DNS not working
Dimitri Papadopoulos Orfanos
dimitri.papadopoulos at cea.fr
Mon Dec 18 06:05:15 PST 2023
Hi,
When I am back home, I will double-check what I see on my side when
connecting to my corporate FortiGate. However, we don't use split-DNS,
and I am almost certain this is the problem:
WARNING: Got split-DNS domains corpo.com,corpo2.com,corpo3.com (not yet
implemented)
WARNING: Got split-DNS server 192.168.3.1 (not yet implemented)
WARNING: Got split-DNS server 192.168.3.254 (not yet implemented)
In the meantime, which version of the following are you using?
- openfortivpn
- vpnc-script
- Linux distribution
Dimitri
On 18/12/2023 at 11:22, Cezary Drożak wrote:
> Hello,
>
> I would like to connect to the corporate Fortinet VPN using OpenConnect. After
> connecting, I am able to successfully SSH to my computer using IP, but not using
> a hostname. While this is not a huge problem when using SSH, it makes me unable
> to access intranet websites—they are only available by URL and connection times
> out when I try to open them.
>
> I don't know much about networking, so please be understanding if I miss
> something obvious. Here is a `resolvectl` output:
>
> $ resolvectl
> Global
> Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
> resolv.conf mode: stub
> Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net
> 8.8.8.8#dns.google
> 2606:4700:4700::1111#cloudflare-dns.com
> 2620:fe::9#dns.quad9.net
> 2001:4860:4860::8888#dns.google
>
> Link 2 (enp4s0)
> Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
> Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS
> DNSSEC=no/unsupported
> Current DNS Server: 192.168.0.1
> DNS Servers: 192.168.3.1 192.168.0.1
> DNS Domain: lan
>
> Link 7 (vpn0)
> Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
> Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS
> DNSSEC=no/unsupported
> Current DNS Server: 192.168.3.1
> DNS Servers: 192.168.3.1
> DNS Domain: corpo.com
>
> 192.168.3.1 is the DNS IP. For me, everything looks correct here. Here is a log
> from `openconnect` itself:
>
> $ sudo openconnect --protocol=fortinet -u cezdro corpo.com:10443
> GET https://corpo.com:10443/
> Connected to xx.xx.xxx.xxx:10443
> SSL negotiation with corpo.com
> Connected to HTTPS on corpo.com with ciphersuite
> (TLS1.3)-(ECDHE-SECP384R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
> Password:
> POST https://corpo.com:10443/remote/logincheck
>
> Code:
> POST https://corpo.com:10443/remote/logincheck
> Error reading HTTP response: Invalid argument
> Retrying failed POST request on new connection
> POST https://corpo.com:10443/remote/logincheck
> SSL negotiation with corpo.com
> Connected to HTTPS on corpo.com with ciphersuite
> (TLS1.3)-(ECDHE-SECP384R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
> GET https://corpo.com:10443/remote/fortisslvpn_xml?dual_stack=1
> DTLS is enabled on port 10443
> Server reports that reconnect-after-drop is allowed within 255 seconds,
> but only from the same source IP address
> WARNING: Got split-DNS domains corpo.com,corpo2.com,corpo3.com (not yet
> implemented)
> WARNING: Got split-DNS server 192.168.3.1 (not yet implemented)
> WARNING: Got split-DNS server 192.168.3.254 (not yet implemented)
> Got search domain corpo.com
> Got IPv4 DNS server 192.168.3.1
> Got Legacy IP address 10.xxx.xxx.x
> Got IPv4 route 192.168.3.0/255.255.255.0
> Got IPv4 route 192.168.17.2/255.255.255.255
> Got IPv4 route 10.0.2.0/255.255.255.0
> Got IPv4 route 192.168.2.0/255.255.255.0
> Got IPv4 route 192.168.44.2/255.255.255.255
> Idle timeout is 0 minutes.
> Received split routes; not setting default Legacy IP route
> Established DTLS connection (using GnuTLS). Ciphersuite
> (DTLS1.2)-(ECDHE-SECP384R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM).
> Requesting calculated MTU of 1351
> Configured as 10.xxx.xxx.x, with SSL disconnected and DTLS established
> Session authentication will expire at Mon Dec 18 22:47:23 2023
>
> Using vhost-net for tun acceleration, ring size 32
>
> All the intranet websites are the subdomains of corpo.com (of course the real
> name is different), e.g. wiki.corpo.com, files.corpo.com etc.
>
> Public internet websites all work as expected. Is there something I can do?
>
> Cezary Drożak
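The thread turns on which resolver systemd-resolved actually hands a corporate name to once OpenConnect has warned that the Fortinet split-DNS domains are not applied. The script below is an added example, not code from the thread, OpenConnect or systemd: it parses the text layout that `resolvectl` prints (a constructed sample modelled on the output quoted above, with the three domains from the split-DNS warning) and applies the per-link routing rule documented in resolved.conf(5): a query goes to the link whose DNS domain is the longest suffix match for the name, and to the `+DefaultRoute` link(s) when no domain matches (search domains also act as routing domains; `~` marks a routing-only domain). The `split_dns_leaks` check then reports which of the corporate domains would be sent to a non-VPN resolver. Single-label names and search-list expansion are deliberately not modelled; on a live system, `resolvectl query <name>` shows the real decision.

```python
"""Work out which link systemd-resolved would route a DNS query over.

Added example for the thread above: parses `resolvectl`'s text layout and
applies the per-link routing rule from resolved.conf(5). The sample output
below is constructed, not the poster's real output; the VPN domains are the
ones named in the split-DNS warning.
"""
import re

# Constructed sample in the shape of the resolvectl output quoted in the thread.
SAMPLE_RESOLVECTL = """\
Global
         Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net

Link 2 (enp4s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.0.1
       DNS Servers: 192.168.3.1 192.168.0.1
        DNS Domain: lan

Link 7 (vpn0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.3.1
       DNS Servers: 192.168.3.1
        DNS Domain: corpo.com
"""

LINK_RE = re.compile(r"^Link \d+ \((?P<name>[^)]+)\)")


def parse_resolvectl(text):
    """Return {link: {"default_route": bool, "servers": [...], "domains": [...]}}.

    Only one-line "DNS Servers"/"DNS Domain" values are handled; the Global
    section is skipped because it does not take part in per-link routing.
    """
    links, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = LINK_RE.match(line)
        if m:
            current = links[m.group("name")] = {"default_route": False, "servers": [], "domains": []}
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Protocols":
            current["default_route"] = "+DefaultRoute" in value.split()
        elif key == "DNS Servers":
            current["servers"] = value.split()
        elif key == "DNS Domain":
            current["domains"] = value.split()
    return links


def _suffix_match_len(name, domain):
    """Length of `domain` if it equals `name` or is a parent of it, else -1.

    A leading '~' (routing-only domain) is ignored for matching; '~.' is the
    catch-all and matches everything with length 0.
    """
    name = name.rstrip(".").lower()
    domain = domain.lstrip("~").rstrip(".").lower()
    if domain == "":
        return 0
    if name == domain or name.endswith("." + domain):
        return len(domain)
    return -1


def route_query(name, links):
    """Link(s) that would receive a query for `name` (longest-suffix rule)."""
    best, chosen = -1, []
    for link, info in links.items():
        for domain in info["domains"]:
            n = _suffix_match_len(name, domain)
            if n > best:
                best, chosen = n, [link]
            elif n == best and n >= 0 and link not in chosen:
                chosen.append(link)  # equal-length match: resolved asks both
    if chosen:
        return chosen
    # No per-link domain matched: fall back to the default-route link(s).
    return [link for link, info in links.items() if info["default_route"]]


def split_dns_leaks(corp_domains, vpn_link, links):
    """Map each corporate domain to the links that would answer it, when that
    is not exactly the VPN link; an empty dict means no leak."""
    leaks = {}
    for domain in corp_domains:
        targets = route_query("host." + domain, links)  # hypothetical probe name
        if targets != [vpn_link]:
            leaks[domain] = targets
    return leaks


if __name__ == "__main__":
    links = parse_resolvectl(SAMPLE_RESOLVECTL)
    for name in ("wiki.corpo.com", "files.corpo2.com", "printer.lan", "example.org"):
        print(f"{name:20} -> {route_query(name, links)}")
    print("leaks:", split_dns_leaks(["corpo.com", "corpo2.com", "corpo3.com"], "vpn0", links))
```

With the constructed sample, `wiki.corpo.com` goes to `vpn0` because `corpo.com` is its DNS domain, while `files.corpo2.com` matches no link domain and is sent to the `+DefaultRoute` link `enp4s0`, i.e. to the home resolver rather than the VPN's; that is exactly the gap the "split-DNS domains ... (not yet implemented)" warning leaves open, and the check is a quick way to confirm it from a saved `resolvectl` dump.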