Hello Chris,
On 08/22/2017 12:55 AM, Chris Laprise wrote:
> Is this Qubes 3.2?
Yes.
> What changes does the Cisco client make to the routing table ('route'
> command)?
Before starting AnyConnect:
[user@my-work-vpn ~]$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.137.2.1 0.0.0.0 UG 0 0 0 eth0
10.137.2.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
After starting AnyConnect:
[user@my-work-vpn ~]$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.137.2.1 0.0.0.0 UG 0 0 0 eth0
10.5.48.0 0.0.0.0 255.255.255.0 U 0 0 0 cscotun0
10.137.2.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 cscotun0
vsrv-dc-3.xxxx 0.0.0.0 255.255.255.255 UH 0 0 0 cscotun0
vsrv-dc-2.xxxx 0.0.0.0 255.255.255.255 UH 0 0 0 cscotun0
213.xxx.xxx.xxx 10.137.2.1 255.255.255.255 UGH 0 0 0 eth0
> What changes (if any) to 'FORWARD' chain ('iptables -L')?
Before starting AnyConnect:
[user@my-work-vpn ~]$ sudo iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
DROP udp -- anywhere anywhere udp dpt:bootpc
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
After starting AnyConnect:
[user@my-work-vpn ~]$ sudo iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ciscovpn all -- anywhere anywhere
ciscovpnfw all -- anywhere anywhere
DROP udp -- anywhere anywhere udp dpt:bootpc
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy DROP)
target prot opt source destination
ciscovpn all -- anywhere anywhere
ciscovpnfw all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ciscovpn all -- anywhere anywhere
ciscovpnfw all -- anywhere anywhere

Chain ciscovpn (3 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:bootpc dpt:bootps
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ACCEPT udp -- anywhere anywhere udp spt:dhcpv6-client dpt:dhcpv6-server
ACCEPT udp -- anywhere anywhere udp spt:dhcpv6-server dpt:dhcpv6-client
ACCEPT tcp -- 10.137.2.26 213.xxx.xxx.xxx tcp dpt:https
ACCEPT tcp -- 213.xxx.xxx.xxx 10.137.2.26 tcp spt:https
ACCEPT udp -- 10.137.2.26 213.xxx.xxx.xxx udp dpt:https
ACCEPT udp -- 213.xxx.xxx.xxx 10.137.2.26 udp spt:https
RETURN all -- 10.137.2.26 anywhere
RETURN all -- anywhere 10.137.2.26
RETURN all -- 10.137.2.26 10.137.2.26
RETURN all -- 10.137.2.26 10.137.2.26
RETURN udp -- 10.137.2.26 224.0.0.251 udp dpt:mdns
RETURN udp -- 10.137.2.26 224.0.0.251 udp dpt:mdns
RETURN udp -- 10.137.2.26 239.255.255.250 udp dpt:ssdp
RETURN udp -- 10.137.2.26 239.255.255.250 udp dpt:ssdp
RETURN all -- anywhere base-address.mcast.net/4
RETURN all -- 10.137.2.26 base-address.mcast.net/4
RETURN all -- anywhere 255.255.255.255
RETURN all -- 10.137.2.26 255.255.255.255
RETURN all -- 172.21.2.13 aaaaa.de/24
RETURN all -- isys-team.de/24 172.21.2.13
RETURN all -- 172.21.2.13 192.168.3.0/24
RETURN all -- 192.168.3.0/24 172.21.2.13
RETURN all -- 172.21.2.13 10.5.48.0/24
RETURN all -- 10.5.48.0/24 172.21.2.13
RETURN all -- 172.21.2.13 192.168.5.0/24
RETURN all -- 192.168.5.0/24 172.21.2.13
RETURN all -- 172.21.2.13 192.168.100.0/24
RETURN all -- 192.168.100.0/24 172.21.2.13
RETURN all -- 172.21.2.13 vsrv-dc-3.xxx.yyy.de
RETURN all -- vsrv-dc-3.xxx.yyy.de 172.21.2.13
RETURN all -- 172.21.2.13 vsrv-dc-2.xxx.yyy.de
RETURN all -- vsrv-dc-2.xxx.yyy.de 172.21.2.13
RETURN udp -- 172.21.2.13 anywhere udp dpt:domain
RETURN udp -- anywhere 172.21.2.13 udp spt:domain
RETURN all -- anywhere 255.255.255.255
RETURN all -- 172.21.2.13 255.255.255.255
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere

Chain ciscovpnfw (3 references)
target prot opt source destination
> Does running '/usr/lib/qubes/qubes-setup-dnat-to-ns' update the PR-QBS
> chain ('iptables -L -t nat')? Does that allow appVM to communicate?
>
> What firewall rules are in the appVM's settings (Qubes Manager)? For
> testing (and probably for use) it should be set to "Allow network
> access except" and also allow DNS and ICMP with a blank list below.
>
> Is the appVM based on a regular Linux template such as fedora-25 or
> debian-8?
Both VMs are based on Qubes 3.2 templates:
VPN Proxy: Fedora 25
AppVM: Debian 8
(I have also tried to use a Fedora 25 AppVM, same problem.)
No connection via the proxy.
> Further:
> The 'vpnc' package may be a viable alternative to Anyconnect (the open
> source counterpart is 'openconnect'). Also, Network Manager has an
> openconnect plugin; you would need to install the plugin in the
> template then enable NM for the proxyVM.
I have already tried to use the openconnect plugin for Network Manager,
but when I click on Add in Network Manager and choose VPN and then
"Cisco AnyConnect Compatible VPN (openconnect)" I get a new window but
can't add any information there as every field looks disabled :-/ ?
Working with OpenConnect would be great.
> Another option: Simply run the Anyconnect client in the appVM (no
> proxyVM for the VPN client). This may be the simplest route.
Yes, but I'd like to connect two VMs (one Windows HVM and one Linux AppVM).
I also thought that it is Qubes best practice to use a dedicated VPN proxy
VM rather than launching the VPN from within an AppVM?
regards
- PhR
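To see where a forwarded AppVM packet ends up in the listing quoted above, here is an added Python replay of the FORWARD walk (my own example, not code from the post, Qubes or Cisco). The listing it parses is a constructed, trimmed copy of the post-AnyConnect output, and 10.137.2.30 is an assumed AppVM address.

```python
import ipaddress

# Constructed sample modelled on the post's post-AnyConnect 'iptables -L'; hostnames dropped
# and ciscovpn's bare 'ACCEPT all anywhere anywhere' rules omitted (assumed -i lo/-o lo, hidden by -L).
IPTABLES_L = """\
Chain FORWARD (policy DROP)
target prot opt source destination
ciscovpn all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere

Chain ciscovpn (3 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
RETURN all -- 10.137.2.26 anywhere
RETURN all -- 172.21.2.13 10.5.48.0/24
RETURN all -- 10.5.48.0/24 172.21.2.13
DROP all -- anywhere anywhere
"""

def parse(text):
    """{chain: (policy or None, [(target, proto, src, dst, extra_tokens)])}"""
    chains, cur = {}, None
    for t in (line.split() for line in text.splitlines()):
        if t and t[0] == "Chain":
            cur = chains[t[1]] = (t[3].rstrip(")") if t[2] == "(policy" else None, [])
        elif t and t[0] != "target":
            cur[1].append((t[0], t[1], t[3], t[4], t[5:]))
    return chains

def in_net(spec, ip):
    try:
        return spec == "anywhere" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:  # a hostname in the listing cannot be matched offline
        return False

def verdict(chains, name, src, dst, proto="tcp"):
    """Terminating target for a NEW packet walked through chain `name`."""
    for target, p, s, d, extra in chains[name][1]:
        if (p not in ("all", proto) or not in_net(s, src) or not in_net(d, dst)
                or "RELATED,ESTABLISHED" in extra):  # a new flow never matches conntrack
            continue
        if target == "RETURN":  # policy is None in a user chain: fall through
            return chains[name][0]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target in chains and (v := verdict(chains, target, src, dst, proto)):
            return v  # a jump into a user-defined chain reached a final verdict
    return chains[name][0]
```

The AppVM source reaches ciscovpn's final DROP because Qubes masquerades in nat POSTROUTING, which runs after filter FORWARD, so FORWARD still sees 10.137.2.30 rather than the tunnel address 172.21.2.13 that the RETURN rules exempt. Plain `iptables -L` omits interface matches, so the bare `ACCEPT all -- anywhere anywhere` rules should be re-read with `iptables -L -v -n` before trusting any replay of them.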