[Solved] Can't access pfSense HTTPS over IPsec



  • We have this really strange problem.
    We worked with 3 senior IT employees on this problem and we can't find the solution.

    We have an IPsec connection between 2 sites.
    We can ping the internal LAN IP of the pfSense from both sides.
    But from site 1 we are unable to open HTTPS sites on site 2 on the LAN IP.
    From site 2 to site 1 this isn't a problem.
    We changed the firewalls on both sides for pfSense; still the same problem.
    The strange thing is we can't connect to the pfSense LAN over HTTPS, and a Linux web server is giving the same problem; what is even more strange is that we can access a Windows IIS web server over the same VPN.

    We tried changing IP ranges and rebuilding the firewalls on both sides. We even connected a third site over VPN. This site has no problem whatsoever.

    Hope you can help us out.
    We are planning to restart the switches at site 1 to see if that solves the problem.



  • Is it only the pfSense HTTP/HTTPS service which is broken?

    Can you confirm by calling other URLs from different sites?

    I had the same problem, which was solved by enabling MSS clamping on VPN traffic.



  • @julianbros:

    Is it only the pfSense HTTP/HTTPS service which is broken?

    Can you confirm by calling other URLs from different sites?

    I had the same problem, which was solved by enabling MSS clamping on VPN traffic.

    Thank you for that answer, I will try it next Monday.
    I sort of fixed it by changing the MTU value of the NIC.
    We needed to set up a remote Veeam backup and access the ESX over IPsec.
    This wasn't possible, only after lowering the MTU value.
    It was both on HTTP and HTTPS, 80/443.
    Site 1 has fiber 100/100 and site 2 has 250/250.
    It just stopped working; maybe the ISP changed something.

    This is not a really nice fix and I will try the MSS clamping; maybe this will fix it for the whole network.



  • @julianbros:

    Is it only the pfSense HTTP/HTTPS service which is broken?

    Can you confirm by calling other URLs from different sites?

    I had the same problem, which was solved by enabling MSS clamping on VPN traffic.

    MSS clamping has solved it for the complete network, thank you!
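The symptom in this thread (small pings cross the tunnel, large HTTPS segments do not) is a path-MTU black hole, and both fixes, lowering the NIC MTU and MSS clamping, work by keeping segments below the tunnel's real MTU. The following diagnostic is an added example, not code from the thread or from pfSense: it binary-searches the largest DF-flagged ping that crosses the tunnel and derives the MSS value to clamp to. It assumes Linux iputils `ping` (`-M do` sets the DF bit); the host argument is a placeholder for the remote side's LAN IP.

```shell
#!/bin/sh
# Added example (not from the thread): measure the path MTU across the IPsec tunnel
# and turn it into an MSS clamp value. Assumes Linux iputils ping.

# probe HOST PAYLOAD: one echo request with DF set and PAYLOAD data bytes;
# succeeds only if the reply comes back (a black-holed size simply times out).
probe() {
    ping -M do -c 1 -W 2 -s "$2" "$1" >/dev/null 2>&1
}

# find_path_mtu HOST: binary-search the largest payload that passes and print the
# resulting MTU (payload + 8-byte ICMP header + 20-byte IPv4 header).
find_path_mtu() {
    host=$1
    lo=56    # largest payload known to pass (checked below)
    hi=1473  # smallest payload known to fail: 1473 + 28 > 1500, so it cannot pass an Ethernet link
    if ! probe "$host" "$lo"; then
        echo "no reply for a $lo-byte DF ping: path down or ICMP blocked" >&2
        return 1
    fi
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if probe "$host" "$mid"; then
            lo=$mid   # this size crossed the tunnel, search upward
        else
            hi=$mid   # this size was dropped, search downward
        fi
    done
    echo $((lo + 28))
}

# mss_for_mtu MTU: the TCP MSS that fits this MTU, i.e. MTU minus the 20-byte
# IPv4 header and 20-byte TCP header (no TCP options).
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Usage: REMOTE_LAN_IP is a placeholder for the pfSense LAN address on the far site.
# mtu=$(find_path_mtu REMOTE_LAN_IP) && echo "path MTU $mtu, clamp MSS to $(mss_for_mtu "$mtu")"
```

If the measured MTU is well below the NIC's 1500, that is the black hole the thread describes; the printed MSS is the value to use for the "MSS clamping on VPN traffic" setting.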