vpn connection hangs with openconnect version >v5.01 after a couple of seconds...

Kaloyan Dimitrov kaloyan.dimitrov at aviaso.com
Thu Mar 13 08:19:05 EDT 2014


Thanks for the quick response.

Regarding the routing: Removing the "10.55.1.0/24 dev tun0  scope link" 
fixed my problem, thanks for your hint.

After discussing with our network administrator, he told me that Windows 
clients just have the route with a higher metric.

We also noticed that the issue probably appears because the physical 
network (10.55.1.0/24) is actually part of the networks behind the VPN. 
If vpnc-script is improved (as it handles the routes based on 
CISCO_SPLIT_INC_%d_* variables) to handle such a case (when the physical 
network is part of the VPN networks) by adding a higher-metric route 
(similar to how the Windows client does it), this should be just fine.

As for the openconnect problematic version indeed I corrected myself in 
a reply from 03/12/2014 18:17 +0200

"Hi again, sorry, seems like v5.01 doesn't do the job as well. Same 
issue exists there... "

Regards,
Kaloyan


On 03/12/2014 08:22 PM, David Woodhouse wrote:
> On Wed, 2014-03-12 at 18:07 +0200, Kaloyan Dimitrov wrote:
>> Established DTLS connection (using GnuTLS)
>>
>> CSTP Dead Peer Detection detected dead peer!
>>
>> Please advise why is this happening.
> This could be a routing issue. Obviously if we set up a default route
> that points to the VPN, we have to have a route to the *gateway* that
> still goes via the physical network.
>
> When we get that wrong, so packets for the VPN server are handed to
> openconnect and then sent out again as a packet for the VPN server... it
> doesn't really work very well.
>
> You said that 5.01 worked and 5.03 did not. Did anything *else* change?
> Like your vpnc-script, for example?
>
> If not, it shouldn't be that hard to track it down. We could use 'git
> bisect' to narrow in on the offending commit. There weren't many commits
> between 5.01 and 5.03 in fact, and my first suspect would be this one:
> http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/1fe3f43f
>
> What is the value of the $VPNGATEWAY environment variable, when you
> connect with 5.01 and with 5.03?
>


-- 
Kaloyan Dimitrov
Software Developer

Aviaso Inc
Huobstrasse 10 CH-8808 Pfaeffikon Switzerland
Phone: +41 55 422 0000
kaloyan.dimitrov at aviaso.com  www.aviaso.com  
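
An added example, not part of the original message and not code from vpnc-script: a POSIX shell check that lists the split-include networks overlapping the physical LAN, the case described above. The `_ADDR` and `_MASKLEN` suffixes are assumed here to fill in the `CISCO_SPLIT_INC_%d_*` pattern named in the message; the function names are hypothetical and the sample values are constructed.

```shell
#!/bin/sh
# Added example: report split-include networks that overlap the local LAN.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    _old=$IFS; IFS=.; set -- $1; IFS=$_old
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# cidr_overlap ADDR1 LEN1 ADDR2 LEN2
# Two CIDR blocks overlap exactly when they agree under the shorter prefix.
cidr_overlap() {
    len=$2
    [ "$4" -lt "$len" ] && len=$4
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$3") & mask )) ]
}

# overlapping_split_includes LOCAL_ADDR LOCAL_LEN
# Prints every split-include network that overlaps the local network.
# These are the candidates for the higher-metric handling suggested above.
overlapping_split_includes() {
    i=0
    while [ "$i" -lt "${CISCO_SPLIT_INC:-0}" ]; do
        # eval only builds the variable name from the integer index $i.
        eval "addr=\${CISCO_SPLIT_INC_${i}_ADDR}"
        eval "plen=\${CISCO_SPLIT_INC_${i}_MASKLEN}"
        if cidr_overlap "$addr" "$plen" "$1" "$2"; then
            echo "$addr/$plen"
        fi
        i=$((i + 1))
    done
}

# Constructed sample environment (not taken from the thread).
CISCO_SPLIT_INC=3
CISCO_SPLIT_INC_0_ADDR=10.55.0.0;    CISCO_SPLIT_INC_0_MASKLEN=16
CISCO_SPLIT_INC_1_ADDR=192.168.10.0; CISCO_SPLIT_INC_1_MASKLEN=24
CISCO_SPLIT_INC_2_ADDR=10.55.1.0;    CISCO_SPLIT_INC_2_MASKLEN=24

# Physical network from the message: 10.55.1.0/24.
overlapping_split_includes 10.55.1.0 24
```
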




More information about the openconnect-devel mailing list