Dear All,

I have an issue connecting to one of our partners with openconnect. Symptoms are the following:

- we can build a VPN with Openconnect on Linux to our partner and it is working fine (traffic is passing through as expected)
- we can build a VPN with Cisco Anyconnect on Windows to our partner
- we CANNOT build a VPN with Openconnect on Windows to our partner (technically, VPN is built but traffic is not passing through, details below)
- we CAN build VPN with OpenConnect on Windows to other partners

From all of these, I would say there is nothing wrong with the partner VPN (because connecting to it from windows/anyconnect and linux/openconnect combination are working fine).

After days of investigation I found out that there are no ARP replies on the tun interface when connecting from openconnect/windows.

Logs attached:
- openconnect-logs.txt: openconnect binary logs
- openconnect-ipconfig.txt: ipconfig output
- openconnect-after.txt: routes after the vpn connection has been built

When I'm using AnyConnect, then I'm seeing ARP traffic (both requests and answers) on Cisco Anyconnect VPN Virtual Miniport Adapter for Windows x64:

12 2015-04-28 08:43:26.030225000 Cisco_3c:7a:00 Broadcast ARP 42 Who has 10.219.35.3? Tell 10.219.35.2
13 2015-04-28 08:43:26.030333000 Cimsys_33:44:55 Cisco_3c:7a:00 ARP 42 10.219.35.3 is at 00:11:22:33:44:55

When I'm using OpenConnect on Windows, then I'm seeing only ARP requests on TAP-Windows Adapter v9:

3 2015-04-28 08:45:33.158621000 00:ff:11:26:6c:fd Broadcast ARP 42 Who has 10.219.35.8? Tell 10.219.35.7

However, connecting to another partner with OpenConnect on Windows is working fine.

I don't know where to go next, because VPN guys said the VPN concentrator is working well (can connect from anyconnect and openconnect on linux, just openconnect on windows does not work).

Any help would be very much appreciated because this is driving me crazy.
Best regards,
Szabolcs Horvath

-------------- next part --------------
C:\Program Files (x86)\OpenConnect>openconnect --cookie=4252DopDN6ElsHKovbiously-not-this-mFXq --no-cert-check 195.228.84.1 -v --mtu 1300 --base-mtu 1300 --script vpnc-script-win.js
WARNING: This version of openconnect is v7.06 but the libopenconnect library is v7.06-unknown
Attempting to connect to server 195.228.84.1:443
Connected to 195.228.84.1:443
SSL negotiation with 195.228.84.1
Server certificate verify failed: certificate does not match hostname
Connected to HTTPS on 195.228.84.1
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Address: 10.219.35.7
X-CSTP-Netmask: 255.255.255.255
X-CSTP-DNS: 172.19.230.44
X-CSTP-DNS: 172.18.2.7
X-CSTP-Lease-Duration: 1209600
X-CSTP-Session-Timeout: none
X-CSTP-Idle-Timeout: 1800
X-CSTP-Disconnected-Timeout: 1800
X-CSTP-Split-Include: 10.219.0.0/255.255.0.0
X-CSTP-Split-Include: 172.19.230.44/255.255.255.255
X-CSTP-Split-Include: 172.18.2.7/255.255.255.255
X-CSTP-Split-DNS: elmu.hu
X-CSTP-Split-DNS: rwehun.local
X-CSTP-Keep: true
X-CSTP-Tunnel-All-DNS: false
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-CSTP-MSIE-Proxy-Lockdown: true
X-CSTP-Smartcard-Removal-Disconnect: true
X-DTLS-Session-ID: 92B12E7BE78DDD60E5DEB65C2F105D39F9808F2905F22309C857960802577980
X-DTLS-Port: 443
X-DTLS-Keepalive: 20
X-DTLS-DPD: 30
X-CSTP-MTU: 1300
X-DTLS-CipherSuite: AES128-SHA
X-CSTP-Routing-Filtering-Ignore: false
X-CSTP-Quarantine: false
X-CSTP-Disable-Always-On-VPN: false
X-CSTP-TCP-Keepalive: true
CSTP connected. DPD 30, Keepalive 20
CSTP Ciphersuite: (TLS1.0)-(RSA)-(AES-128-CBC)-(SHA1)
Microsoft (R) Windows Script Host 5.8 verzi?
Copyright (C) Microsoft Corporation 1996-2001. Minden jog fenntartva.

Opened tun device tun
TAP-Windows driver v9.21 (0)
Microsoft (R) Windows Script Host 5.8 verzi?
Copyright (C) Microsoft Corporation 1996-2001. Minden jog fenntartva.

route print
VPN Gateway: 195.228.84.1
Internal Address: 10.219.35.7
Internal Netmask: 255.255.255.255
Internal Gateway: 10.219.35.8
Interface: "tun"
MTU: 1300
netsh interface ipv4 set subinterface "tun" mtu=1300 store=active
Configuring "tun" interface for Legacy IP...
netsh interface ip set address "tun" static 10.219.35.7 255.255.255.255
route add 195.228.84.1 mask 255.255.255.255 10.35.76.1
netsh interface ip add dns "tun" 172.19.230.44 index=1
netsh interface ip add dns "tun" 172.18.2.7 index=2
done.
Configuring Legacy IP networks:
Waiting for interface to come up...
route print
Waiting for interface to come up...
route print
route add 172.18.2.7 mask 255.255.255.255 10.219.35.8
route add 172.19.230.44 mask 255.255.255.255 10.219.35.8
route add 10.219.0.0 mask 255.255.0.0 10.219.35.8
Route configuration done.
DTLS option X-DTLS-Session-ID : 92B12E7BE78DDD60E5DEB65C2F105D39F9808F2905F22309C857960802577980
DTLS option X-DTLS-Port : 443
DTLS option X-DTLS-Keepalive : 20
DTLS option X-DTLS-DPD : 30
DTLS option X-DTLS-CipherSuite : AES128-SHA
DTLS initialised. DPD 30, Keepalive 20
Connected tun as 10.219.35.7, using SSL
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1).
-------------- next part --------------
Ethernet-adapter tun:

   Kapcsolatspecifikus DNS-ut?tag. . :
   Le?r?s. . . . . . . . . . . . . . : TAP-Windows Adapter V9
   Fizikai c?m . . . . . . . . . . . : 00-FF-11-26-6C-FD
   DHCP enged?lyezve . . . . . . . . : Nem
   Automatikus konfigur?ci? enged?lyezve : Igen
   Kapcsolati szint? IPv6-c?m . . . : fe80::61c9:bee8:8db2:6c28%34(K?v?nt)
   IPv4-c?m. . . . . . . . . . . . . : 10.219.35.7(K?v?nt)
   Alh?l?zati maszk. . . . . . . . . : 255.255.255.255
   Alap?rtelmezett ?tj?r?. . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 402718481
   DHCPv6-?gyf?l DUID azonos?t?ja . . . . . . . : 00-01-00-01-17-6B-BF-B1-D4-BE-D9-0C-74-6A
   DNS-kiszolg?l?k . . . . . . . . . : 172.19.230.44
                                       172.18.2.7
   NetBIOS a TCP/IP felett . . . . . : Enged?lyezve
-------------- next part --------------
C:\>route print -4
===========================================================================
Kapcsolatlista
 34...00 ff 11 26 6c fd ......TAP-Windows Adapter V9
 26...54 26 24 db a2 1d ......Check Point Virtual Network Adapter For Endpoint VPN Client
 18...54 79 95 48 d1 14 ......Check Point Virtual Network Adapter For SSL Network Extender
 17...10 0b a9 03 19 e5 ......Microsoft Virtual WiFi Miniport Adapter
 12...10 0b a9 03 19 e4 ......Intel(R) Centrino(R) Advanced-N 6205
 11...d4 be d9 0c 74 6a ......Intel(R) 82579LM Gigabit Network Connection
 29...00 50 56 c0 00 01 ......VMware Virtual Ethernet Adapter for VMnet1
 30...00 50 56 c0 00 08 ......VMware Virtual Ethernet Adapter for VMnet8
  1...........................Software Loopback Interface 1
 22...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 21...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
 15...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 20...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #5
 23...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #6
 25...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #7
 27...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #8
===========================================================================

IPv4 ?tvonalt?bla
===========================================================================
Akt?v ?tvonalak:
    H?l?zati c?l    H?l?zati maszk              ?tj?r?      Kapcsolat  Metrika
         0.0.0.0           0.0.0.0          10.35.76.1    10.35.76.20     10
      10.35.76.0     255.255.255.0  Kapcsolaton bel?li    10.35.76.20    266
     10.35.76.20   255.255.255.255  Kapcsolaton bel?li    10.35.76.20    266
    10.35.76.255   255.255.255.255  Kapcsolaton bel?li    10.35.76.20    266
      10.219.0.0       255.255.0.0         10.219.35.8    10.219.35.7     21
     10.219.35.7   255.255.255.255  Kapcsolaton bel?li    10.219.35.7    276
     10.219.40.0     255.255.255.0            46.0.0.1    10.219.35.7     21
      46.107.8.0     255.255.255.0            46.0.0.1    10.219.35.7     21
       127.0.0.0         255.0.0.0  Kapcsolaton bel?li      127.0.0.1    306
       127.0.0.1   255.255.255.255  Kapcsolaton bel?li      127.0.0.1    306
 127.255.255.255   255.255.255.255  Kapcsolaton bel?li      127.0.0.1    306
      172.18.2.7   255.255.255.255         10.219.35.8    10.219.35.7     21
   172.19.230.44   255.255.255.255         10.219.35.8    10.219.35.7     21
      172.25.0.0       255.255.0.0            46.0.0.1    10.219.35.7     21
    195.228.84.1   255.255.255.255          10.35.76.1    10.35.76.20     11
===========================================================================
?lland? ?tvonalak:
  Nincs