gmane.network.vpnc.devel

Help ! Vpnc-nortel don't work...

Alberto . — 2013-05-22T10:47:51

Hi ,
my company use a Nortel device as VPN concentrator to permit remote access to it's internal network.
Usually I use  Contivity client for Windows to connect and working from everywhere but I'd like to do the same also from my linux machine ...

Unfortunatly the connection from linux don't work , because the link isn't stable and was always dropped after 30-40 secs...
I have tried several configuration but without success....

I hope that you could help me....
To give you all needed info I  attached the following  files :

- the trace of execution of vpnc with debug level 3 ,
- the vpnc configuration 
- the info showed by working Windows Nortel Contivity client

.... and ....

- the source code of an old  linux client for nortel vpn ( for kernel 2.4 / 2.6 )


Thanx in advance...
Al


---------------------------------------------------------------------------------------------------------------------------------------------Onesto è colui che cambia il proprio pensiero per accordarlo alla veritàDisonesto

Re: vpnc doesn't work with libgcrypt build with caps support

Florian Schlichting — 2013-05-06T07:06:04

Hi Antonio,


that sounds a little worrying!

While vpnc as-is works reasonably well for many people and ipsec-based VPN
generally seems to be on the decline (at least for Cisco), so lots of
upstream development may not be needed or worthwhile any more, I think
there still needs to be someone who picks up the patches that get sent
to the mailing list. Thorough testing may not be necessary or can be
done by the bug reporters / patch submitters / SVN version users, but it
would be good to keep the upstream repository as a central place to
collect contributions.

Would you (or anybody else with commit access) stay around to do
something like that?

Florian
- maintaining vpnc in Debian -

Re: vpnc doesn't work with libgcrypt build with caps support

Richard Grenville — 2013-05-02T16:10:10

Hello Antonio Borneo and Justin Lecher,

I'm the original reporter of the bug on Gentoo side. Justin Lecher told
me to continue the discussion here.


Oh, I remember openvpn supports dropping privileges after establishing
tunnel, so I thought vpnc could as well. I didn't look into how openvpn
achieved that, though.


It sounds like the easiest option, but Justin apparently doesn't like it
("libgcrypt is not an option from the gentoo packaging guideline
perspective.")


Yeah, sounds pretty tricky indeed.


I might be able to provide a Cisco VPN account for testing, but probably
only during very limited hours in a day, if you really really can't find
a better way to test this.


I could confirm the trick works in my brief test with
net-misc/vpnc-0.5.3_p527.

With my severely limited comprehension of the situation, what I could
see regarding libgcrypt's secure memory implementation are:

1. Secure memory is (usually) allocated via mmap() with MAP_PRIVATE |
MAP_ANONYMOUS (src/secmem.c, init_pool()), while standa

Re: vpnc doesn't work with libgcrypt build with caps support

Justin — 2013-05-02T10:57:47

Hello Antonio,


I would like someone to pick up this idea and do the work.


I tried this and it works. How severe would you consider the security
reduction?
Is this something one could do or rather a no-go?

Thanks for the quick response,
Justin

Re: vpnc doesn't work with libgcrypt build with capssupport

Antonio Borneo — 2013-05-01T16:48:33

Hi Justin,

On Wed, May 1, 2013 at 9:27 PM, Justin <jlec-aBrp7R+bbdUdnm+yROfE0A< at >public.gmane.org> wrote:

Well spotted!


In the long term it will require a special libgcrypt for vpnc only!
I'm not sure this is the right way.


Root privileges are required also at vpnc exit to resume initial
routing table and DNS and to remove tun/tap device. Dropping
privileges is not correct.
Probably the solution is to split vpnc is two tasks, one that keeps
root privileges and another that uses GCRYCTL_INIT_SECMEM. But it's a
major rework!


I'm not anymore active in vpnc, since all my accounts with Cisco or
Nortel vpn are over.
I even cannot test completely a new binary.

Digging with google, one possible solution is by stop using secure
memory and use the standard allocator:
-       gcry_control(GCRYCTL_INIT_SECMEM, 16384, 0);
+      gcry_control(GCRYCTL_DISABLE_SECMEM);
This could have drawbacks in terms of security. Need deeper investigation.

In mean time would be good if you could test the code change above.

Best

vpnc doesn't work with libgcrypt build with capssupport

Justin — 2013-05-01T13:27:25

Hello,

I would like to forward to you a bug report I received
(https://bugs.gentoo.org/show_bug.cgi?id=467744):


Problem:

net-misc/vpnc-0.5.3_p527 doesn't connect to server with
dev-libs/libgcrypt-1.5.2[caps] (the "caps" USE flag was added yesterday,
by the way):

----
# vpnc /etc/vpnc/vpnc.conf --debug 3

vpnc version 0.5.3
   hex_test: 00010203

S1 init_sockaddr
 [2013-04-28 21:41:02]

S2 make_socket
 [2013-04-28 21:41:03]
vpnc: Error binding to source port. Try '--local-port 0'
Failed to bind to 0.0.0.0:500: Permission denied

## Try an unprivileged port
# vpnc /etc/vpnc/vpnc.conf --debug 3 --local-port 10942

vpnc version 0.5.3
   hex_test: 00010203

S1 init_sockaddr
 [2013-04-28 21:41:59]

S2 make_socket
 [2013-04-28 21:42:00]

S3 setup_tunnel
 [2013-04-28 21:42:00]
   using interface
vpnc: can't initialise tunnel interface: Operation not permitted
----

With dev-libs/libgcrypt-1.5.2[-caps] it works correctly.

I did a bit debugging, and found vpnc calls
"gcry_control(GCRYCTL_INIT_SECMEM, 16384, 0);"

VPNC no longer connecting?

Darin McBride — 2013-04-22T16:15:07

Yesterday, vpnc connected to my office.  Today, it doesn't.  And, of course, 
$work doesn't want to support me at all for reasons I can never quite 
understand.

I'm hoping someone here will have some sort of idea what's going on, as I can 
no longer do any work.

The end of the --debug 98 looks like this:

   PARSING PAYLOAD type: 00 (ISAKMP_PAYLOAD_NONE)
   PARSE_OK
   got ike lifetime attributes: 2147483 seconds
   IKE SA selected psk+xauth-3des-sha1
   unknown ISAKMP_PAYLOAD_VID: 12f5f28c 457168a9 702d9fe2 74cc0100
   peer is XAUTH capable (draft-ietf-ipsec-isakmp-xauth-06)
   ignoring that peer is DPD capable (RFC3706)
   peer is NAT-T capable (RFC 3947)
   peer is using type 20 (ISAKMP_PAYLOAD_NAT_D) for NAT-Discovery payloads
   peer is using type 20 (ISAKMP_PAYLOAD_NAT_D) for NAT-Discovery payloads
   unknown ISAKMP_PAYLOAD_VID:
   4048b7d5 6ebce885 25e7de7f 00d6c2d3 c0000000
   unknown ISAKMP_PAYLOAD_VID: 1f07f70e aa6514d3 b0fa9654 2a500100
   dh_shared_secret:
   a786d3c9 5f2f9f1d e0b5ad9e e8ab8a33

Timeout issue (rekeying?)

Tobia Conforto — 2013-04-04T17:47:11

I'm having a timeout issue: after 30m vpnc dies with message "vpnc: no
response from target". The lifetime advertised by the server is 8h.

Here is an abridged version of the log:

VPNC started in foreground
(it works for exactly 30m, then:)
S7.1 QM_packet1
S7.2 QM_packet2 send_receive
S7.3 QM_packet2 validate type
vpnc: no response from target

Full --debug 3 is available here:
http://www.gruppo4.com/~tobia/vpnc_vr_3.log

Many thanks to whomever will help me figure out what the problem might be.

Best regards,
Tobia

Stable release issue

Tobia Conforto — 2013-04-04T16:29:04

Hello

I'm writing to raise an issue that is probably of low interest to vpnc
developers, but is of some relevance to the user base at large.

Recently I was having a problem with the dead peer detection firing at
random. After some googling I found Mihai's post from 2010 [1]. I
cursed the ancient Debian package and went off to recompile vpnc from
the latest sources.

I did so, downloading the latest tarball from the website, only to
discover (hours later) that it *still* didn't include that fix from
2010.

Now, I have no problem building from svn, (that's what I did, at last)
but I think it's misleading to offer "stable" releases for download on
the project's website without either 1) a maintainer that periodically
releases them, or 2) a notice that users are advised to checkout from
svn.

So, in the absence of 1), I would suggest that somebody who has access
to the website adds a notice to direct users (and distribution
packagers) to use the latest commit. I believe this would save a
non-trivial amount of

Re: Issues with XAUTH and 2-factor authentication (Username/Password and SecureID) and how I got mine working

Antonio Borneo — 2013-03-17T02:39:36

Thanks!

Antonio

Re: Issues with XAUTH and 2-factor authentication (Username/Password and SecureID) and how I got mine working

Daniel Motles — 2013-03-16T16:20:22

Hi Antonio,

The changes you made to vpnc-nortel (r527) work for me when specifying
the vendor as cisco. I just tested them out and connected fine.

Dan Motles

On Sun, Mar 10, 2013 at 11:05 AM, Antonio Borneo
<borneo.antonio-Re5JQEeQqe8AvxtiuMwx3w< at >public.gmane.org> wrote:

Re: [PATCH 0/4] Unprivileged daemon

Alon Bar-Lev — 2013-03-15T21:18:33

https://github.com/alonbl/vpnc-scripts/compare/master...unprivileged

Re: [PATCH 0/4] Unprivileged daemon

Alon Bar-Lev — 2013-03-15T21:18:04

0/5 of course...

https://github.com/alonbl/vpnc/compare/master...unprivileged

[PATCH 4/4] support route metric

Alon Bar-Lev — 2013-03-15T21:13:14

This adds optional ROUTE_METRIC environment variable to vpnc-script to
allow set non default routes and dns metrics.

Signed-off-by: Alon Bar-Lev <alon.barlev-Re5JQEeQqe8AvxtiuMwx3w< at >public.gmane.org>
---
 vpnc-script | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/vpnc-script b/vpnc-script
index cd12324..3e1472c 100755
--- a/vpnc-script
+++ b/vpnc-script
< at >< at > -238,7 +238,7 < at >< at > if [ -n "$IPROUTE" ]; then
 NETWORK="$1"
 NETMASK="$2"
 NETMASKLEN="$3"
-$IPROUTE route replace "$NETWORK/$NETMASKLEN" dev "$TUNDEV"
+$IPROUTE route replace "$NETWORK/$NETMASKLEN" dev "$TUNDEV" ${ROUTE_METRIC:+metric ${ROUTE_METRIC}}
 $IPROUTE route flush cache
 }
 
< at >< at > -553,7 +553,7 < at >< at > nameserver $i"
 NEW_RESOLVCONF="$NEW_RESOLVCONF
 domain $CISCO_DEF_DOMAIN"
 fi
-echo "$NEW_RESOLVCONF" | ${RESOLVCONF} -a $TUNDEV
+echo "$NEW_RESOLVCONF" | ${RESOLVCONF} ${ROUTE_METRIC:+-m ${ROUTE_METRIC}} -a $TUNDEV
 }
 
 restore_resolvconf_manager() {

[PATCH 3/4] always run the vpnc-script at exit

Alon Bar-Lev — 2013-03-15T21:13:13

This allows persisted tun device to be cleaned up for reuse.

This is the minimal change to reach the goal using atexit(),
not sure it is the best way.

Signed-off-by: Alon Bar-Lev <alon.barlev-Re5JQEeQqe8AvxtiuMwx3w< at >public.gmane.org>
---
 vpnc-script | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/vpnc-script b/vpnc-script
index 0b68623..cd12324 100755
--- a/vpnc-script
+++ b/vpnc-script
< at >< at > -738,7 +738,9 < at >< at > do_disconnect() {
 $IPROUTE -6 addr del $INTERNAL_IP6_NETMASK dev $TUNDEV
 fi
 fi
+}
 
+destroy() {
 destroy_tun_device
 }
 
< at >< at > -767,6 +769,10 < at >< at > case "$reason" in
 reconnect)
 run_hooks reconnect
 ;;
+destroy)
+run_hooks destroy
+do_destroy
+;;
 *)
 echo "unknown reason '$reason'. Maybe vpnc-script is out of date" 1>&2
 exit 1

[PATCH 2/4] delete tun address on disconnect

Alon Bar-Lev — 2013-03-15T21:13:12

This enables persist tun device to be reused in future
connections.

ipv6 is not tested.

Maybe it would be cleaner to define functions for address
manipulation, not sure.

To be simple, this patch only handles iproute2.

Signed-off-by: Alon Bar-Lev <alon.barlev-Re5JQEeQqe8AvxtiuMwx3w< at >public.gmane.org>
---
 vpnc-script | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/vpnc-script b/vpnc-script
index 07dd2b0..0b68623 100755
--- a/vpnc-script
+++ b/vpnc-script
< at >< at > -725,6 +725,20 < at >< at > do_disconnect() {
 if [ -n "$INTERNAL_IP4_DNS" ]; then
 $RESTORERESOLVCONF
 fi
+
+if [ -n "$IPROUTE" ]; then
+if [ -n "$INTERNAL_IP4_ADDRESS" ]; then
+$IPROUTE addr del "$INTERNAL_IP4_ADDRESS/255.255.255.255" peer "$INTERNAL_IP4_ADDRESS" dev "$TUNDEV"
+fi
+# If the netmask is provided, it contains the address _and_ netmask
+if [ -n "$INTERNAL_IP6_ADDRESS" ] && [ -z "$INTERNAL_IP6_NETMASK" ]; then
+INTERNAL_IP6_NETMASK="$INTERNAL_IP6_ADDRESS/128"
+fi
+if [ -n "$INTERNAL_IP6_NETMASK" ]; then
+

[PATCH 0/4] Unprivileged daemon

Alon Bar-Lev — 2013-03-15T21:13:10

1. Allow overriding utilities.
2. Allow overriding rootfs location.
3. Handle tun interface cleanup when disconnect.
4. Support route and dns metrics.

This patch is against vpnc-scripts repository.
It is a resent as was not applied.

Alon Bar-Lev (4):
  allow overriding utilities and /var/run location
  delete tun address on disconnect
  always run the vpnc-script at exit
  support password program

 config.c        |  17 +++++-
 config.h        |   1 +
 tunip.c         |   2 +-
 tunip.h         |   1 +
 vpnc-disconnect |   3 +-
 vpnc-script     |  42 +++++++++++----
 vpnc.c          | 165 ++++++++++++++++++++++++++++++++++++++++++++++++++++++--
 vpnc.h          |   2 +
 8 files changed, 215 insertions(+), 18 deletions(-)

[PATCH 1/4] allow overriding utilities and /varlocation

Alon Bar-Lev — 2013-03-15T21:13:11

This patch enables a wrapper to override the /sbin/ip and
/sbin/resolvconf utilities, and the /etc, /var locations.

The idea is to allow non-root execution of vpnc, as tun
can be used by unprivileged user.

A simple vpnc-script wrapper such as the following is doing
the work:
 ---
export HOOKS_DIR="/home/user/vpnc"
export VAR_RUN="/home/user/vpnc/run"
export IPROUTE="sudo /sbin/ip"
export RESOLVCONF="sudo /sbin/resolvconf"

exec /etc/vpnc/vpnc-script
 ---

Configuration:
 ---
Interface name vpn0
Local Port 0
Pidfile /home/user/vpnc/run/pid
Script /home/user/vpnc/vpnc-script
 ---

Signed-off-by: Alon Bar-Lev <alon.barlev-Re5JQEeQqe8AvxtiuMwx3w< at >public.gmane.org>
---
 vpnc-script | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)

diff --git a/vpnc-script b/vpnc-script
index 047e94a..07dd2b0 100755
--- a/vpnc-script
+++ b/vpnc-script
< at >< at > -77,19 +77,20 < at >< at > PATH=/sbin:/usr/sbin:$PATH
 
 OS="`uname -s`"
 
-HOOKS_DIR=/etc/vpnc
-DEFAULT_ROUTE_FILE=/var/run/vpnc/defaultroute
-RESOLV_CONF_B

[PATCH 3/5] always run the vpnc-script at exit

Alon Bar-Lev — 2013-03-15T21:11:16

This allows persisted tun device to be cleaned up for reuse.

This is the minimal change to reach the goal using atexit(),
not sure it is the best way.

Signed-off-by: Alon Bar-Lev <alon.barlev-Re5JQEeQqe8AvxtiuMwx3w< at >public.gmane.org>
---
 tunip.h     |  1 +
 vpnc-script |  5 +++++
 vpnc.c      | 28 +++++++++++++++++++++++++---
 3 files changed, 31 insertions(+), 3 deletions(-)

diff --git a/tunip.h b/tunip.h
index 216fdf0..eaeab5a 100644
--- a/tunip.h
+++ b/tunip.h
< at >< at > -64,6 +64,7 < at >< at > struct sa_block {
 int tun_fd; /* fd to host via tun/tap */
 char tun_name[IFNAMSIZ];
 uint8_t tun_hwaddr[ETH_ALEN];
+int tun_configured;
 
 struct in_addr dst; /* ip of concentrator, must be set */
 struct in_addr src; /* local ip, from getsockname() */
diff --git a/vpnc-script b/vpnc-script
index 0b68623..eb9749d 100755
--- a/vpnc-script
+++ b/vpnc-script
< at >< at > -738,7 +738,9 < at >< at > do_disconnect() {
 $IPROUTE -6 addr del $INTERNAL_IP6_NETMASK dev $TUNDEV
 fi
 fi
+}
 
+do_destroy() {
 destroy_tun_device
 }
 
< at >< at > -767,6 +76

[PATCH 4/5] support route metric

Alon Bar-Lev — 2013-03-15T21:11:17

This adds optional ROUTE_METRIC environment variable to vpnc-script to
allow set non default routes and dns metrics.

Signed-off-by: Alon Bar-Lev <alon.barlev-Re5JQEeQqe8AvxtiuMwx3w< at >public.gmane.org>
---
 vpnc-script | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/vpnc-script b/vpnc-script
index eb9749d..9a98628 100755
--- a/vpnc-script
+++ b/vpnc-script
< at >< at > -238,7 +238,7 < at >< at > if [ -n "$IPROUTE" ]; then
 NETWORK="$1"
 NETMASK="$2"
 NETMASKLEN="$3"
-$IPROUTE route replace "$NETWORK/$NETMASKLEN" dev "$TUNDEV"
+$IPROUTE route replace "$NETWORK/$NETMASKLEN" dev "$TUNDEV" ${ROUTE_METRIC:+metric ${ROUTE_METRIC}}
 $IPROUTE route flush cache
 }
 
< at >< at > -553,7 +553,7 < at >< at > nameserver $i"
 NEW_RESOLVCONF="$NEW_RESOLVCONF
 domain $CISCO_DEF_DOMAIN"
 fi
-echo "$NEW_RESOLVCONF" | ${RESOLVCONF} -a $TUNDEV
+echo "$NEW_RESOLVCONF" | ${RESOLVCONF} ${ROUTE_METRIC:+-m ${ROUTE_METRIC}} -a $TUNDEV
 }
 
 restore_resolvconf_manager() {

[PATCH 5/5] support password program

Alon Bar-Lev — 2013-03-15T21:11:18

Allows to integrate UI, similar to ssh-askpass, program prompt user
for password and echo result to stdout.

Settings:
 ---
Password Program /home/alonbl/vpnc/vpnc-getpass
Xauth interactive
 ---

vpn-getpass script for KDE:
 ---
prompt="$1"
exec kdialog --title "vpnc" --password "$prompt";
 ---

vpn-getpass script for KDE with SecurID:
 ---
prompt="$1"
pass="$(kdialog --title "vpnc" --password "$prompt")" || exit 1
otp="$(RSA_SecurID_getpasswd)" || exit 1
echo "${pass}${otp}"
exit 0
 ---

Signed-off-by: Alon Bar-Lev <alon.barlev-Re5JQEeQqe8AvxtiuMwx3w< at >public.gmane.org>
---
 config.c |  17 +++++++-
 config.h |   1 +
 tunip.c  |   2 +-
 vpnc.c   | 137 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 vpnc.h   |   2 +
 5 files changed, 155 insertions(+), 4 deletions(-)

diff --git a/config.c b/config.c
index 7080630..36227b7 100644
--- a/config.c
+++ b/config.c
< at >< at > -469,6 +469,13 < at >< at > static const struct config_names_s {
 "Target network in dotted decimal or CIDR notation\n",
 config_def_target_