Hello,

 

On Monday, 2 March 2015, 21:01:48, Mick wrote:

> On Monday 02 Mar 2015 18:07:45 Petric Frank wrote:

> > Hello,

> >

> > this is not a Gentoo problem per se, but I'm getting it under Gentoo.

> >

> > Running KDE + Networkmanager

> > (net-misc/networkmanager-0.9.10.1_pre20141101) together with vpnc plugin

> > (net-misc/networkmanager-vpnc-0.9.10.0).

> >

> > I have set up a VPN connection to an AVM FritzBox (which is using - as far

> > as I can evaluate - a Cisco like IPSec tunnel).

> >

> > This is running very well, but after exactly 1 hour the connection is

> > dropped. I can reconnect, but it also lasts 1 hour.

> >

> > After some crawling through the net it seems that a key validity runs out of

> > time at the client side. It looks like this one

> >

> > https://bugs.launchpad.net/ubuntu/+source/vpnc/+bug/479632

> >

> > The nmcli output for this connection reads like this (some obfuscated):

> > ------------------------ cut -----------------------------

> > =========================================================================

> > Details des Verbindungsprofils (XX)

> > =========================================================================

> > connection.id: XX

> > connection.uuid: 11111111111111-2222-33333333333333333

> > connection.interface-name: --

> > connection.type: vpn

> > connection.autoconnect: no

> > connection.timestamp: 1425319416

> > connection.read-only: no

> > connection.permissions:

> > connection.zone:

> > connection.master: --

> > connection.slave-type: --

> > connection.secondaries:

> > connection.gateway-ping-timeout: 0

> > -------------------------------------------------------------------------

> > ipv4.method: auto

> > ipv4.dns:

> > ipv4.dns-search:

> > ipv4.addresses:

> > ipv4.routes:

> > ipv4.ignore-auto-routes: yes

> > ipv4.ignore-auto-dns: no

> > ipv4.dhcp-client-id: --

> > ipv4.dhcp-send-hostname: yes

> > ipv4.dhcp-hostname: --

> > ipv4.never-default: yes

> > ipv4.may-fail: no

> > -------------------------------------------------------------------------

> > ipv6.method: ignore

> > ipv6.dns:

> > ipv6.dns-search:

> > ipv6.addresses:

> > ipv6.routes:

> > ipv6.ignore-auto-routes: no

> > ipv6.ignore-auto-dns: no

> > ipv6.never-default: no

> > ipv6.may-fail: yes

> > ipv6.ip6-privacy: 0 (deaktiviert)

> > ipv6.dhcp-hostname: --

> > -------------------------------------------------------------------------

> > vpn.service-type: org.freedesktop.NetworkManager.vpnc

> > vpn.user-name: --

> > vpn.data: Local Port = 0, IKE DH Group = dh2, Perfect Forward Secrecy = server, Xauth password-flags = 1, IPSec ID = user@host.loc, IPSec gateway = open.nsupdate.info, Xauth username = user@host.loc, Cisco UDP Encapsulation Port = 0, Vendor = cisco, IPSec secret-flags = 1, NAT Traversal Mode = natt

> > vpn.secrets:

> >

> > ------------------------ cut -----------------------------

> >

> > Any hints?

> >

> > regards

> >

> > Petric

>

> Going from memory here, but I recall that the VPNC client had problems

> rekeying SAs in Phase 2. I seem to recall there was a bug but can't recall

> if it was ever patched.

>

> Yep - see here, a regression problem with version net-misc/vpnc-0.5.3:

>

> http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-July/003127.html

>

> I see that portage has 0.5.3_p527-r1 as stable, but I don't know if this

> includes any necessary patches. You could check the changelog.

 

The vpnc homepage says in its TODO chapter:

"phase2-rekeying is now supported as of svn revision 126!"

 

Changelog states for 0.5.2:

"Fix Phase 2 rekeying, by various authors"

 

I don't know whether this is along your statement above.

 

So it seems not to be completely fixed. The homepage has not been updated in the last 7 years.

> BTW, have you tried more actively developed VPN software like strongswan

> (it has a networkmanager plugin) or even ipsec-tools instead of vpnc, to

> see if you're getting the same problem? I think that they should work

> with Cisco VPN gateways, although it may be fiddly to set them up.

 

I can find only ebuilds of (networkmanager-)openswan in the official tree.

strongswan is in the stable tree but not the networkmanager plugin.

I tried the one from the zugaina overlay (v. 1.3.0) but it seems to miss the dependency on libgnomeui. I do not have gnome installed (and don't intend to do so). My desktop is a KDE one.

 

Does anyone have an ebuild/package not requiring gnome?

 

regards

Petric