potential juniper/network-manager issue
Cameron
cam at neo-zeon.de
Fri Dec 18 09:37:58 PST 2015
Hello,
Recently, we switched to a new juniper server with new settings and ran
into an issue. I don't know which setting(s) are different as this box
is not my responsibility.
While I was able to connect and authenticate with the juniper server
100% of the time, I was unable to do anything else 95% of the time. tun0
was up, and it certainly seemed like I was connected, but I couldn't
reach anything.
I found that the juniper VPN still worked 100% of the time on both a
Debian server and a FreeBSD server that I have, but not any of my
desktop linux systems... I was finally able to determine that the
difference was in the routing table. Adding that route manually caused
the VPN to finally work for me again.
The missing route in question:
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 tun0
By putting debugging statements into the vpnc-script, I finally
determined that the route was being added, and then was almost always
being removed almost immediately after the route was added. I determined
that no code in the vpnc-script was responsible for removing the route.
I finally took a guess that maybe it was network-manager. I stopped the
network-manager service, and my routing table was correct every time I
connected to the juniper VPN.
However, leaving network-manager off for me was not really a solution.
As a superior workaround, I created a post connect hook
'/etc/vpnc/post-connect.d/replace' with the following contents:
/sbin/ip route replace default dev tun0
(don't forget to chmod +x this script).
I don't think anything can be done for openconnect to address this issue
as it seems to be on the network-manager side, but I thought I'd share
this in case anyone else runs into this. I also suspect that this isn't
specific to openconnect's juniper functionality.
Thanks!
-Cameron
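A fuller version of the post-connect hook described above, added here as an example and not Cameron's own script: it only re-adds the default route when a parse of `ip route show` finds it missing, then re-checks a moment later so a route that NetworkManager removes again lands in syslog instead of failing silently. It assumes the standard vpnc-script environment, `$TUNDEV` for the tunnel device and `$reason` for the hook phase; the two route dumps are constructed samples.

```shell
#!/bin/sh
# Example post-connect hook (not from the original post): keep the default
# route on the tunnel device alive after openconnect's vpnc-script connects.
# Assumes vpnc-script's exported variables: $TUNDEV (e.g. tun0) and $reason.

# Return 0 if the `ip route show` dump on stdin has a default route via DEV.
# Pure text parsing so it can be exercised against a constructed sample.
has_default_route_on() {
    dev="$1"
    grep -E "^default .*dev ${dev}( |$)" >/dev/null
}

# Constructed sample: the state from the post, default route already gone.
SAMPLE_ROUTES_MISSING='10.0.0.0/24 dev tun0 proto kernel scope link src 10.0.0.5
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20'

# Constructed sample: the same table with the tun0 default route present.
SAMPLE_ROUTES_OK='default dev tun0 scope link
10.0.0.0/24 dev tun0 proto kernel scope link src 10.0.0.5
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20'

# ensure_default_route DEV [WAIT_SECONDS]
# Issue the replace only when the route is missing, then verify it survived
# WAIT_SECONDS so a second removal is logged rather than going unnoticed.
ensure_default_route() {
    dev="$1"; wait="${2:-2}"
    if ip route show | has_default_route_on "$dev"; then
        return 0
    fi
    logger -t vpnc-hook "default route via $dev missing after connect; restoring"
    /sbin/ip route replace default dev "$dev" || return 1
    sleep "$wait"
    if ! ip route show | has_default_route_on "$dev"; then
        logger -t vpnc-hook "default route via $dev removed again within ${wait}s"
        return 2
    fi
}

# Act only on a fresh connection; vpnc-script sets $reason for each phase.
if [ "${reason:-}" = "connect" ] && [ -n "${TUNDEV:-}" ]; then
    ensure_default_route "$TUNDEV"
fi
```

Install it as /etc/vpnc/post-connect.d/replace and chmod +x it, as in the original workaround; the return code 2 path is what tells you the route is still being stripped after the hook ran.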