
VPNC and resolvconf aren't working completely

Posted by Anonymous on Fri 24 Feb 2006 at 10:26


Alright. I'm fed up. I've tried everything I can find on the net (which is _very_ little I'm sad to say), and now I'm more than willing to admit my ignorance on the whole subject since I can't get this working.

I'm running Debian stable, I've got all of the vpn info from my employer and I still can't get it to work.

I'm even willing to do a full reinstall if it would get this going (if I don't get this working in Debian I'm gonna have to switch to WinXP - which I don't want to do since I've been without Windows for years - so I can work and get paid).

I'm at a college, living on campus, and my employer is on-campus but on a different subnet (I think that's the way you say it). They said that the only way I can VNC into my work computer is to setup a VPN connection first and then VNC into my box. The box at work is running WinXP (not my choice), and has RealVNC running as a service.

I setup my work.conf like so (obviously the *'s have the info my employer gave me):

IPSec gateway 128.***.**.***
IPSec ID ********
IPSec secret ********
Xauth username ********

# OPTIONAL
# ========

#
#
# Varios options not undestood by vpnc itself but by some other scripts
#
# Target networks 123.234.210.0/24 10.1.0.0/16
# If Target networks is defined here, the default route is not replaced!

# Don't update resolv.conf though resolvconf is installed
# DNSUpdate no

Running 'ifconfig -a' only shows the eth0 and lo devices.

I run 'vpnc-connect work' and it asks for my password, I enter it, it waits for a bit and spits out a warning message:

This is a private institution. Violaters will be prosecuted.
VPNC started in background (pid:12345)...

Running 'ifconfig -a' now shows the eth0, lo, and tun0 devices, my internet no longer 'works' (I can't get to google - firefox says that it can't find google, that I should check the name and try again), but I also can't VNC to my box either. Feels to me like I don't have any DNS servers.

When I run ifconfig I notice that the tun0 device has an ip different than my eth0 - eth0:10.7.77.34 and tun0:10.10.40.8 ...

What am I leaving out?? Why is this not working??

I have resolvconf installed... is there any other information that I could provide that might help?

 

 


Re: VPNC and resolvconf aren't working completely
Posted by Anonymous (87.65.xx.xx) on Fri 24 Feb 2006 at 10:54
Do you know the IP address of the VNC server ?
Can you 'ping' it?
Can you ping any other machine on the same network as the VNC server ?
Is the VNC server running the WinXP firewall? It might block incoming VNC
connections.

If you can ping the VNC server, use its IP address to VNC connect to it:
vncviewer ip-address:0

[ Parent ]

Re: VPNC and resolvconf aren't working completely
Posted by Anonymous (128.187.xx.xx) on Fri 24 Feb 2006 at 14:56
I can't ping my work machine.

I don't think it's running a firewall, but that's a good suggestion - I'll check into that.

[ Parent ]

Re: VPNC and resolvconf aren't working completely
Posted by Anonymous (141.20.xx.xx) on Fri 24 Feb 2006 at 15:12
If your work box is a Win XP machine and has the latest service pack installed, the firewall will definitely block VNC and maybe also your pings. Try disabling the firewalls - if it then works you should tweak the firewall config to open up the ports for VNC (which is 5900 if I recall correctly). As someone else suggested: try RDP (Remote Desktop Protocol) instead of VNC - it's faster, more convenient and not blocked by the XP firewall.

[ Parent ]

Re: VPNC and resolvconf aren't working completely
Posted by Anonymous (128.187.xx.xx) on Fri 24 Feb 2006 at 23:07
Nope. The WinXP machine was free and clear. No Firewall, VNC was running as well as remote desktop. I had a coworker check both from inside the network.

I'm still thinking that something is messed up with the DNS or routing or something...

[ Parent ]

Re: VPNC and resolvconf aren't working completely
Posted by Anonymous (69.139.xx.xx) on Fri 24 Feb 2006 at 11:32
It sounds like your default route is being changed to point to the VPN tunnel. Define a "target network" in your config file.

# Target networks 123.234.210.0/24 10.1.0.0/16
# If Target networks is defined here, the default route is not replaced!


Set this option so your resolv.conf isn't mangled.

# Don't update resolv.conf though resolvconf is installed
# DNSUpdate no



Don't use VNC; use RDP instead. The Linux RDP client is rdesktop. You need to enable the remote login/desktop option on the XP machine.

[ Parent ]

Posted by Anonymous (128.187.xx.xx) on Fri 24 Feb 2006 at 23:08
I'm not clear on what you are suggesting I do... could you explain it a bit more?

[ Parent ]

Re: routing
Posted by Anonymous (69.195.xx.xx) on Mon 27 Feb 2006 at 03:46
What he's saying is that you have to be careful not to have the traffic which is supposed to be going to your gateway instead going through the tunnel. What this "Target networks" option does is restrict the route changes that vpnc makes, so that only traffic which should go through the tunnel gets sent through the tunnel. You can't have the traffic which forms the tunnel get sent through the tunnel.

Am I making any sense? :-)

[ Parent ]
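
The point of the reply above, as an added example that is not part of the original thread: a small Python check over `ip route` output that reports whether packets addressed to the VPN gateway would themselves be sent into tun0, and whether the default route was replaced. The routing tables, the gateway address 192.0.2.10 and the router 10.7.77.1 are constructed for illustration.

```python
import ipaddress

# Constructed `ip route` listings; 192.0.2.10 stands in for the VPN gateway
# and 10.7.77.1 for the campus router (neither value is from the thread).
FULL_TUNNEL = """\
192.0.2.10 via 10.7.77.1 dev eth0
10.7.77.0/24 dev eth0 proto kernel scope link src 10.7.77.34
default dev tun0 scope link
"""
# Same table with the host route to the gateway missing.
LOOPED = """\
10.7.77.0/24 dev eth0 proto kernel scope link src 10.7.77.34
default dev tun0 scope link
"""
# "Target networks 10.1.0.0/16": default route untouched, one prefix tunnelled.
SPLIT = """\
10.7.77.0/24 dev eth0 proto kernel scope link src 10.7.77.34
10.1.0.0/16 dev tun0 scope link
default via 10.7.77.1 dev eth0
"""

def parse_routes(text):
    """Return [(network, device)] from `ip route` output lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or "dev" not in fields:
            continue  # blank lines, or route types with no device (e.g. unreachable)
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(dest, strict=False), dev))
    return routes

def egress(text, address):
    """Device the kernel would pick: the longest matching prefix wins."""
    addr = ipaddress.ip_address(address)
    matches = [(net.prefixlen, dev) for net, dev in parse_routes(text) if addr in net]
    return max(matches)[1] if matches else None

def audit(text, vpn_gateway, tun="tun0"):
    """Report the two conditions discussed in the thread."""
    findings = []
    if egress(text, vpn_gateway) == tun:
        findings.append("tunnel packets are routed into the tunnel itself")
    if egress(text, "198.51.100.1") == tun:  # arbitrary non-work address
        findings.append("default route goes through the tunnel (no split routing)")
    return findings

if __name__ == "__main__":
    for name, table in (("full", FULL_TUNNEL), ("looped", LOOPED), ("split", SPLIT)):
        print(name, audit(table, "192.0.2.10"))
```

On a live machine, `ip route get <address>` answers the same question for a single destination.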

Re: VPNC and resolvconf aren't working completely
Posted by jaddle (66.36.xx.xx) on Fri 24 Feb 2006 at 14:05
Looks like everything's fine to this point.

When you run vpnc, it makes a tunnel device (tun0) - this will almost always have a new IP, and very often a private one like you're seeing.

Since you didn't specify otherwise (using the "Target Networks" in the config file) a new default route should have been created through the tunnel (type "ip route" to check what your routing table looks like).

Depending where the vpn server is and stuff, you might need to use a different IP to access the VNC server though, since the VPN server might not have masquerading set up properly to forward your connection through the private IP to the real internet...

I expect though, that the problem you see now is simpler - try disabling any firewall rules to see if any of them are interfering. I know that the ipmasq package, for example, doesn't deal well with adding new interfaces, since it no longer knows what is an "internal" interface, and what's an "external" one, so everything on the tunnel ends up completely blocked and nothing can get through! Give it a try, anyway.

[ Parent ]

Posted by Anonymous (128.187.xx.xx) on Fri 24 Feb 2006 at 15:04
Running 'ip route' does show a change (I'll check out the man page to try to understand what I'm supposed to be seeing).

The VPN server is a Cisco one which more than a handful of others use (they use winxp though), and they all VPN to the network, then VNC to their machines - so I'm guessing that the VPN server is setup correctly.

I am running a local firewall (if that's the firewall that you're referring to), and it is very restrictive (I had to allow the VPN port before I could get vpnc to work). I turned it off, ran everything again and still no luck.

I'm thinking that my work box running WinXP might have some default firewall running that I didn't setup (they come with a default setup from the IT dept.)... so I'm gonna check that in a day or so and see if that's the problem... I hope it is - then I can tell my boss (who knows that I was having problems getting Debian to VPN/VNC in) that it was WinXP causin' all the problems all along.

[ Parent ]

Re:
Posted by Anonymous (62.77.xx.xx) on Fri 24 Feb 2006 at 16:52
Hi guys!

I know this is a bit off-topic, but I want to get vpnc working in Debian.
In my workplace we have a CISCO 830 (ISP hosting) + 90 combination (office).
http://www.cisco.com/en/US/products/hw/routers/ps380/ps4873/index.html

And I can connect with Cisco VPN Client 4.0.5 under Windows XP, but vpnc doesn't work.
Is it possible that I cannot use it with this router?

Because the manual says

"vpnc is a VPN client for the Cisco 3000 VPN Concentrator,"

Thanks!

Oneill

[ Parent ]

Re:
Posted by Anonymous (128.187.xx.xx) on Fri 24 Feb 2006 at 23:10
As a follow up:

I mentioned in a post above this one that there was no firewall running on my work machine... so... I'm lost now.

[ Parent ]

Re: VPNC and resolvconf aren't working completely
Posted by pedxing (64.231.xx.xx) on Sat 25 Feb 2006 at 01:02
Try setting your netmask on eth0 to 255.255.0.0 or 255.255.255.0.
Do the same for tun0

Then you may need to restore your internet gateway settings with `route add default gw X`. Where X is the ip of the default gateway you had on eth0 before starting all this.

[ Parent ]

Re: VPNC and resolvconf aren't working completely
Posted by Anonymous (71.136.xx.xx) on Sat 25 Feb 2006 at 03:56
1. I had a bear of a time with this and had the same symptoms as you. For me, it turned out that I was connecting fine, but my machine was not "hearing" the responses back from the network. I was ready to pull my hair out. Grasping at straws I tried the "--udp" commandline switch and it started working, though I also had to allow udp through my firewall.

2. They have recently changed the vpnc package, at least in testing. vpnc-connect is now a real executable, and not the startup script which used to be called "vpnc-connect". For Debian testing, the startup script is /etc/vpnc/vpnc-script, and that's what you want. Make sure to try adding the --udp to the commandline.

Hope any of that helps.

[ Parent ]

Re: VPNC and resolvconf aren't working completely
Posted by Anonymous (128.187.xx.xx) on Sat 25 Feb 2006 at 04:21
Humm... but I'd have to be running testing for that - right?

Do I have that option with stable(sarge)?

[ Parent ]

Re: VPNC and resolvconf aren't working completely
Posted by Anonymous (71.136.xx.xx) on Sat 25 Feb 2006 at 04:58
I wasn't very clear: The first suggestion is to try "vpnc-connect --udp work". The problem I had was that I was successfully connected to the network (saw the greeting message from the server), but then no other tcp packets were making it back to my machine. For whatever reason, only the udp protocol allowed the packets through. So the connection looked dead after the initial welcome/greeting.

The second was just a sanity check to make sure you're running the startup shell script and not the vpnc binary executable directly. In Debian testing, "vpnc-connect" is now a symbolic link to the binary, which is not what you want ... you want to run the script which is in /etc/vpnc/. I don't know if this change has been made in stable, but it is in testing and vpnc stopped working for me until I realized "vpnc-connect" wasn't running the script anymore but was running the binary directly.

Hope that was a little more clear.

[ Parent ]

Re: VPNC and resolvconf aren't working completely
Posted by Anonymous (62.77.xx.xx) on Sat 25 Feb 2006 at 21:04
Hi guys!

Ok, here is the conclusion:
---------------------------

If people have any problem with a socket connection, the first thing they will check is the firewall logs, so please forget this firewall story.

The facts:
- vpnc sucks with cisco 830 831

And the funny part:

I installed the

cisco Linux 2.2.x/2.4.x/2.6.x vpnlinux-47.tar.gz 1.3 Mb

original client on my desktop Debian box (2.6.12) and it works fine, but I want to install it on my communication server (2.6.14-6-grsec), and what do you think happened:

make -C /lib/modules/2.6.14.6-grsec/build SUBDIRS=/usr/src/2/vpnclient modules
make[1]: Entering directory `/usr/src/linux-2.6.14.6'
CC [M] /usr/src/2/vpnclient/linuxcniapi.o
/usr/src/2/vpnclient/linuxcniapi.c: In function `CniInjectReceive':
/usr/src/2/vpnclient/linuxcniapi.c:292: error: structure has no member named `stamp'
/usr/src/2/vpnclient/linuxcniapi.c: In function `CniInjectSend':
/usr/src/2/vpnclient/linuxcniapi.c:432: error: structure has no member named `stamp'
make[2]: * [/usr/src/2/vpnclient/linuxcniapi.o] Error 1
make[1]: * [module/usr/src/2/vpnclient] Error 2
make[1]: Leaving directory `/usr/src/linux-2.6.14.6'
make: * [default] Error 2
Failed to make module "cisco_ipsec.ko".

That's it!
And I found a couple of blogs with the same problem; you can't use this with anything higher than 2.6.12, maybe...

Oh yes, if you need a good link:

http://www.bol.ucla.edu/services/vpn/

Let's download freely ;)))

Now I will install a UML machine for only this purpose.


Oneill

[ Parent ]

Re: VPNC and resolvconf aren't working completely
Posted by Anonymous (66.36.xx.xx) on Sun 26 Feb 2006 at 14:34
You'll need version 4.8 of the cisco client to work with newer kernels. This is a big reason that I prefer to use vpnc - I think it hasn't needed an update to work with a new kernel in years! Cisco seems to need one every few kernel versions. Unsurprising, really, since it uses its own kernel module, instead of using the standard tun interface like vpnc.

Oh, and the cisco client's license forbids redistribution, so if you care about such things, you'll not want to hand it out....

[ Parent ]

Re: VPNC and resolvconf aren't working completely
Posted by Anonymous (62.77.xx.xx) on Sun 26 Feb 2006 at 17:03
I cannot find that, can you give me a link?

Thanks

Oneill

[ Parent ]

Re: VPNC and resolvconf aren't working completely
Posted by jaddle (66.36.xx.xx) on Sun 26 Feb 2006 at 18:18
It's not actually free software, so I can't tell you where to download it - http://www.cisco.com/en/US/products/sw/secursw/ps2308/index.html is the main Cisco page for it and it says "The Cisco VPN Client is included with all models of Cisco VPN 3000 Series concentrators and Cisco ASA 5500 Series security appliances, and most Cisco PIX 500 security appliances. Customers with Cisco SMARTnet support contracts and encryption entitlement may download the Cisco VPN Client from the Cisco Software Center at no additional cost. For customers without Cisco SMARTnet support contracts, a media CD containing the client software is available for purchase."

In my case, the university I work for has it available for all students and staff. Not sure how you can go about getting an upgrade though.

That said, I'd recommend vpnc in any case - it's better in almost every way, though I guess it's still lacking some features that might prevent it from connecting to some servers.

In the case of this article, it looks like it's connecting fine, so I'm pretty sure it's a routing or firewall problem that's keeping it from being usable.

[ Parent ]

Re: VPNC and resolvconf aren't working completely
Posted by Anonymous (62.77.xx.xx) on Mon 27 Feb 2006 at 00:01
yepp and what if my former societs drop out the cd to the garbage...

Actually I solved the problem with vpnc; sorry about that comment when I said it's not working with the 830.

And really it's very good because there's no need for any special module.

Oneill

[ Parent ]

Re: VPNC and resolvconf aren't working completely
Posted by Anonymous (68.48.xx.xx) on Mon 19 Jun 2006 at 17:19
For what it's worth, I was having the same issues with vpnc (connection was created but no traffic was coming back) and adding the --udp parameter fixed it.

Thanks for the pointer!

[ Parent ]

Re: VPNC and resolvconf aren't working completely
Posted by Anonymous (128.187.xx.xx) on Tue 7 Mar 2006 at 22:59
For anyone following this discussion: I worked with the UUG group on-campus and they suggested a few things. In the end we ran out of things to check and things that could have been misconfigured. The funny thing is: one of the guys that was helping me regularly VPNs into computers on campus - just like I was trying to do, only his are in a different building on campus. So I took my laptop down to a regular building on campus and the VPN + rdesktop combo worked like a charm.

(In other words we were both connecting from 'A' but I was connecting to 'B' and he was connecting to 'C'. I went to 'D' and was able to get to 'B'... if that helps.)

So... it's something in the way the VPN access is setup for the specific building I'm connecting to that is causing problems for me when I'm at home. I'm gonna chat with them to see if they can fix it. So... yeah... it wasn't ever Debian's fault and I probably won't have to switch!

[ Parent ]

Re: VPNC and resolvconf aren't working completely
Posted by NickRichardson (210.10.xx.xx) on Tue 14 Mar 2006 at 09:44
I had a similar problem. vpnc-connect used to work, but later versions, which use just vpnc, don't. They clobbered all the routes and forced everything through tun0, even with DNSUpdate no in the config file.
I wrote a small script to save the default routes, run vpnc, then reset the routes. Note that the 2 work addresses, 172. and 203., are re-routed to the tunnel.

The script is:

echo '------ Current Routing Table --------'
/sbin/route -n
echo

# remember the current default gateway: the 0.0.0.0 destination with the G flag
default_eth=`/sbin/route -n | awk '$1 == "0.0.0.0" && $4 ~ /G/ { print $2; exit }'`
echo "Default Route is $default_eth"

echo /usr/sbin/vpnc /etc/vpnc/cpu.conf
/usr/sbin/vpnc /etc/vpnc/cpu.conf

# get ifconfig.
# look for line of tun0 and include next 4 lines
# look for line containing 'inet' and print the second column
# remove the addr

dynip_tun=`/sbin/ifconfig | grep -A 4 tun0 | awk '/inet/ { print $2 }' | sed -e 's/addr://'`
dynip_eth=`/sbin/ifconfig | grep -A 4 eth0 | awk '/inet/ { print $2 }' | sed -e 's/addr://'`

echo "Default Route is $default_eth"
echo "dynamic tunnel ip = $dynip_tun"
echo "dynamic local lan ip = $dynip_eth"

# put the original default route back, then send only the work networks
# through the tunnel
/sbin/route del default
/sbin/route add default gw "$default_eth"
/sbin/route add -net 172.0.0.0 netmask 255.0.0.0 gw "$dynip_tun"
/sbin/route add -net 203.2.0.0 netmask 255.255.0.0 gw "$dynip_tun"

echo
echo '------ VPN Routing Table --------'
/sbin/route -n

[ Parent ]

Re: VPNC and resolvconf aren't working completely
Posted by Anonymous (205.160.xx.xx) on Tue 4 Apr 2006 at 15:20
I got it working on ubuntu using vpnc package.
One thing I noticed is that all my requests are routed through the tunnel now.
Can you ping a known ip address to see if the tunnel is working or not?
If you have any problems I can try to help you: leandro.saad at gmail.com.

Cheers

[ Parent ]

Re: VPNC and resolvconf aren't working completely
Posted by Anonymous (24.2.xx.xx) on Mon 10 Apr 2006 at 14:24
It sounds like "work" doesn't allow split-routing. Using vpnc, though, there is a way around it, provided that you are using an up-to-date version of vpnc. I have created an additional script to fix this issue.

vpnc /etc/vpnc/default.conf
route del default
# use your old default gateway ip in place of x.x.x.x
route add default gw x.x.x.x
# in my case, the "work" network uses the 10.x.x.x subnet
route add -net 10.0.0.0 netmask 255.0.0.0 dev tun0

And you're done!

[ Parent ]

Re: VPNC and resolvconf aren't working completely
Posted by Anonymous (128.163.xx.xx) on Wed 23 Jan 2008 at 14:45
Try this:
vpnc --natt-mode cisco-udp your_config.conf

[ Parent ]