On Thu, Sep 20, 2007 at 11:24:27PM -0500, Aaron Hsu wrote:
> I have not really had the time to follow the vpnc porting efforts lately, but 
> I believe I recalled someone mentioning that vpnc failed to maintain a 
> connection? I wanted to report that I experience the same thing, where vpnc 
> just stops forwarding connections or something. I can kill vpnc and restart 
> it, and this works, but then eventually, that stops working and I have to 
> reconfigure the network devices, and then start vpnc again.
> 
> I cannot tell whether this is caused by my University's VPN or not. :-/
> 
> Are there any problems still outstanding?

I've been running this patch for 3 weeks in production for a connection to a
client. It is much better than the 3.3.0 in ports.
I still get disconnects, but now the process terminates. In the old
version the process was not terminated and just stopped forwarding packets.
IMHO it is also much more stable.

the patch attached also runs on amd64.

It seems that the network configuration script has issues restoring the
routing table if more than 1 IP address is assigned to an interface.

i think someone can commit this port.

thomas
diff -r -N /usr/ports/security/vpnc/Makefile 
/usr/ports/mystuff/security/vpnc/Makefile
5,6c5,6
< DISTNAME=             vpnc-0.3.3
< PKGNAME=              ${DISTNAME}p1
---
> DISTNAME=             vpnc-0.5.1
> PKGNAME=              ${DISTNAME}
24a25,29
> CFLAGS=                       -O3
> .if ${MACHINE_ARCH} == "amd64"
> CFLAGS=               -O0
> .endif
> 
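Review bot: `CFLAGS= -O0` for amd64 is added with no comment saying why; turning optimisation off on one architecture usually means the optimised build misbehaves there, and that is worth recording so the underlying cause gets tracked instead of hidden. Add a line above the `.if`, e.g. `# XXX amd64 needs -O0 with vpnc-0.5.1 (reason not yet identified)`. Note also that a plain `CFLAGS=` assignment replaces whatever the ports framework already set rather than extending it; if that is not the intent, `CFLAGS+=` keeps the framework's flags.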
27a33
>       @sed -e "s,%%PREFIX%%,${PREFIX},g" ${FILESDIR}/split.sh > 
> ${WRKBUILD}/split.sh
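Review bot: The `sed -e "s,%%PREFIX%%,${PREFIX},g"` step has nothing to substitute: the new `files/split.sh` (next file in this diff) contains no `%%PREFIX%%` token, while the path it does hard-code, `. /etc/vpnc/vpnc-script`, is left untouched. Since PLIST installs the sample under `${SYSCONFDIR}/vpnc`, the script should source `%%SYSCONFDIR%%/vpnc/vpnc-script` and this rule should substitute that instead, e.g. `@sed -e "s,%%SYSCONFDIR%%,${SYSCONFDIR},g" ${FILESDIR}/split.sh > ${WRKBUILD}/split.sh`. The same hard-coded `/etc/vpnc/split.sh` path appears in the commented `#Script` line added to vpnc.conf in patch-vpnc_conf.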
35a42
>       ${INSTALL_DATA} ${WRKBUILD}/split.sh ${PREFIX}/share/examples/vpnc
diff -r -N /usr/ports/security/vpnc/distinfo 
/usr/ports/mystuff/security/vpnc/distinfo
1,5c1,5
< MD5 (vpnc-0.3.3.tar.gz) = 51GM/yEyb+frl5W2DCWuag==
< RMD160 (vpnc-0.3.3.tar.gz) = /8sin7jKwY+NbeoOZ/iM7EIPMdo=
< SHA1 (vpnc-0.3.3.tar.gz) = lVWeHFsfS8eNwaC5+V4aLWWoTAo=
< SHA256 (vpnc-0.3.3.tar.gz) = vkqOh7BEy5k0nnHmh5RGc53VN9veE+mexhgX7WdgW9c=
< SIZE (vpnc-0.3.3.tar.gz) = 59939
---
> MD5 (vpnc-0.5.1.tar.gz) = eo6U2+lPOaT9ibcuASX2bw==
> RMD160 (vpnc-0.5.1.tar.gz) = dt1aOji9IQnPjh+62F4nYuhImDI=
> SHA1 (vpnc-0.5.1.tar.gz) = 78cdugOqQJRa815LB02Z+SL/f/0=
> SHA256 (vpnc-0.5.1.tar.gz) = 9jZgvQILvmo56OtnrWDFTXGQRsYZimg0Nx0JiUf5ou0=
> SIZE (vpnc-0.5.1.tar.gz) = 91496
diff -r -N /usr/ports/security/vpnc/files/split.sh 
/usr/ports/mystuff/security/vpnc/files/split.sh
0a1,19
> #!/bin/sh
> 
> # this effectively disables changes to /etc/resolv.conf
> INTERNAL_IP4_DNS=
> 
> # This sets up split networking regardless
> # of the concentrators specifications.
> # You can add as many routes as you want,
> # but you must set the counter $CISCO_SPLIT_INC
> # accordingly
> CISCO_SPLIT_INC=1
> CISCO_SPLIT_INC_0_ADDR=10.0.0.0
> CISCO_SPLIT_INC_0_MASK=255.255.0.0
> CISCO_SPLIT_INC_0_MASKLEN=16
> CISCO_SPLIT_INC_0_PROTOCOL=0
> CISCO_SPLIT_INC_0_SPORT=0
> CISCO_SPLIT_INC_0_DPORT=0
> 
> . /etc/vpnc/vpnc-script
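Review bot: `INTERNAL_IP4_DNS=` does more than the comment above it says: vpnc-script also derives per-nameserver host routes from that variable (the `for i in $INTERNAL_IP4_DNS` loops are visible in the removed patch-vpnc-script text further down), so clearing it drops those /32 routes as well as the resolv.conf update, and lookups against the concentrator's nameservers then follow whatever the split routes allow. Either state that in the comment, e.g. `# empty INTERNAL_IP4_DNS: leaves resolv.conf alone AND adds no host routes to the pushed nameservers`, or keep the variable and override only the resolv.conf step. A one-line header saying this file is a sample to be copied and edited would also help, since the 10.0.0.0/16 route is site-specific.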
diff -r -N /usr/ports/security/vpnc/patches/patch-Makefile 
/usr/ports/mystuff/security/vpnc/patches/patch-Makefile
2,6c2,6
< --- Makefile.orig     Sun May  1 22:30:35 2005
< +++ Makefile  Fri Nov  4 00:03:54 2005
< @@ -22,9 +22,9 @@ ETCDIR=/etc/vpnc
<  SBINDIR=$(PREFIX)/sbin
<  MANDIR=$(PREFIX)/share/man
---
> --- Makefile.orig     Thu Sep  6 16:05:15 2007
> +++ Makefile  Wed Sep 19 06:05:20 2007
> @@ -49,12 +49,9 @@ RELEASE_VERSION := $(shell cat VERSION)
>  #OPENSSL_GPL_VIOLATION = -DOPENSSL_GPL_VIOLATION
>  #OPENSSLLIBS = -lcrypto
9,13c9,16
< -CFLAGS=-W -Wall -O -g '-DVERSION="$(shell cat VERSION)"' $(shell 
libgcrypt-config --cflags)
< -LDFLAGS=-g $(shell libgcrypt-config --libs)
< +CC?=gcc
< +CFLAGS+=-W -Wall '-DVERSION="$(shell cat VERSION)"' $(shell libgcrypt-config 
--cflags)
< +LDFLAGS+=$(shell libgcrypt-config --libs)
---
> -CFLAGS ?= -O3 -g
> -CFLAGS += -W -Wall -Wmissing-declarations -Wwrite-strings
> -CFLAGS +=  $(shell libgcrypt-config --cflags)
> +CC ?= gcc
> +CFLAGS += -W -Wall '-DVERSION="$(shell cat VERSION)"' $(shell 
> libgcrypt-config --cflags)
>  CPPFLAGS += -DVERSION=\"$(VERSION)\" $(OPENSSL_GPL_VIOLATION)
> -LDFLAGS ?= -g
>  LDFLAGS += $(shell libgcrypt-config --libs) $(OPENSSLLIBS)
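Review bot: The new `+CFLAGS += -W -Wall '-DVERSION="$(shell cat VERSION)"' ...` line re-adds a `-DVERSION` definition to CFLAGS although the unchanged `CPPFLAGS += -DVERSION=\"$(VERSION)\"` line two lines below already defines it, so the compiler sees VERSION defined twice on the command line (a redefinition warning, or an error if the two expansions ever differ), and it silently drops the `-Wmissing-declarations -Wwrite-strings` that upstream 0.5.1 turns on. Suggested line: `+CFLAGS += -W -Wall -Wmissing-declarations -Wwrite-strings $(shell libgcrypt-config --cflags)`. Dropping upstream's `-O3 -g` and `-g` defaults is fine for a package build, but deserves a one-line note in the patch header.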
15,16c18
<  ifeq ($(shell uname -s), Linux)
<  SYSDEP=sysdep-linux.o
---
>  ifeq ($(shell uname -s), SunOS)
diff -r -N /usr/ports/security/vpnc/patches/patch-tunip_c 
/usr/ports/mystuff/security/vpnc/patches/patch-tunip_c
1,21d0
< $OpenBSD: patch-tunip_c,v 1.3 2005/11/11 19:38:07 sturm Exp $
< --- tunip.c.orig      Thu May  5 12:25:00 2005
< +++ tunip.c   Fri Nov  4 00:09:30 2005
< @@ -436,7 +436,7 @@ int update_sa_addr(struct sa_desc *p)
<       if (new_addr.sin_addr.s_addr != p->source.sin_addr.s_addr) {
<               char addr1[16];
<               p->source.sin_addr = new_addr.sin_addr;
< -             strcpy(addr1, inet_ntoa(p->dest.sin_addr));
< +             strlcpy(addr1, inet_ntoa(p->dest.sin_addr), sizeof(addr1));
<               syslog(LOG_NOTICE,
<                       "local address for %s is %s", addr1, 
inet_ntoa(p->source.sin_addr));
<               return 1;
< @@ -844,7 +844,7 @@ static void vpnc_main_loop(struct peer_d
<                               || from.sin_addr.s_addr != 
peer->remote_sa->dest.sin_addr.s_addr) {
<                               /* remote end changed address */
<                               char addr1[16];
< -                             strcpy(addr1, 
inet_ntoa(peer->remote_sa->dest.sin_addr));
< +                             strlcpy(addr1, 
inet_ntoa(peer->remote_sa->dest.sin_addr), sizeof(addr1));
<                               syslog(LOG_NOTICE,
<                                       "spi %u: remote address changed from %s 
to %s",
<                                       peer->remote_sa->spi, addr1, 
inet_ntoa(from.sin_addr));
diff -r -N /usr/ports/security/vpnc/patches/patch-vpnc-script 
/usr/ports/mystuff/security/vpnc/patches/patch-vpnc-script
2,6c2,4
< --- vpnc-script.orig  Thu Nov  3 23:39:23 2005
< +++ vpnc-script       Thu Nov  3 23:51:02 2005
< @@ -70,7 +70,7 @@ do_ifconfig() {
<       ifconfig "$TUNDEV" inet "$INTERNAL_IP4_ADDRESS" $ifconfig_syntax_ptp 
"$INTERNAL_IP4_ADDRESS" netmask 255.255.255.255 mtu 1412 up
<  }
---
> --- vpnc-script.orig  Thu Sep  6 22:05:15 2007
> +++ vpnc-script       Thu Sep 13 21:53:21 2007
> @@ -108,7 +108,7 @@ destroy_tun_device() {
7a6,7
>  # =========== route handling ====================================
>  
11c11
<               sed 's/cache//;s/metric[0-9]\+ [0-9]\+//g'
---
>               sed 's/cache//;s/metric \?[0-9]\+ [0-9]\+//g;s/hoplimit 
> [0-9]\+//g'
13,64c13,26
< @@ -117,7 +117,11 @@ if [ -n "$IPROUTE" ]; then
<       }
<  else
<       get_default_gw() {
< -             netstat -r -n | grep '^0.0.0.0' | awk '{print $2}'
< +             if [ "$OS" = "OpenBSD" ]; then
< +                     netstat -r -n | grep '^default' | awk '{print $2}'
< +             else
< +                     netstat -r -n | grep '^0.0.0.0' | awk '{print $2}'
< +             fi
<       }
<       
<       set_vpngateway_route() {
< @@ -215,15 +219,21 @@ do_connect() {
<               echo "$CISCO_BANNER" | while read LINE ; do echo "|" "$LINE" ; 
done
<               echo
<       fi
< -     
< +
< +     if [ ! -d /var/run/vpnc ]; then
< +             mkdir /var/run/vpnc || exit $?
< +     fi
< +
<       do_ifconfig
<       set_vpngateway_route
<       if [ -n "$CISCO_SPLIT_INC" ]; then
< -             for ((i = 0 ; i < CISCO_SPLIT_INC ; i++ )) ; do
< +             i=0
< +             while [ $i -lt $CISCO_SPLIT_INC ]; do
<                       eval NETWORK="\${CISCO_SPLIT_INC_${i}_ADDR}"
<                       eval NETMASK="\${CISCO_SPLIT_INC_${i}_MASK}"
<                       eval NETMASKLEN="\${CISCO_SPLIT_INC_${i}_MASKLEN}"
<                       set_network_route "$NETWORK" "$NETMASK" "$NETMASKLEN"
< +                     i=`expr $i + 1`
<               done
<               for i in $INTERNAL_IP4_DNS ; do
<                       set_network_route "$i" "255.255.255.255" "32"
< @@ -239,11 +249,13 @@ do_connect() {
<  
<  do_disconnect() {
<       if [ -n "$CISCO_SPLIT_INC" ]; then
< -             for ((i = 0 ; i < CISCO_SPLIT_INC ; i++ )) ; do
< +             i=0
< +             while [ $i -lt $CISCO_SPLIT_INC ]; do
<                       eval NETWORK="\${CISCO_SPLIT_INC_${i}_ADDR}"
<                       eval NETMASK="\${CISCO_SPLIT_INC_${i}_MASK}"
<                       eval NETMASKLEN="\${CISCO_SPLIT_INC_${i}_MASKLEN}"
<                       del_network_route "$NETWORK" "$NETMASK" "$NETMASKLEN"
< +                     i=`expr $i + 1`
<               done
<               for i in $INTERNAL_IP4_DNS ; do
<                       del_network_route "$i" "255.255.255.255" "32"
---
> @@ -195,6 +195,13 @@ else # use route command
>               case "$OS" in
>               Linux|NetBSD) # and probably others...
>                       # routes are deleted automatically on device shutdown
> +                     return
> +                     ;;
> +             OpenBSD)
> +                     # delete only routes that are present
> +                     if [ `route -n get $1|grep $2|wc -l` -ne 0 ]; then
> +                             route $route_syntax_del -net "$NETWORK" 
> $route_syntax_netmask "$NETMASK" $route_syntax_gw "$INTERNAL_IP4_ADDRESS"
> +                     fi
>                       return
>                       ;;
>               esac
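Review bot: The new OpenBSD branch mixes its inputs: the presence test uses the positional parameters `$1`/`$2`, but the `route ... del` that follows uses `$NETWORK`/`$NETMASK`; if, as in the upstream vpnc-script, those are only assigned after this `case` (the rest of del_network_route is outside the hunk), they hold whatever the caller left in them — right for the split routes set via eval in do_disconnect, but stale for the `del_network_route "$i" "255.255.255.255" "32"` nameserver calls, which would then try to delete the previous network's route. Use the parameters in both places and quote them: `if route -n get "$1" 2>/dev/null | grep -q "$2"; then` and `route $route_syntax_del -net "$1" $route_syntax_netmask "$2" $route_syntax_gw "$INTERNAL_IP4_ADDRESS"`. This may be related to the routing-table restoration problem mentioned in the mail. The port-local fixes this file drops (`grep '^default'` in get_default_gw for OpenBSD netstat output, and creating /var/run/vpnc before use) should be confirmed as present in upstream 0.5.1's vpnc-script before they go.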
diff -r -N /usr/ports/security/vpnc/patches/patch-vpnc_c 
/usr/ports/mystuff/security/vpnc/patches/patch-vpnc_c
2,4c2,4
< --- vpnc.c.orig       Fri Nov  4 00:09:49 2005
< +++ vpnc.c    Fri Nov  4 00:11:03 2005
< @@ -196,10 +196,11 @@ static void addenv(const void *name, con
---
> --- vpnc.c.orig       Mon Sep 10 15:39:48 2007
> +++ vpnc.c    Wed Sep 12 16:47:27 2007
> @@ -159,10 +159,11 @@ static void addenv(const void *name, const char *value
diff -r -N /usr/ports/security/vpnc/patches/patch-vpnc_conf 
/usr/ports/mystuff/security/vpnc/patches/patch-vpnc_conf
0a1,10
> $OpenBSD$
> --- vpnc.conf.orig    Thu Sep 13 22:40:00 2007
> +++ vpnc.conf Thu Sep 13 22:39:04 2007
> @@ -4,3 +4,6 @@ IPSec secret <group-psk>
>  IKE Authmode hybrid
>  Xauth username <username>
>  Xauth password <password>
> +
> +# run script to manipulate dns and routing settings
> +#Script /etc/vpnc/split.sh
diff -r -N /usr/ports/security/vpnc/pkg/PLIST 
/usr/ports/mystuff/security/vpnc/pkg/PLIST
10a11,13
> share/examples/vpnc/split.sh
> @mode 0755
> @sample ${SYSCONFDIR}/vpnc/split.sh
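Review bot: `@mode 0755` is never reset after the `@sample` line, so it stays in effect for every entry that follows in the existing PLIST (not visible here) and those files would be installed executable. The usual pattern is to close it with a bare `@mode` line directly after `@sample ${SYSCONFDIR}/vpnc/split.sh`. Also confirm the intended modes: the copy under share/examples is installed with INSTALL_DATA (0644) in the Makefile hunk, while the `@sample` copy becomes 0755, which is fine only if the sysconfdir copy is the one meant to be executed.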
