IPv6 default route not set using OpenConnect

shouldbe q931 shouldbeq931 at gmail.com
Thu Mar 14 20:36:40 EDT 2013


On Wed, Mar 13, 2013 at 1:55 PM, shouldbe q931 <shouldbeq931 at gmail.com> wrote:
> On Tue, Mar 12, 2013 at 2:37 PM, David Woodhouse <dwmw2 at infradead.org> wrote:
>> On Tue, 2013-02-19 at 09:50 +0000, shouldbe q931 wrote:
>>>
>>> I know that I could set the default route manually, but wondered if I
>>> misconfigured something, or had hit a bug.
>>>
>>> I've gone back through the mailing list archives to July 2012, but
>>> couldn't see anything that might reference this.
>>
>> The behaviour of vpnc-script goes something like this:
>>
>>  If there are 'split include' routes listed, set those routes only.
>>  Else, set the default route (ignoring 'split exclude').
>>
>> The fact that it ignores 'split excludes' is a bug, but nobody's ever
>> cared because fairly much nobody ever uses them AFAICT.
>>
>> Your routing *does* have split includes... but only for Legacy IP. I
>> suppose we're supposed to route those Legacy IP ranges *and* the default
>> IPv6 route through the VPN?
>>
>> Looking at the current version of the vpnc-script, it looks like it
>> *ought* to get this right. Since $CISCO_IPV6_SPLIT_INC isn't (well,
>> shouldn't be) set, it should set the default route.
>>
>> Firstly, can you check that your vpnc-script is up to date. Download the
>> latest version which is linked from
>> http://www.infradead.org/openconnect/vpnc-script.html and try using that
>> (make it executable and use the --vpnc-script argument).
>>
>> --
>> dwmw2
>
> Yes, the split include is for IPv4, but IPv6 should be for all traffic.
>
> If it would be useful, I can also test removing the split include.
>
> I am not using (and have never seen used) split exclude.
>
> The vpnc-script changelog on ubuntu lists the below as the most recent change
> ---------------------------------------
> vpnc-scripts (0.1~git20120602-2) unstable; urgency=low
>
>   * Add Vcs-* fields for the collab-maint git repository.
>   * Move iproute from Depends to Recommends, vpnc-script can work
>     around it if not available.
>
>  -- Mike Miller <mtmiller at ieee.org>  Wed, 06 Jun 2012 06:58:46 -0400
> ---------------------------------------
>
> I renamed the version from the repo, and copied the one from infradead
> into usr/share/vpnc-scripts/vpnc-script
>
> I'll test this evening when I'm "outside" the network.
>
> Cheers
>
> Arne

Calling openconnect manually with the updated vpnc-script, IPv6 works
as expected and DNS works as expected. If I use NetworkManager to
initiate the VPN, IPv6 has the same problem, and the DNS servers are
not set.


Using NetworkManager
---------------------------------------
netstat -6 -r
Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met Ref Use If
2001:470:9652:3::/64           ::                         U    256 0     0 vpn0
fe80::/64                      ::                         U    256 0     0 eth1
fe80::/64                      ::                         U    256 0     0 vpn0
::/0                           ::                         !n   -1  1     9 lo
::1/128                        ::                         Un   0   1     1 lo
2001:470:9652:3::1/128         ::                         Un   0   1     0 lo
fe80::aed:b9ff:fef8:fc21/128   ::                         Un   0   1     0 lo
ff00::/8                       ::                         U    256 0     0 eth1
ff00::/8                       ::                         U    256 0     0 vpn0
::/0                           ::                         !n   -1  1     9 lo

 netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         192.168.10.1    0.0.0.0         UG        0 0          0 eth1
10.201.253.0    *               255.255.255.0   U         0 0          0 vpn0
link-local      *               255.255.0.0     U         0 0          0 eth1
192.168.10.0    *               255.255.255.0   U         0 0          0 eth1
192.168.53.0    *               255.255.255.0   U         0 0          0 vpn0
192.168.54.0    *               255.255.255.0   U         0 0          0 vpn0
213.122.155.21  192.168.10.1    255.255.255.255 UGH       0 0          0 eth1

nslookup www.infradead.org
Server: 127.0.1.1
Address: 127.0.1.1#53

** server can't find www.infradead.org: NXDOMAIN

traceroute6 2a00:1450:400b:c02::63
connect: Network is unreachable
---------------------------------------

calling openconnect via command line

---------------------------------------
sudo openconnect -vvv asa.domain.com
Attempting to connect to 213.122.155.21:443
SSL negotiation with asa.domain.com
Server certificate verify failed: signer not found

Certificate from VPN server "asa.domain.com" failed verification.
Reason: signer not found
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on asa.domain.com
GET https://asa.domain.com/
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Thu, 14 Mar 2013 19:25:39 GMT
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length:  (0)
SSL negotiation with asa.domain.com
Server certificate verify failed: signer not found
Connected to HTTPS on asa.domain.com
GET https://asa.domain.com/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
Fixed options give
Please enter your username and password.
Username:testuser
Password:
POST https://asa.domain.com/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpnlogin=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn=<elided>; path=/; secure
Set-Cookie: webvpnc=bu:/CACHE/stc/&p:t&iu:1/&sh:184B2305E903B0BA7D5807A9665AE3EDEB4FBD8D&lu:/+CSCOT+/translation-table?textdomain%3DAnyConnect%26type%3Dmanifest&fu:profiles%2Fasa.domain.com.xml&fh:BE3E6EA0056DCDC3AD683DE2441C2E7315606731;
path=/; secure
Set-Cookie: webvpnx=
Set-Cookie: webvpnaac=1; path=/; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
TCP_INFO rcv mss 1406, snd mss 1406, adv mss 1448, pmtu 1500
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Address: 192.168.54.4
X-CSTP-Netmask: 255.255.255.0
X-CSTP-Address: 2001:470:9652:3::1
X-CSTP-Netmask: 2001:470:9652:3::1/64
X-CSTP-DNS: 192.168.53.42
X-CSTP-DNS: 10.201.253.41
X-CSTP-NBNS: 192.168.53.42
X-CSTP-NBNS: 10.201.253.41
X-CSTP-Lease-Duration: 1209600
X-CSTP-Session-Timeout: none
X-CSTP-Idle-Timeout: 1800
X-CSTP-Disconnected-Timeout: 1800
X-CSTP-Default-Domain: domain.com
X-CSTP-Split-Include: 192.168.53.0/255.255.255.0
X-CSTP-Split-Include: 10.201.253.0/255.255.255.0
X-CSTP-Split-DNS: domain.com
X-CSTP-Keep: true
X-CSTP-Tunnel-All-DNS: true
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-CSTP-MSIE-Proxy-Lockdown: true
X-CSTP-Smartcard-Removal-Disconnect: true
X-DTLS-Session-ID: 51767A33B70A95BBBF90D8E82771774265CA2116873D16F70E6B366CCF91A798
X-DTLS-Port: 443
X-DTLS-Keepalive: 20
X-DTLS-DPD: 30
X-CSTP-MTU: 1373
X-DTLS-MTU: 1418
X-DTLS-CipherSuite: AES128-SHA
X-CSTP-Routing-Filtering-Ignore: false
X-CSTP-Quarantine: false
X-CSTP-Disable-Always-On-VPN: false
X-CSTP-TCP-Keepalive: true
CSTP connected. DPD 30, Keepalive 20
DTLS option X-DTLS-Session-ID : 51767A33B70A95BBBF90D8E82771774265CA2116873D16F70E6B366CCF91A798
DTLS option X-DTLS-Port : 443
DTLS option X-DTLS-Keepalive : 20
DTLS option X-DTLS-DPD : 30
DTLS option X-DTLS-MTU : 1418
DTLS option X-DTLS-CipherSuite : AES128-SHA
DTLS connected. DPD 30, Keepalive 20
Connected tun0 as 192.168.54.4 + 2001:470:9652:3::1, using SSL
Sending uncompressed data packet of 51 bytes
Sending uncompressed data packet of 62 bytes
Sending uncompressed data packet of 51 bytes
Sending uncompressed data packet of 62 bytes
Sending uncompressed data packet of 51 bytes
Sending uncompressed data packet of 51 bytes
Sending uncompressed data packet of 62 bytes
Sending uncompressed data packet of 62 bytes
No work to do; sleeping for 6000 ms...
No work to do; sleeping for 16000 ms...
Received uncompressed data packet of 126 bytes
Sending uncompressed data packet of 154 bytes
No work to do; sleeping for 20000 ms...
Established DTLS connection (using OpenSSL)


 netstat -6 -r
Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met Ref Use If
2001:470:9652:3::/64           ::                         U    256 0     0 tun0
fe80::/64                      ::                         U    256 0     0 eth1
fe80::/64                      ::                         U    256 0     0 tun0
::/0                           ::                         U    1   0     0 tun0
::/0                           ::                         !n   -1  1    15 lo
::1/128                        ::                         Un   0   1     1 lo
2001:470:9652:3::1/128         ::                         Un   0   1     0 lo
fe80::aed:b9ff:fef8:fc21/128   ::                         Un   0   1     0 lo
ff00::/8                       ::                         U    256 0     0 eth1
ff00::/8                       ::                         U    256 0     0 tun0
::/0                           ::                         !n   -1  1    15 lo


netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         192.168.10.1    0.0.0.0         UG        0 0          0 eth1
10.201.253.0    *               255.255.255.0   U         0 0          0 tun0
dc-1.domain.com *               255.255.255.255 UH        0 0          0 tun0
link-local      *               255.255.0.0     U         0 0          0 eth1
192.168.10.0    *               255.255.255.0   U         0 0          0 eth1
192.168.53.0    *               255.255.255.0   U         0 0          0 tun0
dc-2.xclaimproj *               255.255.255.255 UH        0 0          0 tun0
sslc.xclaimproj *               255.255.255.255 UH        0 0          0 vpn0
192.168.54.0    *               255.255.255.0   U         0 0          0 tun0
asa.domain.com 192.168.10.1    255.255.255.255 UGH       0 0          0 eth1


 nslookup www.infradead.org
Server: 192.168.53.42
Address: 192.168.53.42#53

Non-authoritative answer:
www.infradead.org canonical name = casper.infradead.org.
Name: casper.infradead.org
Address: 85.118.1.10


traceroute6 2a00:1450:400b:c02::63
traceroute to 2a00:1450:400b:c02::63 (2a00:1450:400b:c02::63) from
2001:470:9652:3::1, 30 hops max, 24 byte packets
 1  2001:470:9652:1::254 (2001:470:9652:1::254)  56.876 ms  48.295 ms  96.59 ms
 2  thermionic-1.tunnel.tserv5.lon1.ipv6.he.net (2001:470:1f08:1623::1)  72.007 ms  114.474 ms  67.415 ms
 3  gige-g4-8.core1.lon1.he.net (2001:470:0:67::1)  74.81 ms  87.64 ms  65.825 ms
 4  2001:7f8:4::3b41:1 (2001:7f8:4::3b41:1)  62.54 ms  63.825 ms  63.326 ms
 5  2001:4860::1:0:15f (2001:4860::1:0:15f)  66.591 ms  65.824 ms  78.254 ms
 6  2001:4860::8:0:2dde (2001:4860::8:0:2dde)  68.538 ms  66.952 ms  73.13 ms
 7  2001:4860::1:0:3a11 (2001:4860::1:0:3a11)  132.633 ms  107.85 ms  73.917 ms
 8  2001:4860::2:0:3d87 (2001:4860::2:0:3d87)  73.528 ms  72.326 ms  120.891 ms
 9  * *^C
---------------------------------------

Cheers

Arne
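As an added illustration, not the vpnc-script itself and not code posted in this thread: the routing decision David describes (split-include routes if any are listed for a family, otherwise that family's default route, split excludes ignored) applied separately to Legacy IP and IPv6, written as a POSIX sh dry run that prints the `ip route` commands it would issue instead of running them, plus a check over a `netstat -6 -r` dump for the usable `::/0` entry that the NetworkManager table above lacks. The per-route variable names (`CISCO_SPLIT_INC_n_ADDR`, `_MASKLEN`, `TUNDEV`) follow vpnc-script's naming as I understand it and should be treated as assumptions; the sample values are constructed from the `X-CSTP-Split-Include` lines in the log, and the two routing-table samples are trimmed from the netstat output above.

```shell
#!/bin/sh
# Added example, not the real vpnc-script. Mirrors the routing rule from the
# thread as a dry run: per address family, add only the split-include routes
# when some are listed, otherwise add that family's default route via the
# tunnel. Split excludes are ignored here too, as the text says the script does.

TUNDEV="${TUNDEV:-tun0}"   # assumed: vpnc-script's tunnel device variable

# plan_routes FAMILY PREFIX
#   FAMILY is 4 or 6; PREFIX is CISCO_SPLIT_INC or CISCO_IPV6_SPLIT_INC.
#   PREFIX holds the route count, PREFIX_i_ADDR / PREFIX_i_MASKLEN each route
#   (assumed variable layout). Prints one "ip route add" line per route.
plan_routes() {
    family=$1
    prefix=$2
    eval "count=\${$prefix:-0}"
    if [ "$count" -gt 0 ]; then
        i=0
        while [ "$i" -lt "$count" ]; do
            eval "addr=\${${prefix}_${i}_ADDR}"
            eval "masklen=\${${prefix}_${i}_MASKLEN}"
            echo "ip -$family route add $addr/$masklen dev $TUNDEV"
            i=$((i + 1))
        done
    elif [ "$family" = 6 ]; then
        echo "ip -6 route add ::/0 dev $TUNDEV"
    else
        echo "ip -4 route add 0.0.0.0/0 dev $TUNDEV"
    fi
}

# plan_all: both families. With IPv4 split includes and no IPv6 ones, as in
# the CONNECT response above, this yields the IPv4 includes plus an IPv6
# default route, which is what the command-line run produced.
plan_all() {
    plan_routes 4 CISCO_SPLIT_INC
    plan_routes 6 CISCO_IPV6_SPLIT_INC
}

# table_has_default6 TABLE DEV: succeed if the netstat -6 -r text in TABLE
# carries a usable ::/0 route (flag U, not the "!n" unreachable entry) on DEV.
table_has_default6() {
    printf '%s\n' "$1" | awk -v dev="$2" \
        '$1 == "::/0" && $3 == "U" && $NF == dev { found = 1 } END { exit !found }'
}

# Constructed sample routing tables, trimmed from the netstat output above.
NM_TABLE='Destination                    Next Hop                   Flag Met Ref Use If
2001:470:9652:3::/64           ::                         U    256 0     0 vpn0
::/0                           ::                         !n   -1  1     9 lo
ff00::/8                       ::                         U    256 0     0 vpn0'
CLI_TABLE='Destination                    Next Hop                   Flag Met Ref Use If
2001:470:9652:3::/64           ::                         U    256 0     0 tun0
::/0                           ::                         U    1   0     0 tun0
::/0                           ::                         !n   -1  1    15 lo'

# Constructed environment mirroring the two X-CSTP-Split-Include lines and
# the absence of any IPv6 split include.
export TUNDEV=tun0
export CISCO_SPLIT_INC=2
export CISCO_SPLIT_INC_0_ADDR=192.168.53.0 CISCO_SPLIT_INC_0_MASKLEN=24
export CISCO_SPLIT_INC_1_ADDR=10.201.253.0 CISCO_SPLIT_INC_1_MASKLEN=24
unset CISCO_IPV6_SPLIT_INC

plan_all
table_has_default6 "$NM_TABLE" vpn0 && echo "NetworkManager table: IPv6 default via vpn0" \
    || echo "NetworkManager table: no IPv6 default via vpn0"
table_has_default6 "$CLI_TABLE" tun0 && echo "command-line table: IPv6 default via tun0" \
    || echo "command-line table: no IPv6 default via tun0"
```

Running it prints the two IPv4 split-include routes and the IPv6 default route, then reports that the NetworkManager table has no usable `::/0` on vpn0 while the command-line table does on tun0; the same `table_has_default6` check can be fed live `netstat -6 -r` output to confirm that a freshly started session actually got its IPv6 default route.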
