Post by jaquer on Jul 13, 2015 17:10:33 GMT
I think this is essentially the same as trying to do hairpin NAT/port reflection (i.e., not possible with SmallWall), but I figured I'd ask people smarter than me.
I've successfully setup the L2TP VPN and can connect to it from both my Android phone and my laptop.
Now I'm trying to set up always-on VPN on my Android phone. One of the requisites for that is specifying the server address by IP, not hostname. I suppose it's because the nameserver is not available while making the connection.
This presents a problem when I get home, and the phone connects to the WiFi network. At that point, it tries to recreate the L2TP tunnel to the WAN address, and obviously fails.
I've also tried specifying two server IPs in the Android configuration (WAN, then LAN) without success.
I appreciate any help or insight.
Post by Lee Sharp on Jul 13, 2015 17:51:11 GMT
Actually, I do not think that is why it is failing. I believe it is failing because it is trying to connect to a subnet from a subnet it is on in the same range. Is your VPN IP Address range within your LAN? If so, it will fail since it is "routing" to itself.
Post by jaquer on Jul 13, 2015 18:33:26 GMT
Oh, it'd be awesome if that's the case. This is where my lack of networking knowledge is gonna start showing, but here are my details:
LAN IP: 192.168.128.1/24
DHCP Subnet: 192.168.128.0
Subnet mask: 255.255.255.0
DHCP range: 192.168.128.101-192.168.128.149
L2TP Server address: 192.168.128.46
L2TP Remote address range: 192.168.128.48/28
I tried to keep everything together to make it easier to manage. What changes would you recommend here? Thank you so much for your time.
edit: I should've looked at the logs too, huh? This is what's going on when I connect, with my external IP edited to be "aaa.bbb.ccc.ddd": sprunge.us/KZXE
Post by Lee Sharp on Jul 13, 2015 23:48:06 GMT
Try with the L2TP subnet at 192.168.129.46 and 192.168.129.48/28 and see if it works. I like having it on the "local subnet" myself, but if your WiFi is there as well, you may have to do this. Alternatively, sit your WiFi on an unused firewall port, and keep it separate from your LAN. Allows captive portal without having to bother on the desktops, and keeps my visitors from seeing my shared directories...
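To make the overlap Lee describes concrete, here is an added check (not from the thread or from SmallWall) that runs jaquer's address plan through Python's ipaddress module and reports where the L2TP pool and server address land inside the LAN; it only flags address-plan collisions and says nothing about other reasons a tunnel might fail.

```python
import ipaddress

# Address plan quoted from the posts above (constructed test input).
ORIGINAL_PLAN = {
    "lan": "192.168.128.1/24",
    "dhcp_start": "192.168.128.101",
    "dhcp_end": "192.168.128.149",
    "l2tp_server": "192.168.128.46",
    "l2tp_pool": "192.168.128.48/28",
}


def check_l2tp_layout(lan, dhcp_start, dhcp_end, l2tp_server, l2tp_pool):
    """Return a list of findings where the L2TP address plan collides
    with the LAN. An empty list means no overlap was found."""
    lan_net = ipaddress.ip_network(lan, strict=False)   # host bits tolerated
    pool = ipaddress.ip_network(l2tp_pool, strict=False)
    server = ipaddress.ip_address(l2tp_server)
    lo, hi = ipaddress.ip_address(dhcp_start), ipaddress.ip_address(dhcp_end)

    findings = []
    # A LAN client already has a directly connected route to the pool, so
    # traffic for a VPN peer is "routed" to the local segment, not the tunnel.
    if lan_net.overlaps(pool):
        findings.append("l2tp_pool_inside_lan")
    # The server's tunnel-side address has the same problem.
    if server in lan_net:
        findings.append("l2tp_server_inside_lan")
    # Two services handing out the same addresses is a separate collision.
    if any(lo <= addr <= hi for addr in pool):
        findings.append("l2tp_pool_overlaps_dhcp")
    if server in pool:
        findings.append("l2tp_server_inside_pool")
    return findings


def check_plan(plan):
    """Convenience wrapper for a plan given as a dict of strings."""
    return check_l2tp_layout(**plan)


if __name__ == "__main__":
    print(check_plan(ORIGINAL_PLAN))
    moved = dict(ORIGINAL_PLAN, l2tp_server="192.168.129.46",
                 l2tp_pool="192.168.129.48/28")   # Lee's suggested layout
    print(check_plan(moved))
```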
Post by jaquer on Jul 14, 2015 2:01:02 GMT
> Try with the L2TP subnet at 192.168.129.46 and 192.168.129.48/28 and see if it works. I like having it on the "local subnet" myself, but if your WiFi is there as well, you may have to do this.
No luck. Can't connect to it when connected to the local network already. No worries, I can just connect it by hand, just thought it'd be cool to be able to "set it and forget it".
> Alternatively, sit your WiFi on an unused firewall port, and keep it separate from your LAN. Allows captive portal without having to bother on the desktops, and keeps my visitors from seeing my shared directories...
I used to do exactly this, but sometimes I do want access to local resources from WiFi. I know I can whitelist certain clients and give them different IPs, etc., but at this point in my life, I'm trying to simplify things.
Post by Lee Sharp on Jul 14, 2015 3:25:25 GMT
Hmmm... It may be an IPSEC limitation. I will look into it.