VPN Client can't access Internet

Whiskerz · 04-16-2007, 10:16 AM

Hey there,

the situation is as follows : at work I need a VPN connection if I want to access the internet with my laptop. This works great using windows, just type in the VPN server address, your username and password and you're all set. However when using Linux I can also get a vpn connection set up but no internet.

According to the administrator they don't really have any experience in Linux and don't plan to support it directly, but there have been rumors of people long gone who made it work. Supposedly it was some sort of routing problem.

I've tried both vpnc and a cisco vpn client. Using vpnc I get the following results for ifconfig and route :

Code:

Kernel IP Routentabelle
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
192.168.0.2     *               255.255.255.255 UH    0      0        0 eth1
192.168.0.0     *               255.255.0.0     U     0      0        0 eth1
loopback        *               255.0.0.0       U     0      0        0 lo
default         *               0.0.0.0         U     0      0        0 tun0

Code:

eth0      Protokoll:Ethernet  Hardware Adresse 00:0D:60:8C:26:0D  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 Sendewarteschlangenlänge:1000 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Basisadresse:0x8000 Speicher:c0220000-c0240000 

eth1      Protokoll:Ethernet  Hardware Adresse 00:0E:35:0C:47:FA  
          inet Adresse:192.168.1.77  Bcast:192.168.255.255  Maske:255.255.0.0
          inet6 Adresse: fe80::20e:35ff:fe0c:47fa/64 Gültigkeitsbereich:Verbindung
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1995 errors:0 dropped:25 overruns:0 frame:0
          TX packets:286 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 Sendewarteschlangenlänge:1000 
          RX bytes:124824 (121.8 Kb)  TX bytes:39193 (38.2 Kb)
          Interrupt:11 Basisadresse:0x6000 Speicher:c0214000-c0214fff 

lo        Protokoll:Lokale Schleife  
          inet Adresse:127.0.0.1  Maske:255.0.0.0
          inet6 Adresse: ::1/128 Gültigkeitsbereich:Maschine
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:134 errors:0 dropped:0 overruns:0 frame:0
          TX packets:134 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 Sendewarteschlangenlänge:0 
          RX bytes:27712 (27.0 Kb)  TX bytes:27712 (27.0 Kb)

tun0      Protokoll:UNSPEC  Hardware Adresse 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet Adresse:141.21.5.181  P-z-P:141.21.5.181  Maske:255.255.255.255
          UP PUNKTZUPUNKT RUNNING NOARP MULTICAST  MTU:1412  Metric:1
          RX packets:2 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 Sendewarteschlangenlänge:500 
          RX bytes:294 (294.0 b)  TX bytes:140 (140.0 b)

Using the cisco client yields similar values and the same result, for the sake of completeness :

Code:

Kernel IP Routentabelle
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
192.168.0.2     *               255.255.255.255 UH    0      0        0 eth1
141.21.0.0      *               255.255.0.0     U     0      0        0 cipsec0
loopback        *               255.0.0.0       U     0      0        0 lo
default         vpnclient21.fzi 0.0.0.0         UG    0      0        0 cipsec0

Code:

cipsec0   Protokoll:Ethernet  Hardware Adresse 00:0B:FC:F8:01:8F  
          inet Adresse:141.21.5.181  Maske:255.255.0.0
          inet6 Adresse: fe80::20b:fcff:fef8:18f/64 Gültigkeitsbereich:Verbindung
          UP RUNNING NOARP  MTU:1356  Metric:1
          RX packets:25 errors:0 dropped:434 overruns:0 frame:0
          TX packets:101 errors:0 dropped:146 overruns:0 carrier:0
          collisions:0 Sendewarteschlangenlänge:1000 
          RX bytes:3688 (3.6 Kb)  TX bytes:12249 (11.9 Kb)

eth0      Protokoll:Ethernet  Hardware Adresse 00:0D:60:8C:26:0D  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 Sendewarteschlangenlänge:1000 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Basisadresse:0x8000 Speicher:c0220000-c0240000 

eth1      Protokoll:Ethernet  Hardware Adresse 00:0E:35:0C:47:FA  
          inet Adresse:192.168.1.77  Bcast:192.168.255.255  Maske:255.255.0.0
          inet6 Adresse: fe80::20e:35ff:fe0c:47fa/64 Gültigkeitsbereich:Verbindung
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1742 errors:0 dropped:25 overruns:0 frame:0
          TX packets:243 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 Sendewarteschlangenlänge:1000 
          RX bytes:100343 (97.9 Kb)  TX bytes:33529 (32.7 Kb)
          Interrupt:11 Basisadresse:0x6000 Speicher:c0214000-c0214fff 

lo        Protokoll:Lokale Schleife  
          inet Adresse:127.0.0.1  Maske:255.0.0.0
          inet6 Adresse: ::1/128 Gültigkeitsbereich:Maschine
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:129 errors:0 dropped:0 overruns:0 frame:0
          TX packets:129 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 Sendewarteschlangenlänge:0 
          RX bytes:27432 (26.7 Kb)  TX bytes:27432 (26.7 Kb)

I looked through what I found on the net, but did not have the time to go into linux routing internals. There didn't seem to be an "obvious" solution to me. Does anybody have an idea, what might be wrong? As I said, it works for the windows client. Do I need to switch back or is there some way I don't have to spend hours figuring out linux internals if I preferred not to use M$?

/Whizz

acid_kewpie · 04-17-2007, 03:07 AM

by default all traffic will be sent to the vpn peer. under vpnc you can control if this is actually the case. edit the /etc/vpnc/vpnc-script and follow the comments at the top to add CISCO_SPLIT_????? entries, e.g.

CISCO_SPLIT_INC=1

CISCO_SPLIT_INC_0_ADDR=10.1.0.0
CISCO_SPLIT_INC_0_MASK=255.255.0.0
CISCO_SPLIT_INC_0_MASKLEN=16
CISCO_SPLIT_INC_0_PROTOCOL=0
CISCO_SPLIT_INC_0_SPORT=0
CISCO_SPLIT_INC_0_DPORT=0

please don't think this is a bug or anything, and if you use the cisco client, then it's impossibel for it to override the settings as defined by your companies firewall. it's actally more likely down to the rst of your work netwrok stopping you using internet via their own woutes that would be used from a desk in the office...

Whiskerz · 04-18-2007, 04:02 AM

Thanks for the advice. Having been unsure about what data to set, and not finding anything on the net I tried the network address of my network adapter, the network address of the vpn server, the network address I get when I connect to the vpn server but all to no avail.

I'll cancel the project "vpn with linux at work" for now since it uses up to much time, but for now will refrain from reinstalling windows for the same reason. Thanks for your effort again!

Cheers

Whizz

acid_kewpie · 04-18-2007, 04:41 AM

i'd suggest sticking with it to be honest, as above doing what you want with VPNC is very simple.

CowLoon · 04-20-2007, 03:43 PM

What are the split entries doing? What does having 1 entry mean?

I am on the outside of my company and want to connect to the vpn but also be able to connect to the internet directly, not through the VPN. Is this possible?

acid_kewpie · 04-20-2007, 04:00 PM

well that's clearly exactly what the OP was asking, and what i answered. yes totally possible.

CowLoon · 04-20-2007, 04:16 PM

I didn't learn anything, but at least I feel pain.

acid_kewpie · 04-20-2007, 04:20 PM

hmm? if you are using vpnc, just read the comments at the top of the vpnc-script file with it and it should make more sense.