IPv6 in AnyConnect for iOS

Nikos Mavrogiannopoulos nmav at gnutls.org
Fri Dec 26 10:18:18 PST 2014


On Fri, 2014-12-26 at 16:51 +0800, sskaje wrote:
> Hi, I'm trying to make my iPhone work with IPv6. I can't find any
> details on anyconnect using ipv6, so I just tried to debug and make some
> changes on ocserv.
> I need someone to tell me if I am on the wrong track or ocserv ipv6 is buggy.
> 
> 
> I asked Linode for an ipv6 address pool, set the options like
> ipv6-network = 2400:8900:e000:xxxx::
> ipv6-prefix = 64
> But clients generate fake IPv6 addresses (Debug logs in AnyConnect iOS).

Hi,
 The logic as it is now for ocserv worker is to send IPv6 addresses if
the client is openconnect or the client has sent the header
"X-CSTP-Full-IPv6-Capability: true". That is because cisco's clients
didn't properly handle IPv6 if they didn't send that header.

> In worker-vpn.c, I found
> 
>     if (ws->vinfo.ipv6 && req->no_ipv6 == 0) {
> 
> has no_ipv6 == 1, So I added extra User Agent matching like:
> 
>         if (strncasecmp(req->user_agent, "Open Any", 8) == 0) {
>             if (strncmp(req->user_agent, "Open AnyConnect VPN Agent v3", 28) == 0)
>                 req->user_agent_type = AGENT_OPENCONNECT_V3;
>             else
>                 req->user_agent_type = AGENT_OPENCONNECT;
>         } else if (strncasecmp(req->user_agent, "Cisco AnyConnect", 16) == 0) {
>             req->user_agent_type = AGENT_ANYCONNECT;
>         }
>         break;

I'd suggest trying to see what happens if you tag this anyconnect client
as AGENT_OPENCONNECT.

> And then
>     /* If we are in CISCO client compatibility mode, do not send
>      * any IPv6 information, unless the client can really handle it.
>      */
>     if (ws->full_ipv6 == 0 && ws->config->cisco_client_compat != 0 &&
>         req->user_agent_type != AGENT_OPENCONNECT &&
>         req->user_agent_type != AGENT_ANYCONNECT) {
>         req->no_ipv6 = 1;
>     }
> But ws->full_ipv6 is still 0, and TWO X-CSTP-Address lines are sent to
> client, with both IPv4 and IPv6 addresses.
>...
> I guess it is because full_ipv6 is 0, so I force it to 1 for AnyConnect:
>     if (req->user_agent_type == AGENT_ANYCONNECT) {
>         ws->full_ipv6 = 1;
>     }
> 
> found ws->vinfo.ipv6_prefix == 0, fixed in worker-auth.c:
> static int recv_cookie_auth_reply(worker_st * ws)
> ...
>             if (msg->ipv6_prefix) {
>                 ws->config->network.ipv6_prefix = msg->ipv6_prefix;
>             }

That should be the same as the one you set in "ipv6-prefix"
configuration option.

Do you get a correct IPv6 address if you use openconnect?

regards,
Nikos
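
The rule described in the reply above (IPv6 is offered only to openconnect or to a client that sent "X-CSTP-Full-IPv6-Capability: true"), as an added example that is not part of the original message and is not ocserv's code. The function names, the struct and the header samples are constructed for illustration; the agent constants and prefixes follow the quoted snippets, and only AGENT_OPENCONNECT is treated as exempt, which is an assumption.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Model of the rule described in the reply; not ocserv source. */
enum agent { AGENT_UNKNOWN, AGENT_OPENCONNECT_V3, AGENT_OPENCONNECT, AGENT_ANYCONNECT };
struct request { enum agent user_agent_type; int full_ipv6; };
static const char *skip_ws(const char *v) { while (*v == ' ' || *v == '\t') v++; return v; }

/* Classify the User-Agent value with the prefixes from the quoted snippet. */
static enum agent classify_agent(const char *ua)
{
    if (strncasecmp(ua, "Open Any", 8) == 0)
        return strncmp(ua, "Open AnyConnect VPN Agent v3", 28) == 0
            ? AGENT_OPENCONNECT_V3 : AGENT_OPENCONNECT;
    if (strncasecmp(ua, "Cisco AnyConnect", 16) == 0)
        return AGENT_ANYCONNECT;
    return AGENT_UNKNOWN;
}

/* Record what one "Name: value" header line says about the client. */
static void parse_header(struct request *r, const char *line)
{
    static const char ua[] = "User-Agent:", cap[] = "X-CSTP-Full-IPv6-Capability:";
    if (strncasecmp(line, ua, sizeof(ua) - 1) == 0)
        r->user_agent_type = classify_agent(skip_ws(line + sizeof(ua) - 1));
    else if (strncasecmp(line, cap, sizeof(cap) - 1) == 0)
        r->full_ipv6 = strncasecmp(skip_ws(line + sizeof(cap) - 1), "true", 4) == 0;
}

/* Returns 1 if IPv6 would be offered for this CRLF-separated header block. */
static int offers_ipv6(const char *headers, int have_ipv6_pool, int cisco_client_compat)
{
    struct request r = { AGENT_UNKNOWN, 0 };
    for (const char *p = headers; p && *p; p = strchr(p, '\n'), p = p ? p + 1 : p)
        parse_header(&r, p);
    /* Compat mode: hide IPv6 unless the client declared full support or is
     * openconnect (only AGENT_OPENCONNECT is exempt here, an assumption). */
    int no_ipv6 = !r.full_ipv6 && cisco_client_compat && r.user_agent_type != AGENT_OPENCONNECT;
    return have_ipv6_pool && !no_ipv6;
}

int main(void)
{
    /* Constructed header blocks, not captured from a real client. */
    const char *ua = "User-Agent: Cisco AnyConnect VPN Agent (constructed)\r\n";
    const char *cap = "User-Agent: Cisco AnyConnect (constructed)\r\nX-CSTP-Full-IPv6-Capability: true\r\n";
    printf("no header: %d, header: %d\n", offers_ipv6(ua, 1, 1), offers_ipv6(cap, 1, 1));
    return 0;
}
```

Comparing the two results for the same User-Agent shows whether a missing capability header, rather than the address pool settings, is what keeps a client on IPv4 only.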