* [gentoo-user] Networkmanager VPNC key timeout
From: Petric Frank @ 2015-03-02 18:07 UTC
To: gentoo-user
Hello,
this is not a Gentoo problem per se, but I'm getting it under Gentoo.
Running KDE + Networkmanager (net-misc/networkmanager-0.9.10.1_pre20141101)
together with vpnc plugin (net-misc/networkmanager-vpnc-0.9.10.0).
I have set up a VPN connection to an AVM FritzBox (which is using - as far as I
can evaluate - a Cisco like IPSec tunnel).
This is running very well, but after exactly 1 hour the connection is dropped.
I can reconnect, but it also lasts 1 hour.
After some crawling through the net it seems that a key validity runs out of time
at the client side. It looks like this one
https://bugs.launchpad.net/ubuntu/+source/vpnc/+bug/479632
The nmcli output for this connection reads like this (some obfuscated):
------------------------ cut -----------------------------
===============================================================================
Connection profile details (XX)
===============================================================================
connection.id: XX
connection.uuid: 11111111111111-2222-33333333333333333
connection.interface-name: --
connection.type: vpn
connection.autoconnect: no
connection.timestamp: 1425319416
connection.read-only: no
connection.permissions:
connection.zone:
connection.master: --
connection.slave-type: --
connection.secondaries:
connection.gateway-ping-timeout: 0
-------------------------------------------------------------------------------
ipv4.method: auto
ipv4.dns:
ipv4.dns-search:
ipv4.addresses:
ipv4.routes:
ipv4.ignore-auto-routes: yes
ipv4.ignore-auto-dns: no
ipv4.dhcp-client-id: --
ipv4.dhcp-send-hostname: yes
ipv4.dhcp-hostname: --
ipv4.never-default: yes
ipv4.may-fail: no
-------------------------------------------------------------------------------
ipv6.method: ignore
ipv6.dns:
ipv6.dns-search:
ipv6.addresses:
ipv6.routes:
ipv6.ignore-auto-routes: no
ipv6.ignore-auto-dns: no
ipv6.never-default: no
ipv6.may-fail: yes
ipv6.ip6-privacy: 0 (disabled)
ipv6.dhcp-hostname: --
-------------------------------------------------------------------------------
vpn.service-type: org.freedesktop.NetworkManager.vpnc
vpn.user-name: --
vpn.data: Local Port = 0, IKE DH Group = dh2, Perfect Forward Secrecy = server,
Xauth password-flags = 1, IPSec ID = user@host.loc, IPSec gateway = open.nsupdate.info,
Xauth username = user@host.loc, Cisco UDP Encapsulation Port = 0, Vendor = cisco,
IPSec secret-flags = 1, NAT Traversal Mode = natt
vpn.secrets:
------------------------ cut -----------------------------
Any hints?
regards
Petric
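Added example, not code from the thread or from the vpnc/NetworkManager projects: a POSIX shell helper that turns the `vpn.data` line of the profile above into a vpnc.conf, so the same connection can be brought up with vpnc in the foreground, outside NetworkManager, and watched across the 3600 s mark. The sample input is the obfuscated vpn.data from the post, joined to one line, and is labelled as constructed. It assumes that `nmcli` prints `vpn.data` as comma-separated `key = value` pairs (as shown above, and in terse mode prefixed with `vpn.data:`), that vpnc accepts `--no-detach` and `--debug <level>`, and that the `*-flags` entries are NetworkManager's secret-storage flags rather than vpnc options. The secrets themselves (IPSec secret, Xauth password) are not part of vpn.data, so vpnc prompts for them and nothing sensitive is written to the file.

```shell
#!/bin/sh
# Added example: convert NetworkManager's "vpn.data" string into a vpnc.conf.
# Not code from the thread or from the vpnc/NetworkManager projects.

# Constructed sample: the obfuscated vpn.data from the post, joined to one line.
SAMPLE_VPN_DATA='Local Port = 0, IKE DH Group = dh2, Perfect Forward Secrecy = server, Xauth password-flags = 1, IPSec ID = user@host.loc, IPSec gateway = open.nsupdate.info, Xauth username = user@host.loc, Cisco UDP Encapsulation Port = 0, Vendor = cisco, IPSec secret-flags = 1, NAT Traversal Mode = natt'

# Print vpnc.conf lines ("Key value", one per line) for the given vpn.data string.
# The "*-flags" entries are NetworkManager's secret-storage flags, not vpnc
# options, so they are dropped. Values are assumed not to contain commas.
nm_vpndata_to_vpnc_conf() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -F' = ' '
        NF >= 2 {
            key = $1; sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key)
            val = $2; sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (key ~ /-flags$/) next
            print key " " val
        }'
}

# Write the configuration owner-readable only. vpnc prompts for the group
# secret and the Xauth password, so nothing sensitive lands in the file, but a
# config naming gateway, group and user should still not be world-readable.
write_vpnc_conf() {
    conf="$1"; data="$2"
    ( umask 077; nm_vpndata_to_vpnc_conf "$data" > "$conf" )
    chmod 600 "$conf"
}

# Usage (assumed nmcli/vpnc invocations; disconnect the profile in
# NetworkManager first so the two clients do not fight over the tunnel):
#   write_vpnc_conf /etc/vpnc/fritzbox.conf \
#       "$(nmcli -t -f vpn.data connection show XX | sed 's/^vpn.data://')"
#   date; vpnc --no-detach --debug 2 /etc/vpnc/fritzbox.conf
# With the tunnel up in the foreground, a drop at 3600 s with no quick-mode
# (Phase 2) rekey logged shortly before it points at the IPsec SA lifetime
# expiring unrenewed on the client; a rekey that is attempted and rejected
# points at the gateway instead.
nm_vpndata_to_vpnc_conf "$SAMPLE_VPN_DATA"
```

Running the block prints the nine vpnc.conf lines derived from the sample; the two `*-flags` entries are omitted and no password line is emitted.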
* Re: [gentoo-user] Networkmanager VPNC key timeout
From: Mick @ 2015-03-02 20:01 UTC
To: gentoo-user
On Monday 02 Mar 2015 18:07:45 Petric Frank wrote:
> Hello,
>
> this is not a Gentoo problem per se, but I'm getting it under Gentoo.
>
> Running KDE + Networkmanager
> (net-misc/networkmanager-0.9.10.1_pre20141101) together with vpnc plugin
> (net-misc/networkmanager-vpnc-0.9.10.0).
>
> I have set up a VPN connection to an AVM FritzBox (which is using - as far
> as I can evaluate - a Cisco like IPSec tunnel).
>
> This is running very well, but after exactly 1 hour the connection is
> dropped. I can reconnect, but it also lasts 1 hour.
>
> After some crawling through the net it seems that a key validity runs out of
> time at the client side. It looks like this one
> https://bugs.launchpad.net/ubuntu/+source/vpnc/+bug/479632
>
> The nmcli output for this connection reads like this (some obfuscated):
> ------------------------ cut -----------------------------
> ===============================================================================
> Connection profile details (XX)
> ===============================================================================
> connection.id: XX
> connection.uuid: 11111111111111-2222-33333333333333333
> connection.interface-name: --
> connection.type: vpn
> connection.autoconnect: no
> connection.timestamp: 1425319416
> connection.read-only: no
> connection.permissions:
> connection.zone:
> connection.master: --
> connection.slave-type: --
> connection.secondaries:
> connection.gateway-ping-timeout: 0
> -------------------------------------------------------------------------------
> ipv4.method: auto
> ipv4.dns:
> ipv4.dns-search:
> ipv4.addresses:
> ipv4.routes:
> ipv4.ignore-auto-routes: yes
> ipv4.ignore-auto-dns: no
> ipv4.dhcp-client-id: --
> ipv4.dhcp-send-hostname: yes
> ipv4.dhcp-hostname: --
> ipv4.never-default: yes
> ipv4.may-fail: no
> -------------------------------------------------------------------------------
> ipv6.method: ignore
> ipv6.dns:
> ipv6.dns-search:
> ipv6.addresses:
> ipv6.routes:
> ipv6.ignore-auto-routes: no
> ipv6.ignore-auto-dns: no
> ipv6.never-default: no
> ipv6.may-fail: yes
> ipv6.ip6-privacy: 0 (disabled)
> ipv6.dhcp-hostname: --
> -------------------------------------------------------------------------------
> vpn.service-type: org.freedesktop.NetworkManager.vpnc
> vpn.user-name: --
> vpn.data: Local Port = 0, IKE DH Group = dh2, Perfect Forward Secrecy = server,
> Xauth password-flags = 1, IPSec ID = user@host.loc, IPSec gateway = open.nsupdate.info,
> Xauth username = user@host.loc, Cisco UDP Encapsulation Port = 0, Vendor = cisco,
> IPSec secret-flags = 1, NAT Traversal Mode = natt
> vpn.secrets:
>
> ------------------------ cut -----------------------------
>
> Any hints?
>
> regards
> Petric
Going from memory here, but I recall that the VPNC client had problems
rekeying SAs in Phase 2. I seem to recall there was a bug but can't recall if
it was ever patched.
Yep - see here, a regression problem with version net-misc/vpnc-0.5.3:
http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-July/003127.html
I see that portage has 0.5.3_p527-r1 as stable, but I don't know if this
includes any necessary patches. You could check the changelog.
BTW, have you tried more actively developed VPN software like strongswan (it
has a networkmanager plugin) or even ipsec-tools instead of vpnc, to see if
you're getting the same problem? I think that they should work with Cisco VPN
gateways, although it may be fiddly to set them up.
--
Regards,
Mick
* Re: [gentoo-user] Networkmanager VPNC key timeout
From: Petric Frank @ 2015-03-02 22:13 UTC
To: gentoo-user
Hello,
On Monday, 2 March 2015, 21:01:48 Mick wrote:
> On Monday 02 Mar 2015 18:07:45 Petric Frank wrote:
> > Hello,
> >
> > this is not a Gentoo problem per se, but I'm getting it under Gentoo.
> >
> > Running KDE + Networkmanager
> > (net-misc/networkmanager-0.9.10.1_pre20141101) together with vpnc plugin
> > (net-misc/networkmanager-vpnc-0.9.10.0).
> >
> > I have set up a VPN connection to an AVM FritzBox (which is using - as far
> > as I can evaluate - a Cisco like IPSec tunnel).
> >
> > This is running very well, but after exactly 1 hour the connection is
> > dropped. I can reconnect, but it also lasts 1 hour.
> >
> > After some crawling through the net it seems that a key validity runs out of
> > time at the client side. It looks like this one
> >
> > https://bugs.launchpad.net/ubuntu/+source/vpnc/+bug/479632
> >
> > The nmcli output for this connection reads like this (some obfuscated):
> > ------------------------ cut -----------------------------
> > ===============================================================================
> > Connection profile details (XX)
> > ===============================================================================
> > connection.id: XX
> > connection.uuid: 11111111111111-2222-33333333333333333
> > connection.interface-name: --
> >
> > connection.type: vpn
> > connection.autoconnect: no
> > connection.timestamp: 1425319416
> > connection.read-only: no
> > connection.permissions:
> > connection.zone:
> > connection.master: --
> > connection.slave-type: --
> > connection.secondaries:
> > connection.gateway-ping-timeout: 0
> > -------------------------------------------------------------------------------
> > ipv4.method: auto
> > ipv4.dns:
> > ipv4.dns-search:
> > ipv4.addresses:
> > ipv4.routes:
> > ipv4.ignore-auto-routes: yes
> > ipv4.ignore-auto-dns: no
> > ipv4.dhcp-client-id: --
> > ipv4.dhcp-send-hostname: yes
> > ipv4.dhcp-hostname: --
> > ipv4.never-default: yes
> > ipv4.may-fail: no
> > -------------------------------------------------------------------------------
> > ipv6.method: ignore
> > ipv6.dns:
> > ipv6.dns-search:
> > ipv6.addresses:
> > ipv6.routes:
> > ipv6.ignore-auto-routes: no
> > ipv6.ignore-auto-dns: no
> > ipv6.never-default: no
> > ipv6.may-fail: yes
> > ipv6.ip6-privacy: 0 (disabled)
> > ipv6.dhcp-hostname: --
> > -------------------------------------------------------------------------------
> > vpn.service-type: org.freedesktop.NetworkManager.vpnc
> > vpn.user-name: --
> > vpn.data: Local Port = 0, IKE DH Group = dh2, Perfect Forward Secrecy = server,
> > Xauth password-flags = 1, IPSec ID = user@host.loc, IPSec gateway = open.nsupdate.info,
> > Xauth username = user@host.loc, Cisco UDP Encapsulation Port = 0, Vendor = cisco,
> > IPSec secret-flags = 1, NAT Traversal Mode = natt
> > vpn.secrets:
> >
> > ------------------------ cut -----------------------------
> >
> > Any hints?
> >
> > regards
> >
> > Petric
>
> Going from memory here, but I recall that the VPNC client had problems
> rekeying SAs in Phase 2. I seem to recall there was a bug but can't recall
> if it was ever patched.
>
> Yep - see here, a regression problem with version net-misc/vpnc-0.5.3:
>
> http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-July/003127.html
>
> I see that portage has 0.5.3_p527-r1 as stable, but I don't know if this
> includes any necessary patches. You could check the changelog.
The vpnc homepage says in its TODO chapter:
"phase2-rekeying is now supported as of svn revision 126!"
The Changelog states for 0.5.2:
"Fix Phase 2 rekeying, by various authors"
I don't know whether this is in line with your statement above.
So it seems not to be completely fixed. The homepage has not been updated in the
last 7 years.
> BTW, have you tried more actively developed VPN software like strongswan
> (it has a networkmanager plugin) or even ipsec-tools instead of vpnc, to
> see if you're getting the same problem? I think that they should work
> with Cisco VPN gateways, although it may be fiddly to set them up.
I can find only ebuilds of (networkmanager-)openswan in the official tree.
strongswan is in the stable tree but not the networkmanager plugin.
I tried the one from the zugaina overlay (v. 1.3.0) but it seems to miss the
dependency on libgnomeui. I do not have gnome installed (and don't intend to
do so). My desktop is a KDE one.
Does anyone have an ebuild/package not requiring gnome?
regards
Petric
* Re: [gentoo-user] Networkmanager VPNC key timeout
From: Mick @ 2015-03-02 23:00 UTC
To: gentoo-user
On Monday 02 Mar 2015 22:13:05 Petric Frank wrote:
> Hello,
>
> On Monday, 2 March 2015, 21:01:48 Mick wrote:
> The vpnc homepage says in its TODO chapter:
> "phase2-rekeying is now supported as of svn revision 126!"
>
> The Changelog states for 0.5.2:
> "Fix Phase 2 rekeying, by various authors"
>
> I don't know whether this is in line with your statement above.
>
> So it seems not to be completely fixed. The homepage has not been updated in
> the last 7 years.
OK, then yes, it has been fixed and your problem is not related to that old
bug, but could it be a more recent regression?
> > BTW, have you tried more actively developed VPN software like strongswan
> > (it has a networkmanager plugin) or even ipsec-tools instead of vpnc, to
> > see if you're getting the same problem? I think that they should work
> > with Cisco VPN gateways, although it may be fiddly to set them up.
>
> i can find only ebuilds of (networkmanager-)openswan in the official tree.
No, this is only good for the SSL VPN solution of Cisco.
> strongswan is in the stable tree but not the networkmanager plugin.
Are you sure? This is what I see here for strongswan-5.2.2
[+caps +constraints curl debug dhcp eap farp gcrypt +gmp ldap mysql
networkmanager
^^^^^^^^^^^^^^
+non-root +openssl pam pkcs11 sqlite strongswan_plugins_blowfish
strongswan_plugins_ccm strongswan_plugins_ctr strongswan_plugins_gcm
strongswan_plugins_ha strongswan_plugins_ipseckey +strongswan_plugins_led
+strongswan_plugins_lookip strongswan_plugins_ntru strongswan_plugins_padlock
strongswan_plugins_rdrand +strongswan_plugins_systime-fix
strongswan_plugins_unbound +strongswan_plugins_unity +strongswan_plugins_vici
strongswan_plugins_whitelist]
The latest version 5.2.2 has a bug with some IKEv1 implementations. There is
a patch proposed which works and will be included in the next version 5.2.3
when released. If your VPN server is affected then you'll have to apply the
patch yourself in a local overlay:
https://bugs.launchpad.net/ubuntu/+source/vpnc/+bug/479632
--
Regards,
Mick
* Re: [gentoo-user] Networkmanager VPNC key timeout
From: Petric Frank @ 2015-03-03 19:52 UTC
To: gentoo-user
Hello Mick,
On Tuesday, 3 March 2015, 00:00:17 Mick wrote:
> > The vpnc homepage says in its TODO chapter:
> > "phase2-rekeying is now supported as of svn revision 126!"
> >
> > The Changelog states for 0.5.2:
> > "Fix Phase 2 rekeying, by various authors"
> >
> > I don't know whether this is in line with your statement above.
> >
> > So it seems not to be completely fixed. The homepage has not been updated in
> > the last 7 years.
>
> OK, then yes, it has been fixed and your problem is not related to that old
> bug, but could it be a more recent regression?
maybe.
> > > BTW, have you tried more actively developed VPN software like
> > > strongswan (it has a networkmanager plugin) or even ipsec-tools
> > > instead of vpnc, to see if you're getting the same problem? I think
> > > that they should work with Cisco VPN gateways, although it may be
> > > fiddly to set them up.
> >
> > i can find only ebuilds of (networkmanager-)openswan in the official
> > tree.
>
> No, this is only good for the SSL VPN solution of Cisco.
good to know.
> > strongswan is in the stable tree but not the networkmanager plugin.
>
> Are you sure? This is what I see here for strongswan-5.2.2
>
> [+caps +constraints curl debug dhcp eap farp gcrypt +gmp ldap mysql
> networkmanager
> ^^^^^^^^^^^^^^
> +non-root +openssl pam pkcs11 sqlite strongswan_plugins_blowfish
> strongswan_plugins_ccm strongswan_plugins_ctr strongswan_plugins_gcm
> strongswan_plugins_ha strongswan_plugins_ipseckey +strongswan_plugins_led
> +strongswan_plugins_lookip strongswan_plugins_ntru
> strongswan_plugins_padlock strongswan_plugins_rdrand
> +strongswan_plugins_systime-fix
> strongswan_plugins_unbound +strongswan_plugins_unity
> +strongswan_plugins_vici strongswan_plugins_whitelist]
True, strongswan is in tree, but not networkmanager-strongswan (NetworkManager
plugin).
> The latest version 5.2.2 has a bug with some IKEv1 implementations. There
> is a patch proposed which works and will be included in the next version
> 5.2.3 when released. If your VPN server is affected then you'll have to
> apply the patch yourself in a local overlay:
>
> https://bugs.launchpad.net/ubuntu/+source/vpnc/+bug/479632
Stable strongswan is already compiled and installed on my system. Do I have to
enable any of the "strongswan_plugins_*" USE flags here?
But it could take some days (because of my business job).
regards
Petric
* Re: [gentoo-user] Networkmanager VPNC key timeout
From: Mick @ 2015-03-03 22:56 UTC
To: gentoo-user
On Tuesday 03 Mar 2015 19:52:14 Petric Frank wrote:
> Hello Mick,
>
> On Tuesday, 3 March 2015, 00:00:17 Mick wrote:
> > > The vpnc homepage says in its TODO chapter:
> > > "phase2-rekeying is now supported as of svn revision 126!"
> > >
> > > The Changelog states for 0.5.2:
> > > "Fix Phase 2 rekeying, by various authors"
> > >
> > > I don't know whether this is in line with your statement above.
> > >
> > > So it seems not to be completely fixed. The homepage has not been updated in
> > > the last 7 years.
> >
> > OK, then yes, it has been fixed and your problem is not related to that
> > old bug, but could it be a more recent regression?
>
> maybe.
>
> > > > BTW, have you tried more actively developed VPN software like
> > > > strongswan (it has a networkmanager plugin) or even ipsec-tools
> > > > instead of vpnc, to see if you're getting the same problem? I think
> > > > that they should work with Cisco VPN gateways, although it may be
> > > > fiddly to set them up.
> > >
> > > i can find only ebuilds of (networkmanager-)openswan in the official
> > > tree.
> >
> > No, this is only good for the SSL VPN solution of Cisco.
>
> good to know.
I beg your pardon, I typed too fast. I was referring to net-misc/openconnect,
which is an alternative client for Cisco AnyConnect SSL VPN. The
net-misc/openswan package is hard masked because of the security bug #499870. You
could try net-misc/libreswan instead, a fork of openswan. It may just work
with the net-misc/networkmanager-openswan plugin.
> > > strongswan is in the stable tree but not the networkmanager plugin.
> >
> > Are you sure? This is what I see here for strongswan-5.2.2
> >
> > [+caps +constraints curl debug dhcp eap farp gcrypt +gmp ldap mysql
> > networkmanager
> > ^^^^^^^^^^^^^^
> > +non-root +openssl pam pkcs11 sqlite strongswan_plugins_blowfish
> > strongswan_plugins_ccm strongswan_plugins_ctr strongswan_plugins_gcm
> > strongswan_plugins_ha strongswan_plugins_ipseckey +strongswan_plugins_led
> > +strongswan_plugins_lookip strongswan_plugins_ntru
> > strongswan_plugins_padlock strongswan_plugins_rdrand
> > +strongswan_plugins_systime-fix
> > strongswan_plugins_unbound +strongswan_plugins_unity
> > +strongswan_plugins_vici strongswan_plugins_whitelist]
>
> True, strongswan is in tree, but not networkmanager-strongswan
> (NetworkManager plugin).
My understanding is that as long as you enable the networkmanager plugin in
the strongswan package, it will interoperate with the networkmanager front end
- but I have not tried it. Reading now the relevant webpage it says that it
is *only* available for IKEv2 - so probably not good for your use case.
https://wiki.strongswan.org/projects/strongswan/wiki/NetworkManager
> > The latest version 5.2.2 has a bug with some IKEv1 implementations.
> > There is a patch proposed which works and will be included in the next
> > version 5.2.3 when released. If your VPN server is affected then you'll
> > have to apply the patch yourself in a local overlay:
> >
> > https://bugs.launchpad.net/ubuntu/+source/vpnc/+bug/479632
>
> Stable strongswan is already compiled and installed on my system. Do I have
> to enable any of the "strongswan_plugins_*" USE flags here?
Since its networkmanager plugin is only useful for IKEv2 I don't think it
would make any odds. You can enable it anyway and initially try it from the
command line (/etc/init.d/ipsec start) to see if it works with the Cisco VPN
gateway. If it does, then try it with the networkmanager front end, but I
don't expect this to work. If a GUI is a must for you, libreswan with the
net-misc/networkmanager-openswan plugin may be a better bet.
--
Regards,
Mick