| 1 |
Hello, |
| 2 |
|
| 3 |
Am Montag, 2. März 2015, 21:01:48 schrieb Mick: |
| 4 |
> On Monday 02 Mar 2015 18:07:45 Petric Frank wrote: |
| 5 |
> > Hello, |
| 6 |
> > |
| 7 |
> > this is not a Gentoo problem per se, but i'm getting it under Gentoo. |
| 8 |
> > |
| 9 |
> > Runninng KDE + Networkmanager |
| 10 |
> > (net-misc/networkmanager-0.9.10.1_pre20141101) together with vpnc plugin |
| 11 |
> > (net-misc/networkmanager-vpnc-0.9.10.0). |
| 12 |
> > |
| 13 |
> > I have set up a VPN connection to a AVM FritzBox (which is using - as far |
| 14 |
> > as i can evaluate - a Cisco like IPSec tunnel). |
| 15 |
> > |
| 16 |
> > This is running very well, but after exactly 1 hour the connection is |
| 17 |
> > dropped. I can reconnect, but it also lasts 1 hour. |
| 18 |
> > |
| 19 |
> > After som crawlng though the net it seems that a key validity runs ot of |
| 20 |
> > time at the client side. I t looks like this one |
| 21 |
> > |
| 22 |
> > https://bugs.launchpad.net/ubuntu/+source/vpnc/+bug/479632 |
| 23 |
> > |
| 24 |
> > The nmcli output for this connection reads like this (some obfusicated): |
| 25 |
> > ------------------------ cut ----------------------------- |
| 26 |
> > ========================================================================= |
| 27 |
> > == ==== Details des Verbindungsprofils (XX) |
| 28 |
> > ========================================================================= |
| 29 |
> > == ==== connection.id: XX |
| 30 |
> > connection.uuid: |
| 31 |
> > |
| 32 |
> > 11111111111111-2222-33333333333333333 connection.interface-name: |
| 33 |
> > -- |
| 34 |
> > |
| 35 |
> > connection.type: vpn |
| 36 |
> > connection.autoconnect: no |
| 37 |
> > connection.timestamp: 1425319416 |
| 38 |
> > connection.read-only: no |
| 39 |
> > connection.permissions: |
| 40 |
> > connection.zone: |
| 41 |
> > connection.master: -- |
| 42 |
> > connection.slave-type: -- |
| 43 |
> > connection.secondaries: |
| 44 |
> > connection.gateway-ping-timeout: 0 |
| 45 |
> > ------------------------------------------------------------------------- |
| 46 |
> > -- ---- ipv4.method: auto |
| 47 |
> > ipv4.dns: |
| 48 |
> > ipv4.dns-search: |
| 49 |
> > ipv4.addresses: |
| 50 |
> > ipv4.routes: |
| 51 |
> > ipv4.ignore-auto-routes: yes |
| 52 |
> > ipv4.ignore-auto-dns: no |
| 53 |
> > ipv4.dhcp-client-id: -- |
| 54 |
> > ipv4.dhcp-send-hostname: yes |
| 55 |
> > ipv4.dhcp-hostname: -- |
| 56 |
> > ipv4.never-default: yes |
| 57 |
> > ipv4.may-fail: no |
| 58 |
> > ------------------------------------------------------------------------- |
| 59 |
> > -- ---- ipv6.method: ignore |
| 60 |
> > ipv6.dns: |
| 61 |
> > ipv6.dns-search: |
| 62 |
> > ipv6.addresses: |
| 63 |
> > ipv6.routes: |
| 64 |
> > ipv6.ignore-auto-routes: no |
| 65 |
> > ipv6.ignore-auto-dns: no |
| 66 |
> > ipv6.never-default: no |
| 67 |
> > ipv6.may-fail: yes |
| 68 |
> > ipv6.ip6-privacy: 0 (deaktiviert) |
| 69 |
> > ipv6.dhcp-hostname: -- |
| 70 |
> > ------------------------------------------------------------------------- |
| 71 |
> > -- ---- vpn.service-type: |
| 72 |
> > |
| 73 |
> > org.freedesktop.NetworkManager.vpnc vpn.user-name: |
| 74 |
> > -- |
| 75 |
> > |
| 76 |
> > vpn.data: Local Port = 0, IKE DH Group = |
| 77 |
> > dh2, Perfect Forward Secrecy = server, Xauth password-flags = 1, IPSec |
| 78 |
> > ID = user@××××.loc, IPSec gateway = open.nsupdate.info, Xauth username = |
| 79 |
> > user@××××.loc, Cisco UDP Encapsulation Port = 0, Vendor = cisco, IPSec |
| 80 |
> > secret- flags = 1, NAT Traversal Mode = natt |
| 81 |
> > vpn.secrets: |
| 82 |
> > |
| 83 |
> > ------------------------ cut ----------------------------- |
| 84 |
> > |
| 85 |
> > Any hints ? |
| 86 |
> > |
| 87 |
> > regards |
| 88 |
> > |
| 89 |
> > Petric |
| 90 |
> |
| 91 |
> Going from memory here, but I recall that the VPNC client had problems |
| 92 |
> rekeying SAs in Phase 2. I seem to recall there was bug but can't recall |
| 93 |
> if it was ever patched. |
| 94 |
> |
| 95 |
> Yep - see here, a regression problem with version net-misc/vpnc-0.5.3: |
| 96 |
> |
| 97 |
> http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-July/003127.html |
| 98 |
> |
| 99 |
> I see that portage has 0.5.3_p527-r1 as stable, but I don't know if this |
| 100 |
> includes any necessary patches. You could check the changelog. |
| 101 |
|
| 102 |
The homepage on vpnc in chapter TODO tells: |
| 103 |
"phase2-rekeying is now supported as of svn revision 126!" |
| 104 |
|
| 105 |
Changelog states for 0.5.2: |
| 106 |
"Fix Phase 2 rekeying, by various authors" |
| 107 |
|
| 108 |
I don't know whether this is along your statement above. |
| 109 |
|
| 110 |
So it seems not to be completely fixed. The homepage is not updated the last 7 |
| 111 |
years. |
| 112 |
|
| 113 |
> BTW, have you tried more actively developed VPN software like strongswan |
| 114 |
> (it has a networkmanager plugin) or even ipsec-tools instead of vpnc, to |
| 115 |
> see if you're getting the same problem? I think that they should work |
| 116 |
> with Cisco VPN gateways, although it may be fiddly to set them up. |
| 117 |
|
| 118 |
i can find only ebuilds of (networkmanager-)openswan in the official tree. |
| 119 |
strongswan is in the stable tree but not the networkmanager plugin. |
| 120 |
I tried the one from the zugaina overlay (v. 1.3.0) but it seems to miss the |
| 121 |
dependency to libgnomeui. I do not have gnome installed (and don't intend to |
| 122 |
do so). My desktop is a kde one. |
| 123 |
|
| 124 |
Anyone has a ebuild/package not requiring gnome ? |
| 125 |
|
| 126 |
regards |
| 127 |
Petric |
Archives