> I've a corporate laptop that uses Forticlient to establish a VPN
> connection to corporate resources.
> When working at home, when this corporate laptop is connected through the ISP
> router, there's no problem connecting to the VPN server.
> Now, I'm setting up my own OpenBSD 7.7 amd64 router/firewall.
>
> Using simple NAT rules, other systems can connect fine to the Internet, also
> the corporate laptop can connect fine for everything except the VPN resources.
> When I try to connect the VPN, Forticlient 2.7.8.1140 returns:
> "a network error prevented updates from being downloaded".
So, if the VPN isn't forming, then the amount of traffic should be really small, so if you know which IP the VPN server has it should be trivial to tcpdump that traffic on the firewall to see what traffic it does try to send:

    # tcpdump -n -i <external-interface-name> dst <ip-or-hostname-of-vpn-server>

and then start the client.

Perhaps it is as Lloyd said, doing IPsec, in which case NAT is kind of special, at least for IPsec implementations that want IKE source ports to be udp/500, since behind NAT that might be hard to guarantee. But it would definitely show on the tcpdump whether it only talks TCP on port 443/10443 for "ssl-vpn" or if it in fact is talking IPsec, in which case it would be sending UDP to port 500 on the remote IP.

Lloyd's hint on logging in PF and seeing which rule (if any) blocks the traffic is not a bad idea either. (See https://man.openbsd.org/pflogd and https://www.openbsd.org/faq/pf/logging.html for more info on that.)

-- 
May the most significant bit of your life be positive.
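As an added illustration of the two suggestions above (this is not the poster's own config, nor anything from the thread), here is a pf.conf sketch for an OpenBSD router that logs blocked packets, logs the outbound VPN attempts so pflog shows whether the client speaks SSL-VPN (tcp 443/10443) or IPsec (udp 500/4500), and keeps the IKE source port intact for NATed IPsec clients. Interface names em0/em1 and the 192.168.1.0/24 LAN are assumptions.

```pf
# Added example, not from the thread. Assumed names:
#   em0 = external (ISP-facing) interface
#   em1 = LAN interface
#   192.168.1.0/24 = LAN network
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"

set skip on lo

# Log every blocked packet. Afterwards:
#   tcpdump -n -e -ttt -i pflog0            (live)
#   tcpdump -n -e -ttt -r /var/log/pflog    (recorded by pflogd)
# shows the rule number and direction of each blocked packet.
block log all

# General NAT for the LAN: source ports are rewritten as usual.
match out on $ext_if inet from $lan_net to any nat-to ($ext_if)

# IKE (udp/500) and NAT-T (udp/4500) keep their source port so the remote
# IPsec gateway sees the ports it expects. This rule comes after the general
# one because the last matching "match" rule decides the nat-to options.
match out on $ext_if inet proto udp from $lan_net to any port { 500 4500 } \
    nat-to ($ext_if) static-port

pass in  on $int_if inet from $lan_net to any
pass out on $ext_if inet from ($ext_if) to any

# Log the candidate VPN flows so pflog reveals which transport the client
# actually uses. Placed last so these (not the general pass) are the final
# matching rules for this traffic and the log flag is kept.
pass out log on $ext_if inet proto tcp from any to any port { 443 10443 }
pass out log on $ext_if inet proto udp from any to any port { 500 4500 }
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`.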

