On 2007/07/20 17:39, Paul Collis wrote:
> I have a firewall running OpenBSD 4.1-STABLE with pptp-1.7.1 to access a
> corporate VPN from a Windows XP machine on the internal LAN. The VPN uses
> dial on demand. Running ping on the Windows machine to access the corporate
> server (192.168.0.143) does connect the VPN, but the pings time out. After
> some time, it varies from a few seconds to a minute or so, the pings suddenly
> start working. Meanwhile I can ping the same server directly from the
> firewall over the VPN without any problem.
The address is picked up when state is created; this will be used until it times out, so a single run of 'ping' will usually match the existing state. You could drop the state timeout values for ICMP (at least for the pings you use to establish the connection); you would do this in the 'pass' rule that permits these packets, not in the nat rule. You may also need to use a larger delay between ping packets. (or, just ignore the ping output :-)
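As an added illustration of the per-rule timeout suggested above (this is not from the original thread or Paul's configuration), here is a pf.conf fragment in OpenBSD 4.1 syntax. The macros `$vpn_if`, `$int_net` and `$corp_net` are assumed names; the nat rule is left alone and only the pass rule carries the shortened ICMP timeouts. The stock defaults it shortens are icmp.first 20 seconds and icmp.error 10 seconds (pf.conf(5)).

```conf
# Assumed macros; adjust to the real tunnel interface and networks.
vpn_if   = "tun0"
int_net  = "192.168.1.0/24"
corp_net = "192.168.0.0/24"

# Translation section (must precede the filter rules in 4.1).
# The translation address in parentheses is read when the state is
# created, which is the root of the stale-state behaviour described above.
nat on $vpn_if from $int_net to $corp_net -> ($vpn_if)

# Before: default state timeouts. A state created while the tunnel had no
# usable address is matched, and refreshed, by every following echo request
# for up to icmp.first (20 s) after the last packet.
pass out on $vpn_if inet proto icmp from $int_net to $corp_net keep state

# After: shorter ICMP timeouts on the pass rule only. A stale state now
# expires within a few seconds, so the next ping creates a fresh state
# against the tunnel address that dial-on-demand has meanwhile brought up.
pass out on $vpn_if inet proto icmp from $int_net to $corp_net \
    keep state (icmp.first 5, icmp.error 5)
```

To confirm what is happening, `pfctl -s states` shows the existing ICMP state and the translated address it was created with, and `pfctl -s timeouts` shows the global defaults that the per-rule values override. With the shorter timeouts, a ping interval longer than icmp.first (the larger delay mentioned above) also guarantees each request starts a new state rather than refreshing the old one.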
