Accessing Web Gui over IPSEC

Gob · Aug 29, 2012, 4:17 PM

Hi

I've done this hundreds of times in the past without thinking about it but now my brain hurts.

I have just set up a couple of pfSense 2.0.1 boxes (on DELL R210 servers) for a customer.
We have an IPSEC tunnel between each of them and to us. The tunnels work fine and full communication between sites works OK. However, when I log into the pfSense WebGui on a remote site over the IPSEC tunnel, I get the logon page but after entering the username and password it reports 'Username or Password incorrect'.

I've checked the usual CAPs lock etc.
Tried different browsers and different computers.
Firewall rule is in place on the remote pfSense allowing traffic over IPSEC

Logging on to the same WebGui from a machine on the local LAN works perfectly.
These are clean installs with a basic configuration. There are no NAT or firewall rules added other than default LAN/WAN rules.

The only thing I can think of that might be different to the other hundreds of installs we have done is that this is the amd64 version of pfSense rather than the i386 version.

Any suggestions on a fix?

thanks
Gordon

Lee Sharp · Aug 30, 2012, 1:55 AM

Uncheck blocking private IPs and see if it gets better.

Gob · Aug 30, 2012, 9:20 AM

I've tried that but I'm afraid it still doesn't work.

jimp · Aug 30, 2012, 1:02 PM

Are you sure you're hitting the firewall you think you're hitting?

If you couldn't reach the GUI at all I might suspect that an IPsec issue might be at play, but if you hit the GUI and get a denied login, that makes me think you're actually getting directed to one of the other firewalls somehow. Have you tried logging into that firewall with the credentials for one of the others?

Also if it's pfSense all around, you may find that OpenVPN is more stable/easy to work with in the long run, but that wouldn't be related to this issue.

Gob · Aug 30, 2012, 1:46 PM

OK, I'm Dumb!
The remote site's lan subnet is 192.168.1.0/24 and I could access all devices on that network. Remote PF sense LAN is 192.168.1.1

Months ago, on my local pfSense I set up a test network for the client with the same subnet and assigned 192.168.1.1 to a spare nic on my pf sense. I then promptly forgot I had done that!
So I was actually trying to log into my own firewall.

Interesting though that 192.168.1.1 was hitting my firewall but all other requests to 192.168.1.0/24 go over the ipsec tunnel to the remote site, even though the subnet is configured on the local firewall.

Sorry for wasting your time guys.