Bug 449283 - Only default route is set when connecting to concentrator
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: NetworkManager-vpnc
Version: 9
Hardware: All Linux
Priority: low
Severity: high
Assigned To: Dan Williams
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-06-01 14:04 EDT by kelsey hudson
Modified: 2008-12-21 18:42 EST

Doc Type: Bug Fix
Last Closed: 2008-12-21 18:38:40 EST
Description kelsey hudson 2008-06-01 14:04:37 EDT
Description of problem:
VPN Concentrators that feed lists of split-tunneled networks back to the client
for routing through the tunnel are silently ignored and only a default route is
set through the tun/tap interface.

Version-Release number of selected component (if applicable):
All versions

How reproducible:
100%

Steps to Reproduce:
1. Configure a Cisco vpn headend device for split-tunnel ipsec.
2. Use vpnc on the command-line to connect to the headend device. The
tunnel-specified routes will show up in the kernel routing table. Disconnect.
3. Configure networkmanager to connect to this same vpn. The kernel routing
table will have the default route going through the tun/tap device every time,
ignoring the tunneled networks list sent down from the concentrator.

  
Actual results:
A default route through the tun/tap device regardless of the concentrator's
split tunnel setting.


Expected results:
Only routes specified by the concentrator to cross the ipsec tunnel should be
added to the kernel routing table. If split tunneling is not turned on, a
default route should be applied to the tun/tap device.

Additional info:

Contact me with any questions or for sample cisco device configurations which
can be used to easily reproduce this issue.
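
Added example (not part of the original report, and not NetworkManager or vpnc code): a POSIX shell check that classifies `ip -4 route show` output into the two outcomes described above, a default route through the tunnel device versus only the concentrator's split-tunnel networks. The routing tables and the networks 10.10.0.0/16 and 172.16.5.0/24 are constructed sample values, and `classify_routes` is a hypothetical helper name.

```sh
# classify_routes DEV ROUTES EXPECTED  (hypothetical helper, added example)
#   DEV       tunnel interface, e.g. tun0
#   ROUTES    text of `ip -4 route show`
#   EXPECTED  space-separated networks the concentrator is expected to push,
#             written the way `ip route` prints them
# Prints one of: full-tunnel | split-tunnel | incomplete | no-tunnel-routes
classify_routes() {
    printf '%s\n' "$2" | awk -v tun="$1" -v expected="$3" '
        {
            # The interface is the word following the "dev" keyword.
            ifname = ""
            for (i = 1; i < NF; i++) if ($i == "dev") ifname = $(i + 1)
            if (ifname != tun) next
            if ($1 == "default" || $1 == "0.0.0.0/0") has_default = 1
            else if (!($1 in via_tun)) { via_tun[$1] = 1; count++ }
        }
        END {
            n = split(expected, want, " ")
            for (i = 1; i <= n; i++) if (!(want[i] in via_tun)) missing++
            if (has_default)      print "full-tunnel"       # outcome reported in this bug
            else if (count == 0)  print "no-tunnel-routes"
            else if (missing > 0) print "incomplete"
            else                  print "split-tunnel"      # outcome seen with plain vpnc
        }'
}

# Constructed sample: table as described under "Actual results".
NM_TABLE='default dev tun0 scope link
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev eth0'

# Constructed sample: table as described under "Expected results".
VPNC_TABLE='default via 192.168.1.1 dev eth0
10.10.0.0/16 dev tun0 scope link
172.16.5.0/24 dev tun0 scope link
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev eth0'

EXPECTED='10.10.0.0/16 172.16.5.0/24'   # constructed split-tunnel list

classify_routes tun0 "$NM_TABLE"   "$EXPECTED"
classify_routes tun0 "$VPNC_TABLE" "$EXPECTED"
# On a live system: classify_routes tun0 "$(ip -4 route show)" "$EXPECTED"
```
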
Comment 1 Rogers W. Claggett 2008-07-26 07:55:24 EDT
Me too. I originally thought this was a vpnc problem but it turned out to be a
routing problem (I think).  Vpnc set up the connection but the tun0 and default
had to be fiddled.  At this point I'm using a script and a personal /etc/vpnc
config file to invoke vpnc and fiddle the routes.  Is the NetworkManager at
fault?  It still sets up the vpn connection (I get the vpn welcome message) but
won't pass traffic since the routes aren't right.  Thanks for your help.
Comment 2 kelsey hudson 2008-07-28 20:11:31 EDT
It's both a design problem with vpnc (bad!) and something NetworkManager should
definitely take into account. vpnc doesn't actually set kernel routes directly,
and instead relies on a script which it calls post-connection to do it
(/usr/sbin/vpnc-script or something). This is well-documented in the vpnc man page.

NetworkManager is definitely the culprit in this case, as it either prevents
vpnc-script from being run or doesn't perform the necessary steps itself which
vpnc-script performs.

-kelsey
Comment 3 Fedora Update System 2008-11-23 18:05:13 EST
NetworkManager-0.7.0-0.12.svn4326.fc9, NetworkManager-vpnc-0.7.0-0.11.svn4326.fc9, NetworkManager-openvpn-0.7.0-16.svn4326.fc9, NetworkManager-pptp-0.7.0-0.12.svn4326.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/NetworkManager-0.7.0-0.12.svn4326.fc9,NetworkManager-vpnc-0.7.0-0.11.svn4326.fc9,NetworkManager-openvpn-0.7.0-16.svn4326.fc9,NetworkManager-pptp-0.7.0-0.12.svn4326.fc9
Comment 4 Fedora Update System 2008-11-23 18:07:33 EST
NetworkManager-0.7.0-0.12.svn4326.fc8, NetworkManager-vpnc-0.7.0-0.11.svn4326.fc8, NetworkManager-openvpn-0.7.0-16.svn4326.fc8, NetworkManager-pptp-0.7.0-0.12.svn4326.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/NetworkManager-0.7.0-0.12.svn4326.fc8,NetworkManager-vpnc-0.7.0-0.11.svn4326.fc8,NetworkManager-openvpn-0.7.0-16.svn4326.fc8,NetworkManager-pptp-0.7.0-0.12.svn4326.fc8
Comment 5 Fedora Update System 2008-11-26 01:15:04 EST
NetworkManager-0.7.0-0.12.svn4326.fc8, NetworkManager-vpnc-0.7.0-0.11.svn4326.fc8, NetworkManager-openvpn-0.7.0-16.svn4326.fc8, NetworkManager-pptp-0.7.0-0.12.svn4326.fc8 has been pushed to the Fedora 8 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with:
 su -c 'yum --enablerepo=updates-testing-newkey update NetworkManager NetworkManager-vpnc NetworkManager-openvpn NetworkManager-pptp'
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-10263
Comment 6 Fedora Update System 2008-11-26 01:19:09 EST
NetworkManager-0.7.0-0.12.svn4326.fc9, NetworkManager-vpnc-0.7.0-0.11.svn4326.fc9, NetworkManager-openvpn-0.7.0-16.svn4326.fc9, NetworkManager-pptp-0.7.0-0.12.svn4326.fc9 has been pushed to the Fedora 9 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with:
 su -c 'yum --enablerepo=updates-testing-newkey update NetworkManager NetworkManager-vpnc NetworkManager-openvpn NetworkManager-pptp'
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-10321
Comment 7 Fedora Update System 2008-11-26 01:23:05 EST
NetworkManager-pptp-0.7.0-0.12.svn4326.fc10, NetworkManager-openvpn-0.7.0-16.svn4326.fc10, NetworkManager-vpnc-0.7.0-0.11.svn4326.fc10, NetworkManager-0.7.0-0.12.svn4326.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2008-12-21 18:37:43 EST
NetworkManager-0.7.0-0.12.svn4326.fc9, NetworkManager-vpnc-0.7.0-0.11.svn4326.fc9, NetworkManager-openvpn-0.7.0-16.svn4326.fc9, NetworkManager-pptp-0.7.0-0.12.svn4326.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2008-12-21 18:42:46 EST
NetworkManager-0.7.0-0.12.svn4326.fc8, NetworkManager-vpnc-0.7.0-0.11.svn4326.fc8, NetworkManager-openvpn-0.7.0-16.svn4326.fc8, NetworkManager-pptp-0.7.0-0.12.svn4326.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
