HTTPS over VPN



  • Hi

I have recently set up a pfSense firewall and all is going well except for one thing: I have an IPsec site-to-site VPN set up to a Cisco ASA, and most of that works great, other than when trying to access HTTPS sites it will just sit there and then time out. All other protocols/ports seem to be fine.

I can access HTTPS coming from the ASA side fine, and one thing I notice when trying to access HTTPS from the pfSense side is that I get a lot of ICMP requests on the outside interface of the ASA, but these just get denied as per the policy.

    Anyone have any idea what may cause this?


  • Rebel Alliance Developer Netgate

    Any kind of web proxy involved? Tried doing a packet capture on the IPsec interface (enc0) on pfSense from the console?

    Can you telnet to port 443 on an https server on the other end of the VPN and actually get a connection?

    If it just times out, then the most likely causes are:

    • Network policies on the other end are blocking the traffic
    • Somehow that specific traffic is not going over the tunnel
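The telnet check above only proves that a TCP connection opens; a browser that connects and then hangs has already got past that point and is stalling at or after the TLS handshake. The following Python probe, added here as an example and not code from the thread or from pfSense, separates the two stages so you can see which one times out. The helpers silent_listener and closed_port are assumptions for the self-test only (they need loopback); in practice you run probe_https against the real server across the tunnel.

```python
import socket
import ssl
import threading
import time


def probe_https(host, port=443, timeout=5.0, verify=False):
    """Connect with TCP, then run a TLS handshake, and report how far we got.

    Returns a dict with:
      stage   -> "tcp" (connect failed), "tls" (connected, handshake failed
                 or timed out) or "ok" (handshake completed)
      ok      -> True only when the handshake completed
      elapsed -> seconds spent before returning
      error   -> the exception text, empty on success
    verify=False skips certificate checks because the point here is to see
    whether bytes flow, not whether the certificate is trusted.
    """
    result = {"stage": "tcp", "ok": False, "elapsed": 0.0, "error": ""}
    t0 = time.monotonic()
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # refused, unreachable or connect timeout
        result.update(error=str(exc), elapsed=time.monotonic() - t0)
        return result
    result["stage"] = "tls"  # TCP is up: this is all telnet would tell you
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)  # does the handshake
        result.update(stage="ok", ok=True, version=tls.version())
        tls.close()
    except OSError as exc:  # ssl.SSLError and socket.timeout are both OSError
        result["error"] = str(exc) or type(exc).__name__
        sock.close()
    result["elapsed"] = time.monotonic() - t0
    return result


def silent_listener():
    """Self-test helper (assumption: loopback is available). Accepts TCP
    connections and never sends a byte, so TCP succeeds but TLS stalls,
    which is the symptom described in the thread. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    held = []  # keep accepted sockets open so the peer sees no FIN or RST

    def run():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            held.append(conn)

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def closed_port():
    """Self-test helper: a loopback port with nothing listening on it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Against the far end of the tunnel: probe_https("192.168.168.11", 443)
    print(probe_https("127.0.0.1", silent_listener(), timeout=2.0))
```

A result with stage "tls" and a timeout error is the browser symptom reproduced without a browser: the SYN/SYN-ACK went through the tunnel, the ClientHello was sent, and nothing came back in time. Run it on the pfSense side while capturing on enc0 to see whether the ClientHello leaves the tunnel and whether a reply ever arrives.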


  • Hi

Yes, this is the odd thing: I can telnet to it no problem. Even when I go there through a browser I get a certificate warning, but when I click continue it just sits there and eventually times out.

This happens with anything running HTTPS.



Here is a capture:

17:07:50.589265 IP 192.168.0.42.56481 > 192.168.168.11.https: Flags [S], seq 1935385710, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
    17:07:50.633828 IP 192.168.168.11.https > 192.168.0.42.56481: Flags [S.], seq 3796794724, ack 1935385711, win 5840, options [mss 1380,nop,nop,sackOK,nop,wscale 4], length 0
    17:07:50.633960 IP 192.168.0.42.56481 > 192.168.168.11.https: Flags [.], ack 1, win 16560, length 0
    17:07:50.634341 IP 192.168.0.42.56481 > 192.168.168.11.https: Flags [P.], ack 1, win 16560, length 104
    17:07:50.677833 IP 192.168.168.11.https > 192.168.0.42.56481: Flags [.], ack 105, win 365, length 0
    17:07:50.684452 IP 192.168.168.11.https > 192.168.0.42.56481: Flags [P.], ack 105, win 365, length 746
    17:07:50.684491 IP 192.168.168.11.https > 192.168.0.42.56481: Flags [.], ack 105, win 365, length 0
    17:07:50.686274 IP 192.168.0.42.56481 > 192.168.168.11.https: Flags [F.], seq 105, ack 747, win 16373, length 0
17:07:50.687405 IP 192.168.0.42.56482 > 192.168.168.11.https: Flags [S], seq 847394701, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
    17:07:50.733924 IP 192.168.168.11.https > 192.168.0.42.56481: Flags [F.], seq 747, ack 106, win 365, length 0
    17:07:50.734295 IP 192.168.0.42.56481 > 192.168.168.11.https: Flags [.], ack 748, win 16373, length 0
    17:07:50.752696 IP 192.168.168.11.https > 192.168.0.42.56482: Flags [S.], seq 4144920032, ack 847394702, win 5840, options [mss 1380,nop,nop,sackOK,nop,wscale 4], length 0
    17:07:50.752880 IP 192.168.0.42.56482 > 192.168.168.11.https: Flags [.], ack 1, win 16560, length 0
    17:07:50.753372 IP 192.168.0.42.56482 > 192.168.168.11.https: Flags [P.], ack 1, win 16560, length 104
    17:07:50.806086 IP 192.168.168.11.https > 192.168.0.42.56482: Flags [.], ack 105, win 365, length 0
    17:07:50.822726 IP 192.168.168.11.https > 192.168.0.42.56482: Flags [P.], ack 105, win 365, length 746
    17:07:50.823694 IP 192.168.0.42.56482 > 192.168.168.11.https: Flags [P.], ack 747, win 16373, length 205
    17:07:50.898619 IP 192.168.168.11.https > 192.168.0.42.56482: Flags [P.], ack 310, win 432, length 59
    17:07:50.908629 IP 192.168.0.42.56482 > 192.168.168.11.https: Flags [F.], seq 310, ack 806, win 16358, length 0
17:07:50.909168 IP 192.168.0.42.56483 > 192.168.168.11.https: Flags [S], seq 2027597812, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
    17:07:50.954397 IP 192.168.168.11.https > 192.168.0.42.56483: Flags [S.], seq 1164984320, ack 2027597813, win 5840, options [mss 1380,nop,nop,sackOK,nop,wscale 4], length 0
    17:07:50.954574 IP 192.168.0.42.56483 > 192.168.168.11.https: Flags [.], ack 1, win 16560, length 0
    17:07:50.954995 IP 192.168.0.42.56483 > 192.168.168.11.https: Flags [P.], ack 1, win 16560, length 104
    17:07:50.958442 IP 192.168.168.11.https > 192.168.0.42.56482: Flags [F.], seq 806, ack 311, win 432, length 0
    17:07:50.959049 IP 192.168.0.42.56482 > 192.168.168.11.https: Flags [.], ack 807, win 16358, length 0
    17:07:50.999845 IP 192.168.168.11.https > 192.168.0.42.56483: Flags [.], ack 105, win 365, length 0
    17:07:51.005214 IP 192.168.168.11.https > 192.168.0.42.56483: Flags [P.], ack 105, win 365, length 746
    17:07:51.006204 IP 192.168.0.42.56483 > 192.168.168.11.https: Flags [P.], ack 747, win 16373, length 205
    17:07:51.067828 IP 192.168.168.11.https > 192.168.0.42.56483: Flags [P.], ack 310, win 432, length 59
    17:07:51.073971 IP 192.168.0.42.56483 > 192.168.168.11.https: Flags [F.], seq 310, ack 806, win 16358, length 0
    17:07:51.116774 IP 192.168.168.11.https > 192.168.0.42.56483: Flags [F.], seq 806, ack 311, win 432, length 0
    17:07:51.117822 IP 192.168.0.42.56483 > 192.168.168.11.https: Flags [.], ack 807, win 16358, length 0

Anyone have any ideas?
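A small parser for the tcpdump output above, added here as an example and not code from the thread or from pfSense. It reconstructs each TCP connection and reports whether the three-way handshake completed, the MSS each side advertised in its SYN, the bytes carried in each direction, the largest segment seen, and who sent FIN. SAMPLE is the first two connections copied from the capture, with the SYN flag written the way tcpdump prints it ([S]); the function names parse_line, summarize_flows and describe are mine.

```python
import re

# First two connections from the capture posted above (copied, not generated).
SAMPLE = """\
17:07:50.589265 IP 192.168.0.42.56481 > 192.168.168.11.https: Flags [S], seq 1935385710, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
17:07:50.633828 IP 192.168.168.11.https > 192.168.0.42.56481: Flags [S.], seq 3796794724, ack 1935385711, win 5840, options [mss 1380,nop,nop,sackOK,nop,wscale 4], length 0
17:07:50.633960 IP 192.168.0.42.56481 > 192.168.168.11.https: Flags [.], ack 1, win 16560, length 0
17:07:50.634341 IP 192.168.0.42.56481 > 192.168.168.11.https: Flags [P.], ack 1, win 16560, length 104
17:07:50.677833 IP 192.168.168.11.https > 192.168.0.42.56481: Flags [.], ack 105, win 365, length 0
17:07:50.684452 IP 192.168.168.11.https > 192.168.0.42.56481: Flags [P.], ack 105, win 365, length 746
17:07:50.684491 IP 192.168.168.11.https > 192.168.0.42.56481: Flags [.], ack 105, win 365, length 0
17:07:50.686274 IP 192.168.0.42.56481 > 192.168.168.11.https: Flags [F.], seq 105, ack 747, win 16373, length 0
17:07:50.687405 IP 192.168.0.42.56482 > 192.168.168.11.https: Flags [S], seq 847394701, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
17:07:50.733924 IP 192.168.168.11.https > 192.168.0.42.56481: Flags [F.], seq 747, ack 106, win 365, length 0
17:07:50.734295 IP 192.168.0.42.56481 > 192.168.168.11.https: Flags [.], ack 748, win 16373, length 0
17:07:50.752696 IP 192.168.168.11.https > 192.168.0.42.56482: Flags [S.], seq 4144920032, ack 847394702, win 5840, options [mss 1380,nop,nop,sackOK,nop,wscale 4], length 0
17:07:50.752880 IP 192.168.0.42.56482 > 192.168.168.11.https: Flags [.], ack 1, win 16560, length 0
17:07:50.753372 IP 192.168.0.42.56482 > 192.168.168.11.https: Flags [P.], ack 1, win 16560, length 104
17:07:50.806086 IP 192.168.168.11.https > 192.168.0.42.56482: Flags [.], ack 105, win 365, length 0
17:07:50.822726 IP 192.168.168.11.https > 192.168.0.42.56482: Flags [P.], ack 105, win 365, length 746
17:07:50.823694 IP 192.168.0.42.56482 > 192.168.168.11.https: Flags [P.], ack 747, win 16373, length 205
17:07:50.898619 IP 192.168.168.11.https > 192.168.0.42.56482: Flags [P.], ack 310, win 432, length 59
17:07:50.908629 IP 192.168.0.42.56482 > 192.168.168.11.https: Flags [F.], seq 310, ack 806, win 16358, length 0
17:07:50.958442 IP 192.168.168.11.https > 192.168.0.42.56482: Flags [F.], seq 806, ack 311, win 432, length 0
17:07:50.959049 IP 192.168.0.42.56482 > 192.168.168.11.https: Flags [.], ack 807, win 16358, length 0
"""

# One tcpdump TCP line; ports may be numbers or names ("https"), seq may be
# printed as "seq 1:105" on data segments, options only appear on SYNs.
LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\w+) > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\w+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::\d+)?)?(?:, ack (?P<ack>\d+))?"
    r", win (?P<win>\d+)(?:, options \[(?P<opts>[^\]]*)\])?, length (?P<len>\d+)$"
)


def parse_line(line):
    """Parse one tcpdump TCP line into a dict, or None for anything else."""
    m = LINE.match(line.strip())
    if not m:
        return None
    p = m.groupdict()
    p["len"] = int(p["len"])
    mss = re.search(r"mss (\d+)", p["opts"] or "")
    p["mss"] = int(mss.group(1)) if mss else None
    return p


def summarize_flows(capture_text):
    """Group lines into connections; the sender of the bare SYN is the client."""
    flows = {}
    for line in capture_text.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        src, dst = f"{p['sip']}:{p['sport']}", f"{p['dip']}:{p['dport']}"
        if p["flags"] == "S":
            flows[(src, dst)] = {
                "client": src, "server": dst, "synack": False,
                "client_mss": p["mss"], "server_mss": None,
                "bytes_c2s": 0, "bytes_s2c": 0, "max_segment": 0,
                "fin_from": [], "rst": False,
            }
            continue
        key = (src, dst) if (src, dst) in flows else (dst, src)
        f = flows.get(key)
        if f is None:
            continue  # mid-stream packet for a connection whose SYN we never saw
        from_client = src == f["client"]
        if p["flags"] == "S.":
            f["synack"] = True
            f["server_mss"] = p["mss"]
        if "R" in p["flags"]:
            f["rst"] = True
        if "F" in p["flags"]:
            f["fin_from"].append("client" if from_client else "server")
        if p["len"]:
            f["bytes_c2s" if from_client else "bytes_s2c"] += p["len"]
            f["max_segment"] = max(f["max_segment"], p["len"])
    return list(flows.values())


def describe(f):
    """One-line human summary of a flow from summarize_flows()."""
    hs = "handshake complete" if f["synack"] else "no SYN/ACK seen"
    close = ", ".join(f["fin_from"]) or ("RST" if f["rst"] else "not closed")
    return (f"{f['client']} -> {f['server']}: {hs}; mss client={f['client_mss']} "
            f"server={f['server_mss']}; bytes c2s={f['bytes_c2s']} s2c={f['bytes_s2c']} "
            f"(largest segment {f['max_segment']}); FIN from: {close}")


if __name__ == "__main__":
    for flow in summarize_flows(SAMPLE):
        print(describe(flow))
```

On these lines both connections complete the handshake, carry 104 and 309 bytes out and 746 and 805 bytes back, and are closed by the client before the server; the client advertises MSS 1460 and the far end 1380, and no segment larger than 746 bytes appears. That is a short exchange that finished, not one that stalled, so to see the hang you want the capture of the request that actually times out, ideally taken on enc0 so it shows what is and is not leaving the tunnel.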



I had this issue; it ended up being with the actual certificate. I used Firefox and HTTPS worked fine. IE8 wouldn't allow me to download/install the certificate, while Firefox right away allowed me to add it.

After adding the certificate, my pages no longer partially loaded / went slow.



It seems I can access some HTTPS sites, but very, very slowly. The main thing I am trying to access is a vSphere cluster, but as the VPN is so slow it just times out.

I have tried a lot to get this working, but in the end I have just put the VPN on a £20 router for the minute, back to the ASA, and it now works fine!

