I have a site-to-site IPsec VPN set up and computers at head office can't access the router GUI at the remote site. The page starts to load including the title (EdgeOS) and gray gradient background but that's it.
- I can ping / SSH into the remote router
- I can access the remote router GUI over the internet outside of the VPN (if I open port 443 at the remote site)
- I can access a webserver at the remote site (a UniFi video server) using HTTPS just fine
Finally, I noticed the packets coming from the remote router to my head office machine were being dropped by the WAN_IN firewall on my head office router. They are hitting the default "drop invalid state" rule:
Sep 7 21:30:16 router kernel: [WAN_IN-8-D]IN=eth1 OUT=eth0 MAC=44:d9:e7:07:cb:6e:00:00:5e:00:01:72:08:00 src=192.168.2.1 DST=192.168.1.60 LEN=1438 TOS=0x00 PREC=0x00 TTL=63 ID=45153 DF PROTO=TCP SPT=443 DPT=59379 WINDOW=591 RES=0x00 ACK URGP=0
I tried rearranging my firewall rules so the rule accepting remote site traffic would catch these packets before the "drop invalid" rule. Then nothing comes up in the log (I have all the firewall drop rules including default logged right now) but the page still does not load.
Any ideas? I thought it might be an MTU issue but I tried setting mss-clamping to 1400 and then 1350 with no luck.
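Since the one hard piece of evidence in this thread is the kernel firewall log line, here is an added example (not from the original post or from Ubiquiti) that parses EdgeOS/iptables rule-prefix log lines and flags the three things worth checking on a dropped packet: DF set on a packet larger than the tunnel can carry, an RFC1918 source arriving on the WAN interface (what decrypted site-to-site traffic looks like on a policy-based tunnel), and a mid-stream ACK with no SYN, which is the signature of a connection-tracking miss. The first sample line is the one quoted above; the other two are constructed for contrast. The interface name `eth1` as WAN and `1400` as the tunnel MTU are assumptions, not values taken from the router.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: line 1 is the drop quoted in the post, lines 2 and 3 are made up
# (an RST from a TEST-NET address, and an accepted packet from the remote router).
SAMPLE_LOG = """\
Sep 7 21:30:16 router kernel: [WAN_IN-8-D]IN=eth1 OUT=eth0 MAC=44:d9:e7:07:cb:6e:00:00:5e:00:01:72:08:00 src=192.168.2.1 DST=192.168.1.60 LEN=1438 TOS=0x00 PREC=0x00 TTL=63 ID=45153 DF PROTO=TCP SPT=443 DPT=59379 WINDOW=591 RES=0x00 ACK URGP=0
Sep 7 21:30:17 router kernel: [WAN_IN-8-D]IN=eth1 OUT=eth0 MAC=44:d9:e7:07:cb:6e:00:00:5e:00:01:72:08:00 SRC=203.0.113.9 DST=192.168.1.60 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=443 DPT=40000 WINDOW=0 RES=0x00 RST URGP=0
Sep 7 21:30:18 router kernel: [WAN_IN-1-A]IN=eth1 OUT=eth0 MAC=44:d9:e7:07:cb:6e:00:00:5e:00:01:72:08:00 SRC=192.168.2.1 DST=192.168.1.60 LEN=120 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=443 DPT=59379 WINDOW=591 RES=0x00 ACK PSH URGP=0
"""

# EdgeOS log prefix "[RULESET-RULE-ACTION]" where ACTION is A (accept), D (drop) or R (reject).
PREFIX_RE = re.compile(r"\[(?P<ruleset>[A-Za-z0-9_-]+)-(?P<rule>\d+)-(?P<action>[ADR])\]")
KV_RE = re.compile(r"([A-Za-z]+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr falls in one of the RFC1918 private ranges."""
    return any(ip_address(addr) in net for net in RFC1918)


def parse_line(line):
    """Parse one kernel firewall log line into a dict, or None if it carries no rule prefix."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rest = line[m.end():]
    # Key=value fields; keys are upper-cased because the quoted line has "src=" in lower case.
    fields = {k.upper(): v for k, v in KV_RE.findall(rest)}
    # Bare tokens without "=" are flags: DF (don't fragment) plus the TCP flag names.
    bare = {tok for tok in rest.split() if "=" not in tok}
    return {
        "ruleset": m.group("ruleset"),
        "rule": int(m.group("rule")),
        "action": m.group("action"),
        "in_if": fields.get("IN", ""),
        "out_if": fields.get("OUT", ""),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "length": int(fields["LEN"]) if "LEN" in fields else None,
        "proto": fields.get("PROTO"),
        "sport": int(fields["SPT"]) if "SPT" in fields else None,
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
        "df": "DF" in bare,
        "tcp_flags": bare & TCP_FLAGS,
    }


def assess(rec, wan_if="eth1", tunnel_mtu=1400):
    """Return finding codes for a dropped packet; accepted/rejected packets yield none.

    wan_if and tunnel_mtu are assumptions for this example, not values from the post.
    """
    findings = []
    if rec["action"] != "D":
        return findings
    if rec["df"] and rec["length"] is not None and rec["length"] > tunnel_mtu:
        findings.append("DF_EXCEEDS_TUNNEL_MTU")      # PMTU / fragmentation candidate
    if rec["src"] and is_rfc1918(rec["src"]) and rec["in_if"] == wan_if:
        findings.append("PRIVATE_SRC_ON_WAN")         # decrypted tunnel traffic hitting WAN_IN
    if "ACK" in rec["tcp_flags"] and "SYN" not in rec["tcp_flags"]:
        findings.append("MID_STREAM_ACK_DROPPED")     # conntrack had no state for this flow
    return findings


def summarize(log_text, **kwargs):
    """List (rule, src, dst, findings) for every dropped packet in the log text."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "D":
            out.append((f"{rec['ruleset']}-{rec['rule']}", rec["src"], rec["dst"], assess(rec, **kwargs)))
    return out


if __name__ == "__main__":
    for rule, src, dst, findings in summarize(SAMPLE_LOG):
        print(f"{rule}: {src} -> {dst}: {', '.join(findings) or 'no findings'}")
```

Run against the quoted line, the 1438-byte DF packet from 192.168.2.1 arriving on eth1 with only ACK set trips all three checks, which is consistent with the two explanations the post is weighing (MTU and a state-tracking miss on tunnel traffic). Rerunning with `tunnel_mtu=1500` drops the MTU finding, which is a quick way to see which of the three the clamping experiment can actually influence.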