RE: [EXTERNAL] Re: What throughput is reasonable?

Hrrrm…  No dice here.

Summary: Getting some RTNETLINK barking and "policy FAIL" on the server side, but ESP connection does seem to connect.

But no traffic flowing through it. The "client's" tun0 interface does show OUTPUT packets, but nothing seems to be coming back from the other end?

See detailed output from both sides below -- I've probably missed something.

--------

Server Side:

$ sudo ./espsetup.sh
0x87654321 0x12345678
RTNETLINK answers: No such process
RTNETLINK answers: No such process

$ sudo ./esplisten.pl &
setsockopt:: policy FAIL
setsockopt:: policy FAIL
setsockopt:: UDP_ENCAP OK

$ openssl s_server -accept 8443 -crlf -cert server-cert.pem -key server-key.pem 
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MFUCAQECAgMDBALALwQABDC7IgsOtJgDJlfJjHIKuR5TC9tfSenNr4DLZdwdxSpv
0gSTz+NsZY90x2qyRjt/rOuhBgIEXKusc6IEAgIBLKQGBAQBAAAA
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-DES-CBC3-SHA:ECDHE-RSA-RC4-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES128-SHA256:AES256-SHA:AES256-SHA256:CAMELLIA128-SHA:CAMELLIA256-SHA:DES-CBC3-SHA:RC4-SHA:RC4-MD5:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:EDH-RSA-DES-CBC3-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-DSS-AES256-GCM-SHA384:DHE-DSS-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:DHE-DSS-AES256-SHA256:DHE-DSS-CAMELLIA128-SHA:DHE-DSS-CAMELLIA256-SHA:EDH-DSS-DES-CBC3-SHA
Signature Algorithms: RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA512:ECDSA+SHA512:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Signature Algorithms: RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA512:ECDSA+SHA512:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Supported Elliptic Curve Point Formats: uncompressed
Supported Elliptic Curves: P-256:P-384:P-521
Shared Elliptic curves: P-256:P-384:P-521
CIPHER is ECDHE-RSA-AES128-GCM-SHA256
Secure Renegotiation IS supported
POST /ssl-vpn/getconfig.esp HTTP/1.1
Host: 10.181.43.20:8443
User-Agent: PAN GlobalProtect
X-Pad: 0000000000000000000000000000000000000000000
Content-Type: application/x-www-form-urlencoded
Content-Length: 149

client-type=1&protocol-version=p1&app-version=3.0.1-10&clientos=Linux&os-version=linux-64&hmac-algo=sha1%2cmd5&enc-algo=aes-128-cbc%2caes-256-cbc&asd

################## Pasted gpconf.xml here ##################
HTTP/1.1 200 OK
Content-Length: 991

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<response>
  <ip-address>172.16.0.1</ip-address>
  <netmask>255.255.255.0</netmask>
  <mtu>1460</mtu>
  <gw-address>172.16.0.2</gw-address>
  <ipsec>
    <udp-port>8443</udp-port>
    <enc-algo>aes128</enc-algo>
    <hmac-algo>sha1</hmac-algo>
    <c2s-spi>12345678</c2s-spi>
    <s2c-spi>87654321</s2c-spi>
    <ekey-c2s>
      <bits>512</bits>
      <val>1234567890123456789012345678901234567890123456789012345678901234</val>
    </ekey-c2s>
    <ekey-s2c>
      <bits>512</bits>
      <val>1234567890123456789012345678901234567890123456789012345678901234</val>
    </ekey-s2c>
      <akey-c2s>
        <bits>512</bits>
        <val>1234567890123456789012345678901234567890123456789012345678901234</val>
      </akey-c2s>
      <akey-s2c>
        <bits>512</bits>
        <val>1234567890123456789012345678901234567890123456789012345678901234</val>
      </akey-s2c>
    <ipsec-mode>esp-tunnel</ipsec-mode>
  </ipsec>
</response>

HTTP/1.1 200 OK
Content-Length: 124

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<response>
  <hip-report-needed>no</hip-report-needed>
</response>
################## End of Paste ##################
START_TUNNEL
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)
POST /ssl-vpn/hipreportcheck.esp HTTP/1.1
Host: 10.181.43.20:8443
User-Agent: PAN GlobalProtect
X-Pad: 00000000000000000000000000000000000
Content-Type: application/x-www-form-urlencoded
Content-Length: 93

client-role=global-protect-full&asd&client-ip=172.16.0.1&md5=7815696ecbf1c96e6894b779456d330eERROR
shutting down SSL
CONNECTION CLOSED
ACCEPT

From CLIENT side (logged in as root)

# ip tuntap add mode tun user $LOGNAME
# ip link set tun0 up
# ifconfig tun0 172.16.0.1 pointopoint 172.16.0.2
# ./openconnect 10.181.43.20:8443 --protocol gp -C asd --servercert pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=  --dtls-local-port=8443 -i tun0 -s /bin/true
POST https://10.181.43.20:8443/ssl-vpn/getconfig.esp
Connected to 10.181.43.20:8443
SSL negotiation with 10.181.43.20
Server certificate verify failed: signer not found
Connected to HTTPS on 10.181.43.20
POST https://10.181.43.20:8443/ssl-vpn/hipreportcheck.esp
Connected as 172.16.0.1, using SSL, with ESP in progress
ESP session established with server
ESP tunnel connected; exiting HTTPS mainloop.
^Z
[1]+  Stopped                 ./openconnect 10.181.43.20:8443 --protocol gp -C asd --servercert pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --dtls-local-port=8443 -i tun0 -s /bin/true
# bg
[1]+ ./openconnect 10.181.43.20:8443 --protocol gp -C asd --servercert pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --dtls-local-port=8443 -i tun0 -s /bin/true &
# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.181.43.29  netmask 255.255.255.0  broadcast 10.181.43.255
        inet6 fe80::250:56ff:fea9:795c  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:a9:79:5c  txqueuelen 1000  (Ethernet)
        RX packets 13604  bytes 1966636 (1.8 MiB)
        RX errors 0  dropped 103  overruns 0  frame 0
        TX packets 12400  bytes 2155612 (2.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 951  bytes 60520 (59.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 951  bytes 60520 (59.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1460
        inet 172.16.0.1  netmask 255.255.255.255  destination 172.16.0.2
        inet6 fe80::6484:59f6:9a57:76c1  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3  bytes 144 (144.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.181.43.1     0.0.0.0         UG        0 0          0 eth0
10.181.43.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
172.16.0.2      0.0.0.0         255.255.255.255 UH        0 0          0 tun0

[root@flehpcvpn0009 openconnect-PATCHED3]# ping 172.16.0.1
PING 172.16.0.1 (172.16.0.1) 56(84) bytes of data.
64 bytes from 172.16.0.1: icmp_seq=1 ttl=64 time=0.018 ms
^C
--- 172.16.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.018/0.018/0.018/0.000 ms

# ping 172.16.0.2
PING 172.16.0.2 (172.16.0.2) 56(84) bytes of data.
^C
--- 172.16.0.2 ping statistics ---
10 packets transmitted, 0 received, 100% packet loss, time 2999ms

----------------------------------------------
From: David Woodhouse [mailto:dwmw2@xxxxxxxxxxxxx] 
Sent: Monday, April 8, 2019 3:09 PM
To: Phillips, Tony
Cc: Nikos Mavrogiannopoulos; Daniel Lenski; openconnect-devel@xxxxxxxxxxxxxxxxxxx
Subject: RE: [EXTERNAL] Re: What throughput is reasonable?

Sounds good. Run s_server on the fake server. Paste the HTTP responses when the client connects to it. Don't forget to run esplisten.pl on the server too.
-- 
dwmw2
_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel
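As an added example (not code from the post, nor from openconnect or the espsetup/esplisten scripts), a small Python parser for the getconfig.esp response quoted above: it pulls out the ESP parameters and flags the things that leave a tunnel "connected" but silent, such as SPIs that are zero or identical in both directions, keys too short for the named algorithm, or obviously patterned key material. The SPIs are read as hex, which matches the 0x87654321 0x12345678 echo from espsetup.sh; treating <val> as hex-encoded raw keys and the per-algorithm minimum key sizes are my assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed from the getconfig.esp body quoted in the post (declaration and indentation trimmed).
KEY_VAL = "1234567890" * 6 + "1234"          # the 64-hex-character placeholder <val> used there
KEYS_XML = "".join(
    f"<{n}><bits>512</bits><val>{KEY_VAL}</val></{n}>"
    for n in ("ekey-c2s", "ekey-s2c", "akey-c2s", "akey-s2c"))
GPCONF_XML = f"""<response>
  <ip-address>172.16.0.1</ip-address><netmask>255.255.255.0</netmask>
  <mtu>1460</mtu><gw-address>172.16.0.2</gw-address>
  <ipsec>
    <udp-port>8443</udp-port><enc-algo>aes128</enc-algo><hmac-algo>sha1</hmac-algo>
    <c2s-spi>12345678</c2s-spi><s2c-spi>87654321</s2c-spi>
    {KEYS_XML}
    <ipsec-mode>esp-tunnel</ipsec-mode>
  </ipsec>
</response>"""

KEY_BYTES = {"aes128": 16, "aes256": 32, "sha1": 20, "md5": 16}  # assumed minimum key sizes

def parse_gpconf(xml_text):
    """Return the ESP parameters from a getconfig.esp response plus a list of problems."""
    root = ET.fromstring(xml_text)
    ipsec = root.find("ipsec")
    if ipsec is None:
        raise ValueError("no <ipsec> block: the gateway offered no ESP tunnel")
    problems = []
    cfg = {
        "ip": root.findtext("ip-address"), "gw": root.findtext("gw-address"),
        "mtu": int(root.findtext("mtu")), "udp_port": int(ipsec.findtext("udp-port")),
        "enc": ipsec.findtext("enc-algo"), "hmac": ipsec.findtext("hmac-algo"),
        "c2s_spi": int(ipsec.findtext("c2s-spi"), 16),  # hex, as espsetup.sh's 0x12345678 echo shows
        "s2c_spi": int(ipsec.findtext("s2c-spi"), 16),
        # <val> is assumed to be hex-encoded raw key material.
        "keys": {n: bytes.fromhex(ipsec.find(n).findtext("val"))
                 for n in ("ekey-c2s", "ekey-s2c", "akey-c2s", "akey-s2c")},
    }
    if 0 in (cfg["c2s_spi"], cfg["s2c_spi"]) or cfg["c2s_spi"] == cfg["s2c_spi"]:
        problems.append("SPIs must be non-zero and distinct per direction")
    for name, key in cfg["keys"].items():
        algo = cfg["enc"] if name.startswith("ekey") else cfg["hmac"]
        want = KEY_BYTES.get(algo)
        if want is None:
            problems.append("%s: unsupported algorithm %r" % (name, algo))
        elif len(key) < want:
            problems.append("%s: %d bytes, %s needs %d" % (name, len(key), algo, want))
        if len(set(key)) < 8:   # real keys are random; repeated patterns mean test/placeholder material
            problems.append("%s: low-entropy material, only %d distinct byte values" % (name, len(set(key))))
    return dict(cfg, problems=problems)
```

Run against the quoted response it reports the four placeholder keys as low-entropy (which is expected for a fake server) and nothing else, so the silent tunnel in the post is not explained by the config itself.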