Re: vpnc and determining correct routes



Dan Williams <dcbw redhat com> writes:

>> That's not true.  SplitDNS works just fine in 0.6; the problem
>> is that vpnc doesn't pass the "additional DNS options" out, and
>> NM can't override it, so there's no way to add "additional"
>> SplitDNS domains to the configuration.
>
> Ok; maybe it does work, but I was under the strong impression that we
> would have to do more to support this in a non-hackish manner.  AFAIK
> the code blows away the current named configuration (if you're using a
> caching nameserver) and writes the VPN configuration in wholesale, so
> you lose your local network DNS config.

It does, but when the VPN goes away I do get my local configuration
back.  At least this is true in /etc/resolv.conf.

> What's supposed to happen is:
>
> 1) NM gets the local DNS information (server, searches) from DHCP
> 2) NM gets the VPN DNS information (server, searches) from the VPN
> server/concentrator

This latter step is problematic because vpnc doesn't export this
information (at least the "searches" list is not exported properly
from vpnc).

> 3) NM sends the "default" zone to named with the local DNS information
> 4) NM sends an "overlay" zone to named which specifies that the VPN dns
> server is supposed to be used for each zone from the VPN searches list
>
> The overlay stuff was never implemented in NM, and split DNS certainly
> doesn't work with the glibc resolver unless I'm gravely mistaken,
> because the glibc resolver doesn't have a rich enough /etc/resolv.conf
> format nor the code to support different DNS servers for specific
> searches.
>
> In the end, what we _should_ be allowed to do, is to route *.redhat.com
> over the Red Hat VPN server-provided nameserver, and everything else to
> my local DHCP-provided nameserver.

That makes sense...  My problem is that I want to route *.redhat.com
over the Red Hat VPN but vpnc is telling me that my domain is
corp.redhat.com; so only *.corp.redhat.com is being routed over
the VPN.

I haven't been able to figure out how to capture the vpnc debug output
to try to figure out if this information is actually being sent down
or not..  Because if it IS then I can modify VPNC to export it..
Although I also didn't notice (in NM 0.6.x) where I could set the DNS
Domain Search list in the dbus API.

Do you know if nm-vpnc-service is eating the vpnc debug output?

> Dan

-derek
-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord MIT EDU                        PGP key available
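The "default zone plus overlay zones" scheme Dan describes, modelled as an added example (this is not NetworkManager, named or vpnc code): a longest-suffix match on the overlay zones picks the nameserver, and the corp.redhat.com-only case from Derek's reply shows why an "additional" split-DNS domain is needed. The server addresses are constructed documentation addresses.

```python
"""Model of split DNS as 'default zone' + 'overlay zones'.

Added example for the thread above; not code from NM, named or vpnc.
Addresses are constructed (RFC 5737 documentation ranges).
"""
from dataclasses import dataclass, field


@dataclass
class SplitDns:
    # Default zone: the local, DHCP-provided nameservers.
    local_servers: list
    # Overlay zones: VPN search domain -> VPN-provided nameservers.
    overlays: dict = field(default_factory=dict)

    def add_overlay(self, domain, servers):
        """Register a search domain that should be answered by the VPN."""
        self.overlays[domain.strip(".").lower()] = list(servers)

    def servers_for(self, name):
        """Longest-suffix match against the overlay zones, else default."""
        labels = name.strip(".").lower().split(".")
        for i in range(len(labels)):
            zone = ".".join(labels[i:])
            if zone in self.overlays:
                return self.overlays[zone]
        return self.local_servers

    def vpn_down(self):
        """Tearing down the VPN drops the overlays; the default zone stays."""
        self.overlays.clear()


def demo():
    local = ["192.0.2.53"]       # constructed: DHCP-provided resolver
    vpn = ["198.51.100.53"]      # constructed: VPN-provided resolver
    cfg = SplitDns(local_servers=local)
    # What vpnc hands over in the thread: only corp.redhat.com.
    cfg.add_overlay("corp.redhat.com", vpn)
    only_corp = (cfg.servers_for("wiki.corp.redhat.com"),
                 cfg.servers_for("www.redhat.com"))
    # The "additional" split-DNS domain NM cannot currently inject.
    cfg.add_overlay("redhat.com", vpn)
    with_extra = (cfg.servers_for("www.redhat.com"),
                  cfg.servers_for("www.example.org"))
    cfg.vpn_down()
    after_down = cfg.servers_for("wiki.corp.redhat.com")
    return {"only_corp": only_corp, "with_extra": with_extra,
            "after_down": after_down}


if __name__ == "__main__":
    print(demo())
```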