Bug 492208

Summary: NetworkManager-vpnc sets default route to vpn
Product: [Fedora] Fedora Reporter: Jeremy Fitzhardinge <jeremy>
Component: NetworkManager-vpncAssignee: Dan Williams <dcbw>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 10CC: davidz, dcbw, don, jfenal, rather.b.sailing, skr, vaxon77
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-11-06 06:42:10 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jeremy Fitzhardinge 2009-03-25 21:44:28 UTC 
Description of problem:
When connecting to VPN with NetworkManager-vpnc, it sets the default route to the VPN device.  When I connect with "vpnc" it leaves the default route alone.

There are also a couple of other routes missing when I use NetworkManager to connect.

Version-Release number of selected component (if applicable):
NetworkManager-vpnc-0.7.0.99-1.fc10.x86_64

How reproducible:
Always

Steps to Reproduce:
1.Connect to vpn
2.Check route with "route"
3.
  
Actual results:
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 tun0

Expected results:
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0

Additional info:
The diff between the vpnc routing and the NetworkManager-vpnc routing is:
--- vpnc	2009-03-25 14:38:59.629563747 -0700
+++ nwman	2009-03-25 14:39:25.283537596 -0700
@@ -1,7 +1,5 @@
 Kernel IP routing table
 Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
-10.yy.yy.yy     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
-10.zz.zz.zz     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
 xx.xx.xx.xx     192.168.1.1     255.255.255.255 UGH   0      0        0 wlan0
 192.168.1.0     0.0.0.0         255.255.255.0   U     2      0        0 wlan0
 10.69.148.0     0.0.0.0         255.255.255.0   U     0      0        0 tun0
@@ -32,4 +30,4 @@
 10.224.0.0      0.0.0.0         255.224.0.0     U     0      0        0 tun0
 10.0.0.0        0.0.0.0         255.192.0.0     U     0      0        0 tun0
 10.128.0.0      0.0.0.0         255.192.0.0     U     0      0        0 tun0
-0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0
+0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 tun0
Comment 1 vaxon 2009-04-03 23:16:23 UTC 
Same problem here.
Comment 2 vaxon 2009-04-04 00:22:18 UTC 
Actually, looking a bit more at the vpn configuration I can tell that it's all configurable.

Click on the Network Manager icon and choose "VPN Connections" -> "Configure VPN...". Then choose the connection name and click "Edit". Go to "IPv4 Settings" tab and click the "Routes" button at the lower-right corner.
Check off "Use this connection only for resources on its network".
This should make vpn use the old default route instead of redirecting all traffic to tun0.
Additional routes can be set up here as well.

But I really think that leaving the default route intact should be the default vpnc behaviour.

Thanks,
Vax.
Comment 3 Stephen Rowles 2009-05-01 10:43:16 UTC 
I have a very similar problem here. But I cannot work around it using the technique mentioned in #2 because that box is not checked.

When I connect using vpnc from the command line my name servers are correctly tunnelled down tun0 as in the bug description. However when I connect using NetworkManager-vpnc (default settings, and in fact every combination of settings I have tried so far) my name servers are not send down tun0 and consequently I cannot access any internal systems.

NetworkManager-vpnc should have the same behaviour as the vpnc command line client.
Comment 4 Jeremy Fitzhardinge 2009-05-01 17:54:02 UTC 
(In reply to comment #2)
> But I really think that leaving the default route intact should be the default
> vpnc behaviour.

It must be a behaviour change, because it used to work OK.  Anyway, checking that box does fix the problem for me.
Comment 5 Don Seiler 2009-11-05 14:33:37 UTC 
Confirmed that checking the box fixes the problem here as well.
Comment 6 Dan Williams 2009-11-06 06:42:10 UTC 
By default, VPNs get the default route as that is the most secure configuration of a VPN.  If that is not your VPN configuration, you'll need to check the "Only use this connection for resources on its network" and then only the specific routes sent by the VPN server (or ones you enter manually) will be routed over the VPN tunnel.

If you have further problems, please re-open and include some of /var/log/messages that show the IP configuration that NM is getting from vpnc.  It will look like this:

NetworkManager: <info>  VPN connection 'foobar' (Connect) reply received.
NetworkManager: <info>  VPN connection 'foobar' (IP Config Get) reply received.
NetworkManager: <info>  VPN Gateway: 101.22.183.53
NetworkManager: <info>  Tunnel Device: tun0
NetworkManager: <info>  Internal IP4 Address: 10.3.227.85
NetworkManager: <info>  Internal IP4 Prefix: 20
NetworkManager: <info>  Internal IP4 Point-to-Point Address: 10.3.227.85
NetworkManager: <info>  Maximum Segment Size (MSS): 0
NetworkManager: <info>  Static Route: 172.16.0.0/16   Next Hop: 172.16.0.0
NetworkManager: <info>  Static Route: 10.0.0.0/8   Next Hop: 10.0.0.0
NetworkManager: <info>  Internal IP4 DNS: 10.5.26.20
NetworkManager: <info>  Internal IP4 DNS: 10.5.26.21
NetworkManager: <info>  DNS Domain: 'foobar.com'

that will help us determine if vpnc and NM are getting the right data.