Configure VPN Gateway

From Nearline Storage

When I moved my edge router onto commercial hardware, replacing a custom-configured Linux box, I lost the ability to connect my whole network to the intranet through a VPN. Here's how I restored that connectivity.

Install VPN software on a "gateway" system on my network

I use the openconnect package to connect to the VPN. The rest of the configuration consists of the steps below.

Create a systemd service to start and stop the VPN connection

I created the /usr/local/bin/ibm-cisco-vpn script on the gateway machine to start and stop openconnect, and the /usr/lib/systemd/system/ibm-cisco-vpn.service unit so that systemctl can manage it.

Modify the nameserver configuration on the gateway system

The gateway system is the primary nameserver on my network. I added forward-zone definitions to its configuration so that my systems can resolve IBM intranet host names through it. The definitions live in /etc/named.forwarded.zones, which is included from the main /etc/named.conf.

Create a modified vpnc-script that does not modify /etc/resolv.conf

I modified two variables in /etc/vpnc/ibm-cisco-vpn-script. The script writes out the IP addresses of the nameservers pushed by the VPN server, so that they can be copied into the nameserver configuration as forwarders.
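The nameserver handling in the two steps above, as an added example rather than the page's own script: openconnect runs the script named by --script with $reason set to connect or disconnect and, on connect, $INTERNAL_IP4_DNS holding the pushed nameservers. This version records those addresses, writes a BIND forward zone into the file included from named.conf, and never touches /etc/resolv.conf. The state directory, the zone name intranet.example and the assumption that rndc is configured are mine, not the page's.

```shell
#!/bin/sh
# Added example (not the page's own script): a minimal vpnc-script replacement
# for openconnect that records the DNS servers the VPN pushes and emits a BIND
# forward-zone fragment, without ever touching /etc/resolv.conf.
# STATE_DIR and VPN_DOMAIN below are assumptions; ZONE_FILE is the include
# file named on the page.
#
# openconnect calls the script with $reason set to connect/disconnect and, on
# connect, $INTERNAL_IP4_DNS holding the space-separated nameserver list.

STATE_DIR="${STATE_DIR:-/var/run/vpn-dns}"            # assumed location
ZONE_FILE="${ZONE_FILE:-/etc/named.forwarded.zones}"  # included from named.conf
VPN_DOMAIN="${VPN_DOMAIN:-intranet.example}"          # assumed zone name

# Turn "10.0.0.1 10.0.0.2" into "10.0.0.1; 10.0.0.2;" for a forwarders {} block.
# Anything that is not a dotted-quad address is rejected: the list comes from
# the VPN server and is written into the nameserver's config file.
format_forwarders() {
    out=""
    for ip in $1; do
        case "$ip" in
            *[!0-9.]*|"") echo "bad nameserver address: $ip" >&2; return 1 ;;
        esac
        out="$out $ip;"
    done
    printf '%s' "${out# }"
}

# Print a named.conf forward zone for $1 that forwards only to the servers in $2.
gen_forward_zone() {
    fwd=$(format_forwarders "$2") || return 1
    printf 'zone "%s" {\n    type forward;\n    forward only;\n    forwarders { %s };\n};\n' "$1" "$fwd"
}

# Dispatch on the reason openconnect passes; $2 is the zone, $3 the DNS list.
handle_vpnc_reason() {
    reason="$1"; zone="$2"; dns="$3"
    case "$reason" in
        connect)
            [ -n "$dns" ] || { echo "VPN pushed no DNS servers" >&2; return 1; }
            mkdir -p "$STATE_DIR"
            printf '%s\n' "$dns" > "$STATE_DIR/nameservers"
            gen_forward_zone "$zone" "$dns" > "$ZONE_FILE" || return 1
            ;;
        disconnect)
            : > "$ZONE_FILE"      # keep an empty include so named.conf stays valid
            rm -f "$STATE_DIR/nameservers"
            ;;
        *) return 0 ;;            # pre-init, reconnect, attempt-reconnect: nothing to do
    esac
    # Ask named to pick up the new forwarders; tolerate a missing or unreachable rndc.
    if command -v rndc >/dev/null 2>&1; then
        rndc reconfig >/dev/null 2>&1 || true
    fi
    return 0
}

# When invoked by openconnect (rather than sourced), act on its environment.
if [ -n "${reason:-}" ]; then
    handle_vpnc_reason "$reason" "$VPN_DOMAIN" "${INTERNAL_IP4_DNS:-}"
fi
```

Point openconnect at it with --script=/path/to/this-script; because it sets no routes itself, the rest of the stock vpnc-script behaviour (tun device, routes) still has to come from somewhere, so in practice you would call the distribution's vpnc-script from here or merge this into it. Note that IPv6 nameservers arrive in $INTERNAL_IP6_DNS and are deliberately ignored here.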

Configure static routes on my default router that direct IBM traffic to the VPN gateway

I use a Belkin/Linksys LRT214 router at the edge of my network. The only facility it offers for static routes is a forms-based web UI that takes them one at a time. I wrote a setVPNStaticRoutes script that drives this interface to set all of the static routes I need in one go.

Adjust the MTU on the network systems that will use this connection

The MTU of the VPN connection is 1355. With my other systems left at 1500, the connection does not work properly: pings succeed, but web pages don't fully render, Notes cannot replicate, and so on. To fix this I used the ip command to change the MTU temporarily and the system network settings to make it permanent.

To set the MTU on the fly (any value at or below the tunnel's 1355 works; I used 1300):

 ip link set dev eth0 mtu 1300
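An added alternative, not the approach on this page: rather than lowering the MTU on every client, clamp the TCP MSS on the gateway for traffic forwarded out through the tunnel, so clients keep 1500 and large TCP transfers still fit in 1355-byte packets. The script also probes a path with DF-set pings to confirm the largest MTU that actually gets through, which is the check to run before trusting the number the tunnel reports. The interface name tun0 is an assumption.

```shell
#!/bin/sh
# Added example (not the page's own procedure): clamp TCP MSS on the gateway
# for traffic leaving through the VPN tunnel, and probe a path with DF-set
# pings to confirm its working MTU. The tunnel interface name is an assumption.

VPN_IF="${VPN_IF:-tun0}"

# Largest TCP payload per segment that fits in an MTU-sized IPv4 packet
# (20-byte IP header + 20-byte TCP header, no options).
mss_for_mtu() {
    [ "$1" -gt 40 ] 2>/dev/null || { echo "MTU too small: $1" >&2; return 1; }
    echo $(( $1 - 40 ))
}

# Largest ICMP echo payload for "ping -s" that fits in an MTU-sized IPv4 packet
# (20-byte IP header + 8-byte ICMP header).
ping_payload_for_mtu() {
    echo $(( $1 - 28 ))
}

# Print the iptables rule that rewrites the MSS in SYN segments forwarded out
# through the tunnel, so LAN hosts need no per-host MTU change for TCP.
mss_clamp_rule() {
    mss=$(mss_for_mtu "$1") || return 1
    echo "iptables -t mangle -A FORWARD -o $VPN_IF -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss"
}

# Does a packet of MTU $1 reach host $2 without fragmentation? Uses Linux
# iputils ping with -M do (set DF) and a payload sized for that MTU.
mtu_fits() {
    ping -c 1 -W 2 -M do -s "$(ping_payload_for_mtu "$1")" "$2" >/dev/null 2>&1
}

# Binary-search the largest MTU in [lo, hi] that passes to $1 unfragmented.
probe_path_mtu() {
    host="$1"; lo="${2:-576}"; hi="${3:-1500}"
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if mtu_fits "$mid" "$host"; then lo=$mid; else hi=$(( mid - 1 )); fi
    done
    echo "$lo"
}

# "show" prints the rule for the page's tunnel MTU of 1355; "probe HOST" measures.
case "${1:-}" in
    show)  mss_clamp_rule 1355 ;;
    probe) probe_path_mtu "$2" ;;
esac
```

Clamping only helps TCP; UDP and ICMP packets larger than the tunnel MTU still rely on path MTU discovery or the per-host MTU change described above, and iptables also offers --clamp-mss-to-pmtu in place of a fixed --set-mss value when the tunnel MTU is not known in advance.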

Files

The software/ibm-cisco-vpn folder on the fileserver contains all the files mentioned here.