LinuxQuestions.org
Old 12-17-2004, 10:21 AM   #1
pohl886
LQ Newbie
 
Registered: Dec 2004
Posts: 15

Rep: Reputation: 0
Cisco VPN Client routing problem on Debian Sarge


Hi,

I have a routing problem with Cisco Systems VPN Client Version 4.0.5 (Rel) running on Debian sarge Kernel 2.6.8.

The Client connects to the VPN Gateway of my home university without errors, but I can't send any IP packages through the VPN device. The file resolv.conf gets replaced with a new version containing information about DNS while connected. As soon as I disconnect, my network connection is fine again.

Here is my kernel routing table and the output of vpnclient stat:

------------------------------------------------------------------------------------------------------
Kernel IP routing table
Destination     Gateway          Genmask          Flags Metric Ref Use Iface
134.225.188.0   0.0.0.0          255.255.255.0    U     0      0   0   eth0
0.0.0.0         134.225.188.254  0.0.0.0          UG    0      0   0   eth0
-------------------------------------------------------------------------------------------------------
Cisco Systems VPN Client Version 4.0.5 (Rel)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.8-1-686 #1 Thu Nov 25 04:34:30 UTC 2004 i686

VPN tunnel information.
Connection Entry: TU-extern
Client address: 130.149.216.30
Server address: 130.149.4.26
Encryption: 168-bit 3-DES
Authentication: HMAC-MD5
IP Compression: None
NAT passthrough is inactive
Local LAN Access is disabled

VPN traffic summary.
Time connected: 0 day(s), 00:07.59
Bytes in: 0
Bytes out: 0
Packets encrypted: 0
Packets decrypted: 0
Packets bypassed: 1063
Packets discarded: 149

Configured routes.
Secured Network Destination Netmask
0.0.0.0 0.0.0.0
---------------------------------------------------------------------------------------------------
The kernel routing table doesn't change whether I am connected to the VPN or not. Can anyone help me to figure out a route add command which adds a new route to the VPN Gateway?

Thanks Alexander
 
Old 12-17-2004, 10:45 AM   #2
pohl886
LQ Newbie
 
Registered: Dec 2004
Posts: 15

Original Poster
Rep: Reputation: 0
VPN Interface

Under Windows the VPN Client adds the appropriate route to the gateway automatically and I assume the behavior under Linux is not different. But which interface should the program take? The kernel module cisco_ipsec.ko doesn't add any new network devices. Under Windows there is a virtual network device called Cisco VPN Adapter.

----------------------------------------------------------
ifconfig output:

eth0      Link encap:Ethernet HWaddr 00:0D:60:77:BF:71
          inet addr:134.225.188.14 Bcast:134.225.188.255 Mask:255.255.255.0
          inet6 addr: fe80::20d:60ff:fe77:bf71/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:1972 errors:0 dropped:0 overruns:0 frame:0
          TX packets:594 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:465964 (455.0 KiB) TX bytes:90064 (87.9 KiB)
          Base address:0x8000 Memory:c0220000-c0240000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:18768 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18768 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3452609 (3.2 MiB) TX bytes:3452609 (3.2 MiB)

------------------------------------------------------------
/etc/resolv.conf

search readingconnect.net
nameserver 134.225.159.34
nameserver 134.225.159.98
---------------------------------------------------------------
while connected:

domain tu-berlin.de
nameserver 130.149.2.12
nameserver 130.149.4.20
search tu-berlin.de readingconnect.net
----------------------------------------------------------------
/etc/network/interfaces:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet dhcp
-----------------------------------------------------------------
I'm afraid I can't use the open source vpn client "vpnc" because it requires a plain text vpngroup password. All I have to connect is a .pcf file supplied from my home university with an encoded password, which is fine for the Cisco client.

Alexander

Last edited by pohl886; 12-17-2004 at 10:53 AM.
 
Old 12-17-2004, 11:36 AM   #3
pohl886
LQ Newbie
 
Registered: Dec 2004
Posts: 15

Original Poster
Rep: Reputation: 0
tried the following:
-------------------------------------------------------------------------
route add -net 0.0.0.0 netmask 0.0.0.0 gw 130.149.4.26 dev eth0

or

route add default gw 130.149.4.26 dev eth0
-----------------------------------------------------------------------

"SIOCADDRT: Network is unreachable" was the answer whether I am connected or not.

Need help.
Alexander
 
Old 12-18-2004, 06:52 AM   #4
pohl886
LQ Newbie
 
Registered: Dec 2004
Posts: 15

Original Poster
Rep: Reputation: 0
kernel messages

Hi,

Here comes an update on what happened so far:

1. added various routes to the new gateway with no success.
2. found a tool to convert encrypted passwords from any .pcf file to plain text passwords, so I can give vpnc a trial as well.
http://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode
3. found an error message in /var/log/messages, which gives a hint that there is an incompatibility between the kernel 2.6.8 and the Client program

---------------------------------------------------------------------
/var/log/messages:

Dec 18 12:48:47 localhost kernel: Cisco Systems VPN Client Version 4.0.5 (Rel) kernel module loaded
Dec 18 12:49:07 localhost kernel: Badness in local_bh_enable at kernel/softirq.c:136
Dec 18 12:49:07 localhost kernel: [local_bh_enable+137/144] local_bh_enable+0x89/0x90
Dec 18 12:49:07 localhost kernel: [__crc_do_add_mount+1271881/10427360] handle_vpnup+0x9d/0x1e0 [cisco_ipsec]
Dec 18 12:49:07 localhost kernel: [__crc_do_add_mount+1271272/10427360] interceptor_ioctl+0x15c/0x160 [cisco_ipsec]
Dec 18 12:49:07 localhost kernel: [dev_ifsioc+884/992] dev_ifsioc+0x374/0x3e0
Dec 18 12:49:07 localhost kernel: [dev_ioctl+444/784] dev_ioctl+0x1bc/0x310
Dec 18 12:49:07 localhost kernel: [sock_ioctl+656/704] sock_ioctl+0x290/0x2c0
Dec 18 12:49:07 localhost kernel: [sys_ioctl+284/640] sys_ioctl+0x11c/0x280
Dec 18 12:49:07 localhost kernel: [syscall_call+7/11] syscall_call+0x7/0xb
Dec 18 12:49:07 localhost kernel: Badness in local_bh_enable at kernel/softirq.c:136
Dec 18 12:49:07 localhost kernel: [local_bh_enable+137/144] local_bh_enable+0x89/0x90
Dec 18 12:49:07 localhost kernel: [dev_remove_pack+15/32] dev_remove_pack+0xf/0x20
Dec 18 12:49:07 localhost kernel: [__crc_do_add_mount+1271968/10427360] handle_vpnup+0xf4/0x1e0 [cisco_ipsec]
Dec 18 12:49:07 localhost kernel: [__crc_do_add_mount+1271272/10427360] interceptor_ioctl+0x15c/0x160 [cisco_ipsec]
Dec 18 12:49:07 localhost kernel: [dev_ifsioc+884/992] dev_ifsioc+0x374/0x3e0
Dec 18 12:49:07 localhost kernel: [dev_ioctl+444/784] dev_ioctl+0x1bc/0x310
Dec 18 12:49:07 localhost kernel: [sock_ioctl+656/704] sock_ioctl+0x290/0x2c0
Dec 18 12:49:07 localhost kernel: [sys_ioctl+284/640] sys_ioctl+0x11c/0x280
Dec 18 12:49:07 localhost kernel: [syscall_call+7/11] syscall_call+0x7/0xb
Dec 18 12:49:07 localhost kernel: [schedule+1221/1232] schedule+0x4c5/0x4d0
Dec 18 12:49:07 localhost kernel: [common_interrupt+24/32] common_interrupt+0x18/0x20
Dec 18 12:49:07 localhost kernel: [post_set+27/80] post_set+0x1b/0x50
Dec 18 12:49:07 localhost kernel: [wait_for_completion+120/208] wait_for_completion+0x78/0xd0
Dec 18 12:49:07 localhost kernel: [default_wake_function+0/32] default_wake_function+0x0/0x20
Dec 18 12:49:07 localhost kernel: [__kernel_text_address+46/64] __kernel_text_address+0x2e/0x40
Dec 18 12:49:07 localhost kernel: [default_wake_function+0/32] default_wake_function+0x0/0x20
Dec 18 12:49:07 localhost kernel: [show_trace+88/160] show_trace+0x58/0xa0
Dec 18 12:49:07 localhost kernel: [synchronize_kernel+50/64] synchronize_kernel+0x32/0x40
Dec 18 12:49:07 localhost kernel: [dump_stack+28/32] dump_stack+0x1c/0x20
Dec 18 12:49:07 localhost kernel: [wakeme_after_rcu+0/16] wakeme_after_rcu+0x0/0x10
Dec 18 12:49:07 localhost kernel: [dev_remove_pack+15/32] dev_remove_pack+0xf/0x20
Dec 18 12:49:07 localhost kernel: [__crc_do_add_mount+1271968/10427360] handle_vpnup+0xf4/0x1e0 [cisco_ipsec]
Dec 18 12:49:07 localhost kernel: [__crc_do_add_mount+1271272/10427360] interceptor_ioctl+0x15c/0x160 [cisco_ipsec]
Dec 18 12:49:07 localhost kernel: [dev_ifsioc+884/992] dev_ifsioc+0x374/0x3e0
Dec 18 12:49:07 localhost kernel: [dev_ioctl+444/784] dev_ioctl+0x1bc/0x310
Dec 18 12:49:07 localhost kernel: [sock_ioctl+656/704] sock_ioctl+0x290/0x2c0
Dec 18 12:49:07 localhost kernel: [sys_ioctl+284/640] sys_ioctl+0x11c/0x280
Dec 18 12:49:07 localhost kernel: [syscall_call+7/11] syscall_call+0x7/0xb
---------------------------------------------------------------------------------

I wonder why nobody is participating in this thread except me, has nobody ever tried to use Cisco VPN Client under Linux?
Alexander
 
Old 12-18-2004, 07:02 AM   #5
pohl886
LQ Newbie
 
Registered: Dec 2004
Posts: 15

Original Poster
Rep: Reputation: 0
OK I understand, Cisco VPN Client is a commercial software. Try to get support from Cisco now, but if this fails, I will come back to this forum and will seek support for vpnc only.

Alexander

Last edited by pohl886; 12-18-2004 at 07:24 AM.
 
Old 02-18-2005, 04:15 PM   #6
lblinkhorn
LQ Newbie
 
Registered: Feb 2005
Posts: 1

Rep: Reputation: 0
A-ha! Someone having the same problems as me! I have Cisco VPN client v4.60- install, compiled and connecting 'fine'. Have also a WinXP system connecting with same XP version of client through same home router - no problems. Even using the same PCF file on linux system, the connection doesn't work..

Routing table shows up nothing to suggest routing to VPN is known. When VPN connected, I can ping own IP, VPN server (internet addr) but no VPN client addr and hosts on work network.

Running Novell (SuSE) Linux desktop.. bit new to all this, think it's a 2/.6x kernel..

Anyone any ideas ???

Lee
 
Old 03-12-2005, 11:26 AM   #7
vmicho
Member
 
Registered: Jun 2003
Location: Slovakia
Distribution: Debian unstable i586
Posts: 38

Rep: Reputation: 15
Same problems

Already tested it with 10 kernels (3 distributions) - admins said they tested it and it worked, they said ......
I'm able to connect with ssh to the machines, but http ftp ... don't work, even if I make ssh tunnel to a proxy, it freezes all my terminal tunneling connections
And on cisco.com, I found no such problems. I have the "Badness" problem too
 
Old 09-10-2006, 04:22 PM   #8
kkting
LQ Newbie
 
Registered: Sep 2006
Posts: 2

Rep: Reputation: 0
Major thread resurrection !

I installed the latest Ubuntu distro on an intel box, using cisco vpn client 4.8 or vpnc, and I have EXACTLY the same problem. I googled for 2 days and this is where I end up. I have knocked all doors and still no reply.

Has anyone of you got a solution to this problem?
 
Old 09-10-2006, 05:36 PM   #9
pohl886
LQ Newbie
 
Registered: Dec 2004
Posts: 15

Original Poster
Rep: Reputation: 0
wrong route

Hi,

I have tried again now, nearly two years since my first post. The cisco VPN client still behaves strangely under linux (no route to the default gateway). I am using Debian Sarge 3.1 (kernel 2.6.8) and Cisco VPN Client 4.8.00.0490.

My network connection when disconnected:
I have two networks, one wired and one wireless, which both get routed through the default gateway.

Destination     Gateway          Genmask          Flags Metric Ref Use Iface
192.168.1.0     *                255.255.255.0    U     0      0   0   ath0
134.225.188.0   *                255.255.255.0    U     0      0   0   eth0
default         s188.hil-hh-alp  0.0.0.0          UG    0      0   0   eth0

My network connection when I am connected:
130.149.4.26 is the new IP from the cipsec0 vpn adapter, which should go through the new default gateway 130.149.216.11. I think the first route is unnecessary at all, because everything in the net 130.149.0.0 is routed through the default gateway via the second route anyway. Maybe deleting the first route will help.


Destination     Gateway          Genmask          Flags Metric Ref Use Iface
130.149.4.26    134.225.188.254  255.255.255.255  UGH   0      0   0   eth0
130.149.0.0     *                255.255.0.0      U     0      0   0   cipsec0
default         130.149.216.11   0.0.0.0          UG    0      0   0   cipsec0

Alexander

Last edited by pohl886; 09-10-2006 at 05:39 PM.
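
Added example, not part of the thread or of any poster's message: a longest-prefix-match lookup over the connected routing table from post #9, showing which interface each destination leaves through and what changes when the /32 host route is absent. The table values are copied from that post and 130.149.4.26 is the "Server address" from the vpnclient stat output in post #1; the function names and the 192.0.2.1 stand-in address are assumptions made for this example.

```python
import ipaddress

# Routing table from post #9 while connected (values copied from the thread).
CONNECTED = """\
Destination     Gateway          Genmask          Flags Metric Ref Use Iface
130.149.4.26    134.225.188.254  255.255.255.255  UGH   0      0   0   eth0
130.149.0.0     *                255.255.0.0      U     0      0   0   cipsec0
default         130.149.216.11   0.0.0.0          UG    0      0   0   cipsec0
"""

def parse_routes(text):
    """Parse `route` output into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] == "Destination":
            continue
        dest = "0.0.0.0" if f[0] == "default" else f[0]
        net = ipaddress.ip_network(f"{dest}/{f[2]}")
        gw = None if f[1] in ("*", "0.0.0.0") else f[1]
        routes.append((net, gw, f[7]))
    return routes

def lookup(routes, addr):
    """Return (gateway, iface) of the most specific matching route, or None."""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in routes if ip in r[0]]
    if not hits:
        return None
    _, gw, iface = max(hits, key=lambda r: r[0].prefixlen)
    return gw, iface

def tunnel_check(routes, vpn_server, tunnel_if):
    """Flag the two conditions that break or bypass a full tunnel."""
    problems = []
    hit = lookup(routes, vpn_server)
    if hit is None or hit[1] == tunnel_if:
        problems.append("carrier packets to the VPN server do not leave via the physical NIC")
    default = lookup(routes, "192.0.2.1")  # TEST-NET-1 stands in for "any other host"
    if default is None or default[1] != tunnel_if:
        problems.append("default traffic is not routed into the tunnel")
    return problems

if __name__ == "__main__":
    routes = parse_routes(CONNECTED)
    for dst in ("130.149.4.26", "130.149.2.12", "192.0.2.1"):
        print(dst, "->", lookup(routes, dst))
    print("as posted:", tunnel_check(routes, "130.149.4.26", "cipsec0"))
    print("host route removed:", tunnel_check(routes[1:], "130.149.4.26", "cipsec0"))
```

With the table as posted, the encrypted carrier packets to 130.149.4.26 match the /32 route and leave via eth0, while everything else goes into cipsec0; without that host route the server address falls under the 130.149.0.0/16 entry on cipsec0 and the check reports it.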
 
Old 09-10-2006, 05:49 PM   #10
kkting
LQ Newbie
 
Registered: Sep 2006
Posts: 2

Rep: Reputation: 0
pohl886 and all others who helped on this problem:

I finally just give up on cisco vpn and use the opensource vpnc client. It works flawlessly.

Thanks !

kkting
 
  


All times are GMT -5.
