Re: [gentoo-user] Networkmanager VPNC key timeout - gentoo-user

From:	Mick <michaelkintzios@×××××.com>
To:	gentoo-user@l.g.o
Subject:	Re: [gentoo-user] Networkmanager VPNC key timeout
Date:	Mon, 02 Mar 2015 20:02:09
Message-Id:	`201503022001.58511.michaelkintzios@gmail.com`
In Reply to:	[gentoo-user] Networkmanager VPNC key timeout by Petric Frank

1

On Monday 02 Mar 2015 18:07:45 Petric Frank wrote:

2

> Hello,

3

>

4

> this is not a Gentoo problem per se, but i'm getting it under Gentoo.

5

>

6

> Runninng KDE + Networkmanager

7

> (net-misc/networkmanager-0.9.10.1_pre20141101) together with vpnc plugin

8

> (net-misc/networkmanager-vpnc-0.9.10.0).

9

>

10

> I have set up a VPN connection to a AVM FritzBox (which is using - as far

11

> as i can evaluate - a Cisco like IPSec tunnel).

12

>

13

> This is running very well, but after exactly 1 hour the connection is

14

> dropped. I can reconnect, but it also lasts 1 hour.

15

>

16

> After som crawlng though the net it seems that a key validity runs ot of

17

> time at the client side. I t looks like this one

18

>   https://bugs.launchpad.net/ubuntu/+source/vpnc/+bug/479632

19

>

20

> The nmcli output for this connection reads like this (some obfusicated):

21

> ------------------------ cut -----------------------------

22

> ===========================================================================

23

> ==== Details des Verbindungsprofils (XX)

24

> ===========================================================================

25

> ==== connection.id:                          XX

26

> connection.uuid:

27

> 11111111111111-2222-33333333333333333 connection.interface-name:

28

>    --

29

> connection.type:                        vpn

30

> connection.autoconnect:                 no

31

> connection.timestamp:                   1425319416

32

> connection.read-only:                   no

33

> connection.permissions:

34

> connection.zone:

35

> connection.master:                      --

36

> connection.slave-type:                  --

37

> connection.secondaries:

38

> connection.gateway-ping-timeout:        0

39

> ---------------------------------------------------------------------------

40

> ---- ipv4.method:                            auto

41

> ipv4.dns:

42

> ipv4.dns-search:

43

> ipv4.addresses:

44

> ipv4.routes:

45

> ipv4.ignore-auto-routes:                yes

46

> ipv4.ignore-auto-dns:                   no

47

> ipv4.dhcp-client-id:                    --

48

> ipv4.dhcp-send-hostname:                yes

49

> ipv4.dhcp-hostname:                     --

50

> ipv4.never-default:                     yes

51

> ipv4.may-fail:                          no

52

> ---------------------------------------------------------------------------

53

> ---- ipv6.method:                            ignore

54

> ipv6.dns:

55

> ipv6.dns-search:

56

> ipv6.addresses:

57

> ipv6.routes:

58

> ipv6.ignore-auto-routes:                no

59

> ipv6.ignore-auto-dns:                   no

60

> ipv6.never-default:                     no

61

> ipv6.may-fail:                          yes

62

> ipv6.ip6-privacy:                       0 (deaktiviert)

63

> ipv6.dhcp-hostname:                     --

64

> ---------------------------------------------------------------------------

65

> ---- vpn.service-type:

66

> org.freedesktop.NetworkManager.vpnc vpn.user-name:

67

>  --

68

> vpn.data:                               Local Port = 0, IKE DH Group = dh2,

69

> Perfect Forward Secrecy = server, Xauth password-flags = 1, IPSec ID =

70

> user@××××.loc, IPSec gateway = open.nsupdate.info, Xauth username =

71

> user@××××.loc, Cisco UDP Encapsulation Port = 0, Vendor = cisco, IPSec

72

> secret- flags = 1, NAT Traversal Mode = natt

73

> vpn.secrets:

74

>

75

> ------------------------ cut -----------------------------

76

>

77

> Any hints ?

78

>

79

> regards

80

>   Petric

81

82

Going from memory here, but I recall that the VPNC client had problems 

83

rekeying SAs in Phase 2.  I seem to recall there was bug but can't recall if 

84

it was ever patched.

85

86

Yep - see here, a regression problem with version net-misc/vpnc-0.5.3:

87

88

http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-July/003127.html

89

90

I see that portage has 0.5.3_p527-r1 as stable, but I don't know if this 

91

includes any necessary patches.  You could check the changelog.

92

93

BTW, have you tried more actively developed VPN software like strongswan (it 

94

has a networkmanager plugin) or even ipsec-tools instead of vpnc, to see if 

95

you're getting the same problem?  I think that they should work with Cisco VPN 

96

gateways, although it may be fiddly to set them up.

97

98

--

99

Regards,

100

Mick

Gentoo Archives: gentoo-user

Attachments

Replies

1	On Monday 02 Mar 2015 18:07:45 Petric Frank wrote:
2	> Hello,
3	>
4	> this is not a Gentoo problem per se, but i'm getting it under Gentoo.
5	>
6	> Runninng KDE + Networkmanager
7	> (net-misc/networkmanager-0.9.10.1_pre20141101) together with vpnc plugin
8	> (net-misc/networkmanager-vpnc-0.9.10.0).
9	>
10	> I have set up a VPN connection to a AVM FritzBox (which is using - as far
11	> as i can evaluate - a Cisco like IPSec tunnel).
12	>
13	> This is running very well, but after exactly 1 hour the connection is
14	> dropped. I can reconnect, but it also lasts 1 hour.
15	>
16	> After som crawlng though the net it seems that a key validity runs ot of
17	> time at the client side. I t looks like this one
18	> https://bugs.launchpad.net/ubuntu/+source/vpnc/+bug/479632
19	>
20	> The nmcli output for this connection reads like this (some obfusicated):
21	> ------------------------ cut -----------------------------
22	> ===========================================================================
23	> ==== Details des Verbindungsprofils (XX)
24	> ===========================================================================
25	> ==== connection.id: XX
26	> connection.uuid:
27	> 11111111111111-2222-33333333333333333 connection.interface-name:
28	> --
29	> connection.type: vpn
30	> connection.autoconnect: no
31	> connection.timestamp: 1425319416
32	> connection.read-only: no
33	> connection.permissions:
34	> connection.zone:
35	> connection.master: --
36	> connection.slave-type: --
37	> connection.secondaries:
38	> connection.gateway-ping-timeout: 0
39	> ---------------------------------------------------------------------------
40	> ---- ipv4.method: auto
41	> ipv4.dns:
42	> ipv4.dns-search:
43	> ipv4.addresses:
44	> ipv4.routes:
45	> ipv4.ignore-auto-routes: yes
46	> ipv4.ignore-auto-dns: no
47	> ipv4.dhcp-client-id: --
48	> ipv4.dhcp-send-hostname: yes
49	> ipv4.dhcp-hostname: --
50	> ipv4.never-default: yes
51	> ipv4.may-fail: no
52	> ---------------------------------------------------------------------------
53	> ---- ipv6.method: ignore
54	> ipv6.dns:
55	> ipv6.dns-search:
56	> ipv6.addresses:
57	> ipv6.routes:
58	> ipv6.ignore-auto-routes: no
59	> ipv6.ignore-auto-dns: no
60	> ipv6.never-default: no
61	> ipv6.may-fail: yes
62	> ipv6.ip6-privacy: 0 (deaktiviert)
63	> ipv6.dhcp-hostname: --
64	> ---------------------------------------------------------------------------
65	> ---- vpn.service-type:
66	> org.freedesktop.NetworkManager.vpnc vpn.user-name:
67	> --
68	> vpn.data: Local Port = 0, IKE DH Group = dh2,
69	> Perfect Forward Secrecy = server, Xauth password-flags = 1, IPSec ID =
70	> user@××××.loc, IPSec gateway = open.nsupdate.info, Xauth username =
71	> user@××××.loc, Cisco UDP Encapsulation Port = 0, Vendor = cisco, IPSec
72	> secret- flags = 1, NAT Traversal Mode = natt
73	> vpn.secrets:
74	>
75	> ------------------------ cut -----------------------------
76	>
77	> Any hints ?
78	>
79	> regards
80	> Petric
81
82	Going from memory here, but I recall that the VPNC client had problems
83	rekeying SAs in Phase 2. I seem to recall there was bug but can't recall if
84	it was ever patched.
85
86	Yep - see here, a regression problem with version net-misc/vpnc-0.5.3:
87
88	http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-July/003127.html
89
90	I see that portage has 0.5.3_p527-r1 as stable, but I don't know if this
91	includes any necessary patches. You could check the changelog.
92
93	BTW, have you tried more actively developed VPN software like strongswan (it
94	has a networkmanager plugin) or even ipsec-tools instead of vpnc, to see if
95	you're getting the same problem? I think that they should work with Cisco VPN
96	gateways, although it may be fiddly to set them up.
97
98	--
99	Regards,
100	Mick