[MASTER] nm 0.7 VPN import of cisco .pcf settings doesn't work properly

Bug #283635 reported by Erik Engberg
This bug affects 7 people
Affects                         Status         Importance  Assigned to  Milestone
NetworkManager                  Fix Released   High
network-manager (Ubuntu)        Invalid        High        Unassigned
  Intrepid                      Invalid        Undecided   Unassigned
network-manager-vpnc (Ubuntu)   Fix Released   High        Unassigned
  Intrepid                      Won't Fix      High        Unassigned

Bug Description

Binary package hint: network-manager

0.7~~svn20081008t224042-0ubuntu3~nm1~hardy2

I'm trying to import cisco vpn settings (*.pcf files). Most strings work but the enc_GroupPwd= string (which is a hash of the group password) is not imported. The GroupPwd= string can be manually set, but there is no way to import or set enc_GroupPwd.

The normal behavior in companies is to distribute a cisco .pcf file to vpn clients. They won't give out the group password in clear text (yes, I tried to use the string here too on a long shot).

Being able to either support the import of the enc_GroupPwd and/or set the hash string in the gui would be beneficial to a lot of people using company VPN. Currently we are stuck with using the cisco vpn client and using NM would be much nicer.

description: updated
Daniel Wiberg (dannew) wrote :

I can confirm this bug. It means that I still have to use the Cisco client, which also seems to be broken for the latest kernel version.

Changed in network-manager:
status: New → Confirmed
Alexander Sack (asac) wrote :

could someone check whether the patch in the upstream bug fixes this?

Changed in network-manager:
importance: Undecided → High
status: Confirmed → Triaged
Alexander Sack (asac) wrote :

hard to backport this to stable releases as it changes UI.

Alexander Sack (asac)
Changed in network-manager-vpnc:
importance: Undecided → High
status: New → Triaged
Thomas Novin (thomasn80) wrote :

The group key is very easy to decode, look at http://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode

Alexander Sack (asac) wrote :

SRU candidate. prospective fix landed in upstream svn r4252.

Changed in network-manager-vpnc:
importance: Undecided → High
milestone: none → intrepid-updates
status: New → Triaged
Alexander Sack (asac) wrote :

adjusted patch and uploaded to NM PPA:
https://edge.launchpad.net/~network-manager/+archive

Version uploaded is:
network-manager-vpnc_0.7~~svn20081015t024626-0ubuntu1.8.10.1~nm1_source.changes

If that works we can make a SRU out of it as it seems not to change UI. Let us know.

Alexander Sack (asac) wrote :

bug is in -vpnc package and not in core NM.

Changed in network-manager:
status: New → Invalid
status: Triaged → Invalid
komputes (komputes) wrote :

The new version (patched version of network-manager-vpnc_0.7~~svn20081015t024626-0ubuntu1.8.10.1~nm1_source.changes) from the PPA allows importing the .pcf, but when the file is opened/imported network manager exits without error message. Please let me know if there is any testing/log files you would need.

Alexander Sack (asac) wrote :

i have uploaded ~nm4 packages to the same place. do those fix your "exit"?

DaleEMoore (daleemoore) wrote : Re: [Bug 283635] Re: [MASTER] nm 0.7 VPN import of cisco .pcf settings doesn't work properly

network-manager no longer exits without message when I import the .PCF;
that's GREAT.

But it fails to connect.

kvpn imported the .PCF and connects. It looks like kvpn has an imported
group password which it appears network-manager does not have.

Can I dig up any further information that would make this easier for you?

add2700 (aaron-dewolf) wrote :

I have the same issue, running Ubuntu 8.10. I installed the patch but vpnc still can't decode the group password, and I can't get vpnc to come up again (noob). Let me know how I can help.

Changed in network-manager:
status: Unknown → Fix Released
Fabián Rodríguez (magicfab) wrote :

We've published an update to network-manager-vpnc ( version 0.7~~svn20081015t024626-0ubuntu1.8.10.1~nm4 ) on the NM manager.

Adding these lines to your sources and updating ONLY that package should let you test it:
deb http://ppa.launchpad.net/network-manager/ubuntu intrepid main
deb-src http://ppa.launchpad.net/network-manager/ubuntu intrepid main

Remember to remove the PPA from your sources after you update that single package.

I have confirmation from one customer that the fix worked.

der_vegi (m-may) wrote :

For me, version 0.7-0ubuntu1~nm1~intrepid1 does import the group password, but still, I cannot connect (vpnc-connect from commandline works, though): I get an error, that vpn secrets are invalid.

In my case it might be related to some special characters in the group-pwd: There are some characters that are displayed in the console like <E1> or <ED>, in gedit they're displayed properly (í, etc.) and in the vpnc-applet they are displayed as crossed-out rectangles. When I copy paste the correct password from gedit to the applet, it still does not work. I realized that two symbols stay on the right in the group-pwd field and cannot be removed: one crossed-out rectangle and one '{'. After unchecking the requirement of a group pwd they're not there any more but still, the connection does not work. So this might be more than just a problem with the fonts?

NikhilNK (nikhil-katkoria) wrote :

Hi Fabián Rodríguez,

Followed your instructions, it worked like a charm. It imported the group password correctly and most important, now the option is available to configure the option such as "Saved", "Always Ask" and "Not required". These complete the Cisco VPN connection saga on Ubuntu.

Great work.

thanks
Nikhil

Enrico M. (enrico-minack) wrote :

I tried above version of NM but could not import the second profile listed at
  ftp://ftp.rrzn.uni-hannover.de/pub/local/vpn/profiles_non_windows/
After downloading that .pdf file, choosing it and clicking on "Open", the GUI freezes and nothing happens. I am using Ubuntu 8.10.

Cheers,
Enrico

lukas (lukasnick) wrote :

This happens to me, too: when trying to import a *.pcf file, the import dialog freezes.
I tried three different *.pcf files.
Also when I try to "add" a new vpn-connection, the dialog freezes.
I'm using Ubuntu 8.10 on a lenovo T400.

Dominik (dominik.k) wrote :

I can confirm the last two mentioned problems. The "nm-connection-editor" is on system-monitor in the waiting channel "futex_wait".
I've attached the messages shown on terminal after I've clicked on "Open".
I also use Ubuntu 8.10.

DaleEMoore (daleemoore) wrote :

I just had a chance to try this on the same VPN.pcf on Ubuntu 9.04 and found it has the same problem. kvpnc imports fine, but vpnc and Network Manager fail to import the Cisco VPN PCF file.

root@Bubbles:~/Desktop# dpkg -l network-manager
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Cfg-files/Unpacked/Failed-cfg/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name Version Description
+++-==============-==============-============================================
ii network-manage 0.7.1~rc4.1.cf network management framework daemon
root@Bubbles:~/Desktop# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 9.04
Release: 9.04
Codename: jaunty

Dr D J Clark (djc-online) wrote :

I can confirm that .pcf import is not working with network manager
djc@Twingo:~$ dpkg -l network-manager
network-manage 0.7.1~rc4.1.cf network management framework daemon

djc@Twingo:~$ sudo vpnc-connect --username xxxxxxxx

Enter password for <email address hidden>:
Connect Banner:
xxxxxxxxxxxxxxxxxxxxxx

VPNC started in background (pid: 5659)...

However using network manager
"VPN Connection Failed"

If I import the .pcf and then export, then comparing the files I can see the following items have changed or disappeared.

original import           exported file
AuthType=5                AuthType=1
enc_GroupPwd=8F28C....    enc_GroupPwd=
CertStore=1               CertStore=0
CertName=xxxxxxxx         CertName=
CertPath=xxxxxxxxx        CertPath=
EnableMSLogon=1           EnableMSLogon=
EnableLocalLAN=0          EnableLocalLAN=1
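
Added example, not part of the original comment and not NetworkManager code: the import/export comparison described above, automated in Python so a round trip that silently drops or rewrites profile fields can be caught. The two profiles are constructed from the fields quoted in the comment (masked and elided values kept as posted); `parse_pcf` and `roundtrip_diff` are hypothetical helper names.

```python
import configparser

# Constructed sample: the original profile fields as quoted in the comment above.
ORIGINAL_PCF = """\
[main]
AuthType=5
enc_GroupPwd=8F28C....
CertStore=1
CertName=xxxxxxxx
CertPath=xxxxxxxxx
EnableMSLogon=1
EnableLocalLAN=0
"""

# Constructed sample: the same fields after import into NM and export again.
EXPORTED_PCF = """\
[main]
AuthType=1
enc_GroupPwd=
CertStore=0
CertName=
CertPath=
EnableMSLogon=
EnableLocalLAN=1
"""

def parse_pcf(text):
    """Return the [main] section of a .pcf profile as a dict, key case preserved."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # .pcf keys are mixed case; do not lower-case them
    parser.read_string(text)
    return dict(parser["main"]) if parser.has_section("main") else {}

def roundtrip_diff(original, exported):
    """Classify every key whose value did not survive import followed by export."""
    before, after = parse_pcf(original), parse_pcf(exported)
    report = {"dropped": [], "changed": [], "added": []}
    for key, old in before.items():
        new = after.get(key)
        if new is None or (old and not new):
            report["dropped"].append(key)  # key missing, or its value was emptied
        elif new != old:
            report["changed"].append((key, old, new))
    report["added"] = [k for k in after if k not in before]
    return report

if __name__ == "__main__":
    print(roundtrip_diff(ORIGINAL_PCF, EXPORTED_PCF))
```

The report lists key names for dropped fields rather than their values, so it can be attached to a bug report without exposing `enc_GroupPwd`.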

Mathieu Trudel-Lapierre (cyphermox) wrote :

Dr D J Clark,

In your version of the original pcf, it looks to me like there are settings related to certificates to use for connecting to the VPN, and not only group password setting.

Unfortunately, the vpnc plugin doesn't support authentication using certificates yet, so I believe this is why it doesn't work.

Could you please confirm with the exported file from NM (after re-adding the enc_GroupPwd value), whether vpnc-connect will connect successfully?

Thanks,

Dr D J Clark (djc-online) wrote :

I am using a version of the vpnc plugin that has been recompiled with
certificate support (detail at <http://www.publishing.ucl.ac.uk/roamnet.html>)

As noted in the original report I can connect using the command line vpnc-connect. The problem is that NM cannot be used. The location of the certificate file and the Group password are included in my /etc/vpnc/default.conf. (I am also able to connect with these arguments on the command line.) It would appear that NM does not use this and entering the GroupPwd in the NM dialogue does not work.

No, I cannot connect using NM even with the GroupPwd entered in the NM dialogue. Of course that may be that NM isn't finding the cert [1], but the result of the export/import test suggests that both cert and GroupPwd are being ignored or mishandled.

[1] I only have one example VPN to test, and that requires a cert.

Mathieu Trudel-Lapierre (cyphermox) wrote :

Dr D J Clark,

Please include the information requested at https://wiki.ubuntu.com/DebuggingNetworkManager. If you have trouble, do not hesitate to ask for more assistance. What is most important in this case is to provide a full capture log as you reproduce the issue. It would also be helpful if you could attach your /etc/vpnc/default.conf file (with any sensitive information hidden). Thanks in advance.

Dr D J Clark (djc-online) wrote :

Attaching log etc
jc@Twingo:~$ date
Thu Sep 10 20:32:47 BST 2009

attempt to connect using NW, fails

djc@Twingo:~$ date
Thu Sep 10 20:37:16 BST 2009
djc@Twingo:~$ sudo vpnc-connect --username uczcdjc
[sudo] password for djc:
Sorry, try again.
[sudo] password for djc:
Enter password for ucxxxx@128.40.x.x:
Connect Banner:
| Welcome to the RoamNet Service Version 2 (KLB).
|
| Access to and use of this service is restricted to authorised individuals and subject to UCL Computing Regulations.
|
| Please see http://www.ucl.ac.uk/is/roamnet/status.php for service details and history.

resolvconf: Error: /etc/resolv.conf must be a symlink
VPNC started in background (pid: 3607)...
djc@Twingo:~$ elinks www.ubuntu.com

Network connection is working (this posted from working VPN connection)

djc@Twingo:~$ date
Thu Sep 10 20:38:59 BST 2009
djc@Twingo:~$ sudo vpnc-disconnect
Terminating vpnc daemon (pid: 3607)
djc@Twingo:~$ date
Thu Sep 10 20:39:21 BST 2009
djc@Twingo:~$

Dr D J Clark (djc-online) wrote :

and this is the .pcf

[main]
Description=UCL RoamNet Service
Host=128.40.x.x
AuthType=5
GroupName=Roam...xxxxxxx
GroupPwd=
enc_GroupPwd=xxxx....B790
EnableISPConnect=0
ISPConnectType=0
ISPConnect=
ISPPhonebook=
ISPCommand=
Username=
SaveUserPassword=0
UserPassword=
enc_UserPassword=
NTDomain=
EnableBackup=0
BackupServer=
EnableMSLogon=1
MSLogonType=0
EnableNat=1
TunnelingMode=0
TcpTunnelingPort=10000
CertStore=1
CertName=rootcert
CertPath=/home/djc/download
CertSubjectName=
CertSerialHash=00000000000000000000000000000000
SendCertChain=0
PeerTimeout=90
EnableLocalLAN=0

Dr D J Clark (djc-online) wrote :

default.conf

IPSec gateway 128.40.x.x
IPSec ID Roamxxxxxxx
IKE Authmode hybrid
NAT Traversal Mode cisco-udp
IPSec obfuscated secret xxxxx.....9B790
CA-File /etc/vpnc/UCL_rootcert

Sergio Zanchetta (primes2h) wrote :

Thank you for reporting this bug to Ubuntu. Intrepid Ibex 8.10 reached EOL on 30 March 2010.
Please see this document for currently supported Ubuntu releases:
https://wiki.ubuntu.com/Releases

Please feel free to report any other bugs you may find.
Thank you.

Changed in network-manager-vpnc (Ubuntu Intrepid):
status: Triaged → Won't Fix
Sergio Zanchetta (primes2h) wrote :

I've just realized I made a mistake, Intrepid Ibex 8.10 "will reach" EOL on 30 "APRIL" 2010.

Sorry for this.

Anyway, I think that one month doesn't make any difference now.

Daniel Wiberg (dannew) wrote :

It seems to work in 9.10 so I think the status in Ubuntu should be Fix Released and not invalid, maybe invalid for Intrepid.

David Stansby (dstansby-deactivatedaccount) wrote :

Setting it as fix released since it seems to be working on 9.10.

Changed in network-manager-vpnc (Ubuntu):
status: Triaged → Fix Released
Changed in network-manager:
importance: Unknown → High
Dr D J Clark (djc-online) wrote :

This is still a bug in Network Manager Applet 0.8, Network Manager-vpnc 0.8-ubuntu3

The enc_GroupPwd= is imported from the .pcf file and it is decrypted, but it would appear that the resulting decrypted string is incomplete, probably truncated. As a result although the decrypted Group Password appears in the Network Manager applet it does not work.
