IPv6 in AnyConnect for iOS

On Fri, 2014-12-26 at 16:51 +0800, sskaje wrote:
> Hi, I'm trying to make my iPhone work with IPv6. I can't find any
> details on AnyConnect using IPv6, so I just tried to debug and make some
> changes to ocserv.
> I need someone to tell me if I am on the wrong track or if ocserv IPv6 is buggy.
> 
> 
> I asked Linode for an IPv6 address pool and set the options like
> ipv6-network = 2400:8900:e000:xxxx::
> ipv6-prefix = 64
> But clients generate fake IPv6 addresses (debug logs in AnyConnect iOS).

Hi,
 The logic as it is now for the ocserv worker is to send IPv6 addresses if
the client is openconnect or the client has sent the header
"X-CSTP-Full-IPv6-Capability: true". That is because Cisco's clients
didn't properly handle IPv6 if they didn't send that header.

> In worker-vpn.c, I found
> 
>     if (ws->vinfo.ipv6 && req->no_ipv6 == 0) {
> 
> has no_ipv6 == 1, so I added extra User-Agent matching like:
> 
>         if (strncasecmp(req->user_agent, "Open Any", 8) == 0) {
>             if (strncmp(req->user_agent, "Open AnyConnect VPN Agent v3", 28) == 0)
>                 req->user_agent_type = AGENT_OPENCONNECT_V3;
>             else
>                 req->user_agent_type = AGENT_OPENCONNECT;
>         } else if (strncasecmp(req->user_agent, "Cisco AnyConnect", 16) == 0) {
>             req->user_agent_type = AGENT_ANYCONNECT;
>         }
>         break;

I'd suggest trying to see what happens if you tag this AnyConnect client
as AGENT_OPENCONNECT.

> And then
>     /* If we are in CISCO client compatibility mode, do not send
>      * any IPv6 information, unless the client can really handle it.
>      */
>     if (ws->full_ipv6 == 0 && ws->config->cisco_client_compat != 0 &&
>         req->user_agent_type != AGENT_OPENCONNECT &&
>         req->user_agent_type != AGENT_ANYCONNECT) {
>         req->no_ipv6 = 1;
>     }
> But ws->full_ipv6 is still 0, and TWO X-CSTP-Address lines are sent to
> client, with both IPv4 and IPv6 addresses.
>...
> I guess it is because full_ipv6 is 0, so I force it to 1 for AnyConnect:
>     if (req->user_agent_type == AGENT_ANYCONNECT) {
>         ws->full_ipv6 = 1;
>     }
> 
> found ws->vinfo.ipv6_prefix == 0, fixed in worker-auth.c:
> static int recv_cookie_auth_reply(worker_st * ws)
> ...
>             if (msg->ipv6_prefix) {
>                 ws->config->network.ipv6_prefix = msg->ipv6_prefix;
>             }

That should be the same as the one you set in "ipv6-prefix"
configuration option.

Do you get a correct IPv6 address if you use openconnect?

regards,
Nikos
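
The rule described in the reply above, as an added example that is not part of the original message and not ocserv's own code: a simplified model of how the User-Agent and the "X-CSTP-Full-IPv6-Capability" header decide whether IPv6 details are sent in Cisco compatibility mode. `struct request`, `parse_header` and `would_send_ipv6` are hypothetical names, and the header lines in `main` are constructed samples.

```c
/* Added illustration: a simplified model of the rule, not ocserv source. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum agent { AGENT_UNKNOWN, AGENT_OPENCONNECT, AGENT_OPENCONNECT_V3, AGENT_ANYCONNECT };

/* Hypothetical stand-in for the per-request state the worker keeps. */
struct request { enum agent user_agent_type; int full_ipv6; };

/* Prefix matching as in the snippet quoted in the thread. */
static enum agent classify_agent(const char *ua)
{
    if (strncasecmp(ua, "Open Any", 8) == 0)
        return strncmp(ua, "Open AnyConnect VPN Agent v3", 28) == 0
                   ? AGENT_OPENCONNECT_V3 : AGENT_OPENCONNECT;
    if (strncasecmp(ua, "Cisco AnyConnect", 16) == 0)
        return AGENT_ANYCONNECT;
    return AGENT_UNKNOWN;
}

/* Record the two headers that matter here; any other line is ignored. */
static void parse_header(struct request *req, const char *line)
{
    const char *colon = strchr(line, ':');
    if (colon == NULL)
        return;
    size_t nlen = (size_t)(colon - line);
    const char *val = colon + 1 + strspn(colon + 1, " \t");
    if (nlen == 10 && strncasecmp(line, "User-Agent", nlen) == 0)
        req->user_agent_type = classify_agent(val);
    else if (nlen == 27 && strncasecmp(line, "X-CSTP-Full-IPv6-Capability", nlen) == 0)
        req->full_ipv6 = (strcasecmp(val, "true") == 0);
}

/* Returns 1 if IPv6 details would be sent. cap_line may be NULL (header absent).
 * Assumption: only AGENT_OPENCONNECT is exempt in compatibility mode. */
int would_send_ipv6(const char *ua_line, const char *cap_line, int server_has_ipv6, int cisco_client_compat)
{
    struct request req = { AGENT_UNKNOWN, 0 };
    parse_header(&req, ua_line);
    if (cap_line != NULL)
        parse_header(&req, cap_line);
    int no_ipv6 = cisco_client_compat && !req.full_ipv6 &&
                  req.user_agent_type != AGENT_OPENCONNECT;
    return server_has_ipv6 && !no_ipv6;
}

int main(void)
{
    /* Constructed header values, not captured traffic. */
    printf("%d\n", would_send_ipv6("User-Agent: Cisco AnyConnect VPN Agent (constructed)", NULL, 1, 1));
    printf("%d\n", would_send_ipv6("User-Agent: Cisco AnyConnect VPN Agent (constructed)", "X-CSTP-Full-IPv6-Capability: true", 1, 1));
    return 0;
}
```

Because both inputs are client-supplied headers, this decision is a compatibility switch only and carries no trust in who the client is.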




