Re: vpnc and determining correct routes
On Mon, 2006-10-23 at 15:01 +0200, Stefan Schmidt wrote:
> Hello.
> 
> On Mon, 2006-10-23 at 11:48, Thomas Liebetraut wrote:
> > 
> > My university uses Cisco Concentrators for VPN which I connect to using
> > vpnc.
> 
> Same university, network department. :)
> 
> > vpnc automatically determines the correct routes that it
> > gets from the concentrator (at least I suspect that the concentrator
> > provides this info as there are no routes specified in the profile files).
> 
> Right, Cisco VPN pushes them out to the clients. Because of this, I
> would prefer to let vpnc push the routes via dbus and let nm decide
> how to handle them. Perhaps somebody would like to overwrite this
> route given by his company.

Right; there's a proliferation of options here.  We have a few
situations:

- Admins route all traffic through VPN, user wishes to override (vpnc
plugin already handles this case)

- Admins push split networks, but user wishes to override one or more

What's needed here is an extension of the current routing preferences.
We likely need two lists, one for "route only these netblocks over the
VPN explicitly" and a second for "never route these netblocks over the
VPN".

The next problem is split DNS; do people care about that?  Ideally we
only query the VPN nameservers for names in a certain domain (passed
vpnc as CISCO_DEF_DOMAIN).  Sometimes though, admins don't push the
default domain and you have to manually fill it in for a split network
setup.  But that requires using named as a local caching nameserver,
which people, for some inconceivable reason, are very vocally against.
So right now all DNS queries go over the VPN.

So basically, we have to modify the user interface to:

- Add a "Never route these over VPN" entry
- Add an "Override default domain name" entry
- Modify the vpnc service daemon to push split networks to NM
- Make NM do split DNS if requested

This stuff won't get into 0.6.4, but I'd certainly accept patches for
0.7/HEAD.  If I could find time to work on it in between dbus-ifying
wpa_supplicant, the new config framework, and multiple active devices,
I'd take a look at it :)

Dan

> 
> regards
> Stefan Schmidt
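As an added example, not code from this thread or from NetworkManager or vpnc: a small Python model of the routing and DNS rules Dan sketches above. The user's "route only these netblocks" list replaces whatever the concentrator pushed; the "never route these over VPN" list always wins, and a narrower exclusion is realised as a more-specific route via the LAN gateway so that longest-prefix match keeps that traffic off the tunnel; the split-DNS decision sends a query to the VPN nameservers only when the name falls under the default domain (CISCO_DEF_DOMAIN or the user's override), and with no domain known everything goes over the VPN, as the thread describes today. The sample netblocks, the `tun0` device name and the `192.168.1.1` gateway are constructed.

```python
"""Route-merging and split-DNS policy model (added example, hypothetical)."""
import ipaddress


def _nets(cidrs):
    # Parse CIDR strings into network objects; strict=False tolerates host bits.
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def plan_routes(pushed, only_these, never_these,
                vpn_dev="tun0", lan_gw="192.168.1.1"):
    """Return the routes to install as sorted (prefix, nexthop) pairs.

    pushed:      CIDRs the concentrator pushed (split networks or 0.0.0.0/0).
    only_these:  "route only these netblocks over the VPN"; when non-empty
                 it replaces the pushed list entirely.
    never_these: "never route these netblocks over the VPN"; always wins.
    vpn_dev / lan_gw are constructed sample values.
    """
    vpn_nets = _nets(only_these) if only_these else _nets(pushed)
    exclusions = _nets(never_these)

    # An exclusion that covers a whole tunnelled netblock removes it outright.
    kept = [
        net for net in vpn_nets
        if not any(net.version == e.version and net.subnet_of(e)
                   for e in exclusions)
    ]
    routes = [(str(net), f"dev {vpn_dev}") for net in kept]

    # An exclusion narrower than a kept netblock becomes a more-specific route
    # via the LAN gateway; longest-prefix match then beats the tunnel route.
    # CIDR blocks are either nested or disjoint, so a disjoint exclusion needs
    # no route at all.
    for e in exclusions:
        if any(e.version == n.version and e != n and e.subnet_of(n)
               for n in kept):
            routes.append((str(e), f"via {lan_gw}"))
    return sorted(routes)


def ip_route_commands(routes):
    """Render the plan as the iproute2 commands a service daemon would run."""
    return [f"ip route add {prefix} {nexthop}" for prefix, nexthop in routes]


def use_vpn_nameserver(qname, def_domain):
    """Split DNS: True when the query should go to the VPN's nameservers.

    Only names at or below def_domain are sent over the tunnel. With no
    default domain known, every query goes over the VPN (current behaviour).
    """
    if not def_domain:
        return True
    q = qname.lower().rstrip(".")
    d = def_domain.lower().rstrip(".")
    return q == d or q.endswith("." + d)


if __name__ == "__main__":
    # Constructed scenario: admins push two split networks, user excludes one /16.
    plan = plan_routes(["10.0.0.0/8", "172.16.0.0/12"], [], ["10.1.0.0/16"])
    for cmd in ip_route_commands(plan):
        print(cmd)
    for name in ("host.cs.example.edu", "www.example.com"):
        print(name, "-> VPN nameserver" if use_vpn_nameserver(name, "example.edu")
              else "-> local nameserver")
```

The exclusion list is applied after the include list on purpose: a user who trusts neither the pushed routes nor their own include list for a given netblock still gets that traffic kept off the tunnel, and the resulting plan can be handed to the service daemon unchanged.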