[lug] openvpn & linksys router question

Bear Giles bgiles at coyotesong.com
Sun Jul 9 16:30:21 MDT 2006

David L. Anselmi wrote:

> Bear Giles wrote:
>> BTW, the vpn traffic is UDP packets with identical source and 
>> destination ports.
> Are you sure?  That would be one duplex socket.  But two simplex 
> sockets would work the same way (each box sends to 1194 from a random 
> port). But even if only 1194 is used for source and destination, the 
> Linksys probably NATs the outgoing packets and changes the source port.

Ethereal says that both ports are 1195.  I don't know that the linksys 
doesn't change the port, but I do know that I can ping from the 'home' 
side once the 'office' side has opened the door.

> How do you know only the office can initiate?  (I believe you, just 
> don't have a P-t-P setup to see for myself.)  Can you isolate the 
> initiation so that it always happens on one side or the other (e.g., 
> start one, wait for it to give up on initiating, then start the other)?

Yes, it definitely always fails when I first attempt to connect from 
'home', definitely always succeeds when I attempt to connect from 
'office'.  Once the latter has happened, I can initiate freely from home 
until the VPN session times out.  (The home-based traffic doesn't appear 
to be updating timers.)

> If this is an odd interaction between P-t-P and NAT it would be worth 
> Googling for and pointing out to Jim Yonan.  Maybe he can put in a 
> workaround, or at least update the docs (which seem sparse on P-t-P) 
> to say "don't do that".
> Dave
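Dave's point that the Linksys NATs the outgoing packets and rewrites the source port, together with Bear's observation that only the office side can open the door and that home-originated traffic does not refresh the timers, can be replayed against a small model of a NAT binding table. This is an added example, not code from the thread or from OpenVPN; it assumes the office box is the one behind the NAT, that the NAT admits inbound UDP only for an existing binding, and that only outbound packets refresh the idle timer (all assumptions, with constructed addresses).

```python
# Toy model of a UDP NAT binding table, constructed to show why a point-to-point
# link may only come up when the NATed side sends first.  Assumptions (not in the
# thread): the 'office' box sits behind a NAT that rewrites the UDP source port,
# passes inbound packets only for an existing binding, and refreshes the idle
# timer on outbound packets only.

class Nat:
    def __init__(self, public_addr, idle_timeout):
        self.public_addr = public_addr
        self.idle_timeout = idle_timeout
        self.next_port = 40000      # first translated source port handed out
        self.bindings = {}          # (inside, peer) -> [public_port, last_outbound]
        self.by_public = {}         # (public_port, peer) -> (inside, peer)

    def outbound(self, src, dst, now):
        """Translate a packet leaving the inside; create or refresh its binding."""
        key = (src, dst)
        if key not in self.bindings:
            self.bindings[key] = [self.next_port, now]
            self.by_public[(self.next_port, dst)] = key
            self.next_port += 1
        else:
            self.bindings[key][1] = now     # only outbound traffic refreshes the timer
        return (self.public_addr, self.bindings[key][0]), dst

    def inbound(self, src, dst, now):
        """Return (src, inside_dst) if a live binding matches, else None (dropped)."""
        key = self.by_public.get((dst[1], src))
        if key is None:
            return None
        public_port, last = self.bindings[key]
        if now - last > self.idle_timeout:          # binding idled out
            del self.bindings[key]
            del self.by_public[(public_port, src)]
            return None
        return src, key[0]

def scenario():
    """Replay the thread's observation against the model; returns a dict of outcomes."""
    nat = Nat("203.0.113.1", idle_timeout=60)  # constructed documentation addresses
    office = ("10.0.0.2", 1195)                # inside the NAT; port 1195 as in the thread
    home = ("198.51.100.7", 1195)              # public peer
    r = {}
    # home tries first: no binding yet, so the NAT drops the packet
    r["home_first"] = nat.inbound(home, ("203.0.113.1", 1195), now=0) is not None
    # office sends: binding created and the source port is rewritten
    pub_src, _ = nat.outbound(office, home, now=10)
    r["translated_port"] = pub_src[1]
    # home can now reach office through the translated port
    r["home_after"] = nat.inbound(home, pub_src, now=20) is not None
    # home keeps talking, but inbound packets do not refresh the timer
    nat.inbound(home, pub_src, now=60)
    r["home_expired"] = nat.inbound(home, pub_src, now=80) is not None
    return r
```

Comparing `translated_port` with what Ethereal shows on the far side is the quick way to tell whether a NAT in the path is rewriting the source port.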

