IPv6 default route not set using OpenConnect

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Mar 13, 2013 at 1:55 PM, shouldbe q931 <shouldbeq931 at gmail.com> wrote:
> On Tue, Mar 12, 2013 at 2:37 PM, David Woodhouse <dwmw2 at infradead.org> wrote:
>> On Tue, 2013-02-19 at 09:50 +0000, shouldbe q931 wrote:
>>>
>>> I know that I could set the default route manually, but wondered if I
>>> misconfigured something, or had hit a bug.
>>>
>>> I've gone back through the mailing list archives to July 2012, but
>>> couldn't see anything that might reference this.
>>
>> The behaviour of vpnc-script goes something like this:
>>
>>  If there are 'split include' routes listed, set those routes only.
>>  Else, set the default route (ignoring 'split exclude').
>>
>> The fact that it ignores 'split excludes' is a bug, but nobody's ever
>> cared because fairly much nobody ever uses them AFAICT.
>>
>> Your routing *does* have split includes... but only for Legacy IP. I
>> suppose we're supposed to route those Legacy IP ranges *and* the default
>> IPv6 route through the VPN?
>>
>> Looking at the current version of the vpnc-script, it looks like it
>> *ought* to get this right. Since $CISCO_IPV6_SPLIT_INC isn't (well,
>> shouldn't be) set, it should set the default route.
>>
>> Firstly, can you check that your vpnc-script is up to date. Download the
>> latest version which is linked from
>> http://www.infradead.org/openconnect/vpnc-script.html and try using that
>> (make it executable and use the --vpnc-script argument).
>>
>> --
>> dwmw2
>
> Yes, the split include is for IPv4, and but IPv6 should be for all traffic.
>
> If it would be useful, I can also test removing the split include.
>
> I am not using (and have never seen used) split exclude.
>
> The vpnc-script changelog on ubuntu lists the below as the most recent change
> ---------------------------------------
> vpnc-scripts (0.1~git20120602-2) unstable; urgency=low
>
>   * Add Vcs-* fields for the collab-maint git repository.
>   * Move iproute from Depends to Recommends, vpnc-script can work
>     around it if not available.
>
>  -- Mike Miller <mtmiller at ieee.org>  Wed, 06 Jun 2012 06:58:46 -0400
> ---------------------------------------
>
> I renamed the version from the repo, and copied the one from infradead
> into usr/share/vpnc-scripts/vpnc-script
>
> I'll test this evening when I'm "outside" the network.
>
> Cheers
>
> Arne

Calling openconnect manually with the updated vpnc-script, IPv6 works
as expected and DNS works as expected, if I use NetworkManager to
initiate the VPN, IPv6 has the same problem, and the DNS servers are
not set


Using NetworkManager
---------------------------------------
netstat -6 -r
Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met Ref Use If
2001:470:9652:3::/64           ::                         U    256 0     0 vpn0
fe80::/64                      ::                         U    256 0     0 eth1
fe80::/64                      ::                         U    256 0     0 vpn0
::/0                           ::                         !n   -1  1     9 lo
::1/128                        ::                         Un   0   1     1 lo
2001:470:9652:3::1/128         ::                         Un   0   1     0 lo
fe80::aed:b9ff:fef8:fc21/128   ::                         Un   0   1     0 lo
ff00::/8                       ::                         U    256 0     0 eth1
ff00::/8                       ::                         U    256 0     0 vpn0
::/0                           ::                         !n   -1  1     9 lo

 netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         192.168.10.1    0.0.0.0         UG        0 0          0 eth1
10.201.253.0    *               255.255.255.0   U         0 0          0 vpn0
link-local      *               255.255.0.0     U         0 0          0 eth1
192.168.10.0    *               255.255.255.0   U         0 0          0 eth1
192.168.53.0    *               255.255.255.0   U         0 0          0 vpn0
192.168.54.0    *               255.255.255.0   U         0 0          0 vpn0
213.122.155.21  192.168.10.1    255.255.255.255 UGH       0 0          0 eth1

nslookup www.infradead.org
Server: 127.0.1.1
Address: 127.0.1.1#53

** server can't find www.infradead.org: NXDOMAIN

traceroute6 2a00:1450:400b:c02::63
connect: Network is unreachable
---------------------------------------

calling openconnect via command line

---------------------------------------
sudo openconnect -vvv asa.domain.com
Attempting to connect to 213.122.155.21:443
SSL negotiation with asa.domain.com
Server certificate verify failed: signer not found

Certificate from VPN server "asa.domain.com" failed verification.
Reason: signer not found
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on asa.domain.com
GET https://asa.domain.com/
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Thu, 14 Mar 2013 19:25:39 GMT
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length:  (0)
SSL negotiation with asa.domain.com
Server certificate verify failed: signer not found
Connected to HTTPS on asa.domain.com
GET https://asa.domain.com/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
Fixed options give
Please enter your username and password.
Username:testuser
Password:
POST https://asa.domain.com/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpnlogin=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn=<elided>; path=/; secure
Set-Cookie: webvpnc=bu:/CACHE/stc/&p:t&iu:1/&sh:184B2305E903B0BA7D5807A9665AE3EDEB4FBD8D&lu:/+CSCOT+/translation-table?textdomain%3DAnyConnect%26type%3Dmanifest&fu:profiles%2Fasa.domain.com.xml&fh:BE3E6EA0056DCDC3AD683DE2441C2E7315606731;
path=/; secure
Set-Cookie: webvpnx=
Set-Cookie: webvpnaac=1; path=/; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
TCP_INFO rcv mss 1406, snd mss 1406, adv mss 1448, pmtu 1500
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Address: 192.168.54.4
X-CSTP-Netmask: 255.255.255.0
X-CSTP-Address: 2001:470:9652:3::1
X-CSTP-Netmask: 2001:470:9652:3::1/64
X-CSTP-DNS: 192.168.53.42
X-CSTP-DNS: 10.201.253.41
X-CSTP-NBNS: 192.168.53.42
X-CSTP-NBNS: 10.201.253.41
X-CSTP-Lease-Duration: 1209600
X-CSTP-Session-Timeout: none
X-CSTP-Idle-Timeout: 1800
X-CSTP-Disconnected-Timeout: 1800
X-CSTP-Default-Domain: domain.com
X-CSTP-Split-Include: 192.168.53.0/255.255.255.0
X-CSTP-Split-Include: 10.201.253.0/255.255.255.0
X-CSTP-Split-DNS: domain.com
X-CSTP-Keep: true
X-CSTP-Tunnel-All-DNS: true
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-CSTP-MSIE-Proxy-Lockdown: true
X-CSTP-Smartcard-Removal-Disconnect: true
X-DTLS-Session-ID:
51767A33B70A95BBBF90D8E82771774265CA2116873D16F70E6B366CCF91A798
X-DTLS-Port: 443
X-DTLS-Keepalive: 20
X-DTLS-DPD: 30
X-CSTP-MTU: 1373
X-DTLS-MTU: 1418
X-DTLS-CipherSuite: AES128-SHA
X-CSTP-Routing-Filtering-Ignore: false
X-CSTP-Quarantine: false
X-CSTP-Disable-Always-On-VPN: false
X-CSTP-TCP-Keepalive: true
CSTP connected. DPD 30, Keepalive 20
DTLS option X-DTLS-Session-ID :
51767A33B70A95BBBF90D8E82771774265CA2116873D16F70E6B366CCF91A798
DTLS option X-DTLS-Port : 443
DTLS option X-DTLS-Keepalive : 20
DTLS option X-DTLS-DPD : 30
DTLS option X-DTLS-MTU : 1418
DTLS option X-DTLS-CipherSuite : AES128-SHA
DTLS connected. DPD 30, Keepalive 20
Connected tun0 as 192.168.54.4 + 2001:470:9652:3::1, using SSL
Sending uncompressed data packet of 51 bytes
Sending uncompressed data packet of 62 bytes
Sending uncompressed data packet of 51 bytes
Sending uncompressed data packet of 62 bytes
Sending uncompressed data packet of 51 bytes
Sending uncompressed data packet of 51 bytes
Sending uncompressed data packet of 62 bytes
Sending uncompressed data packet of 62 bytes
No work to do; sleeping for 6000 ms...
No work to do; sleeping for 16000 ms...
Received uncompressed data packet of 126 bytes
Sending uncompressed data packet of 154 bytes
No work to do; sleeping for 20000 ms...
Established DTLS connection (using OpenSSL)


 netstat -6 -r
Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met Ref Use If
2001:470:9652:3::/64           ::                         U    256 0     0 tun0
fe80::/64                      ::                         U    256 0     0 eth1
fe80::/64                      ::                         U    256 0     0 tun0
::/0                           ::                         U    1   0     0 tun0
::/0                           ::                         !n   -1  1    15 lo
::1/128                        ::                         Un   0   1     1 lo
2001:470:9652:3::1/128         ::                         Un   0   1     0 lo
fe80::aed:b9ff:fef8:fc21/128   ::                         Un   0   1     0 lo
ff00::/8                       ::                         U    256 0     0 eth1
ff00::/8                       ::                         U    256 0     0 tun0
::/0                           ::                         !n   -1  1    15 lo


netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         192.168.10.1    0.0.0.0         UG        0 0          0 eth1
10.201.253.0    *               255.255.255.0   U         0 0          0 tun0
dc-1.domain.com *               255.255.255.255 UH        0 0          0 tun0
link-local      *               255.255.0.0     U         0 0          0 eth1
192.168.10.0    *               255.255.255.0   U         0 0          0 eth1
192.168.53.0    *               255.255.255.0   U         0 0          0 tun0
dc-2.xclaimproj *               255.255.255.255 UH        0 0          0 tun0
sslc.xclaimproj *               255.255.255.255 UH        0 0          0 vpn0
192.168.54.0    *               255.255.255.0   U         0 0          0 tun0
asa.domain.com 192.168.10.1    255.255.255.255 UGH       0 0          0 eth1


 nslookup www.infradead.org
Server: 192.168.53.42
Address: 192.168.53.42#53

Non-authoritative answer:
www.infradead.org canonical name = casper.infradead.org.
Name: casper.infradead.org
Address: 85.118.1.10


traceroute6 2a00:1450:400b:c02::63
traceroute to 2a00:1450:400b:c02::63 (2a00:1450:400b:c02::63) from
2001:470:9652:3::1, 30 hops max, 24 byte packets
 1  2001:470:9652:1::254 (2001:470:9652:1::254)  56.876 ms  48.295 ms  96.59 ms
 2  thermionic-1.tunnel.tserv5.lon1.ipv6.he.net
(2001:470:1f08:1623::1)  72.007 ms  114.474 ms  67.415 ms
 3  gige-g4-8.core1.lon1.he.net (2001:470:0:67::1)  74.81 ms  87.64 ms
 65.825 ms
 4  2001:7f8:4::3b41:1 (2001:7f8:4::3b41:1)  62.54 ms  63.825 ms  63.326 ms
 5  2001:4860::1:0:15f (2001:4860::1:0:15f)  66.591 ms  65.824 ms  78.254 ms
 6  2001:4860::8:0:2dde (2001:4860::8:0:2dde)  68.538 ms  66.952 ms  73.13 ms
 7  2001:4860::1:0:3a11 (2001:4860::1:0:3a11)  132.633 ms  107.85 ms  73.917 ms
 8  2001:4860::2:0:3d87 (2001:4860::2:0:3d87)  73.528 ms  72.326 ms  120.891 ms
 9  * *^C
---------------------------------------

Cheers

Arne



[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]


  Powered by Linux