Netgate Discussion Forum
    IPSEC connected, works in one direction?

Category: IPsec. 5 posts, 2 posters, 685 views.
bobkoure:

      My workplace has a branch office. I have pfSense 2.4.2 in both offices, IPSEC tunnel connected and works fine (main office to branch office, branch office to main).

I've just set up pfSense 2.4.2 on a box at home, with IPsec tunnels from there to both offices. I can access both office LANs from home, but can't access my home LAN from either office.
Settings on all 3 tunnels are the same, except that the WAN addresses and LAN networks are different.

      All 3 show as connected in status/ipsec (looking at pfSense in both offices and on my home pfSense).

I don't see any obvious errors in the system logs / IPsec.

      Any ideas?

      Thanks!

Derelict (Netgate):

        Probably firewalls on the local devices at home (think windows firewall)

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

bobkoure:

I've just migrated from SnapGear firewalls in all 3 places to pfSense. All was working then; device firewall settings are unchanged. Pretty sure it's not device firewall settings. I can't even ping the pfSense box I have at home - at least not with its LAN IP. I can ping via WAN; I have a rule to accept ping requests.
Now I have one tunnel that's bi-directional (between the 2 offices) and 2 that are uni-directional (home-office and home-branch).
So… I think something's wrong on the one I have at home, or something different I've done with the tunnels. Phase 2s look right (double-checked the network ranges being routed).
I'm on residential FiOS at home, no static IP available, so dynamic DNS (dyn.com). The other 2 are on static IPs and use their IPs as identifiers. The one at home uses a distinguished name.
Maybe tonight I'll switch so all use static IPs (even though the home one's not really static) and see if that sorts it. If it does, I've done something wrong with the IPsec-to-dynamic-IP connections, even though status/ipsec shows them as connected, and I don't see any substantial difference in the logs between the tunnels.
I've got perfect forward secrecy off in all cases, BTW.
Any ideas of other things to try?

Derelict (Netgate):

I guess post some screenshots of a couple of the IPsec endpoint configs. P2s should be enough.

bobkoure:

              I snipped some screenshots.

[screenshot: the tunnels on my home box]

[screenshot: main office]

[screenshot: branch office]

              See anything obvious? Feel free to shame me mercilessly :-)
