[OSX-Users] VPN to soton

Tim Chown tjc at ecs.soton.ac.uk
Wed Feb 15 16:43:03 GMT 2017


Hi Hugh,

> On 15 Feb 2017, at 16:27, Hugh Glaser <hg1 at soton.ac.uk> wrote:
> 
> Hmmm.
> Tried it - my tables got screwed.
> And after closing the VPN I still can't get to 152.78.0.0/16 :-)
> Just a warning for anyone else trying.
> If/when I sort it out, I'll post.

Works for me, I think, see below…

Short version:

$ sudo route -nv add -net 152.78 -interface utun2  (you need to check the VPN interface)
$ sudo route change default 192.168.0.1 

Long version:

Last login: Fri Feb 10 16:30:43 on console
JNTLT005491:~ timchown$ traceroute www.bbc.co.uk
traceroute: Warning: www.bbc.co.uk has multiple addresses; using 212.58.244.67
traceroute to www.bbc.net.uk (212.58.244.67), 64 hops max, 52 byte packets
 1  192.168.0.1 (192.168.0.1)  1.706 ms  2.373 ms  1.016 ms
 2  lo5-tcl2-bng1.router.uk.clara.net (80.168.0.7)  21.220 ms  20.190 ms  46.153 ms
 3  tengige0-1-1-2-tcl2-mse1.router.uk.clara.net (195.157.0.17)  39.182 ms  20.970 ms  20.917 ms
 4  be2-t6-mse1.router.uk.clara.net (195.157.3.45)  21.710 ms  21.633 ms  21.660 ms
 5  be2-t6-mse1.router.uk.clara.net (195.157.3.45)  21.757 ms  20.476 ms  20.271 ms
^C
JNTLT005491:~ timchown$ 

—— I connected to VPN here ——

JNTLT005491:~ timchown$ traceroute www.bbc.co.uk
traceroute: Warning: www.bbc.co.uk has multiple addresses; using 212.58.246.54
traceroute to www.bbc.net.uk (212.58.246.54), 64 hops max, 52 byte packets
 1  * * *
 2  b54gafwc1n2-ext.net.soton.ac.uk (152.78.0.26)  25.859 ms  24.348 ms  28.636 ms
 3  146.97.146.165 (146.97.146.165)  23.641 ms  23.592 ms  25.629 ms
 4  ae1-0.aldess-rbr1.ja.net (146.97.68.46)  25.126 ms  24.626 ms  24.991 ms
 5  ae23.londpg-sbr2.ja.net (146.97.37.249)  44.553 ms  26.042 ms  26.172 ms
 6  ae30.londtw-sbr2.ja.net (146.97.33.6)  28.877 ms  26.335 ms  27.630 ms
 7  ae29.londtn-sbr1.ja.net (146.97.33.10)  48.189 ms  26.364 ms  26.240 ms
 8  ae0.londtn-ban1.ja.net (146.97.35.210)  26.224 ms  26.339 ms  26.289 ms
^C
JNTLT005491:~ timchown$ 
JNTLT005491:~ timchown$ 
JNTLT005491:~ timchown$ traceroute www.soton.ac.uk
traceroute to www.soton.ac.uk (152.78.118.51), 64 hops max, 52 byte packets
 1  * * *
 2  152.78.109.11 (152.78.109.11)  25.339 ms  61.727 ms  24.285 ms
 3  www.soton.ac.uk (152.78.118.51)  24.509 ms  24.488 ms  24.212 ms
^C
JNTLT005491:~ timchown$ 

—— relevant bit of routing table ——

JNTLT005491:~ timchown$ netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            link#12            UCS            32        0   utun2
default            192.168.0.1        UGScI          21        0     en0
10.64.10.152       10.64.10.152       UH              1       25   utun2

—— determining the VPN interface… ——

JNTLT005491:~ timchown$ ifconfig -a
...
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
	inet6 fe80::6b9a:e0c6:941f:415b%utun0 prefixlen 64 scopeid 0xa 
	nd6 options=201<PERFORMNUD,DAD>
utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
	inet6 fe80::237c:854:9af5:ce24%utun1 prefixlen 64 scopeid 0xb 
	nd6 options=201<PERFORMNUD,DAD>
utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
	inet 10.64.10.152 --> 10.64.10.152 netmask 0xffffffff 

—— so add new route to 152.78 via utun2 ——

JNTLT005491:~ timchown$ sudo route -nv add -net 152.78 -interface utun2
Password:
u: inet 152.78.0.0; u: link utun2; u: inet 255.255.0.0; RTM_ADD: Add Route: len 136, pid: 0, seq 1, errno 0, flags:<UP,STATIC>
locks:  inits: 
sockaddrs: <DST,GATEWAY,NETMASK>
 152.78.0.0 utun2 255.255.0.0
add net 152.78: gateway utun2

— and default to my home v4 router IP address —

JNTLT005491:~ timchown$ sudo route change default 192.168.0.1 
change net default: gateway 192.168.0.1
JNTLT005491:~ timchown$ 


— then traces go the right way (only soton via VPN) —


JNTLT005491:~ timchown$ traceroute www.bbc.co.uk
traceroute: Warning: www.bbc.co.uk has multiple addresses; using 212.58.244.70
traceroute to www.bbc.net.uk (212.58.244.70), 64 hops max, 52 byte packets
 1  192.168.0.1 (192.168.0.1)  1.163 ms  2.397 ms  1.918 ms
 2  lo5-tcl2-bng1.router.uk.clara.net (80.168.0.7)  19.075 ms  20.672 ms  20.736 ms
 3  tengige0-1-1-2-tcl2-mse1.router.uk.clara.net (195.157.0.17)  20.118 ms  26.382 ms  21.875 ms
 4  be2-t6-mse1.router.uk.clara.net (195.157.3.45)  21.646 ms  24.558 ms  20.977 ms
 5  be2-t6-mse1.router.uk.clara.net (195.157.3.45)  22.719 ms  22.954 ms  24.379 ms
^C
JNTLT005491:~ timchown$ traceroute www.soton.ac.uk
traceroute to www.soton.ac.uk (152.78.118.51), 64 hops max, 52 byte packets
 1  * * *
 2  152.78.109.11 (152.78.109.11)  24.652 ms  27.919 ms  24.011 ms
 3  www.soton.ac.uk (152.78.118.51)  23.242 ms  25.343 ms  23.939 ms
^C
JNTLT005491:~ timchown$ 


Tim

> 
>> On 15 Feb 2017, at 16:00, Tim Chown <tjc at ecs.soton.ac.uk> wrote:
>> 
>> On 15 Feb 2017, at 15:46, Hugh Glaser <hg at ecs.soton.ac.uk> wrote:
>> 
>>> Wow.
>>> Yeah, I had a feeling that it was part of the Cisco vision - can't have those pesky users not going through the corporate network, etc..
>>> Mustn't even give them the option by hiding it somewhere.
>>> Since you haven't mentioned it, I am guessing there isn't some obvious plist file that can be hacked, or some routing table "improvements" I can do?
>> 
>> See http://superuser.com/questions/91191/how-to-force-split-tunnel-routing-on-mac-to-a-cisco-vpn ?  Not tried it, but it makes sense, i.e. add a route for 152.78.0.0/16 down the tunnel, and everything else via your home router IP address.
>> 
>> Tim
> 
> 
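As an added example (not Tim's commands or anything posted in the thread), a small POSIX sh script that automates the "you need to check the VPN interface" step by parsing ifconfig text, emits the two route commands from the short version, and verifies from netstat output that the site prefix now leaves via the tunnel while the first default entry points at the home router. The ifconfig and netstat samples are constructed from the session above; the post-fix netstat listing is an assumption about the resulting table, not captured output.

```sh
# Constructed sample of `ifconfig -a` output, modelled on the session above:
# only utun2 carries an IPv4 address, so it is the Cisco VPN tunnel.
SAMPLE_IFCONFIG='utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
	inet6 fe80::6b9a:e0c6:941f:415b%utun0 prefixlen 64 scopeid 0xa
utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
	inet6 fe80::237c:854:9af5:ce24%utun1 prefixlen 64 scopeid 0xb
utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
	inet 10.64.10.152 --> 10.64.10.152 netmask 0xffffffff'

# Constructed `netstat -nr` excerpts: before the fix (as in the post) and an
# assumed listing after it.
NETSTAT_BEFORE='default            link#12            UCS            32        0   utun2
default            192.168.0.1        UGScI          21        0     en0
10.64.10.152       10.64.10.152       UH              1       25   utun2'
NETSTAT_AFTER='default            192.168.0.1        UGSc           21        0     en0
10.64.10.152       10.64.10.152       UH              1       25   utun2
152.78             link#12            UCS             0        0   utun2'

# Read ifconfig text on stdin and print the first utun interface that has an
# IPv4 (inet, not inet6) address; prints nothing if there is none.
vpn_iface() {
    awk '/^[^ \t]/ { iface = ($1 ~ /^utun[0-9]+:$/) ? substr($1, 1, length($1) - 1) : "" }
         /^[ \t]+inet / && iface != "" { print iface; exit }'
}

# Emit the two commands from the short version: site prefix down the tunnel
# ($1 = VPN interface), everything else via the home router ($2).
split_tunnel_cmds() {
    printf 'sudo route -nv add -net 152.78 -interface %s\n' "$1"
    printf 'sudo route change default %s\n' "$2"
}

# Read `netstat -nr` text on stdin; succeed only if destination $1 (as netstat
# prints it) leaves via interface $2 AND the first default entry uses gateway $3.
routes_ok() {
    awk -v net="$1" -v vpn="$2" -v gw="$3" '
        $1 == net && $NF == vpn { tunnel = 1 }
        $1 == "default" && !seen { seen = 1; if ($2 == gw) def = 1 }
        END { exit !(tunnel && def) }'
}

# On a real Mac (not run here): IFACE=$(ifconfig -a | vpn_iface), run the lines
# from split_tunnel_cmds "$IFACE" 192.168.0.1, then
# netstat -nr | routes_ok 152.78 "$IFACE" 192.168.0.1 to confirm the table.
```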
