Bug 731200

Summary: vpnc stopped working completely
Product: Fedora
Component: vpnc
Version: 16
Hardware: Unspecified
OS: Unspecified
Status: CLOSED WONTFIX
Severity: urgent
Priority: unspecified
Reporter: Felipe Contreras <felipe.contreras>
Assignee: Christian Krause <chkr>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: rjones
Doc Type: Bug Fix
Last Closed: 2012-02-02 18:45:34 UTC
Attachments:
  Log for old vpnc
  Log for new vpnc

Description Felipe Contreras 2011-08-16 22:27:11 UTC
Description of problem:
vpnc used to work, now the connection seems to succeed, but no packets make it anywhere.

Version-Release number of selected component (if applicable):
vpnc-0.5.3-12.svn457

How reproducible:
Always

Steps to Reproduce:
1. Connect to a VPN
  
Actual results:
ping google.com (or anything) doesn't work

Expected results:
the connection works properly

Additional info:
I have a laptop with F14, and the same VPNs that fail here work there completely fine.

Comment 1 Felipe Contreras 2011-08-17 00:05:11 UTC
Actually, I downgraded to 0.5.3-9.fc15, and it works fine.

Comment 2 Fedora Admin XMLRPC Client 2011-08-31 00:43:37 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 3 Christian Krause 2011-09-06 23:28:49 UTC
Please can you run vpnc on the command line with "--debug 3" and attach the complete debug output? Please do the test with version 0.5.3-9.fc15 as well as with 0.5.3-12.svn457. Thank you very much in advance!

from "vpnc --long-help":
  --debug <0/1/2/3/99>
      Show verbose debug messages
       *  0: Do not print debug information.
       *  1: Print minimal debug information.
       *  2: Show statemachine and packet/payload type information.
       *  3: Dump everything exluding authentication data.
       * 99: Dump everything INCLUDING AUTHENTICATION data (e.g. PASSWORDS).
  conf-variable: Debug <0/1/2/3/99>

Comment 4 Felipe Contreras 2011-09-07 15:59:24 UTC
Created attachment 521935
Log for old vpnc

Comment 5 Felipe Contreras 2011-09-07 16:00:12 UTC
Created attachment 521936
Log for new vpnc

Comment 6 Felipe Contreras 2011-09-07 16:03:24 UTC
As you can see, there's clearly a regression, I say you should revert back to the old one.

It's also interesting that even though vpnc fails (it doesn't go to the background), the NetworkManager plug-in thinks it does.

Comment 7 Christian Krause 2011-09-11 17:03:26 UTC
I have looked at both attachments and it looks like the differences start when dealing with NAT mode.

1. Please can you double-check that you have used in both tests (old and new vpnc version) exactly the same config file?

2. Please can you also attach the config file (please replace all private data like IP addresses, user names and passwords with xxxx or so)?

3. Please can you also try whether changing the NAT mode helps by any chance?

From the "man vpnc":
--------------------------
       --natt-mode <natt/none/force-natt/cisco-udp>
              Which NAT-Traversal Method to use:
              ·      natt -- NAT-T as defined in RFC3947
              ·      none -- disable use of any NAT-T method
              ·      force-natt -- always use NAT-T encapsulation even without
                     presence  of  a NAT device (useful if the OS captures all
                     ESP traffic)
              ·      cisco-udp -- Cisco proprietary  UDP  encapsulation,  com‐
                     monly over Port 10000
              Note: cisco-tcp encapsulation is not yet supported
              Default: natt
       conf-variable: NAT Traversal Mode <natt/none/force-natt/cisco-udp>
-------------------------
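
Added example, not part of the original thread and not code from vpnc or Fedora: one way to do the redaction requested in comment 7 before attaching a vpnc config file or a "--debug 3" log to a public bug. The config keys are vpnc's documented conf-variables; the function names, the sample values and the IPv4 heuristic are assumptions made for this illustration.

```shell
#!/bin/sh
# Redact a vpnc config file or debug log read from stdin.
# - Values of identity/credential conf-variables become "xxxx".
# - Anything shaped like an IPv4 address becomes "x.x.x.x" (heuristic; it
#   does not cover hostnames or IPv6 addresses that appear in free text).
redact_vpnc() {
    keys='IPSec gateway|IPSec ID|IPSec secret|IPSec obfuscated secret'
    keys="$keys|Xauth username|Xauth password|Xauth obfuscated password|Domain"
    sed -E \
        -e "s/^([[:space:]]*($keys))[[:space:]]+.*\$/\\1 xxxx/" \
        -e 's/([0-9]{1,3}\.){3}[0-9]{1,3}/x.x.x.x/g'
}

# Exit status 0 if the config on stdin sets "Debug 99", the level that dumps
# authentication data. Logs made with such a config should not be attached.
sets_debug_99() {
    grep -Eq '^[[:space:]]*Debug[[:space:]]+99[[:space:]]*$'
}

# Constructed sample config (all values are made up for this example).
SAMPLE_CONF='IPSec gateway vpn.example.com
IPSec ID examplegroup
IPSec secret constructed-group-secret
Xauth username alice
Xauth password constructed-password
NAT Traversal Mode none
Debug 3'

# Constructed sample log line; real vpnc debug output has its own layout.
SAMPLE_LOG='peer address 192.0.2.10 port 500'

if printf '%s\n' "$SAMPLE_CONF" | sets_debug_99; then
    echo 'config sets Debug 99: regenerate the log at level 3' >&2
fi
printf '%s\n' "$SAMPLE_CONF" | redact_vpnc
printf '%s\n' "$SAMPLE_LOG" | redact_vpnc
```

Settings that carry no identity, such as the NAT Traversal Mode line, pass through unchanged, so the attached file still shows the option under test.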

Comment 8 Felipe Contreras 2011-09-13 08:42:13 UTC
(In reply to comment #7)
> I have looked at both attachments and it looks like the differences start
> when dealing with NAT mode.
> 
> 1. Please can you double-check that you have used in both tests (old and new
> vpnc version) exactly the same config file?

Yes, I used the same configuration because I actually didn't use a configuration, I specified everything on the command line.

> 2. Please can you also attach the config file (please replace all private data
> like IP addresses, user names and passwords with xxxx or so)?

No configuration:

% vpnc --gateway $gw --id $id --username $user --debug 3

> 3. Please can you also try whether changing the NAT mode helps by any chance?

Yup, disabling NAT seemed to work, however, I noticed a difference between two different VPNs.

One VPN works perfectly fine when I disable NAT from NetworkManager, but the other one never works. NM says it connected just fine, but it just doesn't work.

Comment 9 Felipe Contreras 2011-11-16 16:44:48 UTC
Why no update? The new version is clearly breaking existing use-cases, if there is no fix, it should be reverted.

Still happening on Fedora 16.

Comment 10 Felipe Contreras 2012-02-02 18:45:34 UTC
Obviously nobody cares if vpn is broken.