Hello Chris,
On 08/22/2017 12:55 AM, Chris Laprise wrote:
Is this Qubes 3.2?
Yes.
What changes does the Cisco client make to the routing table ('route'
command)?
Before starting AnyConnect:
[user@my-work-vpn ~]$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.137.2.1 0.0.0.0 UG 0 0 0 eth0
10.137.2.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
After starting AnyConnect:
[user@my-work-vpn ~]$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.137.2.1 0.0.0.0 UG 0 0 0 eth0
10.5.48.0 0.0.0.0 255.255.255.0 U 0 0 0 cscotun0
10.137.2.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 cscotun0
vsrv-dc-3.xxxx 0.0.0.0 255.255.255.255 UH 0 0 0 cscotun0
vsrv-dc-2.xxxx 0.0.0.0 255.255.255.255 UH 0 0 0 cscotun0
213.xxx.xxx.xxx 10.137.2.1 255.255.255.255 UGH 0 0 0 eth0
What changes (if any) to 'FORWARD' chain ('iptables -L')?
Before starting AnyConnect:
[user@my-work-vpn ~]$ sudo iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
DROP udp -- anywhere anywhere udp dpt:bootpc
ACCEPT all -- anywhere anywhere ctstate
RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with
icmp-host-prohibited
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate
RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
After starting AnyConnect:
[user@my-work-vpn ~]$ sudo iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ciscovpn all -- anywhere anywhere
ciscovpnfw all -- anywhere anywhere
DROP udp -- anywhere anywhere udp dpt:bootpc
ACCEPT all -- anywhere anywhere ctstate
RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with
icmp-host-prohibited
Chain FORWARD (policy DROP)
target prot opt source destination
ciscovpn all -- anywhere anywhere
ciscovpnfw all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate
RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ciscovpn all -- anywhere anywhere
ciscovpnfw all -- anywhere anywhere
Chain ciscovpn (3 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp
spt:bootpc dpt:bootps
ACCEPT udp -- anywhere anywhere udp
spt:bootps dpt:bootpc
ACCEPT udp -- anywhere anywhere udp
spt:dhcpv6-client dpt:dhcpv6-server
ACCEPT udp -- anywhere anywhere udp
spt:dhcpv6-server dpt:dhcpv6-client
ACCEPT tcp -- 10.137.2.26 213.xxx.xxx.xxx tcp dpt:https
ACCEPT tcp -- 213.xxx.xxx.xxx 10.137.2.26 tcp spt:https
ACCEPT udp -- 10.137.2.26 213.xxx.xxx.xxx udp dpt:https
ACCEPT udp -- 213.xxx.xxx.xxx 10.137.2.26 udp spt:https
RETURN all -- 10.137.2.26 anywhere
RETURN all -- anywhere 10.137.2.26
RETURN all -- 10.137.2.26 10.137.2.26
RETURN all -- 10.137.2.26 10.137.2.26
RETURN udp -- 10.137.2.26 224.0.0.251 udp dpt:mdns
RETURN udp -- 10.137.2.26 224.0.0.251 udp dpt:mdns
RETURN udp -- 10.137.2.26 239.255.255.250 udp dpt:ssdp
RETURN udp -- 10.137.2.26 239.255.255.250 udp dpt:ssdp
RETURN all -- anywhere base-address.mcast.net/4
RETURN all -- 10.137.2.26 base-address.mcast.net/4
RETURN all -- anywhere 255.255.255.255
RETURN all -- 10.137.2.26 255.255.255.255
RETURN all -- 172.21.2.13 aaaaa.de/24
RETURN all -- isys-team.de/24 172.21.2.13
RETURN all -- 172.21.2.13 192.168.3.0/24
RETURN all -- 192.168.3.0/24 172.21.2.13
RETURN all -- 172.21.2.13 10.5.48.0/24
RETURN all -- 10.5.48.0/24 172.21.2.13
RETURN all -- 172.21.2.13 192.168.5.0/24
RETURN all -- 192.168.5.0/24 172.21.2.13
RETURN all -- 172.21.2.13 192.168.100.0/24
RETURN all -- 192.168.100.0/24 172.21.2.13
RETURN all -- 172.21.2.13 vsrv-dc-3.xxx.yyy.de
RETURN all -- vsrv-dc-3.xxx.yyy.de 172.21.2.13
RETURN all -- 172.21.2.13 vsrv-dc-2.xxx.yyy.de
RETURN all -- vsrv-dc-2.xxx.yyy.de 172.21.2.13
RETURN udp -- 172.21.2.13 anywhere udp dpt:domain
RETURN udp -- anywhere 172.21.2.13 udp spt:domain
RETURN all -- anywhere 255.255.255.255
RETURN all -- 172.21.2.13 255.255.255.255
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain ciscovpnfw (3 references)
target prot opt source destination
Does running '/usr/lib/qubes/qubes-setup-dnat-to-ns' update the PR-QBS
chain ('iptables -L -t nat')? Does that allow appVM to communicate?
What firewall rules are in the appVM's settings (Qubes Manager)? For
testing (and probably for use) it should be set to "Allow network
access except" and also allow DNS and ICMP with a blank list below.
Is the appVM based on a regular Linux template such as fedora-25 or
debian-8?
Both VMs are based on Qubes 3.2 templates:
VPN Proxy: Fedora 25
AppVM: Debian 8
(I have also tried to use a Fedora 25 AppVM, same problem)
No connection via Proxy
Further:
The 'vpnc' package may be a viable alternative to Anyconnect (the open
source counterpart is 'openconnect'). Also, Network Manager has an
openconnect plugin; you would need to install the plugin in the
template then enable NM for the proxyVM.
I have already tried to use the openconnect plugin for network manager,
but when I click on Add in the network manager and choose VPN and then
"Cisco AnyConnect Compatible VPN (openconnect)" I get a new window but
can't add any information here as every field looks disabled :-/ ?
Working with OpenConnect would be great.
Another option: Simply run the Anyconnect client in the appVM (no
proxyVM for the VPN client). This may be the simplest route.
Yes, but I'd like to connect two VMs (one Windows HVM and one Linux AppVM).
I also thought that it is Qubes best practice to use a dedicated VPN Proxy
VM vs. launching VPN from within an AppVM?
regards
- PhR
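Added example, not from this thread or from Qubes/Cisco: a first-match walk of the FORWARD chain as listed above after AnyConnect starts, to show in which chain a packet forwarded for the appVM gets its verdict. Plain `iptables -L` hides -i/-o, ctstate and port matches, so the model assumes the two bare ACCEPTs in ciscovpn are loopback-only (check with `iptables -L -v -n`), uses 203.0.113.1 as a placeholder for the 213.xxx gateway, a hypothetical appVM address 10.137.26.5, and omits the DHCP/mDNS/SSDP/DNS rules.

```python
import ipaddress

ANY = "0.0.0.0/0"
GW = "203.0.113.1/32"       # placeholder for the 213.xxx.xxx.xxx VPN gateway
ETH0 = "10.137.2.26/32"     # proxyVM eth0 address from the listing
TUN = "172.21.2.13/32"      # address AnyConnect assigned to cscotun0

# Rule = (target, src, dst, in_iface or None, needs_established)
CHAINS = {
    "FORWARD": [("ciscovpn", ANY, ANY, None, False),
                ("ciscovpnfw", ANY, ANY, None, False),
                ("ACCEPT", ANY, ANY, None, True),     # ctstate RELATED,ESTABLISHED
                ("ACCEPT", ANY, ANY, None, False),    # Qubes' own forward rule
                ("DROP", ANY, ANY, None, False)],
    "ciscovpn": [("ACCEPT", ANY, ANY, None, True),    # state RELATED,ESTABLISHED
                 ("ACCEPT", ANY, ANY, "lo", False),   # ASSUMED: -i lo (hidden by -L)
                 ("ACCEPT", ETH0, GW, None, False),   # tunnel transport to the gateway
                 ("ACCEPT", GW, ETH0, None, False),
                 ("RETURN", ETH0, ANY, None, False),
                 ("RETURN", ANY, ETH0, None, False),
                 ("RETURN", TUN, "10.5.48.0/24", None, False),
                 ("RETURN", "10.5.48.0/24", TUN, None, False),
                 ("DROP", ANY, ANY, None, False)],    # everything else is dropped here
    "ciscovpnfw": [],                                 # empty in the listing
}
BUILTIN_POLICY = {"FORWARD": "DROP"}

def walk(chain, pkt):
    """Return (verdict, deciding_chain); None when a user chain falls through."""
    for target, src, dst, iface, est in CHAINS[chain]:
        if pkt["src"] not in ipaddress.ip_network(src) \
                or pkt["dst"] not in ipaddress.ip_network(dst):
            continue
        if (iface and pkt["iface"] != iface) or (est and not pkt["established"]):
            continue
        if target == "RETURN":
            return None                     # resume in the calling chain
        if target in CHAINS:                # jump into a user-defined chain
            hit = walk(target, pkt)
            if hit is not None:
                return hit
            continue
        return (target, chain)
    policy = BUILTIN_POLICY.get(chain)
    return (policy, chain) if policy else None

def verdict_for(src, dst, iface="vif", established=False):
    """Verdict for one forwarded packet, e.g. appVM 10.137.26.5 -> VPN subnet."""
    pkt = {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
           "iface": iface, "established": established}
    return walk("FORWARD", pkt)
```

The appVM's new flow never matches a RETURN (only the proxyVM's own eth0 and tunnel addresses do), so it is dropped inside ciscovpn before the Qubes forward rules are reached.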
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/ed0e2ec9-8669-393f-e996-40bcec737ac4%40googlemail.com.