On Thu, Apr 23, 2020 at 8:32 AM Grant Janssen <grant.janssen@xxxxxxxxx> wrote: > > here is a session I initiated with the verbose and dump options (which are not mentioned in the man page) They are both in there. (`--dump` is actually shorthand for `--dump-http-traffic`) https://www.infradead.org/openconnect/manual.html > I do now see I have a couple of errors > > GlobalProtect login returned unexpected argument value arg[19]=4 > GlobalProtect login returned unexpected argument value arg[20]=unknown > Please report 2 unexpected values above (of which 0 fatal) to <openconnect-devel@xxxxxxxxxxxxxxxxxxx> These are not actually errors, and don't have anything to do with routing configuration. Just unknown values which we are trying to figure out the meaning of by getting users to report their occurrence to us :) > I see all the routes are xmitted from the firewall in the dump, but still only get 14 of 18 the tunnel routes > Though the count below is 16, I only actually have 14, since the DNS servers are added as /32 routes ) I suggest printing the routes with `ip route show`, which displays them in the much more readable CIDR format. OpenConnect *does not* do any routing configuration itself; it simply forwards the routing information to the vpnc-script:. I note that you're getting these 5 errors from the vpnc-script: RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument So, I whip up a quick Python script to figure out what's wrong with your routes… import re from ipaddress import * s=''' < <member>10.1.130.69/30</member> < <member>10.1.129.65/29</member> < <member>10.1.135.65/29</member> < <member>10.1.130.65/30</member> < <member>10.1.129.245/30</member> < <member>10.110.12.0/23</member> < <member>10.1.79.0/24</member> < <member>10.1.80.0/20</member> < <member>10.1.96.0/23</member> < <member>10.1.129.192/27</member> < <member>10.1.130.0/26</member> < <member>10.1.130.128/26</member> < <member>10.1.132.0/24</member> < <member>10.1.133.0/24</member> < <member>10.1.134.0/26</member> < <member>10.1.135.192/26</member> < <member>10.1.156.0/24</member> < <member>10.1.157.0/24</member>''' print([(ip_network(f'{a}/{p}', strict=False), ip_network(f'{a}/{p}', strict=False).network_address==ip_address(a)) for a, p in re.findall('(\d+\.\d+\.\d+\.\d+)/(\d+)',s)]) And this outputs the following… [('10.1.130.69/30', IPv4Network('10.1.130.68/30'), False), ('10.1.129.65/29', IPv4Network('10.1.129.64/29'), False), ('10.1.135.65/29', IPv4Network('10.1.135.64/29'), False), ('10.1.130.65/30', IPv4Network('10.1.130.64/30'), False), ('10.1.129.245/30', IPv4Network('10.1.129.244/30'), False), ('10.110.12.0/23', IPv4Network('10.110.12.0/23'), True), ('10.1.79.0/24', IPv4Network('10.1.79.0/24'), True), ('10.1.80.0/20', IPv4Network('10.1.80.0/20'), True), ('10.1.96.0/23', IPv4Network('10.1.96.0/23'), True), ('10.1.129.192/27', IPv4Network('10.1.129.192/27'), True), ('10.1.130.0/26', IPv4Network('10.1.130.0/26'), True), ('10.1.130.128/26', IPv4Network('10.1.130.128/26'), True), ('10.1.132.0/24', IPv4Network('10.1.132.0/24'), True), ('10.1.133.0/24', IPv4Network('10.1.133.0/24'), True), ('10.1.134.0/26', IPv4Network('10.1.134.0/26'), True), ('10.1.135.192/26', IPv4Network('10.1.135.192/26'), True), ('10.1.156.0/24', IPv4Network('10.1.156.0/24'), True), ('10.1.157.0/24', IPv4Network('10.1.157.0/24'), True)] Voilà. 5 of your 18 routes are specified in a non-canonical way. For example: 10.1.130.69/30 should be 10.1.130.68/30, without any of the first 30 bits set, etc. The `ip route` utilities used by the standard vpnc-script on Linux (https://gitlab.com/openconnect/vpnc-scripts/blob/master/vpnc-script) don't accept these non-canonical routes. You could use an alternate script like vpn-slice (which does accept these https://github.com/dlenski/vpn-slice/issues/20#issuecomment-526765210), but a better idea is to just fix the routes so that they'll be accepted as valid by all routing utilities across all platforms. Dan _______________________________________________ openconnect-devel mailing list openconnect-devel@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/openconnect-devel
