Koozali.org: home of the SME Server

VPN client behind SME 7.4

Offline mophilly

VPN client behind SME 7.4
« on: April 07, 2009, 07:00:30 PM »
Mac OS X 10.5 workstation; SME on a P4 class machine. The workstation has two NICs; one is "inside" the SME gateway, the other is "outside". The "outside" NIC is configured with a public IP address and is connected to a cable modem.

When using the "outside" NIC, I can connect via VPN to other systems using the built-in VPN client, a Cisco client and a Juniper Networks client. When I attempt any of these using the "inside" NIC, the connections fail with an LCP timeout error. I apologize for paraphrasing the error message; I am not at the machine right now.

Does SME support an outbound VPN tunnel using PPTP?

If yes, what should I be looking at to enable and/or clear the way?
- Mark

Offline CharlieBrady

Re: VPN client behind SME 7.4
« Reply #1 on: April 07, 2009, 09:00:24 PM »
Quote
Does SME support an outbound VPN tunnel using PPTP?

Yes.

Quote
If yes, what should I be looking at to enable and/or clear the way?

Stop 'straddling' the firewall with your workstation, and use it as a normal client (i.e. one NIC).

Offline mophilly

Re: VPN client behind SME 7.4
« Reply #2 on: April 07, 2009, 09:24:49 PM »
Quote
Stop 'straddling' the firewall with your workstation, and use it as a normal client (i.e. one NIC).

I did not say I was straddling the firewall. While not wholly unreasonable, your assumption is incorrect.

I use each as a standalone client, to wit: there are two operating systems installed on the machine. These are not run as VMs, but only one at a time.

One is used entirely for secure, clearance-required work using the outside NIC. The sole exception is that I also use this system to test remote access to SME installs at client sites, which are not at all related to the first use.

The second operating system is used "inside" the SME workgroup here, and it is the one having trouble connecting and maintaining connections to VPN gateways outside our little office. I would like to be able to use it for remote access to SME sites.

I have eliminated the OS configs as the culprit by setting up and testing each NIC appropriately inside and outside SME. As part of this, I have tried three VPN clients from different vendors pointed to both low- and high-end VPN gateways. Each fails to connect. Take SME out of the loop and it works.

I do have inbound VPN clients for the little office installation.

Charlie, if you say SME correctly handles outbound VPN, I believe you.

What might be causing outbound VPN connects to fail?

« Last Edit: April 07, 2009, 10:18:54 PM by Mophilly »
- Mark

Offline CharlieBrady

Re: VPN client behind SME 7.4
« Reply #3 on: April 07, 2009, 10:28:08 PM »
Quote
I do have inbound VPN clients for the little office installation.
...
What might be causing outbound VPN connects to fail?

There are quite a few possible reasons. I think the most likely one is that a GRE packet from the VPN server is arriving at the SME WAN interface before your VPN client has sent one through the SME server. Because you have inbound VPN clients, the iptables firewall is configured to allow inbound GRE. If your Mac client is setting up a PPTP connection to an external server, the external server and the Mac client will start to send each other GRE packets. The GRE packets contain LCP negotiation traffic. If a GRE packet from the Mac client to the remote PPTP server is the first to pass through the SME server, all is good. When the server-to-Mac-client packet arrives, it will be forwarded to the Mac client. If the remote-server-to-Mac-client packet arrives first, the SME server will not know to forward it to the Mac client, so it will try to process it. Because there is no process waiting for that packet, it will be rejected - an ICMP packet will be sent back to the remote VPN server.

To test this theory, disable inbound PPTP, and try again. Or just do packet capture and see exactly what is happening.
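To make the packet-ordering theory above concrete, here is a toy model (added here, not code from SME Server or from the poster) of a gateway that forwards inbound GRE only when it has already seen a matching outbound GRE packet from a LAN client, and otherwise handles the packet locally the way the reply describes. All addresses are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed addresses for the scenario in the thread.
LAN_CLIENT = "192.168.1.50"    # Mac client on the SME LAN
SME_WAN = "203.0.113.10"       # SME gateway's public address
REMOTE_PPTP = "198.51.100.20"  # remote PPTP/VPN gateway

@dataclass
class GreForwarder:
    """Toy model of stateful GRE handling: a forwarding entry exists only
    after a LAN client has sent GRE outbound to a given remote server."""
    inbound_pptp_enabled: bool
    table: dict = field(default_factory=dict)  # remote server -> LAN client
    log: list = field(default_factory=list)

    def outbound(self, src, dst):
        # First outbound GRE from the LAN creates the forwarding state.
        self.table[dst] = src
        self.log.append(f"out {src}->{dst}: forwarded, state created")
        return "forwarded"

    def inbound(self, src, dst):
        client = self.table.get(src)
        if client:
            self.log.append(f"in {src}->{dst}: forwarded to {client}")
            return "forwarded"
        if self.inbound_pptp_enabled:
            # Firewall admits GRE for the local PPTP server, but no local
            # session matches, so the packet is rejected with ICMP.
            self.log.append(f"in {src}->{dst}: no state, rejected (ICMP)")
            return "rejected-icmp"
        # With inbound PPTP disabled, unsolicited GRE never gets in at all.
        self.log.append(f"in {src}->{dst}: dropped by firewall")
        return "dropped"

def simulate(sequence, inbound_pptp_enabled=True):
    """sequence: 'out' = client->server GRE, 'in' = server->client GRE.
    Returns the gateway's decision for each packet, in order."""
    fw = GreForwarder(inbound_pptp_enabled)
    return [fw.outbound(LAN_CLIENT, REMOTE_PPTP) if p == "out"
            else fw.inbound(REMOTE_PPTP, SME_WAN) for p in sequence]

if __name__ == "__main__":
    print("client first:", simulate(["out", "in"]))
    print("server first:", simulate(["in", "out", "in"]))
```

The second run shows the failing case: the first server-to-client packet is rejected, and only after the client's own GRE packet creates state does forwarding work.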

Offline mophilly

Re: VPN client behind SME 7.4
« Reply #4 on: April 07, 2009, 10:35:40 PM »
Thank you for the info and suggestions. I will do so and see what light shines into my dark corner of the universe.
- Mark

Offline mophilly

Re: VPN client behind SME 7.4
« Reply #5 on: April 12, 2009, 10:24:33 PM »
I am happy to report that all is working now. It will come as no surprise to some, and possibly relief to others, that the problem did not involve SME at all. Here is the resolution in case it helps someone with a similar question.

At the top of this thread I mention two NIC configs: one behind SME and one that is not. The latter connected to the remote system but the former did not. The problem was that the NAT configuration was the same for both SME installs. In one office the NAT gateway address was, say, 192.168.181.1, which was precisely what the remote system was using. I do not know the details of what happens, but it boils down to something akin to an IP address conflict. That is, since both VPN daemons were using the same IP address, the connection from inside SME would fail.

The solution was to configure different subnets for each system. For example, one config 192.168.100.1 and the other 192.168.200.1. The address range is not particularly important. Rather, that they are different is the significant point.

A basic mistake for certain, but an easy one to set right.
- Mark
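The subnet clash in the resolution above is easy to check for before dialling a tunnel. The following is an added example (not the poster's code and not part of SME Server) that takes the local LAN gateway and the gateways of the remote sites and reports every pair whose networks overlap; the /24 prefixes and the site names are assumptions for the example.

```python
import ipaddress

def overlapping_subnets(local_gateways, remote_gateways):
    """Return (local_net, remote_net) pairs whose address ranges overlap.

    Gateways may be given as host addresses with a prefix length
    (e.g. '192.168.181.1/24'); strict=False turns them into networks.
    """
    clashes = []
    for local in local_gateways:
        lnet = ipaddress.ip_network(local, strict=False)
        for remote in remote_gateways:
            rnet = ipaddress.ip_network(remote, strict=False)
            if lnet.overlaps(rnet):
                clashes.append((str(lnet), str(rnet)))
    return clashes

def unreachable_sites(local_gateway, sites):
    """Given the local LAN gateway and a {site: gateway} map, return the
    names of sites whose VPN subnet collides with the local LAN."""
    return sorted(site for site, gw in sites.items()
                  if overlapping_subnets([local_gateway], [gw]))

if __name__ == "__main__":
    # Constructed data mirroring the thread: the local office and one
    # remote site both used 192.168.181.1 as the NAT gateway.
    sites = {"client-a": "192.168.181.1/24",   # same as local: clash
             "client-b": "192.168.200.1/24",   # distinct: fine
             "client-c": "192.168.0.1/16"}     # /16 covering local: clash
    print(overlapping_subnets(["192.168.181.1/24"], sites.values()))
    print(unreachable_sites("192.168.181.1/24", sites))
```

A /16 on the remote side collides with the local /24 just as a duplicate /24 does, so the check uses overlap rather than equality.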