Mailing List Archive

default Network Manager vpnc monopolizes routing
Hi,

I installed vpnc and the NetworkManager applet for vpnc and configured
them using the default settings as far as possible. The vpnc command
line client allows me to connect to the VPN host as well as other sites
simultaneously. However, if I connect using NetworkManager it only
allows me to connect to the VPN host and all other routing requests seem
to go through this, and get rejected.

I would like to know how to change my NetworkManager VPN configuration
to behave similarly to the command line client.

My vpnc configuration in /etc/vpnc/<host>.conf

IPSec gateway <host>
IPSec ID ...
IPSec secret ...
Xauth username ...

I run this using sudo vpnc <host> and then if I ping www.yahoo.com there
is no problem:

PING ds-eu-fp3.wa1.b.yahoo.com (87.248.112.181) 56(84) bytes of data.
64 bytes from ir1.fp.vip.ird.yahoo.com (87.248.112.181): icmp_seq=1 ttl=49 time=185 ms
...

In the NetworkManager VPN applet for <host> I entered exactly the same
information:
Gateway: <host>
Group Name: ..
User Password: [Always Ask]
Group password: .. [saved]
User name: ...
Domain: [blank]
Encryption method: Secure (default)
NAT traversal: NAT-T when available (default)

I didn't change anything on the IPv4 Settings tab which shows
Method: Automatic (VPN)

After connecting using the NetworkManager if I ping www.yahoo.com I get:

PING ds-eu-fp3.wa1.b.yahoo.com (87.248.112.181) 56(84) bytes of data.
From <some-address-in-VPN host domain> (...) icmp_seq=2 Packet filtered

I'm running on CentOS 6.3 with the following packages:

NetworkManager-vpnc.x86_64 : NetworkManager VPN plugin for vpnc
vpnc.x86_64 : IPSec VPN client compatible with Cisco equipment

uname -a:
Linux worklap 2.6.32-279.14.1.el6.x86_64 #1 SMP Tue Nov 6 23:43:09 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

I'd appreciate any help.

-- Nim'r

_______________________________________________
vpnc-devel mailing list
vpnc-devel@unix-ag.uni-kl.de
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/
Re: default Network Manager vpnc monopolizes routing
Have you tried changing the settings under the IPv4 (or 6) Routes section?

When I used to run vpnc from the command-line, I had to write my own
scripts to set up the complex routing needed, so I suspect that, by
default, vpnc will configure all routes through your VPN connection.
Network Manager gives you more options.

On Wed, Nov 14, 2012 at 1:22 PM, Nimar Arora <nimar.arora@oracle.com> wrote:
Re: default Network Manager vpnc monopolizes routing
Hi Mike,

your VPN server does not provide a "split network" configuration to the client.
I expect it just sets default routing to the VPN tunnel.
You have to use your own script to modify routing tables and access the internet.
So your script overwrites the server's "suggestion" for routing.

In the case of Nimar, instead, the VPN server already sends the VPN
client all the information to split the network.
vpnc handles the information and passes it to vpnc-script.
No need to add additional scripts or information.

I don't know Network Manager, but my understanding is that it completely
replaces vpnc-script.
Probably Network Manager does not handle the split-network
configuration properly.

Best Regards,
Antonio Borneo

On Thu, Nov 15, 2012 at 2:38 AM, Mike Kienenberger <mkienenb@gmail.com> wrote:
Re: default Network Manager vpnc monopolizes routing
Well, it seems like I needed to do more tinkering before reporting a
problem :-)

I found that by checking on "IPv4 Settings" -> "Routes" --> "Use this
connection only for resources on its network" I got the desired "split
network" behaviour.

-- Nim'r

On 11/14/2012 03:32 PM, Antonio Borneo wrote:
Re: default Network Manager vpnc monopolizes routing
On Wed, 2012-11-14 at 16:10 -0800, Nimar Arora wrote:
> Well, it seems like I needed to do more tinkering before reporting a
> problem :-)
>
> I found that by checking on "IPv4 Settings" -> "Routes" --> "Use this
> connection only for resources on its network" I got the desired "split
> network" behaviour.

Yes, that's how the split networking stuff is enabled. Split networking
has *always* been an option with NM-vpnc, potentially overriding
whatever the concentrator configuration specifies so that you can access
local network resources even if the concentrator attempts to deny that.
Unfortunately, there's no good way to tell whether the VPN does or does
not route all traffic.

For example, long ago the Red Hat VPN routed all traffic and defaulted
to disabling local subnet access, which was the original impetus for
this behavior because it was really, really annoying. Now the Red Hat
VPN does split networking, and does *not* route all traffic. But
there's no good way to detect this and do the right thing by default,
but let it be overridden by user preference. Unless we're missing
something?

Dan

Re: default Network Manager vpnc monopolizes routing
On Thu, 2012-11-15 at 09:53 -0600, Dan Williams wrote:
> For example, long ago the Red Hat VPN routed all traffic and defaulted
> to disabling local subnet access, which was the original impetus for
> this behavior because it was really, really annoying. Now the Red Hat
> VPN does split networking, and does *not* route all traffic. But
> there's no good way to detect this and do the right thing by default,
> but let it be overridden by user preference. Unless we're missing
> something?

The vpnc-script seems to assume split tunnelling if *any* split include
configuration is given, and full tunnelling if there are none. Is that
not appropriate?

--
dwmw2
Re: default Network Manager vpnc monopolizes routing
On Fri, 2012-11-16 at 10:36 +0000, David Woodhouse wrote:
> The vpnc-script seems to assume split tunnelling if *any* split include
> configuration is given, and full tunnelling if there are none. Is that
> not appropriate?

You know, it probably would be. The tricky part is to see if we could
make this behavior change and not break existing installs. For example,
assume a concentrator that *can* route all traffic, but for which the
administrator has configured split routing.

Now if somebody has *not* checked the never-default box in
nm-connection-editor, currently the VPN will get the default route, and
all this user's traffic now goes through the VPN. So we make this
change, and now NM does split routing on this VPN. Now the user
goes to a coffee shop, and thinks that all their traffic is encrypted,
when in reality it's not.

How common this situation is, I don't know. But that's what I worry
about. I don't mind changes that make things more encrypted, but ones
that have the potential to make stuff less encrypted need more
discussion.

Dan

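To make the rule David Woodhouse describes (any split include means split tunnelling, none means full tunnelling) and the override Dan worries about concrete, here is an added Python model of the decision. It is not vpnc's own vpnc-script and not NetworkManager code. The environment variable names (TUNDEV, VPNGATEWAY, INTERNAL_IP4_*, CISCO_SPLIT_INC and CISCO_SPLIT_INC_<n>_ADDR/MASKLEN) are the ones vpnc exports to vpnc-script; the two environments SPLIT_ENV and FULL_ENV, every address in them, and the uplink name eth0 are constructed for the example. The never_default flag stands in for the "Use this connection only for resources on its network" checkbox Nim'r used, and the model assumes the tunnel's own subnet stays routed over the tunnel in every case. The function leaves_in_cleartext answers the coffee-shop question from Dan's last message: for a given destination, does the packet go into the tunnel or out over the uplink unencrypted?

```python
import ipaddress

# Added example: a model of the routing decision vpnc-script makes from the
# environment vpnc exports to it, plus NetworkManager's "never default"
# override.  This is not vpnc's own vpnc-script and not NetworkManager code.
# Variable names are the ones vpnc really exports; every address below is
# constructed for the example.

SPLIT_ENV = {  # concentrator pushes split includes (Nimar's situation)
    "TUNDEV": "tun0",
    "VPNGATEWAY": "203.0.113.10",
    "INTERNAL_IP4_ADDRESS": "10.20.30.40",
    "INTERNAL_IP4_NETADDR": "10.20.30.0",
    "INTERNAL_IP4_NETMASKLEN": "24",
    "CISCO_SPLIT_INC": "2",
    "CISCO_SPLIT_INC_0_ADDR": "10.0.0.0",
    "CISCO_SPLIT_INC_0_MASKLEN": "8",
    "CISCO_SPLIT_INC_1_ADDR": "192.168.100.0",
    "CISCO_SPLIT_INC_1_MASKLEN": "24",
}

FULL_ENV = {  # concentrator pushes no split includes: "route everything"
    "TUNDEV": "tun0",
    "VPNGATEWAY": "203.0.113.10",
    "INTERNAL_IP4_ADDRESS": "10.20.30.40",
    "INTERNAL_IP4_NETADDR": "10.20.30.0",
    "INTERNAL_IP4_NETMASKLEN": "24",
    "CISCO_SPLIT_INC": "0",
}

UPLINK = "eth0"  # assumed name of the physical interface (coffee-shop Wi-Fi, LAN, ...)


def split_includes(env):
    """Collect the CISCO_SPLIT_INC_<n>_ADDR/MASKLEN pairs into network objects."""
    count = int(env.get("CISCO_SPLIT_INC", "0"))
    nets = []
    for i in range(count):
        addr = env[f"CISCO_SPLIT_INC_{i}_ADDR"]
        masklen = env[f"CISCO_SPLIT_INC_{i}_MASKLEN"]
        nets.append(ipaddress.ip_network(f"{addr}/{masklen}", strict=False))
    return nets


def plan_routes(env, never_default=False):
    """Return the (network, device) routes the client would install.

    Rule as David Woodhouse describes it: if the concentrator sent *any*
    split include, route only those prefixes through the tunnel; if it sent
    none, route everything (0.0.0.0/0) through it.  never_default models
    NetworkManager's "Use this connection only for resources on its
    network" box: it suppresses the default route regardless of what the
    concentrator said.  Assumption: the tunnel's own subnet stays reachable
    over the tunnel in every case.
    """
    tundev = env["TUNDEV"]
    own_net = ipaddress.ip_network(
        f"{env['INTERNAL_IP4_NETADDR']}/{env['INTERNAL_IP4_NETMASKLEN']}", strict=False
    )
    routes = [(own_net, tundev)]
    includes = split_includes(env)
    if includes:
        routes.extend((net, tundev) for net in includes)
    elif not never_default:
        routes.append((ipaddress.ip_network("0.0.0.0/0"), tundev))
    return routes


def egress_device(dest, routes, uplink=UPLINK):
    """Longest-prefix match, as the kernel does; unmatched traffic uses the uplink."""
    addr = ipaddress.ip_address(dest)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else uplink


def leaves_in_cleartext(dest, env, never_default=False):
    """Dan's coffee-shop question: does traffic to dest bypass the tunnel?"""
    return egress_device(dest, plan_routes(env, never_default)) == UPLINK


if __name__ == "__main__":
    yahoo = "87.248.112.181"  # the address from the ping output in the thread
    for name, env in (("split", SPLIT_ENV), ("full", FULL_ENV)):
        for nd in (False, True):
            dev = egress_device(yahoo, plan_routes(env, nd))
            print(f"{name:5} never_default={nd!s:5} -> {yahoo} leaves via {dev}")
```

Running the block prints the four combinations: with split includes the public address leaves via eth0 whether or not never-default is set (the box is harmless when the concentrator already splits), and without split includes it leaves via tun0 unless never-default is set, which is exactly the silent downgrade Dan describes. On a live host the equivalent check after the VPN is up is `ip route get 87.248.112.181` and confirming that the `dev` in the answer is the tunnel or the uplink as you intended.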