Brand new way to be locked out :)



  • Hello,

    I wanted to share my find with you.
    I have found a way to be locked out of the web GUI and SSH that is not already listed here:
    https://doc.pfsense.org/index.php/Locked_out_of_the_WebGUI

    I was trying to make my VPN tunnel work and wanted to see if it would change anything to go to VPN: IPsec: Edit Phase 2 and change the mode from Tunnel IPv4 to Transport.
    I actually changed a lot of things :p
    I got disconnected from the web GUI and was unable to get back in or to open an SSH connection from the WAN.
    Flushing the firewall rules did nothing.
    Killing the racoon process did nothing either.
    As an IPsec (and BSD) noob, I managed to regain access with elinks on the LAN and selected "Disable this phase2 entry".

    If anyone has an idea of what I could have done on the CLI to regain access, I'm interested.


  • Rebel Alliance Developer Netgate

    If the Phase 1 was between the WAN IP of the firewall and the IP address you were coming from, then transport mode would have tried to encrypt all traffic between those two addresses, which sounds like what was happening.

    Had the tunnel connected, you may not have even noticed a problem.

    Not sure I'd consider that a scenario to go on the page, since it would work from any other public address.



  • @jimp:

    If the Phase 1 was between the WAN IP of the firewall and the IP address you were coming from

    Yes, good guess, I didn't think of it while trying to regain access.
    It might be a good idea to (at least) add a line somewhere about "changing IP address".
    It would also resolve "5 Locked Out by Too Many Failed Login Attempts".