On Wed, 2015-08-05 at 14:34 +0100, David Woodhouse wrote:
> On Wed, 2015-08-05 at 16:19 +0300, Matti Koskimies wrote:
> > Connecting using the GUI still doesn't work, although I get a lot
> > further now. Connecting and authentication works, and everything
> > looks OK in NM. The routing table looks similar to the one I get
> > using my workaround. But there's no networking unless I set the
> > setting "Use this connection only for resources on its network"
> > under "Routes" in "IPv4 Settings", but then I can connect only to
> > the same networks as without the VPN.
>
> OK, so connecting *does* work but your routes are still not right.
>
> The oddly named 'Use this connection only for resources on its
> network' option basically means "Do not set the default route". But
> you *want* the default route, so you shouldn't be setting that.
>
> Let's take a look at what's happening without that option set. You
> say that the routing table looks similar to the one you get using
> your workaround — which is promising. But you have "no networking".
> Which is ambiguous.
>
> Can you reach hosts on the VPN if you ping them by their IP address?
> Is it only DNS that isn't working? Can you show the full output of
> connecting manually with openconnect with '-v' added to the command
> line so we can see the routes and DNS it's supposed to be setting up?
> What do you have in /etc/resolv.conf when you've connected with
> NetworkManager?
Pinging doesn't work, but I don't expect it to in our network. Instead, I
used netcat for "port pinging" the ssh port:

$ nc -znvw1 172.24.38.144 22
Connection to 172.24.38.144 22 port [tcp/*] succeeded!
$

Despite this, the ssh command just hangs.

DNS works fine. /etc/resolv.conf looks like this:

# Generated by NetworkManager
search hava.x edelkey.net fujitsu.fi finland.nordic.x
nameserver 213.214.132.52
nameserver 213.214.132.53
nameserver 141.192.17.57
# NOTE: the libc resolver may not support more than 3 nameservers.
# The nameservers listed below may not be recognized.
nameserver 141.192.34.95

And here is the output of openconnect -v (I changed the hostname to
vpnhost and the domain name to domain.net in the output):

$ sudo /usr/sbin/openconnect -v --pid-file=/var/run/openconnect.pid --usergroup=$USERGROUP --user=$VPNUSER --passwd-on-stdin $SERVER <<< $PASSWORD
POST https://vpnhost.domain.net/restricted
Attempting to connect to server 141.192.6.11:443
SSL negotiation with vpnhost.domain.net
Connected to HTTPS on vpnhost.domain.net
Got HTTP response: HTTP/1.0 302 Temporary moved
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Thu, 06 Aug 2015 11:09:22 GMT
Location: /+webvpn+/index.html
Set-cookie: tg=0restricted.domain.net; path=/; secure
HTTP body length:  (0)
GET https://vpnhost.domain.net/restricted
Attempting to connect to server 141.192.6.11:443
SSL negotiation with vpnhost.domain.net
Connected to HTTPS on vpnhost.domain.net
Got HTTP response: HTTP/1.0 302 Temporary moved
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Thu, 06 Aug 2015 11:09:22 GMT
Location: /+webvpn+/index.html
Set-cookie: tg=0restricted.domain.net; path=/; secure
HTTP body length:  (0)
GET https://vpnhost.domain.net/+webvpn+/index.html
SSL negotiation with vpnhost.domain.net
Connected to HTTPS on vpnhost.domain.net
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
Please enter your username and password.
POST https://vpnhost.domain.net/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpnlogin=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn=<elided>; path=/; secure
Set-Cookie: webvpnc=bu:/CACHE/stc/&p:t&iu:1/&sh:C8331473C89261DFF59575EAFD9098B29AB802A2&m:vpngina&lu:/+CSCOT+/translation-table?textdomain%3DAnyConnect%26type%3Dmanifest&fu:profiles/restricted.xml&fh:32C99195C3547387FE7C3CF6E1DA7237F5B6E604; path=/; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Address: 141.192.170.246
X-CSTP-Netmask: 255.255.255.255
X-CSTP-DNS: 213.214.132.52
X-CSTP-DNS: 213.214.132.53
X-CSTP-NBNS: 141.192.34.95
X-CSTP-NBNS: 141.192.17.57
X-CSTP-Lease-Duration: 1209600
X-CSTP-Session-Timeout: none
X-CSTP-Idle-Timeout: 5400
X-CSTP-Disconnected-Timeout: 5400
X-CSTP-Default-Domain: domain.net
X-CSTP-Split-Exclude: 141.192.0.0/255.255.0.0
X-CSTP-Split-Exclude: 213.138.130.128/255.255.255.224
X-CSTP-Split-Exclude: 213.214.130.0/255.255.254.0
X-CSTP-Split-Exclude: 172.16.156.0/255.255.255.0
X-CSTP-Split-Exclude: 172.16.155.0/255.255.255.0
X-CSTP-Split-Exclude: 172.16.139.0/255.255.255.0
X-CSTP-Split-Exclude: 172.16.133.0/255.255.255.192
X-CSTP-Split-Exclude: 172.16.128.0/255.255.248.0
X-CSTP-Split-Exclude: 213.138.130.0/255.255.255.128
X-CSTP-Split-Exclude: 140.150.0.0/255.255.0.0
X-CSTP-Split-Exclude: 172.19.202.218/255.255.255.255
X-CSTP-Split-Exclude: 172.19.219.18/255.255.255.255
X-CSTP-Split-Exclude: 133.164.0.0/255.255.0.0
X-CSTP-Split-Exclude: 213.214.137.160/255.255.255.252
X-CSTP-Split-Exclude: 213.214.133.48/255.255.255.255
X-CSTP-Keep: true
X-CSTP-Rekey-Time: 3600
X-CSTP-Rekey-Method: new-tunnel
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-CSTP-MSIE-Proxy-PAC-URL: http://fwrap.domain.net/vpnhost.pac
X-CSTP-MSIE-Proxy-Lockdown: true
X-CSTP-Smartcard-Removal-Disconnect: true
X-DTLS-Session-ID: D8183E91DE844D1D387C04C4B5205514009A52580161E5422C260DD8BAA719EA
X-DTLS-Port: 443
X-DTLS-Keepalive: 20
X-DTLS-DPD: 30
X-DTLS-Rekey-Time: 3600
X-CSTP-MTU: 1200
X-DTLS-CipherSuite: AES128-SHA
X-CSTP-Routing-Filtering-Ignore: false
CSTP connected. DPD 30, Keepalive 20
CSTP Ciphersuite: (TLS1.0)-(RSA)-(ARCFOUR-128)-(SHA1)
DTLS option X-DTLS-Session-ID : D8183E91DE844D1D387C04C4B5205514009A52580161E5422C260DD8BAA719EA
DTLS option X-DTLS-Port : 443
DTLS option X-DTLS-Keepalive : 20
DTLS option X-DTLS-DPD : 30
DTLS option X-DTLS-Rekey-Time : 3600
DTLS option X-DTLS-CipherSuite : AES128-SHA
DTLS initialised. DPD 30, Keepalive 20
Connected tun0 as 141.192.170.246, using SSL
Send DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1).
Send DTLS Keepalive
Send CSTP Keepalive
Send DTLS DPD
Send CSTP DPD
Got DTLS DPD response
Got CSTP DPD response
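The CONNECT response above is what openconnect hands to its connect script (vpnc-script) to turn into routes and a resolv.conf. The following is an added example, not code from the thread, openconnect or NetworkManager: it parses the X-CSTP-* headers into a config, builds the route table a vpnc-script-style helper would install for a split-exclude configuration (an approximation of that script's logic, stated as such), and answers the practical question in the thread: for a given destination, does traffic go into tun0 or out the original gateway? The sample headers are a constructed subset of the ones shown above; the pre-VPN default gateway 192.0.2.1 and the device name tun0 are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample: a subset of the X-CSTP-* headers from the CONNECT
# response above (the real response carries more Split-Exclude lines).
SAMPLE_CSTP = """\
X-CSTP-Address: 141.192.170.246
X-CSTP-Netmask: 255.255.255.255
X-CSTP-DNS: 213.214.132.52
X-CSTP-DNS: 213.214.132.53
X-CSTP-NBNS: 141.192.34.95
X-CSTP-NBNS: 141.192.17.57
X-CSTP-Default-Domain: domain.net
X-CSTP-Split-Exclude: 141.192.0.0/255.255.0.0
X-CSTP-Split-Exclude: 213.214.130.0/255.255.254.0
X-CSTP-Split-Exclude: 172.16.128.0/255.255.248.0
X-CSTP-Split-Exclude: 172.19.202.218/255.255.255.255
X-CSTP-MTU: 1200
"""


@dataclass
class CstpConfig:
    address: str = ""
    netmask: str = ""
    dns: list = field(default_factory=list)
    nbns: list = field(default_factory=list)
    default_domain: str = ""
    split_include: list = field(default_factory=list)
    split_exclude: list = field(default_factory=list)
    mtu: int = 0


def parse_cstp(text):
    """Parse X-CSTP-* headers (names case-insensitive); unknown headers are ignored."""
    cfg = CstpConfig()
    for raw in text.splitlines():
        name, sep, value = raw.partition(":")
        if not sep:
            continue
        name, value = name.strip().lower(), value.strip()
        if name == "x-cstp-address":
            cfg.address = value
        elif name == "x-cstp-netmask":
            cfg.netmask = value
        elif name == "x-cstp-dns":
            cfg.dns.append(value)
        elif name == "x-cstp-nbns":
            cfg.nbns.append(value)
        elif name == "x-cstp-default-domain":
            cfg.default_domain = value
        elif name == "x-cstp-split-include":
            cfg.split_include.append(ipaddress.IPv4Network(value, strict=False))
        elif name == "x-cstp-split-exclude":
            # "addr/dotted-mask" is accepted directly by ipaddress
            cfg.split_exclude.append(ipaddress.IPv4Network(value, strict=False))
        elif name == "x-cstp-mtu":
            cfg.mtu = int(value)
    return cfg


@dataclass
class RoutePlan:
    routes: list      # (IPv4Network, next hop); next hop is a device name or a gateway IP
    warnings: list

    def route_for(self, host):
        """Longest-prefix match over the planned routes, as the kernel would do."""
        ip = ipaddress.IPv4Address(host)
        matches = [r for r in self.routes if ip in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen)[1] if matches else None


def plan_routes(cfg, vpn_gateway, orig_gateway, dev="tun0"):
    """Approximation of the routes a vpnc-script-style helper installs (assumption)."""
    # Host route for the VPN server itself, so the tunnel transport never loops into tun0.
    routes = [(ipaddress.IPv4Network(vpn_gateway + "/32"), orig_gateway)]
    if cfg.split_include:
        routes += [(net, dev) for net in cfg.split_include]
    else:
        routes.append((ipaddress.IPv4Network("0.0.0.0/0"), dev))  # no includes: default via tunnel
    warnings = []
    for net in cfg.split_exclude:
        routes.append((net, orig_gateway))
        if cfg.address and ipaddress.IPv4Address(cfg.address) in net:
            warnings.append(f"tunnel address {cfg.address} lies inside split-exclude {net}")
    plan = RoutePlan(routes, warnings)
    for ns in cfg.dns:
        if plan.route_for(ns) != dev:
            plan.warnings.append(f"DNS server {ns} is reached outside the tunnel")
    return plan


def render_resolv_conf(cfg, max_nameservers=3):
    """resolv.conf text for the config, with the same >3-nameserver note NetworkManager emits."""
    lines = ["# Generated from CSTP headers"]
    if cfg.default_domain:
        lines.append(f"search {cfg.default_domain}")
    for i, ns in enumerate(cfg.dns):
        if i == max_nameservers:
            lines.append("# NOTE: the libc resolver may not support more than 3 nameservers.")
            lines.append("# The nameservers listed below may not be recognized.")
        lines.append(f"nameserver {ns}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    cfg = parse_cstp(SAMPLE_CSTP)
    plan = plan_routes(cfg, "141.192.6.11", "192.0.2.1")
    for net, via in plan.routes:
        print(f"{str(net):24} via {via}")
    for w in plan.warnings:
        print("WARNING:", w)
    print(render_resolv_conf(cfg))
```

Run against the headers from the thread, the plan sends 172.24.38.144 (the host netcat could reach) down tun0 and sends anything in 141.192.0.0/16 out the original gateway, and it flags that the assigned tunnel address 141.192.170.246 itself falls inside that excluded /16. That is simply what the headers say, not a diagnosis of the hang; checking the planned next hop for the specific destination that fails, and comparing it with `ip route get <dst>` on the box, is the first thing to do before suspecting anything else.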