jbo5112 (n00b)
Joined: 16 Nov 2005   Posts: 19
Posted: Mon Feb 11, 2008 10:18 pm   Post subject: Router problems with VPN
For work I'm doing, I have to connect through a Juniper Networks VPN. They previously had everything misconfigured so the route table was constantly being set to send all your internet data through the VPN as a gateway, when the other end of the gateway didn't care about routing to anything other than their LAN. They've migrated to a different version, with a client that says "Secure Application Manager Version 6.0.0.12.141". Now the internet works while signed in, but it works with very few of our systems. It doesn't do anything on a Windows XP x64 box, every Linux box I've tried just says the OS/platform isn't supported (even on machines that were working with it), and the worst is that it won't work with some routers. We have some routers at the office that function just fine, along with my parents' cheap D-Link wi-fi router, but there's a cheap Netgear router that won't work with the VPN. My Gentoo box that doubles as a router at home doesn't work either. I have every single option enabled under Netfilter. Everything else routes just fine and the VPN will even sign in, but the VPN link is dead. I don't know where to begin debugging this.
Currently, my options are:
1) Fix my Gentoo router so I can use my well put together system and work quickly.
2) Remote desktop to a machine at work, then go to a different one on work's LAN that functions with the VPN, and interact with remote desktop running through two extra computers and connection speeds around 4kB/s.
3) Spend too much time at the Office and don't get to see my wife or 4 month old daughter for a week or more.
*update* The routers at the office all function with the VPN. All the computers attached to the cheaper router don't work with the VPN themselves for one reason or another (mostly an unsupported OS).
Last edited by jbo5112 on Fri Feb 15, 2008 4:39 pm; edited 1 time in total
Hu (Administrator)
Joined: 06 Mar 2007   Posts: 23062
Posted: Tue Feb 12, 2008 4:05 am
You say "the VPN link is dead." What do you mean by this? Are you unable to pass traffic over the VPN? Is traffic sent over the VPN unable to reach your system? Start with posting the output of ip route; ip addr. If you have some way of controlling remote machines, run emerge net-analyzer/tcpdump locally and use it to sniff traffic on the VPN interface while a remote machine pings your VPN IP address. That will identify whether the traffic from the peer is reaching you at all. If it is reaching you, then you may have a firewall problem and should post the output of iptables-save -c. If it is not reaching you, then the routing on the remote end is still wrong.
jbo5112 (n00b)
Joined: 16 Nov 2005   Posts: 19
Posted: Fri Feb 15, 2008 4:08 pm
I haven't been able to send information to the remote computer and get a response back. I'm having trouble figuring out how to get the remote machine to try contacting me so I can check if the packets are getting lost in my router, but it doesn't seem too easy. The remote machine is in another state, so there's no direct access; I only have 1 login (but I might be able to commandeer another late at night), and I can't find my VPN IP address anywhere on the computer running the VPN client. If it's any help, the remote LAN is using IP addresses of 172.18.0.0/16 (not entirely sure on the netmask). I'm not using most of my tap devices (and probably never will), but I left them configured in case I want them for vmware. I also know my routing should be made more secure, but that's further down on my to-do list and the few services running should be secure themselves. I've also tried running the VPN on another machine that dual-boots into Windows XP Home Edition, but the following info is from one of my virtual machines running Windows 2000.
route on computer running VPN client:
Code:
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x1000003 ...00 0c 29 52 11 98 ...... vmxnet5 VMware Accelerated AMD PCNet Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.10       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0    255.255.255.0     192.168.0.10    192.168.0.10       1
     192.168.0.10  255.255.255.255        127.0.0.1       127.0.0.1       1
    192.168.0.255  255.255.255.255     192.168.0.10    192.168.0.10       1
        224.0.0.0        224.0.0.0     192.168.0.10    192.168.0.10       1
  255.255.255.255  255.255.255.255     192.168.0.10    192.168.0.10       1
Default Gateway:       192.168.0.1
===========================================================================
Persistent Routes:
None
ipconfig /all
Code:
Windows 2000 IP Configuration
Host Name . . . . . . . . . . . . : 32-bit_develop
Primary DNS Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : way.shacknet.nu
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : way.shacknet.nu
Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
Physical Address. . . . . . . . . : 00-0C-29-52-11-98
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.0.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.1
Primary WINS Server . . . . . . . : 192.168.0.1
Lease Obtained. . . . . . . . . . : Wednesday, February 13, 2008 11:27:13 PM
Lease Expires . . . . . . . . . . : Friday, March 14, 2008 11:27:13 PM
route on Gentoo router:
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 br0
CPE-65-31-192-0 *               255.255.240.0   U     0      0        0 eth4
loopback        *               255.0.0.0       U     0      0        0 lo
default         CPE-65-31-192-1 0.0.0.0         UG    0      0        0 eth4
ifconfig (Gentoo router)
Code:
br0 Link encap:Ethernet HWaddr 00:06:29:6E:B7:10
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1767531 errors:0 dropped:0 overruns:0 frame:0
TX packets:2634158 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:381091251 (363.4 Mb) TX bytes:2483619557 (2368.5 Mb)
eth0 Link encap:Ethernet HWaddr 00:06:29:6E:B7:10
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:616804 errors:1 dropped:0 overruns:0 frame:1
TX packets:646646 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:98208238 (93.6 Mb) TX bytes:465989192 (444.4 Mb)
Interrupt:20 Base address:0xb000
eth1 Link encap:Ethernet HWaddr 00:06:29:6E:B7:11
UP BROADCAST PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:19 Base address:0xb100
eth2 Link encap:Ethernet HWaddr 00:06:29:6E:B7:12
UP BROADCAST PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:18 Base address:0xb200
eth3 Link encap:Ethernet HWaddr 00:06:29:6E:B7:13
UP BROADCAST PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:16 Base address:0xb300
eth4 Link encap:Ethernet HWaddr 00:1A:4D:56:4E:F4
inet addr:65.31.196.94 Bcast:255.255.255.255 Mask:255.255.240.0
UP BROADCAST RUNNING MULTICAST MTU:576 Metric:1
RX packets:44143365 errors:0 dropped:0 overruns:0 frame:0
TX packets:20420164 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:15466078478 (14749.6 Mb) TX bytes:3444975315 (3285.3 Mb)
Interrupt:16 Base address:0x2000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:10837179 errors:0 dropped:0 overruns:0 frame:0
TX packets:10837179 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:12785871970 (12193.5 Mb) TX bytes:12785871970 (12193.5 Mb)
tap0 Link encap:Ethernet HWaddr 00:FF:4D:40:D7:0F
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:3161304 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
tap1 Link encap:Ethernet HWaddr 00:FF:4F:4E:27:CA
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:22971 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
tap2 Link encap:Ethernet HWaddr 00:FF:F7:05:AF:3D
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:22971 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
tap3 Link encap:Ethernet HWaddr 00:FF:66:F0:1E:4D
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:22969 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
tap4 Link encap:Ethernet HWaddr 00:FF:33:24:15:86
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:22969 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
tap5 Link encap:Ethernet HWaddr 00:FF:AA:B4:43:B9
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:22969 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
tap6 Link encap:Ethernet HWaddr 00:FF:D5:8A:CD:1F
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:22969 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
tap7 Link encap:Ethernet HWaddr 00:FF:BE:05:9E:B7
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:22965 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
tap8 Link encap:Ethernet HWaddr 00:FF:53:97:7D:90
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:22965 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
tap9 Link encap:Ethernet HWaddr 00:FF:24:41:D0:87
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:22965 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
iptables-save -c (on router)
Code:
# Generated by iptables-save v1.3.8 on Fri Feb 15 09:21:46 2008
*raw
:PREROUTING ACCEPT [198753056:114402595017]
:OUTPUT ACCEPT [136014238:39820411746]
COMMIT
# Completed on Fri Feb 15 09:21:46 2008
# Generated by iptables-save v1.3.8 on Fri Feb 15 09:21:46 2008
*nat
:PREROUTING ACCEPT [407933:49227394]
:POSTROUTING ACCEPT [20068:3855261]
:OUTPUT ACCEPT [1123274:75777476]
[59062:4334041] -A POSTROUTING -o eth4 -j MASQUERADE
COMMIT
# Completed on Fri Feb 15 09:21:46 2008
# Generated by iptables-save v1.3.8 on Fri Feb 15 09:21:46 2008
*mangle
:PREROUTING ACCEPT [198753044:114402594293]
:INPUT ACCEPT [194300985:112443601563]
:FORWARD ACCEPT [4570894:1948995803]
:OUTPUT ACCEPT [136014222:39820410822]
:POSTROUTING ACCEPT [140609954:41775196426]
COMMIT
# Completed on Fri Feb 15 09:21:46 2008
# Generated by iptables-save v1.3.8 on Fri Feb 15 09:21:46 2008
*filter
:INPUT ACCEPT [1277146:331251653]
:FORWARD DROP [40:13330]
:OUTPUT ACCEPT [6914403:2999733881]
[5178304:2278387388] -A INPUT -i lo -j ACCEPT
[255273:110427750] -A INPUT -i br0 -j ACCEPT
[0:0] -A INPUT -i ! br0 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A INPUT -i ! br0 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
[39950:6075590] -A FORWARD -d 192.168.0.0/255.255.255.0 -i ! eth4 -j ACCEPT
[243421:32489982] -A FORWARD -s 192.168.0.0/255.255.255.0 -i ! eth4 -j ACCEPT
[278489:256508212] -A FORWARD -d 192.168.0.0/255.255.255.0 -i eth4 -j ACCEPT
COMMIT
# Completed on Fri Feb 15 09:21:46 2008
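The iptables-save -c dump above is the one part of the thread a reader can check mechanically, and the counters tell a story on their own (40 packets hit the FORWARD DROP policy; 278489 packets were accepted by the rule that lets anything arriving on eth4 through to 192.168.0.0/24). The Python below is an example added to this page, not code from the thread, from Gentoo or from Juniper: it parses the `iptables-save -c` format (tables, chain policies with their counters, rules with their counters) and flags FORWARD rules that accept traffic entering on the WAN interface without a connection-tracking match. On the posted ruleset that is `-d 192.168.0.0/255.255.255.0 -i eth4 -j ACCEPT`, which accepts return traffic by destination address rather than by connection state and so relies on the upstream never delivering a packet for the private range; a `-m state --state ESTABLISHED,RELATED` rule is the usual tightening and is unrelated to the VPN problem itself. SAMPLE is the poster's nat and filter tables copied from the post (raw and mangle carry no rules and are left out).

```python
"""Parse `iptables-save -c` output and audit the FORWARD chain.

Added example for this thread; not code from the thread, from Gentoo or
from Juniper. SAMPLE is the poster's nat and filter tables as posted.
"""
import re
from dataclasses import dataclass, field

SAMPLE = """\
*nat
:PREROUTING ACCEPT [407933:49227394]
:POSTROUTING ACCEPT [20068:3855261]
:OUTPUT ACCEPT [1123274:75777476]
[59062:4334041] -A POSTROUTING -o eth4 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [1277146:331251653]
:FORWARD DROP [40:13330]
:OUTPUT ACCEPT [6914403:2999733881]
[5178304:2278387388] -A INPUT -i lo -j ACCEPT
[255273:110427750] -A INPUT -i br0 -j ACCEPT
[0:0] -A INPUT -i ! br0 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A INPUT -i ! br0 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
[39950:6075590] -A FORWARD -d 192.168.0.0/255.255.255.0 -i ! eth4 -j ACCEPT
[243421:32489982] -A FORWARD -s 192.168.0.0/255.255.255.0 -i ! eth4 -j ACCEPT
[278489:256508212] -A FORWARD -d 192.168.0.0/255.255.255.0 -i eth4 -j ACCEPT
COMMIT
"""

CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")
RULE_RE = re.compile(r"^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s*(.*)$")


@dataclass
class Rule:
    packets: int
    bytes: int
    chain: str
    args: list


@dataclass
class Table:
    name: str
    policies: dict = field(default_factory=dict)  # chain -> (policy, pkts, bytes)
    rules: list = field(default_factory=list)


def parse_iptables_save(text):
    """Return {table_name: Table} from `iptables-save -c` output."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # blank or "# Generated by" comment
        if line.startswith("*"):
            current = Table(line[1:])      # "*filter" opens a table
            tables[current.name] = current
        elif line == "COMMIT":
            current = None
        elif line.startswith(":"):
            chain, policy, pk, by = CHAIN_RE.match(line).groups()
            current.policies[chain] = (policy, int(pk), int(by))
        else:
            m = RULE_RE.match(line)
            if m is None:
                raise ValueError(f"unrecognised line: {line!r}")
            pk, by, chain, rest = m.groups()
            current.rules.append(Rule(int(pk), int(by), chain, rest.split()))
    return tables


def option(args, flag):
    """Return (value, negated) for a single-valued option such as -i, -o or -j.

    Accepts both the iptables 1.3 negation `-i ! eth4` and the newer `! -i eth4`.
    """
    for idx, tok in enumerate(args):
        if tok != flag:
            continue
        if idx > 0 and args[idx - 1] == "!":
            return args[idx + 1], True
        if args[idx + 1] == "!":
            return args[idx + 2], True
        return args[idx + 1], False
    return None, False


def target(args):
    """Return the -j target of a rule, or None if it has none."""
    return option(args, "-j")[0]


def stateless_wan_accepts(tables, wan_if):
    """FORWARD rules that ACCEPT packets entering on wan_if without any
    connection-tracking match (-m state or -m conntrack)."""
    flagged = []
    for rule in tables["filter"].rules:
        if rule.chain != "FORWARD" or target(rule.args) != "ACCEPT":
            continue
        iface, negated = option(rule.args, "-i")
        tracked = "state" in rule.args or "conntrack" in rule.args
        if iface == wan_if and not negated and not tracked:
            flagged.append(rule)
    return flagged


if __name__ == "__main__":
    tables = parse_iptables_save(SAMPLE)
    policy, pkts, _ = tables["filter"].policies["FORWARD"]
    print(f"FORWARD policy {policy}; {pkts} packets fell through to it")
    for rule in stateless_wan_accepts(tables, "eth4"):
        print("stateless WAN accept:", " ".join(rule.args), f"({rule.packets} pkts)")
```

The parser keeps the counters because they are what make a posted ruleset debuggable: a rule with [0:0] has never matched, and a non-zero policy counter on a DROP chain means something is being silently discarded.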
jbo5112 (n00b)
Joined: 16 Nov 2005   Posts: 19
Posted: Fri Feb 15, 2008 4:34 pm
*update* The cheap office router works with the VPN too. It's just that none of the computers using it will connect to the VPN for one reason or another.
Hu (Administrator)
Joined: 06 Mar 2007   Posts: 23062
Posted: Sat Feb 16, 2008 3:40 am
In your first post, your second option implied that you could control remote machines, albeit with very poor responsiveness. If so, you could use that to ping your VPN IP address to test connectivity.
However, before we get that far, it appears that the VPN client is not configuring your interfaces correctly. I expect that the VPN server is issuing addresses of 172.x.x.x, but no such address appears anywhere on any of your interfaces. Can you enable or increase the verbosity of the VPN client's logging? It may be experiencing some error that causes it to leave your system in a partially configured state. You could try to emerge dev-util/strace and use it to monitor the system calls made by the VPN client. Run it as strace -f -tt -o vpn.strace -v -p pid-of-VPN-client. Once strace is attached, direct the VPN client to connect. If it insists on automatically connecting when you start it, then you should attach strace to a shell and have the shell start the VPN client. The strace output may be quite verbose. It may also contain authentication secrets, so it may be unsuitable to post publicly. Search it for any indication that a system call has failed. If you find any such failures, try to understand the reason for the failure. The errors should be safe to post here.
jbo5112 (n00b)
Joined: 16 Nov 2005   Posts: 19
Posted: Mon Feb 18, 2008 10:58 am
Just when I was watching tcpdumps and finding the VPN to be sending all the traffic through the https website I use to sign in, it magically starts working. First http access opened up, now remote desktop has started working. Maybe their engineers were running a bunch of patches tonight and fixed something broken on their end, or Time Warner fixed something in their standard Road Runner package that was working for business class customers. Maybe early Monday morning is the only time when the networks are clear enough for my connections to not time out. We had the VPN people extend the length of our session earlier this week, but remote desktop wasn't working an hour ago. Sorry to be of a bother, but their VPN sure has been frustrating.
Without the proprietary application from Juniper Networks, would there be a way to get my router to handle the VPN connection for all attached computers? It would be nice if I didn't need a for XP Pro x64 for development and a different one for running remote desktop.
Hu (Administrator)
Joined: 06 Mar 2007   Posts: 23062
Posted: Mon Feb 18, 2008 4:50 pm
That depends, but probably you can make it work. In theory, it should be as simple as configuring the Gentoo machine to route traffic from the LAN to the VPN, and MASQUERADE the traffic at the same time so that the VPN server does not get confused by connections coming from LAN IP addresses. After that is set up, then the systems on the LAN should see the VPN as just another network. You might run into problems if the IT department is using the same IP addresses as your LAN, since then your LAN systems would connect to each other instead of going over the VPN.
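The router-side setup Hu sketches (route the LAN towards the VPN, MASQUERADE it, treat the VPN as just another network) has two failure modes worth checking before any rule is loaded: the address-overlap case he names, where LAN hosts would ARP for remote addresses instead of sending them to the router, and the case from the first post, where a route covering the whole Internet (or the VPN server's own address) is pushed over the tunnel and breaks the tunnel's own transport. The Python below is an example added to this page, not code from the thread, from Gentoo or from Juniper. It only generates the commands, it does not apply them; the interface names are assumptions (br0 is the LAN bridge from the ifconfig output, tun0 is a hypothetical name for the VPN interface, since the thread never shows one), the remote network 172.18.0.0/16 is the one the poster reports, and the conflict checks use only Python's standard ipaddress module.

```python
"""Plan LAN-to-VPN forwarding on a Linux router with conflict checks.

Added example for this thread; not code from the thread, from Gentoo or
from Juniper. Interface names are assumptions: br0 (LAN bridge from the
poster's ifconfig) and tun0 (hypothetical name for the VPN interface).
"""
import ipaddress


def overlaps(lan_net, vpn_nets):
    """Return [(lan, remote), ...] for every remote network that overlaps
    the LAN. Any hit means LAN hosts would treat remote addresses as local
    neighbours and the router would never see that traffic."""
    lan = ipaddress.ip_network(lan_net, strict=False)
    return [
        (str(lan), str(remote))
        for remote in (ipaddress.ip_network(n, strict=False) for n in vpn_nets)
        if lan.overlaps(remote)
    ]


def shadows_tunnel(vpn_nets, vpn_server):
    """Return the remote networks that contain the VPN server's public
    address. Routing those over the tunnel would send the tunnel's own
    packets into the tunnel, the symptom described at the top of the thread."""
    server = ipaddress.ip_address(vpn_server)
    return [
        str(remote)
        for remote in (ipaddress.ip_network(n, strict=False) for n in vpn_nets)
        if server in remote
    ]


def plan_vpn_forwarding(lan_net, vpn_nets, lan_if, vpn_if, vpn_server=None):
    """Return the shell commands that route lan_net to each remote network
    via vpn_if, MASQUERADE the LAN behind the VPN address, and allow only
    reply traffic back. Raises ValueError on either conflict above."""
    bad = overlaps(lan_net, vpn_nets)
    if bad:
        raise ValueError(f"LAN overlaps remote network(s): {bad}")
    if vpn_server is not None:
        shadowed = shadows_tunnel(vpn_nets, vpn_server)
        if shadowed:
            raise ValueError(f"remote network(s) {shadowed} contain the VPN server {vpn_server}")

    lan = ipaddress.ip_network(lan_net, strict=False)
    cmds = ["sysctl -w net.ipv4.ip_forward=1"]
    for remote in (ipaddress.ip_network(n, strict=False) for n in vpn_nets):
        cmds += [
            f"ip route replace {remote} dev {vpn_if}",
            # The VPN peer must only ever see the one address it assigned us.
            f"iptables -t nat -A POSTROUTING -s {lan} -d {remote} -o {vpn_if} -j MASQUERADE",
            # LAN hosts may open connections towards the remote network ...
            f"iptables -A FORWARD -s {lan} -d {remote} -i {lan_if} -o {vpn_if} -j ACCEPT",
            # ... and only replies to those connections may come back.
            f"iptables -A FORWARD -s {remote} -d {lan} -i {vpn_if} -o {lan_if} "
            "-m state --state ESTABLISHED,RELATED -j ACCEPT",
        ]
    return cmds


if __name__ == "__main__":
    # Constructed inputs: the poster's LAN and reported remote network,
    # with a placeholder public address for the VPN server.
    for cmd in plan_vpn_forwarding("192.168.0.0/24", ["172.18.0.0/16"],
                                   "br0", "tun0", vpn_server="198.51.100.10"):
        print(cmd)
```

The return-path rule is the point where this differs from the poster's current ruleset: replies from the remote network are admitted because they belong to a tracked connection, not because they happen to be addressed to the LAN.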