vpnc and determining correct routes



Hiho,

My university uses Cisco Concentrators for VPN which I connect to using
vpnc. There are basically two different kinds of VPN connections to my
university, a "split network" and a full VPN, with the latter setting
the default route to the VPN gateway and the former only routing traffic
to the university's network through the VPN and leaving the default
route untouched. This works perfectly when invoking vpnc from the
command line. vpnc automatically determines the correct routes that it
gets from the concentrator (at least I suspect that the concentrator
provides this info as there are no routes specified in the profile files).
However, when connecting to the VPN using NM's vpnc plugin, it always
sets the default route to the VPN, no matter if I chose the full profile
or the "split net" profile. I have to explicitly configure NM so that it
only routes connections to a specific IP network through the VPN gateway
("Only use VPN connection for these addresses" in VPN config dialog).
As vpnc itself states not to set any routes, I tried to figure out how
the routes are set when invoking vpnc directly. In current versions of
vpnc, there is a shell script called vpnc-script which is executed by
vpnc after the tunnel has been set up. Before the script is executed,
vpnc changes the environment for the script, passing it variables that
make it possible to determine which routes should be set.
I'd like to have this functionality in NM's vpnc plugin, as I imagine
that people who want to "just use"[tm] NM without digging up configs and
asking their operators might want to have the correct routes set by
default (well, at least I want them to be set by default :-)).
To get the routing information from vpnc, I see two options:
1. Let the vpnc plugin create a temporary shell script that gets called
by vpnc in the same way vpnc-script is called and let this script make
the variables available in a more flexible manner (file containing config
in /var/run, fifos or the like).
2. Hack vpnc to export the desired information not only to child
processes, but also via dbus, files in /var/run or something similar.

Personally, I don't like either solution very much. The first would treat
vpnc more as a black box, however. A third solution (would be 1.5, to be
exact) would be not to write a shell script with all its portability
restrictions but a real C program that also could export the options via
dbus. In vpnc, the script is invoked by a call to system(). Using a C
program would not be nice, but it would enable us to provide a usable
interface to NM/the plugin.
Have there been any thoughts regarding this issue or does anyone know a
way to get vpnc's environment to get the information directly without
the above hacks?


Regards,
Thomas

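A sketch of option 1 from the message above, as an added example that is not part of the original post and is not code from vpnc or NetworkManager: a hook run in place of vpnc-script that records the pushed routes in a file instead of applying them. The variable names (`reason`, `TUNDEV`, `VPNGATEWAY`, `CISCO_SPLIT_INC`, `CISCO_SPLIT_INC_%d_ADDR`, `CISCO_SPLIT_INC_%d_MASKLEN`) are the ones documented in vpnc-script's header comments; the output path, `VPNC_ROUTE_FILE` and the key=value format are assumptions. Since the values originate from the remote concentrator, each one is validated before it is written.

```shell
#!/bin/sh
# Added example hook, run by vpnc in place of vpnc-script. It changes no
# routes; it only records what the concentrator pushed for a consumer to read.

# Accept only dotted-quad IPv4 with octets 0-255.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Accept only a prefix length 0-32.
valid_masklen() {
    case "$1" in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$1" -le 32 ]
}

# Print key=value lines; fail if any value from the environment is malformed.
vpnc_route_config() {
    n=${CISCO_SPLIT_INC:-0}
    case "$n" in *[!0-9]*|?????*) return 1 ;; esac
    case "${TUNDEV-}" in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    valid_ipv4 "${VPNGATEWAY-}" || return 1
    printf 'tundev=%s\ngateway=%s\n' "$TUNDEV" "$VPNGATEWAY"
    if [ "$n" -eq 0 ]; then echo 'mode=full'; return 0; fi   # no split list
    echo 'mode=split'
    i=0
    while [ "$i" -lt "$n" ]; do
        eval "addr=\${CISCO_SPLIT_INC_${i}_ADDR-} len=\${CISCO_SPLIT_INC_${i}_MASKLEN-}"
        valid_ipv4 "$addr" && valid_masklen "$len" || return 1
        printf 'route=%s/%s\n' "$addr" "$len"
        i=$((i + 1))
    done
}

# Write to a 0600 temp file (mktemp) and rename, so readers never see a
# partial or rejected configuration.
write_route_config() {
    tmp=$(mktemp "$1.XXXXXX") || return 1
    if vpnc_route_config > "$tmp"; then mv -f "$tmp" "$1"
    else rm -f "$tmp"; return 1; fi
}

# Hypothetical output path; vpnc sets $reason to "connect" once the tunnel is up.
if [ "${reason-}" = connect ]; then
    write_route_config "${VPNC_ROUTE_FILE:-/var/run/vpnc-routes.conf}"
fi
```

A consumer can tell the two profiles apart by the `mode=` line: `full` means no split list was pushed, `split` is followed by one `route=` line per network.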


