[vpnc-devel] SPAM-LOW: Re: Alternate routes

Tomas Kopal Tomas.Kopal at eccam.com
Mon Feb 4 19:52:30 CET 2008


Hello Bryan,

On 4.2.2008 18:40, Bryan Stevenson wrote:
> I don't have a vpnc.conf file in /etc/vpnc.....but I did create one and
> tried it with 2 times....each with a different line
>
> Try 1 the file contents were:
> Script /etc/vpnc/local-setup
>
> 2nd try:
> /etc/vpnc/local-setup
>
>   
Well, vpnc can be started in two ways, either you provide all the 
connection details as parameters on the command line, or you provide a 
configuration file with all the details. The /etc/vpnc/vpnc.conf is (one 
of) default places where parameters are taken from if not specified 
otherwise. You may or may not have this file, depending on how you run vpnc.
>> look something like:
>>
>> #!/bin/sh
>> # This is a wrapper for the vpnc-script overriding some variables needed
>> # for my local VPN connection
>>
>> # this effectively disables changes to /etc/resolv.conf
>> INTERNAL_IP4_DNS=
>>
>> # This sets up split networking regardless of the concentrators
>> # specifications.
>> # You can add as many routes as you want, but you must set the counter
>> # $CISCO_SPLIT_INC accordingly
>> CISCO_SPLIT_INC=1
>> CISCO_SPLIT_INC_0_ADDR=aaa.aaa.aaa.aaa
>> CISCO_SPLIT_INC_0_MASK=bbb.bbb.bbb.bbb
>> CISCO_SPLIT_INC_0_MASKLEN=cc
>> CISCO_SPLIT_INC_0_PROTOCOL=0
>> CISCO_SPLIT_INC_0_SPORT=0
>> CISCO_SPLIT_INC_0_DPORT=0
>>
>> # run the original script
>> . /etc/vpnc/vpnc-script
>>
>> Change the aaa.aaa.aaa.aaa to the IP address of the network behind the
>> VPN (e.g. 192.168.0.0), bbb.bbb.bbb.bbb is the netmask of the network
>> behind VPN (e.g. 255.255.0.0) and cc is the length of the netmask
>> (number of valid bits in the network address, e.g. 16 in this case).
>>
>> Hope this helps.
>>
>> Tomas
>>     
>
> When connected to the VPN, the destination IP was : 192.197.150.122
> So I used 192.197.150.0 for CISCO_SPLIT_INC_0_ADDR (as the first 3
> octets matter and the last can change)
>
> the netmask was 255.255.255.255 so I used 255.255.255.0 (same reason as
> above)
>
> For CISCO_SPLIT_INC_0_MASKLEN I used 24 (for the first 3 octets).
>
> There was no noticeable change in VPN behavior...still unable to send
> mail when connected.
>
>   
You can't just look at the interface and use what you find there. The IP 
address/mask corresponds to the network you are connecting to, not the 
interface you are using to connect. For the correct network address you 
should ask network administrator of the VPN server you are connecting to.
In short, if you want to access let's say IP addresses 192.197.148.1 to 
192.197.151.255 over the VPN and the rest using your normal internet 
connection, then you would use network address 192.197.148.0 as a 
network address and 255.255.252.0 as a netmask and 22 as netmask length.
You can compute it as:
 - netmask length is the biggest number of bits which are common to all 
IP addresses you want to access over the VPN.
 - IP network address is all the common bits of all IP addresses accessed 
over VPN (i.e. netmask length bits) with the rest of the bits zeroed out
 - netmask is netmask length number of bits set to 1 and the rest set to 0

Please read up some documents about IP addressing and routing (e.g. 
http://tldp.org/LDP/nag2/x-087-2-issues.routing.html) how all this works.

> BTW I set the chmod for the local-setup and vpnc.conf files to 755
>
>   
The conf file does not have to have execute bit set, it's a config file. 
But the script should be...

> I should mention that I am using KVPNC 0.90 with VPNC 0.40-3ubuntu2
>
> So I suppose it's possible that script alterations made by KVPNC could
> be effecting things??
>   

I am not using KVPNC, so I can't help here. But the fact that you don't 
have /etc/vpnc/vpnc.conf seems to indicate that kvpnc is using a different 
way to configure vpnc, I would guess command line parameters.
As kvpnc is probably not even using the "standard" vpnc startup scripts, 
the described configuration won't work for you without some heavy 
tweaking, which would be hard to get right. It would probably be best if 
you find the "kvpnc" way of doing split networking; my description is 
for invoking vpnc directly from shell.


Regards

Tomas
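As an added example (not part of the original mail or of vpnc itself), the following Python script carries out the three-step computation described above: it finds the longest prefix common to every address that should go over the VPN, zeroes the remaining bits to get the network address, derives the netmask, and then renders the CISCO_SPLIT_INC_* assignments in the form the wrapper script expects, including the CISCO_SPLIT_INC counter for multiple routes. The address ranges used as input are the ones from the mail (192.197.148.1 to 192.197.151.255) plus a constructed second range; the function names are my own.

```python
import ipaddress


def summarize_prefix(addresses):
    """Return (network_address, netmask, prefix_len) for the smallest
    prefix that covers every address in the list.

    prefix_len is the number of leading bits shared by all addresses,
    the network address is those bits with the rest zeroed, and the
    netmask has exactly prefix_len one-bits followed by zeros.
    """
    if not addresses:
        raise ValueError("need at least one address")
    ints = [int(ipaddress.IPv4Address(a)) for a in addresses]
    first = ints[0]
    prefix_len = 32
    for other in ints[1:]:
        # The highest differing bit bounds the common prefix length.
        diff = first ^ other
        common = 32 - diff.bit_length()
        prefix_len = min(prefix_len, common)
    net = ipaddress.IPv4Network((first, prefix_len), strict=False)
    return str(net.network_address), str(net.netmask), prefix_len


def render_split_includes(address_groups):
    """Render CISCO_SPLIT_INC=N plus one CISCO_SPLIT_INC_i_* block per
    group, as the wrapper script above sets them by hand."""
    lines = [f"CISCO_SPLIT_INC={len(address_groups)}"]
    for i, group in enumerate(address_groups):
        addr, mask, plen = summarize_prefix(group)
        lines += [
            f"CISCO_SPLIT_INC_{i}_ADDR={addr}",
            f"CISCO_SPLIT_INC_{i}_MASK={mask}",
            f"CISCO_SPLIT_INC_{i}_MASKLEN={plen}",
            f"CISCO_SPLIT_INC_{i}_PROTOCOL=0",
            f"CISCO_SPLIT_INC_{i}_SPORT=0",
            f"CISCO_SPLIT_INC_{i}_DPORT=0",
        ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Range from the mail: everything from 192.197.148.1 to 192.197.151.255
    # over the VPN -> 192.197.148.0 / 255.255.252.0 / 22.
    vpn_range = ["192.197.148.1", "192.197.151.255"]
    # Constructed second range (assumption, not from the mail).
    other_range = ["10.20.0.1", "10.20.0.200"]
    print(summarize_prefix(vpn_range))
    print(render_split_includes([vpn_range, other_range]))
    # Summarizing only the interface address, as in the quoted attempt,
    # yields a /32 that covers nothing but that one host.
    print(summarize_prefix(["192.197.150.122"]))
```

Feeding the tunnel interface's own address into summarize_prefix shows why that attempt cannot work: a single address has no bits to generalize over, so the result is a host route, not the network behind the VPN.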


