IPSEC connected, works in one direction?

  • My workplace has a branch office. I have pfSense 2.4.2 in both offices, IPSEC tunnel connected and works fine (main office to branch office, branch office to main).

    I've just setup pfsense 2.4.2 on a box at home. IPSEC tunnels from there to both offices. I can access both office lans from home, but can't access my home lan from either office.
    Settings on all 3 tunnels are the same, except WAN addresses and LAN networks are different.

    All 3 show as connected in status/ipsec (looking at pfSense in both offices and on my home pfSense).

    I don't see any obvious errors the system logs / ipsec.

    Any ideas?


  • LAYER 8 Netgate

    Probably firewalls on the local devices at home (think windows firewall)

  • I've just migrated from Snapgear firewalls in all 3 places to pfSense. All was working then; device firewall settings are unchanged. Pretty sure it's not device firewall settings. I can't even ping the pfSense box I have at home - at least not with its LAN IP, I can pin via WAN, have a rule to accept ping requests.
    Now I have one tunnel that's bi-directional (between the 2 offices) and 2 that are uni (home-office and home-branch).
    So… I think something's wrong on the one I have at home or something different I've done with the tunnels.Phase 2s look right (double checked network ranges being routed)
    I'm in residential FIOS at home, no static IP available, so dynamic DNS (dyn.com). The other 2 are on static IPs, and use their IPs as identifiers. The one at home uses a distinguished name.
    Maybe tonight I'll switch so all use static IPs (even though the home one's not really static) and see if that sorts it. If it does, I've done something wrong with the IPSEC-to-dynamic IP connections, even though status/ipsec shows them as connected, and I don't see any substantial difference in the logs between the tunnels.
    I've got perfect forward secrecy off in all cases, BTW.
    Any ideas of other things to try?

  • LAYER 8 Netgate

    I guess post some screen shots of a couple of the IPsec endpoint IPsec configs. P2s should be enough.

  • I snipped some screenshots.

    First, the tunnels on my home box

    main office

    branch office

    See anything obvious? Feel free to shame me mercilessly :-)

Log in to reply