On Sun, 21 Sep 2025 02:13:34 +0000, Lloyd <[email protected]> wrote:
| Luis Mendes wrote:
|
| > Did as suggested, here's some output of the log moments after I tried
| > to start the vpn.
| >
| > 192.168.1.12 -> internal ip of the corporate laptop
| >
| > 17.7.7.7 -> redacted external IP of OpenBSD router.
| >
| >
| > There are some UDP port 500 connection tries, like:
| > Sep 19 23:11:26.369581 rule 13/(match) block out on re0: 17.7.7.7 >
| > 74.113.97.82: icmp: 17.7.7.7 udp port 500 unreachable
| >
| > The full log, as I'm unsure what more to look for.
| >
| Try running:
|
| # pfctl -s rules -R 13
|
| and should give you your answer.
|
| I noticed your rules e.g.:
|
| pass out on re0 inet from 192.168.1.0 to any flags S/SA nat-to (re0) round-robin
|
| are missing a netmask on the IP. Shouldn't there be a "/24" or other on the end?
|
| Regards
| Lloyd

Hi Lloyd,

Thank you for your help. I appreciate that you are teaching me how to fish, instead of giving me the fish!

Based on the suggestion, I included the destination IP on the rules, so that now I have:

pass in on re0 inet proto udp from any port = 500 to 192.168.1.12
pass in on re0 inet proto udp from any port = 4500 to 192.168.1.12
pass in on re0 inet proto esp from any to 192.168.1.12
pass in on re0 inet proto ah from any to 192.168.1.12

And it worked, I could connect the Forticlient.

But, then, I tried to disable the rule regarding AH

pass in on $ext_if inet proto ah from any to $corporate

Then did the same for port 4500, then for 500. Did also two or three reboots to the corporate system. Did this to streamline those four rules to just the ones that are needed.

What happens is that sometimes the Forticlient connects to the servers, sometimes it says that some server is unreachable, and I cannot figure out the logic of it, unless something is variable.

For example, I connect the Forticlient, it establishes a connection. I stop it. Try to connect again, but no success. Wait several minutes, no success still. Wait some more and it connects.

Do you have an idea about what is happening?

PS. There are several undelivered emails from me to your proton email server.

Luís
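As an added example (not part of the thread, and not from either poster): a small script that walks `tcpdump -i pflog0` style lines like the one quoted above, counts blocked packets per rule number, direction and interface so each rule can be looked up with `pfctl -s rules -R <n>`, and pulls out the ports that ICMP unreachable messages report. The sample log lines are constructed, modelled on the quoted line and using the thread's redacted addresses.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n -e -ttt -i pflog0` output, modelled on the
# line quoted in the thread (not a real capture).
SAMPLE_LOG = """\
Sep 19 23:11:26.369581 rule 13/(match) block out on re0: 17.7.7.7 > 74.113.97.82: icmp: 17.7.7.7 udp port 500 unreachable
Sep 19 23:11:27.102233 rule 13/(match) block out on re0: 17.7.7.7 > 74.113.97.82: icmp: 17.7.7.7 udp port 4500 unreachable
Sep 19 23:11:28.000100 rule 7/(match) pass in on re0: 74.113.97.82.500 > 192.168.1.12.500: udp 264
Sep 19 23:11:29.500000 rule 13/(match) block out on re0: 192.168.1.12.4500 > 74.113.97.82.4500: udp 120
"""

# Matches the pflog line shape: timestamp, "rule N/(reason)", action, direction,
# interface, then "src > dst: payload".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) rule (?P<rule>\d+)/\((?P<reason>[^)]+)\) "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\S+) > (?P<dst>[^:]+): (?P<payload>.*)$"
)

def parse_pflog(text):
    """Return one dict per parsable line; lines that do not match are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["rule"] = int(ev["rule"])
        # First payload token is the protocol as tcpdump prints it (udp, icmp, esp, ...).
        ev["proto"] = ev["payload"].split()[0].rstrip(":")
        # For ICMP unreachable errors, the port named in the message is the useful detail.
        pm = re.search(r"(udp|tcp) port (\d+) unreachable", ev["payload"])
        ev["unreachable_port"] = int(pm.group(2)) if pm else None
        events.append(ev)
    return events

def summarize_blocks(events):
    """Blocked packets per (rule, direction, interface): each key's rule number is what
    `pfctl -s rules -R <n>` resolves to the matching pf.conf rule."""
    return Counter((e["rule"], e["dir"], e["iface"]) for e in events if e["action"] == "block")

def unreachable_ports(events):
    """Sorted set of ports reported unreachable (IKE 500 and NAT-T 4500 in the sample)."""
    return sorted({e["unreachable_port"] for e in events if e["unreachable_port"] is not None})

if __name__ == "__main__":
    evs = parse_pflog(SAMPLE_LOG)
    for (rule, direction, iface), n in sorted(summarize_blocks(evs).items()):
        print(f"rule {rule} block {direction} on {iface}: {n} packet(s) -> pfctl -s rules -R {rule}")
    print("ports reported unreachable:", unreachable_ports(evs))
```

Feed it a real capture with `tcpdump -n -e -ttt -i pflog0 | python3 pflog_summary.py` after replacing `SAMPLE_LOG` with `sys.stdin.read()`.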

