From: Mick <michaelkintzios@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Networkmanager VPNC key timeout
Date: Tue, 3 Mar 2015 22:56:10 +0000
Message-ID: <201503032256.20253.michaelkintzios@gmail.com>
In-Reply-To: <201503032052.14508.pfrank@gmx.de>
On Tuesday 03 Mar 2015 19:52:14 Petric Frank wrote:
> Hello Mick,
>
> On Tuesday, 3 March 2015, 00:00:17, Mick wrote:
> > > The homepage on vpnc in chapter TODO tells:
> > > "phase2-rekeying is now supported as of svn revision 126!"
> > >
> > > Changelog states for 0.5.2:
> > > "Fix Phase 2 rekeying, by various authors"
> > >
> > > I don't know whether this is along your statement above.
> > >
> > > So it seems not to be completely fixed. The homepage has not been updated
> > > in the last 7 years.
> >
> > OK, then yes, it has been fixed and your problem is not related to that
> > old bug, but could it be a more recent regression?
>
> maybe.
>
> > > > BTW, have you tried more actively developed VPN software like
> > > > strongswan (it has a networkmanager plugin) or even ipsec-tools
> > > > instead of vpnc, to see if you're getting the same problem? I think
> > > > that they should work with Cisco VPN gateways, although it may be
> > > > fiddly to set them up.
> > >
> > > I can find only ebuilds of (networkmanager-)openswan in the official
> > > tree.
> >
> > No, this is only good for the SSL VPN solution of Cisco.
>
> good to know.

I beg your pardon, I typed too fast. I was referring to net-misc/openconnect,
which is an alternative client for Cisco AnyConnect SSL VPN. The
net-misc/openswan package is hard masked because of the security bug #499870.
You could try net-misc/libreswan instead, a fork of openswan. It may just work
with the net-misc/networkmanager-openswan plugin.

> > > strongswan is in the stable tree but not the networkmanager plugin.
> >
> > Are you sure? This is what I see here for strongswan-5.2.2
> >
> > [+caps +constraints curl debug dhcp eap farp gcrypt +gmp ldap mysql
> > networkmanager
> > ^^^^^^^^^^^^^^
> > +non-root +openssl pam pkcs11 sqlite strongswan_plugins_blowfish
> > strongswan_plugins_ccm strongswan_plugins_ctr strongswan_plugins_gcm
> > strongswan_plugins_ha strongswan_plugins_ipseckey +strongswan_plugins_led
> > +strongswan_plugins_lookip strongswan_plugins_ntru
> > strongswan_plugins_padlock strongswan_plugins_rdrand
> > +strongswan_plugins_systime-fix
> > strongswan_plugins_unbound +strongswan_plugins_unity
> > +strongswan_plugins_vici strongswan_plugins_whitelist]
>
> True, strongswan is in tree, but not networkmanager-strongswan
> (NetworkManager plugin).

My understanding is that as long as you enable the networkmanager plugin in
the strongswan package, it will interoperate with the networkmanager front end
- but I have not tried it. Reading now the relevant webpage, it says that it
is *only* available for IKEv2 - so probably not good for your use case.

https://wiki.strongswan.org/projects/strongswan/wiki/NetworkManager

> > The latest version 5.2.2 has a bug with some IKEv1 implementations.
> > There is a patch proposed which works and will be included in the next
> > version 5.2.3 when released. If your VPN server is affected then you'll
> > have to apply the patch yourself in a local overlay:
> >
> > https://bugs.launchpad.net/ubuntu/+source/vpnc/+bug/479632
>
> Stable strongswan is already compiled and installed on my system. Any of
> the "strongswan_plugins_*" use flags I have to enable here?

Since its networkmanager plugin is only useful for IKEv2, I don't think it
would make any odds. You can enable it anyway and initially try it from the
command line (/etc/init.d/ipsec start) to see if it works with the Cisco VPN
gateway. If it does, then try it with the networkmanager front end, but I
don't expect this to work. If a GUI is a must for you, libreswan with the
net-misc/networkmanager-openswan plugin may be a better bet.

--
Regards,
Mick