Date:      Sun, 11 Sep 2011 11:17:38 -0300
From:      Mario Lobo <lobo@bsd.com.br>
To:        Daniel Hartmeier <daniel@benzedrine.cx>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: VPN  problem
Message-ID:  <201109111117.38461.lobo@bsd.com.br>
In-Reply-To: <20110911045732.GC29437@insomnia.benzedrine.cx>
References:  <201109101042.53575.lobo@bsd.com.br> <201109101917.30117.lobo@bsd.com.br> <20110911045732.GC29437@insomnia.benzedrine.cx>

On Sunday 11 September 2011 01:57:32 you wrote:
> Why do you have a tun0 interface on the NAT box? That's a virtual tunnel
> interface, not a physical interface.

Because the tun0 interface IS my ext_if. My ISP modem is in bridge mode and 
FBSD box gets the public IP via pppoe.


> 
> I thought the client (!= the NAT box) is the VPN endpoint. Not all
> encapsulation is done there, the NAT box is somehow involved in this?
> 
> Daniel

My home GW is my NAT box, and it is involved. It wasn't supposed to interfere 
but it is.


1) Here is the map:

My home workstation (FBSD amd64)
        |
        V
My home GW (FBSD i386 NATting to a public IP on ppp/tun0)
        |
        V
ISP ADSL modem in bridge mode
        |
        V
    INTERNET
        |
        V
My work GW (FBSD amd64 w/MPD VPN server)
        |
        V
    My work LAN


2) What I am attempting that's not working (but used to work!)

Establish a VPN from My home workstation TO My work GW


3) What works every single time

Establishing a VPN from My home GW AS A CLIENT to My work GW, using an exact 
copy of mpd.conf from My home workstation.

The fact that I can do it flawlessly from the GW itself but NOT from My 
home LAN (or My work LAN for that matter), in my lame opinion, points straight 
at NAT.

4) Points of notice

- My home GW is NOT a VPN server waiting for connections.

- 2) MAY work in 1 out of 10 attempts. I don't know how to better explain this
     but it is as if I have to hit "a lucky timing spot". Sometimes, if I have 
     an open ssh session from My home workstation to My work GW, that "seems
     to help" establish the VPN connection, but again, sometimes it doesn't
     "help" at all.

- People on My work LAN are having the same kind of problem I'm having, to
  establish VPN tunnels to outside sites. The common point is that we're all
  behind FBSD gateways with pf.

The condition that "sometimes it works, sometimes it doesn't" made me find 
this:

http://readlist.com/lists/openbsd.org/misc/12/63348.html
 
I don't know if it applies to my case but after days searching, it was the 
closest thing I could find.


Thanks again.

-- 
Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since 2.2.8 [not Pro-Audio.... YET!!] (99% winblows FREE)


