Hey Daniel,

Quick question... I installed GnuTLS 3.6.13, the most recent version... and when I ./configure the openconnect bits... I see this:

...
checking for known-broken versions of GnuTLS... yes
configure: error: DTLS is insecure in GnuTLS v3.6.3 through v3.6.12.
see https://gitlab.com/gnutls/gnutls/issues/960
Add --without-gnutls-version-check to configure args to avoid this check
(DTLS will still be disabled at runtime), or build with another version.

Do you know if the DTLS issue still exists in 3.6.13 (as the warning says v3.6.3 through v3.6.12, which I should be outside of).. or is there a problem with the test?

./Darren

On Tue, Mar 31, 2020 at 5:35 PM Daniel Lenski <dlenski@xxxxxxxxx> wrote:
>
> One other thing to check is whether ping or DNS lookup packets can get
> through. I have seen a few cases where a VPN server will block all
> traffic to a client except ping and/or DNS lookups… because of some
> kind of security scanner that doesn't like the client, perhaps due to
> some minor change like the version number in the User-Agent.
>
> With vpn-slice, you should get /etc/hosts aliases for the DNS servers,
> called dns0.tun0 and dns1.tun0, as a convenience. With the “normal”
> vpnc-script, they'll end up in /etc/resolv.conf, or wherever.
>
> Do any of these work?
> ping [DNS server]
> dig @[DNS server IP] [known hostname internal to the VPN]
>
> -Dan
>
> On Tue, Mar 31, 2020 at 2:27 PM Daniel Lenski <dlenski@xxxxxxxxx> wrote:
> >
> > Glad to hear of another (happy? ) vpn-slice user. Looks like you did
> > your homework very solidly here.
> >
> > For what it's worth, OpenConnect doesn't run the tests that involve
> > real interaction with a server unless you have ocserv and a couple
> > other tools installed (see
> > https://www.infradead.org/openconnect/building.html). It appears that
> > they didn't run here.
> >
> > It's quite surprising that running with --no-dtls doesn't fix this
> > problem. Assuming that you were running OpenConnect v7.08 (very widely
> > distributed) on the old laptop, it may be worth using git-bisect to
> > try to narrow down where we (may have) broken your setup.
> >
> > -Dan
> >
> >
> > On Tue, Mar 31, 2020 at 1:59 PM Darren Fuller <dfuller@xxxxxxxxxxxxxx> wrote:
> > >
> > > On Tue, Mar 31, 2020 at 3:40 PM Daniel Lenski <dlenski@xxxxxxxxx> wrote:
> > > >
> > > > On Tue, Mar 31, 2020 at 10:43 AM Darren Fuller <dfuller@xxxxxxxxxxxxxx> wrote:
> > > > > I was running openconnect on my old laptop for years without issue.
> > > > > I was given a new laptop from work and I can't for the life of me get
> > > > > it to function properly now.
> > > >
> > > > What version were you using on the old laptop?
> > > > Any other possibly relevant changes?
> > > > Any change in the vpnc-script
> > > > (https://www.infradead.org/openconnect/vpnc-script.html) that you are
> > > > using?
> > >
> > > I have no idea other than I had it for about 2 years.. the laptop
> > > went tits up unexpectedly and although I had the script I used to
> > > connect saved in a private git repo, I didn't have information on
> > > versions.
> > >
> > > I used to use the vpn-slice script, but when that didn't work, I
> > > omitted the -s altogether to see if I could figure it out.
> > >
> > > > > The new laptop is on Linux Mint 19.3. I built all the prerequisite
> > > > > libraries from source as well as the latest version of openconnect.
> > > >
> > > > I haven't seen anyone build OpenConnect with OpenSSL 3.0.0-dev before.
> > > > This is a very new version and it's possible that something doesn't
> > > > work right with DTLS.
> > >
> > > OK.... I will back that out and try an older version.. is there a
> > > preferred version to use?
> > >
> > > >
> > > > > Here is my output from --version
> > > > >
> > > > > > openconnect --version
> > > > > OpenConnect version v8.06-1-g9377c0ed
> > > > > Using OpenSSL 3.0.0-dev xx XXX xxxx. Features present: TPM (OpenSSL
> > > > > ENGINE not present), PKCS#11, RSA software token, HOTP software token,
> > > > > TOTP software token, DTLS, ESP
> > > > > Supported protocols: anyconnect (default), nc, gp, pulse
> > > > >
> > > > > When I connect, I get no errors, but I can't seem to do anything on
> > > > > the remote network.
> > > > >
> > > > > Here is an anonymized version of what I am using to connect. Note,
> > > > > these are the same values I used on the old machine without issue:
> > > >
> > > > Things to try:
> > > >
> > > > 1 (help us figure out what's wrong): Run `make check` to test
> > > > openconnect against a local copy of ocserv. This will likely help to
> > > > pinpoint a DTLS problem.
> > >
> > > I did run make check when I built it initially. Here is the make check output:
> > >
> > > (Tue Mar-3 4:48:56pm)-(CPU 24.7%:0:Net 88)-(darren:~/dev/openconnect)-(3.8M:139)
> > > > make check
> > > Making check in tests
> > > make[1]: Entering directory '/home/darren/dev/openconnect/tests'
> > > make
> > > make[2]: Entering directory '/home/darren/dev/openconnect/tests'
> > > make[2]: Nothing to be done for 'all'.
> > > make[2]: Leaving directory '/home/darren/dev/openconnect/tests'
> > > make check-TESTS
> > > make[2]: Entering directory '/home/darren/dev/openconnect/tests'
> > > make[3]: Entering directory '/home/darren/dev/openconnect/tests'
> > > PASS: lzstest
> > > PASS: seqtest
> > > PASS: bad_dtls_test
> > > ============================================================================
> > > Testsuite summary for openconnect 8.06
> > > ============================================================================
> > > # TOTAL: 3
> > > # PASS: 3
> > > # SKIP: 0
> > > # XFAIL: 0
> > > # FAIL: 0
> > > # XPASS: 0
> > > # ERROR: 0
> > > ============================================================================
> > > make[3]: Leaving directory '/home/darren/dev/openconnect/tests'
> > > make[2]: Leaving directory '/home/darren/dev/openconnect/tests'
> > > make[1]: Leaving directory '/home/darren/dev/openconnect/tests'
> > > Making check in po
> > > make[1]: Entering directory '/home/darren/dev/openconnect/po'
> > > make[1]: Nothing to be done for 'check'.
> > > make[1]: Leaving directory '/home/darren/dev/openconnect/po'
> > > make[1]: Entering directory '/home/darren/dev/openconnect'
> > > make[1]: Leaving directory '/home/darren/dev/openconnect'
> > >
> > > >
> > > > 2 (just make it work right now): Add --no-dtls to the command line.
> > > > This disables DTLS and uses only TLS for the tunnel. It's suboptimal,
> > > > and probably slower, but if it can authenticate and do the routing
> > > > setup correctly… the tunnel should work pretty much no matter what.
> > >
> > > I tried this looking at the output from another set of questions on
> > > here.. doesn't seem to make a difference.
> > >
> > > When I try to open a web page on a known IP in the remote network I
> > > get no replies at all:
> > >
> > > > sudo tcpdump -i tun0 | grep 209.171.240.41
> > > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > > listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
> > > 16:53:42.630947 IP u11026.44826 > 209.171.240.41.8200: Flags [S], seq 383197302, win 64480, options [mss 1240,sackOK,TS val 1577079246 ecr 0,nop,wscale 7], length 0
> > > 16:53:42.631004 IP u11026.44826 > 209.171.240.41.8200: Flags [S], seq 1061496345, win 64480, options [mss 1240,sackOK,TS val 1577079246 ecr 0,nop,wscale 7], length 0
> > > 16:53:42.882330 IP u11026.44832 > 209.171.240.41.8200: Flags [S], seq 2750626011, win 64480, options [mss 1240,sackOK,TS val 1577079497 ecr 0,nop,wscale 7], length 0
> > > 16:53:43.633580 IP u11026.44828 > 209.171.240.41.8200: Flags [S], seq 1061496345, win 64480, options [mss 1240,sackOK,TS val 1577080249 ecr 0,nop,wscale 7], length 0
> > > 16:53:43.633594 IP u11026.44826 > 209.171.240.41.8200: Flags [S], seq 383197302, win 64480, options [mss 1240,sackOK,TS val 1577080249 ecr 0,nop,wscale 7], length 0
> > > 16:53:43.889571 IP u11026.44826 > 209.171.240.41.8200: Flags [S], seq 2750626011, win 64480, options [mss 1240,sackOK,TS val 1577080505 ecr 0,nop,wscale 7], length 0
> > > 16:53:45.649591 IP u11026.44826 > 209.171.240.41.8200: Flags [S], seq 383197302, win 64480, options [mss 1240,sackOK,TS val 1577082265 ecr 0,nop,wscale 7], length 0
> > >
> > > >
> > > > 2 (rebuild with GnuTLS): This should be as simple as `sudo apt-get
> > > > install libgnutls-dev && ./configure --with-gnutls && make`. Do note
> > > > that DTLS is disabled with some recent versions of GnuTLS, because of
> > > > a security bug.
> > > >
> > > > We generally suggest building with GnuTLS, rather than DTLS.
> > > >
> > >
> > > I'll do this too. Stay tuned.
> > >
> > >
> > > Thanks for the help Daniel...
> > > ./Darren

_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel
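The "known-broken versions of GnuTLS" test that the configure error at the top of the thread reports, rewritten as a stand-alone POSIX sh script so a version string can be checked before (or instead of) running ./configure. This is an added example, not code from the thread or from OpenConnect's own configure script; the range v3.6.3 through v3.6.12 and the gnutls issue number are taken from the quoted error, the function and script names are mine, and the no-argument mode assumes pkg-config is installed and can see the same GnuTLS that configure would find.

```shell
#!/bin/sh
# Added example (not OpenConnect's configure code): reproduce the
# "known-broken versions of GnuTLS" check quoted in the thread.
# Broken range v3.6.3 .. v3.6.12 comes from the quoted configure error
# (https://gitlab.com/gnutls/gnutls/issues/960).

# gnutls_dtls_broken VERSION
#   Returns 0 (true) when VERSION falls inside the known-broken range,
#   1 otherwise.  Accepts "3.6.13" or "v3.6.13"; a suffix such as
#   "3.6.13-dev" or "3.6.5rc1" is ignored for the comparison.
gnutls_dtls_broken() {
    v=${1#v}
    major=${v%%.*}
    case $v in *.*) rest=${v#*.} ;; *) rest=0 ;; esac      # "3" means 3.0.0
    minor=${rest%%.*}
    case $rest in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac  # "3.6" means 3.6.0
    patch=${patch%%.*}
    # Drop any non-numeric suffix ("13-dev" -> "13") so test(1) sees integers.
    major=${major%%[!0-9]*}; minor=${minor%%[!0-9]*}; patch=${patch%%[!0-9]*}
    [ -n "$major" ] && [ -n "$minor" ] && [ -n "$patch" ] || return 1
    # Only the 3.6.x series is affected.  Compare the patch level as an
    # integer: a string comparison would sort 3.6.13 before 3.6.3.
    [ "$major" -eq 3 ] && [ "$minor" -eq 6 ] \
        && [ "$patch" -ge 3 ] && [ "$patch" -le 12 ]
}

# gnutls_check_report VERSION
#   Prints a one-line verdict; returns the status of gnutls_dtls_broken.
gnutls_check_report() {
    if gnutls_dtls_broken "$1"; then
        echo "GnuTLS $1: inside v3.6.3..v3.6.12, DTLS insecure (gnutls issue 960);" \
             "OpenConnect disables DTLS at runtime with this version"
        return 0
    fi
    echo "GnuTLS $1: outside the known-broken range"
    return 1
}

# Usage: sh gnutls-dtls-check.sh [VERSION]
# With no argument, ask pkg-config for the installed version (assumes the
# GnuTLS first on PKG_CONFIG_PATH is the one ./configure will pick up).
if [ $# -gt 0 ]; then
    gnutls_check_report "$1"
elif ver=$(pkg-config --modversion gnutls 2>/dev/null); then
    gnutls_check_report "$ver"
else
    echo "pkg-config could not find gnutls; pass the version as an argument" >&2
fi
```

Run as `sh gnutls-dtls-check.sh 3.6.13` to get the verdict for the version in the question (outside the range, so a "yes" from configure for that version points at the build picking up a different, older libgnutls on the system rather than at the check itself); the exit status is 0 only for a broken version, so the script can gate a build step.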