
Mailing List Archive: vpnc: devel

stuck

 

 



mikejd42 at yahoo

Nov 6, 2009, 6:26 AM

Post #1 of 24 (4853 views)
stuck

Working on OpenSolaris I have been able to compile, install and configure vpnc 0.5.3 without problems. When I connect all looks good but I am unable to send any data through the tunnel. I have set --debug 99 and looked through the entire log but nothing jumps out as an error. My pcf file called for TcpTunnelingPort=10000 so I have attempted to set this with config option --natt-mode cisco-udp but am still unable to communicate through the tunnel. My tun interface configures with a pointtopoint ip address and routes do get added with the destination equal to the tun IP address.

Help please, I need to get this working.

Thanks
mike


dwmw2 at infradead

Nov 6, 2009, 6:49 AM

Post #2 of 24 (4771 views)
Re: stuck [In reply to]

On Fri, 2009-11-06 at 06:26 -0800, mike demarco wrote:
> Working on OpenSolaris I have been able to compile, install and
> configure vpnc 0.5.3 without problems. When I connect all looks good
> but I am unable to send any data through the tunnel. I have set
> --debug 99 and looked through the entire log but nothing jumps out as
> an error. My pcf file called for TcpTunnelingPort=10000 so I have
> attempted to set this with config option --natt-mode cisco-udp but am
> still unable to communicate through the tunnel. My tun interface
> configures with a pointtopoint ip address and routes do get added with
> the destination equal to the tun IP address.
>
> Help please, I need to get this working.

I ported OpenConnect to Solaris a few days ago, and had similar
problems. If you tcpdump on the tun0 interface, do you see any outgoing
packets?

If not, I suspect your problem is the same as mine -- the packets aren't
even making it to vpnc/openconnect.

The problem is the way that vpnc-script is setting up the interface and
routes. I have committed a fix to my vpnc-scripts repository at
http://git.infradead.org/users/dwmw2/vpnc-scripts.git
git://git.infradead.org/users/dwmw2/vpnc-scripts.git

--
dwmw2

_______________________________________________
vpnc-devel mailing list
vpnc-devel [at] unix-ag
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/


mikejd42 at yahoo

Nov 6, 2009, 7:39 AM

Post #3 of 24 (4812 views)
Re: stuck [In reply to]

Dave:
Thanks for getting back to me. tcpdump does show outgoing packets for DNS traffic but nothing coming in:

listening on tun0, link-type EN10MB (Ethernet), capture size 96 bytes
10:36:09.291059 IP 172.31.10.5.60836 > mizar.corp.seic.com.domain: 13296+ TXT? _nfsv4idmapdomain.corp.seic.com. (49)
10:36:09.564173 IP 172.31.10.5.35648 > mizar.corp.seic.com.domain: 51391+ AAAA? seieadb05gz.corp.seic.com. (43)
10:36:10.291226 IP 172.31.10.5.56574 > mizar.corp.seic.com.domain: 29065+ PTR? 1.30.40.10.in-addr.arpa. (41)
10:36:10.292152 IP 172.31.10.5.42991 > mizar.corp.seic.com.domain: 29066+ A? mizar.corp.seic.com. (37)
10:36:11.291244 IP 172.31.10.5.42991 > polaris.corp.seic.com.domain: 29066+ A? mizar.corp.seic.com. (37)
10:36:11.292503 IP 172.31.10.5.48360 > mizar.corp.seic.com.domain: 29067+ PTR? 5.10.31.172.in-addr.arpa. (42)
10:36:12.291581 IP 172.31.10.5.48360 > polaris.corp.seic.com.domain: 29067+ PTR? 5.10.31.172.in-addr.arpa. (42)
10:36:12.348237 IP 172.31.10.5.36123 > mizar.corp.seic.com.domain: 39532+ PTR? 5.10.31.172.in-addr.arpa. (42)
10:36:14.291900 IP 172.31.10.5.65174 > mizar.corp.seic.com.domain: 13297+ TXT? _nfsv4idmapdomain.seic.com. (44)
10:36:14.565782 IP 172.31.10.5.33867 > mizar.corp.seic.com.domain: 51392+ AAAA? seieadb05gz.seic.com. (38)
10:36:17.349849 IP 172.31.10.5.45545 > mizar.corp.seic.com.domain: 29068+ PTR? 1.30.80.10.in-addr.arpa. (41)
10:36:17.350315 IP 172.31.10.5.40192 > mizar.corp.seic.com.domain: 29069+ A? polaris.corp.seic.com. (39)
10:36:18.349390 IP 172.31.10.5.40192 > polaris.corp.seic.com.domain: 29069+ A? polaris.corp.seic.com. (39)
10:36:19.293018 IP 172.31.10.5.40402 > mizar.corp.seic.com.domain: 13298+ TXT? _nfsv4idmapdomain. (35)
10:36:19.568506 IP 172.31.10.5.58625 > mizar.corp.seic.com.domain: 51393+ AAAA? seieadb05gz. (29)
10:36:24.293924 IP 172.31.10.5.44746 > polaris.corp.seic.com.domain: 13298+ TXT? _nfsv4idmapdomain. (35)
10:36:24.569292 IP 172.31.10.5.36147 > polaris.corp.seic.com.domain: 51393+ AAAA? seieadb05gz. (29)
10:36:30.293993 IP 172.31.10.5.36794 > mizar.corp.seic.com.domain: 13298+ TXT? _nfsv4idmapdomain. (35)
10:36:30.569404 IP 172.31.10.5.40966 > mizar.corp.seic.com.domain: 51394+ A? seieadb05gz.corp.seic.com. (43)







mikejd42 at yahoo

Nov 6, 2009, 7:44 AM

Post #4 of 24 (4795 views)
Re: stuck [In reply to]

oops, there is two-way traffic:

10:44:10.111327 IP 172.31.10.5.64855 > mizar.corp.seic.com.domain: 6293+ PTR? 9.80.9.10.in-addr.arpa. (40)
10:44:10.113156 IP mizar.corp.seic.com.domain > 172.31.10.5.64855: 6293* 1/0/0 PTR[|domain]
10:44:10.114244 IP 172.31.10.5.44832 > mizar.corp.seic.com.domain: 6294+ PTR? 30.30.9.10.in-addr.arpa. (41)
10:44:11.503823 IP mizar.corp.seic.com.domain > 172.31.10.5.41301: 51441 NXDomain* 0/1/0 (124)
10:44:11.503972 IP mizar.corp.seic.com.domain > 172.31.10.5.34391: 39554 NXDomain* 0/1/0 (122)
10:44:11.613952 IP mizar.corp.seic.com.domain > 172.31.10.5.43044: 50332 NXDomain* 0/1/0 (121)
10:44:13.111438 IP 172.31.10.5.43844 > mizar.corp.seic.com.domain: 50333+ PTR? 82.100.9.10.in-addr.arpa. (42)
10:44:13.113458 IP mizar.corp.seic.com.domain > 172.31.10.5.43844: 50333* 1/0/0 PTR[|domain]
10:44:13.114545 IP 172.31.10.5.48453 > mizar.corp.seic.com.domain: 50334+ PTR? 3.30.9.10.in-addr.arpa. (40)
10:44:14.614096 IP mizar.corp.seic.com.domain > 172.31.10.5.44832: 6294 NXDomain* 0/1/0 (122)
10:44:16.111432 IP 172.31.10.5.55823 > mizar.corp.seic.com.domain: 6295+ PTR? 2.100.9.10.in-addr.arpa. (41)
10:44:17.613887 IP mizar.corp.seic.com.domain > 172.31.10.5.48453: 50334 NXDomain* 0/1/0 (121)
10:44:19.111463 IP 172.31.10.5.41451 > mizar.corp.seic.com.domain: 50335+ PTR? 1.30.50.10.in-addr.arpa. (41)
10:44:19.113395 IP mizar.corp.seic.com.domain > 172.31.10.5.41451: 50335* 1/0/0 PTR[|domain]
10:44:19.114520 IP 172.31.10.5.33960 > mizar.corp.seic.com.domain: 50336+ PTR? 217.9.18.172.in-addr.arpa. (43)
10:44:19.115996 IP mizar.corp.seic.com.domain > 172.31.10.5.33960: 50336* 1/0/0 (80)
10:44:19.117075 IP 172.31.10.5.61068 > mizar.corp.seic.com.domain: 50337+ PTR? 94.100.9.10.in-addr.arpa. (42)
10:44:19.118516 IP mizar.corp.seic.com.domain > 172.31.10.5.61068: 50337* 1/0/0 PTR[|domain]
10:44:19.119609 IP 172.31.10.5.35734 > mizar.corp.seic.com.domain: 50338+ PTR? 34.30.9.10.in-addr.arpa. (41)
10:44:20.613667 IP mizar.corp.seic.com.domain > 172.31.10.5.55823: 6295 NXDomain* 0/1/0 (122)
10:44:22.111388 IP 172.31.10.5.46506 > mizar.corp.seic.com.domain: 6296+ PTR? 54.80.9.10.in-addr.arpa. (41)
10:44:22.112982 IP mizar.corp.seic.com.domain > 172.31.10.5.46506: 6296* 1/0/0 PTR[|domain]
10:44:22.114091 IP 172.31.10.5.56782 > mizar.corp.seic.com.domain: 6297+ PTR? 187.100.9.10.in-addr.arpa. (43)
10:44:22.115876 IP mizar.corp.seic.com.domain > 172.31.10.5.56782: 6297* 1/0/0 (78)
10:44:22.116894 IP 172.31.10.5.62402 > mizar.corp.seic.com.domain: 6298+ PTR? 2.80.9.10.in-addr.arpa. (40)
10:44:22.118716 IP mizar.corp.seic.com.domain > 172.31.10.5.62402: 6298* 1/0/0 PTR[|domain]
10:44:22.119717 IP 172.31.10.5.37920 > mizar.corp.seic.com.domain: 6299+ PTR? 70.48.152.10.in-addr.arpa. (43)
10:44:23.613813 IP mizar.corp.seic.com.domain > 172.31.10.5.35734: 50338 NXDomain* 0/1/0 (122)
10:44:25.111620 IP 172.31.10.5.39801 > mizar.corp.seic.com.domain: 50339+ PTR? 15.197.142.68.in-addr.arpa. (44)
10:44:25.119682 IP mizar.corp.seic.com.domain > 172.31.10.5.39801: 50339 1/0/0 (85)
10:44:25.120879 IP 172.31.10.5.35615 > mizar.corp.seic.com.domain: 50340+ PTR? 37.40.9.10.in-addr.arpa. (41)
10:44:26.614886 IP mizar.corp.seic.com.domain > 172.31.10.5.37920: 6299 NXDomain* 0/1/0 (124)
10:44:27.626797 IP 172.31.10.5.57811 > mizar.corp.seic.com.domain: 29079+ PTR? 25.100.9.10.in-addr.arpa. (42)
10:44:28.625872 IP 172.31.10.5.57811 > polaris.corp.seic.com.domain: 29079+ PTR? 25.100.9.10.in-addr.arpa. (42)
10:44:28.625889 IP 172.31.10.5.57811 > mizar.corp.seic.com.domain: 29079+ PTR? 25.100.9.10.in-addr.arpa. (42)
10:44:28.625917 IP 172.31.10.5.57811 > polaris.corp.seic.com.domain: 29079+ PTR? 25.100.9.10.in-addr.arpa. (42)
10:44:29.614883 IP mizar.corp.seic.com.domain > 172.31.10.5.35615: 50340 NXDomain* 0/1/0 (122)
10:44:30.626459 IP 172.31.10.5.49244 > mizar.corp.seic.com.domain: 51744+ PTR? 25.100.9.10.in-addr.arpa. (42)
10:44:30.627449 IP 172.31.10.5.60430 > mizar.corp.seic.com.domain: 6300+ PTR? 32.40.9.10.in-addr.arpa. (41)
10:44:31.111533 IP 172.31.10.5.39016 > mizar.corp.seic.com.domain: 50341+[|domain]
10:44:31.187201 IP mizar.corp.seic.com.domain > 172.31.10.5.39016: 50341 NXDomain*-[|domain]
10:44:31.187272 IP 172.31.10.5.47610 > mizar.corp.seic.com.domain: 50342+[|domain]
10:44:31.269776 IP mizar.corp.seic.com.domain > 172.31.10.5.






dwmw2 at infradead

Nov 6, 2009, 7:59 AM

Post #5 of 24 (4781 views)
Re: stuck [In reply to]

On Fri, 2009-11-06 at 07:44 -0800, mike demarco wrote:
> oops, there is two-way traffic:

OK, so now you can send data out through the tunnel -- and you seem to
be getting responses to your DNS queries.

Is everything working now? If not, what's still wrong?

(Using the '-n' argument to tcpdump is probably helpful; it'll stop it
from trying to do DNS lookups.)

--
dwmw2



mikejd42 at yahoo

Nov 6, 2009, 8:16 AM

Post #6 of 24 (4771 views)
Re: stuck [In reply to]

DNS seems to work but I cannot talk to my servers on a given subnet.

tcpdump is showing this when attempting to ssh to the server

11:14:29.128614 IP 172.31.10.5.43311 > seieadb05.ssh: Flags [S], seq 3344499049, win 49392, options [mss 1372,nop,wscale 0,nop,nop,sackOK], length 0
11:14:32.510032 IP 172.31.10.5.43311 > seieadb05.ssh: Flags [S], seq 3344499049, win 49392, options [mss 1372,nop,wscale 0,nop,nop,sackOK], length 0
11:14:39.280044 IP 172.31.10.5.43311 > seieadb05.ssh: Flags [S], seq 3344499049, win 49392, options [mss 1372,nop,wscale 0,nop,nop,sackOK], length 0

with nothing coming back







dwmw2 at infradead

Nov 6, 2009, 8:20 AM

Post #7 of 24 (4772 views)
Re: stuck [In reply to]

On Fri, 2009-11-06 at 08:16 -0800, mike demarco wrote:
> DNS seems to work but I cannot talk to my servers on a given subnet.
>
> tcpdump is showing this when attempting to ssh to the server
>
> 11:14:29.128614 IP 172.31.10.5.43311 > seieadb05.ssh: Flags [S], seq
> 3344499049, win 49392, options [mss 1372,nop,wscale 0,nop,nop,sackOK],
> length 0
> 11:14:32.510032 IP 172.31.10.5.43311 > seieadb05.ssh: Flags [S], seq
> 3344499049, win 49392, options [mss 1372,nop,wscale 0,nop,nop,sackOK],
> length 0
> 11:14:39.280044 IP 172.31.10.5.43311 > seieadb05.ssh: Flags [S], seq
> 3344499049, win 49392, options [mss 1372,nop,wscale 0,nop,nop,sackOK],
> length 0
>
> with nothing coming back
>

Log into the server some other way and run tcpdump there. Are you seeing
the incoming SYN packets? Can you ping it?

Run 'mtr' in both directions. How far does the traffic get?


--
dwmw2

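The check Dave asks for above (outbound SYNs with nothing coming back) is easy to automate over a saved tcpdump text capture. The script below is an added example for this thread, not vpnc code and not from any list poster: it parses tcpdump's default text format, pairs each outbound packet with a reply, reports flows that never got an answer, and counts SYNs re-sent with an unchanged sequence number. The sample capture is assembled from the lines Mike quoted earlier in the thread (one answered DNS query, three unanswered SSH SYNs); the regexes assume tcpdump was run without -n, so endpoints look like host.port.

```python
import re
from collections import defaultdict

# tcpdump's default text format (no -n): "HH:MM:SS.usec IP src.port > dst.port: ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)
FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")
SEQ_RE = re.compile(r"\bseq (\d+)")

# Sample capture: lines taken from the two tcpdump snippets quoted in this thread
# (one answered DNS query, then three unanswered SSH SYNs), plus the banner line.
SAMPLE_LINES = """\
listening on tun0, link-type EN10MB (Ethernet), capture size 96 bytes
10:44:10.111327 IP 172.31.10.5.64855 > mizar.corp.seic.com.domain: 6293+ PTR? 9.80.9.10.in-addr.arpa. (40)
10:44:10.113156 IP mizar.corp.seic.com.domain > 172.31.10.5.64855: 6293* 1/0/0 PTR[|domain]
11:14:29.128614 IP 172.31.10.5.43311 > seieadb05.ssh: Flags [S], seq 3344499049, win 49392, options [mss 1372,nop,wscale 0,nop,nop,sackOK], length 0
11:14:32.510032 IP 172.31.10.5.43311 > seieadb05.ssh: Flags [S], seq 3344499049, win 49392, options [mss 1372,nop,wscale 0,nop,nop,sackOK], length 0
11:14:39.280044 IP 172.31.10.5.43311 > seieadb05.ssh: Flags [S], seq 3344499049, win 49392, options [mss 1372,nop,wscale 0,nop,nop,sackOK], length 0
""".splitlines()


def split_endpoint(endpoint):
    """'172.31.10.5.43311' -> ('172.31.10.5', '43311'); 'seieadb05.ssh' -> ('seieadb05', 'ssh')."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse(lines):
    """Turn tcpdump text lines into dicts; non-packet lines (the banner) are skipped."""
    packets = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, sport = split_endpoint(m.group("src"))
        dst, dport = split_endpoint(m.group("dst"))
        rest = m.group("rest")
        flags = FLAGS_RE.search(rest)
        seq = SEQ_RE.search(rest)
        packets.append({
            "ts": m.group("ts"),
            "src": src, "sport": sport,
            "dst": dst, "dport": dport,
            "flags": flags.group(1) if flags else None,
            "seq": seq.group(1) if seq else None,
        })
    return packets


def one_way_flows(lines, local):
    """Flows that `local` sent packets on but never received anything back.

    Returns {(peer_host, peer_port, local_port): outbound_packet_count}.
    """
    outbound = defaultdict(int)
    answered = set()
    for p in parse(lines):
        if p["src"] == local:
            outbound[(p["dst"], p["dport"], p["sport"])] += 1
        elif p["dst"] == local:
            answered.add((p["src"], p["sport"], p["dport"]))
    return {flow: n for flow, n in outbound.items() if flow not in answered}


def syn_retransmits(lines):
    """Count SYNs re-sent with an unchanged sequence number per flow.

    Returns {(src, sport, dst, dport): retransmit_count}; a growing count with
    no SYN-ACK anywhere in the capture means the handshake never reaches the peer.
    """
    seen = defaultdict(int)
    for p in parse(lines):
        if p["flags"] == "S" and p["seq"] is not None:
            seen[(p["src"], p["sport"], p["dst"], p["dport"], p["seq"])] += 1
    return {key[:4]: n - 1 for key, n in seen.items() if n > 1}


if __name__ == "__main__":
    for flow, n in one_way_flows(SAMPLE_LINES, "172.31.10.5").items():
        print("no reply from %s port %s (local port %s): %d packets sent" % (flow[0], flow[1], flow[2], n))
    for flow, n in syn_retransmits(SAMPLE_LINES).items():
        print("%s:%s -> %s:%s: SYN retransmitted %d times" % (flow + (n,)))
```

Run the same script on a capture taken on the server side (as Dave suggests) and compare: if the client shows the SYNs leaving tun0 but the server capture never contains them, whatever sits between the two ends is dropping them, which is what the thread eventually finds.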


mikejd42 at yahoo

Nov 6, 2009, 9:12 AM

Post #8 of 24 (4786 views)
Re: stuck [In reply to]

Well I can't traceroute due to the fact that they block it.

From the remote host I am able to ssh to my vpnc client and login without any problem but I am unable to do so the other way around. The vpnc client just hangs when attempting to ssh.

I can't see any packets on the remote host coming in from the vpn client.






dwmw2 at infradead

Nov 6, 2009, 9:43 AM

Post #9 of 24 (4783 views)
Re: stuck [In reply to]

On Fri, 2009-11-06 at 09:12 -0800, mike demarco wrote:
> Well I can't traceroute due to the fact that they block it.
>
> from the remote host I am able to ssh to my vpnc client and login
> without any problem but I am unable to do so the other way around. The
> vpnc client just hangs when attempting to ssh .
>
> I can't see any packets on the remote host coming in from the vpn
> client.

Sounds like an incompetently set up firewall; probably not a vpnc
problem. Bidirectional communication _is_ working between these two
hosts.

--
dwmw2



mikejd42 at yahoo

Nov 6, 2009, 10:25 AM

Post #10 of 24 (4770 views)
Re: stuck [In reply to]

Yea but I had the network guys setup a sniffer and they don't see any traffic coming off my host.






massar at unix-ag

Nov 6, 2009, 10:55 AM

Post #11 of 24 (4769 views)
Re: stuck [In reply to]

hi,

On Fri, Nov 06, 2009 at 06:26:09AM -0800, mike demarco wrote:
> Working on OpenSolaris I have been able to compile, install and configure
> vpnc 0.5.3 without problems. When I connect all looks good but I am unable
> to send any data through the tunnel. I have set --debug 99 and looked
> through the entire log but nothing jumps out as an error. My pcf file
> called for TcpTunnelingPort=10000 so I have attempted to set this with
> config option --natt-mode cisco-udp but am still unable to communicate
> through the tunnel. My tun interface configures with a pointtopoint ip
> address and routes do get added with the destination equal to the tun IP address.

iirc, a problem with solaris versions newer than 8 (or 9?) is that
IP-ESP is handled in-kernel. This results in vpnc never getting the
return-traffic. Try running vpnc with --natt-mode force-natt.
Btw: afaik "TcpTunnelingPort=10000" is just a default, and appears in
most config files even when tcp-tunneling is not used. (and
tcp-tunneling is still unsupported, because the framing is not known)

cu
Maurice


mikejd42 at yahoo

Nov 6, 2009, 11:55 AM

Post #12 of 24 (4774 views)
Re: stuck [In reply to]

Maurice:
Changed my startup to:
/usr/local/sbin/vpnc --natt-mode force-natt GTCVPN-Internal.cia

Still can't talk out. DNS works so I am wondering if this is a TCP problem?






massar at unix-ag

Nov 6, 2009, 12:13 PM

Post #13 of 24 (4778 views)
Re: stuck [In reply to]

hi,

On Fri, Nov 06, 2009 at 11:55:30AM -0800, mike demarco wrote:
> Maurice:
> Changed my startup to:
> /usr/local/sbin/vpnc --natt-mode force-natt GTCVPN-Internal.cia
>
> Still can't talk out. DNS works so I am wondering if this is a TCP problem?

hmm.... have you checked which encapsulation Cisco's client is using?
i.e., ESP, NAT-T, UDP or TCP?

cu
Maurice


mikejd42 at yahoo

Nov 6, 2009, 12:21 PM

Post #14 of 24 (4773 views)
Re: stuck [In reply to]

is it somewhere in the debug output?

The people that handle the concentrator are Windows only folks and won't lift a finger to help unix.

I can not even get a dns lookup from force-natt.






mikejd42 at yahoo

Nov 6, 2009, 12:26 PM

Post #15 of 24 (4774 views)
Re: stuck [In reply to]

if I do a force-natt I only get a connection to the vpn concentrator on port 500 but
if I do a cisco-udp I get a connection on port 500 and a connection on port 10000.

Can two connections be confusing? When going to cisco-udp on port 10000, why would the port 500 connection establish also?

10.9.50.9.500 10.65.10.8.500 Connected
10.9.50.9.10000 10.65.10.8.10000 Connected







mikejd42 at yahoo

Nov 6, 2009, 12:29 PM

Post #16 of 24 (4771 views)
Re: stuck [In reply to]

________________________________
From: Maurice Massar <massar [at] unix-ag>
To: vpnc list to send bug reports and discussions with developers <vpnc-devel [at] unix-ag>
Sent: Fri, November 6, 2009 3:13:05 PM
Subject: Re: [vpnc-devel] stuck

hi,

On Fri, Nov 06, 2009 at 11:55:30AM -0800, mike demarco wrote:
> Maurice:
> Changed my startup to:
> /usr/local/sbin/vpnc --natt-mode force-natt GTCVPN-Internal.cia
>
> Still can't talk out. DNS works so I am wondering if this is a TCP problem?

hmm.... have you checked which encapsulation Cisco's client is using?
i.e., ESP, NAT-T, UDP or TCP?

They say TCP,

cu
Maurice


massar at unix-ag

Nov 6, 2009, 12:59 PM

Post #17 of 24 (4770 views)
Re: stuck [In reply to]

hi,

On Fri, Nov 06, 2009 at 12:26:23PM -0800, mike demarco wrote:
> if I do a force-natt I only get a connection to the vpn concentrator on port 500 but
> if I do a cisco-udp I get a connection on port 500 and a connection on port 10000.
>
> Can two connections be confusing? When going to cisco-udp on port 10000, why would the port 500 connection establish also?
>
> 10.9.50.9.500 10.65.10.8.500 Connected
> 10.9.50.9.10000 10.65.10.8.10000 Connected

IKE + ESP uses 2 connections: udp port 500 for IKE, IP ESP for data.
In NAT-T mode, the "connection" is first established on udp 500, and
after detecting the NAT device, IKE+ESP packets are encapsulated in
udp 4500 datagrams. With cisco-udp, IKE remains as is (udp 500) and
only ESP gets encapsulated (usually udp 10000). So far, everything
started with packets on udp 500. Only cisco-tcp encapsulation starts
directly with a tcp connection to port 10000 which carries IKE and ESP,
iirc.

cu
maurice
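Maurice's question (which encapsulation is the Cisco client actually using?) and his port layout above can be turned into a small classifier, so the answer comes from what is visible on the wire rather than from the Windows-only concentrator admins. The following is an added example for this thread, not vpnc's own code: it parses rows like the two netstat lines Mike pasted, then maps the set of open flows onto the modes Maurice lists (IKE on udp/500 with raw IP-ESP, NAT-T on udp/4500, cisco-udp wrapping ESP in udp/10000, cisco-tcp carrying both over one TCP connection). Assumptions: the netstat rows come from the UDP table (the pasted snippet has no protocol column), udp/10000 and tcp/10000 are the site defaults (both are parameters), and the `Flow` tuple, header line and function names are mine.

```python
from collections import namedtuple

# One observed flow between the client and the concentrator.
Flow = namedtuple("Flow", "proto local remote lport rport")

IKE_PORT = 500          # ISAKMP/IKE; first thing on the wire in every mode except cisco-tcp
NATT_PORT = 4500        # UDP encapsulation of IKE + ESP after NAT detection
CISCO_UDP_PORT = 10000  # usual port for Cisco UDP encapsulation of ESP (assumed default)
CISCO_TCP_PORT = 10000  # usual port for Cisco TCP encapsulation of IKE + ESP (assumed default)


def parse_netstat_udp(lines, local_host):
    """Parse Solaris `netstat` UDP-table rows such as '10.9.50.9.500 10.65.10.8.500 Connected'.

    The snippet in the thread shows no protocol column, so this assumes the
    rows come from the UDP section; `local_host` filters out unrelated sockets.
    """
    flows = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or parts[2] != "Connected":
            continue  # header line, idle sockets, etc.
        lhost, _, lport = parts[0].rpartition(".")
        rhost, _, rport = parts[1].rpartition(".")
        if lhost != local_host:
            continue
        flows.append(Flow("udp", lhost, rhost, int(lport), int(rport)))
    return flows


def classify(flows, cisco_udp_port=CISCO_UDP_PORT, cisco_tcp_port=CISCO_TCP_PORT):
    """Name the encapsulation mode implied by a set of flows.

    Order matters: cisco-tcp is the only mode with no udp/500 phase, raw ESP
    shows up as its own IP protocol, NAT-T is recognisable by udp/4500, and
    cisco-udp by udp/500 plus the configured UDP port.
    """
    protos = {f.proto for f in flows}
    udp_ports = {f.rport for f in flows if f.proto == "udp"}
    tcp_ports = {f.rport for f in flows if f.proto == "tcp"}

    if cisco_tcp_port in tcp_ports and IKE_PORT not in udp_ports:
        return "cisco-tcp"   # IKE and ESP both ride one TCP connection
    if "esp" in protos:
        return "esp"         # IKE on udp/500, data as raw IP protocol 50
    if NATT_PORT in udp_ports:
        return "natt"        # IKE + ESP moved to udp/4500
    if cisco_udp_port in udp_ports and IKE_PORT in udp_ports:
        return "cisco-udp"   # IKE stays on udp/500, ESP wrapped in udp/10000
    if IKE_PORT in udp_ports:
        return "ike-only"    # phase 1 reachable, no data channel seen yet
    return "unknown"


# Constructed sample: a header line plus the two rows Mike pasted from netstat.
SAMPLE_NETSTAT = [
    "Local Address         Remote Address      State",
    "10.9.50.9.500 10.65.10.8.500 Connected",
    "10.9.50.9.10000 10.65.10.8.10000 Connected",
]


def classify_netstat(lines, local_host):
    """Convenience wrapper: netstat rows in, mode name out."""
    return classify(parse_netstat_udp(lines, local_host))


if __name__ == "__main__":
    print(classify_netstat(SAMPLE_NETSTAT, "10.9.50.9"))  # cisco-udp
```

On Mike's rows the result is cisco-udp, which matches what Maurice describes: the udp/500 socket is the IKE channel and is expected to exist alongside the udp/10000 data channel, so the two "connections" are not a conflict. If the site really used cisco-tcp, the only flow to the concentrator would be a TCP connection to the tunneling port with no udp/500 socket at all.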


mikejd42 at yahoo

Nov 10, 2009, 4:51 AM

Post #18 of 24 (4732 views)
Re: stuck [In reply to]

Well I found out what the problem is! "Clean Access" is preventing me from talking on the tunnel.
Unless someone knows of a way to answer back in solaris, I'm screwed!







dwmw2 at infradead

Nov 10, 2009, 5:00 AM

Post #19 of 24 (4734 views)
Re: stuck [In reply to]

On Tue, 2009-11-10 at 04:51 -0800, mike demarco wrote:
> Well I found out what the problem is! "Clean Access" is preventing me
> from talking on the tunnel.
> Unless someone knows of a way to answer back in solaris, I'm screwed!

Didn't I tell you it was a broken firewall?

According to wikipedia, a lot of Clean Access installations allow
non-Windows users to authenticate using a web interface -- is that
possible for you?

Failing that, it probably shouldn't be hard to work out what the Windows
crap is doing and reproduce that under Solaris.

--
dwmw2



mikejd42 at yahoo

Nov 10, 2009, 7:32 AM

Post #20 of 24 (4733 views)
Re: stuck [In reply to]

Yep, sure acted like a firewall block. I believe the web interface access has been disabled as it opened too many security holes. I have read about several people attempting to run the CCS agent using wine but they all say it did not work.

Last night I thought I might be able to use Windows on virtualbox to create the tunnel and set windows up as a forwarder that I could then route to the vbox nic and windows would forward into the tunnel. This failed as soon as I created the windows bridge the vpn tunnel shut down.






dwmw2 at infradead

Nov 10, 2009, 8:01 AM

Post #21 of 24 (4728 views)
Re: stuck [In reply to]

On Tue, 2009-11-10 at 07:32 -0800, mike demarco wrote:
>
> Yep, sure acted like a firewall block. I believe the web interface
> access has been disabled as it opened too many security holes. I have
> read about several people attempting to run the CCS agent using wine
> but they all say it did not work.
>
> Last night I thought I might be able to use Windows on virtualbox to
> create the tunnel and set windows up as a forwarder that I could then
> route to the vbox nic and windows would forward into the tunnel. This
> failed as soon as I created the windows bridge the vpn tunnel shut
> down.

You ought to be able to do that and sniff the traffic -- or otherwise
work out what it's doing. Then knock up something which works from
Solaris to do the same thing, so you don't need Windows in the future.

--
dwmw2



mikejd42 at yahoo

Nov 10, 2009, 8:32 AM

Post #22 of 24 (4737 views)
Re: stuck [In reply to]

Clean Access runs under an SSL tunnel so I can't see over the network what it is doing. I spent my life on Solaris and stay as far away from Windows as I can, so my skill set under Windows is too lacking. Under Solaris I could truss or dtrace the process to glean the information needed, but I would not know where to begin under windoz.




________________________________
From: David Woodhouse <dwmw2 [at] infradead>
To: vpnc list to send bug reports and discussions with developers <vpnc-devel [at] unix-ag>
Sent: Tue, November 10, 2009 11:01:16 AM
Subject: Re: [vpnc-devel] stuck

On Tue, 2009-11-10 at 07:32 -0800, mike demarco wrote:
>
> Yep, sure acted like a firewall block. I believe the web interface
> access has been disabled as it opened too many security holes. I have
> read about several people attempting to run the CCS agent using wine
> but they all say it did not work.
>
> Last night I thought I might be able to use Windows on virtualbox to
> create the tunnel and set windows up as a forwarder that I could then
> route to the vbox nic and windows would forward into the tunnel. This
> failed as soon as I created the windows bridge the vpn tunnel shut
> down.

You ought to be able to do that and sniff the traffic -- or otherwise
work out what it's doing. Then knock up something which works from
Solaris to do the same thing, so you don't need Windows in the future.

--
dwmw2



mikejd42 at yahoo

Nov 11, 2009, 7:49 AM

Post #23 of 24 (4686 views)
Re: stuck [In reply to]

Dave:
I did some smooth talkin and got them to let me come in through web authentication. My problem is that it wants a valid MAC address and the tun0 interface comes up with a 0:0:0:0:0:0 MAC address. Is there a way to force a MAC?




________________________________
From: David Woodhouse <dwmw2 [at] infradead>
To: vpnc list to send bug reports and discussions with developers <vpnc-devel [at] unix-ag>
Sent: Tue, November 10, 2009 11:01:16 AM
Subject: Re: [vpnc-devel] stuck

On Tue, 2009-11-10 at 07:32 -0800, mike demarco wrote:
>
> Yep, sure acted like a firewall block. I believe the web interface
> access has been disabled as it opened too many security holes. I have
> read about several people attempting to run the CCS agent using wine
> but they all say it did not work.
>
> Last night I thought I might be able to use Windows on virtualbox to
> create the tunnel and set windows up as a forwarder that I could then
> route to the vbox nic and windows would forward into the tunnel. This
> failed as soon as I created the windows bridge the vpn tunnel shut
> down.

You ought to be able to do that and sniff the traffic -- or otherwise
work out what it's doing. Then knock up something which works from
Solaris to do the same thing, so you don't need Windows in the future.

--
dwmw2



borneo.antonio at gmail

Nov 11, 2009, 8:58 AM

Post #24 of 24 (4687 views)
Re: stuck [In reply to]

Hi Mike,

On Linux you cannot change the MAC address on tun interfaces, but tap ones
get created with a valid random MAC.
Try "--ifmode tap" on the command line or "Interface mode tap" in the config file.

Hope it works also under OpenSolaris.

Best Regards
Antonio Borneo

On Wed, Nov 11, 2009 at 11:49 PM, mike demarco <mikejd42 [at] yahoo> wrote:
> Dave:
> I did some smooth talkin and got them to let me come in through web
> authentication. My problem is that it wants a valid MAC address and the tun0
> interface comes up with a 0:0:0:0:0:0 MAC address. Is there a way to force
> a MAC?
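Added example, not code from the thread or from vpnc itself, following Antonio's tun/tap suggestion: a POSIX sh check that reads ifconfig or "ip link" style output for the interface vpnc brought up and fails when the MAC is missing or all zeros, the symptom Mike describes on tun0. The two interface listings inside it are constructed, and the output formats it parses are assumed from Solaris ifconfig, Linux net-tools and iproute2.

```shell
# Added example (not from the thread or from vpnc): does the interface vpnc
# brought up carry a usable MAC? A tun (layer-3) interface reports none or
# all zeros, which NAC web authentication keyed on the client MAC rejects;
# a tap (layer-2) interface gets a real one.

# Print the first MAC (six colon-separated hex octets) that follows an
# "ether" or "HWaddr" keyword on stdin. Assumed formats: Solaris ifconfig
# ("ether 0:0:0:0:0:0"), Linux net-tools ("HWaddr ..") and iproute2
# ("link/ether ..").
iface_mac() {
    awk '
        /ether|HWaddr/ {
            for (i = 1; i <= NF; i++) {
                f = $i
                if (f ~ /^[0-9a-fA-F:]+$/ && gsub(/:/, ":", f) == 5) {
                    print tolower(f); exit
                }
            }
        }'
}

# Succeed only if a MAC is present and has at least one non-zero hex digit
# (so 0:0:0:0:0:0 and 00:00:00:00:00:00 are both rejected).
mac_is_usable() {
    [ -n "$1" ] || return 1
    [ -n "$(printf '%s' "$1" | tr -d ':0')" ]
}

# Read interface output on stdin; return 0 only when it has a usable MAC.
vpnc_iface_check() {
    mac=$(iface_mac)
    if mac_is_usable "$mac"; then
        echo "usable MAC $mac: layer-2 (tap) interface, NAC web auth can key on it"
        return 0
    fi
    echo "no usable MAC (${mac:-none}): tun interface, retry vpnc with --ifmode tap" >&2
    return 1
}

# Constructed sample output for a vpnc tun interface and a tap interface.
TUN_SAMPLE='tun0: flags=10010008d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,IPv4,FIXEDMTU> mtu 1412
        inet 10.0.0.2 --> 10.0.0.1 netmask ffffffff
        ether 0:0:0:0:0:0'
TAP_SAMPLE='tap0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500
        inet 10.0.0.2 netmask ffffff00 broadcast 10.0.0.255
        ether 2:8:20:4c:9e:1'
# Demo on the samples (the tun one fails the check, which is the point).
printf '%s\n' "$TAP_SAMPLE" | vpnc_iface_check
printf '%s\n' "$TUN_SAMPLE" | vpnc_iface_check || true
```

On a live host, pipe `ifconfig tun0` (or `ip link show tun0`) into `vpnc_iface_check` after vpnc connects; the exit status tells a wrapper script whether to reconnect with `--ifmode tap`.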
