I tried:

    if (strncasecmp(req->user_agent, "Open Any", 8) == 0) {
        if (strncmp(req->user_agent, "Open AnyConnect VPN Agent v3", 28) == 0)
            req->user_agent_type = AGENT_OPENCONNECT_V3;
        else
            req->user_agent_type = AGENT_OPENCONNECT;
    } else if (strncasecmp(req->user_agent, "Cisco Any", 8) == 0) {
        req->user_agent_type = AGENT_OPENCONNECT;
    }

IPv6 address is recognized by AnyConnect for iOS, but with a 'null' cidr.

I tried the changes I made in worker-auth.c, same.

ocserv[28717]: worker[sskaje]: xx.xx.xx.xx:56367 ========HEADER: HTTP/1.1 200 CONNECTED
ocserv[28717]: worker[sskaje]: xx.xx.xx.xx:56367 ========HEADER: X-CSTP-Version: 1
ocserv[28717]: worker[sskaje]: xx.xx.xx.xx:56367 ========HEADER: X-Server-Version: ocserv 0.8.9
ocserv[28717]: worker[sskaje]: xx.xx.xx.xx:56367 suggesting DPD of 90 secs
ocserv[28717]: worker[sskaje]: xx.xx.xx.xx:56367 ========HEADER: X-CSTP-DPD: 90
ocserv[28717]: worker[sskaje]: xx.xx.xx.xx:56367 ========HEADER: X-CSTP-Default-Domain: sskaje.me
ocserv[28717]: worker[sskaje]: xx.xx.xx.xx:56367 sending IPv4 192.168.122.199
ocserv[28717]: worker[sskaje]: xx.xx.xx.xx:56367 ========HEADER: X-CSTP-Address: 192.168.122.199
ocserv[28717]: worker[sskaje]: xx.xx.xx.xx:56367 ========HEADER: X-CSTP-Netmask: 255.255.255.0
ocserv[28717]: worker[sskaje]: xx.xx.xx.xx:56367 sending IPv6 2400:8900:e000:xxxx:xxxx:2f:f9e5:c701
ocserv[28717]: worker[sskaje]: xx.xx.xx.xx:56367 ========HEADER: X-CSTP-Address: 2400:8900:e000:xxxx:xxxx:2f:f9e5:c701
ocserv[28717]: worker[sskaje]: xx.xx.xx.xx:56367 ========HEADER: X-CSTP-DNS: 8.8.8.8
ocserv[28717]: worker[sskaje]: xx.xx.xx.xx:56367 ========HEADER: X-CSTP-DNS: 8.8.8.8
ocserv[28717]: worker[sskaje]: xx.xx.xx.xx:56367 ========HEADER: X-CSTP-DNS: 8.8.4.4
ocserv[28717]: worker[sskaje]: xx.xx.xx.xx:56367 ========HEADER: X-CSTP-Keepalive: 32400
ocserv[28717]: worker[sskaje]: xx.xx.xx.xx:56367 ========HEADER: X-CSTP-Idle-Timeout: none
ocserv[28717]: worker[sskaje]: xx.xx.xx.xx:56367 ========HEADER: X-CSTP-Smartcard-Removal-Disconnect: true
ocserv[28717]: worker[sskaje]: xx.xx.xx.xx:56367 ========HEADER: X-CSTP-Rekey-Time: 172800
ocserv[28717]: worker[sskaje]: xx.xx.xx.xx:56367 ========HEADER: X-CSTP-Rekey-Method: ssl
ocserv[28717]: worker[sskaje]: xx.xx.xx.xx:56367 ========HEADER: X-CSTP-Session-Timeout: none

Here is debug log from AnyConnect:

[12-28-14 11:56:22:950] AnyConnectDataAgent: Current Profile: profile.xml
Received VPN Session Configuration Settings:
    Keep Installed: enabled
    Rekey Method: handshake
    Proxy Setting: do not modify
    Proxy Server: none
    Proxy PAC URL: none
    Proxy Exceptions: none
    Proxy Lockdown: enabled
    Split Exclude: disabled
    Split Include: disabled
    Split DNS: disabled
    Tunnel all DNS: disabled
    Local LAN Wildcard: disabled
    Firewall Rules: none
    Client Address: 192.168.122.199
    Client Mask: 255.255.255.0
    Client IPv6 Address: 2400:8900:E000:XXXX:XXXX:2F:F9E5:C701
    Client IPv6 Mask: unknown
    MTU: 1293
    TLS Compression: disabled
    TLS Keep Alive: 32400 seconds
    TLS Rekey Interval: 172800 seconds
    TLS DPD: 90 seconds
    DTLS: enabled
    DTLS Compression: disabled
    DTLS Keep Alive: 32400 seconds
    DTLS Rekey Interval: 172810 seconds
    DTLS DPD: 90 seconds
    Session Timeout: 0 seconds
    Disconnect Timeout: 0 seconds
    Idle Timeout: 0 seconds
    Server: unknown
    MUS Host: unknown
    DAP User Message: none
    Quarantine State: unknown
    Always On VPN: unknown
    Lease Duration: none
    Default Domain: sskaje.me
    Home page: unknown
    Smart Card Removal Disconnect: enabled
    License Response: accept
...
[12-28-14 11:56:22:960] AnyConnectDataAgent:
Function: enableHostMgr
File: /tmp/build/thehoff/DaVinci_MR120.647307753904/DaVinci_MR12/vpn/ApplePlugins/Agent/TunTapMgr.cpp
Line: 2842
about to enable tuntap: v4 192.168.122.199/255.255.255.0 (fake ? no); v6 2400:8900:E000:XXXX:XXXX:2F:F9E5:C701/null (fake ? no)

sskaje at gmail.com
https://sskaje.me/

On Sat, Dec 27, 2014 at 4:55 PM, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
> On Fri, 2014-12-26 at 18:25 +0000, David Woodhouse wrote:
>> On Fri, 2014-12-26 at 20:18 +0200, Nikos Mavrogiannopoulos wrote:
>> >
>> > Hi,
>> > The logic as it is now for ocserv worker is to send IPv6 addresses if
>> > the client is openconnect or the client has sent the header
>> > "X-CSTP-Full-IPv6-Capability: true". That is because cisco's clients
>> > didn't properly handle IPv6 if they didn't send that header.
>>
>> Really? Or do they just expect different headers and handle things
>> differently. We seemed to have IPv6 support, and it was deployed at UCB
>> (where I briefly had an account to test OpenConnect with IPv6) a *long*
>> time before X-CSTP-Full-IPv6-Capability came about.
>
> I have disabled IPv6 support in anyconnect clients because I have had no
> opportunity to test them. If sskaje verifies that they work if they are
> treated as being openconnect, I'll enable it there as well.
>
> regards,
> Nikos
>
>
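
The rule described in the quoted reply (send IPv6 only to openconnect clients or to clients that sent "X-CSTP-Full-IPv6-Capability: true"), written out as a stand-alone check. This is an added example, not ocserv's code or anything posted in the thread. It assumes a hypothetical `struct http_header`, hypothetical `AGENT_UNKNOWN` and `AGENT_ANYCONNECT` values, and case-insensitive matching throughout; it keeps Cisco clients in their own class so the capability header stays the deciding factor for them.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* AGENT_OPENCONNECT* are names from the thread; AGENT_ANYCONNECT,
 * AGENT_UNKNOWN and struct http_header are hypothetical. */
enum agent_type { AGENT_UNKNOWN, AGENT_OPENCONNECT, AGENT_OPENCONNECT_V3,
                  AGENT_ANYCONNECT };
struct http_header { const char *name, *value; };

/* Case-insensitive compare of at most n bytes; stops at a shared NUL. */
static bool ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n && (a[i] || b[i]); i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Prefix length is taken from the literal, so it cannot drift out of sync. */
static bool has_prefix(const char *s, const char *p)
{
    return s != NULL && ieq(s, p, strlen(p));
}

enum agent_type classify_agent(const char *ua)
{
    if (has_prefix(ua, "Open AnyConnect VPN Agent v3"))  /* most specific first */
        return AGENT_OPENCONNECT_V3;
    if (has_prefix(ua, "Open Any"))
        return AGENT_OPENCONNECT;
    if (has_prefix(ua, "Cisco Any"))
        return AGENT_ANYCONNECT;
    return AGENT_UNKNOWN;
}

/* Rule quoted in the thread: send IPv6 to openconnect clients, or to any
 * client that sent "X-CSTP-Full-IPv6-Capability: true". */
bool should_send_ipv6(const char *ua, const struct http_header *h, size_t n)
{
    enum agent_type t = classify_agent(ua);
    if (t == AGENT_OPENCONNECT || t == AGENT_OPENCONNECT_V3)
        return true;
    for (size_t i = 0; i < n; i++)
        if (h[i].name && h[i].value &&
            ieq(h[i].name, "X-CSTP-Full-IPv6-Capability", 28) &&
            ieq(h[i].value, "true", 5))   /* length + 1 forces an exact match */
            return true;
    return false;
}
```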