On Thu, May 31, 2018 at 7:13 PM, David Woodhouse <dwmw2 at infradead.org> wrote:
> On Thu, 2018-05-31 at 18:56 +0300, Daniel Lenski wrote:
>> On Thu, May 31, 2018 at 2:10 PM, David Woodhouse <dwmw2 at infradead.org> wrote:
>> >
>> >
>> > After a lot of hard work and persistence by Dan, the GlobalProtect
>> > support is finally merged. Thanks!
>>
>> Woohoo. There would be several beer emojis here if the list weren't
>> plain-text-only. :-P
>
> It doesn't accept HTML crap but you *can* post UTF-8 text; this isn't
> the 20th century.
>
> If you want beer, you can have it 🍺 🍺
>
> Besides, you didn't reply to the list anyway :)

Derp. Re-adding the list so they can have some 🍺 too.

I'm saddened that I can't use the <blink> tag and vintage Java applets, however.

>> Persisting IP addresses, and requesting specific IP addresses. (I can
>> expand both of these to replicate the behavior for IPv6 addresses, but
>> have no way to test it currently.)
>>
>> [0/2] Explanation.
>> http://lists.infradead.org/pipermail/openconnect-devel/2017-December/004638.html
>> [1/2] Make AnyConnect protocol request the same IPv4 address on reconnect.
>> http://lists.infradead.org/pipermail/openconnect-devel/2017-December/004637.html
>> (already part of GPST)
>> [2/2] Add CLI option to request specific IPv4 address, usable by
>> both AnyConnect and GP protocols.
>> http://lists.infradead.org/pipermail/openconnect-devel/2017-December/004639.html
>
> Hm, I'm not keen on having those for Legacy IP only. Tell me more about
> the AnyConnect side - is that against a Cisco ASA, or ocserv? We ought
> to be able to test the latter with IPv6, certainly.

Cisco ASA only. ocserv ignores X-CSTP-Address as a request header. I suspect it'd be easy to add this behavior, though Nikos might have some thoughts about security implications, and might want to make it optional.

These flags *shouldn't* be necessary, but I have access to one badly-mangled Cisco VPN where I can only access certain hosts if I'm connected via a specific IP address.

Like I said, I *can* write the code to do it for IPv6 too, but I have no way to test it against a real ASA since I currently don't have access to a Cisco ASA that supports IPv6.

GP is a similar situation (https://github.com/dlenski/openconnect/issues/79). I have a highly-educated guess about exactly how to add IPv6 support, but have no way to test it.

> I wasn't aware that the Cisco ASA ever changed the IP address on
> reconnect of an active session.

No, I'm not aware of Cisco ever giving a new IP address when reconnecting with the same cookie. (GlobalProtect, however, will reliably drop the ball on this if I don't include the parameter for a specific IP address, which is why I do it implicitly on reconnection.)

> It *does* change the IP address quite
> frequently when a session expires and you reconnect; can this be used
> to try to work around that?

Yes. Simply put, with --request-ip 1.2.3.4, all the Cisco ASAs I have access to will assign me that IP address as long as it's available to them, and ignore it otherwise.

>> Small patch for the NM-openconnect plugin, which is needed to make the
>> HIP script (--csd-wrapper) work correctly with GlobalProtect. Commit
>> message and comments have more gory details about why:
>>
>> http://lists.infradead.org/pipermail/openconnect-devel/2018-May/004868.html
>
> That ends up running the user-provided csd_wrapper script as the system
> 'nm-openconnect' user. Is that sane?

When the current version runs CSD *in the authentication phase*, it does so as the currently-logged-in user:
https://gitlab.gnome.org/GNOME/network-manager-openconnect/blob/master/auth-dialog/main.c#L1096

Is that the behavior you'd prefer to replicate when running in the connection phase?

It will only apply to GlobalProtect, currently, since Cisco/Juniper protocols don't need to (and don't try to) run the CSD script in the connection phase.

Dan