Openvpn connection ok but blocked on Cisco ASA caused by IP Spoofing

Stefan Schörghofer amd1212 at vier-ringe.at
Fri Aug 10 13:53:38 EDT 2012


Hi List

I'm trying to connect to my company using OpenConnect.
In my company we use a Cisco ASA, and not long ago the
connection worked well.

But now I can connect without a problem, yet can't reach anything behind
the tunnel.
As soon as I am connected, the ASA log is full of these entries:

"Deny IP Spoof from (127.0.0.1) to (172.24.130.56) on interface inside"


Here is some version data:
 - OpenConnect version v4.06
 - iproute version 20120521-3
 - kernel: 3.2.0-3-amd64

I'm using Debian Wheezy and connecting through the following command line
(as root):
/usr/local/bin/openconnect -c /root/VPN/username.pem --no-cert-check -u
username -s /root/VPN/vpnc-script https://remote.------.com

The vpnc-script is the current one from the OpenConnect website, without
modifications.

Attempting to connect to IPADDRESS:443
Client certificate expires soon at: Oct  3 13:41:26 2012 GMT
SSL negotiation with remote.-----.com
Connected to HTTPS on remote.------.com
GET https://remote.------.com/
Got HTTP response: HTTP/1.0 302 Object Moved
SSL negotiation with remote.------.com
Connected to HTTPS on remote.------.com
GET https://remote.-----.com/+webvpn+/index.html
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
Connected tun0 as 10.255.1.5, using SSL
Established DTLS connection


Routes (route -n):
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.0.252   0.0.0.0         UG        0 0          0 wlan0
10.255.1.0      0.0.0.0         255.255.255.0   U         0 0          0 tun0
43.160.0.0      0.0.0.0         255.255.0.0     U         0 0          0 tun0
162.49.245.0    0.0.0.0         255.255.255.0   U         0 0          0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 wlan0
172.22.18.0     0.0.0.0         255.255.255.0   U         0 0          0 tun0
172.22.58.128   0.0.0.0         255.255.255.128 U         0 0          0 tun0
172.22.60.128   0.0.0.0         255.255.255.128 U         0 0          0 tun0
172.22.62.128   0.0.0.0         255.255.255.128 U         0 0          0 tun0
172.22.160.0    0.0.0.0         255.255.255.0   U         0 0          0 tun0
172.24.48.0     0.0.0.0         255.255.254.0   U         0 0          0 tun0
172.24.130.56   0.0.0.0         255.255.255.255 UH        0 0          0 tun0
172.24.130.123  0.0.0.0         255.255.255.255 UH        0 0          0 tun0
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 wlan0
193.178.208.104 192.168.0.252   255.255.255.255 UGH       0 0          0 wlan0



resolv.conf
#@VPNC_GENERATED@ -- this file is generated by vpnc
# and will be overwritten by vpnc
# as long as the above mark is intact
# Generated by NetworkManager
domain at.------.com
search fritz.box
nameserver 172.24.130.123
nameserver 172.24.130.56



Does anyone have an idea why the ASA thinks my client is spoofing the IP
address? I've sniffed with Wireshark and found no packet with
destination IP 127.0.0.1 (a very quick look).
But for other users the ASA connection is working (with Ubuntu, kernel
3.0 and OpenConnect 3.0.2).
I've also tried downgrading to this OpenConnect version, without luck.
What part of my client could be misconfigured to get such an issue?



Thanks in advance
best,
Stefan Schörghofer
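A triage helper for the situation described in this post, added here as an example; it is not code from the original message, from OpenConnect or from Cisco. In the ASA message "Deny IP Spoof from (A) to (B) on interface X", A is the source address the firewall saw and B the destination, so the firewall is complaining about packets whose source is 127.0.0.1 arriving on "inside" through the tunnel. The script below parses such denial lines, counts them per (source, destination, interface), and cross-checks each denied destination against a `route -n` table in the format posted above to show which client interface the packet would have left on, and whether the source the ASA saw matches the client's tunnel address (10.255.1.5 in the post). The sample log lines and the shortened routing table are constructed for the example; the syslog prefix on the log lines (timestamp, host, %ASA-severity-id) is an assumption about how the messages look when collected via syslog, and the parser also accepts the bare form quoted in the post.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed excerpt of a `route -n` table in the format posted above
# (only the rows needed for the example, not the full table).
ROUTE_N_OUTPUT = """\
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.0.252   0.0.0.0         UG        0 0          0 wlan0
10.255.1.0      0.0.0.0         255.255.255.0   U         0 0          0 tun0
172.24.48.0     0.0.0.0         255.255.254.0   U         0 0          0 tun0
172.24.130.56   0.0.0.0         255.255.255.255 UH        0 0          0 tun0
172.24.130.123  0.0.0.0         255.255.255.255 UH        0 0          0 tun0
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 wlan0
"""

# Constructed ASA log lines. The "Aug 10 ... %ASA-2-106016:" prefix is an
# assumed syslog prefix; the last two lines use the bare form quoted in the post.
SAMPLE_LOG = """\
Aug 10 19:40:01 asa01 %ASA-2-106016: Deny IP spoof from (127.0.0.1) to 172.24.130.56 on interface inside
Aug 10 19:40:01 asa01 %ASA-2-106016: Deny IP spoof from (127.0.0.1) to 172.24.130.123 on interface inside
Aug 10 19:40:02 asa01 %ASA-6-302013: Built inbound TCP connection (unrelated line, not a denial)
Deny IP Spoof from (127.0.0.1) to (172.24.130.56) on interface inside
Deny IP Spoof from (10.0.0.9) to (172.24.48.10) on interface inside
"""

# Matches both "to 172.24.130.56" and "to (172.24.130.56)", and either spelling of "spoof".
SPOOF_RE = re.compile(
    r"Deny IP [Ss]poof from \((?P<src>[0-9.]+)\) to \(?(?P<dst>[0-9.]+)\)? "
    r"on interface (?P<iface>\S+)"
)


def parse_route_n(text):
    """Parse `route -n` output into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 8:
            continue
        dest, gw, mask, iface = fields[0], fields[1], fields[2], fields[7]
        routes.append((ip_network(f"{dest}/{mask}"), gw, iface))
    return routes


def egress_for(dst, routes):
    """Longest-prefix match: (iface, gateway) the kernel would use for dst, or None."""
    addr = ip_address(dst)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    net, gw, iface = max(candidates, key=lambda r: r[0].prefixlen)
    return iface, gw


def parse_spoof_denials(text):
    """Return (src, dst, asa_interface) for every spoof-denial line in the log."""
    matches = (SPOOF_RE.search(line) for line in text.splitlines())
    return [(m.group("src"), m.group("dst"), m.group("iface")) for m in matches if m]


def triage(log_text, route_text, tunnel_ip):
    """Count denials per (src, dst, iface), map each dst to the client's egress
    interface, and say whether the source the ASA saw is the tunnel address."""
    routes = parse_route_n(route_text)
    counts = Counter(parse_spoof_denials(log_text))
    report = []
    for (src, dst, asa_if), n in sorted(counts.items()):
        egress = egress_for(dst, routes)
        if src == tunnel_ip:
            verdict = "source is the tunnel address"
        elif ip_address(src).is_loopback:
            verdict = "source is loopback: packet left with 127.0.0.1, not the tun0 address"
        else:
            verdict = "source is not the tunnel address"
        report.append({
            "src": src, "dst": dst, "asa_interface": asa_if, "count": n,
            "client_egress": egress[0] if egress else None,
            "verdict": verdict,
        })
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, ROUTE_N_OUTPUT, "10.255.1.5"):
        print(row)
```

The client-side counterpart of this check is `ip route get 172.24.130.56`: the `src` field in its output is the source address the kernel selects for that destination, and it should be the tun0 address, not 127.0.0.1. Since the ASA reports 127.0.0.1 as the source, a capture filter of `tcpdump -ni tun0 src host 127.0.0.1` is the one to look for such packets with, rather than filtering on destination 127.0.0.1.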
