[Vpn-help] Feisty 32 bit network browsing
charles morrison
charlie2 at ledgible.com
Wed Sep 5 17:52:00 CDT 2007
Matthew Grooms wrote:
> Matthew Linehan wrote:
>>
>> We used the linux route command, to dump the routing table. I'm no
>> expert in linux IP routing, but it does not look right to me. There
>> were no entries in the routing table that would direct packets
>> destined for the 192.168.168.* network to the 192.168.167.1 TAP0
>> interface created by the VPN tunnel. Indeed there were NO lines in
>> the routing table that referenced the 192.168.168.* network at all.
>> I'm fairly certain that the incorrect routing table is the source of
>> the problem, however I do not know how iked and the ip routing stuff
>> interact with each other, so I could be wrong.
>>
>
> Charlie and Matthew,
>
> The only problem I saw was related to the tap driver not being
> released due to IPsec policies not being cleared out properly. This
> was a bug I introduced recently while trying to fix a lock recursion
> issue and may have been munging things up. Could you please try the
> following ...
>
> cd <ike dir>
> svn update
> make clean
> rm CMakeCache.txt
> cmake -DCMAKE_INSTALL_PREFIX=/usr -DQTGUI=YES -DETCDIR=/etc -DNATT=YES
> make
> make install
> setkey -F
> setkey -FP
> /etc/init.d/iked stop
> /etc/init.d/iked start
>
> ... and try to connect again. If you are still having problems, please let
> me know and we can investigate further. It seems to be working fine on
> my FC6 and Kubuntu 4.07 test hosts. I'm confident we can make it work
> again :)
>
> Thanks,
>
> -Matthew
>
Matt,
I tried your suggestions and seem to have the same problem.
I did have to use sudo make install, sudo setkey -F, sudo setkey -FP,
sudo /etc/init.d.iked stop, and sudo /etc/init.d/start to get it
working. I don't know if the use of root permissions has anything to do
with this or not. Also, when I initially tried to setkey, an error
message told me to install ipsec-tools using apt-get, which I did. Just
to make sure there were no unknown dependencies, I went through the
updates again, but no difference. Also, I disabled zeroconf in the
Kubuntu GUI under system settings>network settings.
Also note that once disconnected from the VPN, I no longer have a
valid internet connection. Even Firefox doesn't work anymore. I can't
bring up Google. Tap0 does start when I connect and vanishes when
disconnected. The IP address for tap0 is a valid IP from our network and
is the same address as assigned when I use the Windows client.
Here is my Linux route table prior to connection:
Kernel IP routing table
Destination     Gateway  Genmask          Flags  Metric  Ref  Use  Iface
10.64.64.64     *        255.255.255.255  UH     0       0    0    ppp0
link-local      *        255.255.0.0      U      0       0    0    eth0
link-local      *        255.255.0.0      U      0       0    0    ath0
default         *        0.0.0.0          U      0       0    0    ppp0
default         *        0.0.0.0          U      1000    0    0    eth0
Here is the Linux route table during the VPN connection: (note they are
the same)
Kernel IP routing table
Destination     Gateway  Genmask          Flags  Metric  Ref  Use  Iface
10.64.64.64     *        255.255.255.255  UH     0       0    0    ppp0
link-local      *        255.255.0.0      U      0       0    0    eth0
link-local      *        255.255.0.0      U      0       0    0    ath0
default         *        0.0.0.0          U      0       0    0    ppp0
default         *        0.0.0.0          U      1000    0    0    eth0
I looked at the same tables using Windows and they are quite a bit
different.
Here it is under Windows before the VPN connection:
===========================================================================
Active Routes:
Network Destination  Netmask          Gateway          Interface        Metric
0.0.0.0              0.0.0.0          166.217.217.243  166.217.217.243  1
127.0.0.0            255.0.0.0        127.0.0.1        127.0.0.1        1
166.217.217.243      255.255.255.255  127.0.0.1        127.0.0.1        1
166.217.255.255      255.255.255.255  166.217.217.243  166.217.217.243  1
224.0.0.0            224.0.0.0        166.217.217.243  166.217.217.243  1
255.255.255.255      255.255.255.255  166.217.217.243  2                1
Default Gateway: 166.217.217.243
===========================================================================
Persistent Routes:
Here it is under Windows during the VPN connection:
===========================================================================
Active Routes:
Network Destination  Netmask          Gateway          Interface        Metric
0.0.0.0              0.0.0.0          166.217.217.243  166.217.217.243  1
127.0.0.0            255.0.0.0        127.0.0.1        127.0.0.1        1
166.217.217.243      255.255.255.255  127.0.0.1        127.0.0.1        1
166.217.255.255      255.255.255.255  166.217.217.243  166.217.217.243  1
192.168.167.2        255.255.255.255  127.0.0.1        127.0.0.1        1
192.168.167.255      255.255.255.255  192.168.167.2    192.168.167.2    1
192.168.168.0        255.255.255.0    192.168.167.2    192.168.167.2    1
224.0.0.0            224.0.0.0        166.217.217.243  166.217.217.243  1
224.0.0.0            224.0.0.0        192.168.167.2    192.168.167.2    1
255.255.255.255      255.255.255.255  192.168.167.2    2                1
Default Gateway: 166.217.217.243
===========================================================================
Persistent Routes:
None
Note that the IP assigned by my gateway VPN is 192.168.167.2 and appears
in the Windows tables but not in the Linux tables.
Here are the Linux system log messages related to the connection.
Connection made using /dev/ttyUSB0 using KPPP:
09/05/2007 05:44:11 PM charles pppd[5683] Connect: ppp0 <--> /dev/ttyUSB0
09/05/2007 05:44:11 PM charles pppd[5683] pppd 2.4.4 started by charles, uid 1000
09/05/2007 05:44:11 PM charles pppd[5683] Using interface ppp0
09/05/2007 05:44:17 PM charles pppd[5683] Cannot determine ethernet address for proxy ARP
09/05/2007 05:44:17 PM charles pppd[5683] Could not determine remote IP address: defaulting to 10.64.64.64
09/05/2007 05:44:17 PM charles pppd[5683] local IP address 166.217.178.100
09/05/2007 05:44:17 PM charles pppd[5683] not replacing existing default route through eth0
09/05/2007 05:44:17 PM charles pppd[5683] primary DNS address 10.11.12.13
09/05/2007 05:44:17 PM charles pppd[5683] remote IP address 10.64.64.64
09/05/2007 05:44:17 PM charles pppd[5683] secondary DNS address 10.11.12.14
09/05/2007 05:46:18 PM charles kernel [ 520.800000] tun: (C) 1999-2004 Max Krasnyansky <maxk at qualcomm.com>
09/05/2007 05:46:18 PM charles kernel [ 520.800000] tun: Universal TUN/TAP device driver, 1.6
09/05/2007 05:46:28 PM charles kernel [ 531.012000] tap0: no IPv6 routers present
The message not replacing default route through eth0 looks suspicious to
me. Also, the DNS entries do not look correct.
Sorry about the formatting. I tried to clean it up a little.
Thanks,
Charlie Morrison
--
Charlie Morrison
American LED-gible, Inc
1776 Lone Eagle Street
Columbus, OH 43228 USA
614-851-1100
FAX 614-851-1121
We use ISO 26300 document standards available through Open Office at http://www.openoffice.org
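
An added example, not part of the original message or of the iked code base: it parses the Linux routing table posted above and resolves where a packet for the 192.168.168.* network would leave, using longest-prefix match with metric as tie-break. The host 192.168.168.10, the helper names, and the mapping of "link-local" to 169.254.0.0 are assumptions made for the example.

```python
import ipaddress

# Constructed sample: the Linux table from the message (identical before and
# during the VPN connection), with the wrapped columns rejoined.
ROUTE_OUTPUT = """\
Kernel IP routing table
Destination     Gateway  Genmask          Flags  Metric  Ref  Use  Iface
10.64.64.64     *        255.255.255.255  UH     0       0    0    ppp0
link-local      *        255.255.0.0      U      0       0    0    eth0
link-local      *        255.255.0.0      U      0       0    0    ath0
default         *        0.0.0.0          U      0       0    0    ppp0
default         *        0.0.0.0          U      1000    0    0    eth0
"""

# Symbolic names printed when route is run without -n (assumed mapping).
NAMES = {"default": "0.0.0.0", "link-local": "169.254.0.0"}

def parse_routes(text):
    """Return a list of (network, metric, iface) parsed from `route` output."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] == "Destination":
            continue  # skip the title, the column header and blank lines
        dest = NAMES.get(f[0], f[0])
        net = ipaddress.ip_network(f"{dest}/{f[2]}", strict=False)
        routes.append((net, int(f[4]), f[7]))
    return routes

def egress_iface(routes, addr):
    """Longest-prefix match, lowest metric as tie-break; None if no route."""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in routes if ip in r[0]]
    if not hits:
        return None
    return max(hits, key=lambda r: (r[0].prefixlen, -r[1]))[2]

def covers(routes, network, iface):
    """True if a non-default route on `iface` contains `network`."""
    target = ipaddress.ip_network(network)
    return any(n.prefixlen > 0 and i == iface and target.subnet_of(n)
               for n, _, i in routes)

if __name__ == "__main__":
    routes = parse_routes(ROUTE_OUTPUT)
    print("192.168.168.10 leaves via", egress_iface(routes, "192.168.168.10"))
    print("tap0 route present:", covers(routes, "192.168.168.0/24", "tap0"))
```

Against the posted table, traffic for the remote network falls through to the default route on ppp0 and no tap0 route covers 192.168.168.0/24, which matches the absence of the 192.168.168.0 entry that the Windows table gains during the connection.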