OpenConnect ignores the gateway's proposed MTU

Michael Helmling helmling at mathematik.uni-kl.de
Mon Feb 18 06:49:21 EST 2013


On 18.02.2013 11:32, David Woodhouse wrote:
> On Mon, 2013-02-18 at 10:48 +0100, Michael Helmling wrote:
>> Thank you, the issue does not occur with openconnect-4.99, but it does
>> in 4.08.
>> In the debug output of 4.08 the line
>> "DTLS option X-DTLS-MTU : 1418"
>> appears while with 4.99 the correct value 1330 appears there. I guess
>> that's the point. So the issue will be fixed with the next release version?
> Hm, I didn't think we'd done anything that would *fix* that between 4.08
> and 4.99; I'd like to make sure I fully understand what's going on and
> make sure it's really fixed and will *remain* fixed.
>
> Please could I see the full debug output of 4.99 when you connect with
> the '-v' option on the command line? And also 4.08, preferably. Thanks.
>
The logs are attached. With both versions 4.08 and 4.99 I also get this
certificate warning, which does not happen under 4.07, while I believe
that the SSL certificate is in fact valid. But that seems to be a different
story. :-)

-------------- next part --------------
$ sudo ./openconnect -v -u xxx at rhrk.uni-kl.de --authgroup=Split_Tunnel vpn.uni-kl.de
Attempting to connect to server 131.246.118.6:443
SSL negotiation with 131.246.118.6
No match for altname 'vpn.uni-kl.de'
No altname in peer cert matched '131.246.118.6'
Server certificate verify failed: certificate does not match hostname

Certificate from VPN server "131.246.118.6" failed verification.
Reason: certificate does not match hostname
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on 131.246.118.6
GET https://131.246.118.6/
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Mon, 18 Feb 2013 11:39:00 GMT
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length:  (0)
SSL negotiation with 131.246.118.6
No match for altname 'vpn.uni-kl.de'
No altname in peer cert matched '131.246.118.6'
Server certificate verify failed: certificate does not match hostname
Connected to HTTPS on 131.246.118.6
GET https://131.246.118.6/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
Fixed options give 
Please enter your username and password.
Password:
POST https://131.246.118.6/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpnlogin=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn=<elided>; path=/; secure
Set-Cookie: webvpnc=bu:/CACHE/stc/&p:t&iu:1/&sh:2385B92C063FA8B84D433871088D2AAD9400B2E9&lu:/+CSCOT+/translation-table?textdomain%3DAnyConnect%26type%3Dmanifest&fu:profiles%2FTU-KL_all.xml&fh:A032E3D143CA182D0C849DEC2855B0635818FC31; path=/; secure
Set-Cookie: webvpnx=
Set-Cookie: webvpnaac=1; path=/; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
TCP_INFO rcv mss 1368, snd mss 1368, adv mss 1448, pmtu 1500
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Address: 131.246.83.45
X-CSTP-Netmask: 255.255.252.0
X-CSTP-Address: 2001:638:208:fd4d::101a
X-CSTP-Netmask: 2001:638:208:fd4d::101a/64
X-CSTP-DNS: 131.246.9.116
X-CSTP-DNS: 131.246.1.116
X-CSTP-NBNS: 131.246.121.11
X-CSTP-Lease-Duration: 1209600
X-CSTP-Session-Timeout: none
X-CSTP-Idle-Timeout: 1800
X-CSTP-Disconnected-Timeout: 1800
X-CSTP-Default-Domain: triple-a.uni-kl.de
X-CSTP-Split-Include: 131.246.0.0/255.255.0.0
X-CSTP-Split-Include: 192.68.165.0/255.255.255.0
X-CSTP-Split-Include: 192.68.166.0/255.255.254.0
X-CSTP-Split-Include: 192.68.168.0/255.255.254.0
X-CSTP-Keep: true
X-CSTP-Tunnel-All-DNS: false
X-CSTP-Rekey-Time: 1800
X-CSTP-Rekey-Method: new-tunnel
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-CSTP-MSIE-Proxy-Lockdown: true
X-CSTP-Smartcard-Removal-Disconnect: true
X-DTLS-Session-ID: 20377D0F362FC423A24FB579A4F9B3888FA0D1ECD767C666F08FCDE74B778AFC
X-DTLS-Port: 443
X-DTLS-Keepalive: 20
X-DTLS-DPD: 30
X-DTLS-Rekey-Time: 1800
X-CSTP-MTU: 1331
X-DTLS-MTU: 1418
X-DTLS-CipherSuite: AES256-SHA
X-CSTP-Routing-Filtering-Ignore: false
X-CSTP-Quarantine: false
X-CSTP-Disable-Always-On-VPN: false
X-CSTP-TCP-Keepalive: true
CSTP connected. DPD 30, Keepalive 20
DTLS option X-DTLS-Session-ID : 20377D0F362FC423A24FB579A4F9B3888FA0D1ECD767C666F08FCDE74B778AFC
DTLS option X-DTLS-Port : 443
DTLS option X-DTLS-Keepalive : 20
DTLS option X-DTLS-DPD : 30
DTLS option X-DTLS-Rekey-Time : 1800
DTLS option X-DTLS-MTU : 1418
DTLS option X-DTLS-CipherSuite : AES256-SHA
DTLS connected. DPD 30, Keepalive 20
Connected tun0 as xxx.xxx.xxx.xxx + 2001:xxxxxx, using SSL
No work to do; sleeping for 20000 ms...
Sending uncompressed data packet of 80 bytes
No work to do; sleeping for 16000 ms...
Sending uncompressed data packet of 80 bytes
No work to do; sleeping for 20000 ms...
Sending uncompressed data packet of 80 bytes
No work to do; sleeping for 20000 ms...
Sending uncompressed data packet of 80 bytes
No work to do; sleeping for 20000 ms...
Sending uncompressed data packet of 59 bytes
Sending uncompressed data packet of 59 bytes
No work to do; sleeping for 20000 ms...
Received uncompressed data packet of 110 bytes
Received uncompressed data packet of 145 bytes
No work to do; sleeping for 20000 ms...
Received uncompressed data packet of 72 bytes
Sending uncompressed data packet of 60 bytes
No work to do; sleeping for 20000 ms...
Received uncompressed data packet of 80 bytes
Sending uncompressed data packet of 72 bytes
No work to do; sleeping for 20000 ms...
Received uncompressed data packet of 80 bytes
Sending uncompressed data packet of 72 bytes
No work to do; sleeping for 20000 ms...
Received uncompressed data packet of 80 bytes

-------------- next part --------------
$ sudo ./openconnect -v -u xxx at rhrk.uni-kl.de --authgroup=Split_Tunnel vpn.uni-kl.de
Attempting to connect to server 131.246.118.6:443
SSL negotiation with 131.246.118.6
No match for altname 'vpn.uni-kl.de'
No altname in peer cert matched '131.246.118.6'
Server certificate verify failed: certificate does not match hostname

Certificate from VPN server "131.246.118.6" failed verification.
Reason: certificate does not match hostname
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on 131.246.118.6
POST https://131.246.118.6/
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Mon, 18 Feb 2013 11:45:28 GMT
X-Aggregate-Auth: 1
HTTP body chunked (-2)
XML POST enabled
Password:
POST https://131.246.118.6/
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Mon, 18 Feb 2013 11:45:31 GMT
X-Aggregate-Auth: 1
HTTP body chunked (-2)
TCP_INFO rcv mss 1368, snd mss 1368, adv mss 1448, pmtu 1500
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Address: 131.246.83.79
X-CSTP-Netmask: 255.255.252.0
X-CSTP-Address: 2001:638:208:fd4d::1071
X-CSTP-Netmask: 2001:638:208:fd4d::1071/64
X-CSTP-DNS: 131.246.9.116
X-CSTP-DNS: 131.246.1.116
X-CSTP-NBNS: 131.246.121.11
X-CSTP-Lease-Duration: 1209600
X-CSTP-Session-Timeout: none
X-CSTP-Idle-Timeout: 1800
X-CSTP-Disconnected-Timeout: 1800
X-CSTP-Default-Domain: triple-a.uni-kl.de
X-CSTP-Keep: true
X-CSTP-Tunnel-All-DNS: false
X-CSTP-Rekey-Time: 1800
X-CSTP-Rekey-Method: new-tunnel
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-CSTP-MSIE-Proxy-Lockdown: true
X-CSTP-Smartcard-Removal-Disconnect: true
X-DTLS-Session-ID: F0D6308AB9B440133B0AE70497125937B40B9631C5264AF185DF0D7BF82BFF5E
X-DTLS-Port: 443
X-DTLS-Keepalive: 20
X-DTLS-DPD: 30
X-DTLS-Rekey-Time: 1800
X-CSTP-MTU: 1330
X-DTLS-MTU: 1330
X-DTLS-CipherSuite: AES256-SHA
X-CSTP-Routing-Filtering-Ignore: false
X-CSTP-Quarantine: false
X-CSTP-Disable-Always-On-VPN: false
X-CSTP-TCP-Keepalive: true
X-CSTP-Post-Auth-XML: <?xml version="1.0" encoding="UTF-8"?><config-auth client="vpn" type="complete"><version who="sg">9.1(1)</version><session-id>267235328</session-id><session-token>1401035405 at 267235328@1361187931 at FF8A2667E3D594D74FD2B8257133B5CE0BFC10DB</session-token><auth id="success"><message id="0" param1="" param2=""></message></auth><config client="vpn" type="private"><vpn-base-config><base-package-uri>/CACHE/stc/7</base-package-uri><server-cert-hash>2385B92C063FA8B84D433871088D2AAD9400B2E9</server-cert-hash></vpn-base-config><opaque is-for="vpn-client"><service-profile-manifest><ServiceProfiles rev="1.0">  <Profile service-type="user">    <FileName></FileName>    <FileExtension>xml</FileExtension>    <Directory></Directory>    <DeployDirectory></DeployDirectory>    <Description>AnyConnect VPN Profile</Description>    <DownloadRemoveEmpty>false</DownloadRemoveEmpty>  </Profile>  <Profile service-type="nam">    <FileName>configuration.xml</FileName>    <FileExtension>nsp</FileExtension>    <Directory>Network Access Manager\system</Directory>    <DeployDirectory>Network Access Manager\newConfigFiles</DeployDirectory>    <Description>NAM Service Profile</Description>    <DownloadRemoveEmpty>false</DownloadRemoveEmpty>  </Profile>  <Profile service-type="feedback">    <FileName>CustomerExperience_Feedback.xml</FileName>    <FileExtension>fsp</FileExtension>    <Directory>CustomerExperienceFeedback</Directory>    <DeployDirectory>CustomerExperienceFeedback</DeployDirectory>    <Description>Feedback Service Profile</Description>    <DownloadRemoveEmpty>false</DownloadRemoveEmpty>  </Profile>  <Profile service-type="telemetry">    <FileName>Telemetry_ServiceProfile.xml</FileName>    <FileExtension>tsp</FileExtension>    <Directory>Telemetry</Directory>    <DeployDirectory>Telemetry</DeployDirectory>    <Description>Telemetry Service Profile</Description>    <DownloadRemoveEmpty>false</DownloadRemoveEmpty>  </Profile>  <Profile service-type="websecurity">   
 <FileName>WebSecurity_ServiceProfile.wso</FileName>    <FileExtension>wsp</FileExtension>    <DerivedFileExtension>wso</DerivedFileExtension>    <Directory>websecurity</Directory>    <DeployDirectory>websecurity</DeployDirectory>    <Description>Web Security Service Profile</Description>    <DownloadRemoveEmpty>false</DownloadRemoveEmpty>  </Profile></ServiceProfiles></service-profile-manifest><vpn-client-pkg-version><pkgversion>3,1,02026</pkgversion></vpn-client-pkg-version><vpn-core-manifest><vpn rev="1.0">  <file version="3.1.02026" id="VPNCore" is_core="yes" type="script" action="install">    <uri>binaries/vpnsetup.sh</uri>    <display-name>AnyConnect Secure Mobility Client</display-name>  </file>  <file version="3.1.02026" id="DART" is_core="no" type="script" action="install" module="dart">    <uri>binaries/dartsetup.sh</uri>    <display-name>AnyConnect DART</display-name>  </file>  <file version="3.1.02026" id="Posture" is_core="no" type="script" action="install" module="posture">    <uri>binaries/posturesetup.sh</uri>    <display-name>AnyConnect Posture</display-name>  </file></vpn></vpn-core-manifest><custom-attr></custom-attr></opaque><vpn-profile-manifest><vpn rev="1.0"><file type="profile" service-type="user"><uri>/CACHE/stc/profiles/TU-KL_all.xml</uri><hash type="sha1">A032E3D143CA182D0C849DEC2855B0635818FC31</hash></file></vpn></vpn-profile-manifest></config></config-auth>
CSTP connected. DPD 30, Keepalive 20
DTLS option X-DTLS-Session-ID : F0D6308AB9B440133B0AE70497125937B40B9631C5264AF185DF0D7BF82BFF5E
DTLS option X-DTLS-Port : 443
DTLS option X-DTLS-Keepalive : 20
DTLS option X-DTLS-DPD : 30
DTLS option X-DTLS-Rekey-Time : 1800
DTLS option X-DTLS-MTU : 1330
DTLS option X-DTLS-CipherSuite : AES256-SHA
DTLS connected. DPD 30, Keepalive 20
Connected tun0 as 131.xxx.xxx.xxx + 2001:xxxxx, using SSL
No work to do; sleeping for 20000 ms...
Sending uncompressed data packet of 159 bytes
No work to do; sleeping for 19000 ms...
Sending uncompressed data packet of 76 bytes

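When triaging a report like this one, the useful first step is to pull the negotiated CSTP/DTLS parameters out of each `-v` log and diff them between client versions, so that the MTU discrepancy (X-CSTP-MTU 1331 versus X-DTLS-MTU 1418 in the 4.08 log, 1330/1330 in the 4.99 log) stands out from the noise of session IDs and assigned addresses. The script below is an added example written for this thread; it is not part of OpenConnect and makes no claim about how OpenConnect itself computes the MTU. It parses the CONNECT response headers, the `DTLS option` lines and the `TCP_INFO` line exactly as they appear in the attached logs; the two embedded log excerpts are shortened copies of the logs above, constructed for the example.

```python
"""Parse OpenConnect '-v' debug output and diff the negotiated CSTP/DTLS
parameters between two connection attempts (added example, not OpenConnect code)."""
import re
from collections import defaultdict

# Line shapes taken from the debug logs in this thread.
HEADER_RE = re.compile(r"^(X-(?:CSTP|DTLS)-[A-Za-z0-9-]+):\s*(.*)$")
OPTION_RE = re.compile(r"^DTLS option (X-DTLS-[A-Za-z0-9-]+) : (.*)$")
TCPINFO_RE = re.compile(
    r"^TCP_INFO rcv mss (\d+), snd mss (\d+), adv mss (\d+), pmtu (\d+)$")

# Constructed excerpts of the 4.08 and 4.99 logs attached above.
LOG_408 = """\
TCP_INFO rcv mss 1368, snd mss 1368, adv mss 1448, pmtu 1500
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Address: 131.246.83.45
X-CSTP-Netmask: 255.255.252.0
X-CSTP-Split-Include: 131.246.0.0/255.255.0.0
X-CSTP-Split-Include: 192.68.165.0/255.255.255.0
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-DTLS-Port: 443
X-CSTP-MTU: 1331
X-DTLS-MTU: 1418
X-DTLS-CipherSuite: AES256-SHA
CSTP connected. DPD 30, Keepalive 20
DTLS option X-DTLS-Port : 443
DTLS option X-DTLS-MTU : 1418
DTLS option X-DTLS-CipherSuite : AES256-SHA
DTLS connected. DPD 30, Keepalive 20
"""

LOG_499 = """\
TCP_INFO rcv mss 1368, snd mss 1368, adv mss 1448, pmtu 1500
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Address: 131.246.83.79
X-CSTP-Netmask: 255.255.252.0
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-DTLS-Port: 443
X-CSTP-MTU: 1330
X-DTLS-MTU: 1330
X-DTLS-CipherSuite: AES256-SHA
CSTP connected. DPD 30, Keepalive 20
DTLS option X-DTLS-Port : 443
DTLS option X-DTLS-MTU : 1330
DTLS option X-DTLS-CipherSuite : AES256-SHA
DTLS connected. DPD 30, Keepalive 20
"""


def parse_log(text):
    """Return the CONNECT headers (multi-valued, in order), the DTLS options
    the client actually applied, and the TCP_INFO path numbers."""
    headers = defaultdict(list)
    options = {}
    tcp_info = None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            headers[m.group(1)].append(m.group(2))
            continue
        m = OPTION_RE.match(line)
        if m:
            options[m.group(1)] = m.group(2)
            continue
        m = TCPINFO_RE.match(line)
        if m:
            names = ("rcv_mss", "snd_mss", "adv_mss", "pmtu")
            tcp_info = dict(zip(names, map(int, m.groups())))
    return {"headers": dict(headers), "dtls_options": options, "tcp_info": tcp_info}


def mtu_report(parsed):
    """Summarise the MTU-related values and flag a CSTP/DTLS MTU mismatch."""
    h = parsed["headers"]
    cstp = int(h["X-CSTP-MTU"][0]) if "X-CSTP-MTU" in h else None
    dtls = int(h["X-DTLS-MTU"][0]) if "X-DTLS-MTU" in h else None
    pmtu = parsed["tcp_info"]["pmtu"] if parsed["tcp_info"] else None
    return {"cstp_mtu": cstp, "dtls_mtu": dtls, "pmtu": pmtu,
            "dtls_matches_cstp": cstp is not None and cstp == dtls}


def diff_negotiation(a, b, ignore=("X-DTLS-Session-ID", "X-CSTP-Address",
                                   "X-CSTP-Netmask")):
    """Headers whose values differ between two parsed logs, minus per-session noise."""
    keys = set(a["headers"]) | set(b["headers"])
    return {k: (a["headers"].get(k), b["headers"].get(k))
            for k in sorted(keys)
            if k not in ignore and a["headers"].get(k) != b["headers"].get(k)}


if __name__ == "__main__":
    old, new = parse_log(LOG_408), parse_log(LOG_499)
    print("4.08:", mtu_report(old))
    print("4.99:", mtu_report(new))
    for key, (was, now) in diff_negotiation(old, new).items():
        print(f"{key}: {was} -> {now}")
```

Session IDs and assigned addresses are excluded from the diff by default because they change on every connection; the remaining differences are what a developer would want attached to a report like the one above.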