Debugging the VPN

So the first time I fired up the VPN client, the rules on the firewall allowed the ISAKMP negotiation, but not the ESP data. I fixed that and tried again. This time, the firewall no longer rejects packets, but doesn’t pass them through, either. Debugging ensues. Debugging is made extra challenging by the fact that the VPN client disallows split tunnelling, thus killing the SSH session to the firewall each time it is started. Lots of running tcpdump in the background is required.

Eventually I gave up and ate supper.

I tried again after supper. The VPN comes up perfectly; the spiffy intranet portal appears. Apparently something previously cached has been un-cached. However, the connection only lasts about 5 minutes, then dies. Debugging does not follow; it’s time to play Euchre.

The next evening arrives. I fire up tcpdumps and a script to monitor /proc/net/ip_conntrack, under the assumption that connection tracking isn’t working properly (leading to the 5 minute timeout). I start the VPN client. Everything works; no session timeouts, no firewall issues. Hours of rapturous intranet browsing follow. I also play with using SSH through the VPN, out the corporate firewall, and back to the home firewall :-).
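For anyone wanting to reproduce the conntrack check described above, here is an added example (not the script from the original post) that pulls the IPsec peer's entries out of /proc/net/ip_conntrack and reports their remaining timeouts, so a shrinking ESP or ISAKMP entry shows up before the tunnel dies. The peer address, the private LAN address, the iptables rule syntax in the comments, and the sample ip_conntrack lines are all assumptions constructed for this example; the line format is the 2.4-era one ("proto protonum timeout src= dst= ...").

```shell
#!/bin/sh
# Added example, not part of the original post. Watches the IPsec peer's
# connection-tracking entries. Assumed: peer 203.0.113.5, home LAN host
# 192.168.1.2, ISAKMP on UDP/500, ESP as IP protocol 50.
# For the tunnel to pass at all the firewall must accept both phases
# (rule syntax assumed, iptables-style; NAT-T only if the client uses it):
#   iptables -A FORWARD -p udp --dport 500  -j ACCEPT   # ISAKMP
#   iptables -A FORWARD -p 50                -j ACCEPT  # ESP
#   iptables -A FORWARD -p udp --dport 4500 -j ACCEPT   # NAT-T (UDP-encapsulated ESP)

CONNTRACK=/proc/net/ip_conntrack
PEER=203.0.113.5

# Constructed sample of ip_conntrack output so the script runs offline.
# Field 2 is the IP protocol number, field 3 the seconds left before the
# entry expires; ESP shows up as "unknown 50" because there is no helper.
SAMPLE='udp      17 29 src=192.168.1.2 dst=203.0.113.5 sport=500 dport=500 src=203.0.113.5 dst=192.168.1.2 sport=500 dport=500 [ASSURED] use=1
unknown  50 571 src=192.168.1.2 dst=203.0.113.5 src=203.0.113.5 dst=192.168.1.2 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=198.51.100.7 sport=33422 dport=22 src=198.51.100.7 dst=192.168.1.10 sport=22 dport=33422 [ASSURED] use=1'

# peer_entries TABLE PEER: print "protonum timeout" for each entry whose
# src= or dst= tuple field names PEER (exact field match, not a regex).
peer_entries() {
    printf '%s\n' "$1" | awk -v peer="$2" '
        {
            hit = 0
            for (i = 1; i <= NF; i++)
                if ($i == ("src=" peer) || $i == ("dst=" peer)) hit = 1
            if (hit) print $2, $3
        }'
}

# min_peer_timeout TABLE PEER: smallest remaining timeout among the peer's
# entries; this is the number to watch when a tunnel dies on a schedule.
min_peer_timeout() {
    peer_entries "$1" "$2" | awk '
        NR == 1 || ($2 + 0) < (min + 0) { min = $2 }
        END { if (NR) print min }'
}

# has_esp_entry TABLE PEER: exit 0 if conntrack holds an ESP (proto 50)
# entry for the peer, 1 otherwise. Missing ESP with ISAKMP present means
# phase 1 completed but the data path is not being tracked or passed.
has_esp_entry() {
    peer_entries "$1" "$2" | awk '$1 == 50 { found = 1 } END { exit found ? 0 : 1 }'
}

# watch_peer PEER: poll the live table every 10 s and log proto/timeout
# pairs; run as "sh thisscript.sh watch [peer]" on the firewall itself.
watch_peer() {
    while [ -r "$CONNTRACK" ]; do
        printf '%s proto/timeout: %s\n' "$(date +%T)" \
            "$(peer_entries "$(cat "$CONNTRACK")" "$1" | tr '\n' ' ')"
        sleep 10
    done
}

case "${1:-}" in
    watch) watch_peer "${2:-$PEER}" ;;
    *)     peer_entries "$SAMPLE" "$PEER" ;;   # offline demo on the sample
esac
```

Run it with `watch` in the background over the SSH session, since the VPN client will drop that session; the log survives in whatever file it was redirected to. If the ESP entry's timeout keeps being reset to its maximum while traffic flows, conntrack is fine and the cause of a timed death lies elsewhere (the client or the concentrator).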

While I’m happy that everything’s working, I could live without the whole “attempt to debug problems that later mysteriously vanish” thing…

posted at 3:06 pm on Saturday, November 22, 2003 in Security
