Can't access one site remotely over VPN

  • Hello All, I am new to the forum but not necessarily to pfSense. I have recently run into a weird situation that I need some professional help in finding the problem and fixing. I will post my connection info and then the problem below.

    (All three sites have identical hardware and settings)
    ALPHA -
    BRAVO -

    Phase 1
    Key Exchange version  |  V1
    Internet Protocol  |  IPv4
    Remote gateway  |
    Authentication method  |  Mutual PSK
    Negotiation mode  |  Aggressive
    My identifier  -  KeyID tag
    Peer identifier  -  KeyID tag
    Pre-Shared Key  |  XXxxXXxxXXxx
    Encryption algorithm  |  3DES
    Hash algorithm  |  SHA1
    DH key group  |  2(1024 bit)
    Lifetime  |  28800
    NAT Traversal  |  Force

    Phase 2
    Mode  |  Tunnel IPv4
    Local Network  |  Lan Subnet
    Remote Network  |  Network    |  Address: 192.168.X.0/24
    Protocol  |  ESP
    Encryption algorithms  |  AES 128 bits
    Hash algorithms  |  SHA1
    PFS key group  |  2 (1024 bit)
    Lifetime  |  3600

    PROBLEM: I have three sites connected via IPSec. I can ping and RDP into Servers in all three networks from each VPN separately. Sites ALPHA and BRAVO can remotely access the pfSense web GUI on all locations. Site CHARLIE can ONLY access its local GUI and not the other two locations. How can I adjust this so that site CHARLIE can access the web GUI of both sites ALPHA and BRAVO as well?

    I find it weird that I built one location from the ground up and cloned the other two locations from the initial build. Site CHARLIE was the second one that I built. I can access all computers on the other subnets but just not the pfSense routers.

  • Sounds like some routing/firewall issue.

    Why do you use 3DES? Don't you want some kind of security?

    3DES - weak
    SHA1 - weak
    DH 1024 - weak

  • I changed it to 3DES to see if the encryption was the issue.

  • Hi Bigsease, I don't think encryption settings are your problem here.

    I think it comes to routing or firewalling as laped said.

    What works for me? I usually log in via SSH to the pfSense box and use tcpdump to check if the traffic shows up on the related interfaces.

    The simplest way is: tcpdump -i [em0, em1 or em2….] -nn host [the IP address of your PC, or server you want to access]
    It could be something like:
    tcpdump -i em0 -nn host
    Also, you could narrow it down to a combination host and port:
    tcpdump -i em0 -nn host and port 443

    For security reasons, I would recommend encrypting with AES256 and hashing with SHA256. Every decent Core i5 and the newest Core i3 processors include the AES-NI instruction set to accelerate processing.

    I hope that helps you!
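    The tcpdump check described above can be read off the capture by hand, but when the capture is long it helps to summarise it. The script below is an added example (not from this thread or from pfSense): it parses the one-line TCP summaries that `tcpdump -nn` prints, counts SYNs towards the web GUI port and the SYN-ACKs or RSTs coming back, and says whether the request never arrived (routing / phase 2 selectors), arrived but was dropped (firewall), or was answered. The addresses in the embedded sample capture are constructed.

```python
import re

# Matches the one-line TCP summary that "tcpdump -nn" prints (numeric hosts and
# ports), e.g. "12:00:01.000001 IP 192.168.1.10.51234 > 192.168.3.1.443: Flags [S], ..."
TCP_LINE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def handshake_report(lines, server_ip, port=443):
    """Summarise the TCP handshake towards server_ip:port seen in tcpdump output.

    Returns packet counts plus a plain-language verdict about where to look next
    (routing, firewall, or the listener itself)."""
    syn = synack = rst = 0
    clients = set()
    for line in lines:
        m = TCP_LINE.match(line.strip())
        if not m:
            continue  # ESP, ARP, ICMP and other non-TCP lines are ignored
        p = m.groupdict()
        to_server = p["dst"] == server_ip and p["dport"] == str(port)
        from_server = p["src"] == server_ip and p["sport"] == str(port)
        if to_server and p["flags"] == "S":          # client SYN
            syn += 1
            clients.add(p["src"])
        elif from_server and p["flags"] == "S.":     # server SYN-ACK
            synack += 1
        elif from_server and "R" in p["flags"]:      # server RST (refused)
            rst += 1
    if syn == 0:
        verdict = "no SYN reached this interface: check routing / IPsec phase 2 selectors"
    elif synack > 0:
        verdict = "handshake completes on this interface: the problem is elsewhere"
    elif rst > 0:
        verdict = "SYN answered with RST: nothing listening on the port, or connection refused"
    else:
        verdict = "SYN seen but never answered: check firewall rules on this interface"
    return {"syn": syn, "synack": synack, "rst": rst,
            "clients": sorted(clients), "verdict": verdict}

# Constructed sample capture (not from the thread): the SYN from a remote-site
# host reaches the firewall at 192.168.3.1, which pings back but never answers 443.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 192.168.1.10.51234 > 192.168.3.1.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 192.168.1.10.51234 > 192.168.3.1.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000003 IP 192.168.1.10 > 192.168.3.1: ICMP echo request, id 1, seq 1, length 64
12:00:01.000004 IP 192.168.3.1 > 192.168.1.10: ICMP echo reply, id 1, seq 1, length 64
""".splitlines()

if __name__ == "__main__":
    print(handshake_report(SAMPLE_CAPTURE, "192.168.3.1"))
```

    Feed it the saved output of the tcpdump command from the post (`tcpdump -i em0 -nn host <gui address> and port 443 > cap.txt`) and pass the lines to `handshake_report` with the GUI's LAN address.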

  • I assume your firewall isn't blocking this? Does a packet capture show the incoming connection?

