[Still unresolved] Trouble connecting VPN over WiFi

oizzzo · n00b Joined: 10 Nov 2012 Posts: 12

Please someone help me.
I have Gentoo 3.6.6 x86_64 Intel(R) Core(TM) i5-2520M CPU installed on Thinkpad x220. I have Intel Corporation Centrino Advanced-N 6205 (rev 34) wifi adapter with Kernel driver in use: iwlwifi.

I installed Cisco VPN to connect to work network, it connects beautifully with eth0, wifi or hspa connection, but i have no traffic when connecting VPN via WiFi.
Example: i can ssh to servers @work with VPN connected via HSPA or Eth0, but can't when VPN connected via WiFi.

I tried different wifi networks - at home, at work - still no traffic.

Help, i don't understand what's the trick!
Thanks

P.S. i'm not sure is it networking or hardware issue

NeddySeagoon · Posted: Sat Nov 10, 2012 3:11 pm Post subject:

oizzzo,

Welcome to Gentoo.

Tell us about your firewall. CISCO VPN uses udp port 4500 and another, which I forget. You need those ports open.
I have the reverse set up to you. VPN is blocked on my wired network as it can be used to route around the firewall but allowed on Wireless, since Wireless is not permitted to initiate connections to wired.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

oizzzo · n00b Joined: 10 Nov 2012 Posts: 12

Emmm, what firewall?

I have iptables installed, but it is stopped and i am not using it...

Your VPN connection is secure.

VPN tunnel information.
Client address: 192.168.4.2
Server address: xxx.xxx.xxx.xxx
Encryption: 256-bit AES
Authentication: HMAC-SHA
IP Compression: LZS
NAT passthrough is active on port UDP 24733
Local LAN Access is disabled

still not working over wifi

NeddySeagoon · Posted: Sun Nov 11, 2012 11:24 am Post subject:

oizzzo,

Please post your routing table when the VPN is not working. Also the output of

oizzzo · n00b Joined: 10 Nov 2012 Posts: 12

NeddySeagoon thank you for trying to help me.

I use NetworkManager to manage connections, and at work i can't connect to VPN if i am in corporate LAN, so i need to disconnect eth0 before connecting VPN, it's by design. Also i don't think there are subnet trouble because for test i changed home subnet to 40.40.40.0/24, and still no traffic with VPN.

ip route show

NeddySeagoon · Posted: Sun Nov 11, 2012 2:24 pm Post subject:

oizzzo,

oizzzo · n00b Joined: 10 Nov 2012 Posts: 12

Ok, now i'm at home, and have here 40.40.40.0/24 subnet, TP-Link router with WiFi.

Now i'm connected with cable, eth0 and VPN is up and running.

NeddySeagoon · Posted: Sun Nov 11, 2012 3:22 pm Post subject:

oizzzo,

oizzzo · n00b Joined: 10 Nov 2012 Posts: 12

With VPN over eth0 i can ping google.com, but with VPN over WiFi i can't.

In resolv.conf all is ok, after connecting to VPN it pushes there work internal dns servers. Same is with VPN over Eth0 or HSPA

NeddySeagoon · Posted: Sun Nov 11, 2012 3:51 pm Post subject:

oizzzo,

Never mind the VPS for now. wlan0 needs work on its own before it can support a VPN tunnel.
If resolv.conf contains your work DNS servers then name resolution will not work at all until VPS is up.

Has wlan0 ever worked, ever?
With or without VPN?

Lets look at wlan0. What does lspci or lsusb say about it?
Please pastebin you entire dmesg output so I can see wlan0 being started.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

oizzzo · n00b Joined: 10 Nov 2012 Posts: 12

resolv.conf changes when VPN is connected, it is normal, vpn connection propagates new DNS servers when connected.

When VPN is not active

NeddySeagoon · Posted: Sun Nov 11, 2012 4:34 pm Post subject:

oizzzo,

Your USB subsysem isn't very happy - dmesg is full of errors. I don't think it affects wlan0 though.

You also have several kernel Ooops ... that a bad sign. It may or may not affect wlan0. An Oops indicates and error condition just short of a kernel panic.
The kernel was able to carry on.

We will not see anything useful in dmesg until the USB errors and kernel Oops are fixed.

Looking at earlier posts, your routing tables are identical, with the exception that wlan0 takes the place of eth0.
With VPN enabled can you pint your gateway?

Set up wilfi but not VPN, in a terminal, run ping 40.40.40.1, which is your local gateway. This should work regardless of VPN or not.
Now start VPN - do the pings stop ?
If so your WiFi went down for some reason. The reason might be in dmesg if you are quick.

In another terminal ping 192.168.4.2, which is your end of the VPN tunnel. If that fails, is cipsec0 with IP 192.168.4.2 in ifconfig ?
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

oizzzo · n00b Joined: 10 Nov 2012 Posts: 12

I'll try to fix dmesg USB and kernel problems, but you are right, it can't affect.

I can ping my local gw without VPN connected and can ping with VPN connected now, it's much better.

NeddySeagoon · Posted: Sun Nov 11, 2012 5:28 pm Post subject:

oizzzo,

The WiFi driver has no knowledge of the data it carries, so its unlikely to be a driver issue.
Ping to your own gateway works, so data is getting to your next physical hop.

VPN packets pass through the routing table twice, once to the VPN tunnel, then again after encryption to be sent over the physical link.
The same happens in reverse at the other end.

I wonder if its a packet fragment size problem?
What happens if you set the MTU to 1024 for the VPN links?
This will avoid the network system breaking up packets that are too big to go in one piece following encryption. You can also try 512 but thats getting towards the silly small end for packet size.
Smaller packets mean more overhead, so its important to make the size as big as works reliably.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

oizzzo · n00b Joined: 10 Nov 2012 Posts: 12

How can i change MTU for VPN traffic and why i need to change it? I mean there is something strange just with WiFi, not VPN connection.

NeddySeagoon · Posted: Sun Nov 11, 2012 6:09 pm Post subject:

oizzzo,

With network manager, I don't know how you set the MTU.

Different transports have different MTU.
Wired ethernet is 1500 bytes
PPPoE is 1492 as its ethernet wrapped in ethernet.
My WiFi claims 1492 as it eventually goes over my PPPoE to the outside world
My USB 3G modem claims 1500

Your

oizzzo · n00b Joined: 10 Nov 2012 Posts: 12

Ok, i played with MTU, tried to set 1300, 1492, auto, no change.

NeddySeagoon · Posted: Sun Nov 11, 2012 6:51 pm Post subject:

oizzzo,

That shows that something is going backwards and forwards over VPN.
I don't know the details any further, maybe google can help if you search for Received an invalid or malformed IKE packet
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

oizzzo · n00b Joined: 10 Nov 2012 Posts: 12

No, it seems that when i connect VPN over WiFi ipSec module cannot decrypt packets.

Anyone please help!

oizzzo · n00b Joined: 10 Nov 2012 Posts: 12

So, i bought Trendnet TEW642UB, added needed kernel drivers for Realtek chipset, rebooted, disabled integrated Intel WiFi card and connected to my home Wifi with Trendnet TEW642UB.

VPN worked, i can ping and ssh to work.

I think there are some strange shit with Intel Next-Gen drivers in kernel.

oizzzo · n00b Joined: 10 Nov 2012 Posts: 12

Tried today different kernels, it doesn't worked with stable 3.5.7 but it worked with stable 3.0.17-r2

Should i report bug to kernel list/bugzilla?

NeddySeagoon · Posted: Fri Nov 16, 2012 7:55 pm Post subject:

oizzzo,

Report a bug to bugs.gentoo.org
Before you open a new bug, see if there is already a bug you can contribute to.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.