IPv6 default route not set using OpenConnect
shouldbe q931
shouldbeq931 at gmail.com
Tue Feb 19 04:50:23 EST 2013
Running Ubuntu 12.10 X64
Connecting to a dual stack ASA running 9.1.1
Connecting from an IPv4 only network
The IPv4 side of both clients works as expected, however the IPv6 side
has some differences.
The AnyConnect client provides an IPv6 /128 address and sets the
default route for IPv6 traffic across the VPN
OpenConnect provides an IPv6 /64 address and the default route is set to lo
In the output below, I have done some basic "sanitizing" on user, host
and domain names, IPv6 addresses and public IPv4 addresses
Using the Cisco AnyConnect client 3.1.02026
user at V5-171:~$ netstat -6 -r
Kernel IPv6 routing table
Destination Next Hop Flag Met Ref Use If
2001:1:2:3::2/128 :: U 256 0 0 cscotun0
fe80::/64 :: U 256 0 0 cscotun0
::/0 :: U 1 0 0 cscotun0
::/0 :: !n -1 1 341 lo
::1/128 :: Un 0 1 83 lo
2001:1:2:3::2/128 :: Un 0 1 528 lo
fe80::aed:b9ff:fef8:fc21/128 :: Un 0 1 0 lo
ff00::/8 :: U 256 0 0 eth1
ff00::/8 :: U 256 0 0 cscotun0
::/0 :: !n -1 1 341 lo
Using OpenConnect 4.0.6-1ubuntu1 and NetworkManager OpenConnect
0.9.6.0-0ubuntu1 from the Ubuntu repo
user at V5-171:~$ netstat -6 -r
Kernel IPv6 routing table
Destination Next Hop Flag Met Ref Use If
2001:1:2:3::/64 :: U 256 0 0 vpn0
fe80::/64 :: U 256 0 0 eth1
fe80::/64 :: U 256 0 0 vpn0
::/0 :: !n -1 1 511 lo
::1/128 :: Un 0 1 84 lo
2001:1:2:3::2/128 :: Un 0 1 0 lo
fe80::aed:b9ff:fef8:fc21/128 :: Un 0 1 0 lo
ff00::/8 :: U 256 0 0 eth1
ff00::/8 :: U 256 0 0 vpn0
::/0 :: !n -1 1 511 lo
I then tried connecting in a shell
sudo openconnect -vvv https://asa.domain.com
Attempting to connect to 1.2.3.4:443
SSL negotiation with asa.domain.com
Connected to HTTPS on asa.domain.com
GET https://asa.domain.com/
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Sat, 02 Feb 2013 12:21:40 GMT
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length: (0)
SSL negotiation with asa.domain.com
Connected to HTTPS on asa.domain.com
GET https://asa.domain.com/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
Fixed options give
Please enter your username and password.
Username:user
Password:
POST https://asa.domain.com/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpnlogin=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn=<elided>; path=/; secure
Set-Cookie: webvpnc=bu:/CACHE/stc/&p:t&iu:1/&sh:<deleted>:/+CSCOT+/translation-table?textdomain%3DAnyConnect%26type%3Dmanifest&fu:profiles%2Fasa.domain.com.xml&fh:<deleted>; path=/; secure
Set-Cookie: webvpnx=
Set-Cookie: webvpnaac=1; path=/; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
TCP_INFO rcv mss 1448, snd mss 1448, adv mss 1448, pmtu 1500
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Address: 192.168.54.5
X-CSTP-Netmask: 255.255.255.0
X-CSTP-Address: 2001:1:2:3::1
X-CSTP-Netmask: 2001:1:2:3::1/64
X-CSTP-DNS: 192.168.53.42
X-CSTP-DNS: 10.201.253.41
X-CSTP-NBNS: 192.168.53.42
X-CSTP-NBNS: 10.201.253.41
X-CSTP-Lease-Duration: 1209600
X-CSTP-Session-Timeout: none
X-CSTP-Idle-Timeout: 1800
X-CSTP-Disconnected-Timeout: 1800
X-CSTP-Default-Domain: domain.com
X-CSTP-Split-Include: 192.168.53.0/255.255.255.0
X-CSTP-Split-Include: 10.201.253.0/255.255.255.0
X-CSTP-Split-DNS: domain.com
X-CSTP-Keep: true
X-CSTP-Tunnel-All-DNS: true
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-CSTP-MSIE-Proxy-Lockdown: true
X-CSTP-Smartcard-Removal-Disconnect: true
X-DTLS-Session-ID: <deleted>
X-DTLS-Port: 443
X-DTLS-Keepalive: 20
X-DTLS-DPD: 30
X-CSTP-MTU: 1415
X-DTLS-MTU: 1418
X-DTLS-CipherSuite: AES128-SHA
X-CSTP-Routing-Filtering-Ignore: false
X-CSTP-Quarantine: false
X-CSTP-Disable-Always-On-VPN: false
X-CSTP-TCP-Keepalive: true
CSTP connected. DPD 30, Keepalive 20
^C
I know that I could set the default route manually, but wondered if I
misconfigured something, or had hit a bug.
I've gone back through the mailing list archives to July 2012, but
couldn't see anything that might reference this.
Cheers
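The difference the report describes can be checked mechanically: the CSTP CONNECT response carries an IPv6 X-CSTP-Address but only IPv4 X-CSTP-Split-Include prefixes, so a client that applies the usual vpnc-script rule (split-includes present: route only those; absent: default route over the tunnel) should end up with ::/0 via the tunnel interface, exactly what the AnyConnect table shows and the OpenConnect table lacks. The following added example (not code from the post, from OpenConnect or from vpnc-script) parses the headers and a netstat -6 -r dump reproduced from the post, derives the routes each family should get, and flags the missing IPv6 default route. The routing rule, the header samples and the function names are assumptions made for this illustration; the "!n" flag is read as a kernel unreachable/reject entry, which is why the lo entries do not count as a usable default route. Without that route, IPv6-only destinations are not tunneled at all: on this IPv4-only LAN they simply fail, but on an IPv6-capable LAN they would bypass the VPN.

```python
"""Derive expected CSTP tunnel routes and check for an IPv6 default route.

Added example: parses X-CSTP-* headers and `netstat -6 -r` output as
shown in the report. Names and the routing rule are assumptions.
"""
import ipaddress

# Constructed sample: the relevant headers from the CONNECT response in
# the report (addresses are the already-sanitised ones from the post).
CSTP_HEADERS = """\
X-CSTP-Address: 192.168.54.5
X-CSTP-Netmask: 255.255.255.0
X-CSTP-Address: 2001:1:2:3::1
X-CSTP-Netmask: 2001:1:2:3::1/64
X-CSTP-Split-Include: 192.168.53.0/255.255.255.0
X-CSTP-Split-Include: 10.201.253.0/255.255.255.0
X-CSTP-Split-DNS: domain.com
"""

# Constructed samples: the two IPv6 routing tables from the report.
NETSTAT_ANYCONNECT = """\
Kernel IPv6 routing table
Destination Next Hop Flag Met Ref Use If
2001:1:2:3::2/128 :: U 256 0 0 cscotun0
fe80::/64 :: U 256 0 0 cscotun0
::/0 :: U 1 0 0 cscotun0
::/0 :: !n -1 1 341 lo
::1/128 :: Un 0 1 83 lo
"""

NETSTAT_OPENCONNECT = """\
Kernel IPv6 routing table
Destination Next Hop Flag Met Ref Use If
2001:1:2:3::/64 :: U 256 0 0 vpn0
fe80::/64 :: U 256 0 0 eth1
fe80::/64 :: U 256 0 0 vpn0
::/0 :: !n -1 1 511 lo
::1/128 :: Un 0 1 84 lo
"""


def parse_headers(text):
    """Return (name, value) pairs in order, keeping repeated names."""
    pairs = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip(), value.strip()))
    return pairs


def expected_routes(headers):
    """Routes the client should install over the tunnel, per family.

    Assumed rule (modelled on vpnc-script behaviour): if the gateway sent
    split-include prefixes for a family, only those are tunneled;
    otherwise that family's default route goes over the tunnel.
    """
    addrs = {4: None, 6: None}
    split = {4: [], 6: []}
    for name, value in headers:
        if name == "X-CSTP-Address":
            ip = ipaddress.ip_address(value)
            addrs[ip.version] = ip
        elif name == "X-CSTP-Split-Include":
            # ip_network accepts both "a.b.c.d/mask" and "prefix/len"
            net = ipaddress.ip_network(value, strict=False)
            split[net.version].append(str(net))
    routes = {}
    for fam in (4, 6):
        if addrs[fam] is None:
            routes[fam] = []
        elif split[fam]:
            routes[fam] = list(split[fam])
        else:
            routes[fam] = ["::/0" if fam == 6 else "0.0.0.0/0"]
    return routes


def default_v6_route_iface(netstat_text):
    """Interface of the first usable ::/0 entry, or None if every ::/0
    entry is an unreachable/reject marker (flag contains '!')."""
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 7 or cols[0] != "::/0":
            continue
        flags, iface = cols[2], cols[-1]
        if "!" in flags:
            continue
        return iface
    return None


def check_tunnel(headers_text, netstat_text, tun_iface):
    """Compare expected IPv6 routing with the live table; return
    (expected_routes, list_of_problems)."""
    routes = expected_routes(parse_headers(headers_text))
    problems = []
    if "::/0" in routes[6]:
        iface = default_v6_route_iface(netstat_text)
        if iface != tun_iface:
            problems.append(
                f"IPv6 default route expected via {tun_iface}, found {iface}")
    return routes, problems


if __name__ == "__main__":
    for label, table, tun in (("AnyConnect", NETSTAT_ANYCONNECT, "cscotun0"),
                              ("OpenConnect", NETSTAT_OPENCONNECT, "vpn0")):
        routes, problems = check_tunnel(CSTP_HEADERS, table, tun)
        print(label, routes, problems or "OK")
```

Running the block prints the expected routes for both clients and reports a problem only for the OpenConnect table, where the sole ::/0 entries are the kernel's reject routes on lo. The same check can be run after any connect to confirm that the tunnel actually carries the traffic the gateway intended.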