Limiting changes to routing table and resolver with vpnc-script(s)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello!

I've just begun using OpenConnect from a Linux server and I have to
admit that I was pleasantly surprised that I got things up and running
so quickly. As a programmer and not a network engineer, it was easy to
get lost in the sea of FooSwan and BarSwan the last time I tried to
figure out how to connect to a remote VPN. My customer using Cisco
AnyConnect gave me some new avenues to try to "just get connected". You
have done great work, here, and I thank you.

What is frustrating, though, is that vpnc-script ends up setting-up all
of the routes that are suggested by the VPN server. As it happens, I
need to contact exactly one port on one host via the VPN, and I don't
need DNS or anything like that, so I was hoping there was a way to limit
the amount of routing and resolver "damage" that the VPN server's
laundry list of routes would do.

I did notice that there is a vpnc-script-ssh and the documentation
sounds encouraging: use that script instead and then you can use ssh
tunnels and such to poke individual connections through the VPN
connection. Yay! Unfortunately, when I use vpnc-script-ssh, I get an
error saying that the netns command is failing possible due to missing
kernel support.

Here's my kernel info:
Linux dev.chadis.com 2.6.32-312-ec2 #24-Ubuntu SMP Fri Jan 7 18:30:50
UTC 2011 x86_64 GNU/Linux

This is on Debian Wheezy (current stable), and I built OpenConnect from
source rather than install the Debian package which has something like
10,000 dependent packages including Gnome Streaming Media Framework and
a whole bunch of other utter garbage. The build went well after
installing some -dev packages and everything else seems to be working
just fine.

The vpnc-scripts have indeed come from the Debian package repository so
I would imagine that they have been customized if necessary for my local
environment.

If I run "ip netns list" or "ip netns monitor", I don't get any errors.
"list" gives no output and "monitor" just sits there, presumably
monitoring :)

Any ideas of what might be the problem with netns for me?

Are there ways to limit what the "standard" vpnc-script will change --
e.g. don't change resolver settings and limit static routes to some
particular host or netmask or something?

Thanks very much,
-chris



[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]


  Powered by Linux