2.6.25 and patched vpnclient

Installation, configuration and troubleshooting of the Cisco VPN Client on Linux systems

Postby vomus » Tue Jun 10, 2008 9:30 pm

Hi!
I just applied a 2.6.24 patch to vpnclient-linux-x86_64-4.8.01.0640 and it compiled just fine. Installation went fine also. Then I did "vpnclient connect" and saw all the appropriate output:

[root@yarilo ~]# vpnclient connect xxxxxx
Cisco Systems VPN Client Version 4.8.00 (0490)
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.25-std-def-alt2 #1 SMP Sat Jun 7 16:50:31 MSD 2008 i686
Config file directory: /etc/opt/cisco-vpnclient

Initializing the VPN connection.
Contacting the gateway at 83.149.xx.xx
Authenticating user.
Negotiating security policies.
Securing communication channel.

Your VPN connection is secure.

VPN tunnel information.
Client address: 10.61.32.31
Server address: 83.149.xx.xx
Encryption: 256-bit AES
Authentication: HMAC-SHA
IP Compression: LZS
NAT passthrough is active on port UDP 4500
Local LAN Access is disabled

But at this point I can not ping any address within my corporate network, although routing information seems to be ok:

[root@yarilo vpn]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
83.149.xx.xx    192.168.1.1     255.255.255.255 UGH   0      0        0 ath0
10.61.32.0      0.0.0.0         255.255.255.0   U     0      0        0 cipsec0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 ath0
2.0.0.0         10.61.32.31     255.0.0.0       UG    0      0        0 cipsec0
10.0.0.0        10.61.32.31     255.0.0.0       UG    0      0        0 cipsec0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 ath0

Can anyone explain why I can not access my network?
vomus
Private
Posts: 3
Joined: Tue Jun 10, 2008 9:10 pm

Re: 2.6.25 and patched vpnclient

Postby tuxx-home.at » Tue Jun 10, 2008 10:31 pm

Quote:
Local LAN Access is disabled

Can you still ping your gateway after the VPN connection has been established?
tuxx-home.at
Supreme Commander
Posts: 2199
Joined: Mon Jan 01, 2007 12:51 pm
Location: Vassach - Austria - Europe

Re: 2.6.25 and patched vpnclient

Postby vomus » Wed Jun 11, 2008 8:01 am

Quote:
Can you still ping your gateway after the VPN connection has been established?

Yes, I can ping the gateway but it seems natural because the traffic there goes through my native interface ath0.
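
The routing point made in the post above, as an added example that is not part of the original thread: it parses `route -n` output and applies longest-prefix matching to show that the VPN gateway is reached through the host route on the physical interface, so a successful ping to it says nothing about the tunnel. The table is a constructed sample modelled on the first post, with the masked gateway replaced by the placeholder 203.0.113.10; the function names are hypothetical.

```python
import ipaddress

# Constructed sample modelled on the `route -n` output in the first post; the
# masked gateway 83.149.xx.xx is replaced by the placeholder 203.0.113.10.
ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
203.0.113.10    192.168.1.1     255.255.255.255 UGH   0      0        0 ath0
10.61.32.0      0.0.0.0         255.255.255.0   U     0      0        0 cipsec0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 ath0
2.0.0.0         10.61.32.31     255.0.0.0       UG    0      0        0 cipsec0
10.0.0.0        10.61.32.31     255.0.0.0       UG    0      0        0 cipsec0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 ath0
"""

def parse_route_n(text):
    """Return (network, gateway, metric, iface) tuples from `route -n` output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows have 8 columns and start with a dotted-quad destination.
        if len(fields) != 8 or fields[0].count(".") != 3:
            continue
        dest, gw, mask, _flags, metric, _ref, _use, iface = fields
        net = ipaddress.ip_network(f"{dest}/{mask}")
        routes.append((net, gw, int(metric), iface))
    return routes

def lookup(routes, address):
    """Pick the route the kernel would use: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(address)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[2]))

def egress_iface(routes, address):
    """Interface name for `address`, or None if no route matches."""
    best = lookup(routes, address)
    return best[3] if best else None

if __name__ == "__main__":
    table = parse_route_n(ROUTE_N)
    # Gateway, two tunnelled hosts, a LAN host and an Internet host (constructed).
    for target in ("203.0.113.10", "10.61.40.5", "10.61.32.7",
                   "192.168.1.20", "198.51.100.1"):
        print(f"{target:15} -> {egress_iface(table, target)}")
```
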

Re: 2.6.25 and patched vpnclient

Postby ghu » Fri Jun 13, 2008 9:33 pm

The same problem. Kernel 2.6.25.6
Can connect, but no luck when trying to access any server on private network.

Jun 13 21:17:55 mlok kernel: Cisco Systems VPN Client Version 4.8.01 (0640) kernel module loaded
Jun 13 21:18:08 mlok restorecond: Reset file context /etc/resolv.conf: unconfined_u:object_r:etc_t:s0->system_u:object_r:net_conf_t:s0
Jun 13 21:19:23 mlok kernel: SELinux: failure in sel_netif_sid_slow(), invalid network interface (0)

Vomus, do you have it too in your log?
ghu
Private
Posts: 3
Joined: Fri Jun 13, 2008 9:24 pm

Re: 2.6.25 and patched vpnclient

Postby tuxx-home.at » Sat Jun 14, 2008 9:37 am

Could it be that SELinux is active on your systems?

Please try to disable this extension for testing purposes by running the following command:

Code:
echo 0 > /selinux/enforce

Re: 2.6.25 and patched vpnclient

Postby ghu » Mon Jun 16, 2008 8:46 pm

It is active. Have tried what you suggested, but no luck. Got the same message.
There have been changes to security/selinux/netif.c in 2.6.25.

Re: 2.6.25 and patched vpnclient

Postby ghu » Mon Jun 16, 2008 10:43 pm

I have compiled 2.6.24.7 and 'patched vpnclient' now. Everything works as expected.

Re: 2.6.25 and patched vpnclient

Postby tuxx-home.at » Tue Jun 17, 2008 7:06 pm

OK, thanks for this information. I'll try to figure out why it breaks with SELinux enabled on 2.6.25.

Re: 2.6.25 and patched vpnclient

Postby PerYcut » Wed Jun 25, 2008 11:40 am

What can I do to get it to work?
I can connect and ping the GW but nothing else.
For a newbie, please :)
Thanks
PerYcut
Private
Posts: 3
Joined: Wed Jun 25, 2008 11:37 am

Re: 2.6.25 and patched vpnclient

Postby tuxx-home.at » Wed Jun 25, 2008 12:51 pm

Please don't hijack this topic, I don't think that you're suffering from the same problem.
But anyway, provide information about the kernel version you're using (`uname -r`), the routing table before and after the VPN client has been established (`route -n`) as well as the output of the `vpnclient connect yourprofile` command when the VPN connection has been established.

Re: 2.6.25 and patched vpnclient

Postby PerYcut » Wed Jun 25, 2008 3:44 pm

2.6.25.5-1.1-default

before:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.16.122.0     0.0.0.0         255.255.254.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         10.16.123.200   0.0.0.0         UG    0      0        0 eth0

connect:
Cisco Systems VPN Client Version 4.8.01 (0640)
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.25.5-1.1-default #1 SMP 2008-06-07 01:55:22 +0200 i686
Config file directory: /etc/opt/cisco-vpnclient

Initializing the VPN connection.
Contacting the gateway at 193.170.xxx.xx
User Authentication for xxx...

Enter Username and Password.

Username [xxx]:
Password [xxx]:
Authenticating user.
Negotiating security policies.
Securing communication channel.

Your VPN connection is secure.

VPN tunnel information.
Client address: 172.30.xxx.xx
Server address: 193.170.xxx.xx
Encryption: 168-bit 3-DES
Authentication: HMAC-MD5
IP Compression: None
NAT passthrough is active on port UDP 4500
Local LAN Access is disabled

route with vpnclient connect:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
193.170.xxx.xx  10.16.xxx.xx    255.255.255.255 UGH   0      0        0 eth0
172.30.0.0      0.0.0.0         255.255.0.0     U     0      0        0 cipsec0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         172.30.xxx.xx   0.0.0.0         UG    0      0        0 cipsec0

I can ping the GW only.

Thanks for your help.

Re: 2.6.25 and patched vpnclient

Postby PerYcut » Thu Jun 26, 2008 11:13 am

More info needed?
Thanks

Re: 2.6.25 and patched vpnclient

Postby vomus » Sat Jun 28, 2008 11:16 am

I tried to disable SELinux with "setenforce 0" but it had no effect on my not being able to ping my home network. I still can only ping the gateway. Any more ideas?

Re: 2.6.25 and patched vpnclient

Postby tuxx-home.at » Wed Dec 24, 2008 11:24 am

Has this issue been resolved already? I forgot to reply to this thread which I'm very sorry for!

