Hello,

On Monday, 2 March 2015, 21:01:48, Mick wrote:
> On Monday 02 Mar 2015 18:07:45 Petric Frank wrote:
> > Hello,
> >
> > this is not a Gentoo problem per se, but I'm getting it under Gentoo.
> >
> > Running KDE + Networkmanager
> > (net-misc/networkmanager-0.9.10.1_pre20141101) together with vpnc plugin
> > (net-misc/networkmanager-vpnc-0.9.10.0).
> >
> > I have set up a VPN connection to an AVM FritzBox (which is using - as far
> > as I can evaluate - a Cisco like IPSec tunnel).
> >
> > This is running very well, but after exactly 1 hour the connection is
> > dropped. I can reconnect, but it also lasts 1 hour.
> >
> > After some crawling through the net it seems that a key validity runs out of
> > time at the client side. It looks like this one
> >
> > https://bugs.launchpad.net/ubuntu/+source/vpnc/+bug/479632
> >
> > The nmcli output for this connection reads like this (some obfuscated):
> > ------------------------ cut -----------------------------
> > ===============================================================================
> >                      Details des Verbindungsprofils (XX)
> > ===============================================================================
> > connection.id:                          XX
> > connection.uuid:                        11111111111111-2222-33333333333333333
> > connection.interface-name:              --
> > connection.type:                        vpn
> > connection.autoconnect:                 no
> > connection.timestamp:                   1425319416
> > connection.read-only:                   no
> > connection.permissions:
> > connection.zone:
> > connection.master:                      --
> > connection.slave-type:                  --
> > connection.secondaries:
> > connection.gateway-ping-timeout:        0
> > -------------------------------------------------------------------------------
> > ipv4.method:                            auto
> > ipv4.dns:
> > ipv4.dns-search:
> > ipv4.addresses:
> > ipv4.routes:
> > ipv4.ignore-auto-routes:                yes
> > ipv4.ignore-auto-dns:                   no
> > ipv4.dhcp-client-id:                    --
> > ipv4.dhcp-send-hostname:                yes
> > ipv4.dhcp-hostname:                     --
> > ipv4.never-default:                     yes
> > ipv4.may-fail:                          no
> > -------------------------------------------------------------------------------
> > ipv6.method:                            ignore
> > ipv6.dns:
> > ipv6.dns-search:
> > ipv6.addresses:
> > ipv6.routes:
> > ipv6.ignore-auto-routes:                no
> > ipv6.ignore-auto-dns:                   no
> > ipv6.never-default:                     no
> > ipv6.may-fail:                          yes
> > ipv6.ip6-privacy:                       0 (deaktiviert)
> > ipv6.dhcp-hostname:                     --
> > -------------------------------------------------------------------------------
> > vpn.service-type:                       org.freedesktop.NetworkManager.vpnc
> > vpn.user-name:                          --
> > vpn.data:                               Local Port = 0, IKE DH Group = dh2,
> >     Perfect Forward Secrecy = server, Xauth password-flags = 1,
> >     IPSec ID = user@××××.loc, IPSec gateway = open.nsupdate.info,
> >     Xauth username = user@××××.loc, Cisco UDP Encapsulation Port = 0,
> >     Vendor = cisco, IPSec secret-flags = 1, NAT Traversal Mode = natt
> > vpn.secrets:
> > ------------------------ cut -----------------------------
> >
> > Any hints?
> >
> > regards
> >
> > Petric
>
> Going from memory here, but I recall that the VPNC client had problems
> rekeying SAs in Phase 2. I seem to recall there was a bug but can't recall
> if it was ever patched.
>
> Yep - see here, a regression problem with version net-misc/vpnc-0.5.3:
>
> http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-July/003127.html
>
> I see that portage has 0.5.3_p527-r1 as stable, but I don't know if this
> includes any necessary patches. You could check the changelog.

The vpnc homepage says, in its TODO chapter:
"phase2-rekeying is now supported as of svn revision 126!"

The changelog states for 0.5.2:
"Fix Phase 2 rekeying, by various authors"

I don't know whether this is in line with your statement above.

So it seems not to be completely fixed. The homepage has not been updated in
the last 7 years.

> BTW, have you tried more actively developed VPN software like strongswan
> (it has a networkmanager plugin) or even ipsec-tools instead of vpnc, to
> see if you're getting the same problem? I think that they should work
> with Cisco VPN gateways, although it may be fiddly to set them up.

I can find only ebuilds of (networkmanager-)openswan in the official tree.
strongswan is in the stable tree but not the networkmanager plugin.
I tried the one from the zugaina overlay (v. 1.3.0) but it seems to miss the
dependency on libgnomeui. I do not have gnome installed (and don't intend to
do so). My desktop is a kde one.

Does anyone have an ebuild/package not requiring gnome?

regards
Petric