weird openfortivpn issue

[juniper]

I have two computers: machine 1 (laptop) and machine 2 (desktop).

Both are running gentoo.
Both have the same version of openfortivpn
Both have the same version of ppp
Both have the same version of ssh
AFAIK, all relevant config files are the same (/etc/ppp/options and /etc/openfortivpn/config).

I need this vpn to ssh to computers. The trouble is that it works from machine 1 but not from machine 2. The output in machine 2 is not useful. openfortvpn -v says the tunnel is up and running. the trouble is that ssh is never able to talk to the relevant computers.

Here are the differences that I can see with the computers.

1) While both are running modern kernels, the one that works is running gentoo-kernel-bin, while the one that doesn't is running gentoo-sources.
2) The one that works is connecting to the internet via wifi. The one that doesn't is wired.
3) ssh definitely works on the machine that's having trouble (I am able to ssh from machine 2 to machine 1).

Annoying. Any help would be appreciated.

[mvaterlaus]

Hi juniper,
do you use the same username / login for both machines? Do you use them at the same time? Do you have the same IP Address assigned on both machines?

We do also use Forti SSL VPN in our company. The VPN is very restricted, so with my IP i can only connect to my workstation at work. So it could be a firewalling issue.


Greetings
_________________
For calming down your eyes or clearing your mind: www.patrickwehli.ch

[Hu]

I suggest you start with the standard network diagnostics:

• For each machine, what happens when you ping a peer on the far side of the VPN?
• When you try to connect to the sshd on the far side of the VPN, exactly what is the failure mode? Timeout? Connection refused immediately via TCP RST? TCP handshake completes, but no data is transferred?
• When the bad client tries to connect, what does the server see? Does the TCP SYN reach the server? Does the server sshd know you tried, and log that you failed?
• For each machine, can you get any non-ssh TCP service from the remote end, such as reading a status page from an http server?

[juniper]

[Hu]

Your responses suggest to me that no traffic traverses the remote VPN gateway. The remaining question then would be whether the traffic arrives at the remote VPN gateway, and is dropped there, or never arrives at all. Have you confirmed that the bad client machine sends traffic over the VPN interface to the remote gateway? Have you checked the remote VPN gateway's firewall configuration for whether it allows the traffic?

[juniper]

Hi all,

I never resolved this problem.

again, two machines with identical setups for openfortivpn.

I didn't see a question above.

@mvaterlaus: yes, I use the same username on both machines. Because of your question, I created a new user on the machine that's not working and tried to login with that user. No dice. Also I can't use openfortivpn twice from two separate computers. The host will disconnect the one that connected first. Anyway, that isn't the problem because the one that won't connect won't connect even if it is the only one trying to connect.

@Hu: I am not sure how to check this because I don't have root privileges on the host machine. However, it is a linux machine. But your question suggests maybe you misunderstood me. One of my machines can connect just fine. So I don't think it is a problem on the host end (or, more precisely, the problem isn't that no machine can connect. It may be discriminating between machines).

One other piece of data: I was thinking that difference 2) above (one is on wifi while the other is wired) might be the critical difference. no dice. I changed the setting on the machine that works to use a wired connections and it still works.

[mvaterlaus]

How do you start openfortivpn? Can you start it manually, with verbose output enabled?

[Hu]