[opensuse-factory] Tumbleweed - Review of the week 2018/13 - openSUSE Factory

newer
[opensuse-factory] Leap 15.0 Build...

[opensuse-factory] Tumbleweed - Review of the week 2018/13

older
[opensuse-factory] New Tumbleweed...

Dominique Leuenberger / DimStar

31 Mar 2018 31 Mar '18

11:20

Dear Tumbleweed users and hackers, Looking at the snapshots (and the non-released snapshots) one could believe we entered spring break already. There have been only 3 snapshots released this week, a few more tested and discarded, for different reasons. The released snapshots were 0320, 0324 and 0326 and brought you these updates: * Mozilla Firefox 59.0 * KDE applications 17.12.3 * KDE Frameworks 5.44.0 * Postfix 3.3.0 * PostgreSQL 10.3 * Linux kernel 4.15.11 & 4.15.13 * libtirpc1.0.3: special note here: there were changes in how ports are being assigned, which impacts NIS servers, or rather communication with them. See linux-nfs.org[0] and RedHat Bug[1] for more information. The future snapshots will bring these updates/changes: * Mesa 18.0 final * KDE Plasma 5.12.4 * LibreOffice 6.0.3.1 * Kubic will switch to a multi-step installation process * Samba4.8 * Kernel config change: support signed modules; loading modules with none/invalid signatures will be possible, but result in warnings. * Automake 1.16: as usual, a bunch of builds will fail, mostly for patching the build system and then relying on an implicit automake call, which only works as long as the automake version did not change. * vpnc and networkmanager-vpnc will be removed from the distro: openvpn supports those use cases now. * LLVM 6.0 * cmake 3.11.0 Cheers, Dominique [0] https://bugzilla.linux-nfs.org/show_bug.cgi?id=320 (invalid cert) [1] https://bugzilla.redhat.com/show_bug.cgi?id=1560736

Attachments:

signature.asc (application/pgp-signature — 195 bytes)

Show replies by date

Jan Engelhardt

31 Mar 31 Mar

12:10

On Saturday 2018-03-31 13:20, Dominique Leuenberger / DimStar wrote:

...

* vpnc and networkmanager-vpnc will be removed from the distro: openvpn supports those use cases now.

The openvpn manpage indeed mentions IPsec a few times with regard to replay windows, but that's it. There is no mention what vpnc's "IPSec ID", "IPSec secret", and "Xauth password" would map to. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Stefan Brüns

15:21

On Samstag, 31. März 2018 14:10:47 CEST Jan Engelhardt wrote:

...

On Saturday 2018-03-31 13:20, Dominique Leuenberger / DimStar wrote:

...
* vpnc and networkmanager-vpnc will be removed from the distro: openvpn supports those use cases now.

The openvpn manpage indeed mentions IPsec a few times with regard to replay windows, but that's it. There is no mention what vpnc's "IPSec ID", "IPSec secret", and "Xauth password" would map to.

I would like to second that - this is the IPsec variant found on e.g. the very popular "FritzBox!" xDSL Routers and Cable modems, which likely account for at least 30% of the home router market in Germany. Being no longer able to connect to my home network via VPN would be a major step back. Kind regards, Stefan -- Stefan Brüns / Bergstraße 21 / 52062 Aachen home: +49 241 53809034 mobile: +49 151 50412019

Frank Krüger

15:33

New subject: [opensuse-factory] Dropping VPNC (was: Tumbleweed - Review of the week 2018/13)

Am 31.03.2018 um 17:21 schrieb Stefan Brüns:

...

On Samstag, 31. März 2018 14:10:47 CEST Jan Engelhardt wrote:

...
On Saturday 2018-03-31 13:20, Dominique Leuenberger / DimStar wrote:

...
* vpnc and networkmanager-vpnc will be removed from the distro: openvpn supports those use cases now.

The openvpn manpage indeed mentions IPsec a few times with regard to replay windows, but that's it. There is no mention what vpnc's "IPSec ID", "IPSec secret", and "Xauth password" would map to.

I would like to second that - this is the IPsec variant found on e.g. the very popular "FritzBox!" xDSL Routers and Cable modems, which likely account for at least 30% of the home router market in Germany. Being no longer able to connect to my home network via VPN would be a major step back.

Kind regards,

Stefan

Dropping vpnc in favour of openvpn (likewise in Leap 15.0 I guess) would leave me with some non-working connections via VPN. To my knowledge, openvpn does not support a complete IPSec VPN. Regards, Frank -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Neal Gompa

15:34

New subject: [opensuse-factory] Dropping VPNC (was: Tumbleweed - Review of the week 2018/13)

On Sat, Mar 31, 2018 at 11:33 AM, Frank Krüger <fkrueger@mailbox.org> wrote:

...

Am 31.03.2018 um 17:21 schrieb Stefan Brüns:

...
On Samstag, 31. März 2018 14:10:47 CEST Jan Engelhardt wrote:

...
On Saturday 2018-03-31 13:20, Dominique Leuenberger / DimStar wrote:

...
* vpnc and networkmanager-vpnc will be removed from the distro: openvpn supports those use cases now.

The openvpn manpage indeed mentions IPsec a few times with regard to replay windows, but that's it. There is no mention what vpnc's "IPSec ID", "IPSec secret", and "Xauth password" would map to.

I would like to second that - this is the IPsec variant found on e.g. the very popular "FritzBox!" xDSL Routers and Cable modems, which likely account for at least 30% of the home router market in Germany. Being no longer able to connect to my home network via VPN would be a major step back.

Kind regards,

Stefan

Dropping vpnc in favour of openvpn (likewise in Leap 15.0 I guess) would leave me with some non-working connections via VPN. To my knowledge, openvpn does not support a complete IPSec VPN.

My work VPN only works with vpnc (through NetworkManager-vpnc), so dropping it would break my VPN. -- 真実はいつも一つ！/ Always, there's only one truth! -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Frank Krüger

16:03

New subject: [opensuse-factory] Dropping VPNC

Am 31.03.2018 um 17:34 schrieb Neal Gompa:

...

On Sat, Mar 31, 2018 at 11:33 AM, Frank Krüger <fkrueger@mailbox.org> wrote:

...
Am 31.03.2018 um 17:21 schrieb Stefan Brüns:

...
On Samstag, 31. März 2018 14:10:47 CEST Jan Engelhardt wrote:

...
On Saturday 2018-03-31 13:20, Dominique Leuenberger / DimStar wrote:

...
* vpnc and networkmanager-vpnc will be removed from the distro: openvpn supports those use cases now.

The openvpn manpage indeed mentions IPsec a few times with regard to replay windows, but that's it. There is no mention what vpnc's "IPSec ID", "IPSec secret", and "Xauth password" would map to.

I would like to second that - this is the IPsec variant found on e.g. the very popular "FritzBox!" xDSL Routers and Cable modems, which likely account for at least 30% of the home router market in Germany. Being no longer able to connect to my home network via VPN would be a major step back.

Kind regards,

Stefan

Dropping vpnc in favour of openvpn (likewise in Leap 15.0 I guess) would leave me with some non-working connections via VPN. To my knowledge, openvpn does not support a complete IPSec VPN.

According to https://openvpn.net/index.php/component/content/article/55-about-openvpn.htm... openvpn is not compatible with IPSec. So vpnc is still needed. Regards, Frank -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Andrei Borzenkov

16:21

New subject: [opensuse-factory] Dropping VPNC

31.03.2018 19:03, Frank Krüger пишет:

...

Am 31.03.2018 um 17:34 schrieb Neal Gompa:

...
On Sat, Mar 31, 2018 at 11:33 AM, Frank Krüger <fkrueger@mailbox.org> wrote:

...
Am 31.03.2018 um 17:21 schrieb Stefan Brüns:

...
On Samstag, 31. März 2018 14:10:47 CEST Jan Engelhardt wrote:

...
On Saturday 2018-03-31 13:20, Dominique Leuenberger / DimStar wrote:

...
* vpnc and networkmanager-vpnc will be removed from the distro: openvpn supports those use cases now.

The openvpn manpage indeed mentions IPsec a few times with regard to replay windows, but that's it. There is no mention what vpnc's "IPSec ID", "IPSec secret", and "Xauth password" would map to.

I would like to second that - this is the IPsec variant found on e.g. the very popular "FritzBox!" xDSL Routers and Cable modems, which likely account for at least 30% of the home router market in Germany. Being no longer able to connect to my home network via VPN would be a major step back.

Kind regards,

Stefan

Dropping vpnc in favour of openvpn (likewise in Leap 15.0 I guess) would leave me with some non-working connections via VPN. To my knowledge, openvpn does not support a complete IPSec VPN.

According to https://openvpn.net/index.php/component/content/article/55-about-openvpn.htm...

openvpn is not compatible with IPSec. So vpnc is still needed.

Something like libreswan may work (it apparently also has NM plugin): https://libreswan.org/wiki/Libreswan_as_client_to_a_Cisco_(ASA_or_VPN3000)_s... -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Michal Hlavac

3 Apr 3 Apr

19:43

New subject: [opensuse-factory] Dropping VPNC

yes, but there is no libreswan package in Tumbleweed. It will be good to provide alternative solution before removing vpnc. Add some time to port their old vpnc profiles to this newer alternative. Same as firewalld vs SuSEfirewall2. m. On sobota, 31. marca 2018 18:21:03 CEST Andrei Borzenkov wrote:

...

Something like libreswan may work (it apparently also has NM plugin):

https://libreswan.org/wiki/Libreswan_as_client_to_a_Cisco_(ASA_or_VPN3000)_s...

-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Michal Kubecek

19:48

New subject: [opensuse-factory] Dropping VPNC

On Tue, Apr 03, 2018 at 09:43:23PM +0200, Michal Hlavac wrote:

...

On sobota, 31. marca 2018 18:21:03 CEST Andrei Borzenkov wrote:

...
Something like libreswan may work (it apparently also has NM plugin):

https://libreswan.org/wiki/Libreswan_as_client_to_a_Cisco_(ASA_or_VPN3000)_s...

yes, but there is no libreswan package in Tumbleweed.

There is strongswan, though. Michal Kubeček -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Stefan Seyfried

19:53

New subject: [opensuse-factory] Dropping VPNC

Am 03.04.2018 um 21:48 schrieb Michal Kubecek:

...

On Tue, Apr 03, 2018 at 09:43:23PM +0200, Michal Hlavac wrote:

...
On sobota, 31. marca 2018 18:21:03 CEST Andrei Borzenkov wrote:

...
Something like libreswan may work (it apparently also has NM plugin):

https://libreswan.org/wiki/Libreswan_as_client_to_a_Cisco_(ASA_or_VPN3000)_s...

yes, but there is no libreswan package in Tumbleweed.

There is strongswan, though.

Which does not work with the Fritz!Box VPN (IPSec XAuth PSK) -- Stefan Seyfried "For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." -- Richard Feynman -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Frank Krüger

21:01

New subject: [opensuse-factory] Dropping VPNC

Am 03.04.2018 um 21:53 schrieb Stefan Seyfried:

...

Am 03.04.2018 um 21:48 schrieb Michal Kubecek:

...
On Tue, Apr 03, 2018 at 09:43:23PM +0200, Michal Hlavac wrote:

...
On sobota, 31. marca 2018 18:21:03 CEST Andrei Borzenkov wrote:

...
Something like libreswan may work (it apparently also has NM plugin):

https://libreswan.org/wiki/Libreswan_as_client_to_a_Cisco_(ASA_or_VPN3000)_s...

yes, but there is no libreswan package in Tumbleweed.

There is strongswan, though.

Which does not work with the Fritz!Box VPN (IPSec XAuth PSK)

By the way, Leap 15.0 Build 187.1 does not contain vpnc (anymore?): https://bugzilla.opensuse.org/show_bug.cgi?id=1087734 Regards, Frank -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Michal Kubecek

4 Apr 4 Apr

05:38

New subject: [opensuse-factory] Dropping VPNC

On Tuesday, 3 April 2018 21:53 Stefan Seyfried wrote:

...

Am 03.04.2018 um 21:48 schrieb Michal Kubecek:

...
On Tue, Apr 03, 2018 at 09:43:23PM +0200, Michal Hlavac wrote:

...
On sobota, 31. marca 2018 18:21:03 CEST Andrei Borzenkov wrote:

...
Something like libreswan may work (it apparently also has NM plugin):

https://libreswan.org/wiki/Libreswan_as_client_to_a_Cisco_(ASA_or_ VPN3000)_server>> yes, but there is no libreswan package in Tumbleweed.

There is strongswan, though.

Which does not work with the Fritz!Box VPN (IPSec XAuth PSK)

How about racoon (ipsec-tools package)? It should support XAuth PSK, according to racoon.conf(5). Michal Kubeček -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Stefan Seyfried

12:02

New subject: [opensuse-factory] Dropping VPNC

Am 04.04.2018 um 07:38 schrieb Michal Kubecek:

...

On Tuesday, 3 April 2018 21:53 Stefan Seyfried wrote

...
Which does not work with the Fritz!Box VPN (IPSec XAuth PSK)

How about racoon (ipsec-tools package)? It should support XAuth PSK, according to racoon.conf(5).

If it has no NetworkManager integration, it "does not work"™ for me. -- Stefan Seyfried "For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." -- Richard Feynman -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Neal Gompa

12:33

New subject: [opensuse-factory] Dropping VPNC

On Wed, Apr 4, 2018 at 1:38 AM, Michal Kubecek <mkubecek@suse.cz> wrote:

...

On Tuesday, 3 April 2018 21:53 Stefan Seyfried wrote:

...
Am 03.04.2018 um 21:48 schrieb Michal Kubecek:

...
On Tue, Apr 03, 2018 at 09:43:23PM +0200, Michal Hlavac wrote:

...
On sobota, 31. marca 2018 18:21:03 CEST Andrei Borzenkov wrote:

...
Something like libreswan may work (it apparently also has NM plugin):

https://libreswan.org/wiki/Libreswan_as_client_to_a_Cisco_(ASA_or_ VPN3000)_server>> yes, but there is no libreswan package in Tumbleweed.

There is strongswan, though.

Which does not work with the Fritz!Box VPN (IPSec XAuth PSK)

How about racoon (ipsec-tools package)? It should support XAuth PSK, according to racoon.conf(5).

To date, the only way I've been able to use my VPN is through NetworkManager-vpnc. My VPN is IPSec based with pre-shared keys, shared group, and user/password authentication. So far, nothing I've used supports that except vpnc through NetworkManager. -- 真実はいつも一つ！/ Always, there's only one truth! -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

James Knott

31 Mar 31 Mar

16:55

New subject: [opensuse-factory] Dropping VPNC

On 03/31/2018 11:33 AM, Frank Krüger wrote:

...

Dropping vpnc in favour of openvpn (likewise in Leap 15.0 I guess) would leave me with some non-working connections via VPN. To my knowledge, openvpn does not support a complete IPSec VPN.

IPSec and OpenVPN are two completely different VPNs. IPSec is an IETF standard and OpenVPN is not. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Stefan Seyfried

1 Apr 1 Apr

11:47

Am 31.03.2018 um 14:10 schrieb Jan Engelhardt:

...

On Saturday 2018-03-31 13:20, Dominique Leuenberger / DimStar wrote:

...
* vpnc and networkmanager-vpnc will be removed from the distro: openvpn supports those use cases now.

Probably a typo and openconnect instead of openvpn was meant to be mentioned here.

...

The openvpn manpage indeed mentions IPsec a few times with regard to replay windows, but that's it. There is no mention what vpnc's "IPSec ID", "IPSec secret", and "Xauth password" would map to.

openconnect is rumoured to be able to replace vpnc, but I have not used any of these two since switching to my own openvpn server setup ;-) -- Stefan Seyfried "For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." -- Richard Feynman -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Andrei Borzenkov

15:13

01.04.2018 14:47, Stefan Seyfried пишет:

...

Am 31.03.2018 um 14:10 schrieb Jan Engelhardt:

...
On Saturday 2018-03-31 13:20, Dominique Leuenberger / DimStar wrote:

...
* vpnc and networkmanager-vpnc will be removed from the distro: openvpn supports those use cases now.

Probably a typo and openconnect instead of openvpn was meant to be mentioned here.

...
The openvpn manpage indeed mentions IPsec a few times with regard to replay windows, but that's it. There is no mention what vpnc's "IPSec ID", "IPSec secret", and "Xauth password" would map to.

openconnect is rumoured to be able to replace vpnc, but I have not used any of these two since switching to my own openvpn server setup ;-)

openconnect implements SSL VPN (compatible with Cisco AnyConnect client) while vpnc implements IPSec VPN. Neither is replacement for the other nor is openVPN replacement for either. My understanding is that current Cisco VPN products all implement SSL VPN (at least, AnyConnect client is the only supported one today) so from practical point of view users may be able to migrate to openconnect. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Frederic Crozat

3 Apr 3 Apr

07:20

Le samedi 31 mars 2018 à 13:20 +0200, Dominique Leuenberger / DimStar a écrit :

...

* vpnc and networkmanager-vpnc will be removed from the distro: openvpn supports those use cases now.

I think there was a typo in the mail. openCONNECT is replacing vpnc, not openVPN. And AFAIK, openconnect (http://www.infradead.org/openconnect/ ) does everything vpnc does, even better. For everybody who commented in the thread, please test with openconnect / NM-openconnect -- Frederic Crozat Enterprise Desktop Release Manager SUSE -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Frank Krüger

07:38

New subject: [opensuse-factory] Dropping VPNC [was: Tumbleweed - Review of the week 2018/13]

Am 03.04.2018 um 09:20 schrieb Frederic Crozat:

...

Le samedi 31 mars 2018 à 13:20 +0200, Dominique Leuenberger / DimStar a écrit :

...
* vpnc and networkmanager-vpnc will be removed from the distro: openvpn supports those use cases now.

I think there was a typo in the mail.

openCONNECT is replacing vpnc, not openVPN.

And AFAIK, openconnect (http://www.infradead.org/openconnect/ ) does everything vpnc does, even better.

For everybody who commented in the thread, please test with openconnect / NM-openconnect

Thank you for the clarification. I removed vpnc and switched to openconnect. Using the VPN protocol Cisco AnyConnect it works pretty well. However, it is not clear to me how to deal with VPN connections that explicitly require IPSecID and IPSecsecret. Regards, Frank -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Andrei Borzenkov

07:48

New subject: [opensuse-factory] Dropping VPNC [was: Tumbleweed - Review of the week 2018/13]

On Tue, Apr 3, 2018 at 10:38 AM, Frank Krüger <fkrueger@mailbox.org> wrote:

...

Am 03.04.2018 um 09:20 schrieb Frederic Crozat:

...
Le samedi 31 mars 2018 à 13:20 +0200, Dominique Leuenberger / DimStar a écrit :

...
* vpnc and networkmanager-vpnc will be removed from the distro: openvpn supports those use cases now.

I think there was a typo in the mail.

openCONNECT is replacing vpnc, not openVPN.

And AFAIK, openconnect (http://www.infradead.org/openconnect/ ) does everything vpnc does, even better.

For everybody who commented in the thread, please test with openconnect / NM-openconnect

Thank you for the clarification. I removed vpnc and switched to openconnect. Using the VPN protocol Cisco AnyConnect it works pretty well. However, it is not clear to me how to deal with VPN connections that explicitly require IPSecID and IPSecsecret.

Can you connect to those servers with Cisco AnyConnect? If yes, you should be able to migrate to openconnet using similar settings. If not, it is enough reason to not drop vpnc until actual replacement is found. Did you try libreswan I mentioned earlier? And no, openconnect is not replacement for vpnc. It implements different protocol requiring different server setup. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Frederic Crozat

07:58

New subject: [opensuse-factory] Dropping VPNC [was: Tumbleweed - Review of the week 2018/13]

Le mardi 03 avril 2018 à 10:48 +0300, Andrei Borzenkov a écrit :

...

On Tue, Apr 3, 2018 at 10:38 AM, Frank Krüger <fkrueger@mailbox.org> wrote:

...
Am 03.04.2018 um 09:20 schrieb Frederic Crozat:

...
Le samedi 31 mars 2018 à 13:20 +0200, Dominique Leuenberger / DimStar a écrit :

...
* vpnc and networkmanager-vpnc will be removed from the distro: openvpn supports those use cases now.

I think there was a typo in the mail.

openCONNECT is replacing vpnc, not openVPN.

And AFAIK, openconnect (http://www.infradead.org/openconnect/ ) does everything vpnc does, even better.

For everybody who commented in the thread, please test with openconnect / NM-openconnect

Thank you for the clarification. I removed vpnc and switched to openconnect. Using the VPN protocol Cisco AnyConnect it works pretty well. However, it is not clear to me how to deal with VPN connections that explicitly require IPSecID and IPSecsecret.

Can you connect to those servers with Cisco AnyConnect? If yes, you should be able to migrate to openconnet using similar settings. If not, it is enough reason to not drop vpnc until actual replacement is found. Did you try libreswan I mentioned earlier?

And no, openconnect is not replacement for vpnc. It implements different protocol requiring different server setup.

Well, looking at vpnc status ( http://lists.unix-ag.uni-kl.de/pipermail /vpnc-devel/2017-November/thread.html ), I'm not sure people should rely on vpnc at all (there is now a github projet, but still no maintainer).. -- Frederic Crozat Enterprise Desktop Release Manager SUSE -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Andrei Borzenkov

08:29

New subject: [opensuse-factory] Dropping VPNC [was: Tumbleweed - Review of the week 2018/13]

On Tue, Apr 3, 2018 at 10:58 AM, Frederic Crozat <fcrozat@suse.com> wrote:

...

Le mardi 03 avril 2018 à 10:48 +0300, Andrei Borzenkov a écrit :

...
On Tue, Apr 3, 2018 at 10:38 AM, Frank Krüger <fkrueger@mailbox.org> wrote:

...
Am 03.04.2018 um 09:20 schrieb Frederic Crozat:

...
Le samedi 31 mars 2018 à 13:20 +0200, Dominique Leuenberger / DimStar a écrit :

...
* vpnc and networkmanager-vpnc will be removed from the distro: openvpn supports those use cases now.

I think there was a typo in the mail.

openCONNECT is replacing vpnc, not openVPN.

And AFAIK, openconnect (http://www.infradead.org/openconnect/ ) does everything vpnc does, even better.

For everybody who commented in the thread, please test with openconnect / NM-openconnect

Thank you for the clarification. I removed vpnc and switched to openconnect. Using the VPN protocol Cisco AnyConnect it works pretty well. However, it is not clear to me how to deal with VPN connections that explicitly require IPSecID and IPSecsecret.

Can you connect to those servers with Cisco AnyConnect? If yes, you should be able to migrate to openconnet using similar settings. If not, it is enough reason to not drop vpnc until actual replacement is found. Did you try libreswan I mentioned earlier?

And no, openconnect is not replacement for vpnc. It implements different protocol requiring different server setup.

Well, looking at vpnc status ( http://lists.unix-ag.uni-kl.de/pipermail /vpnc-devel/2017-November/thread.html ), I'm not sure people should rely on vpnc at all (there is now a github projet, but still no maintainer)..

Well, the fact is that Cisco VPN products may offer both SSL and IPSec VPN and can chose to enable either and openconnect implements only the former so dropping vpnc may leave some users without working solution. It means some replacement for IPSec VPN is needed. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Frederic Crozat

08:42

New subject: [opensuse-factory] Dropping VPNC [was: Tumbleweed - Review of the week 2018/13]

Le mardi 03 avril 2018 à 11:29 +0300, Andrei Borzenkov a écrit :

...

On Tue, Apr 3, 2018 at 10:58 AM, Frederic Crozat <fcrozat@suse.com> wrote:

...
Le mardi 03 avril 2018 à 10:48 +0300, Andrei Borzenkov a écrit :

...
On Tue, Apr 3, 2018 at 10:38 AM, Frank Krüger <fkrueger@mailbox.o rg> wrote:

...
Am 03.04.2018 um 09:20 schrieb Frederic Crozat:

...
Le samedi 31 mars 2018 à 13:20 +0200, Dominique Leuenberger / DimStar a écrit :

...
* vpnc and networkmanager-vpnc will be removed from the distro: openvpn supports those use cases now.

I think there was a typo in the mail.

openCONNECT is replacing vpnc, not openVPN.

And AFAIK, openconnect (http://www.infradead.org/openconnect/ ) does everything vpnc does, even better.

For everybody who commented in the thread, please test with openconnect / NM-openconnect

Thank you for the clarification. I removed vpnc and switched to openconnect. Using the VPN protocol Cisco AnyConnect it works pretty well. However, it is not clear to me how to deal with VPN connections that explicitly require IPSecID and IPSecsecret.

Can you connect to those servers with Cisco AnyConnect? If yes, you should be able to migrate to openconnet using similar settings. If not, it is enough reason to not drop vpnc until actual replacement is found. Did you try libreswan I mentioned earlier?

And no, openconnect is not replacement for vpnc. It implements different protocol requiring different server setup.

Well, looking at vpnc status ( http://lists.unix-ag.uni-kl.de/piper mail /vpnc-devel/2017-November/thread.html ), I'm not sure people should rely on vpnc at all (there is now a github projet, but still no maintainer)..

Well, the fact is that Cisco VPN products may offer both SSL and IPSec VPN and can chose to enable either and openconnect implements only the former so dropping vpnc may leave some users without working solution. It means some replacement for IPSec VPN is needed.

Like that maybe : https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/... Regarding NM-openswan, it should be dropped in favor or NM-libreswan, which is the replacement with NM >= 1.2 (see https://wiki.gnome.org/Pro jects/NetworkManager/VPN ) and clearly state it is compatible with Cisco IPSec. But it looks like nobody has packaged it yet -- Frederic Crozat Enterprise Desktop Release Manager SUSE -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Jan Engelhardt

09:36

New subject: [opensuse-factory] Dropping VPNC [was: Tumbleweed - Review of the week 2018/13]

On Tuesday 2018-04-03 10:42, Frederic Crozat wrote:

...

Like that maybe : https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/...

My findings. - The VPN endpoint does not seem to react to IKEv2. - IKEv1 is very strict when it comes to leftsubnet/rightsubnet (which there is no fucking way of knowing), and I just get NO_PROPOSAL_CHOSEN all the time. I blame StrongSWAN here since vpnc obviously can figure it out somehow. - NetworkManager-openconnect has no password fields in the config, instead these will be shown (and optionally stored) if and when one tries to connect (not what some people may be used to) - openconnect from the command-line works too Good enoguh for me I guess. Oh yeah, and: - The packets exchanged for one keystroke in SSH are 10% bigger in (D)TLS than over IPsec/NAT-T. (269/109 bytes vs 244/100) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Frederic Crozat

4 Apr 4 Apr

07:26

New subject: [opensuse-factory] Dropping VPNC [was: Tumbleweed - Review of the week 2018/13]

Le mardi 03 avril 2018 à 10:42 +0200, Frederic Crozat a écrit :

...

Le mardi 03 avril 2018 à 11:29 +0300, Andrei Borzenkov a écrit :

...
On Tue, Apr 3, 2018 at 10:58 AM, Frederic Crozat <fcrozat@suse.com> wrote:

...
Le mardi 03 avril 2018 à 10:48 +0300, Andrei Borzenkov a écrit :

...
On Tue, Apr 3, 2018 at 10:38 AM, Frank Krüger <fkrueger@mailbox .o rg> wrote:

...
Am 03.04.2018 um 09:20 schrieb Frederic Crozat:

...
Le samedi 31 mars 2018 à 13:20 +0200, Dominique Leuenberger / DimStar a écrit : > > * vpnc and networkmanager-vpnc will be removed from the > distro: > openvpn supports those use cases now.

I think there was a typo in the mail.

openCONNECT is replacing vpnc, not openVPN.

And AFAIK, openconnect (http://www.infradead.org/openconnec t/ ) does everything vpnc does, even better.

For everybody who commented in the thread, please test with openconnect / NM-openconnect

Thank you for the clarification. I removed vpnc and switched to openconnect. Using the VPN protocol Cisco AnyConnect it works pretty well. However, it is not clear to me how to deal with VPN connections that explicitly require IPSecID and IPSecsecret.

Can you connect to those servers with Cisco AnyConnect? If yes, you should be able to migrate to openconnet using similar settings. If not, it is enough reason to not drop vpnc until actual replacement is found. Did you try libreswan I mentioned earlier?

And no, openconnect is not replacement for vpnc. It implements different protocol requiring different server setup.

Well, looking at vpnc status ( http://lists.unix-ag.uni-kl.de/pip er mail /vpnc-devel/2017-November/thread.html ), I'm not sure people should rely on vpnc at all (there is now a github projet, but still no maintainer)..

Well, the fact is that Cisco VPN products may offer both SSL and IPSec VPN and can chose to enable either and openconnect implements only the former so dropping vpnc may leave some users without working solution. It means some replacement for IPSec VPN is needed.

Like that maybe : https://www.cisco.com/c/en/us/support/docs/network-management/remote- access/117257-config-ios-vpn-strongswan-00.html

Regarding NM-openswan, it should be dropped in favor or NM-libreswan, which is the replacement with NM >= 1.2 (see https://wiki.gnome.org/P ro jects/NetworkManager/VPN ) and clearly state it is compatible with Cisco IPSec.

But it looks like nobody has packaged it yet

And for people wondering, NM-libreswan can work with strongswan too.. It is mostly a rename of NM-strongswan.. -- Frederic Crozat Enterprise Desktop Release Manager SUSE -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Stefan Seyfried

12:04

New subject: [opensuse-factory] Dropping VPNC [was: Tumbleweed - Review of the week 2018/13]

Am 04.04.2018 um 09:26 schrieb Frederic Crozat:

...

Le mardi 03 avril 2018 à 10:42 +0200, Frederic Crozat a écrit : And for people wondering, NM-libreswan can work with strongswan too..

but strongswan does not do IPSec XAuth PSK, at least I was not able to find out how to do it. I don't know if libreswan can do it. -- Stefan Seyfried "For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." -- Richard Feynman -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Frank Krüger

12:07

New subject: [opensuse-factory] Dropping VPNC [was: Tumbleweed - Review of the week 2018/13]

Am 04.04.2018 um 14:04 schrieb Stefan Seyfried:

...

Am 04.04.2018 um 09:26 schrieb Frederic Crozat:

...
Le mardi 03 avril 2018 à 10:42 +0200, Frederic Crozat a écrit : And for people wondering, NM-libreswan can work with strongswan too..

but strongswan does not do IPSec XAuth PSK, at least I was not able to find out how to do it.

It does not work for me either. Regards, Frank -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Jan Engelhardt

13:13

New subject: [opensuse-factory] Dropping VPNC [was: Tumbleweed - Review of the week 2018/13]

On Wednesday 2018-04-04 14:04, Stefan Seyfried wrote:

...

Am 04.04.2018 um 09:26 schrieb Frederic Crozat:

...
Le mardi 03 avril 2018 à 10:42 +0200, Frederic Crozat a écrit : And for people wondering, NM-libreswan can work with strongswan too..

but strongswan does not do IPSec XAuth PSK, at least I was not able to find out how to do it.

What about https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/... ? It explains where to place Xauth PSK creds and so on. (Even has strongswan in the title, so it probably must have worked for someone somewhere at some point.) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Stefan Seyfried

18:24

New subject: [opensuse-factory] Dropping VPNC [was: Tumbleweed - Review of the week 2018/13]

Am 04.04.2018 um 15:13 schrieb Jan Engelhardt:

...

What about https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/... ? It explains where to place Xauth PSK creds and so on. (Even has strongswan in the title, so it probably must have worked for someone somewhere at some point.)

Fact is, I cannot enter the PSK for IKEv1 in nm-strongswan config GUI. -- Stefan Seyfried "For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." -- Richard Feynman -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Andrei Borzenkov

19:13

New subject: [opensuse-factory] Dropping VPNC [was: Tumbleweed - Review of the week 2018/13]

04.04.2018 21:24, Stefan Seyfried пишет:

...

Am 04.04.2018 um 15:13 schrieb Jan Engelhardt:

...
What about https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/... ? It explains where to place Xauth PSK creds and so on. (Even has strongswan in the title, so it probably must have worked for someone somewhere at some point.)

Fact is, I cannot enter the PSK for IKEv1 in nm-strongswan config GUI.

Tumbleweed does have NetworkManager-strongswan(-gnome) and quick look into sources shows PSK (group password) and XAUTH (user password). So may be someone finally should give it a try :) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Andrei Borzenkov

19:16

New subject: [opensuse-factory] Dropping VPNC [was: Tumbleweed - Review of the week 2018/13]

04.04.2018 22:13, Andrei Borzenkov пишет:

...

04.04.2018 21:24, Stefan Seyfried пишет:

...
Am 04.04.2018 um 15:13 schrieb Jan Engelhardt:

...
What about https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/... ? It explains where to place Xauth PSK creds and so on. (Even has strongswan in the title, so it probably must have worked for someone somewhere at some point.)

Fact is, I cannot enter the PSK for IKEv1 in nm-strongswan config GUI.

Tumbleweed does have NetworkManager-strongswan(-gnome) and quick look into sources shows PSK (group password) and XAUTH (user password). So may be someone finally should give it a try :)

Sorry, quick look was into libreswan plugins. Ignore :( -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Frank Krüger

3 Apr 3 Apr

08:02

New subject: [opensuse-factory] Dropping VPNC [was: Tumbleweed - Review of the week 2018/13]

Am 03.04.2018 um 09:48 schrieb Andrei Borzenkov:

...

On Tue, Apr 3, 2018 at 10:38 AM, Frank Krüger <fkrueger@mailbox.org> wrote:

...
Am 03.04.2018 um 09:20 schrieb Frederic Crozat:

...
Le samedi 31 mars 2018 à 13:20 +0200, Dominique Leuenberger / DimStar a écrit :

...
* vpnc and networkmanager-vpnc will be removed from the distro: openvpn supports those use cases now.

I think there was a typo in the mail.

openCONNECT is replacing vpnc, not openVPN.

And AFAIK, openconnect (http://www.infradead.org/openconnect/ ) does everything vpnc does, even better.

For everybody who commented in the thread, please test with openconnect / NM-openconnect

Thank you for the clarification. I removed vpnc and switched to openconnect. Using the VPN protocol Cisco AnyConnect it works pretty well. However, it is not clear to me how to deal with VPN connections that explicitly require IPSecID and IPSecsecret.

Can you connect to those servers with Cisco AnyConnect? If yes, you should be able to migrate to openconnet using similar settings.

Yes, I can.

...

Did you try libreswan I mentioned earlier? Unfortunately, it does not exist in the openSUSE repos. Using NM-openswan does not help.

Regards, Frank -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Andrei Borzenkov

08:26

New subject: [opensuse-factory] Dropping VPNC [was: Tumbleweed - Review of the week 2018/13]

On Tue, Apr 3, 2018 at 11:02 AM, Frank Krüger <fkrueger@mailbox.org> wrote:

...

Am 03.04.2018 um 09:48 schrieb Andrei Borzenkov:

...
On Tue, Apr 3, 2018 at 10:38 AM, Frank Krüger <fkrueger@mailbox.org> wrote:

...
Am 03.04.2018 um 09:20 schrieb Frederic Crozat:

...
Le samedi 31 mars 2018 à 13:20 +0200, Dominique Leuenberger / DimStar a écrit :

...
* vpnc and networkmanager-vpnc will be removed from the distro: openvpn supports those use cases now.

I think there was a typo in the mail.

openCONNECT is replacing vpnc, not openVPN.

And AFAIK, openconnect (http://www.infradead.org/openconnect/ ) does everything vpnc does, even better.

For everybody who commented in the thread, please test with openconnect / NM-openconnect

Thank you for the clarification. I removed vpnc and switched to openconnect. Using the VPN protocol Cisco AnyConnect it works pretty well. However, it is not clear to me how to deal with VPN connections that explicitly require IPSecID and IPSecsecret.

Can you connect to those servers with Cisco AnyConnect? If yes, you should be able to migrate to openconnet using similar settings.

Yes, I can.

Mmm ... AnyConnect actually supports both SSL and IPSec protocols, so indeed depending on your server setup (which can selectively enable both SSL and IPSec) it may force you to use IPSec. Just to be sure - you can connect using Cisco AnyConnect - you cannot connect using openconnect - you can connect usin vpnc is it correct?

...

...
Did you try libreswan I mentioned earlier? Unfortunately, it does not exist in the openSUSE repos. Using NM-openswan does not help.

-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Frank Krüger

08:50

New subject: [opensuse-factory] Dropping VPNC [was: Tumbleweed - Review of the week 2018/13]

Am 03.04.2018 um 10:26 schrieb Andrei Borzenkov:

...

On Tue, Apr 3, 2018 at 11:02 AM, Frank Krüger <fkrueger@mailbox.org> wrote:

...
Am 03.04.2018 um 09:48 schrieb Andrei Borzenkov:

...
On Tue, Apr 3, 2018 at 10:38 AM, Frank Krüger <fkrueger@mailbox.org> wrote:

...
Am 03.04.2018 um 09:20 schrieb Frederic Crozat:

...
Le samedi 31 mars 2018 à 13:20 +0200, Dominique Leuenberger / DimStar a écrit :

...
* vpnc and networkmanager-vpnc will be removed from the distro: openvpn supports those use cases now.

I think there was a typo in the mail.

openCONNECT is replacing vpnc, not openVPN.

And AFAIK, openconnect (http://www.infradead.org/openconnect/ ) does everything vpnc does, even better.

For everybody who commented in the thread, please test with openconnect / NM-openconnect

Thank you for the clarification. I removed vpnc and switched to openconnect. Using the VPN protocol Cisco AnyConnect it works pretty well. However, it is not clear to me how to deal with VPN connections that explicitly require IPSecID and IPSecsecret.

Can you connect to those servers with Cisco AnyConnect? If yes, you should be able to migrate to openconnet using similar settings.

Yes, I can.

Mmm ... AnyConnect actually supports both SSL and IPSec protocols, so indeed depending on your server setup (which can selectively enable both SSL and IPSec) it may force you to use IPSec. Just to be sure

- you can connect using Cisco AnyConnectYes.

...

- you cannot connect using openconnect Just tried, openconnect works for me as well.

...

- you can connect usin vpnc Yes.

To sum up, replacing vpnc by openconnect (and the corresponding NM packages) works for me. However, the question still remains what happens to users who have to rely on IPSec VPN. Regards, Frank -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Stefan Seyfried

19:19

Am 03.04.2018 um 09:20 schrieb Frederic Crozat:

...

Le samedi 31 mars 2018 à 13:20 +0200, Dominique Leuenberger / DimStar a écrit :

...
* vpnc and networkmanager-vpnc will be removed from the distro: openvpn supports those use cases now.

I think there was a typo in the mail.

openCONNECT is replacing vpnc, not openVPN.

And AFAIK, openconnect (http://www.infradead.org/openconnect/ ) does everything vpnc does, even better.

No it does not. AVM Fritz!Box VPN implementation, very popular in germany. https://en.avm.de/service/vpn/tips-tricks/setting-up-a-vpn-connection-to-fri...

...

For everybody who commented in the thread, please test with openconnect / NM-openconnect

Does not work. Nor does NM-strongswan. vpnc works well. Why does it need to be dropped? -- Stefan Seyfried "For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." -- Richard Feynman -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

2423

Age (days ago)

2427

Last active (days ago)

List overview

Download

34 comments

11 participants

participants (11)

Andrei Borzenkov
Dominique Leuenberger / DimStar
Frank Krüger
Frederic Crozat
James Knott
Jan Engelhardt
Michal Hlavac
Michal Kubecek
Neal Gompa
Stefan Brüns
Stefan Seyfried