Domain Controller Inaccessible and GPUpdate Unavailable through IPSec Tunnel
-
We have an IPSec tunnel working perfectly to ping our domain controller. We can attach to the network drives by UNC path or by IP address. I am not able to attach a computer to the domain or run a gpupdate from any of the tunnel connected machines. I have the primary DNS set to the IP address of the domain controller. I have also set the primary IP to be the gateway address (PFSense address) hoping that the routing through the firewall would solve the issue. No luck.
When trying to attach to the domain I get an error "An active domain controller could not be found," and gpupdate returns "Windows could not obtain the name of an active domain controller."
Any ideas on how to get this working?
-
There are two ways I'd approach this. The quicker way is to look for clues in the firewall log on both ends of the IPSec tunnel. If that doesn't yield anything, then go through the process, step by step, of what has to happen for a workstation to update group policies and try to determine where the break is.
For the first method, make sure pfSense is logging traffic handled by all firewall rules. You'll probably want to turn this off when done because it can get voluminous (unless you have a syslog server that stores them for you, in which case, log away). Also make sure you are logging on both pfSense boxes at either end of the tunnel.
Have the affected workstation run a gpupdate. After it fails, check the firewall log in pfSense at both ends of the tunnel. Look for traffic to or from the DC's IP address being blocked. The log can be found in Status -> System Logs -> Firewall. You can Ctrl+F search the page for the DC's IP address to find what you're looking for pretty quickly.
This will tell you if a firewall rule is blocking the traffic.
Now, failing that, you'll need to take a more in-depth look at the problem.
Without seeing your environment it's hard to say, but most AD-related problems can be traced to DNS resolution problems of some kind. One cause of that is firewall rules blocking traffic, which the first step should eliminate as an issue.
Try running nslookup <domain.com> from a command prompt on the affected workstation. If you do not get back your DC's IP address, then you have a DNS resolution issue. There are several causes of DNS issues. Check the affected workstation's DNS server addresses, and then make sure each of those DNS servers is answering DNS requests. Use nslookup <domain.com> <ip address of DNS server> to test each one. One problem I've seen is that if you have your DC as the primary DNS server and your ISP's public DNS server as a fallback, you can get into a situation where name resolution to internet sites works but resolution to internal hosts doesn't. If your primary DNS server (your DC in this case) is not answering DNS queries from your workstation, for whatever reason, then the ISP's DNS server might be queried instead; the ISP's server won't be able to resolve internal host names. This would break communication between your workstations and DCs through an IPSec tunnel. In this case you'd want to determine why the DC is not answering DNS requests. This can be a firewall issue in pfSense; it can also be a Windows Server Firewall issue on the DC.
This is a good starting point. Verify that DNS resolution works as expected and correct the issue if it doesn't.
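As an added example that is not part of the answer above, the following PowerShell script automates the per-server nslookup check it describes: it queries every DNS server configured on the workstation for the domain's A record, and additionally for the `_ldap._tcp.dc._msdcs` SRV record that the Windows DC locator uses, which goes one step beyond the answer. The domain name `corp.example.com` is a placeholder; the function and variable names are this example's own.

```powershell
# Added example (not from the original post): run from the affected
# workstation to see which configured DNS server can and cannot resolve
# the AD domain, the usual cause of "could not find an active domain controller".
function Test-DcDnsResolution {
    param(
        # Placeholder; replace with your AD DNS domain name.
        [string]$DomainName = 'corp.example.com'
    )

    # Every IPv4 DNS server configured on any interface, de-duplicated.
    $dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
        ForEach-Object { $_.ServerAddresses } |
        Sort-Object -Unique

    if (-not $dnsServers) {
        Write-Warning 'No IPv4 DNS servers are configured on this host.'
        return
    }

    foreach ($server in $dnsServers) {
        $result = [ordered]@{ DnsServer = $server; DomainA = $null; DcSrv = $null; Error = $null }
        try {
            # Equivalent of: nslookup <domain.com> <ip address of DNS server>
            $a = Resolve-DnsName -Name $DomainName -Type A -Server $server -DnsOnly -ErrorAction Stop
            $result.DomainA = ($a | Where-Object { $_.Type -eq 'A' }).IPAddress -join ', '

            # DC locator record: lists the DCs that domain join and gpupdate will try to contact.
            $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV `
                                   -Server $server -DnsOnly -ErrorAction Stop
            $result.DcSrv = ($srv | Where-Object { $_.Type -eq 'SRV' } |
                             ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
        } catch {
            # A public (ISP) resolver listed as fallback lands here for internal names;
            # a DC that lands here is not answering DNS at all (firewall on pfSense or the DC).
            $result.Error = $_.Exception.Message
        }
        [pscustomobject]$result
    }
}

# Prints one row per DNS server: a server with an Error and no DomainA/DcSrv
# is the one that cannot be relied on for AD name resolution.
Test-DcDnsResolution -DomainName 'corp.example.com' | Format-Table -AutoSize -Wrap
```

If the DC's own address resolves the records and a second (ISP) server shows an error, the workstation is at risk of the fallback behaviour the answer describes; if the DC's address itself shows an error, check the pfSense logs and the DC's Windows Firewall as suggested above.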