public inbox for gentoo-user@lists.gentoo.org

* [gentoo-user] Networkmanager VPNC key timeout
From: Petric Frank @ 2015-03-02 18:07 UTC
  To: gentoo-user


Hello,

this is not a Gentoo problem per se, but I'm getting it under Gentoo.

Running KDE + Networkmanager (net-misc/networkmanager-0.9.10.1_pre20141101)
together with the vpnc plugin (net-misc/networkmanager-vpnc-0.9.10.0).

I have set up a VPN connection to an AVM FritzBox (which is using - as far as I
can evaluate - a Cisco-like IPSec tunnel).

This is running very well, but after exactly 1 hour the connection is dropped.
I can reconnect, but it also lasts 1 hour.

After some crawling through the net it seems that a key validity runs out of time
at the client side. It looks like this one:
  https://bugs.launchpad.net/ubuntu/+source/vpnc/+bug/479632

The nmcli output for this connection reads like this (some parts obfuscated):
------------------------ cut -----------------------------
===============================================================================
                      Details des Verbindungsprofils (XX)
===============================================================================
connection.id:                          XX
connection.uuid:                        11111111111111-2222-33333333333333333
connection.interface-name:              --
connection.type:                        vpn
connection.autoconnect:                 no
connection.timestamp:                   1425319416
connection.read-only:                   no
connection.permissions:                 
connection.zone:                        
connection.master:                      --
connection.slave-type:                  --
connection.secondaries:                 
connection.gateway-ping-timeout:        0
-------------------------------------------------------------------------------
ipv4.method:                            auto
ipv4.dns:                               
ipv4.dns-search:                        
ipv4.addresses:                         
ipv4.routes:                            
ipv4.ignore-auto-routes:                yes
ipv4.ignore-auto-dns:                   no
ipv4.dhcp-client-id:                    --
ipv4.dhcp-send-hostname:                yes
ipv4.dhcp-hostname:                     --
ipv4.never-default:                     yes
ipv4.may-fail:                          no
-------------------------------------------------------------------------------
ipv6.method:                            ignore
ipv6.dns:                               
ipv6.dns-search:                        
ipv6.addresses:                         
ipv6.routes:                            
ipv6.ignore-auto-routes:                no
ipv6.ignore-auto-dns:                   no
ipv6.never-default:                     no
ipv6.may-fail:                          yes
ipv6.ip6-privacy:                       0 (deaktiviert)
ipv6.dhcp-hostname:                     --
-------------------------------------------------------------------------------
vpn.service-type:                       org.freedesktop.NetworkManager.vpnc
vpn.user-name:                          --
vpn.data:                               Local Port = 0, IKE DH Group = dh2, 
Perfect Forward Secrecy = server, Xauth password-flags = 1, IPSec ID = 
user@host.loc, IPSec gateway = open.nsupdate.info, Xauth username = 
user@host.loc, Cisco UDP Encapsulation Port = 0, Vendor = cisco, IPSec secret-
flags = 1, NAT Traversal Mode = natt
vpn.secrets:                            

------------------------ cut -----------------------------

Any hints?

regards
  Petric

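The profile dump above is what `nmcli connection show` prints, with long values wrapped onto continuation lines and the vpnc plugin's settings packed into one `vpn.data` string. The following is an added example (not code from the thread, from NetworkManager or from vpnc) that parses such a dump, re-joins the wrapped lines, splits `vpn.data` into individual settings and decodes the NetworkManager secret-flag bits that appear in it. `SAMPLE_DUMP` is a constructed, shortened copy of the post's output; the helper names are this example's own.

```python
# Added example: parse a `nmcli connection show <id>` profile dump and decode
# the vpnc plugin's "vpn.data" settings. Not code from the thread or from NM.
import re
from typing import Dict, List

# Constructed sample: shortened copy of the dump in the post, keeping nmcli's
# line wrapping (including the "secret-" / "flags" split across two lines).
SAMPLE_DUMP = """\
===============================================================================
                      Details des Verbindungsprofils (XX)
===============================================================================
connection.id:                          XX
connection.type:                        vpn
connection.timestamp:                   1425319416
-------------------------------------------------------------------------------
ipv4.method:                            auto
ipv4.never-default:                     yes
-------------------------------------------------------------------------------
vpn.service-type:                       org.freedesktop.NetworkManager.vpnc
vpn.user-name:                          --
vpn.data:                               Local Port = 0, IKE DH Group = dh2,
Perfect Forward Secrecy = server, Xauth password-flags = 1, IPSec ID =
user@host.loc, IPSec gateway = open.nsupdate.info, Xauth username =
user@host.loc, Cisco UDP Encapsulation Port = 0, Vendor = cisco, IPSec secret-
flags = 1, NAT Traversal Mode = natt
vpn.secrets:
"""

# A property line is "section.key:<spaces>value"; any other non-ruler line that
# follows a property line is a wrapped continuation of that value.
PROPERTY_RE = re.compile(r"^([a-z0-9-]+\.[a-z0-9-]+):\s*(.*)$")

# NetworkManager secret-flag bits (NMSettingSecretFlags); 0 means NM stores it.
SECRET_FLAG_BITS = {
    1: "agent-owned (kept by a user agent such as the desktop wallet)",
    2: "not-saved (asked for on every connection)",
    4: "not-required (no secret needed)",
}


def parse_profile(dump: str) -> Dict[str, str]:
    """Return {"section.key": value}, re-joining wrapped values.
    nmcli prints "--" for an unset value; that is normalised to ""."""
    props: Dict[str, str] = {}
    current = None
    for raw in dump.splitlines():
        line = raw.rstrip()
        # Rulers ("====", "----") and blank lines terminate the current value.
        if not line or line.startswith(("=", "-")):
            current = None
            continue
        m = PROPERTY_RE.match(line)
        if m:
            current = m.group(1)
            props[current] = m.group(2).strip()
        elif current is not None:
            # Continuation line: glue a hyphen split back together, otherwise
            # separate the fragments with one space.
            prev = props[current]
            joiner = "" if prev.endswith("-") else " "
            props[current] = (prev + joiner + line.strip()).strip()
        # Lines before the first property (the title banner) are ignored.
    return {k: ("" if v == "--" else v) for k, v in props.items()}


def parse_vpn_data(value: str) -> Dict[str, str]:
    """Split the plugin's "Key = value, Key = value" string into a dict."""
    data: Dict[str, str] = {}
    for item in value.split(","):
        key, sep, val = item.partition("=")
        if sep:
            data[key.strip()] = val.strip()
    return data


def secret_flag_names(flags: int) -> List[str]:
    """Decode a NetworkManager secret-flags integer into readable bit names."""
    if flags == 0:
        return ["none (secret stored by NetworkManager itself)"]
    return [name for bit, name in SECRET_FLAG_BITS.items() if flags & bit]


def summarize(dump: str) -> Dict[str, object]:
    """Pull out the settings worth checking when a tunnel drops on a timer."""
    props = parse_profile(dump)
    data = parse_vpn_data(props.get("vpn.data", ""))
    return {
        "service": props.get("vpn.service-type", ""),
        "gateway": data.get("IPSec gateway", ""),
        "ike_dh_group": data.get("IKE DH Group", ""),
        "pfs": data.get("Perfect Forward Secrecy", ""),
        "nat_traversal": data.get("NAT Traversal Mode", ""),
        "xauth_password_flags": secret_flag_names(int(data.get("Xauth password-flags", "0"))),
        "ipsec_secret_flags": secret_flag_names(int(data.get("IPSec secret-flags", "0"))),
    }


if __name__ == "__main__":
    for key, val in summarize(SAMPLE_DUMP).items():
        print(f"{key:22} {val}")
```

Run it against a real dump by replacing `SAMPLE_DUMP` with the output of `nmcli connection show <id>`; the re-join step matters because a naive line-by-line reader would otherwise see `IPSec secret-` and `flags = 1` as two unrelated fragments. Note that the dump carries no SA lifetime at all, so the hour-long drop has to be diagnosed from the vpnc/NetworkManager logs rather than from the profile.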

* Re: [gentoo-user] Networkmanager VPNC key timeout
From: Mick @ 2015-03-02 20:01 UTC
  To: gentoo-user

On Monday 02 Mar 2015 18:07:45 Petric Frank wrote:
> Hello,
> 
> this is not a Gentoo problem per se, but I'm getting it under Gentoo.
> 
> Running KDE + Networkmanager
> (net-misc/networkmanager-0.9.10.1_pre20141101) together with the vpnc plugin
> (net-misc/networkmanager-vpnc-0.9.10.0).
> 
> I have set up a VPN connection to an AVM FritzBox (which is using - as far
> as I can evaluate - a Cisco-like IPSec tunnel).
> 
> This is running very well, but after exactly 1 hour the connection is
> dropped. I can reconnect, but it also lasts 1 hour.
> 
> After some crawling through the net it seems that a key validity runs out of
> time at the client side. It looks like this one:
>   https://bugs.launchpad.net/ubuntu/+source/vpnc/+bug/479632
> 
> The nmcli output for this connection reads like this (some parts obfuscated):
> ------------------------ cut -----------------------------
> ===============================================================================
>                       Details des Verbindungsprofils (XX)
> ===============================================================================
> connection.id:                          XX
> connection.uuid:                        11111111111111-2222-33333333333333333
> connection.interface-name:              --
> connection.type:                        vpn
> connection.autoconnect:                 no
> connection.timestamp:                   1425319416
> connection.read-only:                   no
> connection.permissions:
> connection.zone:
> connection.master:                      --
> connection.slave-type:                  --
> connection.secondaries:
> connection.gateway-ping-timeout:        0
> -------------------------------------------------------------------------------
> ipv4.method:                            auto
> ipv4.dns:
> ipv4.dns-search:
> ipv4.addresses:
> ipv4.routes:
> ipv4.ignore-auto-routes:                yes
> ipv4.ignore-auto-dns:                   no
> ipv4.dhcp-client-id:                    --
> ipv4.dhcp-send-hostname:                yes
> ipv4.dhcp-hostname:                     --
> ipv4.never-default:                     yes
> ipv4.may-fail:                          no
> -------------------------------------------------------------------------------
> ipv6.method:                            ignore
> ipv6.dns:
> ipv6.dns-search:
> ipv6.addresses:
> ipv6.routes:
> ipv6.ignore-auto-routes:                no
> ipv6.ignore-auto-dns:                   no
> ipv6.never-default:                     no
> ipv6.may-fail:                          yes
> ipv6.ip6-privacy:                       0 (deaktiviert)
> ipv6.dhcp-hostname:                     --
> -------------------------------------------------------------------------------
> vpn.service-type:                       org.freedesktop.NetworkManager.vpnc
> vpn.user-name:                          --
> vpn.data:                               Local Port = 0, IKE DH Group = dh2,
> Perfect Forward Secrecy = server, Xauth password-flags = 1, IPSec ID =
> user@host.loc, IPSec gateway = open.nsupdate.info, Xauth username =
> user@host.loc, Cisco UDP Encapsulation Port = 0, Vendor = cisco, IPSec
> secret-flags = 1, NAT Traversal Mode = natt
> vpn.secrets:
> 
> ------------------------ cut -----------------------------
> 
> Any hints?
> 
> regards
>   Petric

Going from memory here, but I recall that the VPNC client had problems 
rekeying SAs in Phase 2.  I seem to recall there was a bug but can't recall if 
it was ever patched.

Yep - see here, a regression problem with version net-misc/vpnc-0.5.3:

http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-July/003127.html

I see that portage has 0.5.3_p527-r1 as stable, but I don't know if this 
includes any necessary patches.  You could check the changelog.

BTW, have you tried more actively developed VPN software like strongswan (it 
has a networkmanager plugin) or even ipsec-tools instead of vpnc, to see if 
you're getting the same problem?  I think that they should work with Cisco VPN 
gateways, although it may be fiddly to set them up.

-- 
Regards,
Mick


* Re: [gentoo-user] Networkmanager VPNC key timeout
From: Petric Frank @ 2015-03-02 22:13 UTC
  To: gentoo-user

Hello,

On Monday, 2 March 2015, 21:01:48 Mick wrote:
> On Monday 02 Mar 2015 18:07:45 Petric Frank wrote:
> > Hello,
> > 
> > this is not a Gentoo problem per se, but I'm getting it under Gentoo.
> > 
> > Running KDE + Networkmanager
> > (net-misc/networkmanager-0.9.10.1_pre20141101) together with the vpnc plugin
> > (net-misc/networkmanager-vpnc-0.9.10.0).
> > 
> > I have set up a VPN connection to an AVM FritzBox (which is using - as far
> > as I can evaluate - a Cisco-like IPSec tunnel).
> > 
> > This is running very well, but after exactly 1 hour the connection is
> > dropped. I can reconnect, but it also lasts 1 hour.
> > 
> > After some crawling through the net it seems that a key validity runs out of
> > time at the client side. It looks like this one:
> > 
> >   https://bugs.launchpad.net/ubuntu/+source/vpnc/+bug/479632
> > 
> > The nmcli output for this connection reads like this (some parts obfuscated):
> > ------------------------ cut -----------------------------
> > ===============================================================================
> >                       Details des Verbindungsprofils (XX)
> > ===============================================================================
> > connection.id:                          XX
> > connection.uuid:                        11111111111111-2222-33333333333333333
> > connection.interface-name:              --
> > connection.type:                        vpn
> > connection.autoconnect:                 no
> > connection.timestamp:                   1425319416
> > connection.read-only:                   no
> > connection.permissions:
> > connection.zone:
> > connection.master:                      --
> > connection.slave-type:                  --
> > connection.secondaries:
> > connection.gateway-ping-timeout:        0
> > -------------------------------------------------------------------------------
> > ipv4.method:                            auto
> > ipv4.dns:
> > ipv4.dns-search:
> > ipv4.addresses:
> > ipv4.routes:
> > ipv4.ignore-auto-routes:                yes
> > ipv4.ignore-auto-dns:                   no
> > ipv4.dhcp-client-id:                    --
> > ipv4.dhcp-send-hostname:                yes
> > ipv4.dhcp-hostname:                     --
> > ipv4.never-default:                     yes
> > ipv4.may-fail:                          no
> > -------------------------------------------------------------------------------
> > ipv6.method:                            ignore
> > ipv6.dns:
> > ipv6.dns-search:
> > ipv6.addresses:
> > ipv6.routes:
> > ipv6.ignore-auto-routes:                no
> > ipv6.ignore-auto-dns:                   no
> > ipv6.never-default:                     no
> > ipv6.may-fail:                          yes
> > ipv6.ip6-privacy:                       0 (deaktiviert)
> > ipv6.dhcp-hostname:                     --
> > -------------------------------------------------------------------------------
> > vpn.service-type:                       org.freedesktop.NetworkManager.vpnc
> > vpn.user-name:                          --
> > vpn.data:                               Local Port = 0, IKE DH Group = dh2,
> > Perfect Forward Secrecy = server, Xauth password-flags = 1, IPSec ID =
> > user@host.loc, IPSec gateway = open.nsupdate.info, Xauth username =
> > user@host.loc, Cisco UDP Encapsulation Port = 0, Vendor = cisco, IPSec
> > secret-flags = 1, NAT Traversal Mode = natt
> > vpn.secrets:
> > 
> > ------------------------ cut -----------------------------
> > 
> > Any hints?
> > 
> > regards
> > 
> >   Petric
> 
> Going from memory here, but I recall that the VPNC client had problems
> rekeying SAs in Phase 2.  I seem to recall there was a bug but can't recall
> if it was ever patched.
> 
> Yep - see here, a regression problem with version net-misc/vpnc-0.5.3:
> 
> http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-July/003127.html
> 
> I see that portage has 0.5.3_p527-r1 as stable, but I don't know if this
> includes any necessary patches.  You could check the changelog.

The vpnc homepage says in the chapter TODO:
  "phase2-rekeying is now supported as of svn revision 126!"

The changelog states for 0.5.2:
  "Fix Phase 2 rekeying, by various authors"

I don't know whether this is in line with your statement above.

So it seems not to be completely fixed. The homepage has not been updated in the
last 7 years.
 
> BTW, have you tried more actively developed VPN software like strongswan
> (it has a networkmanager plugin) or even ipsec-tools instead of vpnc, to
> see if you're getting the same problem?  I think that they should work
> with Cisco VPN gateways, although it may be fiddly to set them up.

I can find only ebuilds of (networkmanager-)openswan in the official tree.
strongswan is in the stable tree but not the networkmanager plugin.
I tried the one from the zugaina overlay (v. 1.3.0) but it seems to be missing the
dependency on libgnomeui. I do not have gnome installed (and don't intend to
do so). My desktop is a KDE one.

Does anyone have an ebuild/package not requiring gnome?

regards
  Petric


* Re: [gentoo-user] Networkmanager VPNC key timeout
From: Mick @ 2015-03-02 23:00 UTC
  To: gentoo-user

On Monday 02 Mar 2015 22:13:05 Petric Frank wrote:
> Hello,
> 
> On Monday, 2 March 2015, 21:01:48 Mick wrote:

> The homepage on vpnc in chapter TODO tells:
>   "phase2-rekeying is now supported as of svn revision 126!"
> 
> Changelog states for 0.5.2:
>   "Fix Phase 2 rekeying, by various authors"
> 
> I don't know whether this is along your statement above.
> 
> So it seems not to be completely fixed. The homepage is not updated the
> last 7 years.

OK, then yes, it has been fixed and your problem is not related to that old 
bug, but could it be a more recent regression?


> > BTW, have you tried more actively developed VPN software like strongswan
> > (it has a networkmanager plugin) or even ipsec-tools instead of vpnc, to
> > see if you're getting the same problem?  I think that they should work
> > with Cisco VPN gateways, although it may be fiddly to set them up.
> 
> I can find only ebuilds of (networkmanager-)openswan in the official tree.

No, this is only good for the SSL VPN solution of Cisco.


> strongswan is in the stable tree but not the networkmanager plugin.

Are you sure?  This is what I see here for strongswan-5.2.2

[+caps +constraints curl debug dhcp eap farp gcrypt +gmp ldap mysql 
networkmanager 
^^^^^^^^^^^^^^
+non-root +openssl pam pkcs11 sqlite strongswan_plugins_blowfish 
strongswan_plugins_ccm strongswan_plugins_ctr strongswan_plugins_gcm 
strongswan_plugins_ha strongswan_plugins_ipseckey +strongswan_plugins_led 
+strongswan_plugins_lookip strongswan_plugins_ntru strongswan_plugins_padlock 
strongswan_plugins_rdrand +strongswan_plugins_systime-fix 
strongswan_plugins_unbound +strongswan_plugins_unity +strongswan_plugins_vici 
strongswan_plugins_whitelist]

The latest version 5.2.2 has a bug with some IKEv1 implementations.  There is 
a patch proposed which works and will be included in the next version 5.2.3 
when released.  If your VPN server is affected then you'll have to apply the 
patch yourself in a local overlay:

https://bugs.launchpad.net/ubuntu/+source/vpnc/+bug/479632

-- 
Regards,
Mick


* Re: [gentoo-user] Networkmanager VPNC key timeout
From: Petric Frank @ 2015-03-03 19:52 UTC
  To: gentoo-user

Hello Mick,

On Tuesday, 3 March 2015, 00:00:17 Mick wrote:
> > The homepage on vpnc in chapter TODO tells:
> >   "phase2-rekeying is now supported as of svn revision 126!"
> > 
> > Changelog states for 0.5.2:
> >   "Fix Phase 2 rekeying, by various authors"
> > 
> > I don't know whether this is along your statement above.
> > 
> > So it seems not to be completely fixed. The homepage is not updated the
> > last 7 years.
> 
> OK, then yes, it has been fixed and your problem is not related to that old
> bug, but could it be a more recent regression?

Maybe.
 
> > > BTW, have you tried more actively developed VPN software like
> > > strongswan (it has a networkmanager plugin) or even ipsec-tools
> > > instead of vpnc, to see if you're getting the same problem?  I think
> > > that they should work with Cisco VPN gateways, although it may be
> > > fiddly to set them up.
> > 
> > I can find only ebuilds of (networkmanager-)openswan in the official
> > tree.
> 
> No, this is only good for the SSL VPN solution of Cisco.

Good to know.

> > strongswan is in the stable tree but not the networkmanager plugin.
> 
> Are you sure?  This is what I see here for strongswan-5.2.2
>
> [+caps +constraints curl debug dhcp eap farp gcrypt +gmp ldap mysql
> networkmanager
> ^^^^^^^^^^^^^^
> +non-root +openssl pam pkcs11 sqlite strongswan_plugins_blowfish
> strongswan_plugins_ccm strongswan_plugins_ctr strongswan_plugins_gcm
> strongswan_plugins_ha strongswan_plugins_ipseckey +strongswan_plugins_led
> +strongswan_plugins_lookip strongswan_plugins_ntru
> strongswan_plugins_padlock strongswan_plugins_rdrand
> +strongswan_plugins_systime-fix
> strongswan_plugins_unbound +strongswan_plugins_unity
> +strongswan_plugins_vici strongswan_plugins_whitelist]

True, strongswan is in tree, but not networkmanager-strongswan (NetworkManager 
plugin).
 
> The latest version 5.2.2 has a bug with some IKEv1 implementations.  There
> is a patch proposed which works and will be included in the next version
> 5.2.3 when released.  If your VPN server is affected then you'll have to
> apply the patch yourself in a local overlay:
> 
> https://bugs.launchpad.net/ubuntu/+source/vpnc/+bug/479632

Stable strongswan is already compiled and installed on my system. Do I have to 
enable any of the "strongswan_plugins_*" USE flags here?

But it could take some days (because of my business job).

regards
  Petric



* Re: [gentoo-user] Networkmanager VPNC key timeout
From: Mick @ 2015-03-03 22:56 UTC
  To: gentoo-user

On Tuesday 03 Mar 2015 19:52:14 Petric Frank wrote:
> Hello Mick,
> 
> On Tuesday, 3 March 2015, 00:00:17 Mick wrote:
> > > The homepage on vpnc in chapter TODO tells:
> > >   "phase2-rekeying is now supported as of svn revision 126!"
> > > 
> > > Changelog states for 0.5.2:
> > >   "Fix Phase 2 rekeying, by various authors"
> > > 
> > > I don't know whether this is along your statement above.
> > > 
> > > So it seems not to be completely fixed. The homepage is not updated the
> > > last 7 years.
> > 
> > OK, then yes, it has been fixed and your problem is not related to that
> > old bug, but could it be a more recent regression?
> 
> Maybe.
> 
> > > > BTW, have you tried more actively developed VPN software like
> > > > strongswan (it has a networkmanager plugin) or even ipsec-tools
> > > > instead of vpnc, to see if you're getting the same problem?  I think
> > > > that they should work with Cisco VPN gateways, although it may be
> > > > fiddly to set them up.
> > > 
> > > I can find only ebuilds of (networkmanager-)openswan in the official
> > > tree.
> > 
> > No, this is only good for the SSL VPN solution of Cisco.
> 
> Good to know.

I beg your pardon, I typed too fast.  I was referring to net-misc/openconnect, 
which is an alternative client for Cisco AnyConnect SSL VPN.  The net-
misc/openswan package is hard masked because of the security bug #499870.  You 
could try net-misc/libreswan instead, a fork of openswan.  It may just work 
with the net-misc/networkmanager-openswan plugin.


> > > strongswan is in the stable tree but not the networkmanager plugin.
> > 
> > Are you sure?  This is what I see here for strongswan-5.2.2
> > 
> > [+caps +constraints curl debug dhcp eap farp gcrypt +gmp ldap mysql
> > networkmanager
> > ^^^^^^^^^^^^^^
> > +non-root +openssl pam pkcs11 sqlite strongswan_plugins_blowfish
> > strongswan_plugins_ccm strongswan_plugins_ctr strongswan_plugins_gcm
> > strongswan_plugins_ha strongswan_plugins_ipseckey +strongswan_plugins_led
> > +strongswan_plugins_lookip strongswan_plugins_ntru
> > strongswan_plugins_padlock strongswan_plugins_rdrand
> > +strongswan_plugins_systime-fix
> > strongswan_plugins_unbound +strongswan_plugins_unity
> > +strongswan_plugins_vici strongswan_plugins_whitelist]
> 
> True, strongswan is in tree, but not networkmanager-strongswan
> (NetworkManager plugin).

My understanding is that as long as you enable the networkmanager plugin in 
the strongswan package, it will interoperate with the networkmanager front end 
- but I have not tried it.  Reading now the relevant webpage it says that it 
is *only* available for IKEv2 - so probably not good for your use case.

https://wiki.strongswan.org/projects/strongswan/wiki/NetworkManager


> > The latest version 5.2.2 has a bug with some IKEv1 implementations. 
> > There is a patch proposed which works and will be included in the next
> > version 5.2.3 when released.  If your VPN server is affected then you'll
> > have to apply the patch yourself in a local overlay:
> > 
> > https://bugs.launchpad.net/ubuntu/+source/vpnc/+bug/479632
> 
> Stable strongswan is already compiled and installed on my system. Do I have to
> enable any of the "strongswan_plugins_*" USE flags here?

Since its networkmanager plugin is only useful for IKEv2 I don't think it 
would make any odds.  You can enable it anyway and initially try it from the 
command line (/etc/init.d/ipsec start) to see if it works with the Cisco VPN 
gateway.  If it does, then try it with the networkmanager front end, but I 
don't expect this to work.  If a GUI is a must for you, libreswan with the 
net-misc/networkmanager-openswan plugin may be a better bet.

-- 
Regards,
Mick

