Gentoo Forums :: Networking & Security
Routing problem with Cisco VPN Client.
jani80k (n00b; Joined: 07 Aug 2003; Posts: 40)
Posted: Mon Jul 25, 2005 9:03 am    Post subject: Routing problem with Cisco VPN Client.

I've got a NAT (via ppp0) router in my students' flat-sharing community to provide Internet to the 4 students that live here.
A big problem when it comes to sending email is that our university only allows clients to send mail via their smtp server from their net (134.169.0.0 brd 255.255.0.0).
Unfortunately, we're not part of their net, as most of the students - since they're using dial-up DSL connections (common in Germany) - aren't. We can only send mail when we are at university or through a crappy web interface that is very basic and doesn't allow gpg-signing of msgs etc.
A possible solution that came to my mind is the cisco-vpnclient, which has been introduced to users by the university lately. I could start the vpnclient on my router and get an IP from the IP pool of the university. I could redirect all packets that are targeted to the net of our university through the VPN tunnel. This way I would be able to send mail and actually _use_ my email account.
So I installed the vpnclient and started it. The tunnel sets up fine. I have a new device "cipsec0" that got an IP from the pool of IPs of my university. Unfortunately, surfing from the hosts in our LAN now wouldn't work anymore. When I stop the vpnclient, it would work again.
I think it has something to do with the route the vpnclient is setting when it starts.

Before (inet access from lan working):
Code:
root@wgserver:~# route -n
Kernel IP Routentabelle
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
82.82.132.1     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 ra0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
0.0.0.0         82.82.132.1     0.0.0.0         UG    0      0        0 ppp0


After (client started, inet access from lan not working):
Code:
root@wgserver:~# route -n
Kernel IP Routentabelle
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
82.82.132.1     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
134.169.2.2     82.82.132.1     255.255.255.255 UGH   0      0        0 ppp0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
134.169.240.0   0.0.0.0         255.255.240.0   U     0      0        0 cipsec0
134.169.0.0     134.169.248.7   255.255.0.0     UG    0      0        0 cipsec0
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 ra0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
0.0.0.0         82.82.132.1     0.0.0.0         UG    0      0        0 ppp0


As far as my knowledge goes, I have to first tell the kernel to not use the cipsec0 route by default, but the ppp0 one as it used to (route(?)). And secondly, I have to redirect all the packets that are targeted to 134.169.0.0 through the cipsec0 device (iptables(?)).

Is my assumption right? Does anyone know how to solve this problem?

Thx in advance.

jANI (and his flat-mates) :D
_________________
...Linux is for free, if your time has no value.
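An added example (not code from the thread) that replays the kernel's longest-prefix-match lookup over the "after" routing table quoted above, to show which interface each kind of destination takes: university addresses go out cipsec0, the 134.169.2.2 host route (the one address in the university range pinned to ppp0) keeps going over ppp0, and everything else still follows the default route out ppp0, so the route entries alone do not explain the LAN losing Internet access. The destination 198.51.100.7 is a constructed placeholder for an arbitrary Internet host.

```python
import ipaddress

# Routing table copied from the post's "after" `route -n` output (the column
# headers Ziel/Router/Genmask are the German labels for Destination/Gateway/Genmask).
ROUTE_TABLE_AFTER = """\
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
82.82.132.1     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
134.169.2.2     82.82.132.1     255.255.255.255 UGH   0      0        0 ppp0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
134.169.240.0   0.0.0.0         255.255.240.0   U     0      0        0 cipsec0
134.169.0.0     134.169.248.7   255.255.0.0     UG    0      0        0 cipsec0
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 ra0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
0.0.0.0         82.82.132.1     0.0.0.0         UG    0      0        0 ppp0
"""


def parse_route_table(text):
    """Turn `route -n` output into (network, gateway, iface) tuples.
    Header lines are skipped; a 0.0.0.0 gateway (directly connected) becomes None."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or not fields[0][0].isdigit():
            continue  # "Kernel IP Routentabelle" / column header lines
        dest, gw, mask, iface = fields[0], fields[1], fields[2], fields[7]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, None if gw == "0.0.0.0" else gw, iface))
    return routes


def lookup(routes, dst):
    """Kernel-style lookup: the most specific (longest prefix) matching route wins.
    Returns (iface, gateway) or None when no route matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[2], best[1])


if __name__ == "__main__":
    table = parse_route_table(ROUTE_TABLE_AFTER)
    # 198.51.100.7 is a constructed (TEST-NET-2) stand-in for any Internet host.
    for dst in ("134.169.1.1", "134.169.245.3", "134.169.2.2", "192.168.0.10", "198.51.100.7"):
        print(dst, "->", lookup(table, dst))
```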
dev-urandom (Apprentice; Joined: 24 Jun 2005; Posts: 260; Location: Huh?)
Posted: Mon Jul 25, 2005 10:03 am

The Cisco VPN client is a piece of sh** to be frank.

The cipsec0 interface didn't let me attach tcpdump/ethereal the last time I had a routing issue.

That said, the solution to your problem should be very simple (I hope so ;))

Code:
vi /etc/opt/cisco-vpnclient/Profiles/<profilename>.pcf


Change
Code:
EnableLocalLAN=0

to
Code:
EnableLocalLAN=1


If that doesn't work, I don't think anything much can help you out.

BTW, do you folks have a PPTP VPN connection? Try that if you still can't make much headway.
_________________
/earth: file system full.
tutaepaki (Apprentice; Joined: 11 Nov 2003; Posts: 279; Location: New Zealand)
Posted: Mon Jul 25, 2005 11:32 am

Settings like the routes and local lan access are usually set at the VPN concentrator, and if you are using the cisco vpn client, it will enforce whatever is set by the concentrator.

You might find vpnc a better option. You've got to set up all the routes etc. yourself, but it means you get much better control. I've found vpnc to be far more reliable on Gentoo too; the Cisco client tended to break every time I did anything.
dev-urandom (Apprentice; Joined: 24 Jun 2005; Posts: 260; Location: Huh?)
Posted: Thu Jul 28, 2005 7:28 am

Ah, yes, someone who was lucky enough... My mileage with vpnc was very poor. I use the latest unstable version of the Cisco client and have had no problems.

tutaepaki wrote:
Settings like the routes and local lan access are usually set at the VPN concentrator, and if you are using the cisco vpn client, it will enforce whatever is set by the concentrator.

You might find vpnc a better option. You've got to set up all the routes etc yourself, but it means you get much better control. I've found vpnc to be far more reliable on gentoo too, the cisco client tended to break every time I did anything.

_________________
/earth: file system full.
jani80k (n00b; Joined: 07 Aug 2003; Posts: 40)
Posted: Sat Jul 30, 2005 11:35 am

OK guys...
I am using vpnc now and I don't have any problems at all anymore. Everything works fine.
I had to get the 0.3.3 ebuild from bugs.gentoo.org though, because I needed split routing support.
At first I thought that it was impossible for me to use any other client than the Cisco one because the administrator wouldn't tell me the group password. But then I found a password decoder here.
The Cisco client sucks. vpnc rocks.
jANI
_________________
...Linux is for free, if your time has no value.