Pulse Secure and 6in4 or 4in6 with ESP

Daniel Lenski dlenski at gmail.com
Fri Oct 23 12:25:25 EDT 2020


On Fri, Oct 23, 2020 at 2:37 AM Christian Deckelmann
<deckel at deckelnet.de> wrote:
>
> Hello,
>
> Pulse Secure states that 4in6 and 6in4 are supported in their latest
> release (9.1R9).
>
> https://www-prev.pulsesecure.net/download/techpubs/current/2182/pulse-connect-secure/pcs/9.1rx/9.1r9/ps-pcs-sa-9.1r9.0-releasenotes.pdf
>

Of all the stupid things about the Juniper and Pulse VPNs, this
idiotic abstraction inversion (VPN-internal traffic using IPv[value]
can only go over an external gateway connection using
ESP-over-IPv[same]) is probably the stupidest.

Good that they're fixing it.

> It looks like below with openconnect 8.10.
>
> Gateway has IPv6 on the external interface. Client has IPv6 as well.
>
> In the tunnel, only IPv4 is configured.
>
> I could provide a Pulse Gateway for testing.


A gateway for testing would be very useful.

It's very easy to manually disable the Pulse-stupidity-avoiding
behavior in OpenConnect (just comment out:
https://gitlab.com/openconnect/openconnect/blob/master/esp.c#L309-327)
but one of the crucial issues here will be figuring out how to detect
the gateway version so that we can enable the stupid behavior for the
old servers that require it, and not for the new ones that don't.

>
> Thanks,
>
> Christian
>
> Unknown attr 0x4000 len 1: 00
> Unknown attr 0x4001 len 1: 00
> Unknown attr 0x401f len 1: 00
> Unknown attr 0x4020 len 1: 00
> Unknown attr 0x4021 len 1: 00
> Received MTU 1400 from server
> Received DNS server X.X.X.X
> Received DNS server Y.Y.Y.Y
> Received DNS search domain XXXXXXX.com
> Unknown attr 0x4007 len 4: 00 00 00 01
> Unknown attr 0x4019 len 1: 00
> ESP only: 0
> Unknown attr 0x4024 len 1: 00
> ESP to SSL fallback: 0 seconds
> Unknown attr 0x400f len 2: 00 00
> ESP encryption: 0x0000 (unknown)
> ESP HMAC: 0x0000 (unknown)
> ESP key lifetime: 0 seconds
> ESP key lifetime: 0 bytes
> ESP replay protection: 0
> Unknown attr 0x4015 len 4: 00 00 00 00
> ESP port: 0
> ESP to SSL fallback: 0 seconds
> Unknown attr 0x4018 len 4: 00 00 00 00
> Received internal Legacy IP address A.A.A.A
> Received netmask 255.255.255.255
> Received internal gateway address 10.200.200.200
> Unknown attr 0x400a len 1: 01
> Unknown attr 0x400c len 1: 00
> Unknown attr 0x400d len 1: 00
> Unknown attr 0x400e len 1: 00
> Unknown attr 0x401b len 1: 00
> Unknown attr 0x401c len 1: 00
> Unknown attr 0x13 len 268: 3c 61 64 76 61 6e 63 65 64 2d 63 6f 6e 66 69 67...
> Unknown attr 0x14 len 1: 00
> Set up UDP failed; using SSL instead
> Connected as A.A.A.A, using SSL, with ESP disabled


Does your Pulse server really send all of these unknown/empty/zero
values!? Is that just because it's new and somehow unconfigured?

Dan
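The decision Dan describes (ESP may only be attempted when the address family inside the tunnel matches the family of the gateway's external address, unless the server is new enough to carry 4in6/6in4) is shown below as an added C example. It is not OpenConnect's code and does not reproduce the logic in esp.c; the thread itself leaves open how the client would learn the server version, so the example simply assumes a version string in the "9.1R9" form is available from somewhere, uses 9.1R9 (the release the cited notes describe) as the threshold, and treats an unknown version conservatively. The function names and the exact version-string format are assumptions.

```c
/* Added example (not OpenConnect's own code): decide whether ESP may be
 * attempted for traffic of one address family over a gateway reached via
 * another. Legacy Pulse servers only carry ESP whose inner and outer
 * families match; per the 9.1R9 release notes cited in the thread, 4in6
 * and 6in4 are supported from that release. The version-string format
 * ("9.1R9", "9.1r9.0") and the way the version is obtained are assumed. */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>   /* AF_INET, AF_INET6 */

struct pulse_version {
    int major, minor, release;
};

/* Parse "<major>.<minor>R<release>[...]" (assumed format). Returns 1 on
 * success, 0 if the string does not match; *v is unspecified on failure. */
static int parse_pulse_version(const char *s, struct pulse_version *v)
{
    char r;
    if (!s || !v)
        return 0;
    if (sscanf(s, "%d.%d%c%d", &v->major, &v->minor, &r, &v->release) != 4)
        return 0;
    if (r != 'R' && r != 'r')
        return 0;
    if (v->major < 0 || v->minor < 0 || v->release < 0)
        return 0;
    return 1;
}

/* Lexicographic comparison on (major, minor, release). */
static int version_at_least(const struct pulse_version *v,
                            int major, int minor, int release)
{
    if (v->major != major)
        return v->major > major;
    if (v->minor != minor)
        return v->minor > minor;
    return v->release >= release;
}

/* Returns 1 if ESP can be attempted for inner_af traffic over an outer_af
 * gateway connection, 0 if the client should fall back to SSL.
 * 'version' may be NULL when unknown; the legacy same-family rule then
 * applies, since mismatched-family ESP against an old server would not
 * carry traffic and the client would be stuck until the SSL fallback. */
static int esp_transport_allowed(int inner_af, int outer_af,
                                 const struct pulse_version *version)
{
    if (inner_af == outer_af)
        return 1;   /* 4in4 or 6in6: always fine */
    if (version && version_at_least(version, 9, 1, 9))
        return 1;   /* 4in6 / 6in4: supported from 9.1R9 per release notes */
    return 0;
}

int main(void)
{
    /* Constructed sample version strings; "bogus" exercises the
     * unknown-version path. */
    const char *examples[] = { "9.1R8", "9.1R9", "9.2r1.0", "bogus" };
    size_t i;

    for (i = 0; i < sizeof examples / sizeof examples[0]; i++) {
        struct pulse_version v;
        int ok = parse_pulse_version(examples[i], &v);
        int allowed = esp_transport_allowed(AF_INET, AF_INET6, ok ? &v : NULL);
        printf("%-8s %-12s IPv4-in-IPv6 ESP: %s\n", examples[i],
               ok ? "parsed" : "unparseable",
               allowed ? "allowed" : "disallowed, SSL fallback");
    }
    return 0;
}
```

The conservative NULL branch is the part worth keeping whatever detection mechanism ends up being used: failing to ESP on an old server is a silent black hole for the tunnel, whereas needlessly using SSL on a new one is only slower.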
