Mailing List Archive: vpnc: devel

How To: vpnc-nortel on Mac OS X

 

 



freek at macfreek

Nov 19, 2009, 11:56 AM

Post #1 of 18 (5003 views)
How To: vpnc-nortel on Mac OS X

A big thanks to Swapnil Pandit and Antonio Borneo for describing on this
list how to get vpnc-nortel to work on the Mac.

Since it is not yet trivial for novice users, I describe it in a HowTo:

Requirements:
1. Mac OS 10.6 (does not compile on 10.5)
2. libgcrypt
3. tuntap interface

ad 2. If you use MacPorts, you can install libgcrypt with:
sudo port install libgcrypt

ad 3. You can create tun/tap interfaces with
http://tuntaposx.sourceforge.net/download.xhtml

Now download the correct version along with three patches:

svn co -r414 http://svn.unix-ag.uni-kl.de/vpnc/branches/vpnc-nortel
cd vpnc-nortel
wget -O patch-20090822.diff \
http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/attachments/20090822/eaf50de9/attachment.bin
wget -O vpnc-script-mac \
http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/attachments/20091017/a63f103b/attachment.obj

Download the last patch in a similar fashion (it is attached to this
e-mail) and call it patch-20091104.diff:

wget -O patch-20091104.diff <URL-of-the-attachment-to-this-email>

Apply the patches:

patch -p0 < patch-20090822.diff
patch -p0 < patch-20091104.diff

Compile:

make

Copy the scripts to the correct places:

sudo cp vpnc-script-mac /etc/vpnc/vpnc-script
sudo chmod a+x /etc/vpnc/vpnc-script

Edit /etc/vpnc/default.conf

For example:
Vendor nortel
kernel ipsec
IPSec gateway 192.0.2.8
IPSec ID <your-groupuser>
IPSec secret <your-grouppassword>
Xauth username <your-personal-username>
Xauth password <your-personal-password>

Finally, run the VPN client:

./vpnc
Attachments: patch-20091104.diff (1.23 KB)


legege at legege

Nov 25, 2009, 8:41 PM

Post #2 of 18 (4861 views)
Re: How To: vpnc-nortel on Mac OS X

Could you have forgotten this in your patch?
in kernel_ipsec.c: addr->sa_len = sizeof (struct sockaddr)

--
Georges-Etienne Legendre, Eng.



On 2009-11-19, at 2:56 PM, Freek Dijkstra wrote:

> Index: kernel_ipsec.c
> ===================================================================
> --- kernel_ipsec.c (patch-20090822.diff)
> +++ kernel_ipsec.c (Mac patch)
> @@ -57,7 +57,7 @@
> do { \
> memset((sain), 0, sizeof(struct sockaddr_in)); \
> (sain)->sin_family = AF_INET; \
> - /*(sain)->sin_len = sizeof(struct sockaddr_in);*/ \
> + (sain)->sin_len = sizeof(struct sockaddr_in); \
> (sain)->sin_port = htons(0); \
> memcpy(&((sain)->sin_addr), (addr), sizeof(struct in_addr)); \
> } while(0)
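Review bot: the added line "(sain)->sin_len = sizeof(struct sockaddr_in);" is unconditional, so the macro now only compiles where sockaddr_in has a sin_len member (Mac OS X and the BSDs) and breaks the Linux build that the commented-out original avoided. Guard it with the same HAVE_SA_LEN-style switch in sysdep.h (for example a SET_SIN_LEN(sain, len) macro that expands to nothing elsewhere), and add the companion "addr->sa_len = sizeof(struct sockaddr)" for the plain sockaddr case, which this hunk leaves out.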
> Index: vpnc-script-mac
> ===================================================================
> --- vpnc-script-mac (Script by Swapnil Pandit)
> +++ vpnc-script-mac (patch)
> @@ -21,7 +21,7 @@
> Interface=`get_data State:/Network/Global/IPv4 PrimaryInterface`
> Service=`get_data State:/Network/Global/IPv4 PrimaryService`
> DefaultGW=`get_data State:/Network/Global/IPv4 Router`
> -DNS=`get_array_data State:/Network/Service/${Service}/DNS ServerAddresses`
> +DNS=`get_array_data Setup:/Network/Service/${Service}/DNS ServerAddresses`
>
> set_default_route() {
> route delete default
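Review bot: the new "DNS=`get_array_data Setup:/Network/Service/${Service}/DNS ServerAddresses`" reads the user-configured DNS servers (the Setup: tree) instead of the ones currently in effect (the State: tree), which on a DHCP-configured Mac is normally empty, so DNS may end up unset; a comment above the line should give the reason for preferring Setup:, and the later DNS handling should tolerate an empty value. As a style point, the surrounding lines use backticks for command substitution where $(...) is the POSIX sh form.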
> @@ -150,7 +150,7 @@
> show)
> ;;
> *)
> - echo "usgae: connect|disconnect|pre-init"
> + echo "usage: connect|disconnect|pre-init"
> exit 1
> ;;
> esac
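Review bot: the spelling fix is fine, but the usage text is still incomplete: the case statement above it also accepts "show", so the line should read echo "usage: connect|disconnect|pre-init|show" >&2, with the redirection to stderr since this is the error path right before "exit 1".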
> _______________________________________________
> vpnc-devel mailing list
> vpnc-devel [at] unix-ag
> https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
> http://www.unix-ag.uni-kl.de/~massar/vpnc/




legege at legege

Nov 25, 2009, 9:40 PM

Post #3 of 18 (4892 views)
Re: How To: vpnc-nortel on Mac OS X

I'm able to successfully connect. However, I'm not able to connect to any host; it's probably a routing issue. I don't see any route that goes to tun0; is that normal?

When I connect, I see something similar to:
Enter password for xxx [at] vp:

add host 200.200.200.40: gateway 192.168.1.1
delete net default
add net default: gateway 192.168.1.1

Any idea?
--
Georges-Etienne Legendre, Eng.



On 2009-11-25, at 11:41 PM, Georges-Etienne Legendre wrote:

> Could you have forgotten this in your patch?
> in kernel_ipsec.c: addr->sa_len = sizeof (struct sockaddr)
>
> --
> Georges-Etienne Legendre, Eng.




freek at macfreek

Nov 26, 2009, 1:36 PM

Post #4 of 18 (4867 views)
Re: How To: vpnc-nortel on Mac OS X

Georges-Etienne Legendre wrote:
> Could you have forgot this in your patch?
> in kernel_ipsec.c: addr->sa_len = sizeof (struct sockaddr)

Thank you, thank you, thank you, thank you!

Indeed, it was not in there, and it was the reason I could not connect.
I fixed it and just successfully connected to a Nortel VPN network, and
was able to connect to hosts in that network.

I'll attach the updated patch files with this email, and update the
howto after this mail.

Georges, feel free to contact me off-list, and see if I can help you (I
owe you one). If that works, we can summarize the results to the list.

Regards,
Freek Dijkstra
Attachments: patch-20091126.diff (33.9 KB)
  vpnc-script-mac (3.65 KB)


freek at macfreek

Nov 26, 2009, 1:44 PM

Post #5 of 18 (4881 views)
How To: vpnc-nortel on Mac OS X

A big thanks to Swapnil Pandit and Antonio Borneo for describing on this
list how to get vpnc-nortel to work on the Mac.

Since it is not yet trivial for novice users, I describe it in a HowTo:

Requirements:
1. Mac OS 10.6 (does not compile on 10.5)
2. libgcrypt
3. tuntap interface

ad 2. If you use MacPorts, you can install libgcrypt with:
sudo port install libgcrypt

ad 3. You can create tun/tap interfaces with
http://tuntaposx.sourceforge.net/download.xhtml

Now download the correct version along with three patches:

svn co -r414 http://svn.unix-ag.uni-kl.de/vpnc/branches/vpnc-nortel
cd vpnc-nortel
wget -O patch-20091126.diff \
http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/attachments/20091126/f6d9ec09/attachment.txt
wget -O vpnc-script-mac \
http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/attachments/20091126/f6d9ec09/attachment-0001.txt

Apply the patch:

patch -p0 < patch-20091126.diff

Compile:

make

Copy the scripts to the correct places:

sudo cp vpnc-script-mac /etc/vpnc/vpnc-script
sudo chmod a+x /etc/vpnc/vpnc-script

Edit /etc/vpnc/default.conf

For example:

Vendor nortel
kernel ipsec
IPSec gateway 192.0.2.8
Local Port 501
IKE Authmode gpassword
IKE DH group dh1
Enable Single DES
IPSec ID <your-groupuser>
IPSec secret <your-grouppassword>
Xauth username <your-personal-username>
Xauth password <your-personal-password>

Finally, run the VPN client:

./vpnc


DISCLAIMER: I have been able to connect to a Nortel VPN this way, but
have not extensively tested the Mac script. Please watch this list for
updates. Hopefully all of this will soon be committed to the repository.


Regards,
Freek Dijkstra


freek at macfreek

Nov 26, 2009, 2:18 PM

Post #6 of 18 (4856 views)
Re: How To: vpnc-nortel on Mac OS X

Georges-Etienne Legendre wrote:
> I'm able to successfully connect. However, I'm not able to connect to any host; it's probably a routing issue. I don't see any route that goes to tun0; is that normal?
>
> When I connect, I see something similar to:
> Enter password for xxx [at] vp:
>
> add host 200.200.200.40: gateway 192.168.1.1
> delete net default
> add net default: gateway 192.168.1.1
>
> Any idea?

Hi Georges,

There still seems to be a bug in setting the routing tables. That might
be related.

If I run vpnc, I get this message:

add host 192.0.2.10: gateway 10.100.1.33
add net 192.168.64.0: gateway 255.255.240.0
d.add: too few arguments
VPNC started in background (pid: 32434)...

(I'll ignore the d.add error for now)

The above is correct, but does NOT match what I see in my routing table:

~% netstat -rnl -f inet
Routing tables

Internet:
Destination Gateway Flags Netif
default 10.100.1.33 UGSc en0
127.0.0.0/8 127.0.0.1 UCS lo0
127.0.0.1 127.0.0.1 UH lo0
10.100.1.32/28 link#4 UCS en0
192.168.64.0/24 255.255.240.0 UGSc en0 *
192.0.2.10 10.100.1.33 UGHS en0 *
169.254.0.0/16 link#4 UCS en0

Where * are entries added after I run vpnc.

In the above, I replaced:
10.100.1.32/28 -- my home network
10.100.1.33 -- my gateway
192.0.2.10 -- the VPN server
192.168.64.0/20 -- the VPN network

Clearly, 192.168.64.0/24 gw 255.255.240.0 is wrong and should be
something like 192.168.64.0/20. I can connect to hosts in
192.168.64.0/24, but not in 192.168.65.0/24 (in 192.168.64.0/20 but
outside 192.168.64.0/24).

Again, contact me off-list for unedited info (I did modify the IP
addresses from public to private or documentation ranges).

Regards,
Freek


borneo.antonio at gmail

Nov 26, 2009, 8:45 PM

Post #7 of 18 (4862 views)
Re: How To: vpnc-nortel on Mac OS X

On Fri, Nov 27, 2009 at 5:44 AM, Freek Dijkstra <freek [at] macfreek> wrote:
> A big thanks to Swapnil Pandit and Antonio Borneo for describing on this
> list how to get vpnc-nortel to work on the Mac.

Freek, Georges-Etienne,
thanks for your contribution. Since I don't have any Mac experience nor
HW, my contribution is limited.

I'm surprised you have to use a new script! I was expecting the
default one was already working on Mac, at least for Cisco case.
Can you provide it as patch to default script?

Regarding your patch for "sa_len" and "sin_len":
neither field is available on Linux. Your code will not compile outside
of Mac (maybe it will on other BSD-like systems).
I suggest you put the system dependencies in sysdep.h, taking code from
existing GPL projects like
http://web.mit.edu/kolya/.f/root/net.mit.edu/sipb.mit.edu/project/ruby-lang/src/linux/ruby-1.9.1-rc1/ext/socket/sockport.h

First of all in sysdep.h, together with HAVE_SA_LEN, you have to
define the macro HAVE_SIN_LEN.
Later on, in same file:
#ifdef HAVE_SA_LEN
# define SA_LEN(sa) (sa)->sa_len
# define SET_SA_LEN(sa, len) (sa)->sa_len = (len)
#else
# ifdef INET6
# define SA_LEN(sa) \
(((sa)->sa_family == AF_INET6) ? sizeof(struct sockaddr_in6) \
: sizeof(struct sockaddr))
# else
/* by tradition, sizeof(struct sockaddr) covers most of the sockaddrs */
# define SA_LEN(sa) (sizeof(struct sockaddr))
# endif
# define SET_SA_LEN(sa, len) (len)
#endif

#ifdef HAVE_SIN_LEN
# define SIN_LEN(si) (si)->sin_len
# define SET_SIN_LEN(si,len) (si)->sin_len = (len)
#else
# define SIN_LEN(si) sizeof(struct sockaddr_in)
# define SET_SIN_LEN(si,len) (len)
#endif

With such macro definition, in kernel_ipsec.c you can avoid #ifdef and
write directly
- (sain)->sin_len = sizeof(struct sockaddr_in);
+ SET_SIN_LEN(sain, sizeof(struct sockaddr_in));
...
- #ifdef HAVE_SA_LEN
- addr->sa_len = sizeof(struct sockaddr);
- #endif
+ SET_SA_LEN(addr, sizeof(struct sockaddr));

Best Regards,
Antonio Borneo
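The sysdep.h approach Antonio sketches above, together with the missing sa_len assignment Georges pointed out, carried through as an added example that is not vpnc's own code: HAVE_SA_LEN and HAVE_SIN_LEN are set from the platform (the platform test is an assumption), the patch's sockaddr_in initialisation is rewritten on top of SET_SIN_LEN(), and a consistency check confirms that the fields a BSD kernel trusts match the struct actually built. The build_and_verify() and parsed_ip_host_order() helpers are mine.

```c
/* Added example (not vpnc's code): sysdep.h-style length macros so the
 * patched sockaddr_in setup builds on Mac OS X/BSD and Linux alike. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* --- the part that would live in sysdep.h (platform test is an assumption) --- */
#if defined(__APPLE__) || defined(__FreeBSD__) || defined(__NetBSD__) || \
    defined(__OpenBSD__)
# define HAVE_SA_LEN
# define HAVE_SIN_LEN
#endif

#ifdef HAVE_SA_LEN
# define SA_LEN(sa)           ((sa)->sa_len)
# define SET_SA_LEN(sa, len)  ((sa)->sa_len = (len))
#else
/* by tradition sizeof(struct sockaddr) covers the IPv4 sockaddrs */
# define SA_LEN(sa)           (sizeof(struct sockaddr))
# define SET_SA_LEN(sa, len)  ((void)(len))   /* no such field: no-op */
#endif

#ifdef HAVE_SIN_LEN
# define SIN_LEN(si)          ((si)->sin_len)
# define SET_SIN_LEN(si, len) ((si)->sin_len = (len))
#else
# define SIN_LEN(si)          (sizeof(struct sockaddr_in))
# define SET_SIN_LEN(si, len) ((void)(len))   /* no such field: no-op */
#endif

/* --- what the patched macro in kernel_ipsec.c turns into --- */
static void init_sockaddr_in(struct sockaddr_in *sain, const struct in_addr *addr)
{
    memset(sain, 0, sizeof(struct sockaddr_in));
    sain->sin_family = AF_INET;
    SET_SIN_LEN(sain, sizeof(struct sockaddr_in)); /* sets sin_len only on BSD */
    sain->sin_port = htons(0);
    memcpy(&sain->sin_addr, addr, sizeof(struct in_addr));
}

/* Build from dotted-quad text; returns 0 on malformed input. */
static int sockaddr_in_from_text(struct sockaddr_in *sain, const char *text)
{
    struct in_addr a;
    if (inet_pton(AF_INET, text, &a) != 1)
        return 0;
    init_sockaddr_in(sain, &a);
    return 1;
}

/* The fields a BSD kernel trusts when it reads the struct back (family and
 * the length byte) must agree with the struct we actually built. */
static int sockaddr_in_is_consistent(const struct sockaddr_in *sain)
{
    if (sain->sin_family != AF_INET)
        return 0;
    if (SIN_LEN(sain) != sizeof(struct sockaddr_in))
        return 0;
    /* sockaddr and sockaddr_in are both 16 bytes, so the generic view must agree */
    if (SA_LEN((const struct sockaddr *)sain) != sizeof(struct sockaddr_in))
        return 0;
    return 1;
}

/* Parse, initialise and verify in one step: 1 on success, 0 otherwise. */
static int build_and_verify(const char *text)
{
    struct sockaddr_in s;
    return sockaddr_in_from_text(&s, text) && sockaddr_in_is_consistent(&s);
}

/* The address in host byte order, or 0 when the text does not parse. */
static unsigned long parsed_ip_host_order(const char *text)
{
    struct sockaddr_in s;
    if (!sockaddr_in_from_text(&s, text))
        return 0;
    return (unsigned long)ntohl(s.sin_addr.s_addr);
}

int main(void)
{
    /* 192.0.2.8 is the documentation-range gateway from the HowTo's default.conf */
    printf("192.0.2.8 -> %s (0x%lx)\n",
           build_and_verify("192.0.2.8") ? "consistent" : "BROKEN",
           parsed_ip_host_order("192.0.2.8"));
    printf("not-an-ip -> %s\n", build_and_verify("not-an-ip") ? "accepted?!" : "rejected");
    return 0;
}
```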


freek at macfreek

Nov 27, 2009, 4:12 AM

Post #8 of 18 (4862 views)
Re: How To: vpnc-nortel on Mac OS X

Antonio Borneo wrote:

> Freek, Georges-Etienne,
> thanks for your contribution. Since I don't have any Mac experience nor
> HW, my contribution is limited.
>
> I'm surprised you have to use a new script! I was expecting the
> default one was already working on Mac, at least for Cisco case.
> Can you provide it as patch to default script?

Hi Antonio,

Thanks for your reply. I'll have a look at whether the default script works
on a Mac. Since it is POSIX compatible, let's hope so. The Mac script by
Swapnil uses the Mac-specific SystemConfiguration framework. I agree
that if the POSIX version works, that's better, because Apple has the
habit of changing the underlying system configuration once every few OSes.

I'll have a look at the code too, but don't expect too much result. It
is a LONG time since I touched C code. Your pointers to the macros are very
helpful though.

Just a quick question: are the routing tables modified by the script or
by call to the socket library from the C code as well?

Regards,
Freek


borneo.antonio at gmail

Nov 27, 2009, 4:24 AM

Post #9 of 18 (4844 views)
Re: How To: vpnc-nortel on Mac OS X

On Fri, Nov 27, 2009 at 8:12 PM, Freek Dijkstra <freek [at] macfreek> wrote:
> Just a quick question: are the routing tables modified by the script or
> by call to the socket library from the C code as well?

Freek,
the routing table is fully handled by the script.

Best Regards,
Antonio


dwmw2 at infradead

Nov 27, 2009, 4:46 AM

Post #10 of 18 (4851 views)
Re: How To: vpnc-nortel on Mac OS X

On Fri, 2009-11-27 at 12:45 +0800, Antonio Borneo wrote:
> I'm surprised you have to use a new script! I was expecting the
> default one was already working on Mac, at least for Cisco case.
> Can you provide it as patch to default script?

Or perhaps as a patch to the updated script at
http://git.infradead.org/users/dwmw2/vpnc-scripts.git which already
supports more platforms than the one in vpnc svn.

--
dwmw2



legege at legege

Nov 27, 2009, 6:15 PM

Post #11 of 18 (4873 views)
Re: How To: vpnc-nortel on Mac OS X

> I'm surprised you have to use a new script! I was expecting the
> default one was already working on Mac, at least for Cisco case.
> Can you provide it as patch to default script?
>

Even with the default script it doesn't work. I'm wondering if it's really at the routing level. Let me explain what I have:

In my examples, I replaced:
192.168.1.0/24 -- my home network
192.168.1.1 -- my gateway
192.168.1.91 -- my host IP
10.200.200.20 -- the VPN server
10.10.0.0/20 -- the VPN network
10.10.0.213 -- the VPN assigned IP
0:1x:fx:dx:9x:1x -- MAC address

Please refer to situation #1, #2 and #3 below for routing tables, ifconfig, ...

Is there someone who can help? I've also used tcpdump on tun0, but there are no intercepted packets. However, I see ESP packets going to the VPN server (which makes me wonder whether it is really a routing problem); nothing is coming back: IP 192.168.1.91 > 10.200.200.20: ESP(spi=0xc40e5cc3,seq=0xd), length 116
Even a ping to my VPN address is not working, something that works on Windows.

======= Situation #1: on Windows, this obviously works =======

Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.10.0.213 10.10.0.213 1
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.91 11
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
10.10.0.0 255.255.240.0 10.10.0.213 10.10.0.213 30
10.10.0.213 255.255.255.255 127.0.0.1 127.0.0.1 30
10.10.255.255 255.255.255.255 10.10.0.213 10.10.0.213 30
192.168.1.0 255.255.255.0 192.168.1.91 192.168.1.91 10
192.168.1.0 255.255.255.0 10.10.0.213 10.10.0.213 1
192.168.1.91 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.1.255 255.255.255.255 192.168.1.91 192.168.1.91 10
10.200.200.20 255.255.255.255 192.168.1.1 192.168.1.91 1
224.0.0.0 240.0.0.0 192.168.1.91 192.168.1.91 10
224.0.0.0 240.0.0.0 10.10.0.213 10.10.0.213 1
255.255.255.255 255.255.255.255 10.10.0.213 10.10.0.213 1
255.255.255.255 255.255.255.255 10.10.0.213 3 1
255.255.255.255 255.255.255.255 192.168.1.91 192.168.1.91 1
Default Gateway: 10.10.0.213

====== Situation #2: On Mac OS X, with the vpnc-script r414; not working ======

To me, it looks really similar to the one I get on Windows. But it doesn't work.

Destination Gateway Flags Refs Use Netif Expire
default 10.10.0.213 UGSc 0 0 tun0
default tun0 UCSI 4 0 tun0
127 127.0.0.1 UCS 0 0 lo0
127.0.0.1 127.0.0.1 UH 0 0 lo0
10.10.0.213 10.10.0.213 UH 1 0 tun0
10.10.0.213/32 tun0 UCS 0 0 tun0
169.254 link#4 UCS 0 0 en0
192.168.1 link#4 UCS 2 0 en0
192.168.1.91 127.0.0.1 UHS 0 0 lo0
10.200.200.20 192.168.1.1 UGHS 2 1 en0

** ifconfig for en0 and tun0 **

en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
inet 192.168.1.91 netmask 0xffffff00 broadcast 192.168.1.255
ether 00:1x:fx:dx:9x:1x
media: autoselect (100baseTX <full-duplex,flow-control>) status: active
supported media: autoselect 10baseT/UTP <half-duplex> 10baseT/UTP <full
tun0: flags=8951<UP,POINTOPOINT,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1412
inet 10.10.0.213 --> 10.10.0.213 netmask 0xfffff000
open (pid 482)

====== Situation #3: On Mac OS X, with the vpnc-script-mac; not working ======

Destination Gateway Flags Refs Use Netif Expire
default 192.168.1.1 UGSc 2 0 en0
127 127.0.0.1 UCS 0 0 lo0
127.0.0.1 127.0.0.1 UH 0 0 lo0
10.10/20 link#4 UC 2 0 en0
10.10.0.213 0:1x:fx:dx:9x:1x UHLWI 0 1 lo0
10.10.15.255 ff:ff:ff:ff:ff:ff UHLWbI 0 3 en0
169.254 link#4 UCS 0 0 en0
192.168.1 link#4 UCS 4 0 en0
192.168.1.91 127.0.0.1 UHS 0 0 lo0
192.168.1.255 ff:ff:ff:ff:ff:ff UHLWbI 0 1 en0
10.200.200.20 192.168.1.1 UGHS 2 1 en0

** ifconfig for en0 and tun0 **

en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
inet 10.10.0.213 netmask 0xfffff000 broadcast 10.10.15.255
inet 192.168.1.91 netmask 0xffffff00 broadcast 192.168.1.255
ether 00:1x:fx:dx:9x:1x
media: autoselect (100baseTX <full-duplex,flow-control>) status: active
supported media: autoselect 10baseT/UTP <half-duplex> 10baseT/UTP <full
tun0: flags=8850<POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
open (pid 606)

--
Georges-Etienne Legendre, Eng.



legege at legege

Nov 27, 2009, 6:16 PM

Post #12 of 18 (4848 views)
Re: How To: vpnc-nortel on Mac OS X

> If I run vpnc, I get this message:
>
> add host 192.0.2.10: gateway 10.100.1.33
> add net 192.168.64.0: gateway 255.255.240.0
> d.add: too few arguments

I already investigated this error, it's because the variable ${CISCO_DEF_DOMAIN} is empty. This is for DNS settings, I commented out all DNS for now. Of course, that didn't solve the problem.

--
Georges-Etienne Legendre, Eng.




jengelh at medozas

Nov 28, 2009, 12:35 AM

Post #13 of 18 (4841 views)
Re: How To: vpnc-nortel on Mac OS X

On Saturday 2009-11-28 03:15, Georges-Etienne Legendre wrote:

>> I'm surprised you have to use a new script! I was expecting the
>> default one was already working on Mac, at least for Cisco case.
>> Can you provide it as patch to default script?
>>
>
>Even with the default script it doesn't work. I'm wondering if it's
>really at the routing level. Let me explain what I have:
>
>====== Situation #2: On Mac OS X, with the vpnc-script r414; not working ======


If there was a version where it was working before, I suggest bisecting.


freek at macfreek

Nov 28, 2009, 2:31 PM

Post #14 of 18 (4830 views)
Re: How To: vpnc-nortel on Mac OS X

Freek Dijkstra wrote:

> I'll have a look if the default script will work on a Mac.

Good news: It works for me without modifications.

So my VPN tunnel works just *perfect* right now, thanks a lot!

I'll reply to Georges' problem separately. A possible distinction is that
I don't change my default gateway or DNS; only traffic directly destined
for the VPN is routed there through the tunnel. This might be an
uncommon setup (I presume it only works if the host names in the VPN
network can be resolved by DNS outside of the VPN network; that is the
case for me; our VPN uses public IP addresses).

Regards,
Freek



freek at macfreek

Nov 28, 2009, 2:52 PM

Post #15 of 18 (4829 views)
Re: How To: vpnc-nortel on Mac OS X

Hi Georges,

Some random thoughts I had while reading your routing tables.

Georges-Etienne Legendre wrote:

> ======= Situation #1: on Windows, this obviously work =======
>
> Network Destination Netmask Gateway Interface Metric
> 0.0.0.0 0.0.0.0 10.10.0.213 10.10.0.213 1
> 0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.91 11

I very much dislike two "default" routes, but with the metric, at least
I know the first one is preferred. So am I right that with Windows *all*
your traffic is going over the VPN link?

> 10.10.0.0 255.255.240.0 10.10.0.213 10.10.0.213 30
[...]
> 10.10.255.255 255.255.255.255 10.10.0.213 10.10.0.213 30

Curious (but harmless) entry; why would Windows make a separate entry for
the broadcast address (the one for 10.10.0.0 would cover this already)?


> ====== Situation #2: On Mac OS X, with the vpnc-script r414; not working ======
>
> To mee, it looks really similar to the one I get on Windows. But it doesn't work.
>
> Destination Gateway Flags Refs Use Netif Expire
> default 10.10.0.213 UGSc 0 0 tun0
> default tun0 UCSI 4 0 tun0

Again, I very much dislike two default gateways. You may want to manually
remove one of them. In this case, I also don't understand what the
second one means.

If you want *all* traffic to use your VPN network (including traffic
with destination outside of your VPN network):

> default 10.10.0.213 UGSc 0 0 tun0

If you want traffic destined to outside of your VPN network to continue
using the regular Internet as-is:

> default 192.168.1.1 UGSc 0 0 en0




> 127 127.0.0.1 UCS 0 0 lo0
> 127.0.0.1 127.0.0.1 UH 0 0 lo0
> 10.10.0.213 10.10.0.213 UH 1 0 tun0
> 10.10.0.213/32 tun0 UCS 0 0 tun0
> 169.254 link#4 UCS 0 0 en0
> 192.168.1 link#4 UCS 2 0 en0
> 192.168.1.91 127.0.0.1 UHS 0 0 lo0
> 10.200.200.20 192.168.1.1 UGHS 2 1 en0

This routing table will clearly not work. There is no entry for your VPN
network, 10.10.0.0/20.

> tun0: flags=8951<UP,POINTOPOINT,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1412
> inet 10.10.0.213 --> 10.10.0.213 netmask 0xfffff000
> open (pid 482)

Seems OK, even though the two IP addresses are the same (apparently the
one on the left is the IP assigned to your tun0 interface; the IP on the
right is the IP assigned to the VPN gateway inside the VPN network). For
my PPTP tunnel set up with Mac OS X, it is a different IP. For my
vpnc-nortel tunnel it is the same IP.


> ====== Situation #3: On Mac OS X, with the vpnc-script-mac; not working ======
>
> Destination Gateway Flags Refs Use Netif Expire
> default 192.168.1.1 UGSc 2 0 en0
> 127 127.0.0.1 UCS 0 0 lo0
> 127.0.0.1 127.0.0.1 UH 0 0 lo0
> 10.10.0/20 link#4 UC 2 0 en0
> 10.10.0.213 0:1x:fx:dx:9x:1x UHLWI 0 1 lo0
> 10.10.15.255 ff:ff:ff:ff:ff:ff UHLWbI 0 3 en0
> 169.254 link#4 UCS 0 0 en0
> 192.168.1 link#4 UCS 4 0 en0
> 192.168.1.91 127.0.0.1 UHS 0 0 lo0
> 192.168.1.255 ff:ff:ff:ff:ff:ff UHLWbI 0 1 en0
> 10.200.200.20 192.168.1.1 UGHS 2 1 en0
>
> ** ifconfig for en0 and tun0 **
>
> en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
> inet 10.10.0.213 netmask 0xfffff000 broadcast 10.10.15.255
> inet 192.168.1.91 netmask 0xffffff00 broadcast 192.168.1.255
> ether 00:1x:fx:dx:9x:1x
> media: autoselect (100baseTX <full-duplex,flow-control>) status: active
> supported media: autoselect 10baseT/UTP <half-duplex> 10baseT/UTP <full
> tun0: flags=8850<POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> open (pid 606)

Here your IP is assigned to en0 instead of to tun0. This will not work.

I recommend you try the regular (non-Mac) vpnc script and add or
modify the routing table manually.


Given how my routing table looks, I would expect yours to look like this:

> Destination Gateway Flags Refs Use Netif Expire
> default 192.168.1.1 UGSc 2 0 en0
> 127 127.0.0.1 UCS 0 0 lo0
> 127.0.0.1 127.0.0.1 UH 0 0 lo0
> 192.168.1 link#4 UCS 2 0 en0
> 192.168.1.91 127.0.0.1 UHS 0 0 lo0
> 192.168.1 link#4 UCS 4 0 en0
> 192.168.1.255 ff:ff:ff:ff:ff:ff UHLWbI 0 1 en0
> 10.10.0.213 10.10.0.213 UH 1 0 tun0
> 10.10.0/20 10.10.0.213 UGSc 2 0 tun0
> 10.200.200.20 192.168.1.1 UGHS 2 1 en0
> 169.254 link#4 UCS 0 0 en0

I would expect your ifconfig to look exactly like it does for your
scenario #2:

> en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
> inet 192.168.1.91 netmask 0xffffff00 broadcast 192.168.1.255
> ether 00:1x:fx:dx:9x:1x
> media: autoselect (100baseTX <full-duplex,flow-control>) status: active
> supported media: autoselect 10baseT/UTP <half-duplex> 10baseT/UTP <full
> tun0: flags=8951<UP,POINTOPOINT,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1412
> inet 10.10.0.213 --> 10.10.0.213 netmask 0xfffff000
> open (pid 482)


However, before you start modifying your routing table, you first must
answer:

* Should only traffic destined to your VPN network use the tunnel, or
* Should *all* traffic use the tunnel, even if its destination is
outside of the VPN network?

The above table is only for the first scenario.

If you need help with the correct "route" commands to manually create
the above routing table, let me know!

Regards,
Freek

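The routing reasoning in posts #6 and #15, as an added example that is not from the thread: a longest-prefix-match lookup run over the tables discussed there (addresses taken from the posts; the probe hosts 10.10.5.7, 192.168.65.7 and 198.51.100.1 are constructed, and the gateway in the corrected post #6 table is assumed). It shows that a /24 entry misses most of a /20 VPN network, that a duplicated default route makes the outcome order-dependent, and that the VPN server's host route keeps ESP traffic on en0 even when the default route points into the tunnel.

```c
/* Added example (not from the thread): longest-prefix-match over the
 * routing tables of posts #6 and #15; the probe hosts are constructed. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One netstat -rn line: "default" or a network, prefix length, gateway, interface */
struct route { const char *dest; int plen; const char *gateway; const char *netif; };
#define N(t) ((int)(sizeof(t) / sizeof((t)[0])))

static int parse_ip(const char *text, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, text, &a) != 1)
        return 0;
    *out = ntohl(a.s_addr);
    return 1;
}

static uint32_t prefix_mask(int plen)
{
    return plen <= 0 ? 0u : (uint32_t)(0xFFFFFFFFu << (32 - plen));
}

/* Index of the most specific matching entry, or -1. Ties keep the first
 * entry, which is why two "default" lines make the result order-dependent. */
static int lookup(const struct route *tbl, int n, const char *dst_text)
{
    uint32_t dst, net;
    int best = -1, best_len = -1;
    if (!parse_ip(dst_text, &dst))
        return -1;
    for (int i = 0; i < n; i++) {
        if (strcmp(tbl[i].dest, "default") == 0)
            net = 0;
        else if (!parse_ip(tbl[i].dest, &net))
            continue;
        uint32_t m = prefix_mask(tbl[i].plen);
        if ((dst & m) == (net & m) && tbl[i].plen > best_len) {
            best = i;
            best_len = tbl[i].plen;
        }
    }
    return best;
}

/* Interface a packet to dst leaves on, or NULL when nothing matches. */
static const char *egress_if(const struct route *tbl, int n, const char *dst)
{
    int i = lookup(tbl, n, dst);
    return i < 0 ? NULL : tbl[i].netif;
}

static int count_defaults(const struct route *tbl, int n)
{
    int c = 0;
    for (int i = 0; i < n; i++)
        c += strcmp(tbl[i].dest, "default") == 0;
    return c;
}

/* Post #15's expected split-tunnel table: only 10.10.0.0/20 enters tun0 and
 * the VPN server 10.200.200.20 keeps its host route over en0. */
static const struct route split_tbl[] = {
    { "default",       0,  "192.168.1.1", "en0"  },
    { "127.0.0.0",     8,  "127.0.0.1",   "lo0"  },
    { "192.168.1.0",   24, "link#4",      "en0"  },
    { "10.10.0.213",   32, "10.10.0.213", "tun0" },
    { "10.10.0.0",     20, "10.10.0.213", "tun0" },
    { "10.200.200.20", 32, "192.168.1.1", "en0"  },
};
/* Georges' situation #2: everything into tun0, with a duplicated default. */
static const struct route situation2_tbl[] = {
    { "default",       0,  "10.10.0.213", "tun0" },
    { "default",       0,  "tun0",        "tun0" },
    { "192.168.1.0",   24, "link#4",      "en0"  },
    { "10.200.200.20", 32, "192.168.1.1", "en0"  },
};
/* Post #6: the VPN net landed as a /24 with the netmask in the gateway column... */
static const struct route post6_tbl[] = {
    { "default",      0,  "10.100.1.33",   "en0" },
    { "192.168.64.0", 24, "255.255.240.0", "en0" },
    { "192.0.2.10",   32, "10.100.1.33",   "en0" },
};
/* ...and with the intended /20 (gateway value assumed for this example). */
static const struct route post6_fixed_tbl[] = {
    { "default",      0,  "10.100.1.33", "en0" },
    { "192.168.64.0", 20, "10.100.1.33", "en0" },
    { "192.0.2.10",   32, "10.100.1.33", "en0" },
};

int main(void)
{
    printf("split: 10.10.5.7 -> %s, 198.51.100.1 -> %s\n",
           egress_if(split_tbl, N(split_tbl), "10.10.5.7"),
           egress_if(split_tbl, N(split_tbl), "198.51.100.1"));
    printf("post #6: 192.168.65.7 hits entry %d with the /24, %d with the /20\n",
           lookup(post6_tbl, N(post6_tbl), "192.168.65.7"),
           lookup(post6_fixed_tbl, N(post6_fixed_tbl), "192.168.65.7"));
    return 0;
}
```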


legege at legege

Nov 29, 2009, 6:52 PM

Post #16 of 18 (4808 views)
Permalink
Re: How To: vpnc-nortel on Mac OS X [In reply to]

Freek,

I tried on Linux, and the vpnc-nortel r414 no longer works with my VPN gateway. It definitely used to work, I'll investigate.

--
Georges-Etienne Legendre, Eng.



On 2009-11-28, at 5:52 PM, Freek Dijkstra wrote:

> Hi Georges,
>
> Some random thoughts I had while reading your routing tables.
>
> Georges-Etienne Legendre wrote:
>
>> ======= Situation #1: on Windows, this obviously work =======
>>
>> Network Destination Netmask Gateway Interface Metric
>> 0.0.0.0 0.0.0.0 10.10.0.213 10.10.0.213 1
>> 0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.91 11
>
> I very much dislike two "default" routes, but with the metric, at least
> I know the first one is preferred. So am I right that with Windows *all*
> your traffic is going over the VPN link?
>
>> 10.10.0.0 255.255.240.0 10.10.0.213 10.10.0.213 30
> [...]
>> 10.10.255.255 255.255.255.255 10.10.0.213 10.10.0.213 30
>
> Curious (but harmless) entry; why would Windows make a separate entry for
> the broadcast address (the one for 10.10.0.0 would cover this already)?
>
>
>> ====== Situation #2: On Mac OS X, with the vpnc-script r414; not working ======
>>
>> To me, it looks really similar to the one I get on Windows. But it doesn't work.
>>
>> Destination Gateway Flags Refs Use Netif Expire
>> default 10.10.0.213 UGSc 0 0 tun0
>> default tun0 UCSI 4 0 tun0
>
> Again, I very much dislike two default gateways. You may want to manually
> remove one of them. In this case, I also don't understand what the
> second one means.
>
> If you want *all* traffic to use your VPN network (including traffic
> with destination outside of your VPN network):
>
>> default 10.10.0.213 UGSc 0 0 tun0
>
> If you want traffic destined to outside of your VPN network to continue
> using the regular Internet as-is:
>
>> default 192.168.1.1 UGSc 0 0 en0
>
>
>
>
>> 127 127.0.0.1 UCS 0 0 lo0
>> 127.0.0.1 127.0.0.1 UH 0 0 lo0
>> 10.10.0.213 10.10.0.213 UH 1 0 tun0
>> 10.10.0.213/32 tun0 UCS 0 0 tun0
>> 169.254 link#4 UCS 0 0 en0
>> 192.168.1 link#4 UCS 2 0 en0
>> 192.168.1.91 127.0.0.1 UHS 0 0 lo0
>> 10.200.200.20 192.168.1.1 UGHS 2 1 en0
>
> This routing table will clearly not work. There is no entry for your VPN
> network, 10.10.0.0/20.
>
>> tun0: flags=8951<UP,POINTOPOINT,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1412
>> inet 10.10.0.213 --> 10.10.0.213 netmask 0xfffff000
>> open (pid 482)
>
> Seems OK, even though the two IP addresses are the same (apparently the
> one on the left is the IP assigned to your tun0 interface; the IP on the
> right is the IP assigned to the VPN gateway inside the VPN network. For
> my PPTP tunnel I set up with Mac OS X, it is a different IP. For my
> vpnc-nortel tunnel it is the same IP.)
>
>
>> ====== Situation #3: On Mac OS X, with the vpnc-script-mac; not working ======
>>
>> Destination Gateway Flags Refs Use Netif Expire
>> default 192.168.1.1 UGSc 2 0 en0
>> 127 127.0.0.1 UCS 0 0 lo0
>> 127.0.0.1 127.0.0.1 UH 0 0 lo0
>> 10.10.0/20 link#4 UC 2 0 en0
>> 10.10.0.213 0:1x:fx:dx:9x:1x UHLWI 0 1 lo0
>> 10.10.15.255 ff:ff:ff:ff:ff:ff UHLWbI 0 3 en0
>> 169.254 link#4 UCS 0 0 en0
>> 192.168.1 link#4 UCS 4 0 en0
>> 192.168.1.91 127.0.0.1 UHS 0 0 lo0
>> 192.168.1.255 ff:ff:ff:ff:ff:ff UHLWbI 0 1 en0
>> 10.200.200.20 192.168.1.1 UGHS 2 1 en0
>>
>> ** ifconfig for en0 and tun0 **
>>
>> en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
>> inet 10.10.0.213 netmask 0xfffff000 broadcast 10.10.15.255
>> inet 192.168.1.91 netmask 0xffffff00 broadcast 192.168.1.255
>> ether 00:1x:fx:dx:9x:1x
>> media: autoselect (100baseTX <full-duplex,flow-control>) status: active
>> supported media: autoselect 10baseT/UTP <half-duplex> 10baseT/UTP <full
>> tun0: flags=8850<POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>> open (pid 606)
>
> Here your IP is assigned to en0 instead of to tun0. This will not work.
>
> I recommend you try the regular (non Mac) vpnc script and add or
> modify the routing table manually.
>
>
> Given how my routing table looks, I would expect yours to look like this:
>
>> Destination Gateway Flags Refs Use Netif Expire
>> default 192.168.1.1 UGSc 2 0 en0
>> 127 127.0.0.1 UCS 0 0 lo0
>> 127.0.0.1 127.0.0.1 UH 0 0 lo0
>> 192.168.1 link#4 UCS 2 0 en0
>> 192.168.1.91 127.0.0.1 UHS 0 0 lo0
>> 192.168.1 link#4 UCS 4 0 en0
>> 192.168.1.255 ff:ff:ff:ff:ff:ff UHLWbI 0 1 en0
>> 10.10.0.213 10.10.0.213 UH 1 0 tun0
>> 10.10.0/20 10.10.0.213 UGSc 2 0 tun0
>> 10.200.200.20 192.168.1.1 UGHS 2 1 en0
>> 169.254 link#4 UCS 0 0 en0
>
> I would expect your ifconfig to look exactly like it does for your
> scenario #2:
>
>> en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
>> inet 192.168.1.91 netmask 0xffffff00 broadcast 192.168.1.255
>> ether 00:1x:fx:dx:9x:1x
>> media: autoselect (100baseTX <full-duplex,flow-control>) status: active
>> supported media: autoselect 10baseT/UTP <half-duplex> 10baseT/UTP <full
>> tun0: flags=8951<UP,POINTOPOINT,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1412
>> inet 10.10.0.213 --> 10.10.0.213 netmask 0xfffff000
>> open (pid 482)
>
>
> However, before you start modifying your routing table, you first must
> answer:
>
> * Should only traffic destined to your VPN network use the tunnel, or
> * Should *all* traffic use the tunnel, even if its destination is
> outside of the VPN network?
>
> The above table is only for the first scenario.
>
> If you need help with the correct "route" commands to manually create
> the above routing table, let me know!
>
> Regards,
> Freek
>




freek at macfreek

Dec 6, 2009, 5:10 PM

Post #17 of 18 (4647 views)
Permalink
Re: How To: vpnc-nortel on Mac OS X [In reply to]

Antonio, others,

Thanks for all the work.

I just combined all feedback in a single patch file.
- it is a patch against r449, the latest
- it contains all the IPsec code
- it contains minor fixes for the printf warnings
- it contains better feedback in case the tun/tap kernel extension
is not installed ("interface does not exist" instead of
"no such file")
- it contains the SA_LEN and SIN_LEN macros as suggested by Antonio.

I tested this patch on the following platforms:
- Linux (Debian) on powerpc G4 (32 bit)
- Mac OS 10.5 on powerpc G4 (32 bit)
- Mac OS 10.5 on Intel (32 bit)
- Mac OS 10.6 on Intel (64 bit)

In all cases, I could make a working VPN connection.

Please test and verify the following change I made (while moving from
r414 to r449): did I correctly move the call of kernel_ipsec_shutdown()
from vpnc_main_loop() to close_tunnel()? I think so, but please check.

If it works, could you please apply this patch to the subversion repository?

Thanks,
Freek
Attachments: patch-20091206.diff (36.4 KB)


freek at macfreek

Dec 6, 2009, 5:18 PM

Post #18 of 18 (4644 views)
Permalink
Re: How To: vpnc-nortel on Mac OS X [In reply to]

Freek Dijkstra wrote:

> I tested this patch on the following platforms:
> - Linux (Debian) on powerpc G4 (32 bit)
> - Mac OS 10.5 on powerpc G4 (32 bit)
> - Mac OS 10.5 on Intel (32 bit)
> - Mac OS 10.6 on Intel (64 bit)
>
> In all cases, I could make a working VPN connection.

Bummer, correct that.

I was indeed able to create the connection with the vpnc-script from
r414, but the r449 vpnc-script no longer works. I'll have another look
later.

Freek
