Bug 449283 - Only default route is set when connecting to concentrator
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: NetworkManager-vpnc
Version: 9
Hardware: All
OS: Linux
low
high
Target Milestone: ---
Assignee: Dan Williams
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-06-01 18:04 UTC by kelsey hudson
Modified: 2008-12-21 23:42 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-12-21 23:38:40 UTC



Description kelsey hudson 2008-06-01 18:04:37 UTC
Description of problem:
VPN Concentrators that feed lists of split-tunneled networks back to the client
for routing through the tunnel are silently ignored and only a default route is
set through the tun/tap interface.

Version-Release number of selected component (if applicable):
All versions

How reproducible:
100%

Steps to Reproduce:
1. Configure a Cisco VPN headend device for split-tunnel IPsec.
2. Use vpnc on the command-line to connect to the headend device. The
tunnel-specified routes will show up in the kernel routing table. Disconnect.
3. Configure NetworkManager to connect to this same VPN. The kernel routing
table will have the default route going through the tun/tap device every time,
ignoring the tunneled networks list sent down from the concentrator.

  
Actual results:
A default route through the tun/tap device regardless of the concentrator's
split tunnel setting.


Expected results:
Only routes specified by the concentrator to cross the ipsec tunnel should be
added to the kernel routing table. If split tunneling is not turned on, a
default route should be applied to the tun/tap device.

Additional info:

Contact me with any questions or for sample Cisco device configurations which
can be used to easily reproduce this issue.

Comment 1 Rogers W. Claggett 2008-07-26 11:55:24 UTC
Me too. I originally thought this was a vpnc problem but it turned out to be a
routing problem (I think).  Vpnc set up the connection but the tun0 and default
had to be fiddled.  At this point I'm using a script and a personal /etc/vpnc
config file to invoke vpnc and fiddle the routes.  Is the NetworkManager at
fault?  It still sets up the vpn connection (I get the vpn welcome message) but
won't pass traffic since the routes aren't right.  Thanks for your help.

Comment 2 kelsey hudson 2008-07-29 00:11:31 UTC
It's both a design problem with vpnc (bad!) and something NetworkManager should
definitely take into account. vpnc doesn't actually set kernel routes directly,
and instead relies on a script which it calls post-connection to do it
(/usr/sbin/vpnc-script or something). This is well-documented in the vpnc man page.

NetworkManager is definitely the culprit in this case, as it either prevents
vpnc-script from being run or doesn't perform the necessary steps itself which
vpnc-script performs.

-kelsey
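
Added example, not part of the original thread and not code from vpnc or NetworkManager: a shell sketch of the route selection described under "Expected results", plus a check that flags the reported symptom in a routing table. It assumes the `CISCO_SPLIT_INC*` and `TUNDEV` variables that vpnc exports to vpnc-script and `ip route show` style text; the function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Print the routes that should use the tunnel, one "dest dev" per line.
# CISCO_SPLIT_INC is the number of split-tunnel networks sent by the
# concentrator; CISCO_SPLIT_INC_<n>_ADDR / _MASKLEN describe each one.
expected_routes() {
    dev=${TUNDEV:-tun0}
    count=${CISCO_SPLIT_INC:-0}
    if [ "$count" -eq 0 ]; then
        # No split list: full tunnel, default route via the tunnel device.
        echo "default $dev"
        return 0
    fi
    i=0
    while [ "$i" -lt "$count" ]; do
        # Only the variable *name* is built by eval; values are not re-parsed.
        eval "addr=\${CISCO_SPLIT_INC_${i}_ADDR}"
        eval "len=\${CISCO_SPLIT_INC_${i}_MASKLEN}"
        echo "$addr/$len $dev"
        i=$((i + 1))
    done
}

# True if the route table text in $1 has destination $2 on device $3.
has_route() {
    printf '%s\n' "$1" | awk -v d="$2" -v t="$3" '
        $1 == d { for (i = 2; i < NF; i++) if ($i == "dev" && $(i + 1) == t) f = 1 }
        END { exit !f }'
}

# Audit route table text ($1) against the concentrator's split list.
# Prints "ok", "default-via-tunnel" (the symptom in this bug) or "missing:<net>".
audit_routes() {
    dev=${TUNDEV:-tun0}
    if [ "${CISCO_SPLIT_INC:-0}" -gt 0 ] && has_route "$1" default "$dev"; then
        echo "default-via-tunnel"; return 0
    fi
    for dest in $(expected_routes | cut -d' ' -f1); do
        has_route "$1" "$dest" "$dev" || { echo "missing:$dest"; return 0; }
    done
    echo "ok"
}

# Constructed sample: two split networks sent, table shows the reported symptom.
TUNDEV=tun0 CISCO_SPLIT_INC=2
CISCO_SPLIT_INC_0_ADDR=10.1.0.0 CISCO_SPLIT_INC_0_MASKLEN=16
CISCO_SPLIT_INC_1_ADDR=192.168.50.0 CISCO_SPLIT_INC_1_MASKLEN=24
audit_routes "default dev tun0 scope link
192.168.1.0/24 dev eth0 scope link"
```

Host routes (/32) appear in `ip route show` without a prefix length, so a split list containing single hosts would need that case normalised before comparison.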

Comment 3 Fedora Update System 2008-11-23 23:05:13 UTC
NetworkManager-0.7.0-0.12.svn4326.fc9,NetworkManager-vpnc-0.7.0-0.11.svn4326.fc9,NetworkManager-openvpn-0.7.0-16.svn4326.fc9,NetworkManager-pptp-0.7.0-0.12.svn4326.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/NetworkManager-0.7.0-0.12.svn4326.fc9,NetworkManager-vpnc-0.7.0-0.11.svn4326.fc9,NetworkManager-openvpn-0.7.0-16.svn4326.fc9,NetworkManager-pptp-0.7.0-0.12.svn4326.fc9

Comment 4 Fedora Update System 2008-11-23 23:07:33 UTC
NetworkManager-0.7.0-0.12.svn4326.fc8,NetworkManager-vpnc-0.7.0-0.11.svn4326.fc8,NetworkManager-openvpn-0.7.0-16.svn4326.fc8,NetworkManager-pptp-0.7.0-0.12.svn4326.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/NetworkManager-0.7.0-0.12.svn4326.fc8,NetworkManager-vpnc-0.7.0-0.11.svn4326.fc8,NetworkManager-openvpn-0.7.0-16.svn4326.fc8,NetworkManager-pptp-0.7.0-0.12.svn4326.fc8

Comment 5 Fedora Update System 2008-11-26 06:15:04 UTC
NetworkManager-0.7.0-0.12.svn4326.fc8, NetworkManager-vpnc-0.7.0-0.11.svn4326.fc8, NetworkManager-openvpn-0.7.0-16.svn4326.fc8, NetworkManager-pptp-0.7.0-0.12.svn4326.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing-newkey update NetworkManager NetworkManager-vpnc NetworkManager-openvpn NetworkManager-pptp'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-10263

Comment 6 Fedora Update System 2008-11-26 06:19:09 UTC
NetworkManager-0.7.0-0.12.svn4326.fc9, NetworkManager-vpnc-0.7.0-0.11.svn4326.fc9, NetworkManager-openvpn-0.7.0-16.svn4326.fc9, NetworkManager-pptp-0.7.0-0.12.svn4326.fc9 has been pushed to the Fedora 9 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing-newkey update NetworkManager NetworkManager-vpnc NetworkManager-openvpn NetworkManager-pptp'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-10321

Comment 7 Fedora Update System 2008-11-26 06:23:05 UTC
NetworkManager-pptp-0.7.0-0.12.svn4326.fc10, NetworkManager-openvpn-0.7.0-16.svn4326.fc10, NetworkManager-vpnc-0.7.0-0.11.svn4326.fc10, NetworkManager-0.7.0-0.12.svn4326.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2008-12-21 23:37:43 UTC
NetworkManager-0.7.0-0.12.svn4326.fc9, NetworkManager-vpnc-0.7.0-0.11.svn4326.fc9, NetworkManager-openvpn-0.7.0-16.svn4326.fc9, NetworkManager-pptp-0.7.0-0.12.svn4326.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2008-12-21 23:42:46 UTC
NetworkManager-0.7.0-0.12.svn4326.fc8, NetworkManager-vpnc-0.7.0-0.11.svn4326.fc8, NetworkManager-openvpn-0.7.0-16.svn4326.fc8, NetworkManager-pptp-0.7.0-0.12.svn4326.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
