On Thu, Oct 31, 2019 at 6:59 PM Nikos Mavrogiannopoulos <n.mavrogiannopoulos@xxxxxxxxx> wrote:
>
> Is there something we can do on the ocserv side to improve that?
> If we send the routes to the mobile client, would it work? Would you like to propose a patch?

I do have a patch for ocserv. In fact, it's very similar to a patch that you suggested back in 2014. It's in a different spot because the code changed, but the concept is the same.

diff --git a/src/worker-http.c b/src/worker-http.c index 7951931a..6c796556 100644 --- a/src/worker-http.c +++ b/src/worker-http.c @@ -377,6 +377,8 @@ void header_value_check(struct worker_st *ws, struct http_req_st *req) req->user_agent_type = AGENT_OPENCONNECT; } else if (strncasecmp(req->user_agent, "OpenConnect VPN Agent", 21) == 0) { req->user_agent_type = AGENT_OPENCONNECT; + } else if (strncasecmp(req->user_agent, "Cisco Any", 9) == 0) { + req->user_agent_type = AGENT_OPENCONNECT; } break;

I haven't sent it yet because:

1) IPv6 dns didn't work. I have solved this now, see below.
2) I want to understand why full tunnel mode doesn't work. The split route is a hack that works but it is not very elegant.

I did fix the DNS issue. It turns out that ocserv is sending the wrong answer back to an anyconnect client. For an IPv6 address it should use the following:

X-CSTP-DNS-IP6: 2604:8800:164:0:202:c9ff:fe4d:97b3

Instead the code sends (with my above patch):

X-CSTP-DNS: 2604:8800:164:0:202:c9ff:fe4d:97b3

which anyconnect flags as an invalid server configuration. I'm not sure this is an oversight because the ocserv code does determine whether the dns address is an ipv6 address or not, but then ignores it in the response. I'm also not sure how this impacts openconnect clients, so I don't want to change the ocserv responses before understanding that better.

Anyway, the dns fix patch is:

diff --git a/src/worker-vpn.c b/src/worker-vpn.c index 1acecb17..8b93950e 100644 --- a/src/worker-vpn.c +++ b/src/worker-vpn.c
@@ -1991,7 +1991,8 @@ static int connect_handler(worker_st * ws) oclog(ws, LOG_INFO, "adding DNS %s", ws->user_config->dns[i]); ret = - cstp_printf(ws, "X-CSTP-DNS: %s\r\n", + cstp_printf(ws, "X-CSTP-%s: %s\r\n", + ip6 ? "DNS-IP6" : "DNS", ws->user_config->dns[i]); SEND_ERR(ret); }

- Leendert
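Review bot: In the src/worker-http.c hunk, the new `strncasecmp(req->user_agent, "Cisco Any", 9)` branch assigns AGENT_OPENCONNECT, so every later check of user_agent_type treats a Cisco client exactly like an OpenConnect one, even though the message itself shows the two expect different responses. The User-Agent value is supplied by the client and a 9-character prefix match is broad, so anything keyed on this type should be behaviour a client is allowed to select for itself. Consider giving this client its own agent type value so that client-specific handling can branch on it, and add a comment on the new branch saying which client it is meant to match and why it is grouped with OpenConnect. The hard-coded 9, like the 21 in the branch above it, has to be kept in step with the literal by hand; deriving the length from the string would avoid a silent mismatch if the literal is edited.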
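Review bot: In the src/worker-vpn.c hunk, the added `ip6 ? "DNS-IP6" : "DNS"` argument depends on a variable whose declaration and assignment are not visible in the context lines, so please confirm that ip6 is recomputed for each ws->user_config->dns[i] inside the loop; a value left over from an earlier iteration or an earlier block would label an IPv4 resolver as X-CSTP-DNS-IP6 or the reverse. The change is also unconditional: every client now receives X-CSTP-DNS-IP6 for IPv6 resolvers, not only the client the message says rejects the old header, so it needs a check that OpenConnect clients parse the new header before it is merged, or else the header choice should be gated on user_agent_type. The "adding DNS %s" log line just above could also record which header name was sent, which would make a misconfigured client easier to diagnose from the server log.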