On Wed, Mar 13, 2013 at 1:55 PM, shouldbe q931 <shouldbeq931 at gmail.com> wrote:
> On Tue, Mar 12, 2013 at 2:37 PM, David Woodhouse <dwmw2 at infradead.org> wrote:
>> On Tue, 2013-02-19 at 09:50 +0000, shouldbe q931 wrote:
>>>
>>> I know that I could set the default route manually, but wondered if I
>>> misconfigured something, or had hit a bug.
>>>
>>> I've gone back through the mailing list archives to July 2012, but
>>> couldn't see anything that might reference this.
>>
>> The behaviour of vpnc-script goes something like this:
>>
>> If there are 'split include' routes listed, set those routes only.
>> Else, set the default route (ignoring 'split exclude').
>>
>> The fact that it ignores 'split excludes' is a bug, but nobody's ever
>> cared because fairly much nobody ever uses them AFAICT.
>>
>> Your routing *does* have split includes... but only for Legacy IP. I
>> suppose we're supposed to route those Legacy IP ranges *and* the default
>> IPv6 route through the VPN?
>>
>> Looking at the current version of the vpnc-script, it looks like it
>> *ought* to get this right. Since $CISCO_IPV6_SPLIT_INC isn't (well,
>> shouldn't be) set, it should set the default route.
>>
>> Firstly, can you check that your vpnc-script is up to date. Download the
>> latest version which is linked from
>> http://www.infradead.org/openconnect/vpnc-script.html and try using that
>> (make it executable and use the --vpnc-script argument).
>>
>> --
>> dwmw2
>
> Yes, the split include is for IPv4, but IPv6 should be for all traffic.
>
> If it would be useful, I can also test removing the split include.
>
> I am not using (and have never seen used) split exclude.
>
> The vpnc-script changelog on ubuntu lists the below as the most recent change
> ---------------------------------------
> vpnc-scripts (0.1~git20120602-2) unstable; urgency=low
>
>   * Add Vcs-* fields for the collab-maint git repository.
>   * Move iproute from Depends to Recommends, vpnc-script can work
>     around it if not available.
>
>  -- Mike Miller <mtmiller at ieee.org>  Wed, 06 Jun 2012 06:58:46 -0400
> ---------------------------------------
>
> I renamed the version from the repo, and copied the one from infradead
> into usr/share/vpnc-scripts/vpnc-script
>
> I'll test this evening when I'm "outside" the network.
>
> Cheers
>
> Arne

Calling openconnect manually with the updated vpnc-script, IPv6 works as
expected and DNS works as expected; if I use NetworkManager to initiate the
VPN, IPv6 has the same problem, and the DNS servers are not set.

Using NetworkManager
---------------------------------------
netstat -6 -r
Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met Ref Use If
2001:470:9652:3::/64           ::                         U    256 0   0   vpn0
fe80::/64                      ::                         U    256 0   0   eth1
fe80::/64                      ::                         U    256 0   0   vpn0
::/0                           ::                         !n   -1  1   9   lo
::1/128                        ::                         Un   0   1   1   lo
2001:470:9652:3::1/128         ::                         Un   0   1   0   lo
fe80::aed:b9ff:fef8:fc21/128   ::                         Un   0   1   0   lo
ff00::/8                       ::                         U    256 0   0   eth1
ff00::/8                       ::                         U    256 0   0   vpn0
::/0                           ::                         !n   -1  1   9   lo

netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         192.168.10.1    0.0.0.0         UG        0 0          0 eth1
10.201.253.0    *               255.255.255.0   U         0 0          0 vpn0
link-local      *               255.255.0.0     U         0 0          0 eth1
192.168.10.0    *               255.255.255.0   U         0 0          0 eth1
192.168.53.0    *               255.255.255.0   U         0 0          0 vpn0
192.168.54.0    *               255.255.255.0   U         0 0          0 vpn0
213.122.155.21  192.168.10.1    255.255.255.255 UGH       0 0          0 eth1

nslookup www.infradead.org
Server:         127.0.1.1
Address:        127.0.1.1#53

** server can't find www.infradead.org: NXDOMAIN

traceroute6 2a00:1450:400b:c02::63
connect: Network is unreachable
---------------------------------------

calling openconnect via command line
---------------------------------------
sudo openconnect -vvv asa.domain.com
Attempting to connect to 213.122.155.21:443
SSL negotiation with asa.domain.com
Server certificate verify failed: signer not found
Certificate from VPN server "asa.domain.com" failed verification.
Reason: signer not found
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on asa.domain.com
GET https://asa.domain.com/
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Thu, 14 Mar 2013 19:25:39 GMT
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length:  (0)
SSL negotiation with asa.domain.com
Server certificate verify failed: signer not found
Connected to HTTPS on asa.domain.com
GET https://asa.domain.com/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
Fixed options give
Please enter your username and password.
Username:testuser
Password:
POST https://asa.domain.com/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpnlogin=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn=<elided>; path=/; secure
Set-Cookie: webvpnc=bu:/CACHE/stc/&p:t&iu:1/&sh:184B2305E903B0BA7D5807A9665AE3EDEB4FBD8D&lu:/+CSCOT+/translation-table?textdomain%3DAnyConnect%26type%3Dmanifest&fu:profiles%2Fasa.domain.com.xml&fh:BE3E6EA0056DCDC3AD683DE2441C2E7315606731; path=/; secure
Set-Cookie: webvpnx=
Set-Cookie: webvpnaac=1; path=/; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
TCP_INFO rcv mss 1406, snd mss 1406, adv mss 1448, pmtu 1500
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Address: 192.168.54.4
X-CSTP-Netmask: 255.255.255.0
X-CSTP-Address: 2001:470:9652:3::1
X-CSTP-Netmask: 2001:470:9652:3::1/64
X-CSTP-DNS: 192.168.53.42
X-CSTP-DNS: 10.201.253.41
X-CSTP-NBNS: 192.168.53.42
X-CSTP-NBNS: 10.201.253.41
X-CSTP-Lease-Duration: 1209600
X-CSTP-Session-Timeout: none
X-CSTP-Idle-Timeout: 1800
X-CSTP-Disconnected-Timeout: 1800
X-CSTP-Default-Domain: domain.com
X-CSTP-Split-Include: 192.168.53.0/255.255.255.0
X-CSTP-Split-Include: 10.201.253.0/255.255.255.0
X-CSTP-Split-DNS: domain.com
X-CSTP-Keep: true
X-CSTP-Tunnel-All-DNS: true
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-CSTP-MSIE-Proxy-Lockdown: true
X-CSTP-Smartcard-Removal-Disconnect: true
X-DTLS-Session-ID: 51767A33B70A95BBBF90D8E82771774265CA2116873D16F70E6B366CCF91A798
X-DTLS-Port: 443
X-DTLS-Keepalive: 20
X-DTLS-DPD: 30
X-CSTP-MTU: 1373
X-DTLS-MTU: 1418
X-DTLS-CipherSuite: AES128-SHA
X-CSTP-Routing-Filtering-Ignore: false
X-CSTP-Quarantine: false
X-CSTP-Disable-Always-On-VPN: false
X-CSTP-TCP-Keepalive: true
CSTP connected. DPD 30, Keepalive 20
DTLS option X-DTLS-Session-ID : 51767A33B70A95BBBF90D8E82771774265CA2116873D16F70E6B366CCF91A798
DTLS option X-DTLS-Port : 443
DTLS option X-DTLS-Keepalive : 20
DTLS option X-DTLS-DPD : 30
DTLS option X-DTLS-MTU : 1418
DTLS option X-DTLS-CipherSuite : AES128-SHA
DTLS connected. DPD 30, Keepalive 20
Connected tun0 as 192.168.54.4 + 2001:470:9652:3::1, using SSL
Sending uncompressed data packet of 51 bytes
Sending uncompressed data packet of 62 bytes
Sending uncompressed data packet of 51 bytes
Sending uncompressed data packet of 62 bytes
Sending uncompressed data packet of 51 bytes
Sending uncompressed data packet of 51 bytes
Sending uncompressed data packet of 62 bytes
Sending uncompressed data packet of 62 bytes
No work to do; sleeping for 6000 ms...
No work to do; sleeping for 16000 ms...
Received uncompressed data packet of 126 bytes
Sending uncompressed data packet of 154 bytes
No work to do; sleeping for 20000 ms...
Established DTLS connection (using OpenSSL)

netstat -6 -r
Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met Ref Use If
2001:470:9652:3::/64           ::                         U    256 0   0   tun0
fe80::/64                      ::                         U    256 0   0   eth1
fe80::/64                      ::                         U    256 0   0   tun0
::/0                           ::                         U    1   0   0   tun0
::/0                           ::                         !n   -1  1   15  lo
::1/128                        ::                         Un   0   1   1   lo
2001:470:9652:3::1/128         ::                         Un   0   1   0   lo
fe80::aed:b9ff:fef8:fc21/128   ::                         Un   0   1   0   lo
ff00::/8                       ::                         U    256 0   0   eth1
ff00::/8                       ::                         U    256 0   0   tun0
::/0                           ::                         !n   -1  1   15  lo

netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         192.168.10.1    0.0.0.0         UG        0 0          0 eth1
10.201.253.0    *               255.255.255.0   U         0 0          0 tun0
dc-1.domain.com *               255.255.255.255 UH        0 0          0 tun0
link-local      *               255.255.0.0     U         0 0          0 eth1
192.168.10.0    *               255.255.255.0   U         0 0          0 eth1
192.168.53.0    *               255.255.255.0   U         0 0          0 tun0
dc-2.xclaimproj *               255.255.255.255 UH        0 0          0 tun0
sslc.xclaimproj *               255.255.255.255 UH        0 0          0 vpn0
192.168.54.0    *               255.255.255.0   U         0 0          0 tun0
asa.domain.com  192.168.10.1    255.255.255.255 UGH       0 0          0 eth1

nslookup www.infradead.org
Server:         192.168.53.42
Address:        192.168.53.42#53

Non-authoritative answer:
www.infradead.org       canonical name = casper.infradead.org.
Name:   casper.infradead.org
Address: 85.118.1.10

traceroute6 2a00:1450:400b:c02::63
traceroute to 2a00:1450:400b:c02::63 (2a00:1450:400b:c02::63) from 2001:470:9652:3::1, 30 hops max, 24 byte packets
 1  2001:470:9652:1::254 (2001:470:9652:1::254)  56.876 ms  48.295 ms  96.59 ms
 2  thermionic-1.tunnel.tserv5.lon1.ipv6.he.net (2001:470:1f08:1623::1)  72.007 ms  114.474 ms  67.415 ms
 3  gige-g4-8.core1.lon1.he.net (2001:470:0:67::1)  74.81 ms  87.64 ms  65.825 ms
 4  2001:7f8:4::3b41:1 (2001:7f8:4::3b41:1)  62.54 ms  63.825 ms  63.326 ms
 5  2001:4860::1:0:15f (2001:4860::1:0:15f)  66.591 ms  65.824 ms  78.254 ms
 6  2001:4860::8:0:2dde (2001:4860::8:0:2dde)  68.538 ms  66.952 ms  73.13 ms
 7  2001:4860::1:0:3a11 (2001:4860::1:0:3a11)  132.633 ms  107.85 ms  73.917 ms
 8  2001:4860::2:0:3d87 (2001:4860::2:0:3d87)  73.528 ms  72.326 ms  120.891 ms
 9  * *^C
---------------------------------------

Cheers

Arne
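As an added illustration (this is not code from the thread and not vpnc-script itself), the shell below models the route-selection rule David describes, "if split includes are listed, set only those routes, else set the default route", applied once per address family so that a Legacy-IP-only split include list still leaves IPv6 with a default route. The thread names only $CISCO_IPV6_SPLIT_INC; the other variable names used here (CISCO_SPLIT_INC, the _<n>_ADDR/_MASKLEN pairs, CISCO_SPLIT_EXC, TUNDEV) are assumed to follow vpnc-script's conventions. plan_routes only prints the ip route commands it would run and applies nothing; demo_thread_case feeds it the values from the CONNECT response quoted above.

```shell
#!/bin/sh
# Added example, not vpnc-script itself: model of the per-family rule
#   split includes listed -> only those routes; otherwise -> default route.
# Assumed variable names (only CISCO_IPV6_SPLIT_INC appears in the thread):
#   CISCO_SPLIT_INC, CISCO_SPLIT_INC_<n>_ADDR, CISCO_SPLIT_INC_<n>_MASKLEN,
#   CISCO_IPV6_SPLIT_INC (+ _<n>_ADDR/_MASKLEN), CISCO_SPLIT_EXC, TUNDEV.
# Nothing is applied: the functions print the "ip route" commands they would run.

# plan_family FAMILY PREFIX
#   FAMILY is "" for Legacy IP or "-6" for IPv6; PREFIX is the variable-name
#   prefix of the split include list for that family.
plan_family() {
    fam=$1 prefix=$2 dev=${TUNDEV:-tun0}
    cmd="ip${fam:+ $fam}"
    eval "count=\${${prefix}:-0}"
    if [ "$count" -gt 0 ]; then
        # Split includes present: route only those prefixes via the tunnel.
        i=0
        while [ "$i" -lt "$count" ]; do
            eval "addr=\$${prefix}_${i}_ADDR"
            eval "len=\$${prefix}_${i}_MASKLEN"
            printf '%s route add %s/%s dev %s\n' "$cmd" "$addr" "$len" "$dev"
            i=$((i + 1))
        done
    else
        # No split includes for this family: send everything via the tunnel.
        printf '%s route add default dev %s\n' "$cmd" "$dev"
    fi
}

plan_routes() {
    # The two families are decided independently, so Legacy IP split includes
    # must not suppress the IPv6 default route.
    plan_family ""  CISCO_SPLIT_INC
    plan_family -6  CISCO_IPV6_SPLIT_INC
    # The rule above ignores split excludes (the thread calls that a bug);
    # at least say so instead of dropping them silently.
    if [ "${CISCO_SPLIT_EXC:-0}" -gt 0 ]; then
        echo "warning: ${CISCO_SPLIT_EXC} split exclude(s) ignored" >&2
    fi
}

# Values from the CONNECT response quoted in the thread: two Legacy IP split
# includes, no IPv6 split includes, tunnel device tun0. Runs in a subshell so
# the assignments do not leak into the caller's environment.
demo_thread_case() (
    TUNDEV=tun0
    CISCO_SPLIT_INC=2
    CISCO_SPLIT_INC_0_ADDR=192.168.53.0  CISCO_SPLIT_INC_0_MASKLEN=24
    CISCO_SPLIT_INC_1_ADDR=10.201.253.0  CISCO_SPLIT_INC_1_MASKLEN=24
    unset CISCO_IPV6_SPLIT_INC CISCO_SPLIT_EXC
    plan_routes
)

demo_thread_case
```

For the thread's headers this prints the two Legacy IP split routes on tun0 followed by `ip -6 route add default dev tun0`, which is exactly the difference between the two `netstat -6 -r` listings above: the working command-line run has the `::/0 ... tun0` entry, the NetworkManager run does not. Comparing the printed plan against the live routing table is a quick way to tell whether the script or the caller (here NetworkManager's plugin) dropped the IPv6 default route.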