IPv6 default route not set using OpenConnect

shouldbe q931 shouldbeq931 at gmail.com
Tue Feb 19 04:50:23 EST 2013


Running Ubuntu 12.10 X64

Connecting to a dual stack ASA running 9.1.1

Connecting from an IPv4 only network

The IPv4 side of both clients works as expected, however the IPv6 side
has some differences.

The AnyConnect client provides an IPv6 /128 address and sets the
default route for IPv6 traffic across the VPN

OpenConnect provides an IPv6 /64 address and the default route is set to lo


In the output below, I have done some basic "sanitizing" on user, host
and domain names, IPv6 addresses and public IPv4 addresses


Using the Cisco AnyConnect client 3.1.02026

user at V5-171:~$ netstat -6 -r
Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met Ref Use If
2001:1:2:3::2/128              ::                         U    256 0     0 cscotun0
fe80::/64                      ::                         U    256 0     0 cscotun0
::/0                           ::                         U    1   0     0 cscotun0
::/0                           ::                         !n   -1  1   341 lo
::1/128                        ::                         Un   0   1    83 lo
2001:1:2:3::2/128              ::                         Un   0   1   528 lo
fe80::aed:b9ff:fef8:fc21/128   ::                         Un   0   1     0 lo
ff00::/8                       ::                         U    256 0     0 eth1
ff00::/8                       ::                         U    256 0     0 cscotun0
::/0                           ::                         !n   -1  1   341 lo

Using OpenConnect 4.0.6-1ubuntu1 and NetworkManager OpenConnect
0.9.6.0-0ubuntu1 from the Ubuntu repo

user at V5-171:~$ netstat -6 -r
Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met Ref Use If
2001:1:2:3::/64                ::                         U    256 0     0 vpn0
fe80::/64                      ::                         U    256 0     0 eth1
fe80::/64                      ::                         U    256 0     0 vpn0
::/0                           ::                         !n   -1  1   511 lo
::1/128                        ::                         Un   0   1    84 lo
2001:1:2:3::2/128              ::                         Un   0   1     0 lo
fe80::aed:b9ff:fef8:fc21/128   ::                         Un   0   1     0 lo
ff00::/8                       ::                         U    256 0     0 eth1
ff00::/8                       ::                         U    256 0     0 vpn0
::/0                           ::                         !n   -1  1   511 lo




I then tried connecting in a shell

sudo openconnect -vvv https://asa.domain.com
Attempting to connect to 1.2.3.4:443
SSL negotiation with asa.domain.com
Connected to HTTPS on asa.domain.com
GET https://asa.domain.com/
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Sat, 02 Feb 2013 12:21:40 GMT
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length:  (0)
SSL negotiation with asa.domain.com
Connected to HTTPS on asa.domain.com
GET https://asa.domain.com/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
Fixed options give
Please enter your username and password.
Username:user
Password:
POST https://asa.domain.com/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpnlogin=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn=<elided>; path=/; secure
Set-Cookie: webvpnc=bu:/CACHE/stc/&p:t&iu:1/&sh:<deleted>:/+CSCOT+/translation-table?textdomain%3DAnyConnect%26type%3Dmanifest&fu:profiles%2Fasa.domain.com.xml&fh:<deleted>; path=/; secure
Set-Cookie: webvpnx=
Set-Cookie: webvpnaac=1; path=/; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
TCP_INFO rcv mss 1448, snd mss 1448, adv mss 1448, pmtu 1500
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Address: 192.168.54.5
X-CSTP-Netmask: 255.255.255.0
X-CSTP-Address: 2001:1:2:3::1
X-CSTP-Netmask: 2001:1:2:3::1/64
X-CSTP-DNS: 192.168.53.42
X-CSTP-DNS: 10.201.253.41
X-CSTP-NBNS: 192.168.53.42
X-CSTP-NBNS: 10.201.253.41
X-CSTP-Lease-Duration: 1209600
X-CSTP-Session-Timeout: none
X-CSTP-Idle-Timeout: 1800
X-CSTP-Disconnected-Timeout: 1800
X-CSTP-Default-Domain: domain.com
X-CSTP-Split-Include: 192.168.53.0/255.255.255.0
X-CSTP-Split-Include: 10.201.253.0/255.255.255.0
X-CSTP-Split-DNS: domain.com
X-CSTP-Keep: true
X-CSTP-Tunnel-All-DNS: true
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-CSTP-MSIE-Proxy-Lockdown: true
X-CSTP-Smartcard-Removal-Disconnect: true
X-DTLS-Session-ID: <deleted>
X-DTLS-Port: 443
X-DTLS-Keepalive: 20
X-DTLS-DPD: 30
X-CSTP-MTU: 1415
X-DTLS-MTU: 1418
X-DTLS-CipherSuite: AES128-SHA
X-CSTP-Routing-Filtering-Ignore: false
X-CSTP-Quarantine: false
X-CSTP-Disable-Always-On-VPN: false
X-CSTP-TCP-Keepalive: true
CSTP connected. DPD 30, Keepalive 20
^C

I know that I could set the default route manually, but wondered if I
misconfigured something, or had hit a bug.

I've gone back through the mailing list archives to July 2012, but
couldn't see anything that might reference this.

Cheers
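A small check for the symptom described in this report, added here as an example and not code from OpenConnect, NetworkManager or the author of the post: it parses the X-CSTP-* CONNECT response headers into the prefixes the client should route into the tunnel per address family, parses the `netstat -6 -r` tables, and reports expected prefixes that have no usable route via the tunnel interface. The header and table samples are copied from the sanitized output above (with wrapped lines rejoined); the interpretation that a family with an X-CSTP-Address but no X-CSTP-Split-Include is "tunnel all" for that family is an assumption inferred from the AnyConnect behaviour shown, not taken from the OpenConnect source. The reason the check matters: on a tunnel-all profile a missing IPv6 default route means IPv6 traffic is not carried by the VPN at all; on an IPv4-only network like this one it just dies at the kernel's `!n` unreachable entry, but on a dual-stack client network it would follow the local default route and bypass the tunnel.

```python
import ipaddress

# Constructed sample input: the CSTP CONNECT response headers from the
# OpenConnect session in the report above (addresses as sanitized there).
CSTP_RESPONSE = """\
X-CSTP-Version: 1
X-CSTP-Address: 192.168.54.5
X-CSTP-Netmask: 255.255.255.0
X-CSTP-Address: 2001:1:2:3::1
X-CSTP-Netmask: 2001:1:2:3::1/64
X-CSTP-Split-Include: 192.168.53.0/255.255.255.0
X-CSTP-Split-Include: 10.201.253.0/255.255.255.0
X-CSTP-Tunnel-All-DNS: true
"""

# Constructed sample input: the two 'netstat -6 -r' tables from the report,
# abbreviated and with wrapped lines rejoined. Interface names are the report's.
NETSTAT6_ANYCONNECT = """\
Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met Ref Use If
2001:1:2:3::2/128              ::                         U    256 0     0 cscotun0
fe80::/64                      ::                         U    256 0     0 cscotun0
::/0                           ::                         U    1   0     0 cscotun0
::/0                           ::                         !n   -1  1   341 lo
::1/128                        ::                         Un   0   1    83 lo
"""

NETSTAT6_OPENCONNECT = """\
Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met Ref Use If
2001:1:2:3::/64                ::                         U    256 0     0 vpn0
fe80::/64                      ::                         U    256 0     0 eth1
fe80::/64                      ::                         U    256 0     0 vpn0
::/0                           ::                         !n   -1  1   511 lo
::1/128                        ::                         Un   0   1    84 lo
"""


def parse_cstp_headers(text):
    """Split 'Name: value' lines into (name, value) pairs, keeping repeats in order."""
    pairs = []
    for line in text.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs


def expected_routes(headers):
    """Per address family, the prefixes that should be routed into the tunnel.

    Assumption (inferred from the AnyConnect table in the report): a family with
    an X-CSTP-Address but no X-CSTP-Split-Include is a full tunnel for that
    family, so its expected route is the default route. Prefixes are returned
    as strings, e.g. {4: ['192.168.53.0/24', ...], 6: ['::/0']}.
    """
    addresses = {4: None, 6: None}
    split = {4: [], 6: []}
    for name, value in headers:
        if name == "X-CSTP-Address":
            addr = ipaddress.ip_address(value)
            addresses[addr.version] = addr
        elif name == "X-CSTP-Split-Include":
            # ipaddress accepts both the '10.0.0.0/255.0.0.0' and 'a:b::/64' forms
            net = ipaddress.ip_network(value, strict=False)
            split[net.version].append(net)
    routes = {}
    for family, default in ((4, "0.0.0.0/0"), (6, "::/0")):
        if addresses[family] is None:
            continue  # the server assigned no address for this family
        nets = split[family] or [ipaddress.ip_network(default)]
        routes[family] = [str(n) for n in nets]
    return routes


def parse_netstat6(text):
    """Parse 'netstat -6 -r' rows into (destination, flags, interface) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue  # the title and column-header lines have a different field count
        dest, _nexthop, flags, _met, _ref, _use, iface = parts
        rows.append((str(ipaddress.ip_network(dest, strict=False)), flags, iface))
    return rows


def missing_tunnel_routes(expected, rows, tunnel_if):
    """Expected prefixes that have no usable route via tunnel_if.

    A '!n' flag marks the kernel's reject/unreachable entry (the '::/0 ... lo'
    rows in the report), which must not be mistaken for a default route.
    """
    present = {dest for dest, flags, iface in rows
               if iface == tunnel_if and "!" not in flags}
    return [net for net in expected if net not in present]


if __name__ == "__main__":
    routes = expected_routes(parse_cstp_headers(CSTP_RESPONSE))
    print("expected per family:", routes)
    for label, table, tun in (("AnyConnect", NETSTAT6_ANYCONNECT, "cscotun0"),
                              ("OpenConnect", NETSTAT6_OPENCONNECT, "vpn0")):
        gap = missing_tunnel_routes(routes[6], parse_netstat6(table), tun)
        print(f"{label}: IPv6 prefixes with no route via {tun}: {gap or 'none'}")
```

Run against the two tables, the AnyConnect session reports nothing missing while the OpenConnect session reports `::/0`, which is exactly the difference the post describes. To use it on a live machine, replace the constructed tables with the output of `netstat -6 -r` and the header sample with the X-CSTP-* lines from `openconnect -vvv`.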
