[OSX-Users] VPN to soton
Tim Chown
tjc at ecs.soton.ac.uk
Fri Feb 17 09:42:59 GMT 2017
> On 15 Feb 2017, at 16:56, Hugh Glaser <hg at ecs.soton.ac.uk> wrote:
>
> Yay.
> Thanks mate - I wasn't choosing the right VPN interface.
> Mine is utun3 at the moment.
> Do you know if that likely to change (maybe after a reboot?)
Probably best to assume that it might.
> Now I need to work out how to get it to do that automatically (I see hints in your article.)
I saw the Python example. Not something I’ve needed, so not tried it.
Tim
>
>
>> On 15 Feb 2017, at 16:43, Tim Chown <tjc at ecs.soton.ac.uk> wrote:
>>
>> Hi Hugh,
>>
>>> On 15 Feb 2017, at 16:27, Hugh Glaser <hg1 at soton.ac.uk> wrote:
>>>
>>> Hmmm.
>>> Tried it - my tables got screwed.
>>> And after closing the VPN I still can't get to 152.78.0.0/16 :-)
>>> Just a warning for anyone else trying.
>>> If/when I sort it out, I'll post.
>>
>> Works for me, I think, see below…
>>
>> Short version:
>>
>> $ sudo route -nv add -net 152.78 -interface utun2 (you need to check the VPN interface)
>> $ sudo route change default 192.168.0.1
>>
>> Long version:
>>
>> Last login: Fri Feb 10 16:30:43 on console
>> JNTLT005491:~ timchown$ traceroute www.bbc.co.uk
>> traceroute: Warning: www.bbc.co.uk has multiple addresses; using 212.58.244.67
>> traceroute to www.bbc.net.uk (212.58.244.67), 64 hops max, 52 byte packets
>> 1 192.168.0.1 (192.168.0.1) 1.706 ms 2.373 ms 1.016 ms
>> 2 lo5-tcl2-bng1.router.uk.clara.net (80.168.0.7) 21.220 ms 20.190 ms 46.153 ms
>> 3 tengige0-1-1-2-tcl2-mse1.router.uk.clara.net (195.157.0.17) 39.182 ms 20.970 ms 20.917 ms
>> 4 be2-t6-mse1.router.uk.clara.net (195.157.3.45) 21.710 ms 21.633 ms 21.660 ms
>> 5 be2-t6-mse1.router.uk.clara.net (195.157.3.45) 21.757 ms 20.476 ms 20.271 ms
>> ^C
>> JNTLT005491:~ timchown$
>>
>> —— I connected to VPN here ——
>>
>> JNTLT005491:~ timchown$ traceroute www.bbc.co.uk
>> traceroute: Warning: www.bbc.co.uk has multiple addresses; using 212.58.246.54
>> traceroute to www.bbc.net.uk (212.58.246.54), 64 hops max, 52 byte packets
>> 1 * * *
>> 2 b54gafwc1n2-ext.net.soton.ac.uk (152.78.0.26) 25.859 ms 24.348 ms 28.636 ms
>> 3 146.97.146.165 (146.97.146.165) 23.641 ms 23.592 ms 25.629 ms
>> 4 ae1-0.aldess-rbr1.ja.net (146.97.68.46) 25.126 ms 24.626 ms 24.991 ms
>> 5 ae23.londpg-sbr2.ja.net (146.97.37.249) 44.553 ms 26.042 ms 26.172 ms
>> 6 ae30.londtw-sbr2.ja.net (146.97.33.6) 28.877 ms 26.335 ms 27.630 ms
>> 7 ae29.londtn-sbr1.ja.net (146.97.33.10) 48.189 ms 26.364 ms 26.240 ms
>> 8 ae0.londtn-ban1.ja.net (146.97.35.210) 26.224 ms 26.339 ms 26.289 ms
>> ^C
>> JNTLT005491:~ timchown$
>> JNTLT005491:~ timchown$
>> JNTLT005491:~ timchown$ traceroute www.soton.ac.uk
>> traceroute to www.soton.ac.uk (152.78.118.51), 64 hops max, 52 byte packets
>> 1 * * *
>> 2 152.78.109.11 (152.78.109.11) 25.339 ms 61.727 ms 24.285 ms
>> 3 www.soton.ac.uk (152.78.118.51) 24.509 ms 24.488 ms 24.212 ms
>> ^C
>> JNTLT005491:~ timchown$
>>
>> —— relevant bit of routing table ——
>>
>> JNTLT005491:~ timchown$ netstat -nr
>> Routing tables
>>
>> Internet:
>> Destination Gateway Flags Refs Use Netif Expire
>> default link#12 UCS 32 0 utun2
>> default 192.168.0.1 UGScI 21 0 en0
>> 10.64.10.152 10.64.10.152 UH 1 25 utun2
>>
>> —— determining the VPN interface… ——
>>
>> JNTLT005491:~ timchown$ ifconfig -a
>> ...
>> utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
>> inet6 fe80::6b9a:e0c6:941f:415b%utun0 prefixlen 64 scopeid 0xa
>> nd6 options=201<PERFORMNUD,DAD>
>> utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
>> inet6 fe80::237c:854:9af5:ce24%utun1 prefixlen 64 scopeid 0xb
>> nd6 options=201<PERFORMNUD,DAD>
>> utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
>> inet 10.64.10.152 --> 10.64.10.152 netmask 0xffffffff
>>
>> — so add new route to 152.78 via utun2 ——
>>
>> JNTLT005491:~ timchown$ sudo route -nv add -net 152.78 -interface utun2
>> Password:
>> u: inet 152.78.0.0; u: link utun2; u: inet 255.255.0.0; RTM_ADD: Add Route: len 136, pid: 0, seq 1, errno 0, flags:<UP,STATIC>
>> locks: inits:
>> sockaddrs: <DST,GATEWAY,NETMASK>
>> 152.78.0.0 utun2 255.255.0.0
>> add net 152.78: gateway utun2
>>
>> — and default to my home v4 router IP address —
>>
>> JNTLT005491:~ timchown$ sudo route change default 192.168.0.1
>> change net default: gateway 192.168.0.1
>> JNTLT005491:~ timchown$
>>
>>
>> — then traces go the right way (only soton via VPN) —
>>
>>
>> JNTLT005491:~ timchown$ traceroute www.bbc.co.uk
>> traceroute: Warning: www.bbc.co.uk has multiple addresses; using 212.58.244.70
>> traceroute to www.bbc.net.uk (212.58.244.70), 64 hops max, 52 byte packets
>> 1 192.168.0.1 (192.168.0.1) 1.163 ms 2.397 ms 1.918 ms
>> 2 lo5-tcl2-bng1.router.uk.clara.net (80.168.0.7) 19.075 ms 20.672 ms 20.736 ms
>> 3 tengige0-1-1-2-tcl2-mse1.router.uk.clara.net (195.157.0.17) 20.118 ms 26.382 ms 21.875 ms
>> 4 be2-t6-mse1.router.uk.clara.net (195.157.3.45) 21.646 ms 24.558 ms 20.977 ms
>> 5 be2-t6-mse1.router.uk.clara.net (195.157.3.45) 22.719 ms 22.954 ms 24.379 ms
>> ^C
>> JNTLT005491:~ timchown$ traceroute www.soton.ac.uk
>> traceroute to www.soton.ac.uk (152.78.118.51), 64 hops max, 52 byte packets
>> 1 * * *
>> 2 152.78.109.11 (152.78.109.11) 24.652 ms 27.919 ms 24.011 ms
>> 3 www.soton.ac.uk (152.78.118.51) 23.242 ms 25.343 ms 23.939 ms
>> ^C
>> JNTLT005491:~ timchown$
>>
>>
>> Tim
>>
>>>
>>>> On 15 Feb 2017, at 16:00, Tim Chown <tjc at ecs.soton.ac.uk> wrote:
>>>>
>>>> On 15 Feb 2017, at 15:46, Hugh Glaser <hg at ecs.soton.ac.uk> wrote:
>>>>
>>>>> Wow.
>>>>> Yeah, I had a feeling that it was part of the Cisco vision - can't have those pesky users not going through the corporate network, etc.
>>>>> Mustn't even give them the option by hiding it somewhere.
>>>>> Since you haven't mentioned it, I am guessing there isn't some obvious plist file that can be hacked, or some routing table "improvements" I can do?
>>>>
>>>> See http://superuser.com/questions/91191/how-to-force-split-tunnel-routing-on-mac-to-a-cisco-vpn ? Not tried it, but it makes sense, i.e. add a route for 152.78.0.0/16 down the tunnel, and everything else via your home router IP address.
>>>>
>>>> Tim
>>>
>>>
>>
>
>
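Hugh asked how to pick the VPN interface automatically, since the utun number may change between connections. The following shell script is an added example, not code from the thread or from the Cisco client: it parses `ifconfig -a` output for the utun interface that carries an IPv4 address (Tim's utun2 had `inet 10.64.10.152 --> 10.64.10.152`) and prints the two route commands from Tim's short version for that interface. It assumes only the VPN's utun has an IPv4 address, and that the home router is 192.168.0.1 as in Tim's session; both `vpn_iface` and `split_tunnel_cmds` are names chosen here.

```sh
#!/bin/sh
# Added example: find the VPN's utun interface and emit the two route commands
# from Tim's "short version" for it. Assumption: the VPN tunnel is the only
# utun interface with an IPv4 "inet" line; other utuns have only IPv6 link-local.

SOTON_NET="152.78.0.0/16"   # campus prefix to send down the tunnel (Tim wrote "-net 152.78")
HOME_GW="192.168.0.1"       # home router from Tim's session; assumed, change to match yours

# vpn_iface: read `ifconfig -a` text on stdin, print the first utun name whose
# block contains an IPv4 inet line; exit 1 if there is none.
vpn_iface() {
    awk '
        /^[a-z]/       { iface = "" }                       # any interface header resets
        /^utun[0-9]+:/ { iface = $1; sub(/:$/, "", iface) } # remember which utun we are in
        iface != "" && $1 == "inet" { print iface; found = 1; exit }
        END { if (!found) exit 1 }
    '
}

# split_tunnel_cmds: print (not run) the route commands, so they can be
# reviewed before being piped to `sudo sh`.
split_tunnel_cmds() {
    iface=$(vpn_iface) || { echo "no utun interface with an IPv4 address" >&2; return 1; }
    printf 'route -nv add -net %s -interface %s\n' "$SOTON_NET" "$iface"
    printf 'route change default %s\n' "$HOME_GW"
}

# Constructed ifconfig excerpt modelled on Tim's output; en0 sits between the
# utuns to show that a non-utun interface's inet line is ignored.
SAMPLE_IFCONFIG='utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
	inet6 fe80::1%utun0 prefixlen 64 scopeid 0xa
utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
	inet6 fe80::2%utun1 prefixlen 64 scopeid 0xb
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 192.168.0.10 netmask 0xffffff00 broadcast 192.168.0.255
utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
	inet 10.64.10.152 --> 10.64.10.152 netmask 0xffffffff'

# Dry run on the sample. On a Mac with the VPN up:
#   ifconfig -a | split_tunnel_cmds            # review the commands
#   ifconfig -a | split_tunnel_cmds | sudo sh  # apply them
printf '%s\n' "$SAMPLE_IFCONFIG" | split_tunnel_cmds
```

After applying, `netstat -nr` should show 152.78/16 on the utun and `default` on en0 via the home router, as in Tim's final traceroutes.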