VPNC and resolvconf aren't working completely
Posted by Anonymous on Fri 24 Feb 2006 at 10:26
Alright. I'm fed up. I've tried everything I can find on the net (which is _very_ little I'm sad to say), and now I'm more than willing to admit my ignorance on the whole subject since I can't get this working.
I'm running Debian stable, I've got all of the vpn info from my employer and I still can't get it to work.
I'm even willing to do a full reinstall if it would get this going (if I don't get this working in Debian I'm gonna have to switch to WinXP - which I don't want to do since I've been without Windows for years - so I can work and get paid).
I'm at a college, living on campus, and my employer is on-campus but on a different subnet (I think that's the way you say it). They said that the only way I can VNC into my work computer is to setup a VPN connection first and then VNC into my box. The box at work is running WinXP (not my choice), and has RealVNC running as a service.
I set up my work.conf like so (obviously the *'s have the info my employer gave me):
IPSec gateway 128.***.**.***
IPSec ID ********
IPSec secret ********
Xauth username ********
# OPTIONAL
# ========
#
#
# Various options not understood by vpnc itself but by some other scripts
#
# Target networks 123.234.210.0/24 10.1.0.0/16
# If Target networks is defined here, the default route is not replaced!
# Don't update resolv.conf though resolvconf is installed
# DNSUpdate no
Running 'ifconfig -a' only shows the eth0 and lo devices.
I run 'vpnc-connect work' and it asks for my password, I enter it, it waits for a bit and spits out a warning message:
This is a private institution. Violaters will be prosecuted. VPNC started in background (pid:12345)...
Running 'ifconfig -a' now shows the eth0, lo, and tun0 devices, my internet no longer 'works' (I can't get to google - firefox says that it can't find google, that I should check the name and try again), but I also can't VNC to my box either. Feels to me like I don't have any DNS servers.
When I run ifconfig I notice that the tun0 device has an ip different than my eth0 - eth0:10.7.77.34 and tun0:10.10.40.8 ...
What am I leaving out?? Why is this not working??
I have resolvconf installed... is there any other information that I could provide that might help?
Can you 'ping' it?
Can you ping any other machine on the same network as the VNC server ?
Is the VNC server running the WinXP firewall? It might block incoming VNC connections.
If you can ping the VNC server, use its IP address to VNC connect to it:
vncviewer ip-address:0
[ Parent | Reply to this comment ]
I don't think it's running a firewall, but that's a good suggestion - I'll check into that.
[ Parent | Reply to this comment ]
I'm still thinking that something is messed up with the DNS or routing or something...
[ Parent | Reply to this comment ]
# Target networks 123.234.210.0/24 10.1.0.0/16
# If Target networks is defined here, the default route is not replaced!
Set this option so your resolv.conf isn't mangled.
# Don't update resolv.conf though resolvconf is installed
# DNSUpdate no
Don't use VNC; use RDP instead. The Linux RDP client is rdesktop. You need to enable the remote login/desktop option on the XP machine.
[ Parent | Reply to this comment ]
Am I making any sense? :-)
[ Parent | Reply to this comment ]
When you run vpnc, it makes a tunnel device (tun0) - this will almost always have a new IP, and very often a private one like you're seeing.
Since you didn't specify otherwise (using the "Target Networks" in the config file) a new default route should have been created through the tunnel (type "ip route" to check what your routing table looks like).
Depending where the vpn server is and stuff, you might need to use a different IP to access the VNC server though, since the VPN server might not have masquerading set up properly to forward your connection through the private IP to the real internet...
I expect though, that the problem you see now is simpler - try disabling any firewall rules to see if any of them are interfering. I know that the ipmasq package, for example, doesn't deal well with adding new interfaces, since it no longer knows what is an "internal" interface, and what's an "external" one, so everything on the tunnel ends up completely blocked and nothing can get through! Give it a try, anyway.
[ Parent | Reply to this comment ]
The VPN server is a Cisco one which more than a handful of others use (they use winxp though), and they all VPN to the network, then VNC to their machines - so I'm guessing that the VPN server is setup correctly.
I am running a local firewall (if that's the firewall that you're referring to), and it is very restrictive (I had to allow the VPN port before I could get vpnc to work). I turned it off, ran everything again and still no luck.
I'm thinking that my work box running WinXP might have some default firewall running that I didn't setup (they come with a default setup from the IT dept.)... so I'm gonna check that in a day or so and see if that's the problem... I hope it is - then I can tell my boss (who knows that I was having problems getting Debian to VPN/VNC in) that it was WinXP causin' all the problems all along.
[ Parent | Reply to this comment ]
I know this is off-topic a bit, but I want to get vpnc working in Debian.
In my workplace we have a CISCO 830 (ISP hosting) + 90 combination (office).
http://www.cisco.com/en/US/products/hw/routers/ps380/ps4873/index.html
And I can connect using Cisco VPN Client 4.0.5 under Windows XP, but VPNc doesn't work.
Is it possible that I cannot use it for this router??
Because the manual says
"vpnc is a VPN client for the Cisco 3000 VPN Concentrator,"
Thanks!
Oneill
[ Parent | Reply to this comment ]
I mentioned in a post above this one that there was no firewall running on my work machine... so... I'm lost now.
[ Parent | Reply to this comment ]
Do the same for tun0
Then you may need to restore your internet gateway settings with `route add default gw X`. Where X is the ip of the default gateway you had on eth0 before starting all this.
[ Parent | Reply to this comment ]
2. They have recently changed the vpnc package, at least in testing. vpnc-connect is now a real executable, and not the startup script which used to be called "vpnc-connect". For Debian testing, the startup script is /etc/vpnc/vpnc-script, and that's what you want. Make sure to try adding the --udp to the command line.
Hope any of that helps.
[ Parent | Reply to this comment ]
Do I have that option with stable(sarge)?
[ Parent | Reply to this comment ]
The second was just a sanity check to make sure you're running the startup shell script and not the vpnc binary executable directly. In Debian testing, "vpnc-connect" is now a symbolic link to the binary, which is not what you want ... you want to run the script which is in /etc/vpnc/. I don't know if this change has been made in stable, but it is in testing, and vpnc stopped working for me until I realized "vpnc-connect" wasn't running the script anymore but was running the binary directly.
Hope that was a little more clear.
[ Parent | Reply to this comment ]
Ok, here is the conclusion:
---------------------------
If people have any problem with a socket connection, the first thing they will check is the firewall logs, so please forget this firewall story.
The facts:
- vpnc sucks with Cisco 830/831
And the funny part:
I installed the
cisco Linux 2.2.x/2.4.x/2.6.x vpnlinux-47.tar.gz 1.3 Mb
original client on my desktop Debian box (2.6.12) and it works fine, but I want to install this on my communication server (2.6.14-6-grsec), and what do you think happened:
make -C /lib/modules/2.6.14.6-grsec/build SUBDIRS=/usr/src/2/vpnclient modules
make[1]: Entering directory `/usr/src/linux-2.6.14.6'
CC [M] /usr/src/2/vpnclient/linuxcniapi.o
/usr/src/2/vpnclient/linuxcniapi.c: In function `CniInjectReceive':
/usr/src/2/vpnclient/linuxcniapi.c:292: error: structure has no member named `stamp'
/usr/src/2/vpnclient/linuxcniapi.c: In function `CniInjectSend':
/usr/src/2/vpnclient/linuxcniapi.c:432: error: structure has no member named `stamp'
make[2]: *** [/usr/src/2/vpnclient/linuxcniapi.o] Error 1
make[1]: *** [module/usr/src/2/vpnclient] Error 2
make[1]: Leaving directory `/usr/src/linux-2.6.14.6'
make: *** [default] Error 2
Failed to make module "cisco_ipsec.ko".
That's it!
And I found a couple of blogs with the same problem; you can't use this with higher than 2.6.12, maybe...
Oh yes, if you need a good link:
http://www.bol.ucla.edu/services/vpn/
Let's download freely ;)))
Now I will install a UML machine for only this purpose.
Oneill
[ Parent | Reply to this comment ]
Oh, and the cisco client's license forbids redistribution, so if you care about such things, you'll not want to hand it out....
[ Parent | Reply to this comment ]
Thanks
Oneill
[ Parent | Reply to this comment ]
In my case, the university I work for has it available for all students and staff. Not sure how you can go about getting an upgrade though.
That said, I'd recommend vpnc in any case - it's better in almost every way, though I guess it's still lacking some features that might prevent it from connecting to some servers.
In the case of this article, it looks like it's connecting fine, so I'm pretty sure it's a routing or firewall problem that's keeping it from being usable.
[ Parent | Reply to this comment ]
Actually I solved the problem with VPNc; sorry about that comment when I said it's not working with 830.
And really it's very good because it doesn't need any special module.
Oneill
[ Parent | Reply to this comment ]
Thanks for the pointer!
[ Parent | Reply to this comment ]
(In other words we were both connecting from 'A' but I was connecting to 'B' and he was connecting to 'C'. I went to 'D' and was able to get to 'B'... if that helps.)
So... it's something in the way the VPN access is setup for the specific building I'm connecting to that is causing problems for me when I'm at home. I'm gonna chat with them to see if they can fix it. So... yeah... it wasn't ever Debian's fault and I probably won't have to switch!
[ Parent | Reply to this comment ]
I wrote a small script to save the default routes, run vpnc, then reset the routes. Note the two work addresses 172. and 203. are re-routed to the tunnel.
The script is ....
#!/bin/sh
echo '------ Current Routing Table --------'
/sbin/route -n
echo
# the gateway of the current default route (flags column contains UG)
default_eth=`route -n | grep UG | awk '{ print $2 }'`
echo Default Route is $default_eth
echo /usr/sbin/vpnc /etc/vpnc/cpu.conf
/usr/sbin/vpnc /etc/vpnc/cpu.conf
# get ifconfig.
# look for line of tun0 and include next 4 lines
# look for line containing 'inet' and print the second column
# remove the addr
dynip_tun=`/sbin/ifconfig | grep -A 4 tun0 | awk '/inet/ { print $2 } ' | sed -e s/addr://`
dynip_eth=`/sbin/ifconfig | grep -A 4 eth0 | awk '/inet/ { print $2 } ' | sed -e s/addr://`
echo Default Route is $default_eth
echo dynamic tunnel ip = $dynip_tun
echo dynamic local lan ip = $dynip_eth
# vpnc made tun0 the default route; put the old gateway back
route del default
route add default gw $default_eth
# and send only the work networks through the tunnel
route add -net 172.0.0.0 netmask 255.0.0.0 gw $dynip_tun
route add -net 203.2.0.0 netmask 255.255.0.0 gw $dynip_tun
echo
echo '------ VPN Routing Table --------'
/sbin/route -n
[ Parent | Reply to this comment ]
One thing I noticed is that all my requests are routed through the tunnel now.
Can you ping a known ip address to see if the tunnel is working or not?
If you have any problems I can try to help you: leandro.saad at gmail.com.
Cheers
[ Parent | Reply to this comment ]
vpnc /etc/vpnc/default.conf
route del default
route add default gw x.x.x.x (use your old default gateway ip here)
route add -net 10.0.0.0 netmask 255.0.0.0 tun0 (in my case, "work" network uses the 10.x.x.x subnet)
And you're done!
[ Parent | Reply to this comment ]
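An added example, not a script from any poster in this thread, that turns the four-step recipe above (and the earlier save-and-restore script) into a reusable wrapper: the old gateway is read before vpnc runs, the default route is put back afterwards, and only the work prefixes go through the tunnel. The config path, the tunnel name and the work prefixes are assumed placeholders; the route parsing is kept in a filter function so it can be checked against captured `ip route` output.

```shell
#!/bin/sh
# Added example (not from the thread): split-tunnel wrapper around vpnc.
# Assumed placeholders: CONF, TUN_DEV and WORK_NETS; override them as needed.
CONF="${CONF:-/etc/vpnc/default.conf}"
TUN_DEV="${TUN_DEV:-tun0}"
WORK_NETS="${WORK_NETS:-10.0.0.0/8 172.16.0.0/12}"   # only these go via the VPN
DRY_RUN="${DRY_RUN:-1}"                              # 1 = print commands, 0 = apply

# Read `ip -4 route` output on stdin and print the gateway of the default
# route (empty output if there is none). A filter so it can be tested offline.
default_gw_from_table() {
    awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# Print, one per line, the commands that move the default route back to $1
# (the pre-VPN gateway) and pin each work network to the tunnel device.
split_tunnel_cmds() {
    gw="$1"
    echo "ip route replace default via $gw"
    for net in $WORK_NETS; do
        echo "ip route replace $net dev $TUN_DEV"
    done
}

# Full procedure: remember the gateway, connect, then re-route.
run_vpn() {
    gw=$(ip -4 route show | default_gw_from_table)
    if [ -z "$gw" ]; then
        echo "no default gateway found before connecting; not continuing" >&2
        return 1
    fi
    vpnc "$CONF" || return 1          # vpnc swaps the default route onto tun0
    split_tunnel_cmds "$gw" | while read -r cmd; do
        if [ "$DRY_RUN" = "1" ]; then echo "$cmd"; else $cmd; fi
    done
    ip -4 route show                  # final table, for a sanity check
}

# Only act when invoked as `sh split-tunnel.sh run`, so the file can be sourced.
if [ "${1:-}" = "run" ]; then
    run_vpn
fi
```

Run with DRY_RUN=1 first to see the exact route commands before letting the script apply them as root.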
vpnc --natt-mode cisco-udp your_config.conf
[ Parent | Reply to this comment ]