Netgate Discussion Forum
Can't access one site remotely over VPN

IPsec
• Bigsease30

Hello All, I am new to the forum but not necessarily to pfSense. I have recently run into a weird situation that I need some professional help in finding the problem and fixing. I will post my connection info and then the problem below.

CONNECTION: Sites ALPHA, BRAVO and CHARLIE.
(All three sites have identical hardware and settings)
ALPHA - 192.168.1.0/24
BRAVO - 192.168.2.0/24
CHARLIE - 192.168.3.0/24

Phase 1
Key Exchange version  |  V1
Internet Protocol  |  IPv4
Remote gateway  |  xxx.xxx.xxx.xxx
Authentication method  |  Mutual PSK
Negotiation mode  |  Aggressive
My identifier  |  KeyID tag
Peer identifier  |  KeyID tag
Pre-Shared Key  |  XXxxXXxxXXxx
Encryption algorithm  |  3DES
Hash algorithm  |  SHA1
DH key group  |  2 (1024 bit)
Lifetime  |  28800
NAT Traversal  |  Force

Phase 2
Mode  |  Tunnel IPv4
Local Network  |  LAN Subnet
Remote Network  |  Network  |  Address: 192.168.X.0/24
Protocol  |  ESP
Encryption algorithms  |  AES 128 bits
Hash algorithms  |  SHA1
PFS key group  |  2 (1024 bit)
Lifetime  |  3600

PROBLEM: I have three sites connected via IPsec. I can ping and RDP into servers in all three networks from each VPN separately. Sites ALPHA and BRAVO can remotely access the pfSense web GUI at all locations. Site CHARLIE can ONLY access its local GUI and not the other two locations. How can I adjust this so that site CHARLIE can access the web GUI of both sites ALPHA and BRAVO as well?

I find it weird that I built one location from the ground up and cloned the other two locations from the initial build. Site CHARLIE was the second one that I built. I can access all computers on the other subnets but just not the pfSense routers.

• Bigsease30

Anyone have any ideas?

• Bigsease30

Anyone out there?

• laped

Sounds like some routing/firewall issue.

Why do you use 3DES? Don't you want some kind of security?

3DES - weak
SHA1 - weak
DH 1024 - weak

• Bigsease30

I changed it to 3DES to see if the encryption was the issue.

• joselebert

Hi Bigsease, I don't think the encryption settings are your problem here.

I think it comes down to routing or firewalling, as laped said.

What works for me? I usually log in via SSH to the pfSense box and use tcpdump to check if the traffic shows up on the related interfaces.

The simplest way is: tcpdump -i [em0, em1 or em2…] -nn host [the IP address of your PC, or the server you want to access]
It could be something like:
tcpdump -i em0 -nn host 192.168.3.25
Also, you could narrow it down to a combination of host and port:
tcpdump -i em0 -nn host 192.168.3.25 and port 443

For security reasons, I would recommend that you encrypt using AES256 and hash using SHA256. Every decent Core i5 and the newest Core i3 processors include the AES-NI instruction set to accelerate processing.

I hope that helps you!

• joegeorge

I assume your firewall isn't blocking this? Does a packet capture show the incoming connection?

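Building on the tcpdump method joselebert describes and joegeorge's question about whether the capture shows the incoming connection, here is an added example (not from any post in this thread) that reads tcpdump -nn output and reports, per client/target/port, whether the SYN arrived and whether a SYN-ACK went back; the capture lines, the enc0-style "(authentic,confidential): SPI" prefix and all addresses and ports are constructed for the example.

```python
import re

# Constructed sample of "tcpdump -nn" output, not a real capture. It imitates
# what the pfSense box at site ALPHA might show on its IPsec interface (enc0 on
# FreeBSD/pfSense) while a PC at CHARLIE (192.168.3.25) opens the web GUI
# (192.168.1.1:443) and RDPs to a server (192.168.1.20:3389), and a PC at
# BRAVO (192.168.2.50) opens the same GUI. Only the GUI attempt from CHARLIE
# gets no SYN-ACK.
SAMPLE_CAPTURE = """\
10:01:02.000100 (authentic,confidential): SPI 0x0a1b2c3d: IP 192.168.3.25.50112 > 192.168.1.1.443: Flags [S], seq 10, win 64240, length 0
10:01:02.000400 (authentic,confidential): SPI 0x0a1b2c3d: IP 192.168.3.25.50113 > 192.168.1.20.3389: Flags [S], seq 20, win 64240, length 0
10:01:02.000900 (authentic,confidential): SPI 0x1f2e3d4c: IP 192.168.1.20.3389 > 192.168.3.25.50113: Flags [S.], seq 30, ack 21, win 65535, length 0
10:01:03.000200 (authentic,confidential): SPI 0x0a1b2c3d: IP 192.168.3.25.50112 > 192.168.1.1.443: Flags [S], seq 10, win 64240, length 0
10:01:04.000300 (authentic,confidential): SPI 0x5a6b7c8d: IP 192.168.2.50.41000 > 192.168.1.1.443: Flags [S], seq 40, win 64240, length 0
10:01:04.000600 (authentic,confidential): SPI 0x9e8f7a6b: IP 192.168.1.1.443 > 192.168.2.50.41000: Flags [S.], seq 50, ack 41, win 65535, length 0
"""

# One TCP line of tcpdump -nn output: "IP src.sport > dst.dport: Flags [..]".
# The regex searches anywhere in the line, so an interface-specific prefix
# (such as the enc0 SPI prefix above) does not matter.
TCP_LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")

def parse_tcp(capture):
    """Yield (src, sport, dst, dport, flags) for every TCP line in the capture."""
    for line in capture.splitlines():
        m = TCP_LINE.search(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            yield src, int(sport), dst, int(dport), flags

def diagnose(capture, client, target, port):
    """Classify the client's attempts to reach target:port as
    'no_request' (no SYN arrived here: look at routing/phase 2 on the sending side),
    'unanswered' (SYN arrived, no SYN-ACK: filtered or nothing listening here), or
    'answered' (handshake visible in both directions)."""
    requests, replies = set(), set()
    for src, sport, dst, dport, flags in parse_tcp(capture):
        if flags == "S" and src == client and dst == target and dport == port:
            requests.add(sport)
        elif flags == "S." and src == target and sport == port and dst == client:
            replies.add(dport)
    if not requests:
        return "no_request"
    return "answered" if requests & replies else "unanswered"

def summarize(capture):
    """Return {(client, target, port): status} for every SYN seen in the capture."""
    flows = {(src, dst, dport) for src, _, dst, dport, f in parse_tcp(capture) if f == "S"}
    return {flow: diagnose(capture, *flow) for flow in sorted(flows)}

if __name__ == "__main__":
    for (client, target, port), status in summarize(SAMPLE_CAPTURE).items():
        print(f"{client} -> {target}:{port}: {status}")
```

An "unanswered" result for the GUI means the request did cross the tunnel and reached the firewall, so the tunnel itself is not the problem; the remaining places to look are the rules applied to traffic entering on the IPsec interface and which addresses the web GUI listens on.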
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.