Hi all,

I have a firewall running OpenBSD 4.1-STABLE with pptp-1.7.1 to access a corporate VPN from a Windows XP machine on the internal LAN. The VPN uses dial on demand. Running ping on the Windows machine to access the corporate server (192.168.0.143) does connect the VPN, but the pings time out. After some time (it varies from a few seconds to a minute or so), the pings suddenly start working. Meanwhile I can ping the same server directly from the firewall over the VPN without any problem.

Running tcpdump on ste1 and tun0 shows the following while pinging from the XP machine when pings are not responding:

ste1 - 16:50:12.591916 192.168.11.11 > 192.168.0.143: icmp: echo request
tun0 - 16:50:12.591994 192.168.3.1 > 192.168.0.143: icmp: echo request

While pings are still failing from XP, pinging the same server from the firewall shows:

tun0 - 16:50:34.424287 192.168.3.202 > 192.168.0.143: icmp: echo request
tun0 - 16:50:34.483484 192.168.0.143 > 192.168.3.202: icmp: echo reply

When the XP machine is finally able to ping the server I get:

ste1 - 16:50:51.508714 192.168.11.11 > 192.168.0.143: icmp: echo request
tun0 - 16:50:51.508787 192.168.3.202 > 192.168.0.143: icmp: echo request
tun0 - 16:50:51.560419 192.168.0.143 > 192.168.3.202: icmp: echo reply
ste1 - 16:50:51.560463 192.168.0.143 > 192.168.11.11: icmp: echo reply

The address on tun0 changes from 192.168.3.1 when pings fail to 192.168.3.202 when they work. It looks like ($vpn_if) is taking too long to change to the new address (192.168.3.202) from the one in ifaddr (192.168.3.1).

How do I get the VPN to connect and be usable immediately from the Windows XP machine without this delay?

TIA

Paul

------------------------------------------------------------------------
pf.conf
-------
ext_if="vr0"
lan_if="ste1"
vpn_if="tun0"

set skip on lo

nat on $ext_if from $lan_if:network to any -> $ext_if
nat on $vpn_if from $lan_if:network to any -> ($vpn_if)

block in quick inet6 all
block out quick inet6 all
block in log all
block out log all

pass in quick on $lan_if inet from $lan_if:network to any flags S/SA
pass out quick on $ext_if inet from $ext_if to any flags S/SA modulate state
pass out quick on $vpn_if inet to any flags S/SA modulate state

------------------------------------------------------------------------
ppp.conf
--------
default:
 set log Phase Chat LCP IPCP CCP tun command

vpn:
 set device "!/usr/local/sbin/pptp --nolaunchpppd xx.xx.xx.xx"
 set authname xxxxxxxx
 set authkey xxxxxxxx
 set mppe 128 stateless
 set ifaddr 192.168.3.1/0 192.168.3.2/0 255.255.255.0 0.0.0.0
 add 192.168.0.0 255.255.255.0 192.168.3.2
 add 192.168.3.0 255.255.255.0 192.168.3.2

------------------------------------------------------------------------
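
Added example, not part of the original post: a short Python script that groups the tun0 capture lines quoted above by translated source address and reports which address never received an echo reply. The function names are hypothetical, and the `iface - time src > dst` line layout is assumed to be the poster's own labelling of the tcpdump output.

```python
import re
from collections import defaultdict

# Capture lines copied from the post, in its "iface - time src > dst: icmp: type" layout.
CAPTURE = """\
ste1 - 16:50:12.591916 192.168.11.11 > 192.168.0.143: icmp: echo request
tun0 - 16:50:12.591994 192.168.3.1 > 192.168.0.143: icmp: echo request
tun0 - 16:50:34.424287 192.168.3.202 > 192.168.0.143: icmp: echo request
tun0 - 16:50:34.483484 192.168.0.143 > 192.168.3.202: icmp: echo reply
ste1 - 16:50:51.508714 192.168.11.11 > 192.168.0.143: icmp: echo request
tun0 - 16:50:51.508787 192.168.3.202 > 192.168.0.143: icmp: echo request
tun0 - 16:50:51.560419 192.168.0.143 > 192.168.3.202: icmp: echo reply
ste1 - 16:50:51.560463 192.168.0.143 > 192.168.11.11: icmp: echo reply
"""
LINE = re.compile(
    r"^(?P<iface>\S+) - (?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): icmp: echo (?P<kind>request|reply)$"
)

def parse(text):
    """Yield one dict per recognised ICMP echo line; skip anything else."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.groupdict()

def source_report(text, iface="tun0"):
    """Per source address on iface: requests sent, replies received, first/last seen."""
    stats = defaultdict(lambda: {"requests": 0, "replies": 0, "first": None, "last": None})
    for p in parse(text):
        if p["iface"] != iface:
            continue
        if p["kind"] == "request":
            s = stats[p["src"]]
            s["requests"] += 1
            s["first"] = s["first"] or p["ts"]
            s["last"] = p["ts"]
        elif p["dst"] in stats:  # reply addressed to a source we saw sending
            stats[p["dst"]]["replies"] += 1
    return dict(stats)

def unanswered_sources(text, iface="tun0"):
    """Source addresses that sent echo requests on iface but never got a reply."""
    return sorted(a for a, s in source_report(text, iface).items() if s["replies"] == 0)

if __name__ == "__main__":
    print(source_report(CAPTURE))
    print("unanswered:", unanswered_sources(CAPTURE))
```

On the lines from the post, the only unanswered source is 192.168.3.1, the address set by `set ifaddr`, while every request translated to 192.168.3.202 has a matching reply.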
