IPCop and VPNs

Talking about VPNs in the last message reminded me of a bunch of work I’ve done over the last month trying to set up a net-to-net IPSec VPN to my sister’s place using IPCop.  End result (so far, as I won’t let it rest) is that it’s not working and I’m stuffed if I can work out why.

There’s a very good chance that it’ll turn out to be something fundamentally broken about some part of our overall infrastructure (more than likely at my end, as some of the older and dodgier kit is here).  Anyway, at her end is a reject old Toshiba laptop with a couple of NICs that serves as the router firewall at her end (and does a really good job).  At my end is a VMware guest with a virtual NIC bridged to both the internal net and the DMZ.  Both ends have public IPs — mine is an address out of my subnet, hers is thanks to a nifty feature in her ADSL modem that passes the IP from the ISP connection through to an attached device.

I went through all sorts of grief before I gave her setup a public IP.  Regardless of what the RFCs and HOWTOs say, when her setup was behind NAT there was no VPN link.  Now that they can talk clear through to each other, each end thinks that the link is up, which implies an SA has been established — but no packets flow, because her end reports that it can’t reach some WAG IP address that’s come from who-knows-where as my end of the link.

Reboots of both ends, deletes and re-adds of the VPN definitions, you name it, I’ve tried it.  The problem is exacerbated by the classic need to be at both ends of the link at the same time to try and determine the fault (when I set up her machine I had it attached here using a public IP from my subnet, and all worked peachy — which gave me the confidence that all would be okay ‘on the day’, and also reinforces the fact that something in the wider infrastructure is at fault).

I’ve given the thing away for a little while.  The exercise was not a complete loss, as my nephews are safely on the Web thanks to an advanced URL filter module for IPCop (and stern instructions from their Mum and Uncle), and they’re enjoying playing Age Of Empires against each other over the LAN.  I want to join in but! 🙂
