VPN problem

Torsten Kersandt torsten at cnc-london.net
Sun Sep 11 15:28:16 UTC 2011


> Why do you have a tun0 interface on the NAT box? That's a virtual tunnel
> interface, not a physical interface.

Because the tun0 interface IS my ext_if. My ISP modem is in bridge mode and the
FBSD box gets the public IP via PPPoE.


> 
> I thought the client (!= the NAT box) is the VPN endpoint. Not all
> encapsulation is done there, the NAT box is somehow involved in this?
> 
> Daniel

My home GW is my NAT box, and it is involved. It wasn't supposed to
interfere, but it is.


1) Here is the map:

My home workstation (FBSD amd64)
        |
        V
My home GW (FBSD i386 NATting to a public IP on ppp/tun0)
        |
        V
ISP ADSL modem in bridge mode
        |
        V
    INTERNET
        |
        V
My work GW (FBSD amd64 w/MPD VPN server)
        |
        V
    My work LAN


2) What I am attempting that's not working (but used to work!)

Establish a VPN from My home workstation TO My work GW


3) What works every single time

Establishing a VPN from My home GW AS A CLIENT to My work GW, using an exact
copy of mpd.conf from My home workstation.

The fact that I can do it flawlessly from the GW itself but NOT from the My
home LAN (or My work LAN for that matter), in my lame opinion, points
straight at NAT.

4) Points of notice

- My home GW is NOT a VPN server waiting for connections.

- 2) MAY work in 1 out of 10 attempts. I don't know how to better explain this,
     but it is as if I have to hit "a lucky timing spot". Sometimes, if I have
     an open ssh session from My home workstation to My work GW, that "seems
     to help" establish the VPN connection, but again, sometimes it doesn't
     "help" at all.

- People on My work LAN are having the same kind of problem I'm having, to
  establish VPN tunnels to outside sites. The common point is that we're all
  behind FBSD gateways with pf.

The condition that "sometimes it works, sometimes it doesn't" made me find this:

http://readlist.com/lists/openbsd.org/misc/12/63348.html

I don't know if it applies to my case but after days of searching, it was the
closest thing I could find.


Thanks again.

-- 
Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since 2.2.8 [not Pro-Audio.... YET!!] (99% winblows FREE)
_______________________________________________
freebsd-pf at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"

Hi Mario

Would it not be much easier to use VPN over SSL, as with OpenVPN?
VPN as such has too many protocol dependencies.
Having a VPN server for the standard Windows user to dial in and use local
resources is fine, but for bridging two networks OpenVPN is much easier and
more reliable for me here, and in full use.

Regards
Torsten
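
To make the OpenVPN suggestion above concrete, here is an added minimal
site-to-site configuration pair. It is an illustration added to this archived
thread, not configuration posted by Torsten or Mario. The hostname
vpn.example.org, the key/certificate paths under /usr/local/etc/openvpn, the
10.8.0.0/24 tunnel pool and the 192.168.10.0/24 work LAN are all assumed
values; the point it shows is that the whole tunnel rides on a single UDP
flow, so a NAT gateway in the path only has to track one state entry.

```conf
# server.conf on "My work GW" (added example; all paths and addresses assumed)
port 1194
# one UDP flow carries control and data; NAT needs a single state entry
proto udp
dev tun
ca   /usr/local/etc/openvpn/ca.crt
cert /usr/local/etc/openvpn/workgw.crt
key  /usr/local/etc/openvpn/workgw.key
dh   /usr/local/etc/openvpn/dh.pem
# HMAC on the control channel; drops unauthenticated packets before TLS
tls-auth /usr/local/etc/openvpn/ta.key 0
cipher AES-256-GCM
# tunnel address pool handed to clients (assumed)
server 10.8.0.0 255.255.255.0
# work LAN (assumed) becomes reachable through the tunnel
push "route 192.168.10.0 255.255.255.0"
keepalive 10 60
persist-key
persist-tun
# drop privileges after the tunnel is up
user nobody
group nobody
verb 3

# client.conf on "My home workstation" (or on the home GW itself)
client
proto udp
dev tun
# public address of the work GW (assumed)
remote vpn.example.org 1194
nobind
ca   /usr/local/etc/openvpn/ca.crt
cert /usr/local/etc/openvpn/home.crt
key  /usr/local/etc/openvpn/home.key
tls-auth /usr/local/etc/openvpn/ta.key 1
# refuse to talk to anything whose certificate is not marked as a server
remote-cert-tls server
cipher AES-256-GCM
persist-key
persist-tun
verb 3
```

On the work GW, pf only has to admit the one port, for example
`pass in on $ext_if proto udp to ($ext_if) port 1194`; on the home GW the
existing outbound NAT rule is enough, since the client's traffic is ordinary
UDP from an inside host to a single remote port. The certificates and the
ta.key are assumed to have been generated with a CA of your own (easy-rsa or
the like); per-client certificates let the server revoke one home box without
touching the others.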
