Configure ocserv to hand out IPv6 addresses from radius

Thore thore at selfnet.de
Sat Nov 13 06:08:45 PST 2021


Good evening,

we are currently evaluating ocserv as an option to replace an SRX used as a 
VPN appliance.

And while authentication and IPv4 assignments via RADIUS (freeradius) 
work as expected, we are having some trouble configuring IPv6.

The current configuration very much resembles the default config, with 
these options set:

ipv4-network = 2.71.9.254/32

# The IPv6 subnet that leases will be given from.
# Crashes when uncommented
#ipv6-network = 2001:2:71:9:ffff:ffff:ffff:ffff/64

# Specify the size of the network to provide to clients. It is
# generally recommended to provide clients with a /64 network in
# IPv6, but any subnet may be specified. To provide clients only
# with a single IP use the prefix 128.
ipv6-subnet-prefix = 128

route = default


When trying to connect, with freeradius running in debug mode, it logs 
something like this:

Sent Access-Accept Id 200 from ...:1812 to ...:49136 length 0
   Framed-IP-Address = 3.141.59.26
   Framed-IPv6-Prefix = 2001:3:141::5926/128
Finished request

However, we couldn't yet figure out why this would not pass the IP to 
the client.
We've also tried Framed-IPv6-Address and also Delegated-IPv6-Prefix, but 
all with the same result.

Can someone here shed some light onto what we are missing?

Best regards
Thore




For convenience, the debug log from ocserv and openconnect:

root at ocserv:# ocserv -f -d 1
note: vhost:default: setting 'radius' as primary authentication method
note: setting 'radius' as accounting method
note: setting 'radius' as supplemental config option
listening (TCP) on 0.0.0.0:443...
listening (TCP) on [::]:443...
listening (UDP) on 0.0.0.0:443...
listening (UDP) on [::]:443...
ocserv[17800]: main: Starting 1 instances of ocserv-sm
ocserv[17800]: main: initialized ocserv 1.1.2
ocserv[17801]: sec-mod: reading supplemental config from radius
ocserv[17801]: radcli: set_option_srv: processing server: 141.70.126.58:1812
ocserv[17801]: radcli: set_option_srv: processing server: 141.70.126.58:1813
ocserv[17801]: sec-mod: sec-mod initialized (socket: /run/ocserv.socket.e0a2f140.0)
note: vhost:default: setting 'radius' as primary authentication method
note: setting 'radius' as accounting method
note: setting 'radius' as supplemental config option
note: vhost:default: setting 'radius' as primary authentication method
note: setting 'radius' as accounting method
note: setting 'radius' as supplemental config option
ocserv[17801]: sec-mod: sec-mod instance 0 issue cookie
ocserv[17801]: sec-mod: using 'radius' authentication to authenticate user (session: qVE9wU)
ocserv[17801]: radius-auth: communicating username (user at example.net) and password
ocserv[17801]: radcli: rc_send_server_ctx: DEBUG: rc_send_server: creating socket to: ...
ocserv[17801]: radcli: rc_send_server_ctx: DEBUG: timeout=10 retries=3 local 0 : 0, remote radius : 1812
ocserv[17801]: radcli: rc_aaa_ctx_server: rc_send_server_ctx returned success for server 0
note: vhost:default: setting 'radius' as primary authentication method
note: setting 'radius' as accounting method
note: setting 'radius' as supplemental config option
ocserv[17801]: radius-auth: opening session ...
ocserv[17801]: radcli: rc_send_server_ctx: DEBUG: rc_send_server: creating socket to: 141.70.126.58
ocserv[17801]: radcli: rc_send_server_ctx: DEBUG: timeout=10 retries=3 local 0 : 0, remote radius-acct : 1813
ocserv[17801]: radcli: rc_aaa_ctx_server: rc_send_server_ctx returned success for server 0
ocserv[17801]: sec-mod: initiating session for user 'user at example.net' (session: qVE9wU)
ocserv[17800]: main[user at example.net]:[2003:e7:ef12:c400:9475:e36a:d449:5dc1]:42274 new user session
ocserv[17800]: main[user at example.net]:[2003:e7:ef12:c400:9475:e36a:d449:5dc1]:42274 user logged in



thore at host:# sudo openconnect -u user at example-net ocserv.example.net -v
POST https://ocserv.example.net/
Attempting to connect to server [...]:443
Connected to [...]:443
SSL negotiation with ocserv.example.net
Server certificate verify failed: signer not found

Connected to HTTPS on ocserv.example.net with ciphersuite (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Set-Cookie: webvpncontext=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; Secure
Content-Type: text/xml
Content-Length: 306
X-Transcend-Version: 1
HTTP body length:  (306)
XML POST enabled
Please enter your username.
POST https://ocserv.example.net/auth
Got HTTP response: HTTP/1.1 200 OK
Set-Cookie: webvpncontext=...; Max-Age=300; Secure
Content-Type: text/xml
Content-Length: 310
X-Transcend-Version: 1
HTTP body length:  (310)
Please enter your password.
Password:
POST https://ocserv.example.net/auth
Got HTTP response: HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Type: text/xml
Content-Length: 189
X-Transcend-Version: 1
Set-Cookie: webvpncontext=...; Secure
Set-Cookie: webvpn=<elided>; Secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; Secure
Set-Cookie: webvpnc=bu:/&p:t&iu:1/&sh:...; path=/; Secure
HTTP body length:  (189)
TCP_INFO rcv mss 1420, snd mss 1420, adv mss 1420, pmtu 1492
Got CONNECT response: HTTP/1.1 200 CONNECTED
X-CSTP-Version: 1
X-CSTP-Server-Name: ocserv 1.1.2
X-CSTP-Hostname: T480s
X-CSTP-DPD: 60
X-CSTP-Default-Domain: example.net
X-CSTP-Address: 3.141.59.26
X-CSTP-Netmask: 255.255.255.255
X-CSTP-DNS: 8.8.8.8
X-CSTP-Tunnel-All-DNS: true
X-CSTP-Keepalive: 300
X-CSTP-Idle-Timeout: 1200
X-CSTP-Smartcard-Removal-Disconnect: true
X-CSTP-Rekey-Time: 172776
X-CSTP-Rekey-Method: ssl
X-CSTP-Session-Timeout: none
X-CSTP-Disconnected-Timeout: none
X-CSTP-Keep: true
X-CSTP-TCP-Keepalive: true
X-CSTP-License: accept
X-DTLS-DPD: 60
X-DTLS-Port: 443
X-DTLS-Rekey-Time: 172786
X-DTLS-Rekey-Method: ssl
X-DTLS-Keepalive: 300
X-DTLS-App-ID: ...
X-DTLS-CipherSuite: PSK-NEGOTIATE
X-CSTP-Base-MTU: 1492
X-CSTP-MTU: 1406
X-DTLS-Content-Encoding: oc-lz4
X-CSTP-Content-Encoding: oc-lz4
CSTP connected. DPD 60, Keepalive 300
DTLS option X-DTLS-DPD : 60
DTLS option X-DTLS-Port : 443
DTLS option X-DTLS-Rekey-Time : 172786
DTLS option X-DTLS-Rekey-Method : ssl
DTLS option X-DTLS-Keepalive : 300
DTLS option X-DTLS-App-ID : ...
DTLS option X-DTLS-CipherSuite : PSK-NEGOTIATE
DTLS option X-DTLS-Content-Encoding : oc-lz4
DTLS initialised. DPD 60, Keepalive 300
Connected as 3.141.59.26, using SSL + LZ4, with DTLS + LZ4 in progress
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS1.2)-(PSK)-(AES-256-GCM).
DTLS connection compression using LZ4.
Initiating MTU detection (min=576, max=1406)
Detected MTU of 1394 bytes (was 1406)
^CSend BYE packet: Aborted by caller
Error: argument "via" is wrong: use nexthop syntax to specify multiple via

User cancelled (SIGINT/SIGTERM); exiting.
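
A small consistency check over the artefacts quoted in this post, added here as an illustration (it is not code from the post, from ocserv or from freeradius): it parses the config lines, the freeradius Access-Accept attributes and the X-CSTP-* headers of the CONNECT response, and reports where the IPv6 lease path breaks down. It assumes that a handed-out IPv6 address would show up as an X-CSTP-Address-IP6 header and that the RADIUS prefix length should agree with ipv6-subnet-prefix; both are assumptions, not facts stated in the post.

```python
import ipaddress
import re

# Constructed from the post: the relevant ocserv config lines, the freeradius
# Access-Accept block and the X-CSTP-* headers of the CONNECT response.
OCSERV_CONF = """\
ipv4-network = 2.71.9.254/32
#ipv6-network = 2001:2:71:9:ffff:ffff:ffff:ffff/64
ipv6-subnet-prefix = 128
route = default
"""
RADIUS_ACCEPT = """\
Sent Access-Accept Id 200 from ...:1812 to ...:49136 length 0
   Framed-IP-Address = 3.141.59.26
   Framed-IPv6-Prefix = 2001:3:141::5926/128
Finished request
"""
CSTP_HEADERS = "X-CSTP-Address: 3.141.59.26\nX-CSTP-Netmask: 255.255.255.255\n"

def check_ipv6_lease(conf, radius_log, cstp):
    """Return findings that explain why the client may end up IPv4-only."""
    findings = []
    cfg = dict(re.findall(r"^([\w-]+)\s*=\s*(\S+)", conf, re.M))
    if "ipv6-network" not in cfg:
        findings.append("ipv6-network is not set (commented out)")
    # Also validate the commented-out value: ocserv expects a network address,
    # and strict parsing rejects one with host bits set.
    m = re.search(r"^#\s*ipv6-network\s*=\s*(\S+)", conf, re.M)
    if m:
        try:
            ipaddress.IPv6Network(m.group(1), strict=True)
        except ValueError:
            findings.append(f"ipv6-network value {m.group(1)} has host bits set")
    attrs = dict(re.findall(r"^\s+([\w-]+) = (\S+)$", radius_log, re.M))
    prefix = attrs.get("Framed-IPv6-Prefix")
    if prefix is None:
        findings.append("no Framed-IPv6-Prefix in Access-Accept")
    else:
        plen = ipaddress.IPv6Network(prefix, strict=False).prefixlen
        want = int(cfg.get("ipv6-subnet-prefix", 64))
        if plen != want:  # a mismatch is worth a look, not proven to break leasing
            findings.append(f"Framed-IPv6-Prefix is /{plen} but ipv6-subnet-prefix = {want}")
    # Assumption: the IPv6 lease shows up as an X-CSTP-Address-IP6 header; here any
    # X-CSTP-Address* header with a colon-notation value counts as IPv6.
    hdrs = dict(re.findall(r"^(X-CSTP-[\w-]+): (.*)$", cstp, re.M))
    v6 = [v for k, v in hdrs.items() if k.startswith("X-CSTP-Address") and ":" in v]
    if not v6:
        findings.append("CONNECT response carries no IPv6 address header")
    return findings
```

Run it as `check_ipv6_lease(OCSERV_CONF, RADIUS_ACCEPT, CSTP_HEADERS)`; with the post's own values it flags the disabled ipv6-network, the host bits in the commented-out value, and the missing IPv6 header in the CONNECT response.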



More information about the openconnect-devel mailing list