[OSX-Users] VPN to soton
Hugh Glaser
hg at ecs.soton.ac.uk
Wed Feb 15 16:56:48 GMT 2017
Yay.
Thanks mate - I wasn't choosing the right VPN interface.
Mine is utun3 at the moment.
Do you know if that's likely to change (maybe after a reboot?)
Now I need to work out how to get it to do that automatically (I see hints in your article.)
> On 15 Feb 2017, at 16:43, Tim Chown <tjc at ecs.soton.ac.uk> wrote:
>
> Hi Hugh,
>
>> On 15 Feb 2017, at 16:27, Hugh Glaser <hg1 at soton.ac.uk> wrote:
>>
>> Hmmm.
>> Tried it - my tables got screwed.
>> And after closing the VPN I still can't get to 152.78.0.0/16 :-)
>> Just a warning for anyone else trying.
>> If/when I sort it out, I'll post.
>
> Works for me, I think, see below…
>
> Short version:
>
> $ sudo route -nv add -net 152.78 -interface utun2 (you need to check the VPN interface)
> $ sudo route change default 192.168.0.1
>
> Long version:
>
> Last login: Fri Feb 10 16:30:43 on console
> JNTLT005491:~ timchown$ traceroute www.bbc.co.uk
> traceroute: Warning: www.bbc.co.uk has multiple addresses; using 212.58.244.67
> traceroute to www.bbc.net.uk (212.58.244.67), 64 hops max, 52 byte packets
> 1 192.168.0.1 (192.168.0.1) 1.706 ms 2.373 ms 1.016 ms
> 2 lo5-tcl2-bng1.router.uk.clara.net (80.168.0.7) 21.220 ms 20.190 ms 46.153 ms
> 3 tengige0-1-1-2-tcl2-mse1.router.uk.clara.net (195.157.0.17) 39.182 ms 20.970 ms 20.917 ms
> 4 be2-t6-mse1.router.uk.clara.net (195.157.3.45) 21.710 ms 21.633 ms 21.660 ms
> 5 be2-t6-mse1.router.uk.clara.net (195.157.3.45) 21.757 ms 20.476 ms 20.271 ms
> ^C
> JNTLT005491:~ timchown$
>
> —— I connected to VPN here ——
>
> JNTLT005491:~ timchown$ traceroute www.bbc.co.uk
> traceroute: Warning: www.bbc.co.uk has multiple addresses; using 212.58.246.54
> traceroute to www.bbc.net.uk (212.58.246.54), 64 hops max, 52 byte packets
> 1 * * *
> 2 b54gafwc1n2-ext.net.soton.ac.uk (152.78.0.26) 25.859 ms 24.348 ms 28.636 ms
> 3 146.97.146.165 (146.97.146.165) 23.641 ms 23.592 ms 25.629 ms
> 4 ae1-0.aldess-rbr1.ja.net (146.97.68.46) 25.126 ms 24.626 ms 24.991 ms
> 5 ae23.londpg-sbr2.ja.net (146.97.37.249) 44.553 ms 26.042 ms 26.172 ms
> 6 ae30.londtw-sbr2.ja.net (146.97.33.6) 28.877 ms 26.335 ms 27.630 ms
> 7 ae29.londtn-sbr1.ja.net (146.97.33.10) 48.189 ms 26.364 ms 26.240 ms
> 8 ae0.londtn-ban1.ja.net (146.97.35.210) 26.224 ms 26.339 ms 26.289 ms
> ^C
> JNTLT005491:~ timchown$
> JNTLT005491:~ timchown$
> JNTLT005491:~ timchown$ traceroute www.soton.ac.uk
> traceroute to www.soton.ac.uk (152.78.118.51), 64 hops max, 52 byte packets
> 1 * * *
> 2 152.78.109.11 (152.78.109.11) 25.339 ms 61.727 ms 24.285 ms
> 3 www.soton.ac.uk (152.78.118.51) 24.509 ms 24.488 ms 24.212 ms
> ^C
> JNTLT005491:~ timchown$
>
> —— relevant bit of routing table ——
>
> JNTLT005491:~ timchown$ netstat -nr
> Routing tables
>
> Internet:
> Destination Gateway Flags Refs Use Netif Expire
> default link#12 UCS 32 0 utun2
> default 192.168.0.1 UGScI 21 0 en0
> 10.64.10.152 10.64.10.152 UH 1 25 utun2
>
> —— determining the VPN interface… ——
>
> JNTLT005491:~ timchown$ ifconfig -a
> ...
> utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
> inet6 fe80::6b9a:e0c6:941f:415b%utun0 prefixlen 64 scopeid 0xa
> nd6 options=201<PERFORMNUD,DAD>
> utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
> inet6 fe80::237c:854:9af5:ce24%utun1 prefixlen 64 scopeid 0xb
> nd6 options=201<PERFORMNUD,DAD>
> utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
> inet 10.64.10.152 --> 10.64.10.152 netmask 0xffffffff
>
> — so add new route to 152.78 via utun2 ——
>
> JNTLT005491:~ timchown$ sudo route -nv add -net 152.78 -interface utun2
> Password:
> u: inet 152.78.0.0; u: link utun2; u: inet 255.255.0.0; RTM_ADD: Add Route: len 136, pid: 0, seq 1, errno 0, flags:<UP,STATIC>
> locks: inits:
> sockaddrs: <DST,GATEWAY,NETMASK>
> 152.78.0.0 utun2 255.255.0.0
> add net 152.78: gateway utun2
>
> — and default to my home v4 router IP address —
>
> JNTLT005491:~ timchown$ sudo route change default 192.168.0.1
> change net default: gateway 192.168.0.1
> JNTLT005491:~ timchown$
>
>
> — then traces go the right way (only soton via VPN) —
>
>
> JNTLT005491:~ timchown$ traceroute www.bbc.co.uk
> traceroute: Warning: www.bbc.co.uk has multiple addresses; using 212.58.244.70
> traceroute to www.bbc.net.uk (212.58.244.70), 64 hops max, 52 byte packets
> 1 192.168.0.1 (192.168.0.1) 1.163 ms 2.397 ms 1.918 ms
> 2 lo5-tcl2-bng1.router.uk.clara.net (80.168.0.7) 19.075 ms 20.672 ms 20.736 ms
> 3 tengige0-1-1-2-tcl2-mse1.router.uk.clara.net (195.157.0.17) 20.118 ms 26.382 ms 21.875 ms
> 4 be2-t6-mse1.router.uk.clara.net (195.157.3.45) 21.646 ms 24.558 ms 20.977 ms
> 5 be2-t6-mse1.router.uk.clara.net (195.157.3.45) 22.719 ms 22.954 ms 24.379 ms
> ^C
> JNTLT005491:~ timchown$ traceroute www.soton.ac.uk
> traceroute to www.soton.ac.uk (152.78.118.51), 64 hops max, 52 byte packets
> 1 * * *
> 2 152.78.109.11 (152.78.109.11) 24.652 ms 27.919 ms 24.011 ms
> 3 www.soton.ac.uk (152.78.118.51) 23.242 ms 25.343 ms 23.939 ms
> ^C
> JNTLT005491:~ timchown$
>
>
> Tim
>
>>
>>> On 15 Feb 2017, at 16:00, Tim Chown <tjc at ecs.soton.ac.uk> wrote:
>>>
>>> On 15 Feb 2017, at 15:46, Hugh Glaser <hg at ecs.soton.ac.uk> wrote:
>>>
>>>> Wow.
>>>> Yeah, I had a feeling that it was part of the Cisco vision - can't have those pesky users not going through the corporate network, etc..
>>>> Mustn't even give them the option by hiding it somewhere.
>>>> Since you haven't mentioned it, I am guessing there isn't some obvious plist file that can be hacked, or some routing table "improvements" I can do?
>>>
>>> See http://superuser.com/questions/91191/how-to-force-split-tunnel-routing-on-mac-to-a-cisco-vpn ? Not tried it, but it makes sense, i.e. add a route for 152.78.0.0/16 down the tunnel, and everything else via your home router IP address.
>>>
>>> Tim
>>
>>
>
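The split-tunnel routing Tim describes above (one route for 152.78.0.0/16 down the VPN's utun interface, default via the home router), as an added example that is not part of the thread or of any Cisco tooling. It answers Hugh's "which utun is it this time?" question by parsing `ifconfig -a` for the utun device that carries an IPv4 address, which in Tim's listing is the only one the VPN tunnel has. The function names, the `--apply` flag, the `HOME_GATEWAY` default of 192.168.0.1 (taken from Tim's mail) and the embedded `ifconfig` excerpt (constructed after Tim's) are all assumptions; by default the script only prints what it would run.

```shell
#!/bin/sh
# Added example, not code from the thread. Finds the VPN utun interface and
# prints (or, with --apply, runs) the two route commands Tim used. Assumed
# values: HOME_GATEWAY (home v4 router) and the sample ifconfig text below.

SOTON_NET="152.78.0.0/16"
HOME_GATEWAY="${HOME_GATEWAY:-192.168.0.1}"   # assumption: home v4 router IP

# Constructed `ifconfig -a` excerpt modelled on Tim's; only utun2 carries an
# IPv4 address, the others have link-local IPv6 only.
SAMPLE_IFCONFIG='utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
    inet6 fe80::6b9a:e0c6:941f:415b%utun0 prefixlen 64 scopeid 0xa
    nd6 options=201<PERFORMNUD,DAD>
utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
    inet6 fe80::237c:854:9af5:ce24%utun1 prefixlen 64 scopeid 0xb
    nd6 options=201<PERFORMNUD,DAD>
utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
    inet 10.64.10.152 --> 10.64.10.152 netmask 0xffffffff'

# vpn_iface: read ifconfig text on stdin and print the first utunN interface
# that has an IPv4 ("inet ") address. Prints nothing if there is none.
vpn_iface() {
    awk '
        /^utun[0-9]+:/ { iface = $1; sub(/:$/, "", iface); next }
        iface != "" && $1 == "inet" { print iface; exit }
    '
}

# split_tunnel_cmds IFACE GATEWAY: the two route commands from Tim's mail,
# one per line, without sudo.
split_tunnel_cmds() {
    printf 'route -nv add -net %s -interface %s\n' "$SOTON_NET" "$1"
    printf 'route change default %s\n' "$2"
}

# undo_cmds: remove the static route again. Use this after the VPN is closed
# if the 152.78 route is still in the table (Hugh's symptom).
undo_cmds() {
    printf 'route delete -net %s\n' "$SOTON_NET"
}

# run_cmds: execute each line from stdin with sudo, echoing it first.
run_cmds() {
    while read -r cmd; do
        echo "+ sudo $cmd"
        sudo $cmd
    done
}

apply_split_tunnel() {
    iface=$(ifconfig -a | vpn_iface)
    if [ -z "$iface" ]; then
        echo "no utun interface with an IPv4 address; is the VPN up?" >&2
        return 1
    fi
    split_tunnel_cmds "$iface" "$HOME_GATEWAY" | run_cmds
    # Check the result: default should point at the home router, 152.78 at utun.
    netstat -rn -f inet | grep -E '^(default|152\.78)'
}

case "${1:-}" in
    --apply) apply_split_tunnel ;;
    --undo)  undo_cmds | run_cmds ;;
    *)
        iface=$(printf '%s\n' "$SAMPLE_IFCONFIG" | vpn_iface)
        echo "dry run: VPN interface in the sample is $iface; would run:"
        split_tunnel_cmds "$iface" "$HOME_GATEWAY" | sed 's/^/  sudo /'
        ;;
esac
```

Run it with no arguments anywhere to see the commands it would issue; on the Mac, `./split.sh --apply` after the VPN is up applies them and shows the resulting `default` and `152.78` entries from `netstat -rn`. The added route is static, so if it outlives the tunnel, `./split.sh --undo` deletes it. Whatever the VPN client pushes as a default route will come back on the next connect, so the script has to be re-run each time, which is the automation step Hugh was asking about.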