Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: vpnc: devel

vpnc connection hangs on fedora 12

  

 
First page Previous page 1 2 Next page Last page  View All vpnc devel RSS feed   Index | Next | Previous | View Threaded


jengelh at medozas

Nov 24, 2009, 1:19 AM

Post #26 of 32 (1775 views)
Permalink
Re: vpnc connection hangs on fedora 12 [In reply to]
On Tuesday 2009-11-24 03:27, Lonni J Friedman wrote:
>>>When my home router arps for 192.168.1.107 (the address of my wireless
>>>adapter), I suspect that this dual route prevents the arp response from
>>>going over the local LAN (it doesn't go over the VPN either, but I am not
>>>sure why).
>>
>> If the chosen interface has the NOARP flag set (`ip a`),
>> there will be no arps sent. That is a valid case, btw.
>
>I'm a bit confused. Are you saying that a potential workaround for
>this problem is to disable ARPs?

No. NOARP is set because in some cases because it makes no sense. ARP
is needed for some L2 protocols, such as Ethernet (and perhaps a few
other historic ones). With non-Ethernet tunnel types you will never
be doing any Ethernet addressing. Draw it up:

<Eth><IPv4><IPv4><TCP><data>.

Note that the <Eth> hdr is for the outer packet only.

>On which interface should I be doing that:
>0) the eth0 interface inside the OS that is establishing the VPN connection
>1) the tun0 interface inside the OS that is establishing the VPN
>connection (that vpnc sets up)
>2) somewhere else
>
>For the record, eth0 on my system has a 10.0.0.x IP address. The tun0
>interface usually ends up with a 10.2.x.x IP address.

You may not have any two interfaces having the same prefix/len
if you want to remain trouble-free.
(This statement of course being simplified.)
_______________________________________________
vpnc-devel mailing list
vpnc-devel [at] unix-ag
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/


netllama at gmail

Nov 24, 2009, 6:03 PM

Post #27 of 32 (1694 views)
Permalink
Re: vpnc connection hangs on fedora 12 [In reply to]
I've attached tcpdump output from immediately after the connection to
the VPN appears to die.

Here's what 'route -n' shows before I connect to the VPN:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth0
0.0.0.0 10.0.2.2 0.0.0.0 UG 0 0 0 eth0


and immediately after connecting to the VPN:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
172.16.217.26 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
216.228.112.12 10.0.2.2 255.255.255.255 UGH 0 0 0 eth0
172.16.229.26 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.0.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth0
172.16.0.0 0.0.0.0 255.240.0.0 U 0 0 0 tun0
10.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 tun0
0.0.0.0 10.0.2.2 0.0.0.0 UG 0 0 0 eth0

It looked like the conflicting route was for the 10.0.2.2 gateway, so
I tried deleting this one:
216.228.112.12 10.0.2.2 255.255.255.255 UGH 0 0 0 eth0

but that didn't help. I guess I'm either experiencing a completely
different problem, or perhaps I'm just not doing the right thing.

On Mon, Nov 23, 2009 at 8:51 PM, C V <rayvittal-lists [at] yahoo> wrote:
> To see if the problem (and solution) is the same as I experienced, it is
> useful to run tcpdump on eth0
> -> tcpdump -i eth0 arp
> If you see your router asking for your eth0 mac but with no response then
> this could be the same problem.
>
> If so, it is likely that the VPN server has installed another route to
> 10.0.0.x which is overriding the one for you home LAN.
> The solution is to delete the route added by the VPN server. Routes can be
> listed using 'ip route'
>
>
> ________________________________
> From: Lonni J Friedman <netllama [at] gmail>
> To: vpnc list to send bug reports and discussions with developers
> <vpnc-devel [at] unix-ag>
> Sent: Mon, November 23, 2009 6:27:44 PM
> Subject: Re: [vpnc-devel] vpnc connection hangs on fedora 12
>
> On Sun, Nov 22, 2009 at 10:22 PM, Jan Engelhardt <jengelh [at] medozas> wrote:
>>
>> On Monday 2009-11-23 03:40, C V wrote:
>>
>>>In my case it appears to be a route confusion issue. My home LAN is
>>>192.168.1.0/24 and so is my work LAN.
>>
>> Aha! That is naturally never going to work -- irrespective of vpnc.
>>
>>>So after the VPN is established, I
>>>have 2 routes:
>>>192.168.1.0/24 dev tap0  scope link  [ this is the work LAN ]
>>>192.168.1.0/24 dev wlan0  proto kernel  scope link  src 192.168.1.107
>>>metric 2 [this is the home LAN]
>>>
>>>When my home router arps for 192.168.1.107 (the address of my wireless
>>>adapter), I suspect that this dual route prevents the arp response from
>>>going over the local LAN (it doesn't go over the VPN either, but I am not
>>>sure why).
>>
>> If the chosen interface has the NOARP flag set (`ip a`),
>> there will be no arps sent. That is a valid case, btw.
>>
>
> I'm a bit confused.  Are you saying that a potential workaround for
> this problem is to disable ARPs?  On which interface should I be doing
> that:
> 0) the eth0 interface inside the OS that is establishing the VPN connection
> 1) the tun0 interface inside the OS that is establishing the VPN
> connection (that vpnc sets up)
> 2) somewhere else
>
> For the record, eth0 on my system has a 10.0.0.x IP address.  The tun0
> interface usually ends up with a 10.2.x.x IP address.
>
> thanks
Attachments: tcpdump.out.gz (3.17 KB)


rayvittal-lists at yahoo

Nov 24, 2009, 7:17 PM

Post #28 of 32 (1692 views)
Permalink
Re: vpnc connection hangs on fedora 12 [In reply to]
The conflicting route is
10.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 tun0

This conflicts with
10.0.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0

So delete the first route. unless you need to access machines in your workplace in that range. In which case you might have to change your home lan to 192.168.1.0/24






________________________________
From: Lonni J Friedman <netllama [at] gmail>
To: vpnc list to send bug reports and discussions with developers <vpnc-devel [at] unix-ag>
Sent: Tue, November 24, 2009 6:03:29 PM
Subject: Re: [vpnc-devel] vpnc connection hangs on fedora 12

I've attached tcpdump output from immediately after the connection to
the VPN appears to die.

Here's what 'route -n' shows before I connect to the VPN:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth0
0.0.0.0 10.0.2.2 0.0.0.0 UG 0 0 0 eth0


and immediately after connecting to the VPN:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
172.16.217.26 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
216.228.112.12 10.0.2.2 255.255.255.255 UGH 0 0 0 eth0
172.16.229.26 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.0.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth0
172.16.0.0 0.0.0.0 255.240.0.0 U 0 0 0 tun0
10.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 tun0
0.0.0.0 10.0.2.2 0.0.0.0 UG 0 0 0 eth0

It looked like the conflicting route was for the 10.0.2.2 gateway, so
I tried deleting this one:
216.228.112.12 10.0.2.2 255.255.255.255 UGH 0 0 0 eth0

but that didn't help. I guess I'm either experiencing a completely
different problem, or perhaps I'm just not doing the right thing.

On Mon, Nov 23, 2009 at 8:51 PM, C V <rayvittal-lists [at] yahoo> wrote:
> To see if the problem (and solution) is the same as I experienced, it is
> useful to run tcpdump on eth0
> -> tcpdump -i eth0 arp
> If you see your router asking for your eth0 mac but with no response then
> this could be the same problem.
>
> If so, it is likely that the VPN server has installed another route to
> 10.0.0.x which is overriding the one for you home LAN.
> The solution is to delete the route added by the VPN server. Routes can be
> listed using 'ip route'
>
>
> ________________________________
> From: Lonni J Friedman <netllama [at] gmail>
> To: vpnc list to send bug reports and discussions with developers
> <vpnc-devel [at] unix-ag>
> Sent: Mon, November 23, 2009 6:27:44 PM
> Subject: Re: [vpnc-devel] vpnc connection hangs on fedora 12
>
> On Sun, Nov 22, 2009 at 10:22 PM, Jan Engelhardt <jengelh [at] medozas> wrote:
>>
>> On Monday 2009-11-23 03:40, C V wrote:
>>
>>>In my case it appears to be a route confusion issue. My home LAN is
>>>192.168.1.0/24 and so is my work LAN.
>>
>> Aha! That is naturally never going to work -- irrespective of vpnc.
>>
>>>So after the VPN is established, I
>>>have 2 routes:
>>>192.168.1.0/24 dev tap0 scope link [ this is the work LAN ]
>>>192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.107
>>>metric 2 [this is the home LAN]
>>>
>>>When my home router arps for 192.168.1.107 (the address of my wireless
>>>adapter), I suspect that this dual route prevents the arp response from
>>>going over the local LAN (it doesn't go over the VPN either, but I am not
>>>sure why).
>>
>> If the chosen interface has the NOARP flag set (`ip a`),
>> there will be no arps sent. That is a valid case, btw.
>>
>
> I'm a bit confused. Are you saying that a potential workaround for
> this problem is to disable ARPs? On which interface should I be doing
> that:
> 0) the eth0 interface inside the OS that is establishing the VPN connection
> 1) the tun0 interface inside the OS that is establishing the VPN
> connection (that vpnc sets up)
> 2) somewhere else
>
> For the record, eth0 on my system has a 10.0.0.x IP address. The tun0
> interface usually ends up with a 10.2.x.x IP address.
>
> thanks


netllama at gmail

Nov 25, 2009, 6:44 AM

Post #29 of 32 (1692 views)
Permalink
Re: vpnc connection hangs on fedora 12 [In reply to]
Thanks. Unfortunately, when I attempt to delete the 10.0.0.0 tun0
route, it fails to work:
# route del 10.0.0.0
SIOCDELRT: No such process

Similarly:
# ip route del 10.0.0.0
RTNETLINK answers: No such process


On Tue, Nov 24, 2009 at 7:17 PM, C V <rayvittal-lists [at] yahoo> wrote:
> The conflicting route is
> 10.0.0.0        0.0.0.0        255.0.0.0      U    0      0        0 tun0
>
> This conflicts with
> 10.0.2.0        0.0.0.0        255.255.255.0  U    0      0        0 eth0
>
> So delete the first route. unless you need to access machines in your
> workplace in that range. In which case you might have to change your home
> lan to 192.168.1.0/24
>
>
>
> ________________________________
> From: Lonni J Friedman <netllama [at] gmail>
> To: vpnc list to send bug reports and discussions with developers
> <vpnc-devel [at] unix-ag>
> Sent: Tue, November 24, 2009 6:03:29 PM
> Subject: Re: [vpnc-devel] vpnc connection hangs on fedora 12
>
> I've attached tcpdump output from immediately after the connection to
> the VPN appears to die.
>
> Here's what 'route -n' shows before I connect to the VPN:
> Kernel IP routing table
> Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
> 10.0.2.0        0.0.0.0        255.255.255.0  U    0      0        0 eth0
> 169.254.0.0    0.0.0.0        255.255.0.0    U    1002  0        0 eth0
> 0.0.0.0        10.0.2.2        0.0.0.0        UG    0      0        0 eth0
>
>
> and immediately after connecting to the VPN:
> Kernel IP routing table
> Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
> 172.16.217.26  0.0.0.0        255.255.255.255 UH    0      0        0 tun0
> 216.228.112.12  10.0.2.2        255.255.255.255 UGH  0      0        0 eth0
> 172.16.229.26  0.0.0.0        255.255.255.255 UH    0      0        0 tun0
> 10.0.2.0        0.0.0.0        255.255.255.0  U    0      0        0 eth0
> 169.254.0.0    0.0.0.0        255.255.0.0    U    1002  0        0 eth0
> 172.16.0.0      0.0.0.0        255.240.0.0    U    0      0        0 tun0
> 10.0.0.0        0.0.0.0        255.0.0.0      U    0      0        0 tun0
> 0.0.0.0        10.0.2.2        0.0.0.0        UG    0      0        0 eth0
>
> It looked like the conflicting route was for the 10.0.2.2 gateway, so
> I tried deleting this one:
> 216.228.112.12  10.0.2.2        255.255.255.255 UGH  0      0        0 eth0
>
> but that didn't help.  I guess I'm either experiencing a completely
> different problem, or perhaps I'm just not doing the right thing.
>
> On Mon, Nov 23, 2009 at 8:51 PM, C V <rayvittal-lists [at] yahoo> wrote:
>> To see if the problem (and solution) is the same as I experienced, it is
>> useful to run tcpdump on eth0
>> -> tcpdump -i eth0 arp
>> If you see your router asking for your eth0 mac but with no response then
>> this could be the same problem.
>>
>> If so, it is likely that the VPN server has installed another route to
>> 10.0.0.x which is overriding the one for you home LAN.
>> The solution is to delete the route added by the VPN server. Routes can be
>> listed using 'ip route'
>>
>>
>> ________________________________
>> From: Lonni J Friedman <netllama [at] gmail>
>> To: vpnc list to send bug reports and discussions with developers
>> <vpnc-devel [at] unix-ag>
>> Sent: Mon, November 23, 2009 6:27:44 PM
>> Subject: Re: [vpnc-devel] vpnc connection hangs on fedora 12
>>
>> On Sun, Nov 22, 2009 at 10:22 PM, Jan Engelhardt <jengelh [at] medozas>
>> wrote:
>>>
>>> On Monday 2009-11-23 03:40, C V wrote:
>>>
>>>>In my case it appears to be a route confusion issue. My home LAN is
>>>>192.168.1.0/24 and so is my work LAN.
>>>
>>> Aha! That is naturally never going to work -- irrespective of vpnc.
>>>
>>>>So after the VPN is established, I
>>>>have 2 routes:
>>>>192.168.1.0/24 dev tap0  scope link  [ this is the work LAN ]
>>>>192.168.1.0/24 dev wlan0  proto kernel  scope link  src 192.168.1.107
>>>>metric 2 [this is the home LAN]
>>>>
>>>>When my home router arps for 192.168.1.107 (the address of my wireless
>>>>adapter), I suspect that this dual route prevents the arp response from
>>>>going over the local LAN (it doesn't go over the VPN either, but I am not
>>>>sure why).
>>>
>>> If the chosen interface has the NOARP flag set (`ip a`),
>>> there will be no arps sent. That is a valid case, btw.
>>>
>>
>> I'm a bit confused.  Are you saying that a potential workaround for
>> this problem is to disable ARPs?  On which interface should I be doing
>> that:
>> 0) the eth0 interface inside the OS that is establishing the VPN
>> connection
>> 1) the tun0 interface inside the OS that is establishing the VPN
>> connection (that vpnc sets up)
>> 2) somewhere else
>>
>> For the record, eth0 on my system has a 10.0.0.x IP address.  The tun0
>> interface usually ends up with a 10.2.x.x IP address.
>>

_______________________________________________
vpnc-devel mailing list
vpnc-devel [at] unix-ag
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/


jengelh at medozas

Nov 25, 2009, 7:53 AM

Post #30 of 32 (1707 views)
Permalink
Re: vpnc connection hangs on fedora 12 [In reply to]
On Wednesday 2009-11-25 15:44, Lonni J Friedman wrote:
>
>Similarly:
># ip route del 10.0.0.0
>RTNETLINK answers: No such process

You usually have to specify the complete prefix and device:

ip route del 10.0.0.0/8 dev tun0

>On Tue, Nov 24, 2009 at 7:17 PM, C V <rayvittal-lists [at] yahoo> wrote:
>> The conflicting route is
>> 10.0.0.0        0.0.0.0        255.0.0.0      U    0      0        0 tun0
>>
>> This conflicts with
>> 10.0.2.0        0.0.0.0        255.255.255.0  U    0      0        0 eth0

This would not "conflict", because 10.0.2.0/24 is not exactly the same
as 10.0.0.0/8. It may provide ground for "undesired" routing however,
but technically this would be fine.
The set of addresses routed through tun0 is then

\text{10.0.0.0/8} - (\text{10.0.0.0/8} \cap \text{10.0.2.0/24})

[--hooray for latex -.-]

_______________________________________________
vpnc-devel mailing list
vpnc-devel [at] unix-ag
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/


netllama at gmail

Nov 25, 2009, 8:15 AM

Post #31 of 32 (1686 views)
Permalink
Re: vpnc connection hangs on fedora 12 [In reply to]
On Wed, Nov 25, 2009 at 7:53 AM, Jan Engelhardt <jengelh [at] medozas> wrote:
>
> On Wednesday 2009-11-25 15:44, Lonni J Friedman wrote:
>>
>>Similarly:
>># ip route del 10.0.0.0
>>RTNETLINK answers: No such process
>
> You usually have to specify the complete prefix and device:
>
>        ip route del 10.0.0.0/8 dev tun0
>
>>On Tue, Nov 24, 2009 at 7:17 PM, C V <rayvittal-lists [at] yahoo> wrote:
>>> The conflicting route is
>>> 10.0.0.0        0.0.0.0        255.0.0.0      U    0      0        0 tun0
>>>
>>> This conflicts with
>>> 10.0.2.0        0.0.0.0        255.255.255.0  U    0      0        0 eth0
>
> This would not "conflict", because 10.0.2.0/24 is not exactly the same
> as 10.0.0.0/8. It may provide ground for "undesired" routing however,
> but technically this would be fine.
> The set of addresses routed through tun0 is then
>
>        \text{10.0.0.0/8} - (\text{10.0.0.0/8} \cap \text{10.0.2.0/24})
>
>        [--hooray for latex -.-]

Thanks. That route del command worked, but unfortunately, my vpn
connection continues to get dropped after a random amount of time. :(

_______________________________________________
vpnc-devel mailing list
vpnc-devel [at] unix-ag
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/


dcbw at redhat

Nov 29, 2009, 3:13 PM

Post #32 of 32 (1647 views)
Permalink
Re: vpnc connection hangs on fedora 12 [In reply to]
On Thu, 2009-11-19 at 20:16 -0800, rayvittal-clist [at] yahoo wrote:
> I am able to successfully connect to my workplace (Cisco ASA 5510)
> with the vpnc bundled with fc12 (ver 0.5.3).
> However the connection stops working after a few packets are
> exchanged. How do I go about debugging this issue? I was on Fedora 8
> previously and used the cisco proprietary vpn client without any
> issues. I've tried all the natt modes with pretty much the same
> results.

What is 'route -n' right after you connect?

You can also use 'Debug 3' in the configuration to get more information
out of vpnc which might help to debug the issue.

Dan

> The cisco vpn client doesn't work on FC12 (even after patching the
> code to conform to the new network API).
> My kernel version is 2.6.31.5-127.fc12.x86_64
>
> _______________________________________________
> vpnc-devel mailing list
> vpnc-devel [at] unix-ag
> https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
> http://www.unix-ag.uni-kl.de/~massar/vpnc/

_______________________________________________
vpnc-devel mailing list
vpnc-devel [at] unix-ag
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/

First page Previous page 1 2 Next page Last page  View All vpnc devel RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.