Re: vpnc and determining correct routes

On Tue, 2006-10-24 at 11:07 -0400, Derek Atkins wrote:
> Dan Williams <dcbw redhat com> writes:
> 
> >> That's not true.  SplitDNS works just fine in 0.6; the problem
> >> is that vpnc doesn't pass the "additional DNS options" out, and
> >> NM can't override it, so there's no way to add "additional"
> >> SplitDNS domains to the configuration.
> >
> > Ok; maybe it does work, but I was under the strong impression that we
> > would have to do more to support this in a non-hackish manner.  AFAIK
> > the code blows away the current named configuration (if you're using a
> > caching nameserver) and writes the VPN configuration in wholesale, so
> > you lose your local network DNS config.
> 
> It does, but when the VPN goes away I do get my local configuration
> back.  At least this is true in /etc/resolv.conf.
> 
> > What's supposed to happen is:
> >
> > 1) NM gets the local DNS information (server, searches) from DHCP
> > 2) NM gets the VPN DNS information (server, searches) from the VPN
> > server/concentrator
> 
> This latter step is problematic because vpnc doesn't export this
> information (at least the "searches" list is not exported properly
> from vpnc).
> 
> > 3) NM sends the "default" zone to named with the local DNS information
> > 4) NM sends an "overlay" zone to named which specifies that the VPN dns
> > server is supposed to be used for each zone from the VPN searches list
> >
> > The overlay stuff was never implemented in NM, and split DNS certainly
> > doesn't work with the glibc resolver unless I'm gravely mistaken,
> > because the glibc resolver doesn't have a rich enough /etc/resolv.conf
> > format nor the code to support different DNS servers for specific
> > searches.
> >
> > In the end, what we _should_ be allowed to do, is to route *.redhat.com
> > over the Red Hat VPN server-provided nameserver, and everything else to
> > my local DHCP-provided nameserver.
> 
> That makes sense...  My problem is that I want to route *.redhat.com
> over the Red Hat VPN but vpnc is telling me that my domain is
> corp.redhat.com; so only *.corp.redhat.com is being routed over
> the VPN.
> 
> I haven't been able to figure out how to capture the vpnc debug output
> to try to figure out if this information is actually being sent down
> or not.  Because if it IS then I can modify VPNC to export it.
> Although I also didn't notice (in NM 0.6.x) where I could set the DNS
> Domain Search list in the dbus API.

The NM vpnc bits should check for CISCO_DEF_DOMAIN.  There isn't a UI
option to override that yet, though likely there should be.  Some admins
don't set that.

Dan

> Do you know if nm-vpnc-service is eating the vpnc debug output?
> 
> > Dan
> 
> -derek
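As an added example (not code from this thread, NetworkManager, or vpnc), the following POSIX shell sketch shows the merge the thread argues for: read the VPN-provided domain from CISCO_DEF_DOMAIN (the variable Dan names above), allow a hypothetical VPN_EXTRA_SEARCH override for the "additional domains" case where an admin did not set it, and append the result to the DHCP-provided search list instead of replacing it. The nameserver addresses and search domains in the test are constructed sample values. The limitation the thread states still applies: a plain resolv.conf cannot say which nameserver answers for which domain, so this only merges lists and orders nameservers; real split DNS needs a local caching resolver with per-zone forwarding.

```shell
#!/bin/sh
# Added example, not part of the original thread or of NetworkManager/vpnc.
# Assumes vpnc exports CISCO_DEF_DOMAIN; VPN_EXTRA_SEARCH is a hypothetical
# user-supplied override for VPN domains the concentrator does not announce.

# Print the search domains the VPN should cover: the announced default
# domain, then any extra domains the user configured. Empty when neither
# is set, which is the "some admins don't set that" case.
vpn_search_domains() {
    printf '%s\n' "${CISCO_DEF_DOMAIN:-} ${VPN_EXTRA_SEARCH:-}"
}

# merge_search_list LOCAL_SEARCH VPN_DOMAINS
# Emit one deduplicated, space-separated search list with the VPN domains
# first (so VPN-internal short names win) and the local DHCP domains kept.
merge_search_list() {
    local_search=$1
    vpn_domains=$2
    out=""
    for d in $vpn_domains $local_search; do
        case " $out " in
            *" $d "*) ;;                 # already present, skip duplicate
            *) out="$out $d" ;;
        esac
    done
    printf '%s\n' "${out# }"             # strip the leading space
}

# build_resolv_conf LOCAL_NS LOCAL_SEARCH VPN_NS VPN_DOMAINS
# Write resolv.conf contents that keep the local nameserver and search list
# rather than overwriting them. The VPN nameserver is listed first because
# glibc tries nameservers in order; it cannot route by domain.
build_resolv_conf() {
    local_ns=$1
    local_search=$2
    vpn_ns=$3
    vpn_domains=$4
    search=$(merge_search_list "$local_search" "$vpn_domains")
    if [ -n "$vpn_ns" ]; then
        printf 'nameserver %s\n' "$vpn_ns"
    fi
    printf 'nameserver %s\n' "$local_ns"
    if [ -n "$search" ]; then
        printf 'search %s\n' "$search"
    fi
}

# Usage from a vpnc-script hook (illustrative; the hook would also need to
# save the pre-VPN file so it can be restored when the tunnel goes down):
#   build_resolv_conf "$LOCAL_NS" "$LOCAL_SEARCH" "$INTERNAL_IP4_DNS" \
#       "$(vpn_search_domains)" > /etc/resolv.conf
```

Running the merge with a local list of `home.lan example.org` and a VPN domain of `corp.redhat.com` yields `corp.redhat.com home.lan example.org`; with CISCO_DEF_DOMAIN unset and no override, the local list passes through unchanged.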
