Hello!

Short feedback for anyone else who might have found this post: instead
of rebuilding Openconnect on Windows, we ended up changing the VPN
netmask to /27. It works like a charm.
Looks like Windows TAP driver from OpenVPN has issues with /32 netmask.

Szabolcs

2015-04-28 9:44 GMT+02:00 David Woodhouse <dwmw2 at infradead.org>:
> On Tue, 2015-04-28 at 09:32 +0200, Horváth Szabolcs wrote:
>> ,
>>
>> I have an issue connecting to one of our partners with openconnect.
>> Symptoms are the following:
>> - we can build a VPN with Openconnect on Linux to our partner and it
>> is working fine (traffic is passing through as expected)
>> - we can build a VPN with Cisco Anyconnect on Windows to our partner
>> - we CANNOT build a VPN with Openconnect on Windows to our partner
>> (technically, VPN is built but traffic is not passing through,
>> details below)
>> - we CAN build VPN with OpenConnect on Windows to other partners
>>
>> From all of these, I would say there is nothing wrong with the
>> partner VPN (because connecting to it from windows/anyconnect and
>> linux/openconnect combination are working fine).
>>
>> After days of investigation I found out that there are no ARP replies
>> on the tun interface when connecting from openconnect/windows.
>
> I can't look hard at this for another few hours at least, and I have a
> 2-year-old trying to "help" me type this.... first thought is to look
> at the netmasks.
>
> The whole ARP thing is a fiction because Windows doesn't do tunnel
> devices properly; it makes us pretend to be Ethernet. So we have to
> *fake* ARP in the driver for Legacy IP (and ND for IPv6).
>
> We tell the driver the IP address of the faked "router" on the subnet,
> and it fakes ARP replies from that IP address. This falls over when
> the netmask is 255.255.255.255 though, or something like that...
>
> --
> dwmw2