Configure VPN Gateway

From Nearline Storage

Revision as of 21:53, 4 December 2014

When I moved my edge router onto commercial hardware, replacing a custom-configured Linux box, I lost the ability to connect my whole network to the IBM intranet through a VPN. Here's how I restored that connectivity.

Install VPN software on a "gateway" system on my network

I use the openconnect package to connect to the IBM Cisco VPN service. The configuration includes:

Create a systemd service to start and stop the VPN connection

I created the /usr/local/bin/ibm-cisco-vpn script on the gateway machine to control openconnect, and /usr/lib/systemd/system/ibm-cisco-vpn.service to define it to systemd, so that the tunnel can be started, stopped and enabled at boot with systemctl.
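The following is an added example of what such a wrapper script and unit can look like; it is not the page's own ibm-cisco-vpn script. The VPN endpoint, account name, tun interface name and the location of the password file are assumptions; the vpnc-script path and unit path are the page's. The one security point it adds is that the password is read from a root-only file and fed to openconnect on stdin, never placed on the command line where any local user could read it from the process list.

```shell
#!/bin/sh
# /usr/local/bin/ibm-cisco-vpn (example): wraps openconnect so a systemd
# unit can start and stop the tunnel. Not the page's script; server,
# user, interface and secret-file names below are assumed.
set -eu

VPN_SERVER="${VPN_SERVER:-vpn.example.com}"                  # assumed endpoint
VPN_USER="${VPN_USER:-gateway-user}"                         # assumed account
VPN_AUTHGROUP="${VPN_AUTHGROUP:-}"                           # assumed; empty = not passed
VPN_SCRIPT="${VPN_SCRIPT:-/etc/vpnc/ibm-cisco-vpn-script}"   # the page's modified vpnc-script
VPN_IFACE="${VPN_IFACE:-tun-ibm}"                            # assumed fixed tun name
VPN_SECRET="${VPN_SECRET:-/etc/ibm-cisco-vpn.secret}"        # assumed root-only password file

# Refuse to start if the password file is readable by anyone but root.
# The password is fed to openconnect on stdin (--passwd-on-stdin) rather
# than on the command line, where every local user could read it from ps.
check_secret_perms() {
    [ -f "$1" ] || { echo "missing secret file $1" >&2; return 1; }
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$1 is mode $mode; expected 600 or 400" >&2; return 1 ;;
    esac
}

# Assemble the openconnect arguments and pass them to "$1" as positional
# parameters (POSIX sh has no arrays).
with_vpn_args() {
    cb="$1"
    set -- --interface="$VPN_IFACE" --script="$VPN_SCRIPT" \
           --user="$VPN_USER" --passwd-on-stdin --non-inter
    [ -z "$VPN_AUTHGROUP" ] || set -- "$@" --authgroup="$VPN_AUTHGROUP"
    "$cb" "$@" "$VPN_SERVER"
}

print_args() { printf '%s\n' "$@"; }
run_openconnect() { exec openconnect "$@" < "$VPN_SECRET"; }

vpn_cmdline() { with_vpn_args print_args; }   # one argument per line, for review

vpn_start() {
    check_secret_perms "$VPN_SECRET"
    # exec so the unit's main PID is openconnect itself: "systemctl stop"
    # then delivers SIGTERM straight to it and it tears the tunnel down
    # (running the vpnc-script with reason=disconnect) before exiting.
    with_vpn_args run_openconnect
}

# The matching unit, /usr/lib/systemd/system/ibm-cisco-vpn.service
vpn_unit_file() {
    cat <<'EOF'
[Unit]
Description=openconnect tunnel to the IBM intranet
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
ExecStart=/usr/local/bin/ibm-cisco-vpn start
Restart=on-failure
RestartSec=15

[Install]
WantedBy=multi-user.target
EOF
}

case "${1:-}" in
    start)   vpn_start ;;
    cmdline) vpn_cmdline ;;
    unit)    vpn_unit_file ;;
    "")      ;;                       # no verb: only define the functions
    *)       echo "usage: $0 start|cmdline|unit" >&2; exit 2 ;;
esac
```

Because the script execs openconnect, the unit needs no ExecStop: systemd's SIGTERM reaches openconnect directly and it disconnects cleanly. The password still sits in clear text on the gateway; the file permission check limits who can read it but does not remove that exposure.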

Modify the nameserver configuration on the gateway system

The gateway system is the primary nameserver on my network. I added forward zone definitions to its configuration so that my other systems can resolve IBM intranet host names through it. The definitions live in /etc/named.forwarded.zones, which is included from the main /etc/named.conf.

Create a modified vpnc-script that does not touch /etc/resolv.conf

openconnect runs vpnc-script when the tunnel comes up and goes down, and the stock script rewrites /etc/resolv.conf with the nameservers the VPN hands out. On the gateway that would point the gateway's own resolution away from the local named, so I modified two variables in /etc/vpnc/ibm-cisco-vpn-script to disable that step.
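As an added example for the two DNS steps above (it is not the page's script), the following hook generates /etc/named.forwarded.zones from the values openconnect exports to its script (CISCO_DEF_DOMAIN and INTERNAL_IP4_DNS) instead of letting resolv.conf be rewritten. Assumptions: the hook is installed as openconnect's --script and itself calls the page's modified vpnc-script; named is reloaded with rndc; the domain and server addresses in the checks are constructed. The page does not say which two variables it changed; in upstream vpnc-script the resolv.conf handlers are selected through MODIFYRESOLVCONF and RESTORERESOLVCONF, but that mapping is an assumption here. The values come from the VPN concentrator, so the hook validates them before writing them into named's configuration.

```shell
#!/bin/sh
# Example (not the page's script): build /etc/named.forwarded.zones from
# the DNS servers openconnect hands to its --script hook, so the gateway's
# own /etc/resolv.conf can keep pointing at the local named. Domain and
# server addresses are constructed; the hook layout, the modified
# vpnc-script path and the use of rndc/named-checkconf are assumed.
set -eu

ZONES_FILE="${ZONES_FILE:-/etc/named.forwarded.zones}"                          # from the page
MODIFIED_VPNC_SCRIPT="${MODIFIED_VPNC_SCRIPT:-/etc/vpnc/ibm-cisco-vpn-script}"  # from the page

# Accept only dotted-quad IPv4 addresses. These values come from the VPN
# concentrator, so they are validated before being written into named's
# configuration instead of pasted in verbatim.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Hostnames only: letters, digits, dots and hyphens.
is_domain() {
    case "$1" in
        ""|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
}

# Print a forward-only zone stanza: forward_zone_stanza DOMAIN SERVER...
forward_zone_stanza() {
    domain="$1"; shift
    is_domain "$domain" || { echo "rejecting domain '$domain'" >&2; return 1; }
    [ $# -ge 1 ] || { echo "no forwarders for $domain" >&2; return 1; }
    fwd=""
    for s in "$@"; do
        is_ipv4 "$s" || { echo "rejecting forwarder '$s'" >&2; return 1; }
        fwd="$fwd $s;"
    done
    printf 'zone "%s" {\n    type forward;\n    forward only;\n    forwarders {%s };\n};\n' \
        "$domain" "$fwd"
}

# Build the zones file from what openconnect exports to its script:
# CISCO_DEF_DOMAIN (the VPN's default domain) and INTERNAL_IP4_DNS
# (its nameservers, space separated). Writes to stdout.
zones_from_vpn_env() {
    domain="${CISCO_DEF_DOMAIN:-}"
    servers="${INTERNAL_IP4_DNS:-}"
    if [ -z "$domain" ] || [ -z "$servers" ]; then
        echo "VPN supplied no domain or DNS servers; leaving $ZONES_FILE alone" >&2
        return 1
    fi
    # word-splitting $servers is intended here
    forward_zone_stanza "$domain" $servers
}

# openconnect --script hook: run the page's modified vpnc-script (routes
# up/down, resolv.conf untouched), then on connect regenerate the forward
# zones and reload named. openconnect passes the event in $reason.
vpn_script_hook() {
    "$MODIFIED_VPNC_SCRIPT"
    [ "${reason:-}" = connect ] || return 0
    tmp=$(mktemp)
    if zones_from_vpn_env > "$tmp" && named-checkconf "$tmp"; then
        chmod 644 "$tmp"          # mktemp gives 600, which named could not read
        mv "$tmp" "$ZONES_FILE"
        rndc reload
    else
        rm -f "$tmp"
        return 1
    fi
}

case "${1:-}" in
    hook)   vpn_script_hook ;;      # openconnect --script='/usr/local/bin/ibm-vpn-dns hook'
    render) zones_from_vpn_env ;;
    "")     ;;                      # no verb: only define the functions
    *)      echo "usage: $0 hook|render" >&2; exit 2 ;;
esac
```

If the VPN hands out no DNS servers, the hook leaves the existing zones file in place rather than writing an empty one, and a forwarder that is not a plain IPv4 address is rejected rather than interpolated into named.conf.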

Configure static routes on my default router that direct IBM traffic to the VPN gateway

I use a Belkin/Linksys LRT214 router at the edge of my network. The only facility it offers for setting static routes is a forms-based UI that takes them one at a time, so I wrote a setVPNStaticRoutes script that drives that interface and enters all of the static routes I need in one go. Only the IBM prefixes are routed to the gateway; everything else keeps using the router's default route. The gateway itself also has to forward packets between the LAN and the tunnel (net.ipv4.ip_forward=1 on Linux) for this to work.
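An added example of the preparation step such a script has to do before it can fill in the router's form (this is not the page's setVPNStaticRoutes, and the part that submits the form to the LRT214 is not reproduced): turning a list of CIDR prefixes into the destination, netmask and gateway fields a consumer router asks for, each pointed at the VPN gateway's LAN address. The prefixes and the gateway address are constructed. It also refuses a destination whose host bits are not zero, which is the kind of typo that silently produces a route nobody matches.

```shell
#!/bin/sh
# Example (not the page's setVPNStaticRoutes): turn a list of intranet
# prefixes into the destination/netmask/gateway rows a consumer router's
# static-route form asks for, each pointing at the VPN gateway's LAN
# address. Prefixes and addresses are constructed; submitting the rows to
# the LRT214's web UI is not reproduced here.
set -eu

VPN_GATEWAY_LAN_IP="${VPN_GATEWAY_LAN_IP:-192.168.1.10}"   # assumed address of the openconnect host

# Dotted quad -> 32-bit integer
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || { echo "bad address" >&2; return 1; }
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length -> dotted-quad netmask, e.g. 18 -> 255.255.192.0
prefix_to_netmask() {
    p="$1"
    [ "$p" -ge 0 ] && [ "$p" -le 32 ] || { echo "bad prefix length '$p'" >&2; return 1; }
    mask=""
    for i in 1 2 3 4; do
        if [ "$p" -ge 8 ]; then
            octet=255; p=$((p - 8))
        else
            octet=$(( (255 << (8 - p)) & 255 )); p=0
        fi
        mask="${mask}${mask:+.}${octet}"
    done
    echo "$mask"
}

# One "destination netmask gateway" row per CIDR, refusing a destination
# with host bits set (10.20.1.5/16 is a typo that would misroute quietly).
route_rows() {
    for cidr in "$@"; do
        net="${cidr%/*}"; len="${cidr#*/}"
        [ "$net" != "$cidr" ] || { echo "missing /length in $cidr" >&2; return 1; }
        mask=$(prefix_to_netmask "$len")
        n=$(ip_to_int "$net")
        hostbits=$(( n & ((1 << (32 - len)) - 1) ))
        [ "$hostbits" -eq 0 ] || { echo "$cidr: $net is not the network address" >&2; return 1; }
        printf '%s %s %s\n' "$net" "$mask" "$VPN_GATEWAY_LAN_IP"
    done
}

case "${1:-}" in
    rows) shift; route_rows "$@" ;;   # e.g. rows 10.20.0.0/16 172.16.8.0/22
    "")   ;;                           # no verb: only define the functions
    *)    echo "usage: $0 rows CIDR..." >&2; exit 2 ;;
esac
```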

Adjust the MTU on the network systems that will use this connection

The MTU of the VPN connection is 1355. With my other systems left at 1500 the connection does not work properly: pings succeed, but web pages don't fully render, Notes cannot replicate, and so on. That pattern is the signature of an MTU problem: a default-sized ping fits inside the tunnel, while full-size 1500-byte TCP segments do not, and path MTU discovery is not correcting for it. To fix this I used the ip command to change the MTU temporarily and the system network setting to make it permanent. Any value at or below 1355 works; the 1300 below leaves some headroom.

To display the properties of all interfaces - ip link list
To set the MTU - ip link set dev eth0 mtu 1300
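An added example (not from the page) of how to confirm the tunnel MTU from a client and to apply a safe value; it also shows an alternative that is done once on the gateway rather than on every client. The 1355 figure is the page's; the interface name, NetworkManager connection name, probe host and the gateway's tun interface name are assumptions. The DF-bit probe uses Linux iputils ping (-M do).

```shell
#!/bin/sh
# Example (not from the page): MTU checks for hosts that reach the intranet
# through the VPN gateway. The tunnel MTU of 1355 is the page's figure; the
# interface, NetworkManager connection name, probe host and tun interface
# name are assumed.
set -eu

TUNNEL_MTU="${TUNNEL_MTU:-1355}"
IFACE="${IFACE:-eth0}"
NM_CONNECTION="${NM_CONNECTION:-Wired connection 1}"         # assumed
PROBE_HOST="${PROBE_HOST:-intranet-host.example.com}"        # assumed; a host behind the tunnel
TUN_IFACE="${TUN_IFACE:-tun0}"                               # assumed name of openconnect's interface on the gateway

# Largest ICMP echo payload that fits one packet of the given MTU
# (20 bytes IPv4 header + 8 bytes ICMP header).
probe_payload_for_mtu() {
    echo $(( $1 - 28 ))
}

# A host MTU is safe if it does not exceed the tunnel MTU; the page's
# 1300 qualifies, and so would anything up to 1355.
mtu_fits_tunnel() {
    [ "$1" -le "$TUNNEL_MTU" ]
}

# Probe with DF set (Linux iputils ping): a payload sized for the tunnel
# must get through and one byte more must not. This is the page's symptom
# made explicit: a default 56-byte ping always fits, a 1500-byte TCP
# segment never does.
check_path_mtu() {
    fits=$(probe_payload_for_mtu "$TUNNEL_MTU")
    ping -c 1 -M do -s "$fits" "$PROBE_HOST" >/dev/null 2>&1 || return 1
    ! ping -c 1 -M do -s "$((fits + 1))" "$PROBE_HOST" >/dev/null 2>&1
}

# Commands to apply the MTU now and persist it under NetworkManager,
# printed rather than executed so they can be reviewed, then run as root.
mtu_commands() {
    mtu_fits_tunnel "$1" || { echo "MTU $1 exceeds tunnel MTU $TUNNEL_MTU" >&2; return 1; }
    echo "ip link set dev $IFACE mtu $1"
    echo "nmcli connection modify '$NM_CONNECTION' 802-3-ethernet.mtu $1"
}

# Alternative done once on the gateway instead of on every client: clamp
# the TCP MSS of forwarded connections to the tunnel's path MTU. Covers
# TCP only; UDP-based protocols still need a correct client MTU.
mss_clamp_command() {
    echo "iptables -t mangle -A FORWARD -o $TUN_IFACE -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
}

case "${1:-}" in
    probe) check_path_mtu && echo "path MTU is $TUNNEL_MTU as expected" ;;
    set)   mtu_commands "${2:-1300}" ;;
    clamp) mss_clamp_command ;;
    "")    ;;                         # no verb: only define the functions
    *)     echo "usage: $0 probe|set [mtu]|clamp" >&2; exit 2 ;;
esac
```

Run "probe" from a client with its MTU still at 1500 and the second ping should fail with a "message too long" or no reply at all, which is exactly the condition that breaks page loads and Notes replication while small pings keep working.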