Configure ocserv to hand out IPv6 addresses from radius

Thore thore at selfnet.de
Fri Nov 19 06:31:27 PST 2021


Good evening,

we are currently using the version shipped with debian stable (1.1.2 + 
debian patches) and have also tested the backports version (1.1.3) which 
shows the same behaviour.

Do the IPv6 changes in 1.1.5 affect us here?

For openconnect:

OpenConnect version v8.10
Using GnuTLS 3.7.2. Features present: PKCS#11, RSA software token, HOTP 
software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse

Best regards
Thore

On 11/17/21 23:01, Nikos Mavrogiannopoulos wrote:
> Hi,
>   Which openconnect and ocserv version are these? Have you tried with the latest?
> 
> regards,
> Nikos
> 
> ________________________________________
> From: openconnect-devel <openconnect-devel-bounces at lists.infradead.org> on behalf of Thore <thore at selfnet.de>
> Sent: Saturday, November 13, 2021 15:08
> To: openconnect-devel at lists.infradead.org
> Subject: Configure ocserv to hand out IPv6 addresses from radius
> 
> Good evening,
> 
> we are currently evaluating ocserv as an option to replace a srx used as
> vpn appliance.
> 
> And while authentication and IPv4 assignments via radius (freeradius)
> work as expected, we are having some trouble configuring IPv6.
> 
> The current configuration very much resembles the default config, with
> these options set:
> 
> ipv4-network = 2.71.9.254/32
> 
> # The IPv6 subnet that leases will be given from.
> # Crashes when uncommented
> #ipv6-network = 2001:2:71:9:ffff:ffff:ffff:ffff/64
> 
> # Specify the size of the network to provide to clients. It is
> # generally recommended to provide clients with a /64 network in
> # IPv6, but any subnet may be specified. To provide clients only
> # with a single IP use the prefix 128.
> ipv6-subnet-prefix = 128
> 
> route = default
> 
> 
> When trying to connect and having freeradius in debug mode, it logs
> something like this:
> 
> Sent Access-Accept Id 200 from ...:1812 to ...:49136 length 0
>     Framed-IP-Address = 3.141.59.26
>     Framed-IPv6-Prefix = 2001:3:141::5926/128
> Finished request
> 
> However, we couldn't yet figure out why this would not pass the IP to
> the client.
> We've also tried Framed-IPv6-Address and also Delegated-IPv6-Prefix, but
> all with the same result.
> 
> Can someone here shed some light onto what we are missing?
> 
> Best regards
> Thore
> 
> 
> 
> 
> For convenience, the debug log from ocserv and openconnect:
> 
> root at ocserv:# ocserv -f -d 1
> note: vhost:default: setting 'radius' as primary authentication method
> note: setting 'radius' as accounting method
> note: setting 'radius' as supplemental config option
> listening (TCP) on 0.0.0.0:443...
> listening (TCP) on [::]:443...
> listening (UDP) on 0.0.0.0:443...
> listening (UDP) on [::]:443...
> ocserv[17800]: main: Starting 1 instances of ocserv-sm
> ocserv[17800]: main: initialized ocserv 1.1.2
> ocserv[17801]: sec-mod: reading supplemental config from radius
> ocserv[17801]: radcli: set_option_srv: processing server: 141.70.126.58:1812
> ocserv[17801]: radcli: set_option_srv: processing server: 141.70.126.58:1813
> ocserv[17801]: sec-mod: sec-mod initialized (socket:
> /run/ocserv.socket.e0a2f140.0)
> note: vhost:default: setting 'radius' as primary authentication method
> note: setting 'radius' as accounting method
> note: setting 'radius' as supplemental config option
> note: vhost:default: setting 'radius' as primary authentication method
> note: setting 'radius' as accounting method
> note: setting 'radius' as supplemental config option
> ocserv[17801]: sec-mod: sec-mod instance 0 issue cookie
> ocserv[17801]: sec-mod: using 'radius' authentication to authenticate
> user (session: qVE9wU)
> ocserv[17801]: radius-auth: communicating username (user at example.net)
> and password
> ocserv[17801]: radcli: rc_send_server_ctx: DEBUG: rc_send_server:
> creating socket to: ...
> ocserv[17801]: radcli: rc_send_server_ctx: DEBUG: timeout=10 retries=3
> local 0 : 0, remote radius : 1812
> ocserv[17801]: radcli: rc_aaa_ctx_server: rc_send_server_ctx returned
> success for server 0
> note: vhost:default: setting 'radius' as primary authentication method
> note: setting 'radius' as accounting method
> note: setting 'radius' as supplemental config option
> ocserv[17801]: radius-auth: opening session ...
> ocserv[17801]: radcli: rc_send_server_ctx: DEBUG: rc_send_server:
> creating socket to: 141.70.126.58
> ocserv[17801]: radcli: rc_send_server_ctx: DEBUG: timeout=10 retries=3
> local 0 : 0, remote radius-acct : 1813
> ocserv[17801]: radcli: rc_aaa_ctx_server: rc_send_server_ctx returned
> success for server 0
> ocserv[17801]: sec-mod: initiating session for user 'user at example.net'
> (session: qVE9wU)
> ocserv[17800]:
> main[user at example.net]:[2003:e7:ef12:c400:9475:e36a:d449:5dc1]:42274 new
> user session
> ocserv[17800]:
> main[user at example.net]:[2003:e7:ef12:c400:9475:e36a:d449:5dc1]:42274
> user logged in
> 
> 
> 
> thore at host:# sudo openconnect -u user at example-net ocserv.example.net -v
> POST https://ocserv.example.net/
> Attempting to connect to server [...]:443
> Connected to [...]:443
> SSL negotiation with ocserv.example.net
> Server certificate verify failed: signer not found
> 
> Connected to HTTPS on ocserv.example.net with ciphersuite
> (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
> Got HTTP response: HTTP/1.1 200 OK
> Set-Cookie: webvpncontext=; expires=Thu, 01 Jan 1970 22:00:00 GMT;
> path=/; Secure
> Content-Type: text/xml
> Content-Length: 306
> X-Transcend-Version: 1
> HTTP body length:  (306)
> XML POST enabled
> Please enter your username.
> POST https://ocserv.example.net/auth
> Got HTTP response: HTTP/1.1 200 OK
> Set-Cookie: webvpncontext=...; Max-Age=300; Secure
> Content-Type: text/xml
> Content-Length: 310
> X-Transcend-Version: 1
> HTTP body length:  (310)
> Please enter your password.
> Password:
> POST https://ocserv.example.net/auth
> Got HTTP response: HTTP/1.1 200 OK
> Connection: Keep-Alive
> Content-Type: text/xml
> Content-Length: 189
> X-Transcend-Version: 1
> Set-Cookie: webvpncontext=...; Secure
> Set-Cookie: webvpn=<elided>; Secure
> Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; Secure
> Set-Cookie: webvpnc=bu:/&p:t&iu:1/&sh:...; path=/; Secure
> HTTP body length:  (189)
> TCP_INFO rcv mss 1420, snd mss 1420, adv mss 1420, pmtu 1492
> Got CONNECT response: HTTP/1.1 200 CONNECTED
> X-CSTP-Version: 1
> X-CSTP-Server-Name: ocserv 1.1.2
> X-CSTP-Hostname: T480s
> X-CSTP-DPD: 60
> X-CSTP-Default-Domain: example.net
> X-CSTP-Address: 3.141.59.26
> X-CSTP-Netmask: 255.255.255.255
> X-CSTP-DNS: 8.8.8.8
> X-CSTP-Tunnel-All-DNS: true
> X-CSTP-Keepalive: 300
> X-CSTP-Idle-Timeout: 1200
> X-CSTP-Smartcard-Removal-Disconnect: true
> X-CSTP-Rekey-Time: 172776
> X-CSTP-Rekey-Method: ssl
> X-CSTP-Session-Timeout: none
> X-CSTP-Disconnected-Timeout: none
> X-CSTP-Keep: true
> X-CSTP-TCP-Keepalive: true
> X-CSTP-License: accept
> X-DTLS-DPD: 60
> X-DTLS-Port: 443
> X-DTLS-Rekey-Time: 172786
> X-DTLS-Rekey-Method: ssl
> X-DTLS-Keepalive: 300
> X-DTLS-App-ID: ...
> X-DTLS-CipherSuite: PSK-NEGOTIATE
> X-CSTP-Base-MTU: 1492
> X-CSTP-MTU: 1406
> X-DTLS-Content-Encoding: oc-lz4
> X-CSTP-Content-Encoding: oc-lz4
> CSTP connected. DPD 60, Keepalive 300
> DTLS option X-DTLS-DPD : 60
> DTLS option X-DTLS-Port : 443
> DTLS option X-DTLS-Rekey-Time : 172786
> DTLS option X-DTLS-Rekey-Method : ssl
> DTLS option X-DTLS-Keepalive : 300
> DTLS option X-DTLS-App-ID : ...
> DTLS option X-DTLS-CipherSuite : PSK-NEGOTIATE
> DTLS option X-DTLS-Content-Encoding : oc-lz4
> DTLS initialised. DPD 60, Keepalive 300
> Connected as 3.141.59.26, using SSL + LZ4, with DTLS + LZ4 in progress
> Established DTLS connection (using GnuTLS). Ciphersuite
> (DTLS1.2)-(PSK)-(AES-256-GCM).
> DTLS connection compression using LZ4.
> Initiating MTU detection (min=576, max=1406)
> Detected MTU of 1394 bytes (was 1406)
> ^CSend BYE packet: Aborted by caller
> Error: argument "via" is wrong: use nexthop syntax to specify multiple via
> 
> User cancelled (SIGINT/SIGTERM); exiting.
> 
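A cross-check for the situation in the thread above, added here and not code from ocserv, radcli, freeradius or openconnect: it parses the address attributes of the freeradius Access-Accept and the X-CSTP-* headers openconnect printed, reports which leases actually reached the client, and optionally checks the RADIUS-supplied IPv6 address against the configured ipv6-network pool. The sample logs are constructed from the quoted output; the header name X-CSTP-Address-IP6 is assumed to be what ocserv sends for an IPv6 lease (it does not appear in the quoted logs).

```python
import ipaddress
import re
# Constructed samples, trimmed from the freeradius / openconnect -v output quoted above.
RADIUS_LOG = """\
Sent Access-Accept Id 200 from 192.0.2.1:1812 to 192.0.2.2:49136 length 0
    Framed-IP-Address = 3.141.59.26
    Framed-IPv6-Prefix = 2001:3:141::5926/128
Finished request
"""
CSTP_LOG = """\
Got CONNECT response: HTTP/1.1 200 CONNECTED
X-CSTP-Address: 3.141.59.26
X-CSTP-Netmask: 255.255.255.255
"""
V6_ATTRS = ("Framed-IPv6-Prefix", "Framed-IPv6-Address", "Delegated-IPv6-Prefix")
ATTR_RE = re.compile(r"^\s+(Framed-IP-Address|%s)\s*=\s*(\S+)" % "|".join(V6_ATTRS))
HDR_RE = re.compile(r"^(X-CSTP-[A-Za-z0-9-]+):\s*(.+)$")
def parse_access_accept(text):
    """Return {attribute: value} for address attributes inside an Access-Accept."""
    attrs, inside = {}, False
    for line in text.splitlines():
        if line.startswith("Sent Access-Accept"):
            inside = True
        elif line.startswith("Finished request"):
            inside = False
        elif inside and (m := ATTR_RE.match(line)):
            attrs[m.group(1)] = m.group(2)
    return attrs

def parse_cstp_headers(text):
    """Return {header: value} for the X-CSTP-* lines of the CONNECT response."""
    return {m.group(1): m.group(2).strip() for m in map(HDR_RE.match, text.splitlines()) if m}

def check_leases(attrs, headers, ipv6_network=None):
    """Compare the leases RADIUS assigned with what the client actually received."""
    findings = []
    v4 = attrs.get("Framed-IP-Address")
    findings.append("ipv4: delivered" if v4 and headers.get("X-CSTP-Address") == v4 else "ipv4: missing or mismatched")
    v6 = next((attrs[a] for a in V6_ATTRS if a in attrs), None)
    if v6 is None:
        findings.append("ipv6: no IPv6 attribute in Access-Accept")
    elif "X-CSTP-Address-IP6" not in headers:  # header name is an assumption, see lead-in
        findings.append("ipv6: RADIUS sent %s but client got no X-CSTP-Address-IP6" % v6)
    else:
        findings.append("ipv6: delivered %s" % headers["X-CSTP-Address-IP6"])
    if v6 and ipv6_network:  # strict=False tolerates host bits set, as in the quoted config
        net = ipaddress.ip_network(ipv6_network, strict=False)
        if ipaddress.ip_interface(v6).ip not in net:
            findings.append("ipv6: %s lies outside ipv6-network %s" % (v6, net))
    return findings
```

Run it against the real freeradius -X and openconnect -v output to see at a glance whether the IPv6 lease stops at the RADIUS reply or at the CSTP negotiation.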