3rd June 2013, 08:41 PM #1
SIMS Learning Gateway AD Provisioning - OpenVPN
We've been having some problems getting our OpenVPN connection to the hosted SLG systems to work - I get a 'TLS negotiation error' or words to that effect. I believe that boils down to the fact that it cannot contact the remote server (on port 1194).
Capita say it's something to do with our firewall/ISP filtering - we're with LGfL 2.0, and they assure me that the relevant port is open for the appropriate source and destination IPs.
My question is this: has anyone else had this problem, and what did it turn out to be? Am I on the right track with the firewall, or is there anything else I should be trying?
3rd June 2013, 09:46 PM #2
We've got three things set to ensure our HSLG works...
Persistent routes set on our SIMS server to ensure any OpenVPN communications pass through the correct network, a proxy bypass rule set up for two addresses, and ports opened on the LEA firewall.
Have you got all three?
3rd June 2013, 10:17 PM #3
There's no proxy config involved (LGfL proxy is transparent), the LEA say the ports are open, although I'm getting them to double-check that tomorrow. As for a persistent route, as the SIMS server is only on one network, I doubt that will change anything. However, I'm not feeling 100% today, so please correct me if I'm talking piffle.
Thanks for replying, btw!
4th June 2013, 09:11 AM #4
Ask LGfL if they're using packet acceleration or if they've swapped out any firewall gear recently. We had an issue last year (?) where the packet acceleration on a Check Point device at the LA/RBC was fragmenting the UDP keep-alives that OpenVPN uses after the initial handshaking.
The symptoms for us were VPN up, twiddle thumbs, VPN down, twiddle thumbs, VPN up and so on. It turns out the device at the LA/RBC shipped with packet acceleration turned on by default.
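The two failure modes in this thread look different in the OpenVPN client log, and telling them apart decides where to look: post #1's 'TLS negotiation error' with no connection ever established points at reachability (firewall rule, ISP filtering, wrong destination), while post #4's up/down cycling means the handshake succeeds and something after it (the keep-alive path) is breaking. The script below is an added example, not code from the thread or from Capita/LGfL; it triages constructed log lines written in the timestamp-plus-message format OpenVPN uses, and the message texts ('TLS key negotiation failed to occur within 60 seconds', 'Initialization Sequence Completed', 'Inactivity timeout (--ping-restart)') are OpenVPN's own. The server IP 203.0.113.10 and the two-minute timing are made up for illustration.

```python
"""Triage an OpenVPN client log: never connected vs. connected-then-flapping.

Added example for this thread (not the original poster's code). The two log
excerpts below are constructed to mimic OpenVPN's log format; the IP address
is from the documentation range and the timings are invented.
"""
import re
from datetime import datetime

# OpenVPN prefixes each line with e.g. "Mon Jun  3 20:41:10 2013 " (note the
# double space before a single-digit day).
TS_RE = re.compile(r"^(\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (.*)$")

# Constructed: the post #1 symptom. UDP to 1194 never gets an answer, so the
# client gives up after OpenVPN's default 60-second hand-window and restarts.
NEVER_CONNECTED_LOG = """\
Mon Jun  3 20:40:10 2013 UDPv4 link remote: [AF_INET]203.0.113.10:1194
Mon Jun  3 20:41:10 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Jun  3 20:41:10 2013 TLS Error: TLS handshake failed
Mon Jun  3 20:41:10 2013 SIGUSR1[soft,tls-error] received, process restarting
""".splitlines()

# Constructed: the post #4 symptom. The handshake completes, keep-alives then
# stop arriving, --ping-restart fires, and the tunnel comes straight back up.
FLAPPING_LOG = """\
Tue Jun  4 09:00:00 2013 Initialization Sequence Completed
Tue Jun  4 09:02:00 2013 [server] Inactivity timeout (--ping-restart), restarting
Tue Jun  4 09:02:00 2013 SIGUSR1[soft,ping-restart] received, process restarting
Tue Jun  4 09:02:05 2013 Initialization Sequence Completed
Tue Jun  4 09:04:05 2013 [server] Inactivity timeout (--ping-restart), restarting
Tue Jun  4 09:04:05 2013 SIGUSR1[soft,ping-restart] received, process restarting
Tue Jun  4 09:04:10 2013 Initialization Sequence Completed
""".splitlines()


def parse_line(line):
    """Split a log line into (datetime or None, message)."""
    m = TS_RE.match(line)
    if not m:
        return None, line
    # Collapse the padding space OpenVPN uses for single-digit days.
    stamp = re.sub(r"\s+", " ", m.group(1))
    return datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y"), m.group(2)


def triage(lines):
    """Return (verdict, session_lengths_in_seconds).

    verdict is one of:
      never-connected  TLS errors and no 'Initialization Sequence Completed'
                       -> check reachability of the server on UDP/1194
      flapping         connects, then drops on --ping-restart, repeatedly
                       -> handshake works; look at what happens to keep-alives
      stable           connected and no ping-restart seen
      unknown          none of the markers present
    """
    tls_failures = 0
    connects = 0
    connected_at = None
    sessions = []  # how long each tunnel lived before a ping-restart
    for line in lines:
        ts, msg = parse_line(line)
        if "TLS key negotiation failed" in msg or "TLS handshake failed" in msg:
            tls_failures += 1
        elif "Initialization Sequence Completed" in msg:
            connects += 1
            connected_at = ts
        elif "Inactivity timeout (--ping-restart)" in msg:
            if connected_at is not None and ts is not None:
                sessions.append((ts - connected_at).total_seconds())
            connected_at = None

    if connects == 0 and tls_failures > 0:
        verdict = "never-connected"
    elif connects >= 2 and sessions:
        verdict = "flapping"
    elif connects >= 1:
        verdict = "stable"
    else:
        verdict = "unknown"
    return verdict, sessions


if __name__ == "__main__":
    for name, log in (("post #1", NEVER_CONNECTED_LOG), ("post #4", FLAPPING_LOG)):
        verdict, sessions = triage(log)
        print(f"{name}: {verdict}, tunnel lifetimes: {sessions}")
```

Regular session lengths in the flapping case (here 120 s each) are the tell: the tunnel dies on a fixed keep-alive timeout rather than at random, which is consistent with keep-alive packets being dropped or mangled somewhere between the two ends, as post #4 describes.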
5th June 2013, 10:48 AM #5
Working now - had to get LGfL to use 'Capita-InTouch' rule on our firewall as opposed to just allowing traffic to one destination IP.