[SOLVED] network manager and ipsec and the Great Firewall of China.
Hi, Happy Christmas! So here I am trying to get through the Great Firewall of China. I have been using OpenVPN very successfully for many years, but now they have upped the ante and it is pretty well locked down, so I thought I would give IPsec a go. Trouble is I know nothing about IPsec, but I did a bit of reading and could not really figure out what was needed given the general Linux instructions (for Ubuntu) from my current VPN provider. So I thought I would try to get it up and running via the network manager first.
I could recommend you use Tor, which is very successful at making it out of the Great Firewall on a consistent basis. Since there are 4 redundant methods for the distribution of bridge addresses (bridges are entry points into the Tor network), the operators of the Great Firewall can never get a listing of ALL of the bridges, so they can't block all of them. The following site may be blocked in China, but you may find another way to get there... https://www.torproject.org/ or maybe somebody in China has been able to mirror the site.
I looked on freedesktop.org to see if there was a help file for the network app, and there doesn't seem to be anything listed, either under NetworkManager, VPN, ipsec or anything else... but I did find this link if it's any help: https://help.ubuntu.com/community/NetworkManager
BTW... this is the Slackware forum... Ubuntu is down a bit lower on the distribution forums list, but I figured I'd try to help you out anyway.
I have tried TOR and in fact it is still on my system. However it is blocked in China. I can't remember if I tried relays or not although I suspect I must have done but regardless it is too slow for everyday general usage. The only way I could get TOR to work was through the VPN! (which is how I know it is too slow).
I am in fact using Slack 14, I did mention this in a 'p.s' right at the end :-)
Darth Vader. I agree. It is a strange omission but I had already installed NetworkManager-openvpn via sbopkg.
"The name org.freedesktop.NetworkManager was not provided with any .service files"
What is this about?
It's complaining that systemd .service files are missing, which are useless anyway, because Slackware has no systemd. So I think upstream broke something.
Can ssh traffic pass through the GFW? If so you could rent a small VPS somewhere and
then build a local SOCKS5 proxy over ssh. I use that to unblock YouTube videos lol.
ssh -N -D8080 server.somewhere.tld <- after that it listens on 127.0.0.1 port 8080
While Slackware 14 ships both NetworkManager and OpenVPN, ironically, it doesn't include the bridge between these two: NetworkManager-openvpn.
I always asked myself: WHY?
Because it was not critical to have that in Slackware. NetworkManager itself was more critical so it got added to Slackware 14. NetworkManager-OpenVPN can be added by yourself easily using slackbuilds.org as you indicated.
Thanks for the comments so far. OK, maybe I can try a different tack. I am sure all the IPsec stuff works behind the scenes (OpenVPN does, as I used it up until very recently); I just need to configure it. If I can add the required info to the config files (username, password, server IP) then maybe I can take it from there. Any of you gurus know which file/s I should be editing?
hotchili, blogspot is blocked in China....... need ipsec to read it, lol.
So I still have the problem. Anyone??
Thanks, BashTin.
>However it is blocked in China.
It shouldn't be possible. Public relays (visible relays) should be blocked by the CCP.
That is why you should try to find a bridge relay. You may try sending an email to the EFF (it is what those EFF staff said at CCC); they may give you some IPs.
>The only way I could get TOR to work was through the VPN! (which is how I know it is too slow).
Maybe you should. Because all anonymity networks can't hide the fact that you are participating in the network. However, Tor does put harder effort into making it "low-profile" among all kinds of connections.
Also, you may not have to use Tor all the time. My speculation is that there is seemingly no one who would go as far as monitoring your plain VPN connection outside China, then monitor your connection to the VPN and beat you up (as far as you don't do something stupid, of course); just make sure it is encrypted.
>which is how I know it is too slow
Depends on usage; if bandwidth isn't a problem, then the slowness is really just caused by the speed of light. To make it faster you may consider making participants denser on the earth (i.e. you can contribute to the network by joining it).
Last edited by lolnameless; 12-24-2012 at 08:01 AM.
Sorry about that... I didn't notice you had a Slack system... I wasn't paying attention I guess...
The Tor network has several redundant ways of getting bridge addresses, and each method has different bridge addresses listed, so a blocking operation can never get a complete list. If you get any good bridge addresses, you should be able to get a connection that's a bit faster than what you remember. If you don't remember adding a bridge address to your Tor config, you probably haven't done it, as it consists of an IP address and a long hexadecimal string about 40 characters long (which is the public key fingerprint of the bridge). I would remember if I had to manually enter one. You can specify several bridge addresses, and if any of them are too slow, Tor will ignore them. Obviously, the most often blocked bridge addresses will be the ones Tor downloads automatically; one other method used is to email for a list. The two other methods are a bit different, and make it impossible for anyone blocking bridges to get all of them. The more people running bridge relays, the better. I can tell you that my bridge consistently serves connections to China as well as several other countries that censor their internet, and my bridge has been somewhat consistently online for several months. It took a few days after starting the bridge before it started getting used, and it's still in use, so the method for distributing my bridge address must be fairly reliable, even in China. You can leave a private message for me on this forum and I can give you my bridge address if you like. I can even send you the web addresses in China where the Tor website is mirrored.
Last edited by unclejed613; 12-25-2012 at 09:25 PM.
Well, thanks so far guys. A little more forward. Discovered what I actually needed was vpnc ('c' standing for Cisco). But even though I got it all installed and configured I could not get it to authenticate. So gave Cisco's vpnclient a go. Had to apply a couple of patches to get it to compile and...... yes, you guessed, could not get that to connect either. Anyway, will have to leave it for the mo and come back to it later.
Right, going to mark this as 'solved' as I have finally got a connection to Witopia using IPsec, and I post the necessary steps for anyone who may be interested.
First off Network Manager in Slackware 14 appears broken or at least from my experience. (I did a fresh install on two different machines with the same outcome).
With network-scripts-14.00-noarch-3, openconnect-3.20-i486-1, networkmanagement-0.9.0-i486-1 and network-manager-applet-0.9.4.1-i4862 installed, in network manager, under the 'wired connection' tab, the 'add', 'edit' and 'delete' buttons are greyed out. Wicd network manager has no such issues.
Secondly with the addition of vpnc-0.5.3-i486-1 the vpn tab becomes visible. However whenever I try to add a vpn connection of any type I get the message back 'The name org.freedesktop.NetworkManager was not provided with any .service files'. I have read that communication between the manager and the underlying tools is done via dbus so I guess something is not right here. As this was installed via sbopkg I would have thought any links/whatever should have been setup at the config stage.
Thirdly the wireless tab is greyed out. Wicd network manager has no such issues.
Onto getting IPSec working on Slackware 14.
I found Witopia staff, although willing, were somewhat lacking in the necessary technical skills required, so I had to figure it out by myself. With some digging around and trial and error I found the magic client was vpnc. This is easily installed via sbopkg. Then you need to create a connection profile, /etc/vpnc/yourprofilename.conf. It should end up looking like
Code:
# NAT traversal mode (this is critical. If it is not included you will not connect)
NAT Traversal Mode natt
# IP or host name of the Witopia server you are connecting to
# IP is better as the pesky Great Firewall likes to play games with DNS
IPSec gateway num.num.num.num
# Group name
IPSec ID witopia
# Group password
IPSec secret witopia
# Your username
# There are two formats for usernames and they are NOT interchangeable. Please see the "details" under your active services via the portal to see your correct username.
# Format 1: username@witopia (notice that there is no .net at the end)
# Format 2: W\your@email.com (the W \ must be present)
Xauth username my-user-name
# Your password in plain text
Xauth password my-password
Then, assuming you have a network connection up, just issue 'vpnc [name of your conf file]' and you should connect. (I do get an 'Enter Hostname' dialog pop up; just click cancel.)
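As an added example (not from the thread and not part of vpnc itself), a small POSIX shell check to run over a profile before invoking vpnc: it confirms NAT traversal is enabled, that the gateway is a dotted-quad IP rather than a hostname, that every key from the profile above is present, and that the file is readable only by its owner, since it stores the Xauth password in plain text. The sample profile writer uses constructed placeholder credentials and a documentation IP address.

```shell
#!/bin/sh
# Added example: validate a vpnc profile of the shape shown in the post.

# Return 0 if the profile at $1 has everything this setup needs, else print why and return 1.
check_vpnc_profile() {
    f="$1"
    [ -r "$f" ] || { echo "missing or unreadable: $f"; return 1; }
    # NAT traversal is mandatory for this connection (the post's "critical" line)
    grep -q '^NAT Traversal Mode natt$' "$f" || { echo "no 'NAT Traversal Mode natt' line"; return 1; }
    # Gateway must be an IP address: DNS answers are unreliable behind the GFW
    gw=$(sed -n 's/^IPSec gateway //p' "$f")
    echo "$gw" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || { echo "gateway is not an IP: '$gw'"; return 1; }
    for key in 'IPSec ID' 'IPSec secret' 'Xauth username' 'Xauth password'; do
        grep -q "^$key " "$f" || { echo "missing '$key' line"; return 1; }
    done
    # The Xauth password is plain text, so refuse group- or world-readable profiles
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case "$mode" in
        600|400) ;;
        *) echo "profile mode is $mode, expected 600"; return 1 ;;
    esac
    return 0
}

# Write a constructed sample profile to $1 with gateway $2 (placeholder credentials),
# created with umask 077 so it is owner-readable only from the start.
write_sample_profile() {
    (
        umask 077
        cat > "$1" <<EOF
NAT Traversal Mode natt
IPSec gateway $2
IPSec ID witopia
IPSec secret witopia
Xauth username my-user-name
Xauth password my-password
EOF
    )
}
```

Point check_vpnc_profile at /etc/vpnc/yourprofilename.conf before running 'vpnc yourprofilename'; a non-zero exit tells you which line to fix.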
Wifi rtl8192ce module woes.
The saga continues. The second machine I was trying this all out on is a Toshiba Satellite C805 with Realtek 8192C/8188C 802.11n PCI wireless chip.
After around 5 or 10 minutes the connection would go down, and although the connection was still up as far as iwconfig and ifconfig were concerned, there was no way to re-establish an internet connection other than a reboot.
Dmesg would show errors about 'reset failed', 'wlan0 link not ready' and similar (did not keep a copy).
To cut a long story short, this is a well known bug and the simple fix is to download the latest driver from Realtek's website. Make, make install and all is well.