vpnc dead peer detection disconnects immediately

I'm also having this same issue.

However, mine will stay connected for < 30 seconds. Tho it seems it depends on the amount of data. Its about long enough for me to ssh into a host and su to root, and then it stops responding, and this error is in /var/log/syslog

Mar 18 19:43:28 carnage vpnc[11612]: connection terminated by dead peer detection

Uname: Linux carnage 2.6.20-12-generic #2 SMP Sun Mar 18 03:07:14 UTC 2007 i686 GNU/Linux

Date: Sun Mar 18 19:45:57 MDT 2007

I got the same issue.
There is no workarround for this.

>uname -a
Linux phobos 2.6.20-11-generic #2 SMP Thu Mar 15 08:03:07 UTC 2007 i686

+1

I downgraded to 0.3.3 to get things working again.

$ uname -a
Linux strongbadia 2.6.20-11-generic #2 SMP Thu Mar 15 03:43:56 UTC 2007 x86_64 GNU/Linux

Yet another vote for this being a problem. I'm on Feisty with all of the latest packages as of this morning. I get disconnected withing 60 seconds every time.

Deven Phillips, CISSP, CCNA
Systems Administrator
Metal Sales Manufacturing Corp.

Same problem here, 5 to 30 seconds until disconnect.

$ apt-show-versions vpnc
vpnc/feisty uptodate 0.4.0-2ubuntu1

$ uname -a
Linux AngryButler68 2.6.20-13-386 #2 Sun Mar 25 00:18:53 UTC 2007 i686 GNU/Linux

I'm marking this confirmed since couple of users reported this. I use vpnc on daily basis and this kind of thing never hapend.

Ante,

    Are you using the 4.x vpnc?

Deven

Additional Information:

Version installed: vpnc-0.4.0-2ubuntu1

Connecting to PIX 515 using Group Auth and XAuth.

Log message: vpnc[13375]: connection terminated by dead peer detection

See attachment for output from "vpnc-connect --debug 3 --no-detach <Profile>"

I also have the same problem. It lasts about 30 seconds and dies every time.
I have all the latest Feisty updates as of 03/29/2007

wharvey@nforce41:~$ apt-show-versions vpnc
vpnc/feisty uptodate 0.4.0-2ubuntu1

A few weeks ago everything worked fine.

To the same server:
WindowsXP default VPNC client works fine.
Cisco Client for my Mac works fine.
Default Mac client won't connect at all.

I don't know how to install an older version except doing the way I just did:

Added into /etc/apt/source.list:

deb http://se.archive.ubuntu.com/ubuntu/ edgy universe
deb-src http://se.archive.ubuntu.com/ubuntu/ edgy universe

Started Synaptics, searched for 'vpnc' and deinstalled my current version. Then I chose the menu Package and from there chose 'Force Version' to install v0.3.3+SVN.

This solved the problem, I now have a stable connection.

What devices are everyone connecting to. Could this problem be specific to
the PIX? Are any VPN concentrator users having this issue?

Deven Phillips, CISSP, CCNA

On 4/3/07, ThomasNovin <email address hidden> wrote:
>
> I don't know how to install an older version except doing the way I just
> did:
>
> Added into /etc/apt/source.list:
>
> deb http://se.archive.ubuntu.com/ubuntu/ edgy universe
> deb-src http://se.archive.ubuntu.com/ubuntu/ edgy universe
>
> Started Synaptics, searched for 'vpnc' and deinstalled my current
> version. Then I chose the menu Package and from there chose 'Force
> Version' to install v0.3.3+SVN.
>
> This solved the problem, I now have a stable connection.
>
> --
> vpnc dead peer detection disconnects immediately
> https://bugs.launchpad.net/bugs/93413
> You received this bug notification because you are a direct subscriber
> of the bug.
>

The one I was connecting to was a Cisco Pix 515. Which I know is very
old. Its been since swapped with a newer ASA, but I have yet to test to
see if I'm still having problems with the ASA. But after seeing someone
else having problems also with an older PIX, I've wondered myself if its
just a problem with connecting to them.

DevenPhillips wrote:
> What devices are everyone connecting to. Could this problem be specific to
> the PIX? Are any VPN concentrator users having this issue?
>
> Deven Phillips, CISSP, CCNA
>
> On 4/3/07, ThomasNovin <email address hidden> wrote:
>> I don't know how to install an older version except doing the way I just
>> did:
>>
>> Added into /etc/apt/source.list:
>>
>> deb http://se.archive.ubuntu.com/ubuntu/ edgy universe
>> deb-src http://se.archive.ubuntu.com/ubuntu/ edgy universe
>>
>> Started Synaptics, searched for 'vpnc' and deinstalled my current
>> version. Then I chose the menu Package and from there chose 'Force
>> Version' to install v0.3.3+SVN.
>>
>> This solved the problem, I now have a stable connection.
>>
>> --
>> vpnc dead peer detection disconnects immediately
>> https://bugs.launchpad.net/bugs/93413
>> You received this bug notification because you are a direct subscriber
>> of the bug.
>>
>

PIX 515 isn't all that old. We just bought ours about 1.5 years ago.

Deven Phillips, CISSP, CCNA

On 4/3/07, Mitch <email address hidden> wrote:
>
> The one I was connecting to was a Cisco Pix 515. Which I know is very
> old. Its been since swapped with a newer ASA, but I have yet to test to
> see if I'm still having problems with the ASA. But after seeing someone
> else having problems also with an older PIX, I've wondered myself if its
> just a problem with connecting to them.
>
> DevenPhillips wrote:
> > What devices are everyone connecting to. Could this problem be specific
> to
> > the PIX? Are any VPN concentrator users having this issue?
> >
> > Deven Phillips, CISSP, CCNA
> >
> > On 4/3/07, ThomasNovin <email address hidden> wrote:
> >> I don't know how to install an older version except doing the way I
> just
> >> did:
> >>
> >> Added into /etc/apt/source.list:
> >>
> >> deb http://se.archive.ubuntu.com/ubuntu/ edgy universe
> >> deb-src http://se.archive.ubuntu.com/ubuntu/ edgy universe
> >>
> >> Started Synaptics, searched for 'vpnc' and deinstalled my current
> >> version. Then I chose the menu Package and from there chose 'Force
> >> Version' to install v0.3.3+SVN.
> >>
> >> This solved the problem, I now have a stable connection.
> >>
> >> --
> >> vpnc dead peer detection disconnects immediately
> >> https://bugs.launchpad.net/bugs/93413
> >> You received this bug notification because you are a direct subscriber
> >> of the bug.
> >>
> >
>
> --
> vpnc dead peer detection disconnects immediately
> https://bugs.launchpad.net/bugs/93413
> You received this bug notification because you are a direct subscriber
> of the bug.
>

i have issue on 501, 506, 515 until I roll back to vpnc 3.3

>From: Mitch <email address hidden>
>Reply-To: Bug 93413 <email address hidden>
>To: <email address hidden>
>Subject: Re: [Bug 93413] Re: vpnc dead peer detection disconnects
>immediately
>Date: Tue, 03 Apr 2007 16:47:45 -0000
>
>The one I was connecting to was a Cisco Pix 515. Which I know is very
>old. Its been since swapped with a newer ASA, but I have yet to test to
>see if I'm still having problems with the ASA. But after seeing someone
>else having problems also with an older PIX, I've wondered myself if its
>just a problem with connecting to them.
>
>DevenPhillips wrote:
> > What devices are everyone connecting to. Could this problem be specific
>to
> > the PIX? Are any VPN concentrator users having this issue?
> >
> > Deven Phillips, CISSP, CCNA
> >
> > On 4/3/07, ThomasNovin <email address hidden> wrote:
> >> I don't know how to install an older version except doing the way I
>just
> >> did:
> >>
> >> Added into /etc/apt/source.list:
> >>
> >> deb http://se.archive.ubuntu.com/ubuntu/ edgy universe
> >> deb-src http://se.archive.ubuntu.com/ubuntu/ edgy universe
> >>
> >> Started Synaptics, searched for 'vpnc' and deinstalled my current
> >> version. Then I chose the menu Package and from there chose 'Force
> >> Version' to install v0.3.3+SVN.
> >>
> >> This solved the problem, I now have a stable connection.
> >>
> >> --
> >> vpnc dead peer detection disconnects immediately
> >> https://bugs.launchpad.net/bugs/93413
> >> You received this bug notification because you are a direct subscriber
> >> of the bug.
> >>
> >
>
>--
>vpnc dead peer detection disconnects immediately
>https://bugs.launchpad.net/bugs/93413
>You received this bug notification because you are a direct subscriber
>of the bug.

_________________________________________________________________
The average US Credit Score is 675. The cost to see yours: $0 by Experian.
http://www.freecreditreport.com/pm/default.aspx?sc=660600&bcd=EMAILFOOTERAVERAGE

So, it appears that the issue may be specific to the PIX devices.

Deven

On 4/3/07, Lee Connell <email address hidden> wrote:
>
> i have issue on 501, 506, 515 until I roll back to vpnc 3.3
>
> >From: Mitch <email address hidden>
> >Reply-To: Bug 93413 <email address hidden>
> >To: <email address hidden>
> >Subject: Re: [Bug 93413] Re: vpnc dead peer detection disconnects
> >immediately
> >Date: Tue, 03 Apr 2007 16:47:45 -0000
> >
> >The one I was connecting to was a Cisco Pix 515. Which I know is very
> >old. Its been since swapped with a newer ASA, but I have yet to test to
> >see if I'm still having problems with the ASA. But after seeing someone
> >else having problems also with an older PIX, I've wondered myself if its
> >just a problem with connecting to them.
> >
> >DevenPhillips wrote:
> > > What devices are everyone connecting to. Could this problem be
> specific
> >to
> > > the PIX? Are any VPN concentrator users having this issue?
> > >
> > > Deven Phillips, CISSP, CCNA
> > >
> > > On 4/3/07, ThomasNovin <email address hidden> wrote:
> > >> I don't know how to install an older version except doing the way I
> >just
> > >> did:
> > >>
> > >> Added into /etc/apt/source.list:
> > >>
> > >> deb http://se.archive.ubuntu.com/ubuntu/ edgy universe
> > >> deb-src http://se.archive.ubuntu.com/ubuntu/ edgy universe
> > >>
> > >> Started Synaptics, searched for 'vpnc' and deinstalled my current
> > >> version. Then I chose the menu Package and from there chose 'Force
> > >> Version' to install v0.3.3+SVN.
> > >>
> > >> This solved the problem, I now have a stable connection.
> > >>
> > >> --
> > >> vpnc dead peer detection disconnects immediately
> > >> https://bugs.launchpad.net/bugs/93413
> > >> You received this bug notification because you are a direct
> subscriber
> > >> of the bug.
> > >>
> > >
> >
> >--
> >vpnc dead peer detection disconnects immediately
> >https://bugs.launchpad.net/bugs/93413
> >You received this bug notification because you are a direct subscriber
> >of the bug.
>
> _________________________________________________________________
> The average US Credit Score is 675. The cost to see yours: $0 by Experian.
>
> http://www.freecreditreport.com/pm/default.aspx?sc=660600&bcd=EMAILFOOTERAVERAGE
>
> --
> vpnc dead peer detection disconnects immediately
> https://bugs.launchpad.net/bugs/93413
> You received this bug notification because you are a direct subscriber
> of the bug.
>

I do not appear to have the problem on at least one ASA Version 7.1(2), but
do seem to have a problem on multiple pix's.

On 4/3/07, DevenPhillips <email address hidden> wrote:
>
> So, it appears that the issue may be specific to the PIX devices.
>
> Deven
>
> On 4/3/07, Lee Connell <email address hidden> wrote:
> >
> > i have issue on 501, 506, 515 until I roll back to vpnc 3.3
> >
> > >From: Mitch <email address hidden>
> > >Reply-To: Bug 93413 <email address hidden>
> > >To: <email address hidden>
> > >Subject: Re: [Bug 93413] Re: vpnc dead peer detection disconnects
> > >immediately
> > >Date: Tue, 03 Apr 2007 16:47:45 -0000
> > >
> > >The one I was connecting to was a Cisco Pix 515. Which I know is very
> > >old. Its been since swapped with a newer ASA, but I have yet to test
> to
> > >see if I'm still having problems with the ASA. But after seeing
> someone
> > >else having problems also with an older PIX, I've wondered myself if
> its
> > >just a problem with connecting to them.
> > >
> > >DevenPhillips wrote:
> > > > What devices are everyone connecting to. Could this problem be
> > specific
> > >to
> > > > the PIX? Are any VPN concentrator users having this issue?
> > > >
> > > > Deven Phillips, CISSP, CCNA
> > > >
> > > > On 4/3/07, ThomasNovin <email address hidden> wrote:
> > > >> I don't know how to install an older version except doing the way I
> > >just
> > > >> did:
> > > >>
> > > >> Added into /etc/apt/source.list:
> > > >>
> > > >> deb http://se.archive.ubuntu.com/ubuntu/ edgy universe
> > > >> deb-src http://se.archive.ubuntu.com/ubuntu/ edgy universe
> > > >>
> > > >> Started Synaptics, searched for 'vpnc' and deinstalled my current
> > > >> version. Then I chose the menu Package and from there chose 'Force
> > > >> Version' to install v0.3.3+SVN.
> > > >>
> > > >> This solved the problem, I now have a stable connection.
> > > >>
> > > >> --
> > > >> vpnc dead peer detection disconnects immediately
> > > >> https://bugs.launchpad.net/bugs/93413
> > > >> You received this bug notification because you are a direct
> > subscriber
> > > >> of the bug.
> > > >>
> > > >
> > >
> > >--
> > >vpnc dead peer detection disconnects immediately
> > >https://bugs.launchpad.net/bugs/93413
> > >You received this bug notification because you are a direct subscriber
> > >of the bug.
> >
> > _________________________________________________________________
> > The average US Credit Score is 675. The cost to see yours: $0 by
> Experian.
> >
> >
> http://www.freecreditreport.com/pm/default.aspx?sc=660600&bcd=EMAILFOOTERAVERAGE
> >
> > --
> > vpnc dead peer detection disconnects immediately
> > https://bugs.launchpad.net/bugs/93413
> > You received this bug notification because you are a direct subscriber
> > of the bug.
> >
>
> --
> vpnc dead peer detection disconnects immediately
> https://bugs.launchpad.net/bugs/93413
> You received this bug notification because you are a direct subscriber
> of the bug.
>

I'm having this same problem. Some code from /var/log/syslog (not too much):

Apr 5 13:45:51 ltsp-2 vpnc[30422]: connection terminated by dead peer detection

That's all that is relevant. I'm connecting to a Cisco 3060 Concentrator. Not PIX at all.

I have the same problem. vpnc disconnects in less than a minute in feisty.

With the feisty release only a week away what should we do to resolve this bug?

The Debian bug report lists a fix to be removing the patch 06_stolen_from_head.dpatch
(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=416180)

Another option would be to revert back to VPNC 3.3

Luca, Can you point this in the right direction?

Hi,

it does not seem to be specific to pix asa. I got the same problem here with a Cisco 1812 Router.

No, the bug is not PIX specific. The problem appears to be with the Dead Peer Detection code in vpnc. I have spoken with people on the vpnc development team and they are looking for people to help in debugging the problem. I would recommend rolling back to 0.3.3 for Feisty final release though.... This bug is not going to be fixed in time for release.

Deven Phillips, CISSP, CCNA

I have similar problems with the vpnc package.

Rolling back to 0.3.3 is not an option for me, because my environment requires the 'vendor' option which is introduced in 0.4.0.

Compiling 0.4.0 from source solves the problem for me.

In my opinion the best solution is to remove the patch and package vpnc as is.

I have currently rolled back to 0.3.3 but I'm willing to help out with fixing 0.4.0. While I can't offer unrestricted access to our production PIX, I'm quite happy to supply debug output where it will help. Note that I'm not really familiar with the Debian/Ubuntu build process, so I'd need to get up to speed on that first and also take some advice on what sensitive bits (usernames, passwords, etc) I'd need to be wary of in the output.

I'm seeing this problem as well ... and would be willing to help troubleshoot as much as needed. However, I'm at the same point as James Tait (I'd need very specific instructions on what to do and what to look for).

I'm connecting to a PIX 515...

Same problem, connecting to a PIX. Is there a smooth way around this problem while this is fixed in Ubuntu?

I've solved it by rebuilding without the patch:

cd /usr/src
sudo apt-get source vpnc
cd vpnc-0.4.0/debian/patches

sudo gedit 00list

remove the line 06_stolen_from_head

cd ../..
sudo debian/rules binary

cd ..

sudo apt-get remove vpnc
sudo dpkg -i vpnc_0.4.0-2ubuntu1_i386.deb

if you had installed network-manager-vpnc you'll have to reinstall it

be careful when upgrading the system, don't update vpnc or you will get the patched version

I'm working on a patch to allow a config option to disable RFC3706 Dead Peer Detection. All being well should be available in the next day or so.

I'm attaching above-mentioned patch for someone with greater knowledge than me to test.

The patch is completely untested as I currently have no idea about building and packaging in Ubuntu. I'm sure I'll get up to speed eventually, but in the meantime if someone else is able to apply the patch and make any required changes to get it working then it can be tested, rather than waiting for me to learn what I need to learn to test it myself.

Comment 26 by artt fixes problems for me as well. Connecting to a Cisco here...

can't apt-get source vpnc

Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to find a source package for vpnc

<b>my /etc/apt/source.list</b>
deb http://us.archive.ubuntu.com/ubuntu feisty universe
deb http://wine.budgetdedicated.com/apt feisty main
deb http://th.archive.ubuntu.com/ubuntu/ feisty main restricted
deb-src http://th.archive.ubuntu.com/ubuntu/ feisty main restricted

## Major bug fix updates produced after the final release of the
## distribution.
deb http://th.archive.ubuntu.com/ubuntu/ feisty-updates main restricted
deb-src http://th.archive.ubuntu.com/ubuntu/ feisty-updates main restricted

## Uncomment the following two lines to add software from the 'universe'
## repository.
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## universe WILL NOT receive any review or updates from the Ubuntu security
## team.
# deb http://th.archive.ubuntu.com/ubuntu/ edgy universe
#deb-src http://th.archive.ubuntu.com/ubuntu/ edgy universe

## Uncomment the following two lines to add software from the 'backports'
## repository.
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
deb http://th.archive.ubuntu.com/ubuntu/ edgy-backports main restricted universe multiverse
#deb-src http://th.archive.ubuntu.com/ubuntu/ edgy-backports main restricted universe multiverse

deb http://security.ubuntu.com/ubuntu feisty-security main restricted
deb-src http://security.ubuntu.com/ubuntu feisty-security main restricted
deb http://security.ubuntu.com/ubuntu edgy-security universe
#deb-src http://security.ubuntu.com/ubuntu edgy-security universe
deb http://archive.ubuntu.com/ubuntu/ feisty-proposed restricted main multiverse universe
deb http://archive.ubuntu.com/ubuntu/ feisty-backports restricted main multiverse universe

aoyoyo, I think you need to add universe to the deb-src line, thus:

deb-src http://th.archive.ubuntu.com/ubuntu/ feisty main restricted universe

Hi James,

You have something else. I got this error.

aoyoyo@aoyoyo-laptop:/usr/src$ sudo apt-get source vpnc
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Could not open file /var/lib/apt/lists/th.archive.ubuntu.com_ubuntu_dists_feisty_universe_source_Sources - open (2 No such file or directory)

I think you have to do an

apt-get update

before you can access the repository

functioning. thanks a lot artt.

SOLUTION
https://bugs.launchpad.net/ubuntu/+source/vpnc/+bug/93413/comments/26
WORKS
even on x86_64 - just change
"sudo dpkg -i vpnc_0.4.0-2ubuntu1_i386.deb"
to
"sudo dpkg -i vpnc_0.4.0-2ubuntu1_amd64.deb"

* artt, you saved my life! :-) *

Yesterday, I upgraded from Ubuntu 6.10 to 7.04 and today I had problem to connect to internet via school's WiFi network and VPN, sice I found the solution.

It was hard to find ("to google") this solution, so here are some "key words" to help the solution:
===================
...
VPNC started in foreground...
lifetime status: 3 of 7200 seconds used, 0|0 of 0 kbytes used
...
lifetime status: 31 of 7200 seconds used, 36|15 of 0 kbytes used
dead peer detected, terminating
S7.10
S8
===================
vpnc
disconnect
dead peer detected, terminating
===================

I also concur with the results. artt's removal of the 06 patch fixes the client for me.

But doesn't removing the 06 patch completely disable DPD and some other functionality even for those devices with which it works?

Downloaded the vpnc sources and removed the 06 line as stated. I got a error trying to compile the Debian way, so I just removed the vpnc packages then just make, make install and my vpnc is now working perfectly again.

I think this is pretty serious big, and seems fairly simple to fix, at least temporarily, why is it not getting done?

thanks to all in the forum,

As of yesterday, the configuration option to disable Dead Peer Detection in vpnc is in the CVS repository for vpnc. Can we get an updated Ubuntu package soon?

If I understand DevenPhillips' last message correctly, this is no longer required, but I'm attaching the corrected, tested patch to allow disabling of Dead Peer Detection.

I have an AMD64 package available if others would like to test it.

If you wish to build your own package:

  - place this file in vpnc-0.4.0/debian/patches
  - cd vpnc-0.4.0
  - echo 09_config_disable_dpd.dpatch >> debian/patches/00list
  - sudo debian/rules binary

I'm also affected by this bug.
But I'm not yet sure how to fix it.

Disabling the 06_stolen_from_head patch disables more changes than necessary but should also work for network-manager-vpnc users.

Adding the option to disable dpd is the better fix but only useful for those using vpnc-connect. network-manager-vpnc users are left out (or at least I didn't find a option to specify additional parameters).

I think there are two issues here -- the first, that DPD doesn't work in some circumstances, can be worked around with the ability to disable DPD in those circumstances. In fact perhaps it should be disabled by default so that those with appliances with which DPD would cause problems get the better experience, i.e. not getting disconnected after a few seconds, by default. If their appliance supports DPD, they can always enable it, then disable it again if it doesn't work. The correct solution is to fix the DPD feature in VPNC, but since details are currently sparse on what causes the problem, the option to enable/disable DPD is a useful middle ground.

The second issue is that if this option is added to vpnc, network-manager-vpnc won't support it. I think that needs to be filed as a separate bug against network-manager-vpnc if and when the feature makes it into vpnc proper. Perhaps the network manager plugin architecture needs to be able to auto-sense available options for its VPN plugins in some way. Either way, I think network manager's lack of support for certain options is a network manager problem and should be filed there. I'm not familiar with the network manager code, but then I'm not familiar with the vpnc code either. I'd be willing to take a look and see if we can help improve vpnc in this way. I, like many users I expect, prefer the convenience of connecting to the VPN via the network manager applet and I think it gives a better user experience.

Comment 26 result to me.

If you will try don't forget to install dpatch if get an error when do sudo debina/rules binary

Thanks m8

This should be fixed because now we have always update manager ask for update...

Fix this please

James,

I opened a new bug report (Bug #112406) on the second (UI) part. However, fixing this will presumably take up some time.

This issue, though, should be fixed real soon now (tm), since it renders network-manager-vpnc useless for many business (here, ma'am) users useless.

I propose to raise the importance one level. Please add the upstream dpatch to finally solve this irritating problem.

Hi,

Comment 26 fixes for me also- Ubuntu 7.04 2.6.20-15-generic.

FYI, I'm now using network-manager-vpnc and ran into this issue: https://bugs.launchpad.net/ubuntu/+source/network-manager-vpnc/+bug/92570. The new .deb supplied in comment 19 has both fixed (worked-around) my dead-peer-detection issue and has fixed the network-manager-vpnc issue in bug report; I haven't yet established if the issuer of the .deb in comment 19 has also commented out "06_stolen_from_head" from 00list.

Just realised that I was taling rubbish in my previous post!

To confirm: steps in comment 26 above fixes/works-around my dead peer detection issue when connecting to a PIX 515E.

Bug: https://bugs.launchpad.net/ubuntu/+source/network-manager-vpnc/+bug/92570 is totally unrelated and the new .deb supplied in comment #19 of that bug report fixes an issue in package network-manager-vpnc and not package vpnc.

I would only add that in order to prevent Update manager from ranting about upgrding vpnc after following advice in 26 , just dowload the deb (it can be found in /var/cache/apt/archives after install or reinstall, extract it using dpkg-deb -x int a Directory, extract its control files by dpkg-deb -e, put created directory called DEBIAN into Directory, alter (change version to omthing higher than is currently in ubuntu, the best is t oraise the last number by one, or ad a dot and then 1, I think) file called control in DEBIAN directory and build the package with dpkg-deb -b. Then install it. At least that worked for me.

OK folks, how do we need to move forward on this?

  - Firstly, should the patch I submitted be "reversed" so that DPD disabled is the default behaviour and users can enable DPD by using an "Enable Dead Peer Detection" config option?

  - I guess whichever way it goes I'll need to edit documentation to describe the new option.

  - Do I need to just attach the dpatch file, as I have done, or do I need to attach a new .diff.gz for the package?

  - Do I need to submit it to Debian instead?

  - Do I need to upload a working .deb?

Since we now have a working fix for this problem, it would be good to get it committed so we can start to look at the issue of supporting the new options from network-manager-vpnc.

I connect to a pix, in windows i need cisco vpn client, now in ubuntu and the reverse thing (post 26) solve my connection problem

Now everything works great. I vote too go back :D

I vote that we implement the patch to be able to disable DPD. The patch is
currently available in the repository for vpnc. I think this is the best
solution. Unfortunately, as mentioned in previous posts, this breaks
compatibility with the graphical tools. Personally, I think that going
forward is a better step than backward.

Deven

On 5/8/07, Panda_N_Shark <email address hidden> wrote:
>
> I connect to a pix, in windows i need cisco vpn client, now in ubuntu
> and the reverse thing (post 26) solve my connection problem
>
> Now everything works great. I vote too go back :D
>
> --
> vpnc dead peer detection disconnects immediately
> https://bugs.launchpad.net/bugs/93413
> You received this bug notification because you are a direct subscriber
> of the bug.
>

@DevenPhillips

I only think that people with need to connect to universities connect throw a pix, and to do that i think the solution in post 26 is the best, or solve the problem that new patch create, because graphical is more easy to new commers to ubuntu.

Just my 2 cents.

Also, the broken code should be rather fixed upstream, disabling it during compiling is only a workaround, not a solution. I would also call for downgrading for the reasons mentioned above (plus the pacakge is tested - however, we need to look if there were any bugs solved by 3.3>4.0 upgrade in Ubuntu.)

Panda_N_Shark said:

> I only think that people with need to connect to universities
> connect throw a pix,

I disagree. I know more people who connect to business networks through PIX appliances than University networks. The technology is equally applicable in either situation.

> and to do that i think the solution in post 26 is the best,

I still feel, as Deven Phillips neatly summarised, that this would be a step backward. I'm not sure if it breaks compatibility with network-manager-vpnc or if network-manager-vpnc just doesn't support the new config option -- I haven't checked, although I suspect the latter -- but either way I would suggest that this would be a bug in network-manager-vpnc rather than in vpnc itself.

> or solve the problem that new patch create, because graphical is more
> easy to new commers to ubuntu.

Agreed, and this is the reason Bug #112406 was opened by Alexander Papaspyrou. However, there's little point working towards implementing UI support for a new feature in vpnc if that feature is never going to be implemented.

TomasHnyk said 53 minutes ago: (permalink)

> Also, the broken code should be rather fixed upstream,

Agreed, but I'm not involved with the upstream project (can someone point me at their home page and CVS?) and not familiar with how Ubuntu patches are propagated upstream. I'm new to all of this. I seem to remember seeing in changelogs that patches have been applied at the Ubuntu level, then later reverted when the upstream project has applied them. Maybe that is what needs to happen here, I don't know -- hence my questions above.

> disabling it
> during compiling is only a workaround, not a solution.

Absolutely agreed, which is why I submitted the patch for the config option. Technically, IMO, this is still a work-around but a cleaner solution than disabling DPD for everyone.

> I would also call
> for downgrading for the reasons mentioned above (plus the pacakge is
> tested - however, we need to look if there were any bugs solved by
> 3.3>4.0 upgrade in Ubuntu.)

Not bug fixes as such, but:

  * New upstream release
    + GNU/kFreeBSD related fixes (closes: #400740)
    + Supports phase2 rekeying (closes: #411108)
    + auto-creating /var/run/vpnc (closes: #403783)
  * Old config handling extensions replaced with wrappers to upstream
    vpnc-script function variables which are declared official now
    (closes: #399131)
  * more connect/shutdown hooks (closes: #366257)
  * not depending on iproute, though old extensions may not work without it
    but users are warned in that case (closes: #393848)

I'd suggest that there are enough feature enhancements in there to support sticking with the current version, which was considered good enough for release with Feisty.

I'm not just pushing this solution because I want to see my patch included, I have nothing to lose by its rejection, I just think it's the best solution so far proposed.

James,

I second that. On purpose, I left the description of the newly opened network-manager-vpnc bug open as open can. I think this config stuff should handled in a more general way by the UI part and its plugins, and not by vpnc itself.

And yes, it might happen that certain config options are not available in the gui, albeit included in the underlying command line tool. I'm pretty sure that this happens not only here. However, I don't see a real problem for vpnc here.

I would suggest to disable it DPD until a UI config option is available, regardless when this will be the case. Rendering vpnc useless for many people just for the sake of UI consistency doesn't sound sensible to me.

This is also reported in Debian (I added the link)

As for the development, they know about it, from their website (http://www.unix-ag.uni-kl.de/~massar/vpnc/) "Known Bugs vpnc looses connection with some targets, even before the rekey-timer expires most probably due bugs with keepalive, dead-peer-detection or something else..."

There is also a development mailing list, http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/
This bugreport gets mentioned at least twice there: http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2007-April/001474.html and
http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2007-April/001470.html
but it does not seem to get really much attention.

This http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2007-April/001498.html seems to be a patch that does the same as James Tait's, but I am no coder so I cannot tell. If they do the same, I guess it would be better to use that rather than yours, could you please look at it (and if it is different, try ti submit it there, so that everybody can benefit from it, not just Ubuntu)

Now, there is a lot of new features so downgrading is not an option. However, I think that applying the patch is too much hassle, since it needs changes in other package (network-manager-vpnc) as well. And even if it were fixed there, how should people know they need to disable DPD? I think that it will be much easier to just revert the 06_stolen_from_head.dpatch to get this repaired for Feisty. We now only need someone (probably from MOTU) with enough privileges to push this further, I am afraid.

The vpnc patch pointed out by TomasHnyk (thanks for the pointers!) is actually a better solution than I'd proposed -- allowing users to configure the DPD timeout with a default value of 300 seconds, rather than a hard-coded timeout. Setting the timeout to 0 disables DPD. Much cleaner.

I wonder if that could be rolled into the 06_stolen_from_head.dpatch since that is where the DPD code from HEAD is included in the Ubuntu package. I may well take a look at that this afternoon if I get the time. Incorporating such a change into network-manager-vpnc should be relatively trivial.

This https://wiki.ubuntu.com/MOTU/SRU documents the procedure to get an bug-fix into a stable release. There are three possible conditions of which at least one needs to be met in order to commit a bug-fix. For this, "Bugs which represent severe regressions from the previous release of Ubuntu" might apply. I do not know how great a percentage of users of vpnc is affected, but since this bug get comments from 10+ people affected, I think this condition is met.

From what I understand, this also mean that the bug open for network-manager-vpnc will not get fixed for Feisty. For Gutsy it could be solved if upstream commited the changes (or if someone else wrote a patch that would be merged with Gutsy's version of the package) but I am afraid they would (and I think correctly) say that this needs to be solved in vpnc itself so I doubt they would add the configuration option.
Therefore, I think the best way to solve this (until it gets "properly" solved in upstream) is to revert the patch (06_stolen_from_head) (actually, an ideal would be if someone reviewed the patch and removed only those parts that directly cause this bug).

Well, now, according to the procedure, a MOTU is needed for agreeing with the fix.

For Gutsy, this wil hopefully get included as well, but there is time for that at least until August 16th, the https://wiki.ubuntu.com/UpstreamVersionFreeze.

I consulted #ubuntu-motu and merged the upstream change referenced above. The only change I made was to set the DPD idle timeout to 0 by default, to disable DPD unless explicitly set by the user. This means users don't get disconnected by DPD as the default behaviour.

great, so, will it get in Feisty, then? If any testing is needed, let me know.

Thanks for the debdiff James.

I've removed the unrelated change to vpnc-script from the dpatch and added a comment about the changed default value for --dpd-idle to the changelog.

I've uploaded it then to feisty-proposed and gutsy. It should appear in feisty-proposed in a few days. I'll announce when it's in feisty-proposed and can be tested.

I think I should clarify my previous, probably too brief, comment.

I asked on #ubuntu-motu for guidance on how to proceed with this ticket. It was agreed that 06_stolen_from_head.dpatch was too large to back out, so the http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2007-April/001498.html patch (r170) was applied and added to debian/patches as 09_dpd_timer_disable.dpatch, with a small change to set the DPD idle timeout default value to "0" for reasons already explained.

TomasHnyk said on 2007-05-12:

> great, so, will it get in Feisty, then? If any testing is needed, let me know.

Michael Bienia has uploaded it to feisty-proposed, so my understanding is that yes, it will eventually get into Feisty.

Michael Bienia said on 2007-05-13:

> Thanks for the debdiff James.

No problem, thanks for talking me through the process and doing the SRU.

> I've removed the unrelated change to vpnc-script from the dpatch and
> added a comment about the changed default value for --dpd-idle to the
> changelog.

Yes, thanks for that. I guess it was getting late when I glanced over the debdiff and I completely missed the vpnc-script change. FWIW, I'm still running the package with that change in, with no ill effects, but I'm really not sure what it does so I agree with the decision to back it out. Thanks for updating the changelog as well -- I knew I was forgetting something!

hm, there is nothing (as of now) in proposed: http://archive.ubuntu.com/ubuntu/dists/feisty-proposed/universe/binary-i386/Packages.gz

Accepted into feisty-proposed. Please go ahead with testing and update the bug tasks and their status for gutsy and feisty (See https://wiki.ubuntu.com/MOTU/SRU).

I see the new version in Gutsy, but not in feisty-proposed. I'm hoping this will automatically happen by setting the status to Fix Committed as per https://wiki.ubuntu.com/MOTU/SRU.

The new package is now available for testing from feisty-proposed.

Please comment if the proposed package works for you or not.

Tested now with vpnc-0.4.0-2ubuntu1.1. The dead peer problem is fixed but my connection has died twice after approx. 20 minutes. I will try to revert to version 0.3.3+SVN to see if it is stable there.

Works for me in Feisty.

Problem solve for me.

Ubuntu feisty connect to a pix

Thanks

The problem with 20 minutes was not related, I had the same problem in 0.3.3+SVN. Fix is OK.

Works for me, at least as much as I can say after 1,5 hour long testing.

I've unsubscribed ubuntu-universe-sponsors, as no further Ubuntu uploads are currently required for this bug. If an alternate solution requires sponsorship in the future, please resubscribe. Thank you.

The fixed package works for me too.

The package has been available a week for testing and I count (including me) 5 "works for me" and no regressions. This should be enough to get the package moved to feisty-updates.
Thanks for the testing.

Copied to feisty-updates.

Just another confirmation: works for me.
Kubuntu 7.04 amd64
vpnc 0.4.0-2ubuntu1.1
It has been the best version so far.
The previous version 0.4.0-2ubuntu1 disconnected in a minute.
vpnc in Dapper and Edgy disconnected in 10-15 minutes.
Current version does not disconnect - I have tested it for 40 minutes.

I'm trying out the suggestion posted here:

https://bugs.launchpad.net/ubuntu/+source/vpnc/+bug/93413/comments/26

I must be missing a package. When I try this step:

sudo debian/rules binary

I get the following output:

dh_testdir
# Add here commands to compile the package.
/usr/bin/make
make[1]: libgcrypt-config: Command not found
make[1]: Entering directory `/usr/src/vpnc-0.4.0'
gcc -W -Wall -O0 -Wmissing-declarations -Wwrite-strings -g -DVERSION=\"0.4.0\" -c -o tunip.o tunip.c
tunip.c:84:20: error: gcrypt.h: No such file or directory
In file included from vpnc.h:24,
                 from tunip.c:87:
tunip.h:42: error: expected specifier-qualifier-list before ‘gcry_cipher_hd_t’
tunip.c: In function ‘encap_rawip_recv’:
tunip.c:189: error: ‘struct ike_sa’ has no member named ‘buf’
tunip.c:190: error: ‘struct ike_sa’ has no member named ‘buflen’
tunip.c:191: error: ‘struct ike_sa’ has no member named ‘bufpayload’
tunip.c:192: error: ‘struct ike_sa’ has no member named ‘bufsize’
tunip.c: In function ‘encap_udp_recv’:
tunip.c:218: error: ‘struct ike_sa’ has no member named ‘buf’
tunip.c:219: error: ‘struct ike_sa’ has no member named ‘buflen’
tunip.c:220: error: ‘struct ike_sa’ has no member named ‘bufpayload’
tunip.c:221: error: ‘struct ike_sa’ has no member named ‘bufsize’
tunip.c: In function ‘encap_any_decap’:
tunip.c:230: error: ‘struct ike_sa’ has no member named ‘buflen’
tunip.c:230: error: ‘struct ike_sa’ has no member named ‘bufpayload’
tunip.c:230: error: ‘struct ike_sa’ has no member named ‘var_header_size’
tunip.c:231: error: ‘struct ike_sa’ has no member named ‘buf’
tunip.c:231: error: ‘struct ike_sa’ has no member named ‘bufpayload’
tunip.c:231: error: ‘struct ike_sa’ has no member named ‘var_header_size’
tunip.c:232: error: ‘struct ike_sa’ has no member named ‘buflen’
tunip.c: In function ‘tun_send_ip’:
tunip.c:245: error: ‘struct ike_sa’ has no member named ‘buf’
tunip.c:246: error: ‘struct ike_sa’ has no member named ‘buflen’
tunip.c:254: error: ‘struct ike_sa’ has no member named ‘buf’
tunip.c: In function ‘hmac_compute’:
tunip.c:283: error: ‘gcry_md_hd_t’ undeclared (first use in this function)
tunip.c:283: error: (Each undeclared identifier is reported only once
tunip.c:283: error: for each function it appears in.)
tunip.c:283: error: expected ‘;’ before ‘md_ctx’
tunip.c:289: warning: implicit declaration of function ‘gcry_md_open’
tunip.c:289: error: ‘md_ctx’ undeclared (first use in this function)
tunip.c:289: error: ‘GCRY_MD_FLAG_HMAC’ undeclared (first use in this function)
tunip.c:291: warning: implicit declaration of function ‘gcry_md_setkey’
tunip.c:293: warning: implicit declaration of function ‘gcry_md_write’
tunip.c:294: warning: implicit declaration of function ‘gcry_md_final’
tunip.c:295: warning: implicit declaration of function ‘gcry_md_read’
tunip.c:295: warning: assignment makes pointer from integer without a cast
tunip.c:304: warning: implicit declaration of function ‘gcry_md_close’
tunip.c: In function ‘encap_esp_encapsulate’:
tunip.c:328: error: ‘struct ike_sa’ has no member named ‘buflen’
tunip.c:328: error: ‘struct ike_sa’ has no member named ‘var_header_size’
tunip.c:328: error: ‘struct ike_sa’ has ...

Alarik Myrin
Why don't you just use the updated package? It should be in feisty-updates by now.

Ah yes, there it is, thank you.

Alarik

The fix works.

Only want to point out that for some reason by default feisty-updates was not enabled (this is a clean install of 7.04 AMD64)

I had to enable it in Synaptic / Settings / Repositories in the "Updates" tab

I think I had to do the same think, though I do not remember since I tweaked the sources.list by hand anyway.

Could you please fill this as another bug? Search if it has not been reported before though. It might be by design but that would be strange since that would mean we do not trust our own updates...

I filed bug 119248 for the "feisty-updates not enabled by default"
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/119248

Hate to say but I still get the "no response from target" message with 0.4.0ubuntu1.1 (yes I'm sure it's 1.1 and not 1).
Downgraded to 0.3.3 and it is working fine.
(then I upgraded back to 0.4.0-1.1 which failed again, and then back to 0.3.3 which worked fine)

(sorry, I'm a sort of newbie and couldn't find any log file)

tanas: do you ever connect? If not, you are probably not facing this bug.
If you indeed connect and disconnect exactly after 30 seconds, you probably are facing this bug - but that should not be possible, heh:-).

I was indeed connected with 0.3.3.
vpnc said I was connected;
During the connection I checked my IP, and it was no longer the one I had before, but the IP from the VPN Server I was connected to;
I was able to connect to online services that depend on the vpn connection (intranet for instance);

With 0.4.0 I get the "no response" message after 14 or 15 seconds (not 30... possibly a new bug?) after I entered the password

Are you trying from the command line? Do you ever get an IP from the VPN server? (with current version)

Yep, from the command line (sudo vpnc-connect)

I dont know if I get the VPN server IP.. just have 15 seconds to
check.. Is there any way to check that?

well, the simplest probably is to open another gnome-terminal and periodically run ifconfig - if you do not see something there, it is unlikely you are dealing with this bug (open anoter bug, maybe try to go upstream first - link to vpnc mailing list is somewhere above)

Uhm, I am behind a firewall, so ifconfig just gives the usual 192.168...
I tried a more primitive method: connecting with vpnc during a download. The download rate never decreased (which I guess it would if I were connected to the vpn server).
So I guess it is indeed a new bug

thanks anyway!

it does not matter if you are behind a firewall, vpn gives you a new IP address anyway. a new interface called tun or tap is created usually.

Sorry, I meant behind a router.
I tried my primitive test (downloading while connecting) using 0.3.3
and the download was interrupted immediately after introducing the
login.

On 25/06/07, TomasHnyk <email address hidden> wrote:
> it does not matter if you are behind a firewall, vpn gives you a new IP
> address anyway. a new interface called tun or tap is created usually.
>
> --
> vpnc dead peer detection disconnects immediately
> https://bugs.launchpad.net/bugs/93413
> You received this bug notification because you are a direct subscriber
> of the bug.
>

I'm having this problem (disconnecting after 30s) with up-to-date feisty with feisty-updates in use.

It is fixed in version vpnc-0.4.0-2ubuntu1.1 (notice the .1 at the end)

Go to Synaptic and check what version is it that you have installed and what version is available for install.

Also check your repositories list.

I guess that message was just intended for Lynoure, because I have the
problem with the 1.1 package as well (but not with the 0.3.3)

On 06/07/07, ih <email address hidden> wrote:
> It is fixed in version vpnc-0.4.0-2ubuntu1.1 (notice the .1 at the end)
>
> Go to Synaptic and check what version is it that you have installed and
> what version is available for install.
>
> Also check your repositories list.
>
> --
> vpnc dead peer detection disconnects immediately
> https://bugs.launchpad.net/bugs/93413
> You received this bug notification because you are a direct subscriber
> of the bug.
>

Hmm... Maybe it's a different problem or manifestation of said problem.

I definitely had the problem and it was definitely fixed for me with the 1.1 release (of 0.4). I am using it pretty much every day for extended periods of time. I had only one case when conenctivity disappeared, but network manager was still showing me as connected.

I can second tanas's experience. Connection break-down after about 30 seconds with the lates vpnc, but not with 0.3.3

I am so sorry for the report above. On a clean Feisty installation
(same computer, same server) I was able to connect using vpnc
0.4.0ubuntu1.1 to my Cisco VPN Server.
I can however garantee that the problem I had before (also with
feisty) was consistent: 0.4.0-1.1 didn't work but 0.3.3 did. I tried
several times, totally removing ("Complete removal" option on
synaptics) everything related to vpnc between different attempts.

I have the same problem with 0.4.0ubunutu1.1 . It connects fine and is alive for sometime but disconnects suddenly without any notification. Here is the debug output
---------------------------------------------------------------------------
length: 0014
d.doi: 00000001 (ISAKMP_DOI_IPSEC)
d.protocol: 03 (ISAKMP_IPSEC_PROTO_IPSEC_ESP)
d.spi_length: 04
d.num_spi: 0002
d.spi: de42663b
d.spi: 2d7d6df3
DONE PARSING PAYLOAD type: 0c (ISAKMP_PAYLOAD_D)
PARSING PAYLOAD type: 0c (ISAKMP_PAYLOAD_D)
next_type: 00 (ISAKMP_PAYLOAD_NONE)
length: 001c
d.doi: 00000001 (ISAKMP_DOI_IPSEC)
d.protocol: 01 (ISAKMP_IPSEC_PROTO_ISAKMP)
d.spi_length: 10
d.num_spi: 0001
d.spi: d71ee671 b4ba9d01 41a8f878 11098722
DONE PARSING PAYLOAD type: 0c (ISAKMP_PAYLOAD_D)
PARSING PAYLOAD type: 00 (ISAKMP_PAYLOAD_NONE)
PARSE_OK

NAT-T mode, adding non-esp marker
S8
--------------------------------------

Any suggestions

Try fooling with the value for --dpd-idle

  --dpd-idle <0,10-86400>
  DPD idle timeout (our side) <0,10-86400>
      Send DPD packet after not receiving anything for <idle> seconds.
      Use 0 to disable DPD completely (both ways).
    Default: 300

i.e.

In your config file have the line:

DPD idle timeout (our side) 0

(to disable it)

how to do this with network-manager-vpnc?

For network-manager-vpnc you can either patch the program:

--- nm-vpnc-service.c.org 2008-05-01 21:40:38.000000000 +0200
+++ nm-vpnc-service.c 2008-05-01 20:58:24.000000000 +0200
@@ -379,6 +379,8 @@ static gint nm_vpnc_start_vpnc_binary (N
  g_ptr_array_add (vpnc_argv, (gpointer) (*vpnc_binary));
  g_ptr_array_add (vpnc_argv, (gpointer) "--non-inter");
  g_ptr_array_add (vpnc_argv, (gpointer) "--no-detach");
+ g_ptr_array_add (vpnc_argv, (gpointer) "--dpd-idle");
+ g_ptr_array_add (vpnc_argv, (gpointer) "0");
  g_ptr_array_add (vpnc_argv, (gpointer) "-");
  g_ptr_array_add (vpnc_argv, NULL);

or (simpler but possibly less flexible) replace /usr/bin/vpnc with a short script which adds --dpd-idle 0 to the command line. I took the former approach, you can make up the latter...

da isses nimm option 2.

am besten du speicherst ein kleines script in /usr/local/bin ab

etwa der art:
#!/bin/bash
sudo vpnc-disconnect
sudo vpnc-connect outside --dpd-idle 0

knarf schrieb:
> For network-manager-vpnc you can either patch the program:
>
> --- nm-vpnc-service.c.org 2008-05-01 21:40:38.000000000 +0200
> +++ nm-vpnc-service.c 2008-05-01 20:58:24.000000000 +0200
> @@ -379,6 +379,8 @@ static gint nm_vpnc_start_vpnc_binary (N
> g_ptr_array_add (vpnc_argv, (gpointer) (*vpnc_binary));
> g_ptr_array_add (vpnc_argv, (gpointer) "--non-inter");
> g_ptr_array_add (vpnc_argv, (gpointer) "--no-detach");
> + g_ptr_array_add (vpnc_argv, (gpointer) "--dpd-idle");
> + g_ptr_array_add (vpnc_argv, (gpointer) "0");
> g_ptr_array_add (vpnc_argv, (gpointer) "-");
> g_ptr_array_add (vpnc_argv, NULL);
>
> or (simpler but possibly less flexible) replace /usr/bin/vpnc with a
> short script which adds --dpd-idle 0 to the command line. I took the
> former approach, you can make up the latter...
>
>

a more logical aproach:

mv /usr/sbin/vpnc /usr/sbin/vpnc2
vi /usr/sbin/vpnc #new file with content:

#!/bin/bash
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
cat | /usr/sbin/vpnc2 --non-inter --no-detach --dpd-idle 0 -

chmod +x /usr/sbin/vpnc

A similar aproach, I used that work whit kvpnc is:

sudo mv /usr/sbin/vpnc /usr/sbin/vpnc2
sudo nano /usr/sbin/vpnc

Put this lines in file:
#!/bin/bash --dpd-idle 0 $*

sudo chmod +x /usr/sbin/vpnc

It is a similar solution, but don't hang kvpnc.

Excuse me, i lost same thing:

A similar aproach, I used that work whit kvpnc is:

sudo mv /usr/sbin/vpnc /usr/sbin/vpnc2
sudo nano /usr/sbin/vpnc

Put this lines in file:
#!/bin/bash
/usr/sbin/vpnc2 --dpd-idle 0 $*

sudo chmod +x /usr/sbin/vpnc

It is a similar solution, but don't hang kvpnc.

With Hardy (8.04) and KVPNC from the repository I was experiencing a similar problem.

I could get connected with our Cisco VPN, but then after a few seconds the connection would go down and shortly after that would not reconnect until I Quit KVPNC.

I played around with some timing and in Network/General I noticed the Use connection status check and that the interval was initially set to a relatively small value (I think it was 5 or 10). This happened to be the same interval that I was seeing the failure from the ping being sent out

After turning on level 3 logging I noticed that the failure was tied to a "ping" message being sent out. The message was error: Ping to IPAddr within 1 checks every 5s has been failed!

I then kicked the interval up to 20 seconds, and I could now stay connected for 20 seconds! But every 20 seconds it would report failure, drop the connection and reconnect. But in this case it appeared that it did not get into the state where I would have to quit KVPNC and restart it in order to connect again.

For good measure I changed the interval to 40 seconds, and now every 40 seconds it reports the Ping failure, drops the connection and reconnects.

So, next I disabled the connection status check to test and see what would happen.

Now the connection has been up for over 42 Minutes (not seconds) and as far as I can see the connection is still fine and dandy. I can function via ssh and also a fish:// session in Konqueror for browsing and copying files.

Has anyone seen this problem (with the Ping used to do the connection status check failing), and if so did you find a solution to the problem? If not, and you are having regular drops of the connection you might want to try disabling the connection status check and see if that makes a difference.

Of course I would like to have the connection status check working, but disabling the connection status check at least appears to allow me to use KVPNC to access my work network for the moment.

I should also note that I have had this problem with Kubuntu 7.04 before but never had the time to ferret out what might be going on, and I had a build of the Cisco Linux VPN client that I could use on 7.04.

OK, What I suspected (and kind of confirmed) was that whatever is being used as the address to ping when the connection status check is enabled but the specific IP address is unchecked doesn't work in all cases.

To test my theory I turned the connection status check back on, also checked the use specific address and entered an IP address of a machine behind the VPN that I knew I could ping.

That worked for 5+ hours yesterday, and for over an hour today. Then I started to get failures and again (K)VPNC was doing auto retries and got into a mode where it would not see the network without Quiting KVPNC and restarting it. Then it was fine for a few minutes and repeated. I expect that the machine behind the VPN was unable to respond to the ping request in a timely fashion. Since I turned off the connection status check again no problems with the connection going down.

But I wanted to report that it appears that you need to use the specific IP address option with the connection status check if you are having a similar problem. Now to find a machine behind the VPN that doesn't get bogged down, or increase the timeout for the ping test if that is possible.

Burt