IPSec can't access webGUI



  • Hello everyone

    I have a little problem. I set up IPSec from home to my warehouse. I use an any-to-any rule on the IPSec interface for now, but I still have problems here. I accessed one of my Windows servers via Remote Desktop on the warehouse side and I opened my home pfSense webGUI.

    1. When I went to my warehouse I didn't have access to my home, nor was I able to access it like I did from home, through the RD server back to my home pfSense webGUI. Well, I can live with that.
    2. Now I am at home and I can access everything except the pfSense webGUI on my warehouse side.

    Any idea what I am doing wrong here?

    Thank you


  • Netgate

    Are you accessing the pfSense GUI using an address that is interesting to IPsec (Contained in a phase 2)?

    Please use complete inside IP addresses. Nobody but you knows what "warehouse" and "home" are. Thanks.



  • Sorry

    This is my phase 2 at home:

    tunnel LAN 192.168.10.0/24 ESP AES256-GCM (auto) SHA256
    tunnel LAN 192.168.40.0/24 ESP AES256-GCM (auto) SHA256
    tunnel LAN 192.168.50.0/24 ESP AES256-GCM (auto) SHA256

    My network at home is 192.168.1.0/24.

    @Derelict:

    Are you accessing the pfSense GUI using an address that is interesting to IPsec (Contained in a phase 2)?

    Please use complete inside IP addresses. Nobody but you knows what "warehouse" and "home" are. Thanks.


  • Netgate

    Great. What IP address are you sourcing from, and what IP address is the destination?



  • I am currently on 192.168.1.254 and I am trying to reach 192.168.10.1.

    I can ping it, and I can also SSH to it, but I can't access the webGUI like I did before. All the changes I've made on 192.168.10.1 are the time server and a pass rule for a network alias of all my networks to the LAN address on the NTP port, so they can use those NTP servers: "0.pfsense.pool.ntp.org" -> "0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org"

    Still, my IPSec rule is any to any.



  • I solved that problem: I just used SSH with option 15 to restore it back to the recent configuration, but I still can't access my home from here.

    I am currently on the 192.168.10.0/24 network and I am trying to access my home 192.168.1.0/24 network.

    Here is my phase 2 on my warehouse side:

    tunnel LAN     192.168.1.0/24 ESP AES256-GCM (auto) SHA256
    tunnel WIFINET 192.168.1.0/24 ESP AES256-GCM (auto) SHA256
    tunnel ANET    192.168.1.0/24 ESP AES256-GCM (auto) SHA256
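
The question Netgate asked earlier (is the source/destination pair "interesting", i.e. contained in a phase 2 on both sides?) can be checked mechanically against the two phase 2 listings posted above. The following Python checker is an added example, not something from this thread or from pfSense; it assumes the warehouse interfaces WIFINET and ANET are 192.168.40.0/24 and 192.168.50.0/24 (only LAN = 192.168.10.0/24 is confirmed by the thread), and the WAN address it tests with is a constructed RFC 5737 documentation address.

```python
import ipaddress

# Phase 2 selectors as (local subnet, remote subnet), taken from the two listings in
# the thread. Warehouse WIFINET/ANET subnets are ASSUMED to mirror the home side.
HOME_P2 = [
    ("192.168.1.0/24", "192.168.10.0/24"),
    ("192.168.1.0/24", "192.168.40.0/24"),
    ("192.168.1.0/24", "192.168.50.0/24"),
]
WAREHOUSE_P2 = [
    ("192.168.10.0/24", "192.168.1.0/24"),   # LAN (confirmed)
    ("192.168.40.0/24", "192.168.1.0/24"),   # WIFINET (assumed subnet)
    ("192.168.50.0/24", "192.168.1.0/24"),   # ANET (assumed subnet)
]

def matching_p2(p2_list, src, dst):
    """Return the first (local, remote) pair whose local subnet contains src and whose
    remote subnet contains dst, i.e. traffic that is 'interesting' to IPsec."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in p2_list:
        if s in ipaddress.ip_network(local) and d in ipaddress.ip_network(remote):
            return (local, remote)
    return None

def tunnel_check(src, dst, sender_p2, receiver_p2):
    """A packet enters the tunnel only if the sending side has a matching P2, and the
    reply comes back only if the receiving side has the mirror image (local/remote swapped)."""
    out = matching_p2(sender_p2, src, dst)
    back = matching_p2(receiver_p2, dst, src)
    if out is None:
        return "not interesting on sending side: leaves via default route, not the tunnel"
    if back is None:
        return f"sending side selects {out}, but receiving side has no mirror P2 for the reply"
    return f"ok: {out} <-> {back}"

def mirror_gaps(a_p2, b_p2):
    """Phase 2 pairs on side A that have no swapped counterpart on side B (a one-way tunnel symptom)."""
    b_swapped = {(r, l) for l, r in b_p2}
    return [p for p in a_p2 if p not in b_swapped]

if __name__ == "__main__":
    # The direction the poster says works: home laptop -> warehouse firewall LAN address.
    print(tunnel_check("192.168.1.254", "192.168.10.1", HOME_P2, WAREHOUSE_P2))
    # A ping sourced from the warehouse firewall's own WAN address (constructed value)
    # matches no selector, so it never enters the tunnel regardless of firewall rules.
    print(tunnel_check("198.51.100.7", "192.168.1.1", WAREHOUSE_P2, HOME_P2))
    print(mirror_gaps(HOME_P2, WAREHOUSE_P2))
```

With the assumed subnets the two sides mirror each other exactly, so the checker reports no selector gap; it does show that anything sourced from an address outside the listed subnets (such as the firewall's WAN address) is not tunnel traffic at all.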


  • Netgate

    Make sure the stuff at home will accept connections from foreign subnets. Check things like the Windows firewall there.



  • I have no problem SSH tunneling to any of my devices at home, but the IPSec feels like a one-way tunnel.

    When I am at home I can access anything on my warehouse, but when I am here I can't access anything at home. Both sides have any-to-any rules; both sides have a rule on WAN to open IPSec port 500 from an alias (I created an alias because I will add more locations later).
    I have some simple rules on my firewall, just basic ones like DNS, ICMP, HTTP and HTTPS ports to have basic internet access for now.

    Any idea what I can do to fix that?


  • Netgate

    Yes. Check the Windows firewall on the devices at your home.



  • The strange thing is that when I Remote Desktop from home to one of my Windows servers here at the warehouse and from there open my firewall GUI, it works, but when I am here and Remote Desktop to the same server and try to open the firewall GUI at home, it does not work. I am using the same laptop on both sides. OK, if any of my servers there have, as you said, some firewall settings preventing me from accessing the subnets here at the warehouse side, what about the pfSense? How can I diagnose whether the packets are even going through pfSense?

    Thank you


  • Netgate

    Diagnostics > Packet Capture

    Diagnostics > States



  • Hello

    I have AirVPN installed on my home pfSense box on the LAN interface 192.168.1.0/24, but I am not sure if any of those settings could be the reason for my problem. I don't know what most of those rules are for; I just followed the guide so I could get it up and running. I probably shouldn't have set this up on the LAN; I should have used the OPT interface for that, but I am still learning, so it won't take much more time to learn how to do it right.

    Here is the guide I had from AirVPN:

    https://airvpn.org/topic/17444-how-to-set-up-pfsense-23-for-airvpn/

    Can you see that rule REJECT_LOCAL?

    Step 6-J: Seventh AirVPN_LAN Firewall Rule

    I believe this rule may somehow be preventing me from accessing my home from the warehouse side.

    Thank you


  • Netgate

    No, because any policy routing or default gateway settings will not impact connections coming into the firewall over the VPN.

    Did you check the firewall on the host you are trying to connect to?



  • Yes, I have a few Ubuntu servers there and they don't have any firewall enabled, and I still cannot connect through IPSec. I have Comcast WiFi near me; I connected and tried to SSH tunnel to all of my hosts at home and I had no problem doing that. When I get back on my network here and try to tunnel the same way, I can't. I can't even ping the pfSense at home from the pfSense at the warehouse side.

    Thank you



  • I think I found something.

    WAN udp (HOME WAN IP):500 -> (WAREHOUSE WAN IP):500 MULTIPLE:MULTIPLE 2.138 K / 2.138 K 237 KiB / 237 KiB

    This state is at home. Should I have a similar one at my warehouse location?



  • I just set up a third site and I can't access my warehouse side with any application that some of my equipment needs, like the PowerAlert software for Tripp Lite PDUs. When I use Firefox to access any of my PDUs there is no problem, but when I use PowerAlert to manage any of my PDUs, or Remote Desktop to access any of my warehouse Windows servers, I also can't make a connection. I disabled the Windows 10 firewall, my Bitdefender firewall and the Windows Server firewall to see if it was a firewall problem, but it wasn't. This time I have a state from the third location to the warehouse side and back. I attached the rules of both my sides. I have to fix that because my work depends on it.

    Thank you