
#1 2013-08-23 08:41:37

btorb
Member
Registered: 2012-08-06
Posts: 28

VPN client issues, networkmanager doesn't work & DNS routing issues

First, an apology for the vague subject, but the subject at least matches my problems.

I recently re-installed Arch from scratch on my T420s laptop using the August image. The only issue I encounter is a vague problem with VPN while I try to connect to a VPN network. The network is a Cisco AnyConnect.

1. So I installed network-manager-openconnect (just as on my other laptop which also runs arch). I use the nm-applet interface. After adding a profile, it seems to connect, the icon on the nm-applet changes to the VPN one. But, I cannot connect to anything!

journalctl -f gives me the following output:

Aug 23 10:26:47 bt420s NetworkManager[237]: <info> Starting VPN service 'openconnect'...
Aug 23 10:26:47 bt420s NetworkManager[237]: <info> VPN service 'openconnect' started (org.freedesktop.NetworkManager.openconnect), PID 5442
Aug 23 10:26:47 bt420s NetworkManager[237]: <info> VPN service 'openconnect' appeared; activating connections
Aug 23 10:26:52 bt420s NetworkManager[237]: <info> VPN plugin state changed: starting (3)
Aug 23 10:26:52 bt420s kernel: IPv6: ADDRCONF(NETDEV_UP): vpn0: link is not ready
Aug 23 10:26:52 bt420s NetworkManager[237]: <warn> /sys/devices/virtual/net/vpn0: couldn't determine device driver; ignoring...
Aug 23 10:26:52 bt420s NetworkManager[237]: <info> VPN connection 'VPN connection 1' (Connect) reply received.
Aug 23 10:26:52 bt420s openconnect[5449]: Attempting to connect to server [removed_for_confidentiality]:443
Aug 23 10:26:52 bt420s dhcpcd[249]: vpn0: waiting for carrier
Aug 23 10:26:52 bt420s dhcpcd[249]: vpn0: carrier acquired
Aug 23 10:26:52 bt420s dhcpcd[249]: vpn0: carrier lost
Aug 23 10:26:52 bt420s dhcpcd[249]: vpn0: waiting for carrier
Aug 23 10:26:52 bt420s openconnect[5449]: SSL negotiation with [removed_for_confidentiality]
Aug 23 10:26:52 bt420s openconnect[5449]: Connected to HTTPS on [removed_for_confidentiality]
Aug 23 10:26:52 bt420s openconnect[5449]: Got CONNECT response: HTTP/1.1 200 OK
Aug 23 10:26:52 bt420s openconnect[5449]: CSTP connected. DPD 30, Keepalive 30
Aug 23 10:26:52 bt420s dhcpcd[249]: vpn0: carrier acquired
Aug 23 10:26:52 bt420s kernel: IPv6: ADDRCONF(NETDEV_CHANGE): vpn0: link becomes ready
Aug 23 10:26:52 bt420s NetworkManager[237]: <info> VPN connection 'VPN connection 1' (IP Config Get) reply received.
Aug 23 10:26:52 bt420s NetworkManager[237]: <info> VPN connection 'VPN connection 1' (IP4 Config Get) reply received.
Aug 23 10:26:52 bt420s NetworkManager[237]: <info> VPN Gateway: 192.[removed_for_confidentiality]
Aug 23 10:26:52 bt420s NetworkManager[237]: <info> Tunnel Device: vpn0
Aug 23 10:26:52 bt420s NetworkManager[237]: <info> IPv4 configuration:
Aug 23 10:26:52 bt420s NetworkManager[237]: <info>   Internal Address: 128.[removed_for_confidentiality]
Aug 23 10:26:52 bt420s NetworkManager[237]: <info>   Internal Prefix: 24
Aug 23 10:26:52 bt420s NetworkManager[237]: <info>   Internal Point-to-Point Address: 128.[removed_for_confidentiality]
Aug 23 10:26:52 bt420s NetworkManager[237]: <info>   Maximum Segment Size (MSS): 0
Aug 23 10:26:52 bt420s NetworkManager[237]: <info>   Forbid Default Route: no
Aug 23 10:26:52 bt420s NetworkManager[237]: <info>   DNS Domain: '(none)'
Aug 23 10:26:52 bt420s NetworkManager[237]: <info> No IPv6 configuration
Aug 23 10:26:52 bt420s openconnect[5449]: Connected vpn0 as 128.[removed_for_confidentiality], using SSL
Aug 23 10:26:52 bt420s dhcpcd[249]: vpn0: soliciting an IPv6 router
Aug 23 10:26:52 bt420s openconnect[5449]: Established DTLS connection (using GnuTLS)
Aug 23 10:26:53 bt420s NetworkManager[237]: nm_system_add_ip4_vpn_gateway_route: assertion `parent_config != NULL' failed
Aug 23 10:26:53 bt420s NetworkManager[237]: <info> VPN connection 'VPN connection 1' (IP Config Get) complete.
Aug 23 10:26:53 bt420s NetworkManager[237]: <info> Policy set 'VPN connection 1' (vpn0) as default for IPv4 routing and DNS.
Aug 23 10:26:53 bt420s NetworkManager[237]: <info> Removing DNS information from /usr/bin/resolvconf
Aug 23 10:26:53 bt420s NetworkManager[237]: <info> VPN plugin state changed: started (4)
Aug 23 10:26:53 bt420s dbus[242]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service'
Aug 23 10:26:53 bt420s dbus-daemon[242]: dbus[242]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedes...r.service'
Aug 23 10:26:53 bt420s systemd[1]: Starting Network Manager Script Dispatcher Service...
Aug 23 10:26:53 bt420s dbus-daemon[242]: dbus[242]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Aug 23 10:26:53 bt420s dbus[242]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Aug 23 10:26:53 bt420s systemd[1]: Started Network Manager Script Dispatcher Service.
Aug 23 10:26:53 bt420s NetworkManager[237]: keyfile: updating /etc/NetworkManager/system-connections/VPN connection 1

My main concern goes to the "DNS Domain: '(none)'" and the "nm_system_add_ipv_vpn_gateway_route [...] failed"
Anyone any idea? On my other laptop it works like a charm (I solely use Openbox WM, no DE)

2. I tried to connect with openconnect directly

sudo openconnect <my_vpn_sever_somewhere>

This option works... a little bit. I can connect to machines on the VPN network and I seem to be able to connect to *some* websites. It occurs to me I can connect to websites in the cache, or websites whose name is already resolved. Websites that I haven't accessed before in Firefox seem not to work (although the content is new, so not from the cache). To me it seems like a major routing problem, but I do not have the knowledge even to know where to start looking to solve this issue.

Directly invoking openconnect does not generate too much log. But below is the complete output from journalctl -f:


Aug 23 10:36:42 bt420s sudo[5850]: btorb : TTY=pts/3 ; PWD=/home/btorb ; USER=root ; COMMAND=/usr/bin/openconnect vpn.[removed_for_confidentiality]
Aug 23 10:36:42 bt420s sudo[5850]: pam_unix(sudo:session): session opened for user root by btorb(uid=0)
Aug 23 10:36:52 bt420s NetworkManager[237]: <warn> /sys/devices/virtual/net/tun0: couldn't determine device driver; ignoring...
Aug 23 10:36:52 bt420s dhcpcd[249]: tun0: soliciting an IPv6 router

# Added: here it works, I can connect with ssh to machines if I give their IP. I can also visit some websites.
# Now I kill the openconnect, by Control-C in that terminal

Aug 23 10:37:19 bt420s dhcpcd[249]: tun0: carrier lost
Aug 23 10:37:19 bt420s dhcpcd[249]: tun0: removing interface
Aug 23 10:37:19 bt420s sudo[5850]: pam_unix(sudo:session): session closed for user root

Any ideas?

Last edited by btorb (2013-08-23 08:42:00)


#2 2013-08-23 11:17:11

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: VPN client issues, networkmanager doesn't work & DNS routing issues

I have not used openconnect, but the following from your log reads related:

btorb wrote:

Aug 23 10:26:53 bt420s NetworkManager[237]: nm_system_add_ip4_vpn_gateway_route: assertion `parent_config != NULL' failed
Aug 23 10:26:53 bt420s NetworkManager[237]: <info> VPN connection 'VPN connection 1' (IP Config Get) complete.
Aug 23 10:26:53 bt420s NetworkManager[237]: <info> Policy set 'VPN connection 1' (vpn0) as default for IPv4 routing and DNS.
Aug 23 10:26:53 bt420s NetworkManager[237]: <info> Removing DNS information from /usr/bin/resolvconf

After the connect, have a look at what /etc/resolv.conf and the default route (ip r) look like. Which entries are in the resolv file? Then have a look at the NM-applet settings for the DNS settings.
Given that log, you should at least be able to work around the issue by manually adding the DNS you want to use (e.g. the VPN gateway IP plus any others you like) and forbidding changes:

# chattr +i /etc/resolv.conf


#3 2013-08-23 14:43:56

btorb
Member
Registered: 2012-08-06
Posts: 28

Re: VPN client issues, networkmanager doesn't work & DNS routing issues

OK, I can see some clear differences in both /etc/resolv.conf and in the default route.

As said, with openconnect I get a connection, but not all websites can be visited (which sounds weird to me too, but it is the case!). After connecting with openconnect, /etc/resolv.conf becomes:

# Generated by resolvconf
domain home
nameserver 195.130.131.133
nameserver 195.130.130.5

which is exactly the same as before connecting with the VPN network. "ip r" gives the following:

default dev tun0  scope link 
default via 192.168.0.1 dev enp0s25  metric 202 
128.178.195.0/24 dev tun0  scope link 
192.33.201.42 via 192.168.0.1 dev enp0s25  src 192.168.0.226 
192.168.0.0/24 dev enp0s25  proto kernel  scope link  src 192.168.0.226  metric 202 
192.168.0.226 via 127.0.0.1 dev lo  metric 202 

When I connect with nm-applet, the story is quite different. /etc/resolv.conf:

# Generated by NetworkManager

So clearly no DNS servers are listed.

And "ip r":

default dev vpn0  proto static 
default via 192.168.0.1 dev enp0s25  metric 202 
128.178.195.0/24 dev vpn0  proto kernel  scope link  src 128.178.195.98 
192.168.0.0/24 dev enp0s25  proto kernel  scope link  src 192.168.0.226  metric 202 
192.168.0.226 via 127.0.0.1 dev lo  metric 202 

Shouldn't I normally get another DNS server assigned after connecting to the VPN network? (I don't have my other laptop with Arch anymore, so I cannot benchmark these outcomes.) And a major difference seems to be the use of the "tun0" device by openconnect, while NetworkManager uses "vpn0".

Any ideas? (openconnect works for the most part, but not completely as described in post #1, so just switching to giving the openconnect command is not a direct solution)
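
Added example, not part of the original posts: a Python sketch of the check suggested in post #2, run over the /etc/resolv.conf and "ip r" output copied from post #3. It reports which interface each configured resolver's traffic would leave through (longest prefix first, then lowest metric); the function and constant names are made up for this illustration.

```python
import ipaddress

# Copied from post #3: state after connecting with `sudo openconnect`.
OC_RESOLV = """# Generated by resolvconf
domain home
nameserver 195.130.131.133
nameserver 195.130.130.5
"""
OC_ROUTES = """default dev tun0  scope link
default via 192.168.0.1 dev enp0s25  metric 202
128.178.195.0/24 dev tun0  scope link
192.33.201.42 via 192.168.0.1 dev enp0s25  src 192.168.0.226
192.168.0.0/24 dev enp0s25  proto kernel  scope link  src 192.168.0.226  metric 202
192.168.0.226 via 127.0.0.1 dev lo  metric 202
"""
# Copied from post #3: resolv.conf after connecting through nm-applet.
NM_RESOLV = "# Generated by NetworkManager\n"

def parse_nameservers(resolv_text):
    """Return the nameserver addresses listed in resolv.conf text."""
    fields = (line.split("#", 1)[0].split() for line in resolv_text.splitlines())
    return [f[1] for f in fields if len(f) >= 2 and f[0] == "nameserver"]

def parse_routes(route_text):
    """Parse `ip r` output into (network, device, metric) tuples."""
    routes = []
    for line in route_text.splitlines():
        tok = line.split()
        if "dev" not in tok:  # blank lines, blackhole/unreachable routes
            continue
        dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        metric = int(tok[tok.index("metric") + 1]) if "metric" in tok else 0
        routes.append((ipaddress.ip_network(dest, strict=False),
                       tok[tok.index("dev") + 1], metric))
    return routes

def egress_device(address, routes):
    """Pick the device by longest matching prefix, then lowest metric."""
    ip = ipaddress.ip_address(address)
    best = min((r for r in routes if ip in r[0]),
               key=lambda r: (-r[0].prefixlen, r[2]), default=None)
    return best[1] if best else None

def dns_paths(resolv_text, route_text):
    """Map each configured resolver to the interface its queries leave through."""
    routes = parse_routes(route_text)
    return {ns: egress_device(ns, routes) for ns in parse_nameservers(resolv_text)}

if __name__ == "__main__":
    print("openconnect:", dns_paths(OC_RESOLV, OC_ROUTES))
    print("nm-applet:  ", dns_paths(NM_RESOLV, OC_ROUTES) or "no resolvers configured")
```

On the openconnect data both resolvers map to tun0, and the nm-applet resolv.conf yields no resolvers at all. On a live system, `ip route get <address>` answers the same question for a single address.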


#4 2013-08-23 23:49:47

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: VPN client issues, networkmanager doesn't work & DNS routing issues

What about the VPN connection in NetworkManager? I suppose it is set to automatic DNS. But you can specify DNS servers in the applet on top for each connection. Clearly the empty resolv.conf is just what NM's log says, "removing DNS", which is a bit odd, yes. It should not be empty if you add DNS servers manually there. What happens if you just add the ones you get on the console and add an OpenDNS or Google's or another?


#5 2013-08-25 06:28:07

btorb
Member
Registered: 2012-08-06
Posts: 28

Re: VPN client issues, networkmanager doesn't work & DNS routing issues

As said in the first post, I do use NetworkManager (I just also tried manually with openconnect). So yes, it must be a routing problem. I'll check if I can change the DNS servers to the ones I get when manually connecting.

However, and unsure if this is the best place to mention this, right now I encounter a strange problem when using NetworkManager. If I connect to a WPA_PSK encrypted wireless network, the symbol of nm-applet remains as if "connecting" (the swirling dots). I *do have* a connection, but nm-applet thinks it is still connecting. As a consequence, I cannot even try to connect to the VPN network through NetworkManager as these options are disabled while "connecting".

(I'm on a trip, so forgive my slow responses.) Any idea is welcome!
