Openconnect and GP with IPv6

Daniel Lenski dlenski at gmail.com
Mon Feb 19 18:05:21 PST 2024


On Fri, Jan 19, 2024 at 4:33 AM Daniel Loxtermann
<daniel.loxtermann at greenbone.net> wrote:
>
> Hey all!
>
> While trying to understand how to get IPv6 on our GlobalProtect Clients,
> we found out about OpenConnect!
>
> You're asking for results about IPv6 with GP.

As the author of the GP IPv6 support, thank you very much for this report.

And also, my apologies for the belated response. I'm just now starting
to dig myself out of a 4-month-deep hole resulting from taking a break
from OpenConnect while I was on my honeymoon.

> We're using IPv4 and IPv6 Split Tunneling with PanOS 11.0.3 and GP 6.1.2-83.
>
> So far, I can tell you this: Works great, if we're using Version 8.20.
> Split tunneling with IPv6 stopped working with 9.00 and newer. I assume
> that's related to
> https://gitlab.com/openconnect/openconnect/-/merge_requests/367

Yes indeed. When I committed
https://gitlab.com/openconnect/openconnect/-/commit/99ae55aec1408a2905df72394dab99cb6fb41aed,
I didn't realize I was going to be causing a lot more problems than I
had solved. 😅

> Due to the revert, the "include IPv6" is indeed recognized as "exclude
> IPv6" (not v4 - that is included as it should) and instead of leaving
> the default route alone, it's changed to the tunnel. Looks like
> something is swapped here.
>
> I could fix this by adding "access-routes-v6" to line 532 in gpst.c:
> https://gitlab.com/openconnect/openconnect/-/blob/master/gpst.c?ref_type=heads#L532
> (I've attached a patch, let me know if it's easier for you to create a
> MR in GitLab, I'll create one then)

Argh. That's an excellent catch.

I've just pushed the fix up as
https://gitlab.com/openconnect/openconnect/-/commit/64f0c03d660f1d17834f7ff7ce9d0151704bb32f,
with your name on it.

Thanks again for the detailed report, and will keep your offer in mind
for the next time that we may need access to a "real" GlobalProtect
server in order to fix something.

Daniel


