[ubuntu] Citrix VPN and Ubuntu


Jimbro727
July 25th, 2008, 01:44 AM
Hopefully this is the correct forum for this question.

I'm trying to connect to a Citrix Access Gateway on Ubuntu 7.10. Upon logging in to the web front-end and clicking "Secure Access Client", the Citrix box redirected me to a page to download "citrixvpn-linux-2.4-i386.sh". The beginning portion of this file is a shell script, and the rest is a tarball. The script separates the two, extracts the files from the tarball, compiles a copy of the ip_queue module, and then copies some init scripts. None of this worked under Ubuntu, but I was able to manually separate the tarball and extract what I believe is all of the files that I should need. They are:

ip_queue.c
net6vpn
net6vpnd
net6vpnd.fedora.init
net6vpnd.mandrake.init
net6vpnd.redhat.init

Looking at the init scripts, it appears that before starting the daemon (net6vpnd), they do some iptables stuff. They append the QUEUE target to each chain listed when "iptables -L" is executed. When the init script is told to stop, it removes the QUEUE targets and then stops the daemon.

I was new to the ip_queue module, but it appears that it's a fairly simple module that queues up packets for processing by applications in the userspace.

I already had the ip_queue module compiled, and it seems to work fine, and I can add the QUEUE targets without a problem. I thought that maybe the problem was the included ip_queue source file was some patched version of the ip_queue module, but I think it may just be an older version - it's definitely somewhat different - and I can't get it to compile, gcc complains about just about every included header (number of function parameters, etc.). Maybe this version was written a long time ago?

The daemon appears to start fine, and I can even connect to the Citrix gateway (and it authenticates me!). However, none of my traffic appears to be forwarded through the VPN. I can't see any of the machines that I should be able to. Looking at the network traffic with Wireshark, it appears as though there's a lot of TLSv1 communication happening between the Citrix box and my machine, but I'm not sure what. Sometimes my connection to the Internet is uninterrupted, and I can continue hitting websites, etc. Sometimes it isn't, and I have to stop the daemon and clear those iptables QUEUE rules. I haven't been able to get consistent results, but it seems that my connection is uninterrupted at LEAST for the first time I attempt to establish a VPN connection using a freshly started daemon.

The only information I'm getting that points to a problem is the ip_rt_bug output in dmesg. I have no idea what that is, and Google hasn't been much help, unfortunately. (I've included some at the bottom.)

If anyone has any information regarding this, it would be a huge help. I really need to get this VPN working. Even if you don't know anything about Citrix, if anyone could clear up what's supposed to be happening here, maybe I can further troubleshoot. Thanks!

iptables when I want to establish the VPN:
jimbo@jimbo-desktop:~/citrix-playground$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
QUEUE 0 -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
QUEUE 0 -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
QUEUE 0 -- anywhere anywhere


Daemon (net6vpnd) started:
jimbo@jimbo-desktop:~/citrix-playground$ sudo ./net6vpnd
net6vpnd: net: socket: initializing.
net6vpnd: net: socket: failed to initialize SSL CA certificates.
net6vpnd: ip: initializing.
net6vpnd: ip: tcp: starting.
net6vpnd: ip: starting.
net6vpnd: ip: filter: starting.
net6vpnd: event listener: starting.
net6vpnd: client listener: starting.


Client (net6vpn):
jimbo@jimbo-desktop:~/citrix-playground$ ./net6vpn --login
The server's certificate is not fully trusted.
Do you wish to continue? [yes|no]: yes
Username: ------
Password:


Daemon (after establishing connection with client):

net6vpnd: net: vpn_socket: the server's certificate is not trusted
net6vpnd: vpn: failed to get host check configuration from gateway.
net6vpnd: vpn: failed.
net6vpnd: client handler: the server's certificate is not fully trusted.
net6vpnd: vpn: route [10.0.0.0/255.0.0.0]
net6vpnd: vpn: dns [10.10.1.115]
net6vpnd: vpn: dns [10.10.1.120]
net6vpnd: vpn: dns [10.10.1.13]
net6vpnd: vpn: dns suffix [xxxx.xxx]
net6vpnd: vpn: split dns [off]
net6vpnd: ip: udp: attempting to establish DNS tunnel.
net6vpnd: ip: udp: DNS tunnel established.



Here are some of those ip_rt_bug lines. I'm 192.168.1.127, 192.168.1.1 is my router, and 208.67.222.222 is my secondary DNS (openDNS). My router is my primary DNS server, which leads me to believe that this output is DNS related:
[1053616.702148] ip_rt_bug: 192.168.1.1 -> 192.168.1.127, ?
[1053621.697861] ip_rt_bug: 208.67.222.222 -> 192.168.1.127, ?
[1053626.694138] ip_rt_bug: 192.168.1.1 -> 192.168.1.127, ?
[1053631.689945] ip_rt_bug: 208.67.222.222 -> 192.168.1.127, ?
[1053636.686201] ip_rt_bug: 192.168.1.1 -> 192.168.1.127, ?
[1053641.682505] ip_rt_bug: 208.67.222.222 -> 192.168.1.127, ?
[1053646.678718] ip_rt_bug: 192.168.1.1 -> 192.168.1.127, ?
[1053651.675071] ip_rt_bug: 208.67.222.222 -> 192.168.1.127, ?
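The post describes the vendor init scripts as appending a QUEUE target to each filter chain before starting net6vpnd and deleting those targets again on stop, and later notes having to stop the daemon and clear the QUEUE rules by hand when a connection attempt goes wrong. The script below is an added example (not code from the Citrix package or from the poster) that reproduces that start/stop sequence as a small wrapper with two safety properties the described init scripts do not mention: the add is idempotent (checked with `iptables -C`), so repeated starts do not stack duplicate QUEUE rules, and a trap removes the rules if the wrapper is interrupted, so a failed attempt does not leave every chain handing packets to a daemon that is no longer running. `DRY_RUN=1` (the default) only prints the commands, so the logic can be inspected without root and without iptables present; the daemon path, the `pkill` stop method and the `DRY_RUN`/`IPTABLES`/`NET6VPND` variable names are assumptions of this example.

```shell
#!/bin/sh
# Added example: wrapper around the QUEUE-rule setup the net6vpnd init scripts
# are described as doing. Not part of the Citrix package. DRY_RUN=1 prints
# commands instead of executing them; paths and variable names are assumptions.

CHAINS="INPUT FORWARD OUTPUT"   # the three chains the post shows carrying QUEUE
: "${DRY_RUN:=1}"
: "${IPTABLES:=iptables}"
: "${NET6VPND:=./net6vpnd}"     # assumed location of the daemon binary

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# True if the chain already carries a QUEUE rule. In dry-run mode we cannot
# query the kernel, so report "absent" and let the add be printed.
has_queue_rule() {
    [ "$DRY_RUN" = 1 ] && return 1
    "$IPTABLES" -C "$1" -j QUEUE 2>/dev/null
}

# Append a QUEUE target to each chain, skipping chains that already have one.
queue_rules_add() {
    for chain in $CHAINS; do
        has_queue_rule "$chain" || run "$IPTABLES" -A "$chain" -j QUEUE
    done
}

# Delete the QUEUE targets. Outside dry-run, loop until -D fails so that any
# duplicates left by earlier, uncleaned runs are removed as well.
queue_rules_remove() {
    for chain in $CHAINS; do
        if [ "$DRY_RUN" = 1 ]; then
            run "$IPTABLES" -D "$chain" -j QUEUE
        else
            while "$IPTABLES" -D "$chain" -j QUEUE 2>/dev/null; do :; done
        fi
    done
}

# Same order as the init scripts: rules first, then the daemon.
vpn_start() {
    queue_rules_add
    run "$NET6VPND"
}

# Same order as the init scripts on stop: rules removed, then the daemon stopped.
vpn_stop() {
    queue_rules_remove
    run pkill -x "$(basename "$NET6VPND")"
}

# Command-line entry point (ignored when the file is sourced with no argument).
case "${1:-}" in
    start) trap 'vpn_stop' INT TERM; vpn_start ;;
    stop)  vpn_stop ;;
esac
```

Run as `DRY_RUN=1 sh vpnwrap.sh start` to see the exact iptables and daemon commands that would be issued, then `DRY_RUN=0 sudo sh vpnwrap.sh start` (and `stop`) to apply them. Because the QUEUE target hands every packet on those chains to userspace, the `stop` path, and the trap on interruption, is what keeps the host's networking from stalling once net6vpnd is gone, which matches the manual cleanup the post describes.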