Netgate Discussion Forum
    IPSec can't access webGUI

    • xlameee

      Hello everyone

      I have a little problem. I set up IPsec from home to my warehouse. I use an any-to-any rule on the IPsec interface for now, but I still have problems here. I accessed one of my Windows servers on the warehouse side via remote desktop and from there I opened my home pfSense webGUI.

      1. When I went to my warehouse I didn't have access to my home, nor was I able to access it the way I did from home (via the RD server back to my home pfSense webGUI). Well, I can live with that.
      2. Now I am at home and I can access everything but the pfSense webGUI on my warehouse side.

      Any idea what I am doing wrong here?

      Thank you

      • Derelict (LAYER 8, Netgate)

        Are you accessing the pfSense GUI using an address that is interesting to IPsec (Contained in a phase 2)?

        Please use complete inside IP addresses. Nobody but you knows what "warehouse" and "home" are. Thanks.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • xlameee

          Sorry.

          This is my phase 2 at home:

          tunnel LAN 192.168.10.0/24 ESP AES256-GCM (auto) SHA256
          tunnel LAN 192.168.40.0/24 ESP AES256-GCM (auto) SHA256
          tunnel LAN 192.168.50.0/24 ESP AES256-GCM (auto) SHA256

          My network at home is 192.168.1.0/24.

          @Derelict:

          Are you accessing the pfSense GUI using an address that is interesting to IPsec (Contained in a phase 2)?

          Please use complete inside IP addresses. Nobody but you knows what "warehouse" and "home" are. Thanks.

          • Derelict (LAYER 8, Netgate)

            Great. What IP address are you sourcing from, and what IP address is the destination?

            • xlameee

              I am currently on 192.168.1.254 and I am trying to reach 192.168.10.1.

              I can ping it and I can also SSH to it, but I can't access the webGUI as I did before. All the changes I've made on 192.168.10.1 are the time server and a pass rule from a network alias of all my networks to the LAN address on the NTP port, so they can use those NTP servers: "0.pfsense.pool.ntp.org" -> "0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org".

              My IPsec rule is still any to any.

              • xlameee

                I solved that problem; I just used SSH with option 15 to restore the recent configuration, but I still can't access my home from here.

                I am currently on the 192.168.10.0/24 network and I am trying to access my home 192.168.1.0/24 network.

                Here is my phase 2 on my warehouse side:

                tunnel LAN     192.168.1.0/24 ESP AES256-GCM (auto) SHA256
                tunnel WIFINET 192.168.1.0/24 ESP AES256-GCM (auto) SHA256
                tunnel ANET    192.168.1.0/24 ESP AES256-GCM (auto) SHA256

                • Derelict (LAYER 8, Netgate)
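The phase 2 entries quoted in the two posts above, checked the way Derelict's first question implies: is a given flow "interesting to IPsec" on the side it starts from, and does the far side carry the mirrored entry for the reply? This is an added example, not code from the thread or from pfSense; the mapping of WIFINET and ANET to 192.168.40.0/24 and 192.168.50.0/24 and the WAN address 203.0.113.10 are assumptions.

```python
import ipaddress

# Phase 2 entries as (local subnet, remote subnet), taken from the two posts.
# Warehouse side: LAN is stated to be 192.168.10.0/24; WIFINET and ANET are
# ASSUMED to be 192.168.40.0/24 and 192.168.50.0/24 (the remotes set at home).
HOME_P2 = [
    ("192.168.1.0/24", "192.168.10.0/24"),
    ("192.168.1.0/24", "192.168.40.0/24"),
    ("192.168.1.0/24", "192.168.50.0/24"),
]
WAREHOUSE_P2 = [
    ("192.168.10.0/24", "192.168.1.0/24"),  # LAN
    ("192.168.40.0/24", "192.168.1.0/24"),  # WIFINET (assumed subnet)
    ("192.168.50.0/24", "192.168.1.0/24"),  # ANET (assumed subnet)
]

def matching_p2(phase2, src, dst):
    """Return the (local, remote) entry whose selectors cover src -> dst, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in phase2:
        if s in ipaddress.ip_network(local) and d in ipaddress.ip_network(remote):
            return (local, remote)
    return None

def unmirrored(p2_a, p2_b):
    """Entries on either side that the other side does not mirror (local/remote swapped)."""
    set_a = set(p2_a)
    set_b_flipped = {(remote, local) for local, remote in p2_b}
    return sorted(set_a - set_b_flipped), sorted(set_b_flipped - set_a)

def flow_status(src, dst):
    """Classify src -> dst: "ok" when the near side has a phase 2 covering the
    flow and the far side the mirrored entry for the reply, else the reason."""
    for near, far, far_name in ((HOME_P2, WAREHOUSE_P2, "warehouse"),
                                (WAREHOUSE_P2, HOME_P2, "home")):
        if matching_p2(near, src, dst):
            if matching_p2(far, dst, src):
                return "ok"
            return f"no mirrored phase 2 on {far_name} side for {dst} -> {src}"
    return f"{src} -> {dst} is not interesting to IPsec on either side"

if __name__ == "__main__":
    print(flow_status("192.168.1.254", "192.168.10.1"))  # the flow asked about in the thread
    # A ping sourced from the warehouse WAN address (203.0.113.10, a constructed
    # TEST-NET value) matches no phase 2, so it never enters the tunnel.
    print(flow_status("203.0.113.10", "192.168.1.1"))
    print(unmirrored(HOME_P2, WAREHOUSE_P2))
```

The last case is why a ping between the two pfSense boxes themselves fails even with correct phase 2 entries unless it is sourced from an address inside a phase 2.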

                  Make sure the stuff at home will accept connections from foreign subnets. Check things like the Windows firewall there.

                  • xlameee

                    I have no problem SSH tunneling to any of my devices at home, but the IPsec feels like a one-way tunnel.

                    When I am at home I can access anything on my warehouse, but when I am here I can't access anything at home. Both sides are with any-to-any rules; both sides have a rule on WAN to open IPsec port 500 from an alias (I created an alias because I will add more locations later).
                    I have some simple rules on my firewall, just basic ones like DNS, ICMP, HTTP and HTTPS ports to have basic internet access for now.

                    Any idea what I can do to fix that?

                    • Derelict (LAYER 8, Netgate)

                      Yes. Check the Windows firewall on the devices at your home.

                      • xlameee

                        The strange thing is that when I remote desktop from home to one of my Windows servers here at the warehouse and from there open my firewall GUI, it is working, but when I am here and remote desktop to the same server and try to open the firewall GUI at home, it is not working. I am using the same laptop on both sides. OK, if any of my servers there have, as you said, some firewall settings preventing me from accessing the subnets here at the warehouse side, what about the pfSense? How can I diagnose whether the packets are even going through pfSense?

                        Thank you

                        • Derelict (LAYER 8, Netgate)

                          Diagnostics > Packet Capture

                          Diagnostics > States

                          • xlameee

                            Hello

                            I have AirVPN installed on my home pfSense box on the LAN interface 192.168.1.0/24, but I am not sure if any of those settings can be the reason for my problem. I don't know what most of those rules are for; I just followed the guide so I could get it up and running. I probably shouldn't have set this on the LAN, I should have used the OPT interface for that, but I am still learning, so it won't take much more time to learn how to do it right.

                            Here is the guide I had from AirVPN:

                            https://airvpn.org/topic/17444-how-to-set-up-pfsense-23-for-airvpn/

                            Can you see that rule REJECT_LOCAL?

                            Step 6-J: Seventh AirVPN_LAN Firewall Rule

                            I believe this rule may somehow be preventing me from accessing my home from the warehouse side.

                            Thank you

                            • Derelict (LAYER 8, Netgate)

                              No, because any policy routing or default gateway settings will not impact connections coming into the firewall over the VPN.

                              Did you check the firewall on the host you are trying to connect to?

                              • xlameee

                                Yes. I have a few Ubuntu servers there and they don't have any firewall enabled, and I still cannot connect through IPsec. I have a Comcast WiFi near me; I connected and tried to SSH tunnel to all of my hosts at home and I had no problem doing that. When I get back on my network here and try to tunnel the same way, I can't. I can't even ping the pfSense at home from the pfSense at the warehouse side.

                                Thank you

                                • xlameee

                                  I think I found something:

                                  WAN udp (HOME WAN IP):500 -> (WAREHOUSE WAN IP):500 MULTIPLE:MULTIPLE 2.138 K / 2.138 K 237 KiB / 237 KiB

                                  This state is at home. Should I have a similar one at my warehouse location?

                                  • xlameee

                                    I just set up a 3rd site and I can't access my warehouse side with some applications that my equipment needs, like the PowerAlert software for Tripp Lite PDUs. When I use Firefox to access any of my PDUs there is no problem, but when I use PowerAlert to manage any of my PDUs, or remote desktop to access any of my warehouse Windows servers, I also can't make a connection. I disabled the Windows 10 firewall, my Bitdefender firewall and the Windows Server firewall to see if it was a firewall problem, but it wasn't. This time I have a state from the 3rd location to the warehouse side and back. I attached the rules of both my sides. I have to fix that because my work depends on it.

                                    Thank you
