Since the conflict is with libvirt, maybe something changed with libvirt? That’s my best guess. Anyway, it looks like Vladislav will help you hammer your way to a workaround. Good luck.
Here’s the information while connected to the VPN:
$ ip route show
default dev tun0 scope link
default via 192.168.0.1 dev enp4s0 proto dhcp metric 100
22.214.171.124 via 192.168.0.1 dev enp4s0 src 192.168.0.106
192.168.0.0/24 dev enp4s0 proto kernel scope link src 192.168.0.106 metric 100
192.168.70.0/23 dev tun0 scope link
192.168.222.0/24 dev virbr0 proto kernel scope link src 192.168.222.1 linkdown
$ ip route get 104.196.x.x
104.196.x.x dev tun0 src 192.168.70.82 uid 1000
    cache
192.168.70.82 is the IP address of tun0.
$ ifconfig tun0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1200
        inet 192.168.70.82  netmask 255.255.255.255  destination 192.168.70.82
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 18  bytes 2008 (1.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 326  bytes 29505 (28.8 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
For comparison, here is ip route show; ip route get … when disconnected from the VPN:
$ ip route show
default via 192.168.0.1 dev enp4s0
default via 192.168.0.1 dev enp4s0 proto dhcp metric 100
192.168.0.0/24 dev enp4s0 proto kernel scope link src 192.168.0.106 metric 100
192.168.222.0/24 dev virbr0 proto kernel scope link src 192.168.222.1 linkdown
$ ip route get 104.196.x.x
104.196.x.x via 192.168.0.1 dev enp4s0 src 192.168.0.106 uid 1000
    cache
192.168.0.106 is the IP address of the wired interface.
Thanks for your help.
Can you access/ping the target domain when the VPN is disconnected?
Since the domain has a public IP address, it should be reachable without VPN.
Yes, public sites in my work domain are accessible without the VPN. That has not been the issue.
I cannot access these sites when I’m connected to the VPN. I have not been able to access any internet sites when connected to the VPN.
When I disconnect from the VPN this error message pops up:
Error: argument "via" is wrong: use nexthop syntax to specify multiple via
I have found that this could mean there are two routes specified with equal weight. Is this related to the “metric” you were pointing out earlier? If so, I tried to find out how to change it but have not found the answer.
Corporate VPNs often restrict routing/forwarding.
Perhaps your VPN allows access only to specific subnets, such as this one:
So, try to disable default gateway redirection in the VPN connection settings:
nmcli connection show
nmcli connection modify id VPN_CON ipv4.never-default yes ipv6.never-default yes
nmcli connection down id VPN_CON
nmcli connection up id VPN_CON
Yes, and mine does, but not to their own servers!
I tried the instructions to disable the default gateway and it didn’t make any difference.
Along with your suggestions, I have been doing my own research, and while there are indications others are having problems, there have been no definitive solutions. I feel like I’m hitting a wall :(.
Establish the VPN connection and check:
ip route get 1; nmcli connection show
$ ip route get 1; nmcli connection show
126.96.36.199 dev tun0 src 192.168.70.108 uid 1000
    cache
NAME                       UUID                                  TYPE      DEVICE
802-3-ethernet connection  3663eb8d-2ab1-4e2f-b003-073d0d7804ae  ethernet  enp4s0
tun0                       f5799762-a041-4d4a-aefe-d2847fa45e66  tun       tun0
virbr0                     754d3f57-b951-48d3-8eb7-9e1b6b0a9ec1  bridge    virbr0
tun0                       681238ee-d719-4e7a-a834-043d13d9fadb  tun       --
What VPN protocol are you currently using?
What method have you used to configure the connection?
There are 2 different connections with the same name.
Remove/rename the duplicate connection.
I’m running on the command line:
sudo openconnect --protocol=anyconnect ...
I have no idea why there are two connections with the same name. Nothing is configured in the Settings GUI for a VPN. I’m looking …
Even after deleting the duplicate connection, the results are the same.
As you have a working Fedora 32 around, please try this:
For those server names you need to access when VPN is up, find out their IP address using a working VPN connection.
Then in the new setup, try access using IP instead of domain names.
This step will help to separate DNS issues from the routing issues, if there are any.
Do the same for public sites.
I have a working F29 not F32. Nonetheless, DNS (I think) is working because the correct IP is returned but I cannot access just using the IP.
$ ping <ip address>
--- <ip address> ping statistics ---
30 packets transmitted, 0 received, 100% packet loss, time 29709ms
Try this way, one of them should work:
sudo dnf install NetworkManager-openconnect
nmcli connection import type openconnect file /path/to/vpn.conf

sudo dnf install NetworkManager-vpnc
nmcli connection import type vpnc file /path/to/vpn.conf
Once the config is imported to NetworkManager, you can change it as mentioned above.
I don’t know where to find a “vpn.conf” file. The only file I could find from Cisco Anyconnect is ~/.anyconnect. When I try the nmcli command I get this error:
Error: failed to import '.anyconnect': does not look like a Multi-protocol VPN client (openconnect) VPN connection (parse failed).
Can you post the file content redacting the private parts?
We need to understand what we are dealing with.
If you cannot open it with a text editor, check the type:
Not a problem. Here you go:
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectPreferences>
  <DefaultUser>email@example.com</DefaultUser>
  <DefaultSecondUser></DefaultSecondUser>
  <ClientCertificateThumbprint></ClientCertificateThumbprint>
  <MultipleClientCertificateThumbprints></MultipleClientCertificateThumbprints>
  <ServerCertificateThumbprint></ServerCertificateThumbprint>
  <DefaultHostName>vpn.work.com</DefaultHostName>
  <DefaultHostAddress></DefaultHostAddress>
  <DefaultGroup></DefaultGroup>
  <ProxyHost></ProxyHost>
  <ProxyPort></ProxyPort>
  <SDITokenType>none</SDITokenType>
  <ControllablePreferences>
    <AutoConnectOnStart>true</AutoConnectOnStart>
    <LocalLanAccess>false</LocalLanAccess>
    <BlockUntrustedServers>false</BlockUntrustedServers>
    <EnableAutomaticServerSelection>false</EnableAutomaticServerSelection>
    <MinimizeOnConnect>true</MinimizeOnConnect>
  </ControllablePreferences>
</AnyConnectPreferences>
Thanks. I really appreciate the continued help with this.
I think the simplest workaround would be something like this:
nmcli connection modify uuid 3663eb8d-2ab1-4e2f-b003-073d0d7804ae \
    ipv4.routes "0.0.0.0/1 192.168.0.1, 188.8.131.52/1 192.168.0.1"
nmcli connection up uuid 3663eb8d-2ab1-4e2f-b003-073d0d7804ae
Still unable to access any company servers while connected to the VPN. However, I am able to access internet sites such as this one, google, etc. So that is an improvement.
It seems no routing configuration is there.
One way to find out is to compare the routing table and DNS used before and after the connection, to see what is being changed by Anyconnect.