synack1337 n00b
Joined: 17 Mar 2004 Posts: 5
|
Posted: Wed Mar 31, 2004 10:16 pm Post subject: |
|
|
Other than a workaround, sadly no.
I was able to get proper checksum'd udp packets by compiling iptables into the kernel and doing an any any outbound rule. and everything works now.
I guess this should be mentioned to one of the maintainers for either the net code or driver code for 3c59x on 2.6.x. Not sure of the best way to go about it..
-"snizack" |
kamilian n00b
Joined: 23 Jun 2003 Posts: 59 Location: Sydney, Australia
|
Posted: Thu Apr 01, 2004 12:22 pm Post subject: |
|
|
On the topic of the Cisco VPN Client, has anyone else had this problem show up? Better yet, anyone know how to fix it? (The best I could find for something similar was to install lib-compat and I have lib-compat-1.3 installed).
Code: | Cobra root # vpnclient connect ic
Cisco Systems VPN Client Version 4.0.3 (B)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.3-gentoo-r1 #1 Sun Feb 22 16:29:28 GMT 2004 i686
cvpnd: relocation error: cvpnd: symbol _res, version GLIBC_2.0 not defined in file libc.so.6 with link time reference |
Could this be an issue with 2.6 kernel headers? NPTL? Other?
I have both 2.6 kernel headers installed and nptl enabled in glibc.
Code: | Cobra root # etcat -v linux-headers
* sys-kernel/linux-headers-2.6.0 :
[ I] 2.6.0 (0) OVERLAY |
Code: | Cobra root # etcat -u glibc
U I [ Found these USE variables in : sys-libs/glibc-2.3.2-r3 ]
+ + nls : unknown
- - pic : unknown
- - build : !!internal use only!! ....
+ + nptl : unknown |
My relevant emerge info:
Code: | Cobra root # emerge --info
Portage 2.0.50-r1 (default-x86-1.4, gcc-3.3.2, glibc-2.3.2-r3, 2.6.3-gentoo-r1)
=================================================================
System uname: 2.6.3-gentoo-r1 i686 Intel(R) Pentium(R) 4 CPU 2.66GHz
Gentoo Base System version 1.4.3.13
Autoconf: sys-devel/autoconf-2.58-r1
Automake: sys-devel/automake-1.7.7
CFLAGS="-march=pentium4 -mmmx -msse -msse2 -mfpmath=sse -Os -pipe" |
_________________ May contain traces of nuts. |
X-Frog n00b
Joined: 15 Feb 2004 Posts: 10 Location: Montreal, Qc, Canada
|
Posted: Wed Apr 07, 2004 2:25 pm Post subject: |
|
|
synack1337 wrote: | Other than a workaround, sadly no.
I was able to get proper checksum'd udp packets by compiling iptables into the kernel and doing an any any outbound rule. and everything works now.
I guess this should be mentioned to one of the maintainers for either the net code or driver code for 3c59x on 2.6.x. Not sure of the best way to go about it..
-"snizack" |
And it works!
Thank you!
I didn't have iptables installed (kernel modules, yes, but not iptables itself) and my DNS resolution wasn't working as well as my connections to our KVM IP (all UDP).
Now everything is ok! |
synack1337 n00b
Joined: 17 Mar 2004 Posts: 5
|
Posted: Wed Apr 07, 2004 10:36 pm Post subject: |
|
|
Glad it worked for you.
Now we need to get this in front of a maintainer so we don't need iptables. |
blscreen Tux's lil' helper
Joined: 04 Mar 2003 Posts: 118 Location: Innsbruck
|
Posted: Thu Apr 08, 2004 3:10 am Post subject: |
|
|
Because of the problems with the Cisco VPN client and recent kernels I switched to the opensource client vpnc. It uses the kernel TUN/TAP device and works great for me. |
theche Guru
Joined: 26 Feb 2004 Posts: 512
|
Posted: Thu Apr 15, 2004 3:08 pm Post subject: |
|
|
where's the option for enabling the TUN/TAP device driver?? |
blscreen Tux's lil' helper
Joined: 04 Mar 2003 Posts: 118 Location: Innsbruck
|
Posted: Fri Apr 16, 2004 11:19 am Post subject: |
|
|
In 2.6.x:
Device Drivers -> Networking support -> Network device support -> Universal TUN/TAP device driver support |
theche Guru
Joined: 26 Feb 2004 Posts: 512
|
Posted: Fri Apr 16, 2004 11:29 pm Post subject: |
|
|
Code: | root@marco mac # vpnc
vpnc: error while loading shared libraries: libgcrypt.so.1: cannot open shared object file: No such file or directory
|
what am i doing wrong??
I did
ACCEPT_KEYWORDS="~x86" emerge vpnc, edited the /etc/vpnc.conf to fit to my university's vpn network... |
blscreen Tux's lil' helper
Joined: 04 Mar 2003 Posts: 118 Location: Innsbruck
|
Posted: Sat Apr 17, 2004 8:53 am Post subject: |
|
|
Seems like some dependency problem. Try to first emerge sync, reemerge dev-libs/libgcrypt and then net-misc/vpnc.
libgcrypt should have been merged together with vpnc though. |
theche Guru
Joined: 26 Feb 2004 Posts: 512
|
Posted: Sat Apr 17, 2004 12:50 pm Post subject: |
|
|
exactly...
didn't work
same error.
should I start vpnc as root or as a user? when doing so:
Code: | bash-2.05b$ vpnc
Secure memory is not locked into core
vpnc: IKE DH Group "dh2 " unsupported
|
don't know how to interpret this
my vpnc.conf:
Code: |
more /etc/vpnc.conf
Interface name vpn0
IKE DH Group dh2
Perfect Forward Secrecy nopfs
IPSec gateway vpn.uni-mannheim.de
IPSec ID <+++>
IPSec secret <+++>
Xauth username<+++>
|
IKEDHGroup: what values are possible??
Last edited by theche on Sun Apr 18, 2004 12:23 pm; edited 1 time in total |
blscreen Tux's lil' helper
Joined: 04 Mar 2003 Posts: 118 Location: Innsbruck
|
Posted: Sat Apr 17, 2004 8:52 pm Post subject: |
|
|
This doesn't seem to be related to any of the errors you receive, but I just tried vpnc on a gentoo box the first time (the other was debian), and devfsd made a wrong symlink /dev/net/tun->/dev/net/misc/net/tun which doesn't exist and should be /dev/misc/net/tun instead.
If this is true for you, you should add the following lines early in your /etc/devfsd.conf and send a SIGHUP to devfsd:
Code: | REGISTER ^misc/net/tun$ CFUNCTION GLOBAL unlink net/tun
REGISTER ^misc/net/tun$ CFUNCTION GLOBAL symlink /dev/$devname net/tun
UNREGISTER ^misc/net/tun$ CFUNCTION GLOBAL unlink net/tun |
theche wrote: | should I start vpnc as root or as an user? |
Definitely as root.
Sorry, can't help you with the IKE DH problem... possible values are dh1,dh2 and dh5.
Here is my config:
Code: | Interface name tun0
IKE DH Group dh2
Perfect Forward Secrecy nopfs
IPSec gateway ipsec-rz.vpn.uni-freiburg.de
IPSec ID <blanked>
IPSec secret <blanked>
Xauth username <blanked>
|
As for the libgcrypt problem: maybe
Code: | strace vpnc &> /root/vpnc-strace | can give you a hint about what's going on there. |
theche Guru
Joined: 26 Feb 2004 Posts: 512
|
Posted: Sun Apr 18, 2004 12:51 pm Post subject: |
|
|
Actually, we could speak German... couldn't we?
I don't know whether there is a symlink...the directory net in /dev/ doesn't exist...and in /dev/misc/ there is no directory net...perhaps I messed something up with the TUN/TAP device driver??
Code: |
output strace: (excerpt)
open("/lib/i686/mmx/libgcrypt.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/i686/mmx", 0xbfffed58) = -1 ENOENT (No such file or directory)
open("/lib/i686/libgcrypt.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/i686", 0xbfffed58) = -1 ENOENT (No such file or directory)
open("/lib/mmx/libgcrypt.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/mmx", 0xbfffed58) = -1 ENOENT (No such file or directory)
open("/lib/libgcrypt.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
open("/usr/lib/i686/mmx/libgcrypt.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/i686/mmx", 0xbfffed58) = -1 ENOENT (No such file or directory)
open("/usr/lib/i686/libgcrypt.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/i686", 0xbfffed58) = -1 ENOENT (No such file or directory)
open("/usr/lib/mmx/libgcrypt.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/mmx", 0xbfffed58) = -1 ENOENT (No such file or directory)
open("/usr/lib/libgcrypt.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
|
That's right, the directories really don't exist in that form...
Code: |
find / -name *libgcrypt*:
/usr/bin/libgcrypt-config
/usr/lib/libgcrypt.so.11
/usr/lib/libgcrypt.so
/usr/lib/libgcrypt.so.7
/usr/lib/libgcrypt-pthread.so.11
/usr/lib/libgcrypt.la
/usr/lib/libgcrypt.a
/usr/lib/libgcrypt.so.11.0.0
/usr/lib/libgcrypt-pthread.so.11.0.0
/usr/lib/libgcrypt-pthread.so
/usr/lib/libgcrypt-pthread.so.7
/usr/lib/libgcrypt-pthread.la
/usr/lib/libgcrypt-pthread.a
|
They are probably somewhere else, and I don't see libgcrypt.so.1 either.
what shall I do?
symlinks? |
blscreen Tux's lil' helper
Joined: 04 Mar 2003 Posts: 118 Location: Innsbruck
|
Posted: Sun Apr 18, 2004 5:06 pm Post subject: |
|
|
theche wrote: | Actually, we could speak German... couldn't we? |
I think we should stick to English, as some users searching the forum might have similar problems.
theche wrote: | I don't know whether there is a symlink...the directory net in /dev/ doesn't exist...and in /dev/misc/ there is no directory net...perhaps I messed something up with the TUN/TAP device driver?? |
Is the module loaded? Are you using devfs? Otherwise you have to create the node. Check dmesg for a line
Code: | Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky |
Without the proper character device, which is major 10 and minor 200, nothing is going to work.
I can give you some info about my setup, hope it helps:
Code: | # qpkg -l vpnc
net-misc/vpnc-0.2_pre7 *
CONTENTS:
/usr
/usr/bin
/usr/bin/vpnc
/usr/bin/vpnc-connect
/usr/bin/vpnc-disconnect
/usr/share
/usr/share/doc
/usr/share/doc/vpnc-0.2_pre7
/usr/share/doc/vpnc-0.2_pre7/ChangeLog.gz
/usr/share/doc/vpnc-0.2_pre7/README.gz
/usr/share/doc/vpnc-0.2_pre7/TODO.gz
/usr/share/doc/vpnc-0.2_pre7/VERSION.gz
/etc
/etc/vpnc.conf
# ldd /usr/bin/vpnc
linux-gate.so.1 => (0xffffe000)
libgcrypt.so.11 => /usr/lib/libgcrypt.so.11 (0x4002a000)
libgpg-error.so.0 => /usr/lib/libgpg-error.so.0 (0x40084000)
libc.so.6 => /lib/libc.so.6 (0x40088000)
libnsl.so.1 => /lib/libnsl.so.1 (0x401b4000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
# qpkg -l libgcrypt
dev-libs/libgcrypt-1.1.92 *
CONTENTS:
/usr
/usr/bin
/usr/bin/libgcrypt-config
/usr/lib
/usr/lib/libgcrypt.so.11.0.0
/usr/lib/libgcrypt.so.11 -> libgcrypt.so.11.0.0 1082225985
/usr/lib/libgcrypt.so -> libgcrypt.so.11.0.0 1082225985
/usr/lib/libgcrypt.la
/usr/lib/libgcrypt.a
/usr/lib/libgcrypt-pthread.so.11.0.0
/usr/lib/libgcrypt-pthread.so.11 -> libgcrypt-pthread.so.11.0.0 1082225985
/usr/lib/libgcrypt-pthread.so -> libgcrypt-pthread.so.11.0.0 1082225985
/usr/lib/libgcrypt-pthread.la
/usr/lib/libgcrypt-pthread.a
/usr/lib/libgcrypt.so.7 -> libgcrypt.so.11 1082225985
/usr/lib/libgcrypt-pthread.so.7 -> libgcrypt-pthread.so.11 1082225985
/usr/include
/usr/include/gcrypt.h
/usr/include/gcrypt-module.h
/usr/share
/usr/share/aclocal
/usr/share/aclocal/libgcrypt.m4
/usr/share/info
/usr/share/info/gcrypt.info.gz
/usr/share/doc
/usr/share/doc/libgcrypt-1.1.92
<snip some more docs here>
/usr/lib/libgcrypt-pth.so.7 -> libgcrypt-pth.so.11 1082225985
<snip strace output>
open("/usr/lib/libgcrypt.so.11", O_RDONLY) = 3 <- This is how it should be ;)
<snip>
USE="X aalib alsa apm arts avi berkdb cdr crypt cups directfb dvd encode esd fbcon foomaticdb gdbm gif gphoto2 gpm gtk gtk2 imlib java jpeg libg++ libwww mad matrox mikmod motif mozilla mpeg nas ncurses nls oggvorbis opengl oss pam pdflib perl png python qt quicktime readline sasl scanner sdl slang spell ssl stroke svga tcltk tcpd tetex truetype usb video_cards_matrox x86 xinerama xml2 xmms xv zlib"
|
For some reason your vpnc is compiled with the wrong library versions. You could file a bugreport or try to compile it from the original package manually. |
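
The checks discussed in the posts above (which sonames the loader cannot resolve, which versions of that library are actually installed, and whether the TUN node is a character device with major 10 and minor 200), as an added shell example that is not part of any post in this thread. The function names and the sample `ldd` output are constructed for illustration, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example, not from the thread. Sample ldd output is constructed.

# Read `ldd` output on stdin; print each soname the loader cannot resolve.
missing_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# For a missing soname such as libgcrypt.so.1, list the sonames of the same
# library that are present in directory $2 (for example libgcrypt.so.7).
installed_sonames() {
    stem=${1%%.so*}
    for f in "$2/$stem".so.*; do
        if [ -e "$f" ]; then basename "$f"; fi
    done
}

# Succeed only if $1 is a character device with major 10, minor 200,
# the numbers given in the thread for the TUN/TAP node.
tun_node_ok() {
    [ -c "$1" ] || return 1
    # GNU stat prints the device numbers in hex: %t = major, %T = minor.
    nums=$(stat -L -c '%t %T' "$1") || return 1
    set -- $nums
    [ "$((0x$1))" -eq 10 ] && [ "$((0x$2))" -eq 200 ]
}

# Constructed sample resembling the failure reported in the thread.
sample_ldd() {
    cat <<'EOF'
    libgcrypt.so.1 => not found
    libc.so.6 => /lib/libc.so.6 (0x40088000)
    /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
EOF
}

main() {
    for lib in $(sample_ldd | missing_libs); do
        echo "unresolved: $lib; installed in /usr/lib:"
        installed_sonames "$lib" /usr/lib | sed 's/^/  /'
    done
    if tun_node_ok /dev/net/tun; then
        echo "/dev/net/tun: character device 10,200"
    else
        echo "/dev/net/tun: missing or wrong device numbers"
    fi
}

main
```

On a real system, replace `sample_ldd` with `ldd /usr/bin/vpnc` to inspect the installed binary.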
theche Guru
Joined: 26 Feb 2004 Posts: 512
|
Posted: Mon Apr 19, 2004 11:00 am Post subject: |
|
|
Universal TUN TAP driver is in the kernel (no module)
in dmesg appears the corresponding entry
yes, I do use devfs
Quote: |
Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
Without the proper character device, which is major 10 and minor 200, nothing is going to work.
|
??
I dont have crypt in USE <--?
and the rest is silence 'cause I don't know what to do with this kind of information
how do I 'file' a bug report? |
LostControl l33t
Joined: 02 Mar 2004 Posts: 885 Location: La Glane, Suisse
|
Posted: Tue Apr 20, 2004 6:23 pm Post subject: |
|
|
Has anyone tried to use cisco-vpnclient-3des-4.0.3b-r3 with kernel 2.6.6-rc1 ?
Everything works using kernel 2.6.5 but no success with 2.6.6-rc1. Maybe something changed in the new kernel which breaks cisco-vpnclient-3des!? As for 2.6.2... |
Corpse2 n00b
Joined: 14 Jan 2004 Posts: 60
|
Posted: Wed Apr 21, 2004 11:23 pm Post subject: |
|
|
I managed to get the vpnclient-linux-4.0.3.B-k9.tar.gz working on my 2.6.5-rc1 kernel. I think it's the patched version mentioned before.
Only one problem, I don't know why it works all of a sudden while it wouldn't work at first. I've been fooling around first with a few different versions and vpnc without luck. But there is one thing I remember that I did: I found somewhere in another thread something about which things are needed in the kernel, some things in cryptography that are needed by IPsec and some other things.
Quote: | In order to make the IPsec work with the 2.6 Kernel, you need PF Key, AHS Transformations, ESP Transformations, IPsec user config interface, and all the cryptos... |
Concerning the crypto's, the help of these items mention a few times something about IPSec, those are the ones you need I think. I don't think I chose any others.
Although I still have one problem, when connected I can't figure out how to define routes (for the client). when you do a it ends with the configured routes, containing only zeroes
Or is it possible to route traffic to the hidden cipsec0? (ifconfig -a shows it) |
vdp n00b
Joined: 10 Apr 2004 Posts: 15
|
Posted: Thu Apr 22, 2004 2:22 am Post subject: |
|
|
Corpse2 wrote: | I managed to get the vpnclient-linux-4.0.3.B-k9.tar.gz working on my 2.6.5-rc1 kernel. I think it's the patched version mentioned before.
...
Although I still have one problem, when connected I can't figure out how to define routes (for the client). when you do a it ends with the configured routes, containing only zeroes
Or is it possible to route traffic to the hidden cipsec0? (ifconfig -a shows it) |
This is the normal behavior - I have version 4.0.1a working on another machine with kernel 2.4.x and it does the same thing.
I have a slightly different problem - when I use eth0, the vpn client works fine; when I try to use the wlan0 interface, I cannot exchange large amounts of data, and rdesktop times out. This is with wlan-ng 0.2.1-pre20 and kernel 2.6.5-rc1 |
kevin_barsby n00b
Joined: 23 Apr 2004 Posts: 50 Location: UK
|
Posted: Fri Apr 23, 2004 4:39 am Post subject: Kernel 2.6.5-gentoo-rc1 and vpnclient-4.0.3.B-k9 |
|
|
Firstly I'm a noob to Gentoo forums so please forgive any lapses of netiquette.
I've just emerged the latest (4.0.3.B) ebuild of vpnclient and apart from having to rebuild the digest it compiled and installed ok.
I seem to be having the DNS problem some people have mentioned, i.e. I can run the module and connect quite happily, but couldn't get anywhere on the network. I tried pinging the machine I was connected to and that seemed ok, I guess if I'd tried going elsewhere on the network by ip address only that would have worked too.
How have people got around this problem? I read somewhere compiling in IP tables and creating an ANY->ANY rule would fix this, is this still people's favoured solution?
Cheers
Kev |
kevin_barsby n00b
Joined: 23 Apr 2004 Posts: 50 Location: UK
|
Posted: Wed Apr 28, 2004 10:58 pm Post subject: A little more information... |
|
|
I spent a frustrating morning trying various solutions on this and other forums. The upshot is everything I tried seemed to take a step back from where I am currently.
I have:
Kernel - 2.6.5
vpnclient - 4.0.3-B-K9 (vanilla patched via the Gentoo ebuild)
It starts, connects quite happily but DNS seems to be broken. Everything is fine by IP address.
Current workaround is to lob all the servers I need into /etc/hosts
The solutions / workarounds I've tried are:
- Compiling in iptables and setting up ANY->ANY OUTPUT rule: This resulted in the situation where the module would load, but any attempt to connect failed, module seems to hang for a bit then times out
- Various Kernel switches (I didn't have the IPSEC stuff in the kernel, I do now) : Made no difference
- Regressing to Kernel 2.6.1: No difference
I haven't tried a 2.4 kernel yet, but that is going to require a system rebuild which I don't really have time for ATM.
Has anyone got any suggestions? |
AlterEgo Veteran
Joined: 25 Apr 2002 Posts: 1619
|
Posted: Tue May 11, 2004 7:09 pm Post subject: |
|
|
I'm trying to get net-misc/cisco-vpnclient-3des-4.0.3b-r4
working on 2.6.6.
I get stuck at: /etc/init.d/vpnclient start
* Starting Cisco VPN Client...
* Failed to load module cisco_ipsec
Can someone give me a lsmod of the modules needed?
[edit]
Just tested in 2.6.5: it does work there
Last edited by AlterEgo on Tue May 11, 2004 9:48 pm; edited 1 time in total |
Berni n00b
Joined: 25 Aug 2003 Posts: 71
|
Posted: Tue May 11, 2004 7:24 pm Post subject: |
|
|
What does dmesg tell (or your syslog)? Did you enable the crypt modules+tun modules in your kernel config? |
kevin_barsby n00b
Joined: 23 Apr 2004 Posts: 50 Location: UK
|
Posted: Tue May 11, 2004 9:22 pm Post subject: New kernel 2.6.6 |
|
|
I noticed in the new 2.6.6 kernel changelog there are some patches to crc related stuff from people whose email address reads (@cisco.com).
I haven't tried it yet, but I'll post here if it fixes the dns problem |
enkil Tux's lil' helper
Joined: 27 Apr 2004 Posts: 115 Location: Bern, Switzerland
|
Posted: Thu May 13, 2004 8:54 pm Post subject: |
|
|
@AlterEgo: I had the same problems using Kernel 2.6.6, too, but I use vpnclient-version 4.0.4(A).
Problem seems to be the following code in the init-script:
Code: |
/sbin/insmod ${PC}/${VPNMOD} >/dev/null 2>&1
|
I looked at cisco's original init-script that was packed with the client and modified the gentoo-init-script (cisco's doesn't look nice ). I'm not sure about licensing-stuff concerning init-scripts, so I don't post a patch here...
You just have to do an insmod this way:
${VPNMOD} is mostly cisco_ipsec, just change it to cisco_ipsec.ko
Works fine for me...
My .diff would do a better job |
AlterEgo Veteran
Joined: 25 Apr 2002 Posts: 1619
|
Posted: Fri May 14, 2004 8:08 am Post subject: |
|
|
That did not help me
/lib/modules/2.6.6/CiscoVPN/cisco_vpn is not a .ko file after emerging.
I also cannot get the modules insmodded manually.
I use the same config as 2.6.5, where it works flawlessly. |
enkil Tux's lil' helper
Joined: 27 Apr 2004 Posts: 115 Location: Bern, Switzerland
|
Posted: Fri May 14, 2004 8:40 am Post subject: |
|
|
I think it should be a .ko-file...
Code: |
ls /lib/modules/2.6.6/CiscoVPN/
cisco_ipsec.ko
|
I would suggest, that you try to install the vpnclient manually... Just unpack it and run the vpn_install-script...
<edit>
almost forgot: If you use Kernel 2.6.x and vpnclient < 4.0.4(A) and install it manually, don't forget to patch the interceptor.c using:
/usr/portage/net-misc/cisco-vpnclient-3des/files/register_netdevice.patch |