Hello,

On Monday, 2 March 2015, 21:01:48, Mick wrote:
> On Monday 02 Mar 2015 18:07:45 Petric Frank wrote:
> > Hello,
> >
> > this is not a Gentoo problem per se, but I'm getting it under Gentoo.
> >
> > Running KDE + Networkmanager
> > (net-misc/networkmanager-0.9.10.1_pre20141101) together with vpnc plugin
> > (net-misc/networkmanager-vpnc-0.9.10.0).
> >
> > I have set up a VPN connection to an AVM FritzBox (which is using - as far
> > as I can evaluate - a Cisco like IPSec tunnel).
> >
> > This is running very well, but after exactly 1 hour the connection is
> > dropped. I can reconnect, but it also lasts 1 hour.
> >
> > After some crawling through the net it seems that a key validity runs out
> > of time at the client side. It looks like this one
> >
> > https://bugs.launchpad.net/ubuntu/+source/vpnc/+bug/479632
> >
> > The nmcli output for this connection reads like this (some obfuscated):
> > ------------------------ cut -----------------------------
> > ===========================================================================
> >                   Details des Verbindungsprofils (XX)
> > ===========================================================================
> > connection.id:                    XX
> > connection.uuid:                  11111111111111-2222-33333333333333333
> > connection.interface-name:        --
> > connection.type:                  vpn
> > connection.autoconnect:           no
> > connection.timestamp:             1425319416
> > connection.read-only:             no
> > connection.permissions:
> > connection.zone:
> > connection.master:                --
> > connection.slave-type:            --
> > connection.secondaries:
> > connection.gateway-ping-timeout:  0
> > ---------------------------------------------------------------------------
> > ipv4.method:                      auto
> > ipv4.dns:
> > ipv4.dns-search:
> > ipv4.addresses:
> > ipv4.routes:
> > ipv4.ignore-auto-routes:          yes
> > ipv4.ignore-auto-dns:             no
> > ipv4.dhcp-client-id:              --
> > ipv4.dhcp-send-hostname:          yes
> > ipv4.dhcp-hostname:               --
> > ipv4.never-default:               yes
> > ipv4.may-fail:                    no
> > ---------------------------------------------------------------------------
> > ipv6.method:                      ignore
> > ipv6.dns:
> > ipv6.dns-search:
> > ipv6.addresses:
> > ipv6.routes:
> > ipv6.ignore-auto-routes:          no
> > ipv6.ignore-auto-dns:             no
> > ipv6.never-default:               no
> > ipv6.may-fail:                    yes
> > ipv6.ip6-privacy:                 0 (deaktiviert)
> > ipv6.dhcp-hostname:               --
> > ---------------------------------------------------------------------------
> > vpn.service-type:                 org.freedesktop.NetworkManager.vpnc
> > vpn.user-name:                    --
> > vpn.data:                         Local Port = 0, IKE DH Group = dh2,
> >   Perfect Forward Secrecy = server, Xauth password-flags = 1,
> >   IPSec ID = u...@host.loc, IPSec gateway = open.nsupdate.info,
> >   Xauth username = u...@host.loc, Cisco UDP Encapsulation Port = 0,
> >   Vendor = cisco, IPSec secret-flags = 1, NAT Traversal Mode = natt
> > vpn.secrets:
> > ------------------------ cut -----------------------------
> >
> > Any hints?
> >
> > regards
> >
> > Petric
>
> Going from memory here, but I recall that the VPNC client had problems
> rekeying SAs in Phase 2. I seem to recall there was a bug but can't recall
> if it was ever patched.
>
> Yep - see here, a regression problem with version net-misc/vpnc-0.5.3:
>
> http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-July/003127.html
>
> I see that portage has 0.5.3_p527-r1 as stable, but I don't know if this
> includes any necessary patches. You could check the changelog.

The vpnc homepage says in its TODO chapter:
  "phase2-rekeying is now supported as of svn revision 126!"

The changelog states for 0.5.2:
  "Fix Phase 2 rekeying, by various authors"

I don't know whether this is in line with your statement above.

So it seems not to be completely fixed. The homepage has not been updated for
the last 7 years.

> BTW, have you tried more actively developed VPN software like strongswan
> (it has a networkmanager plugin) or even ipsec-tools instead of vpnc, to
> see if you're getting the same problem? I think that they should work
> with Cisco VPN gateways, although it may be fiddly to set them up.

I can find only ebuilds of (networkmanager-)openswan in the official tree.
strongswan is in the stable tree but not the networkmanager plugin.

I tried the one from the zugaina overlay (v. 1.3.0) but it seems to miss the
dependency on libgnomeui. I do not have gnome installed (and don't intend to
do so). My desktop is a KDE one.

Does anyone have an ebuild/package not requiring gnome?

regards
  Petric