IPsec not working after change of HDA IP

[liamb]

I have been using the IPsec VPN app successfully for a few months, but particular known issue caused me to make a change to my HDA configuration, and now I can't get it all working nicely again.

Originally I had my HDA IP address set as 192.168.1.99. One of the locations that I regularly want to VPN in from also has the same IP address range, and therefore could not connect (similar to what was discussed here: http://forums.amahi.org/viewtopic.php?t=3316&f=3).

So, I ended up using the hda-change-gw command and changed my home network configuration so everything is now on 192.168.34.x. So far, so good (except the control panel on the Amahi website still shows the old IP address).

After that point, I had trouble trying to connect to the IPsec VPN, so I uninstalled/reinstalled the IPsec app and that allowed me to connect to the VPN, but network traffic doesn't seem to be actually routed through the VPN - I cannot connect to the HDA VNC server (connection refused), open /hda (Proxy Error), etc.

I love the single click installation of these apps, but there isn't any obvious way to look at any relevant settings/config files to check that simple things like the IP address of the HDA have been updated in the reinstall.

Any help would be greatly appreciated.

[bigfoot65]

Not sure if there is an easy solution here. The web site IP will not change. You would have to create a new HDA profile and enter the correct IP. That would also generate a new install code, thus requiring a new install.

I would say that since you changed the IP, there is a possibility that the VPN may not work. Have you been able to VPN to your HDA using a Windows or Linux client and OpenVPN?

There are some things that still need work and this is one area. We are aware, however with such a small all volunteer team, it is tough to get it all done. Our current focus is Fedora 16, but please feel free to file a feature request via bugs dot amahi dot org. Please be specific and provide details so when we get to it, we understand the requirement.

[liamb]

After a bit more playing around I got it!

The actual issue seems to be related to the 'split network' and 'split dns' functionality of the IPsec VPN app. Doing a bit more investigation I realised I could ping my HDA on 192.168.34.99 while connected to the VPN. Changing the VNC connection to connect to the actual IP address instead of 'hda' did the trick. Also, browsing to http://192.168.34.99/ worked.

I have now configured /etc/racoon/racoon.conf to bypass the split network and split dns, and it is all working again as it was (i.e. connecting VNC to 'hda' and browsing to http://hda/ works again.

For anyone else experiencing issues with the IPsec VPN app, might be worth trying routing all traffic through the VPN:

By default, the VPN will only route traffic destined for your home network via the VPN. General web traffic etc, will *not* be encrypted. To change this behaviour so that all network traffic from your client is routed via your VPN, edit /etc/racoon/racoon.conf and remove the lines beginning "split_network" and "split_dns". The restart racoon.

[bigfoot65]

Is this something worth adding to the wiki? Would like to capture solutions to common problems there so we can keep a central repository of documentation.

[liamb]

Is this something worth adding to the wiki? Would like to capture solutions to common problems there so we can keep a central repository of documentation.

I believe so, yes. The quote I used for re-routing all traffic via the VPN was from the OSX IPsec wiki page (https://wiki.amahi.org/index.php/IPSec_ ... S_X_Client), but it might be helpful to mention that it could be useful to make that configuration change if the user is experiencing problems on the main IPsec wiki page (https://wiki.amahi.org/index.php/IPsec_VPN).