From: Petric Frank
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Networkmanager VPNC key timeout
Date: Mon, 2 Mar 2015 23:13:05 +0100
In-Reply-To: <201503022001.58511.michaelkintzios@gmail.com>
Message-Id: <201503022313.05400.pfrank@gmx.de>
Hello,

On Monday, 2 March 2015, 21:01:48 Mick wrote:
> On Monday 02 Mar 2015 18:07:45 Petric Frank wrote:
> > Hello,
> >
> > This is not a Gentoo problem per se, but I'm getting it under Gentoo.
> >
> > Running KDE + Networkmanager
> > (net-misc/networkmanager-0.9.10.1_pre20141101) together with vpnc plugin
> > (net-misc/networkmanager-vpnc-0.9.10.0).
> >
> > I have set up a VPN connection to an AVM FritzBox (which is using - as far
> > as I can evaluate - a Cisco-like IPSec tunnel).
> >
> > This is running very well, but after exactly 1 hour the connection is
> > dropped. I can reconnect, but it also lasts 1 hour.
> >
> > After some crawling through the net it seems that a key validity runs out of
> > time at the client side. It looks like this one:
> >
> > https://bugs.launchpad.net/ubuntu/+source/vpnc/+bug/479632
> >
> > The nmcli output for this connection reads like this (some obfuscated):
> > ------------------------ cut -----------------------------
> > ===============================================================================
> > Details des Verbindungsprofils (XX)
> > ===============================================================================
> > connection.id: XX
> > connection.uuid: 11111111111111-2222-33333333333333333
> > connection.interface-name: --
> > connection.type: vpn
> > connection.autoconnect: no
> > connection.timestamp: 1425319416
> > connection.read-only: no
> > connection.permissions:
> > connection.zone:
> > connection.master: --
> > connection.slave-type: --
> > connection.secondaries:
> > connection.gateway-ping-timeout: 0
> > -------------------------------------------------------------------------------
> > ipv4.method: auto
> > ipv4.dns:
> > ipv4.dns-search:
> > ipv4.addresses:
> > ipv4.routes:
> > ipv4.ignore-auto-routes: yes
> > ipv4.ignore-auto-dns: no
> > ipv4.dhcp-client-id: --
> > ipv4.dhcp-send-hostname: yes
> > ipv4.dhcp-hostname: --
> > ipv4.never-default: yes
> > ipv4.may-fail: no
> > -------------------------------------------------------------------------------
> > ipv6.method: ignore
> > ipv6.dns:
> > ipv6.dns-search:
> > ipv6.addresses:
> > ipv6.routes:
> > ipv6.ignore-auto-routes: no
> > ipv6.ignore-auto-dns: no
> > ipv6.never-default: no
> > ipv6.may-fail: yes
> > ipv6.ip6-privacy: 0 (deaktiviert)
> > ipv6.dhcp-hostname: --
> > -------------------------------------------------------------------------------
> > vpn.service-type: org.freedesktop.NetworkManager.vpnc
> > vpn.user-name: --
> > vpn.data: Local Port = 0, IKE DH Group = dh2, Perfect Forward Secrecy = server, Xauth password-flags = 1, IPSec ID = user@host.loc, IPSec gateway = open.nsupdate.info, Xauth username = user@host.loc, Cisco UDP Encapsulation Port = 0, Vendor = cisco, IPSec secret-flags = 1, NAT Traversal Mode = natt
> > vpn.secrets:
> >
> > ------------------------ cut -----------------------------
> >
> > Any hints?
> >
> > regards
> >
> > Petric
>
> Going from memory here, but I recall that the VPNC client had problems
> rekeying SAs in Phase 2. I seem to recall there was a bug but can't recall
> if it was ever patched.
>
> Yep - see here, a regression problem with version net-misc/vpnc-0.5.3:
>
> http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-July/003127.html
>
> I see that portage has 0.5.3_p527-r1 as stable, but I don't know if this
> includes any necessary patches. You could check the changelog.

The homepage on vpnc in chapter TODO says:
"phase2-rekeying is now supported as of svn revision 126!"

Changelog states for 0.5.2:
"Fix Phase 2 rekeying, by various authors"

I don't know whether this is along your statement above.

So it seems not to be completely fixed. The homepage has not been updated in the last 7 years.

> BTW, have you tried more actively developed VPN software like strongswan
> (it has a networkmanager plugin) or even ipsec-tools instead of vpnc, to
> see if you're getting the same problem? I think that they should work
> with Cisco VPN gateways, although it may be fiddly to set them up.

I can find only ebuilds of (networkmanager-)openswan in the official tree.
strongswan is in the stable tree but not the networkmanager plugin.
I tried the one from the zugaina overlay (v. 1.3.0) but it seems to miss the
dependency on libgnomeui. I do not have gnome installed (and don't intend to
do so). My desktop is a KDE one.

Does anyone have an ebuild/package not requiring gnome?

regards
Petric
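An added example, not part of the thread and not code from NetworkManager or vpnc: it pulls the vpnc settings out of a quoted nmcli dump like the one above and reports the points a reviewer would look at first (DH group size, who picks the Phase 2 PFS group, where the Xauth/IPsec secrets live). The input is a constructed excerpt using the keys from the quoted profile; the DH group sizes and NetworkManager secret-flag meanings are standard facts, not anything the thread states.

```python
import re

# Constructed excerpt modelled on the nmcli dump quoted in the thread (not real output).
SAMPLE_DUMP = """\
> > connection.type: vpn
> > vpn.service-type: org.freedesktop.NetworkManager.vpnc
> > vpn.data: Local Port = 0, IKE DH Group = dh2, Perfect Forward Secrecy = server, Xauth password-flags = 1, IPSec ID = user@host.loc, IPSec gateway = open.nsupdate.info, Xauth username = user@host.loc, Cisco UDP Encapsulation Port = 0, Vendor = cisco, IPSec secret-flags = 1, NAT Traversal Mode = natt
> > vpn.secrets:
"""

# NMSettingSecretFlags bit values from the NetworkManager API (0 = NM stores the secret).
SECRET_FLAG_NAMES = {1: "agent-owned", 2: "not-saved", 4: "not-required"}
# MODP group sizes in bits (RFC 2409 groups 1 and 2, RFC 3526 group 5).
DH_GROUP_BITS = {"dh1": 768, "dh2": 1024, "dh5": 1536}

def parse_dump(text):
    """Return {property: value} from an nmcli dump, ignoring mail '>' quoting."""
    props = {}
    for line in text.splitlines():
        line = re.sub(r"^(\s*>)+\s*", "", line)          # strip "> > " prefixes
        m = re.match(r"([\w.\-]+):\s*(.*)$", line)       # "section.key: value"
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def parse_vpn_data(value):
    """Split 'Key = val, Key2 = val2' into a dict; keys may contain spaces."""
    items = {}
    for part in value.split(","):
        if "=" in part:
            key, val = part.split("=", 1)
            items[key.strip()] = val.strip()
    return items

def audit(props):
    """Return (vpn.data dict, findings) for the settings worth a second look."""
    data = parse_vpn_data(props.get("vpn.data", ""))
    findings = []
    group = data.get("IKE DH Group")
    if group in DH_GROUP_BITS and DH_GROUP_BITS[group] < 2048:
        findings.append(f"IKE DH group {group} is only {DH_GROUP_BITS[group]}-bit MODP")
    if data.get("Perfect Forward Secrecy") == "server":
        findings.append("Phase 2 PFS group is left to whatever the gateway proposes")
    for key in ("Xauth password-flags", "IPSec secret-flags"):
        flags = int(data.get(key, "0"))
        names = [n for bit, n in SECRET_FLAG_NAMES.items() if flags & bit]
        findings.append(f"{key}: {', '.join(names) or 'stored by NetworkManager'}")
    return data, findings
```

Run `audit(parse_dump(SAMPLE_DUMP))` to see the findings for the quoted profile; feed it the output of `nmcli connection show <name>` to check your own.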
