[Solved] Can't access pfsense https over IPSec
-
We got this really strange problem.
We worked with 3 senior IT employees on this problem and we can't find the solution.
We got an IPSec connection between 2 sites.
We can ping from both sides the internal lan ip of the pfsense.
But from site 1 we are unable to open https sites on site 2 on the lan ip.
From site 2 to site 1 this isn't a problem.
We changed the firewalls on both sides for pfsense, still the same problem.
Strange thing is we can't connect to the pfsense lan over https and also a Linux web server is giving the same problem. What is even more strange is that we can access a Windows IIS webserver over the same vpn.
We tried changing ip ranges and rebuilding the firewalls on both sides. We even connected a third site over vpn. This site has no problem whatsoever.
Hope you can help us out.
We are planning to restart the switches at site 1 to see if that solves the problem.
-
Is it only the PfSense http/https service which is broken?
Can you confirm by calling other urls from different sites?
I had the same problem which was solved by enabling MSS clamping on VPN traffic.
-
Thank you for that answer, I will try it next Monday.
I sort of fixed it by changing the mtu value of the nic.
We needed to setup a remote veeam back-up and access the esx over ipsec.
This only became possible after lowering the mtu value.
It was both on http and https 80/443
Site 1 has fiber 100/100 and site 2 has 250/250.
It just stopped working, maybe the isp changed something.
This is not a really nice fix and I will try the MSS clamping, maybe this will fix it for the whole network.
-
MSS clamping has solved it for the complete network, thank you!