On Thu, Oct 31, 2019 at 3:33 PM Leendert van Doorn <leendert@xxxxxxxxxxxxxx> wrote:
>
> On Thu, Oct 31, 2019 at 6:59 PM Nikos Mavrogiannopoulos <n.mavrogiannopoulos@xxxxxxxxx> wrote:
> >
> > Is there something we can do on the ocserv side to improve that?
> > If we send the routes to the mobile client, would it work? Would you like to propose a patch?
>
> I do have a patch for ocserv. In fact, it's very similar to a patch that you suggested back in 2014. It's in a different spot because the code changed, but the concept is the same.
>
> diff --git a/src/worker-http.c b/src/worker-http.c
> index 7951931a..6c796556 100644
> --- a/src/worker-http.c
> +++ b/src/worker-http.c
> @@ -377,6 +377,8 @@ void header_value_check(struct worker_st *ws, struct http_req_st *req)
> req->user_agent_type = AGENT_OPENCONNECT;
> } else if (strncasecmp(req->user_agent, "OpenConnect VPN Agent", 21) == 0) {
> req->user_agent_type = AGENT_OPENCONNECT;
> + } else if (strncasecmp(req->user_agent, "Cisco Any", 9) == 0) {
> + req->user_agent_type = AGENT_OPENCONNECT;
> }
> break;

This seems to match both the mobile and non-mobile agent. Is that intentional? We don't have automated tests for them, so we'd need some testing with recent clients before enabling that. Should we check a specific version of them? I remember several old versions of them had issues with specific headers.

> I haven't sent it yet because:
>
> 1) IPv6 dns didn't work. I have solved this now, see below.
> 2) I want to understand why full tunnel mode doesn't work. The split route is a hack that works, but it is not very elegant.
>
> I did fix the DNS issue. It turns out that ocserv is sending the wrong answer back to an anyconnect client. For an IPv6 address it should use the following:
>
> X-CSTP-DNS-IP6: 2604:8800:164:0:202:c9ff:fe4d:97b3
>
> Instead the code sends (with my above patch):
>
> X-CSTP-DNS: 2604:8800:164:0:202:c9ff:fe4d:97b3
>
> which anyconnect flags as an invalid server configuration.

It used to be that openconnect would not read the X-CSTP-DNS-IP6 if I remember well. I see it is now handled, so we could make ocserv send the appropriate header that anyconnect would understand as well.

> I'm not sure this is an oversight because the ocserv code does determine whether the dns address is an ipv6 address or not, but then ignores it in the response.
>
> I'm also not sure how this impacts openconnect clients, so I don't want to change the ocserv responses before understanding that better.
>
> Anyway, the dns fix patch is:

Would you like to send the patches as a merge request on the ocserv project, and test the server with anyconnect clients?
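Review bot: the new branch in header_value_check() assigns AGENT_OPENCONNECT to an AnyConnect User-Agent, which conflates two clients that this thread itself shows expect different headers (AnyConnect rejects an IPv6 value sent as X-CSTP-DNS, whereas openconnect has only recently come to read X-CSTP-DNS-IP6); a distinct user_agent_type value for AnyConnect would let the DNS-header change key on the detected client rather than being applied to both. Also, `strncasecmp(req->user_agent, "Cisco Any", 9)` compares only nine characters, so any client-supplied User-Agent starting with "Cisco Any" is classified as a recognised client; comparing against the full product name, as the existing `"OpenConnect VPN Agent", 21` branch does, keeps the match from being satisfied by unrelated strings, and the mobile versus non-mobile distinction raised in the reply would still need its own check.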
regards,
Nikos

_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel
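The two points discussed in the thread, choosing X-CSTP-DNS versus X-CSTP-DNS-IP6 by the address family of the DNS server, and matching the client's User-Agent against its full product name rather than a short prefix, as an added example that is not ocserv's code. The header names come from the thread; the function names, the AGENT_UNKNOWN and AGENT_ANYCONNECT enum values, and the sample addresses (192.0.2.53 is a constructed documentation-range address) are assumptions made here.

```c
/* Added example, not ocserv code. Header names X-CSTP-DNS / X-CSTP-DNS-IP6
 * are the ones quoted in the thread; everything else is hypothetical. */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* AGENT_OPENCONNECT appears in the patch; the other two values are assumed. */
enum agent_type { AGENT_UNKNOWN, AGENT_OPENCONNECT, AGENT_ANYCONNECT };

/* Case-insensitive prefix match using the literal's real length, so the
 * comparison cannot silently cover less of the product name than intended. */
#define UA_HAS_PREFIX(ua, lit) (strncasecmp((ua), (lit), sizeof(lit) - 1) == 0)

/* Classify a client-supplied User-Agent value. Unrecognised strings stay
 * AGENT_UNKNOWN rather than being folded into a known client type. */
enum agent_type classify_user_agent(const char *ua)
{
    if (ua == NULL)
        return AGENT_UNKNOWN;
    if (UA_HAS_PREFIX(ua, "OpenConnect VPN Agent"))
        return AGENT_OPENCONNECT;
    if (UA_HAS_PREFIX(ua, "Cisco AnyConnect"))
        return AGENT_ANYCONNECT;
    return AGENT_UNKNOWN;
}

/* Return the CSTP header name matching the DNS server's address family,
 * or NULL when the string is neither a valid IPv4 nor IPv6 literal. */
const char *cstp_dns_header_name(const char *addr)
{
    unsigned char buf[16];
    if (inet_pton(AF_INET6, addr, buf) == 1)
        return "X-CSTP-DNS-IP6";
    if (inet_pton(AF_INET, addr, buf) == 1)
        return "X-CSTP-DNS";
    return NULL;
}

/* Write "Name: addr\r\n" into out. Returns the number of bytes written
 * (excluding the NUL) or -1 if the address is invalid or out is too small. */
int cstp_dns_header_line(const char *addr, char *out, size_t outlen)
{
    const char *name = cstp_dns_header_name(addr);
    if (name == NULL)
        return -1;
    int n = snprintf(out, outlen, "%s: %s\r\n", name, addr);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

int main(void)
{
    /* Constructed sample input: the IPv6 resolver from the thread, a
     * documentation-range IPv4 resolver, and one malformed entry. */
    const char *dns[] = { "2604:8800:164:0:202:c9ff:fe4d:97b3", "192.0.2.53", "not-an-address" };
    char line[128];
    for (size_t i = 0; i < sizeof dns / sizeof dns[0]; i++) {
        if (cstp_dns_header_line(dns[i], line, sizeof line) < 0)
            printf("skipping invalid DNS address %s\n", dns[i]);
        else
            fputs(line, stdout);
    }
    printf("agent type: %d\n", classify_user_agent("Cisco AnyConnect VPN Agent for Windows"));
    return 0;
}
```

The address-family check is done with inet_pton rather than by looking for a colon, so a malformed resolver entry from the configuration is rejected instead of being sent to the client under whichever header happened to be chosen.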