DNS not working
Cezary Drożak
cezary at drozak.net
Mon Dec 18 02:22:32 PST 2023
Hello,
I would like to connect to the corporate Fortinet VPN using OpenConnect. After connecting, I am able to successfully SSH to my computer using IP, but not using a hostname. While this is not a huge problem when using SSH, it makes me unable to access intranet websites: they are only available by URL and the connection times out when I try to open them.
I don't know much about networking, so please be understanding if I miss something obvious. Here is a `resolvectl` output:
$ resolvectl
Global
         Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com
                      9.9.9.9#dns.quad9.net
                      8.8.8.8#dns.google
                      2606:4700:4700::1111#cloudflare-dns.com
                      2620:fe::9#dns.quad9.net
                      2001:4860:4860::8888#dns.google

Link 2 (enp4s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.0.1
       DNS Servers: 192.168.3.1 192.168.0.1
        DNS Domain: lan

Link 7 (vpn0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.3.1
       DNS Servers: 192.168.3.1
        DNS Domain: corpo.com
192.168.3.1 is the DNS IP. For me, everything looks correct here. Here is a log from `openconnect` itself:
$ sudo openconnect --protocol=fortinet -u cezdro corpo.com:10443
GET https://corpo.com:10443/
Connected to xx.xx.xxx.xxx:10443
SSL negotiation with corpo.com
Connected to HTTPS on corpo.com with ciphersuite
(TLS1.3)-(ECDHE-SECP384R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
Password:
POST https://corpo.com:10443/remote/logincheck
Code:
POST https://corpo.com:10443/remote/logincheck
Error reading HTTP response: Invalid argument
Retrying failed POST request on new connection
POST https://corpo.com:10443/remote/logincheck
SSL negotiation with corpo.com
Connected to HTTPS on corpo.com with ciphersuite
(TLS1.3)-(ECDHE-SECP384R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
GET https://corpo.com:10443/remote/fortisslvpn_xml?dual_stack=1
DTLS is enabled on port 10443
Server reports that reconnect-after-drop is allowed within 255 seconds, but only from the same source IP address
WARNING: Got split-DNS domains corpo.com,corpo2.com,corpo3.com (not yet implemented)
WARNING: Got split-DNS server 192.168.3.1 (not yet implemented)
WARNING: Got split-DNS server 192.168.3.254 (not yet implemented)
Got search domain corpo.com
Got IPv4 DNS server 192.168.3.1
Got Legacy IP address 10.xxx.xxx.x
Got IPv4 route 192.168.3.0/255.255.255.0
Got IPv4 route 192.168.17.2/255.255.255.255
Got IPv4 route 10.0.2.0/255.255.255.0
Got IPv4 route 192.168.2.0/255.255.255.0
Got IPv4 route 192.168.44.2/255.255.255.255
Idle timeout is 0 minutes.
Received split routes; not setting default Legacy IP route
Established DTLS connection (using GnuTLS). Ciphersuite
(DTLS1.2)-(ECDHE-SECP384R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM).
Requesting calculated MTU of 1351
Configured as 10.xxx.xxx.x, with SSL disconnected and DTLS established
Session authentication will expire at Mon Dec 18 22:47:23 2023
Using vhost-net for tun acceleration, ring size 32
All the intranet websites are subdomains of corpo.com (of course the real name is different), e.g. wiki.corpo.com, files.corpo.com etc. Public internet websites all work as expected. Is there something I can do?
Cezary Drożak
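The openconnect log above shows the gateway pushing split-DNS domains and two split-DNS servers that the Fortinet backend does not yet apply, so systemd-resolved only ever sees the single search domain and server. The script below is an added example, not part of the original post or of the openconnect project: it turns those values into the `resolvectl` calls that route only the corporate suffixes to the VPN resolver, and leaves the default route for everything else untouched. The interface name, domains and server addresses are taken from the post; the `APPLY` and `VPN_*` variable names and the function names are my own assumptions, and the commands are only executed when `APPLY=1` is set.

```shell
#!/bin/sh
# Added example: route the split-DNS suffixes from the openconnect log to the
# VPN's resolvers with systemd-resolved. Values below are the ones from the
# post; override them with the VPN_* variables (assumed names, not openconnect's).
VPN_DEV="${VPN_DEV:-vpn0}"
VPN_SPLIT_DOMAINS="${VPN_SPLIT_DOMAINS:-corpo.com,corpo2.com,corpo3.com}"
VPN_SPLIT_SERVERS="${VPN_SPLIT_SERVERS:-192.168.3.1 192.168.3.254}"

# Print the resolvectl commands for one link. A "~suffix" entry is a
# routing-only domain: resolved sends queries under that suffix to this link's
# DNS servers, but does not append it to single-label names like "wiki".
# Disabling the link's default route keeps unrelated queries on the LAN/public
# resolvers, so the VPN server only sees lookups for the corporate suffixes.
split_dns_cmds() {
    dev=$1
    domains=$(printf '%s' "$2" | tr ',' ' ')
    servers=$3
    routing=""
    for d in $domains; do
        routing="$routing ~$d"
    done
    printf 'resolvectl dns %s %s\n' "$dev" "$servers"
    printf 'resolvectl domain %s%s\n' "$dev" "$routing"
    printf 'resolvectl default-route %s false\n' "$dev"
}

# Count how many split-DNS domains were configured (used by the self-check).
split_dns_domain_count() {
    printf '%s' "$1" | tr ',' '\n' | grep -c .
}

# Apply the configuration and show what resolved now does with a corporate
# name: the "-i" query is forced through the VPN link, the plain query follows
# the routing domains and should give the same answer once they are in place.
apply_split_dns() {
    split_dns_cmds "$VPN_DEV" "$VPN_SPLIT_DOMAINS" "$VPN_SPLIT_SERVERS" | sh -e
    resolvectl status "$VPN_DEV"
    resolvectl query -i "$VPN_DEV" "wiki.${VPN_SPLIT_DOMAINS%%,*}" || true
    resolvectl query "wiki.${VPN_SPLIT_DOMAINS%%,*}" || true
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_split_dns
else
    # Dry run: show the commands without touching resolved.
    split_dns_cmds "$VPN_DEV" "$VPN_SPLIT_DOMAINS" "$VPN_SPLIT_SERVERS"
fi
```

Run it once as root after openconnect has brought up vpn0 (`sudo APPLY=1 ./split-dns.sh`); without `APPLY=1` it only prints the three `resolvectl` commands. The change lasts until the link goes away, which is also when the VPN's resolvers stop being reachable.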