Netgate Discussion Forum

Remote pfSense to local pfSense through IPsec cannot access LDAP for authentication

  • gokallit (last edited Apr 5, 2020, 4:27 PM)

    I have a remote pfSense (Houston) connected to a local pfSense (Austin) using IPsec, and everything works wonderfully. The Houston office computers are joined to a Windows domain that is in Austin, and they authenticate through the IPsec tunnel to the Austin domain controller. This has been working for over a year now, and there are no servers in the Houston office, just a router.

    The staff in Houston need to use OpenVPN to connect to the Houston office, authenticate to the Austin domain controller, then RDP to their Houston computers from their homes.

    Problem: The "Active Directory Authentication Server" in the Houston pfSense router cannot seem to find the domain controller in Austin even though the local computers can. When I click "Select a Container" in the authentication containers section, it fails.

    Again, both offices can access each other without any issues through the IPsec tunnel.

    • jimp, Rebel Alliance Developer, Netgate (last edited Apr 6, 2020, 3:25 PM)

      If this is in IPsec tunnel mode, then you'll need a route set up like https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/accessing-firewall-services-over-ipsec-vpns.html to nudge the firewall to use the LAN as the source address when sending traffic through IPsec from the firewall itself.

      VTI mode IPsec would work much better, but the traffic would be sourced from the VTI interface address so you'd need to account for that in the firewall rules/other config on the remote end.

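The reason the LDAP probe from the Houston firewall behaves differently from the Houston workstations is a source-address problem: a packet the firewall generates itself is sourced from whatever interface the routing table picks (normally the WAN, via the default route), and a tunnel-mode Phase 2 only matches packets whose source and destination both fall inside its local/remote selectors. The following Python model is an added illustration for this thread, not pfSense code and not from either poster; every address, the route table and the function names (`lookup`, `source_for`, `tunneled`, `pin_remote_net_to_lan`, `diagnose`) are constructed for the example. It walks through the longest-prefix match before and after a static route that sends the Austin subnet out the LAN with the LAN address as the source.

```python
# Added illustration for this thread (not pfSense code, not from the posters):
# a toy routing-table model showing why traffic generated by the firewall
# itself can miss an IPsec tunnel-mode Phase 2, and how a static route pinned
# to the LAN changes the chosen source address. All addresses are constructed
# sample values (Houston LAN 192.168.20.0/24, Austin LAN 192.168.10.0/24).
import ipaddress
from dataclasses import dataclass
from typing import List

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: Net          # destination prefix
    iface: str           # egress interface
    src: IPv4            # address the firewall uses as source via this route


@dataclass(frozen=True)
class Phase2:
    local: Net           # local subnet of the IPsec Phase 2 (tunnel mode)
    remote: Net          # remote subnet of the IPsec Phase 2


def lookup(table: List[Route], dst: str) -> Route:
    """Longest-prefix match; the route is chosen before IPsec policy is consulted."""
    d = IPv4(dst)
    hits = [r for r in table if d in r.prefix]
    if not hits:
        raise LookupError(f"no route to {dst}")
    return max(hits, key=lambda r: r.prefix.prefixlen)


def source_for(table: List[Route], dst: str) -> str:
    """Source address the firewall picks for a packet it originates itself."""
    return str(lookup(table, dst).src)


def tunneled(p2: Phase2, src: str, dst: str) -> bool:
    """A tunnel-mode Phase 2 only catches packets whose src and dst both match its selectors."""
    return IPv4(src) in p2.local and IPv4(dst) in p2.remote


def pin_remote_net_to_lan(table: List[Route], remote: str, lan: Route) -> List[Route]:
    """Model of the static-route trick: route the remote subnet out the LAN so the
    LAN address becomes the source address for firewall-originated traffic."""
    return table + [Route(Net(remote), lan.iface, lan.src)]


# --- constructed sample topology for the Houston firewall ---
LAN = Route(Net("192.168.20.0/24"), "lan", IPv4("192.168.20.1"))
WAN = Route(Net("203.0.113.8/30"), "wan", IPv4("203.0.113.10"))
DEFAULT = Route(Net("0.0.0.0/0"), "wan", IPv4("203.0.113.10"))
BASE_TABLE = [LAN, WAN, DEFAULT]

P2 = Phase2(Net("192.168.20.0/24"), Net("192.168.10.0/24"))
AUSTIN_DC = "192.168.10.5"  # constructed address of the Austin domain controller


def diagnose(table: List[Route], p2: Phase2, dst: str) -> dict:
    """Report which source address would be used and whether the packet enters the tunnel."""
    src = source_for(table, dst)
    return {"src": src, "dst": dst, "tunneled": tunneled(p2, src, dst)}


if __name__ == "__main__":
    before = diagnose(BASE_TABLE, P2, AUSTIN_DC)
    fixed = pin_remote_net_to_lan(BASE_TABLE, "192.168.10.0/24", LAN)
    after = diagnose(fixed, P2, AUSTIN_DC)
    print("before:", before)   # src 203.0.113.10, tunneled False: the LDAP query never enters the tunnel
    print("after: ", after)    # src 192.168.20.1, tunneled True
    # Workstation traffic was never affected: its source is the client's own LAN address.
    print("client:", tunneled(P2, "192.168.20.50", AUSTIN_DC))
```

In the "before" state the LDAP query to the domain controller leaves with the WAN address as its source, so the Phase 2 selector never matches it and the authentication server lookup fails, while workstation traffic (sourced from a LAN address) is tunneled as expected. In pfSense the linked article achieves the "after" state by defining a gateway on the LAN interface that uses the LAN address itself and adding a static route for the remote subnet through that gateway; with VTI mode, as jimp notes, the source would instead be the VTI interface address and the remote end's rules need to allow it.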