Topic: IPSEC connected, works in one direction?

bobkoure
IPSEC connected, works in one direction?
« on: January 17, 2018, 04:09:42 pm »
My workplace has a branch office. I have pfSense 2.4.2 in both offices, IPSEC tunnel connected and works fine (main office to branch office, branch office to main).

I've just set up pfSense 2.4.2 on a box at home. IPSEC tunnels from there to both offices. I can access both office LANs from home, but can't access my home LAN from either office.
Settings on all 3 tunnels are the same, except WAN addresses and LAN networks are different.

All 3 show as connected in status/ipsec (looking at pfSense in both offices and on my home pfSense).

I don't see any obvious errors in the system logs / IPsec.

Any ideas?

Thanks!


Derelict (Global Moderator)
Re: IPSEC connected, works in one direction?
« Reply #1 on: January 17, 2018, 04:30:32 pm »
Probably firewalls on the local devices at home (think Windows Firewall).
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESS™

bobkoure
Re: IPSEC connected, works in one direction?
« Reply #2 on: January 18, 2018, 10:46:11 am »
I've just migrated from Snapgear firewalls in all 3 places to pfSense. All was working then; device firewall settings are unchanged. Pretty sure it's not device firewall settings. I can't even ping the pfSense box I have at home, at least not with its LAN IP; I can ping it via WAN (I have a rule to accept ping requests).
Now I have one tunnel that's bi-directional (between the 2 offices) and 2 that are uni (home-office and home-branch).
So... I think something's wrong on the one I have at home, or something different I've done with the tunnels. Phase 2s look right (double-checked network ranges being routed).
I'm on residential FIOS at home, no static IP available, so dynamic DNS (dyn.com). The other 2 are on static IPs and use their IPs as identifiers. The one at home uses a distinguished name.
Maybe tonight I'll switch so all use static IPs (even though the home one's not really static) and see if that sorts it. If it does, I've done something wrong with the IPSEC-to-dynamic IP connections, even though status/ipsec shows them as connected, and I don't see any substantial difference in the logs between the tunnels.
I've got perfect forward secrecy off in all cases, BTW.
Any ideas of other things to try?
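An added diagnostic, not from the thread or any of its posters: "connected" in Status > IPsec only says the IKE and CHILD SAs are up; whether packets actually cross in each direction is shown by the per-SA byte counters, and a one-way tunnel typically shows bytes_i > 0 with bytes_o == 0 on the end that is not answering. The Python below parses strongSwan's `ipsec statusall` output (pfSense 2.4.x runs strongSwan; the status page shows the same in/out counters), classifies each CHILD_SA by direction, correlates the sending and receiving ends to say at which stage a request/reply exchange stops, and checks that configured Phase 2 networks on the two ends mirror each other (one side's local network must be the other side's remote network). The connection names, addresses, counters and the mistyped office-side network are all constructed for the example, and the hints attached to each stage are assumptions about where to look, not a diagnosis of this thread. One caveat that is pfSense fact rather than assumption: traffic arriving through a tunnel is filtered by the rules on Firewall > Rules > IPsec, which a fresh install leaves empty, so "decrypted here but no reply" points at that tab or at host firewalls on the LAN before anything in the tunnel settings.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed samples in the shape of strongSwan's `ipsec statusall` output
# (names, addresses and counters are made up for this example).
# Home end: con1000 is the tunnel to the main office, con2000 to the branch.
HOME_STATUS = """\
Security Associations (2 up, 0 connecting):
     con1000[3]: ESTABLISHED 25 minutes ago, 203.0.113.10[home.example.org]...198.51.100.20[198.51.100.20]
     con1000{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3c4_i d5e6f7a8_o
     con1000{1}:  AES_CBC_256/HMAC_SHA2_256_128, 4200 bytes_i (50 pkts, 2s ago), 0 bytes_o, rekeying in 42 minutes
     con1000{1}:   192.168.10.0/24 === 10.1.0.0/24
     con2000[4]: ESTABLISHED 24 minutes ago, 203.0.113.10[home.example.org]...198.51.100.30[198.51.100.30]
     con2000{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: 11223344_i 55667788_o
     con2000{2}:  AES_CBC_256/HMAC_SHA2_256_128, 2900 bytes_i (34 pkts, 5s ago), 3100 bytes_o (37 pkts, 5s ago), rekeying in 40 minutes
     con2000{2}:   192.168.10.0/24 === 10.2.0.0/24
"""
# Main-office end of the con1000 tunnel, read at the same moment: the office
# pushed 4200 bytes into the tunnel and got nothing back.
OFFICE_STATUS = """\
     con3000{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: d5e6f7a8_i c1a2b3c4_o
     con3000{1}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 4200 bytes_o (50 pkts, 2s ago), rekeying in 42 minutes
     con3000{1}:   10.1.0.0/24 === 192.168.10.0/24
"""


@dataclass
class ChildSA:
    name: str
    bytes_i: int = 0  # bytes decrypted on this end (received through the tunnel)
    bytes_o: int = 0  # bytes encrypted on this end (sent into the tunnel)
    local: Optional[ipaddress.IPv4Network] = None
    remote: Optional[ipaddress.IPv4Network] = None


CHILD_RE = re.compile(r"^\s*(?P<name>\S+\{\d+\}):\s+(?P<rest>.*)$")
COUNTER_RE = re.compile(r"(\d+) bytes_i.*?(\d+) bytes_o")
SELECTOR_RE = re.compile(r"^(?P<local>\S+) === (?P<remote>\S+)$")


def parse_statusall(text: str) -> List[ChildSA]:
    """Collect the CHILD_SA ("name{n}:") lines; IKE_SA ("name[n]:") lines are skipped."""
    sas = {}
    for line in text.splitlines():
        m = CHILD_RE.match(line)
        if not m:
            continue
        sa = sas.setdefault(m["name"], ChildSA(m["name"]))
        rest = m["rest"].strip()
        c = COUNTER_RE.search(rest)
        if c:
            sa.bytes_i, sa.bytes_o = int(c[1]), int(c[2])
            continue
        s = SELECTOR_RE.match(rest)
        if s:
            sa.local = ipaddress.ip_network(s["local"])
            sa.remote = ipaddress.ip_network(s["remote"])
    return list(sas.values())


def classify(sa: ChildSA) -> str:
    """Direction(s) that have carried traffic since this CHILD_SA was installed."""
    if sa.bytes_i and sa.bytes_o:
        return "both"
    if sa.bytes_i:
        return "inbound-only"
    if sa.bytes_o:
        return "outbound-only"
    return "idle"


def locate_break(sender: ChildSA, receiver: ChildSA) -> str:
    """Stage at which a request/reply exchange stops, given the SA on the end that
    sent the request and the matching SA on the far end. Hints are assumptions."""
    if not sender.bytes_o:
        return "not-sent"         # never entered the tunnel: route/Phase 2 selector on the sending end
    if not receiver.bytes_i:
        return "lost-in-transit"  # sent but never decrypted: path, NAT-T, WAN rules for ESP/500/4500, SPIs
    if not receiver.bytes_o:
        return "no-reply"         # decrypted at the far end, no reply: its IPsec-tab rules / host firewalls
    if not sender.bytes_i:
        return "reply-lost"       # reply was sent but never decrypted back at the sender
    return "ok"


def mirror_mismatches(a: List[Tuple[str, str]], b: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Configured Phase 2 (local, remote) pairs on side a that side b does not mirror.
    Uses the networks as typed into VPN > IPsec, not installed selectors, because
    IKEv2 may narrow the installed ones and hide a typo."""
    net = ipaddress.ip_network
    mirrored = {(net(r), net(l)) for l, r in b}
    return [(l, r) for l, r in a if (net(l), net(r)) not in mirrored]


if __name__ == "__main__":
    home = {sa.name: sa for sa in parse_statusall(HOME_STATUS)}
    office = parse_statusall(OFFICE_STATUS)[0]
    for sa in home.values():
        print(f"{sa.name} {sa.local} === {sa.remote}: {classify(sa)}")
    # The office pinged a home LAN host, so the office SA is the sender.
    print("office -> home:", locate_break(office, home["con1000{1}"]))
    # Constructed Phase 2 entries; the office-side remote network has a typo.
    print(mirror_mismatches([("192.168.10.0/24", "10.1.0.0/24")],
                            [("10.1.0.0/24", "192.168.1.0/24")]))
```

To use it on real boxes, feed `ipsec statusall` output from each end to parse_statusall, then pass the pair for one tunnel to locate_break with the end that generated the test traffic as the sender. Counters start from zero on every rekey, so send fresh traffic (a ping from a LAN host on each side) and read both ends within the same minute.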


Derelict (Global Moderator)
Re: IPSEC connected, works in one direction?
« Reply #3 on: January 18, 2018, 01:41:40 pm »
I guess post some screen shots of a couple of the IPsec endpoint IPsec configs. P2s should be enough.

bobkoure
Re: IPSEC connected, works in one direction?
« Reply #4 on: January 18, 2018, 05:50:34 pm »
I snipped some screenshots.

First, the tunnels on my home box: [screenshot]

Main office: [screenshot]

Branch office: [screenshot]

See anything obvious? Feel free to shame me mercilessly :-)