potential juniper/network-manager issue

Cameron cam at neo-zeon.de
Fri Dec 18 09:37:58 PST 2015


Hello,

Recently, we switched to a new juniper server with new settings and ran 
into an issue. I don't know which setting(s) are different as this box 
is not my responsibility.

While I was able to connect and authenticate with the juniper server 
100% of the time, I was unable to do anything else 95% of the time. tun0 
was up, and it certainly seemed like I was connected, but I couldn't 
reach anything.

I found that the juniper VPN still worked 100% of the time on both a 
Debian server and a FreeBSD server that I have, but not any of my 
desktop Linux systems... I was finally able to determine that the 
difference was in the routing table. Adding that route manually caused 
the VPN to finally work for me again.

The missing route in question:
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0 0        0 tun0

By putting debugging statements into the vpnc-script, I finally 
determined that the route was being added, and then was almost always 
being removed almost immediately after the route was added. I determined 
that no code in the vpnc-script was responsible for removing the route.

I finally took a guess that maybe it was network-manager. I stopped the 
network-manager service, and my routing table was correct every time I 
connected to the juniper VPN.

However, leaving network-manager off for me was not really a solution. 
As a superior workaround, I created a post-connect hook 
'/etc/vpnc/post-connect.d/replace' with the following contents:
/sbin/ip route replace default dev tun0

(don't forget to chmod +x this script).

I don't think anything can be done for openconnect to address this issue 
as it seems to be on the network-manager side, but I thought I'd share 
this in case anyone else runs into this. I also suspect that this isn't 
specific to openconnect's juniper functionality.

Thanks!

-Cameron
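As an added example (not Cameron's hook, and not code from openconnect or vpnc-script): a slightly more defensive version of the post-connect hook described above, which only re-adds the default route when it is actually missing. It assumes vpnc-script's hook conventions, namely that hooks are sourced with `TUNDEV` set to the tunnel device and `reason` set to `connect`; both names are assumptions from that convention, not from the post. The route-table check is exercised here on constructed `ip route show` output, so it runs without root.

```shell
#!/bin/sh
# Added example: a defensive post-connect hook for /etc/vpnc/post-connect.d/.
# Assumes vpnc-script's hook conventions: TUNDEV holds the tunnel device and
# reason is "connect" when the hook is sourced after the VPN comes up.

# has_default_route ROUTE_TABLE DEV
# Returns 0 if the given `ip route show` text contains a default route via DEV.
has_default_route() {
    printf '%s\n' "$1" |
        grep -Eq "^default[[:space:]]+(.*[[:space:]])?dev[[:space:]]+$2([[:space:]]|\$)"
}

# ensure_default_route DEV
# Re-adds the default route through DEV only if it is missing, so a repeated
# run (or a run where the route was left alone) changes nothing.
ensure_default_route() {
    if has_default_route "$(ip route show)" "$1"; then
        return 0
    fi
    /sbin/ip route replace default dev "$1"
}

# Constructed sample route tables (not captured from a real system).
# First: the symptom from the post, the tunnel's default route gone and only
# the uplink's default route left.
SAMPLE_MISSING='default via 192.0.2.1 dev eth0 proto dhcp metric 100
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10'
# Second: the table after `ip route replace default dev tun0`.
SAMPLE_OK='default dev tun0 scope link
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10'

# Only act when sourced by vpnc-script on a real connect; otherwise this file
# just defines the functions, so the check can be tried without privileges.
if [ "${reason:-}" = connect ]; then
    ensure_default_route "${TUNDEV:-tun0}"
fi
```

Dropped into `/etc/vpnc/post-connect.d/` this behaves like the one-line hook in the post, with the difference that it inspects the routing table first, which makes it easy to log when the route really was removed rather than replacing it unconditionally.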

More information about the openconnect-devel mailing list