Comment 22 for bug 364844

Juliano Ravasi (jravasi) wrote :

Mathieu,

I don't think 0.0.0.0 will ever appear as a VPN tunnel endpoint in any sane environment, oh please. You are ignoring how VPNC works. VPNC creates point-to-point connections, and routes the traffic through the tunnel. The netmask is not used for the endpoint, but for the route created afterwards. If you check /etc/vpnc/vpnc-script (which is the default setup script used by vpnc-connect, and which NetworkManager overrides), it has these commands:

  # Point to point interface require a netmask of 255.255.255.255 on some systems
  ifconfig "$TUNDEV" inet "$INTERNAL_IP4_ADDRESS" $ifconfig_syntax_ptp "$INTERNAL_IP4_ADDRESS" netmask 255.255.255.255 mtu ${MTU} up

  if [ -n "$INTERNAL_IP4_NETMASK" ]; then
    set_network_route $INTERNAL_IP4_NETADDR $INTERNAL_IP4_NETMASK $INTERNAL_IP4_NETMASKLEN
  fi

Note that the endpoint address netmask is _always_ 255.255.255.255, a.k.a. /32. The set_network_route function above only sets the endpoint route, not the default route (another function does that). For your convenience (IPROUTE=ip):

  set_network_route() {
    NETWORK="$1"
    NETMASK="$2"
    NETMASKLEN="$3"
    $IPROUTE route replace "$NETWORK/$NETMASKLEN" dev "$TUNDEV"
    $IPROUTE route flush cache
  }

When INTERNAL_IP4_NETMASK is not set, this function is not called, which makes sense exactly when the internal netmask is /32 (there is no point in such a route, since it is always local).

When using vpnc-connect, which uses the script above, the tunnel works properly; while when using NetworkManager, which overrides the script above with the problematic binary I'm suggesting the patch for, it doesn't.

There is a misunderstanding in variable names between vpnc and network-manager-vpnc. INTERNAL_IP4_NETMASK from VPNC is not to be used in the endpoint address, while NetworkManager uses the value passed in NM_VPN_PLUGIN_IP4_CONFIG_PREFIX for such a thing. The nm-vpnc helper seems more broken than it looks, but since there are reports of it working in some cases, I went through the safe route and only set it to the correct value when NETMASK is missing.

The issue has not been resolved, as you can see from the comments above, and I ran into exactly the same issue now in my fully updated Natty installation. So, please, undo the "Fix Released" status, since it requires, at minimum, more investigation.

As I understand, network-manager-vpnc is a plugin separate from network-manager. I already sent the patch to Dan Williams, who is listed in the MAINTAINERS file for the package, but it is taking some time to get a reply.
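
The address/route split described in this comment, as an added example (not part of the original comment, and not the patch or the nm-vpnc helper's code): the tunnel address is always reported as /32, and INTERNAL_IP4_NETMASK only produces a network route when it is set. The function names mask_to_prefix and plan_tunnel, the output format and the sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. mask_to_prefix and plan_tunnel are hypothetical names.

# Convert a dotted netmask to a prefix length.
# Returns 1 on malformed or non-contiguous masks (e.g. 255.0.255.0).
mask_to_prefix() {
  mask=$1 len=0 seen_zero=0
  case $mask in ''|*[!0-9.]*) return 1 ;; esac
  old_ifs=$IFS; IFS=.
  set -- $mask
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in
      255) bits=8 ;; 254) bits=7 ;; 252) bits=6 ;; 248) bits=5 ;;
      240) bits=4 ;; 224) bits=3 ;; 192) bits=2 ;; 128) bits=1 ;;
      0) bits=0 ;;
      *) return 1 ;;
    esac
    # Once an octet is not 255, every later octet must be 0.
    if [ "$seen_zero" -eq 1 ] && [ "$bits" -ne 0 ]; then return 1; fi
    [ "$bits" -eq 8 ] || seen_zero=1
    len=$((len + bits))
  done
  echo "$len"
}

# Read vpnc's environment and print what should be configured:
#   address <ip>/32      always, regardless of INTERNAL_IP4_NETMASK
#   route <net>/<len>    only when INTERNAL_IP4_NETMASK is set
plan_tunnel() {
  [ -n "${INTERNAL_IP4_ADDRESS:-}" ] || return 1
  route_line=
  if [ -n "${INTERNAL_IP4_NETMASK:-}" ]; then
    route_len=$(mask_to_prefix "$INTERNAL_IP4_NETMASK") || return 1
    route_line="route ${INTERNAL_IP4_NETADDR:-}/$route_len"
  fi
  echo "address $INTERNAL_IP4_ADDRESS/32"
  if [ -n "$route_line" ]; then echo "$route_line"; fi
}

# Constructed sample values, not taken from the bug report:
# the concentrator sent an address but no netmask.
INTERNAL_IP4_ADDRESS=10.8.0.5 INTERNAL_IP4_NETMASK= INTERNAL_IP4_NETADDR=
plan_tunnel
```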