Force Cisco client split tunneling

Installation, configuration and troubleshooting of the Cisco VPN Client on Linux systems

Force Cisco client split tunneling

Postby drpepperONE » Thu Jan 10, 2008 9:03 pm

Hi, many compliments for your project... very nice!!

I wanna ask you something about the Cisco client.

I have the latest release vpnclient-linux-x86_64-4.8.01.0640-k9.tar.gz on Kubuntu 7.10, kernel 2.6.22.14.

It works fine but there's the known problem of Local LAN Access.

I know that this is possible only if the remote server enables split tunneling mode.

So if I set the EnableLocalLAN=1 option, nothing changes.

But I saw your post in an Ubuntu forum:
5. Download the override-local-lan-access.diff.gz into current directory

6. Unpack it
# gunzip override-local-lan-access.diff.gz

7. Apply it
# patch < override-local-lan-access.diff
patching file interceptor.c

Now the patch has been applied and you can safely install the client
# ./vpn_install

I just tried it and it did miracles in my case! I have access to all I need.


I wanna know if there is a method to have access to the LAN even if the remote side does not enable it.

Is it a trick?

Or is it possible??

And if yes, where could I download the override-local-lan-access.diff.gz file??

Thanks a lot in advance!!
Last edited by drpepperONE on Fri Jan 11, 2008 5:05 pm, edited 1 time in total.
drpepperONE
Private
Posts: 5
Joined: Thu Jan 10, 2008 8:53 pm

Re: Force Cisco client split tunneling

Postby tuxx-home.at » Thu Jan 10, 2008 10:25 pm

drpepperONE wrote:
Hi, many compliments for your project... very nice!!

Thanks!

drpepperONE wrote:
But I saw your post in an Ubuntu forum:

To be honest, that wasn't my post and the patch was _NOT_ my work.
I wasn't even afraid of such a patch until now, but nice to know that one can circumvent split tunneling protection on the client side.

drpepperONE wrote:
I wanna know if there is a method to have access to the LAN even if the remote side does not enable it.

Yes, it is.

I found the patch on the Ubuntu forum, modified it to be compatible with the latest kernel versions and Cisco vpnclient versions
and now it can be downloaded from here:

http://projects.tuxx-home.at/ciscovpn/patches

To apply this patch, follow these simple installation instructions:

1. Download and extract the vpnclient-linux package
2. Change to the directory "vpnclient" that has been created during point 1) above
3. Download the patch with the following command

# wget http://projects.tuxx-home.at/ciscovpn/p ... ccess.diff

4. Patch the source of the vpnclient

# patch < override-local-lan-access.diff

5. Install the VPN client

# ./vpn_install

Afterwards, you'll have to manually restore the routes to your private network at home (or wherever you're connecting from)
as mentioned in the posting you referred to.
tuxx-home.at
Supreme Commander
Posts: 2199
Joined: Mon Jan 01, 2007 12:51 pm
Location: Vassach - Austria - Europe

Re: Force Cisco client split tunneling

Postby drpepperONE » Fri Jan 11, 2008 12:29 pm

Hi, thank you for your help.

I patched the client but the local LAN is not available.

This is the routing table before starting the VPN:

Code:
root@drpepperone:~/vpnclient# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.64.0    *               255.255.255.0   U     0      0        0 eth0
link-local      *               255.255.0.0     U     1000   0        0 eth0
default         192.168.64.2    0.0.0.0         UG    100    0        0 eth0
root@drpepperone:~/vpnclient#



This is the NIC config before the VPN starts:

Code:
root@drpepperone:~/vpnclient# ifconfig -a
cipsec0   Link encap:Ethernet  HWaddr 00:0B:FC:F8:01:8F
          inet addr:10.1.225.171  Mask:255.0.0.0
          NOARP  MTU:1500  Metric:1
          RX packets:153 errors:0 dropped:0 overruns:0 frame:0
          TX packets:253 errors:0 dropped:9 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:12375 (12.0 KB)  TX bytes:19611 (19.1 KB)

eth0      Link encap:Ethernet  HWaddr 00:0C:29:37:3B:24
          inet addr:192.168.64.129  Bcast:192.168.64.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe37:3b24/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1978 errors:0 dropped:0 overruns:0 frame:0
          TX packets:541 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:205642 (200.8 KB)  TX bytes:67253 (65.6 KB)
          Interrupt:16 Base address:0x2000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:137 errors:0 dropped:0 overruns:0 frame:0
          TX packets:137 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:38017 (37.1 KB)  TX bytes:38017 (37.1 KB)

root@drpepperone:~/vpnclient#   



When I start the VPN these are the configurations:

Even though I patched, I always get the "Local LAN Access is disabled" message:
IP Compression: None
NAT passthrough is active on port UDP 21072
Local LAN Access is disabled


This is my pcf file:

Code:
Description=vpn Cisco
Host=[my-vpn-site]
AuthType=1
GroupName=suppliersaccess
GroupPwd=
enc_GroupPwd=[my enc pass]
EnableISPConnect=0
ISPConnectType=0
ISPConnect=[my isp]
ISPCommand=
Username=[my username]
SaveUserPassword=1
UserPassword=
enc_UserPassword=[my enc user pass]
NTDomain=
EnableBackup=1
BackupServer=[my backup vpn server]
EnableMSLogon=1
MSLogonType=0
EnableNat=1
TunnelingMode=0
TcpTunnelingPort=10000
CertStore=0
CertName=
CertPath=
CertSubjectName=
CertSerialHash=00000000000000000000000000000000
SendCertChain=0
PeerTimeout=90
EnableLocalLAN=1



This is the NICs' ifconfig after the VPN starts:
Code:
ifconfig -a
cipsec0   Link encap:Ethernet  HWaddr 00:0B:FC:F8:01:8F
          inet addr:10.1.225.164  Mask:255.0.0.0
          inet6 addr: fe80::20b:fcff:fef8:18f/64 Scope:Link
          UP RUNNING NOARP  MTU:1356  Metric:1
          RX packets:153 errors:0 dropped:0 overruns:0 frame:0
          TX packets:254 errors:0 dropped:12 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:12375 (12.0 KB)  TX bytes:19953 (19.4 KB)

eth0      Link encap:Ethernet  HWaddr 00:0C:29:37:3B:24
          inet addr:192.168.64.129  Bcast:192.168.64.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe37:3b24/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2242 errors:0 dropped:0 overruns:0 frame:0
          TX packets:629 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:230549 (225.1 KB)  TX bytes:75155 (73.3 KB)
          Interrupt:16 Base address:0x2000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:174 errors:0 dropped:0 overruns:0 frame:0
          TX packets:174 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:49740 (48.5 KB)  TX bytes:49740 (48.5 KB)




This is the routing table after the VPN starts:

Code:
root@drpepperone:~/vpnclient# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
194.20.70.220   192.168.64.2    255.255.255.255 UGH   0      0        0 eth0
10.0.0.0        *               255.0.0.0       U     0      0        0 cipsec0
default         10.1.225.164    0.0.0.0         UG    0      0        0 cipsec0
root@drpepperone:~/vpnclient#





I think that I miss something to configure... I don't know what and how.

In your opinion, is the patch working or is it a misconfiguration issue??

Thank you in advance
drpepperONE
Private
Posts: 5
Joined: Thu Jan 10, 2008 8:53 pm

Re: Force Cisco client split tunneling

Postby tuxx-home.at » Fri Jan 11, 2008 1:24 pm

drpepperONE wrote:
Even though I patched, I always get the "Local LAN Access is disabled" message

That is OK. The output hasn't been patched, so even if it says "Local LAN Access is disabled" it's possible to enable it with the above-mentioned patch.

drpepperONE wrote:
I think that I miss something to configure...

Yes, you need to manually change your routing table after the VPN connection has been established. The patch doesn't do this for you.
So according to your values, you need to do the following _AFTER_ the VPN connection has been established:

Code:
# Delete the default route (all traffic is routed through the VPN client's cipsec0 interface by default,
# thus disabling local LAN access)
route del -net 0.0.0.0 dev cipsec0

# Add a static route to your local LAN gateway on your local LAN device
route add -host 192.168.64.2 dev eth0

# Set the default gateway to your local LAN gateway. This will let you connect to the internet via your
# local LAN connection and not via the VPN tunnel. Only traffic to your company's site will be tunneled through
# the VPN
route add default gw 192.168.64.2


You might want to put these three lines into a shell script for easier handling in the future.
tuxx-home.at
Supreme Commander
Posts: 2199
Joined: Mon Jan 01, 2007 12:51 pm
Location: Vassach - Austria - Europe

Re: Force Cisco client split tunneling

Postby drpepperONE » Fri Jan 11, 2008 4:42 pm

Hi, thank you very much. I added the routing info but it still was not working, but adding the following route at the end, it worked!!!!

route add -net 192.168.64.0 netmask 255.255.255.0 dev eth0


Many thanks, man!! You are very very smart!!!! Niceeee one!!! :wink:

Bye from Italy!!! :D
drpepperONE
Private
Posts: 5
Joined: Thu Jan 10, 2008 8:53 pm

Re: Force Cisco client split tunneling

Postby tuxx-home.at » Fri Jan 11, 2008 4:47 pm

drpepperONE wrote:
Hi, thank you very much. I added the routing info but it still was not working

Could I please see the `route -n` output after you applied the three `route` commands I wrote above?
Usually, if the default gateway has been replaced it should handle the local subnet too, but maybe something
went wrong.

Anyhow, adding a network route as you already did should work too, but I'd love to see what was wrong before adding
this route :)

BTW: Thanks for the flowers, I'm glad that I could help you!
tuxx-home.at
Supreme Commander
Posts: 2199
Joined: Mon Jan 01, 2007 12:51 pm
Location: Vassach - Austria - Europe

Re: Force Cisco client split tunneling

Postby drpepperONE » Fri Jan 11, 2008 5:03 pm

This does not work:
Code:
root@drpepperone:~# route del -net 0.0.0.0 dev cipsec0
root@drpepperone:~# route add -host 192.168.64.2 dev eth0
root@drpepperone:~# route add default gw 192.168.64.2
root@drpepperone:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
194.20.70.220   192.168.64.2    255.255.255.255 UGH   0      0        0 eth0
192.168.64.2    0.0.0.0         255.255.255.255 UH    0      0        0 eth0
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 cipsec0
0.0.0.0         192.168.64.2    0.0.0.0         UG    0      0        0 eth0
root@drpepperone:~#


After `route add -net 192.168.64.0 netmask 255.255.255.0 dev eth0` it works:
Code:
root@drpepperone:~# route add -net 192.168.64.0 netmask 255.255.255.0 dev eth0
root@drpepperone:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
194.20.70.220   192.168.64.2    255.255.255.255 UGH   0      0        0 eth0
192.168.64.2    0.0.0.0         255.255.255.255 UH    0      0        0 eth0
192.168.64.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 cipsec0
0.0.0.0         192.168.64.2    0.0.0.0         UG    0      0        0 eth0
root@drpepperone:~#
drpepperONE
Private
Posts: 5
Joined: Thu Jan 10, 2008 8:53 pm

Re: Force Cisco client split tunneling

Postby tuxx-home.at » Fri Jan 11, 2008 5:10 pm

Hmm... That's strange, the kernel shouldn't do that.
Can you confirm that using your `route add -net ...` command instead of `route add -host 192.168.64.2 dev eth0` still works?
When the network route is in place you shouldn't need a static route to your gateway...
tuxx-home.at
Supreme Commander
Posts: 2199
Joined: Mon Jan 01, 2007 12:51 pm
Location: Vassach - Austria - Europe

Re: Force Cisco client split tunneling

Postby drpepperONE » Fri Jan 11, 2008 5:48 pm

Yes, it works perfectly only if I add the following routing rule as is:

route add -net 192.168.64.0 netmask 255.255.255.0 dev eth0
drpepperONE
Private
Posts: 5
Joined: Thu Jan 10, 2008 8:53 pm

Re: Force Cisco client split tunneling

Postby tuxx-home.at » Fri Jan 11, 2008 5:57 pm

OK, then for the record:

After establishing the VPN connection you have to modify your routing table with the following commands (the code section below can be used
as shell script for easier handling of the local LAN access override trick):

Code:
#!/bin/sh
#################################################
# change these values to suit your needs
LOCALNET=192.168.64.0
LOCALMASK=255.255.255.0
LOCALGW=192.168.64.2
LOCALDEV=eth0
#################################################

# Allow access to your local LAN
route add -net $LOCALNET netmask $LOCALMASK dev $LOCALDEV

# Don't route traffic to the internet or other subnets through the VPN tunnel.
# If there is more than one subnet on the destination site, make sure that
# all of them have a static route entry, otherwise you are only able to
# connect to the default subnet on the remote site.
route del -net 0.0.0.0 dev cipsec0
route add default gw $LOCALGW


Basically, adding the network rule alone should work too, but then traffic to the internet will be tunneled through your VPN connection too and that is
not always wanted.
tuxx-home.at
Supreme Commander
Posts: 2199
Joined: Mon Jan 01, 2007 12:51 pm
Location: Vassach - Austria - Europe
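As an added example (not code from this thread or from the tuxx-home.at project), here is a read-only Python audit that an administrator of a Linux VPN endpoint can run to check whether a session is still full-tunnel. The point it addresses is the one tuxx-home.at makes above: once the interceptor patch is in, the client's own "Local LAN Access is disabled" message no longer reflects what the routing table does, so the routing table itself is what has to be checked. The script parses `route -n` output in the net-tools layout shown in this thread, treats the /32 route to the concentrator as expected, and reports every other route that leaves the tunnel. The two sample tables are constructed from the thread's own before/after output; the function and variable names (`parse_route_n`, `audit_full_tunnel`, `CONCENTRATOR`) are my own and not part of any Cisco or tuxx-home.at tool.

```python
# Added example: audit a net-tools `route -n` table for a split-tunnel /
# local-LAN override. Names and sample data are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass
class Route:
    dest: str
    gateway: str
    genmask: str
    flags: str
    iface: str

    @property
    def network(self) -> ipaddress.IPv4Network:
        # net-tools prints destination and mask in separate columns; join them.
        return ipaddress.IPv4Network((self.dest, self.genmask), strict=False)


def parse_route_n(text: str) -> List[Route]:
    """Parse `route -n` output. Shell prompts and the two header lines are skipped."""
    routes: List[Route] = []
    for line in text.splitlines():
        parts = line.split()
        # A data row has exactly 8 columns; the column header row also has 8.
        if len(parts) != 8 or parts[0] == "Destination":
            continue
        dest, gw, mask, flags, _metric, _ref, _use, iface = parts
        routes.append(Route(dest, gw, mask, flags, iface))
    return routes


def audit_full_tunnel(routes: List[Route], vpn_iface: str = "cipsec0",
                      allowed_hosts: Iterable[str] = ()) -> Tuple[bool, List[str]]:
    """Return (full_tunnel_ok, findings).

    A healthy full-tunnel state has its default route on the VPN interface and
    no other routes over physical interfaces, apart from the /32 host route to
    the VPN concentrator (listed in allowed_hosts), which the tunnel itself needs.
    """
    allowed = set(allowed_hosts)
    findings: List[str] = []
    defaults = [r for r in routes if r.network.prefixlen == 0]
    if not defaults:
        findings.append("no default route present")
    for d in defaults:
        if d.iface != vpn_iface:
            findings.append(
                f"default route leaves via {d.iface} (gw {d.gateway}), not {vpn_iface}")
    for r in routes:
        if r.iface == vpn_iface or r.network.prefixlen == 0:
            continue
        if r.network.prefixlen == 32 and r.dest in allowed:
            continue  # expected: traffic to the concentrator must bypass the tunnel
        findings.append(f"bypass route {r.network} via {r.iface}")
    return (not findings, findings)


# Constructed from the thread's own tables: the state right after the VPN
# came up (full tunnel) and the state after the local-LAN override was applied.
FULL_TUNNEL = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
194.20.70.220   192.168.64.2    255.255.255.255 UGH   0      0        0 eth0
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 cipsec0
0.0.0.0         10.1.225.164    0.0.0.0         UG    0      0        0 cipsec0
"""

OVERRIDDEN = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
194.20.70.220   192.168.64.2    255.255.255.255 UGH   0      0        0 eth0
192.168.64.2    0.0.0.0         255.255.255.255 UH    0      0        0 eth0
192.168.64.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 cipsec0
0.0.0.0         192.168.64.2    0.0.0.0         UG    0      0        0 eth0
"""

CONCENTRATOR = "194.20.70.220"  # the VPN peer from the thread's tables

if __name__ == "__main__":
    for name, table in (("full tunnel", FULL_TUNNEL), ("overridden", OVERRIDDEN)):
        ok, findings = audit_full_tunnel(parse_route_n(table), allowed_hosts=[CONCENTRATOR])
        print(f"{name}: {'OK' if ok else 'SPLIT TUNNEL'}")
        for finding in findings:
            print("  -", finding)
```

Run it after the vpnclient has connected (or from a periodic job) and feed it the live `route -n` output; a non-empty findings list is the signal that the concentrator's no-split-tunnel policy is not being honoured on that host, regardless of what the client prints. If the concentrator address is not passed in `allowed_hosts`, the /32 to it is reported too, which is a useful way to confirm the parser sees the table at all.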

