN connection totally stopped working after upgrade from 2.2 RELEASE to 2.2.1 RELEASE!

Now getting error:
Mar 20 10:19:26 charon: 11[ENC] generating INFORMATIONAL_V1 request 3506100324 [ HASH N(INVAL_ID) ]
Mar 20 10:19:26 charon: 11[IKE] no matching CHILD_SA config found
Mar 20 10:19:26 charon: 11[IKE] <con5|161> no matching CHILD_SA config found

Has it ever been solved? I decided to switch from the Zywall USG 50 to pfSense (2.3.2-RELEASE-p1) and so far was very impressed with it. There are some rough edges, but at the moment I am mostly concerned with the non-working VPN. The Shrew client worked (and still works) great for 3 years with the USG 50 (a very reliable and decent device with only one drawback - 60/70 Mbps throughput). I quickly configured pfSense and have already spent several hours just banging my head on the table - I am getting the same error quoted above.

What hurts the most is that at the same time, using the same set of settings (except for a different FQDN), the USG 50 continues to work with this particular remote PC running the Shrew client. At this point I begin to wonder if the implementation of IPsec in pfSense is mature enough to be used in a small business environment (unfortunately, that alone would be enough to stop using pfSense).

What would you say?

