From: Mario Lobo <lobo@bsd.com.br>
To: Daniel Hartmeier
Cc: freebsd-pf@freebsd.org
Date: Sun, 11 Sep 2011 11:17:38 -0300
Subject: Re: VPN problem
Message-Id: <201109111117.38461.lobo@bsd.com.br>
In-Reply-To: <20110911045732.GC29437@insomnia.benzedrine.cx>
References: <201109101042.53575.lobo@bsd.com.br> <201109101917.30117.lobo@bsd.com.br> <20110911045732.GC29437@insomnia.benzedrine.cx>
User-Agent: KMail/1.13.7 (FreeBSD/8.2-STABLE; KDE/4.6.2; amd64)

On Sunday 11 September 2011 01:57:32 you wrote:
> Why do you have a tun0 interface on the NAT box? That's a virtual tunnel
> interface, not a physical interface.

Because the tun0 interface IS my ext_if.
My ISP modem is in bridge mode and the FBSD box gets the public IP via pppoe.

> I thought the client (!= the NAT box) is the VPN endpoint. Not all
> encapsulation is done there, the NAT box is somehow involved in this?
>
> Daniel

My home GW is my NAT box, and it is involved. It wasn't supposed to interfere but it is.

1) Here is the map:

   My home workstation (FBSD amd64)
            |
            V
   My home GW (FBSD i386 NATting to a public IP on ppp/tun0)
            |
            V
   ISP ADSL modem in bridge mode
            |
            V
   INTERNET
            |
            V
   My work GW (FBSD amd64 w/MPD VPN server)
            |
            V
   My work LAN

2) What I am attempting that's not working (but used to work!)

   Establish a VPN from My home workstation TO My work GW.

3) What works every single time

   Establishing a VPN from My home GW AS A CLIENT to My work GW, using an exact copy of mpd.conf from My home workstation.

   The fact that I can do it flawlessly from the GW itself but NOT from the My home LAN (or My work LAN for that matter), in my lame opinion, points straight at NAT.

4) Points of notice

   - My home GW is NOT a VPN server waiting for connections.

   - 2) MAY work in 1 out of 10 attempts. I don't know how to better explain this but it is as if I have to hit "a lucky timing spot". Sometimes, if I have an open ssh session from My home workstation to My work GW, that "seems to help" establish the VPN connection, but again, sometimes it doesn't "help" at all.

   - People on My work LAN are having the same kind of problem I'm having, to establish VPN tunnels to outside sites. The common point is that we're all behind FBSD gateways with pf.

The condition that "sometimes it works, sometimes it doesn't" made me find this:

http://readlist.com/lists/openbsd.org/misc/12/63348.html

I don't know if it applies to my case but after days of searching, it was the closest thing I could find.

Thanks again.

-- 
Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since 2.2.8 [not Pro-Audio.... YET!!]
(99% winblows FREE)