[vpnc-devel] SPAM-LOW: Re: Alternate routes
Tomas.Kopal at eccam.com
Mon Feb 4 19:52:30 CET 2008
On 4.2.2008 18:40, Bryan Stevenson wrote:
> I don't have a vpnc.conf file in /etc/vpnc.....but I did create one and
> tried it with 2 times....each with a different line
> Try 1 the file contents were:
> Script /etc/vpnc/local-setup
> 2nd try:
Well, vpnc can be started in two ways, either you provide all the
connection details as parameters on the command line, or you provide a
configuration file with all the details. The /etc/vpnc/vpnc.conf is (one
of) default places where parameters are taken from if not specified
otherwise. You may or may not have this file, depending on how you run vpnc.
>> look something like:
>> # This is a wrapper for the vpnc-script overriding some variables
>> # for my local VPN connection
>> # this effectively disables changes to /etc/resolv.conf
>> # This sets up split networking regardless of the concentrators
>> # You can add as many routes as you want, but you must set the
>> # accordingly
>> # run the original script
>> . /etc/vpnc/vpnc-script
>> Change the aaa.aaa.aaa.aaa to the IP address of the network behind
>> VPN (e.g. 192.168.0.0), bbb.bbb.bbb.bbb is the netmask of the network
>> behind VPN (e.g. 255.255.0.0) and cc is the length of the netmask
>> (number of valid bits in the network address, e.g. 16 in this case).
>> Hope this helps.
> When connected to the VPN, the destination IP was : 184.108.40.206
> So I used 220.127.116.11 for CISCO_SPLIT_INC_0_ADDR (as the first 3
> octets matter and the last can change)
> the netmask was 255.255.255.255 so I used 255.255.255.0 (same reason as
> For CISCO_SPLIT_INC_0_MASKLEN I used 24 (for the first 3 octets).
> There was no noticeable change in VPN behavior...still unable to send
> mail when connected.
You can't just look at the interface and use what you find there. The IP
address/mask corresponds to the network you are connecting to, not the
interface you are using to connect. For the correct network address you
should ask network administrator of the VPN server you are connecting to.
In short, if you want to access let's say IP addresses 18.104.22.168 to
22.214.171.124 over the VPN and the rest using your normal internet
connection, then you would use network address 126.96.36.199 as a
network address and 255.255.252.0 as a netmask and 22 as netmask length.
You can compute it as:
- netmask length is the biggest number of bits which are common to all
IP addresses you want to access over the VPN.
- IP nework address is all the common bits of all IP addresses accessed
over VPN (i.e netmask length bits) with the rest of bits zeroed out
- netmask is netmask number of bits set to 1 and rest set to 0
Please read up some documents about IP addressing and routing (e.g.
http://tldp.org/LDP/nag2/x-087-2-issues.routing.html) how all this works.
> BTW I set the chmod for the local-setup and vpnc.conf files to 755
The conf file does not have to have execute bit set, it's a config file.
But the script should be...
> I should mention that I am using KVPNC 0.90 with VPNC 0.40-3ubuntu2
> So I suppose it's possible that script alterations made by KVPNC could
> be effecting things??
I am not using KVPNC, so I can't help here. But the fact that you don't
have /etc/vpnc/vpnc.conf seems to indicate that kvpnc is using different
way to configure vpnc, I would guess command line parameters.
As kvpnc is probably not using even the "standard" vpnc startup scripts,
the described configuration won't work for you without some heavy
tweaking, which would be hard to get right. It would be probably best if
you find the "kvpnc" way of doing split networking, my description is
for invoking vpnc directly from shell.
More information about the vpnc-devel