Bug 514071 - NetworkManager does not connect to Cisco VPN, although vpnc does
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: NetworkManager-vpnc
Version: 13
Hardware: i686
OS: Linux
low
high
Target Milestone: ---
Assignee: Dan Williams
QA Contact: Fedora Extras Quality Assurance
Duplicates: 619469
Reported: 2009-07-27 20:18 UTC by Chris Rankin
Modified: 2018-05-13 15:05 UTC (History)

Doc Type: Bug Fix
Last Closed: 2011-06-27 14:18:58 UTC
Type: ---


Attachments
A sanitised version of my PCF file (754 bytes, text/plain), 2009-07-27 20:23 UTC, Chris Rankin

Description Chris Rankin 2009-07-27 20:18:17 UTC
Description of problem:
Cannot use NetworkManager to connect to Cisco VPN as of 27th July 2009. Last successful connection via NM was on 23rd July 2009.

Version-Release number of selected component (if applicable):
NetworkManager-0.7.1-8.git20090708.fc11.i586
NetworkManager-glib-0.7.1-8.git20090708.fc11.i586
NetworkManager-gnome-0.7.1-8.git20090708.fc11.i586

How reproducible:
All the time.

Steps to Reproduce:
1. Existing VPN configuration imported from PCF file, about 7 months ago
2. Activate VPN via NM tray icon, and enter password
  
Actual results:
NM fails to authenticate with the VPN


Expected results:
Creation of tun0 device, and establishment of VPN


Additional info:
I tried to reimport my PCF file into NM, but NM rejected it as invalid. However, the pcf2vpnc perl script had no problem using it to create a default.conf file, and vpnc used this file to create a successful VPN despite NM's protestations.

Comment 1 Chris Rankin 2009-07-27 20:23:19 UTC
Created attachment 355318
A sanitised version of my PCF file

Here is what pcf2vpnc makes of my sanitised file (key notwithstanding):

## generated by pcf2vpnc
IPSec ID groupname
IPSec gateway 0.0.0.0
IPSec secret yadaydayadayadayada
Xauth username myusername
IKE Authmode psk
IKE DH Group dh2

Comment 2 Chris Rankin 2009-07-28 19:04:03 UTC
Reverting to these packages fixes the problem (for now):
NetworkManager-gnome-0.7.1-4.git20090414.fc11.i586
NetworkManager-glib-0.7.1-4.git20090414.fc11.i586
NetworkManager-0.7.1-4.git20090414.fc11.i586

Comment 3 Chris Rankin 2009-07-28 19:11:03 UTC
Note that even 0.7.1-4.git20090414.fc11.i586 cannot parse my perfectly valid PCF file.

Comment 4 Chris Rankin 2009-08-27 23:07:21 UTC
(In reply to comment #3)
> Note that even 0.7.1-4.git20090414.fc11.i586 cannot parse my perfectly valid
> PCF file.  

I have discovered that this PCF file is rejected only because the Description property is blank. The help message was absolutely *no use whatsoever* in diagnosing this.

Comment 5 Dan Williams 2009-11-06 06:09:40 UTC
(In reply to comment #4)
> (In reply to comment #3)
> > Note that even 0.7.1-4.git20090414.fc11.i586 cannot parse my perfectly valid
> > PCF file.  
> 
> I have discovered that this PCF file is rejected only because the Description
> property is blank. The help message was absolutely *no use whatsoever* in
> diagnosing this.  

This should be fixed in rawhide and will be fixed soon in F11/F10.

Comment 6 Dan Williams 2009-11-06 06:11:40 UTC
If this is still happening, try running nm-vpnc-service from a terminal (as root) with:

/usr/libexec/nm-vpnc-service

and then try to connect.  This will redirect vpnc's output to the terminal where we can get more information about the error.  Thanks!

Comment 7 David Chin 2009-11-23 20:01:30 UTC
I am having similar problems. What's weird is that I have colleagues who connect to the same VPN using Fedora Core 11 with no issues.

Anyway, to summarize:

1. Set up Cisco VPN connection but NM cannot connect.

2. Run /usr/libexec/nm-vpn-service from terminal (using sudo), and here's the output while the connection attempt was made:

** Message: <info>  vpnc started with pid 18985

/usr/sbin/vpnc: no response from target

** (process:18974): WARNING **: <WARN>  vpnc_watch_cb(): vpnc exited with error code 1

3. Ran vpnc from terminal with a config file that was converted with pcf2vpnc. (All attempts are with iptables off.):

    ## generated by pcf2vpnc
    IPSec ID MyNiceVPN
    IPSec gateway 11.22.33.45
    IPSec secret BigSecret3
    Xauth username myname
    IKE Authmode psk
    IKE DH Group dh2

a) First try:

    myself> sudo vpnc $HOME/mynicevpn.vpnc
    Enter password for myname.33.45:
    vpnc: no response from target

b) Second try, specifying local-port:

    myself> sudo vpnc --local-port 0 $HOME/mynicevpn.vpnc
    Enter password for myname.33.45:
    VPNC started in background (pid: 20061)...

So, knowing that, I added the line "Local Port 0" in the .vpnc file.

Comment 8 Chris Rankin 2009-11-26 23:45:22 UTC
(In reply to comment #6)
> If this is still happening, try running nm-vpnc-service from a terminal (as
> root) with:

It is no longer happening for me, and I have no idea what might have changed to get things working again.

Comment 9 Dan Williams 2009-11-29 02:52:53 UTC
Local Port "0" should be the default already if local port isn't specified in the config.  NM-vpnc doesn't send Local Port so I'd expect that to work.  I've committed some code upstream to turn on vpnc debugging manually which should show up soon in F12's NM-vpnc which we can use to try to help debug this.

Comment 10 Dan Williams 2009-12-23 22:41:25 UTC
David, this link:

https://admin.fedoraproject.org/updates/F11/FEDORA-2009-13032

has the NetworkManager-vpnc with updated debugging support.  To help diagnose your issue, do the following, as root:

1) killall -TERM nm-vpnc-service
2) VPNC_DEBUG=1 /usr/libexec/nm-vpnc-service
3) try to connect and get the problem to appear

then attach the output of nm-vpnc-service with the debug info to this bug.  I do not believe it will expose any passwords, but feel free to set the "Private" flag on the attachment just to be safe.  Thanks!

Comment 11 Bug Zapper 2010-04-28 09:24:22 UTC
This message is a reminder that Fedora 11 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 11.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '11'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 11's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 11 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 12 Dan Williams 2010-06-10 04:44:10 UTC
Closing due to lack of response.  Please re-open if you grab the info I've requested.  Thanks!

Comment 13 Toni Willberg 2010-08-30 06:28:48 UTC
Re-opening. I'm seeing this with Fedora 13 right after upgrading from Fedora 12 where it worked perfectly.

NetworkManager-0.8.1-4.git20100817.fc13.x86_64
NetworkManager-vpnc-0.8.1-1.fc13.x86_64
vpnc-0.5.3-7.fc13.x86_64
fedora-release-13-1.noarch


DEBUG OUTPUT:
***


VPNC_DEBUG=1 /usr/libexec/nm-vpnc-service
** Message: <info>  vpnc started with pid 4438

   
vpnc version 0.5.3
   hex_test: 00010203

S1 init_sockaddr
 [2010-08-30 09:25:48]

S2 make_socket
 [2010-08-30 09:25:48]
/usr/sbin/vpnc: Error binding to source port. Try '--local-port 0'
Failed to bind to 0.0.0.0:500: Address already in use

** (process:4435): WARNING **: <WARN>  vpnc_watch_cb(): vpnc exited with error code 1

***

(tested starting vpnc manually with --local-port 0 and it works)

Comment 14 Jirka Klimes 2010-08-30 14:08:36 UTC
The error is due to problem in binding the local port 500. The port 500 is used by vpnc client as default ISAKMP port.

However, some other process has already bound the port. Probably, you have 'openswan' package installed for managing IPsec. The package installs 'ipsec' service that runs 'pluto' daemon to perform key exchange for IPsec and it binds UDP port 500.

To release the port stop/disable ipsec service:
sudo service ipsec stop              (temporarily stops the service)
sudo chkconfig --level 35 ipsec off  (permanently disables the service)

Or you can just remove openswan if you don't use it.

Comment 15 Toni Willberg 2010-08-30 14:22:07 UTC
Jirka, thank you for the solution, it was ipsec service hanging on the port.

I think there's a need to add some permanent solution to this also. Is the port configurable for NetworkManager-vpnc? I didn't find anything in the docs. If we change the default port from 500 to some upper port we shouldn't have this problem anymore.

Comment 16 David Chin 2010-08-30 14:27:17 UTC
(In reply to comment #14)
> The error is due to problem in binding the local port 500. The port 500 is used
> by vpnc client as default ISAKMP port.
> 
> However, some other process has already bound the port. Probably, you have
> 'openswan' package installed for managing IPsec. The package installs 'ipsec'
> service that runs 'pluto' daemon to perform key exchange for IPsec and it binds
> UDP port 500.
> 
> To release the port stop/disable ipsec service:
> sudo service ipsec stop              (temporarily stops the service)
> sudo chkconfig --level 35 ipsec off  (permanently disables the service)
> 
> Or you can just remove openswan if you don't use it.

I am now running Fedora 13, and opened [Bug 619469].

Anyway, my ipsec service is off. According to netstat, port 500 is free.

But the VPNC client in NetworkManager still cannot connect.

I can do it from the commandline:

sudo /usr/sbin/vpnc --local-port 0 ~/etc/vpnc/myvpn.conf

Comment 17 Jirka Klimes 2010-10-15 13:11:28 UTC
vpnc actually uses local port 500 by default. So, without configuration, vpnc tries to bind port 500 and fails when it has already been bound.
I fixed that by sending 'Local Port 0' configuration to vpnc.

Upstream fix:
fcb196788634db66b30245f346812070604ff0ef (master)
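
The port conflict from comments 13 and 14 and the effect of 'Local Port 0' from comment 17, as an added example that is not part of the bug report or of NetworkManager-vpnc. The function names, the constructed /proc/net/udp sample and the use of an unprivileged port as a stand-in for UDP 500 are assumptions made for illustration.

```python
import errno
import socket

# Constructed sample in /proc/net/udp format (not taken from the bug report).
# local_address is <little-endian hex IPv4>:<hex port>; 0x01F4 == 500 (ISAKMP).
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  10: 00000000:01F4 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 15321 2 0000000000000000 0
  11: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 14002 2 0000000000000000 0
  12: 00000000:1194 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 15322 2 0000000000000000 0
"""

def udp_holders(proc_net_udp, port):
    """Return (local IPv4, socket inode) for every UDP socket bound to `port`."""
    holders = []
    for line in proc_net_udp.splitlines()[1:]:       # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        addr_hex, port_hex = fields[1].split(":")
        if int(port_hex, 16) != port:
            continue
        # The kernel prints the address as a little-endian 32-bit hex word.
        ip = socket.inet_ntoa(bytes.fromhex(addr_hex)[::-1])
        holders.append((ip, int(fields[9])))          # field 9 is the inode
    return holders

def try_bind(port, host="0.0.0.0"):
    """Bind a UDP socket; return (socket, bound port), or (None, None) if taken."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((host, port))
    except OSError as exc:
        sock.close()
        if exc.errno == errno.EADDRINUSE:
            return None, None
        raise
    return sock, sock.getsockname()[1]

def demo():
    """An unprivileged port stands in for UDP 500 held by another daemon."""
    holder, held = try_bind(0)            # the process already on the port
    fixed, _ = try_bind(held)             # fixed source port: EADDRINUSE
    any_sock, any_port = try_bind(0)      # port 0: kernel assigns a free port
    result = (fixed is None, any_port not in (0, held))
    for s in (holder, any_sock):
        s.close()
    return result
```

On a live system, pass the contents of /proc/net/udp to `udp_holders(..., 500)`; the returned inode can be matched against the `socket:[inode]` links under /proc/<pid>/fd to name the owning process.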

Comment 18 Jirka Klimes 2010-10-15 13:20:01 UTC
*** Bug 619469 has been marked as a duplicate of this bug. ***

Comment 19 Bug Zapper 2011-06-02 17:52:50 UTC
This message is a reminder that Fedora 13 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 13.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '13'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 13's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 13 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 20 Bug Zapper 2011-06-27 14:18:58 UTC
Fedora 13 changed to end-of-life (EOL) status on 2011-06-25. Fedora 13 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 21 Jose Mantilla 2018-05-13 15:05:24 UTC
I am using Fedora 28 -- I tried Fedora 26, 27-- and I get the same stupid error:

vpnc: no response from target

I have done all the previous steps and nothing, but in Ubuntu it works! I want to continue with Fedora. What is happening with vpnc?

May 13 09:48:51 soporte.fedora.local NetworkManager[1248]: /usr/sbin/vpnc: no response from target
May 13 09:48:51 soporte.fedora.local NetworkManager[1248]: <warn>  [1526222931.9124] vpn-connection[0x5615a3e8a360,a41791d3-9d90-44c2-8272-ae98735010be,"SIC",0]: VPN plugin: failed: connect-failed (1)
May 13 09:48:51 soporte.fedora.local NetworkManager[1248]: <warn>  [1526222931.9126] vpn-connection[0x5615a3e8a360,a41791d3-9d90-44c2-8272-ae98735010be,"SIC",0]: VPN plugin: failed: connect-failed (1)
May 13 09:48:51 soporte.fedora.local NetworkManager[1248]: <info>  [1526222931.9126] vpn-connection[0x5615a3e8a360,a41791d3-9d90-44c2-8272-ae98735010be,"SIC",0]: VPN plugin: state changed: stopping (5)

Has someone fixed this exactly?

