Snow Leopard - VPN nodefaultroute broken in pppd

[bgrieder]

Hi,

After upgrading to Snow Leopard, the nodefaultroute pppd option seems to be ignored.

Did anyone else face the same issue?

I circumvented the issue by adding a line in my /etc/ppp/ip-up script:

/sbin/route delete -ifscope ppp0 default $IPREMOTE

... but I would rather have pppd working correctly and the Network Settings panel fixed and improved once and for all.

Bruno

[nsolent]

I found that in Snow Leopard, the ppp connection order (#1) caused it to be the default route while connected (regardless of the "send all traffic" option). Moving it below the ethernet/firewall options fixed this.

Also, after a Snow Leopard upgrade from Leopard, my PPTP VPN broke ... it connected, but route was broken w/ no response when pinging hosts on remote network.
Turned out that some NAT service was semi-on - the resolution was to start & stop internet sharing in the Sharing pane of System Preferences. (the /Library/Preferences/SystemConfiguration/com.apple.nat.plist was configured NAT/enabled = 1 even though the preference pane showed internet sharing as turned off)(deleting this plist also resolved the issue)

-Z

[bgrieder]

Hi nsolent,

Thanks. I reorganized the order of the connections and this seems to make the default routes order more reliable.
However, the nodefaultroute option keeps being ignored.

Something else is very wrong anyway (btw, I performed the Snow Leopard upgrade and it did not improved things on both accounts).

After firing up the VPN connection, trying to ping, or traceroute a server address within or outside the VPN LAN, most of the time - not always- fails.

Code:

MacBook-de-BG:/ bgrieder$ traceroute forums.macosxhints.com
traceroute: unknown host forums.macosxhints.com

However, running an nslookup works !

Code:

MacBook-de-BG:/ bgrieder$ nslookup forums.macosxhints.com
Server:		192.168.0.22
Address:	192.168.0.22#53

Non-authoritative answer:
Name:	forums.macosxhints.com
Address: 70.42.185.231

while this server name "works",

Code:

MacBook-de-BG:/ bgrieder$ traceroute www.google.com
traceroute: Warning: www.google.com has multiple addresses; using 209.85.229.147
traceroute to www.l.google.com (209.85.229.147), 64 hops max, 52 byte packets
 1  192.168.0.1 (192.168.0.1)  1.488 ms  0.942 ms  0.830 ms
...

This very strange behaviour does not seem to be linked to the fact that the remote server answers ICMP requests (or not).

Looks like some network cache of the routes that is invalidated by the start-up of the VPN connection but not cleared...sigh....

The same behaviour has been confirmed on 2 other Macs running Snow Leopard. Apple really needs to fix this.

Cheers

Bruno

[bgrieder]

Replying to my own post, there are two issues with Snow Leopard:

-the nodefaultroute option being ignored (to which I would add a systematic unwanted usepeerdns - run 'scutil --dns' after firing up your VPN)

-DNS resolution problems - which explains the traceroute issues reported above
Please see this discussion for details.

In short, any somewhat elaborated set-up of network with 10.6 is currently a mess...

Bruno

[MrJuicy]

After connecting to the Cisco VPN, I replace the DNS Servers and Search Domains for my primary network service (AirPort, in my case) with those of the VPN. When I disconnect, I delete those entries in the DNS tab of the "Advanced..." pane of Network Preferences for the AirPort service. They are automatically replaced with the proper settings by DHCP.

So Apple is failing to ensure that the DNS settings for the VPN are preferred over those of the primary interface. Looking forward to their fix. This is tedious.

[nsolent]

Yes, I haven't researched this but do experience it. The DNS lookups are sporadic after establishing a VPN connection - sometimes they're done on the primary connection's DNS servers, sometimes they're done on the VPN connection's DNS servers... and this is done in a rotation, not fall-back. It doesn't stick with the same DNS server throughout the VPN connection either. I heard mention this is not only problematic on OS X but VPN in general... again no research to clarify.

I may follow bgrieder's advice... but of course I'd rather a fix that didn't involve my regular intervention.

Quote: Originally Posted by nsolent I found that in Snow Leopard, the ppp connection order (#1) caused it to be the default route while connected (regardless of the "send all traffic" option). Moving it below the ethernet/firewall options fixed this. Also, after a Snow Leopard upgrade from Leopard, my PPTP VPN broke ... it connected, but route was broken w/ no response when pinging hosts on remote network. Turned out that some NAT service was semi-on - the resolution was to start & stop internet sharing in the Sharing pane of System Preferences. (the /Library/Preferences/SystemConfiguration/com.apple.nat.plist was configured NAT/enabled = 1 even though the preference pane showed internet sharing as turned off)(deleting this plist also resolved the issue) -Z

Very Good!!! That fix worked for me. Thanks for the post

How do I establish VPN when I TURN COMPUTER ON and BEFORE I log in as one of 3 users? I wrote a batch file and placed it in Startup Folder to establish a VPN connection. It works but only when I log in as a user. I want the connection established when the computer turns on , without having to log in as a user.