vpnc connects, but does not work

perryh at pluto.rain.com perryh at pluto.rain.com
Wed Dec 24 11:38:18 UTC 2008 

I have installed vpnc to connect to an employer's Cisco VPN
system, and it seems to make the connection, but after connecting
I can't ping the gateway nor anything beyond it.  The symptom
seems to resemble what is described in the Routing section of
http://www.cs.rpi.edu/~flemej/fbsd-cisco-vpn.pdf, but since that
is using a completely different setup on the FreeBSD side I have
no idea whether the remedy described there is applicable (nor,
if it is, how to determine the addresses to use in this case).

Does this look at all familiar to anyone?  I didn't find anything
that seemed applicable in recent ports@ or questions@ archives.
(I have XX'd out potentially-sensitive material in the following.)

  # /usr/local/sbin/vpnc
  Enter password for XXX at XXX.XXX.com:
  Connect Banner:
  | *** XXX, Inc. Authorized Use Only ***

  add host YYY.YYY.127.228: gateway 192.168.200.254
  add net ZZZ.ZZZ.0.0: gateway ZZZ.ZZZ.233.42
<snipped 56 other "add net" lines, all with the same
 gateway address, none to any ZZZ.ZZZ address until:>
  add net ZZZ.ZZZ.57.128: gateway ZZZ.ZZZ.233.42
  add net ZZZ.ZZZ.57.133: gateway ZZZ.ZZZ.233.42
  VPNC started in background (pid: 24776)...

The addresses in those last two "add net" lines seem to be the
nameservers:

  $ cat /etc/resolv.conf
  #@VPNC_GENERATED@ -- this file is generated by vpnc
  # and will be overwritten by vpnc 
  # as long as the above mark is intact
  nameserver ZZZ.ZZZ.57.128
  nameserver ZZZ.ZZZ.57.133
  search XXX.com

which leads me to wonder whether they really ought to be "add host"
-- for that matter it's not clear they're needed at all since they
should be covered by the "add net ZZZ.ZZZ.0.0" -- but I guess that
may not make much difference when I can't even ping my own gateway
(tun0) address :(

  $ ping ZZZ.ZZZ.233.42
  PING ZZZ.ZZZ.233.42 (ZZZ.ZZZ.233.42): 56 data bytes
  ^C
  --- ZZZ.ZZZ.233.42 ping statistics ---
  4 packets transmitted, 0 packets received, 100% packet loss

  $ ping ZZZ.ZZZ.57.128
  PING ZZZ.ZZZ.57.128 (ZZZ.ZZZ.57.128): 56 data bytes
  ^C
  --- ZZZ.ZZZ.57.128 ping statistics ---
  10 packets transmitted, 0 packets received, 100% packet loss

  $ ping ZZZ.ZZZ.57.133
  PING ZZZ.ZZZ.57.133 (ZZZ.ZZZ.57.133): 56 data bytes
  ^C
  --- ZZZ.ZZZ.57.133 ping statistics ---
  27 packets transmitted, 0 packets received, 100% packet loss

  $ ifconfig -a
  xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
          options=9<RXCSUM,VLAN_MTU>
          inet6 fe80::2b0:d0ff:fe28:ad4f%xl0 prefixlen 64 scopeid 0x1
          inet 192.168.200.61 netmask 0xffffff00 broadcast 192.168.200.255
          ether 00:b0:d0:28:ad:4f
          media: Ethernet autoselect (10baseT/UTP)
          status: active
  plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
  lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
          inet6 ::1 prefixlen 128
          inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
          inet 127.0.0.1 netmask 0xff000000
  tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1412
          inet6 fe80::2b0:d0ff:fe28:ad4f%tun0 prefixlen 64 scopeid 0x4
          inet ZZZ.ZZZ.233.42 --> ZZZ.ZZZ.233.42 netmask 0xffffffff
          Opened by PID 24635

Meanwhile I _can_ ping YYY.YYY.127.228, which I guess is the
concentrator's public IP address:

  $ ping YYY.YYY.127.228
  PING YYY.YYY.127.228 (YYY.YYY.127.228): 56 data bytes
  64 bytes from YYY.YYY.127.228: icmp_seq=0 ttl=116 time=53.226 ms
  64 bytes from YYY.YYY.127.228: icmp_seq=1 ttl=116 time=52.982 ms
  64 bytes from YYY.YYY.127.228: icmp_seq=2 ttl=116 time=53.130 ms
  ^C
  --- YYY.YYY.127.228 ping statistics ---
  3 packets transmitted, 3 packets received, 0% packet loss
  round-trip min/avg/max/stddev = 52.982/53.113/53.226/0.100 ms

  $ netstat -r -n
  Routing tables

  Internet:
  Destination        Gateway            Flags    Refs      Use  Netif Expire
  default            192.168.200.254    UGS         0  2209723    xl0
<snip lines corresponding to snipped "add net" lines above>
  127.0.0.1          127.0.0.1          UH          0        2    lo0
  ZZZ.ZZZ            ZZZ.ZZZ.233.42     UGS         0        0   tun0
  ZZZ.ZZZ.57.128/32  ZZZ.ZZZ.233.42     UGS         0       19   tun0
  ZZZ.ZZZ.57.133/32  ZZZ.ZZZ.233.42     UGS         0       18   tun0
  ZZZ.ZZZ.233.42     ZZZ.ZZZ.233.42     UH         59       20   tun0
  YYY.YYY.127/27     ZZZ.ZZZ.233.42     UGS         0        0   tun0
  YYY.YYY.127.96/27  ZZZ.ZZZ.233.42     UGS         0        0   tun0
  YYY.YYY.127.224/27 ZZZ.ZZZ.233.42     UGS         0        0   tun0
  YYY.YYY.127.228    192.168.200.254    UGHS        0      106    xl0
  192.168.200        link#1             UC          0        0    xl0
  192.168.200.254    00:09:5b:a1:c8:9e  UHLW        3  4318078    xl0   1148
  192.168.200.255    ff:ff:ff:ff:ff:ff  UHLWb       1        3    xl0

More information about the freebsd-ports mailing list