IPv6 in AnyConnect for iOS

sskaje sskaje at gmail.com
Sat Dec 27 20:00:36 PST 2014


I tried:

        if (strncasecmp(req->user_agent, "Open Any", 8) == 0) {
            /* openconnect identifies itself as "Open AnyConnect VPN Agent vN.NN" */
            if (strncmp(req->user_agent, "Open AnyConnect VPN Agent v3", 28) == 0)
                req->user_agent_type = AGENT_OPENCONNECT_V3;
            else
                req->user_agent_type = AGENT_OPENCONNECT;
        } else if (strncasecmp(req->user_agent, "Cisco Any", 9) == 0) {
            /* experiment: treat Cisco AnyConnect clients as openconnect so IPv6 is sent */
            req->user_agent_type = AGENT_OPENCONNECT;
        }


The IPv6 address is recognized by AnyConnect for iOS, but with a 'null'
CIDR. I tried the changes I made in worker-auth.c, with the same result.

ocserv[28717]: worker[sskaje]: xx.xx.xx.xx:56367 ========HEADER: HTTP/1.1 200 CONNECTED
ocserv[28717]: worker[sskaje]: xx.xx.xx.xx:56367 ========HEADER: X-CSTP-Version: 1
ocserv[28717]: worker[sskaje]: xx.xx.xx.xx:56367 ========HEADER: X-Server-Version: ocserv 0.8.9
ocserv[28717]: worker[sskaje]: xx.xx.xx.xx:56367 suggesting DPD of 90 secs
ocserv[28717]: worker[sskaje]: xx.xx.xx.xx:56367 ========HEADER: X-CSTP-DPD: 90
ocserv[28717]: worker[sskaje]: xx.xx.xx.xx:56367 ========HEADER: X-CSTP-Default-Domain: sskaje.me
ocserv[28717]: worker[sskaje]: xx.xx.xx.xx:56367 sending IPv4 192.168.122.199
ocserv[28717]: worker[sskaje]: xx.xx.xx.xx:56367 ========HEADER: X-CSTP-Address: 192.168.122.199
ocserv[28717]: worker[sskaje]: xx.xx.xx.xx:56367 ========HEADER: X-CSTP-Netmask: 255.255.255.0
ocserv[28717]: worker[sskaje]: xx.xx.xx.xx:56367 sending IPv6 2400:8900:e000:xxxx:xxxx:2f:f9e5:c701
ocserv[28717]: worker[sskaje]: xx.xx.xx.xx:56367 ========HEADER: X-CSTP-Address: 2400:8900:e000:xxxx:xxxx:2f:f9e5:c701
ocserv[28717]: worker[sskaje]: xx.xx.xx.xx:56367 ========HEADER: X-CSTP-DNS: 8.8.8.8
ocserv[28717]: worker[sskaje]: xx.xx.xx.xx:56367 ========HEADER: X-CSTP-DNS: 8.8.8.8
ocserv[28717]: worker[sskaje]: xx.xx.xx.xx:56367 ========HEADER: X-CSTP-DNS: 8.8.4.4
ocserv[28717]: worker[sskaje]: xx.xx.xx.xx:56367 ========HEADER: X-CSTP-Keepalive: 32400
ocserv[28717]: worker[sskaje]: xx.xx.xx.xx:56367 ========HEADER: X-CSTP-Idle-Timeout: none
ocserv[28717]: worker[sskaje]: xx.xx.xx.xx:56367 ========HEADER: X-CSTP-Smartcard-Removal-Disconnect: true
ocserv[28717]: worker[sskaje]: xx.xx.xx.xx:56367 ========HEADER: X-CSTP-Rekey-Time: 172800
ocserv[28717]: worker[sskaje]: xx.xx.xx.xx:56367 ========HEADER: X-CSTP-Rekey-Method: ssl
ocserv[28717]: worker[sskaje]: xx.xx.xx.xx:56367 ========HEADER: X-CSTP-Session-Timeout: none


Here is the debug log from AnyConnect:
[12-28-14 11:56:22:950] AnyConnectDataAgent: Current Profile:
profile.xml Received VPN Session Configuration Settings:  Keep
Installed: enabled  Rekey Method: handshake  Proxy Setting: do not
modify  Proxy Server: none  Proxy PAC URL: none  Proxy Exceptions:
none  Proxy Lockdown: enabled  Split Exclude: disabled  Split Include:
disabled  Split DNS: disabled  Tunnel all DNS: disabled  Local LAN
Wildcard: disabled  Firewall Rules: none  Client Address:
192.168.122.199  Client Mask: 255.255.255.0  Client IPv6 Address:
2400:8900:E000:XXXX:XXXX:2F:F9E5:C701  Client IPv6 Mask: unknown  MTU:
1293  TLS Compression: disabled  TLS Keep Alive: 32400 seconds  TLS
Rekey Interval: 172800 seconds  TLS DPD: 90 seconds  DTLS: enabled
DTLS Compression: disabled  DTLS Keep Alive: 32400 seconds  DTLS Rekey
Interval: 172810 seconds  DTLS DPD: 90 seconds  Session Timeout: 0
seconds  Disconnect Timeout: 0 seconds  Idle Timeout: 0 seconds
Server: unknown  MUS Host: unknown  DAP User Message: none  Quarantine
State: unknown  Always On VPN: unknown  Lease Duration: none  Default
Domain: sskaje.me  Home page: unknown  Smart Card Removal Disconnect:
enabled  License Response: accept
...
[12-28-14 11:56:22:960] AnyConnectDataAgent: Function: enableHostMgr
File: /tmp/build/thehoff/DaVinci_MR120.647307753904/DaVinci_MR12/vpn/ApplePlugins/Agent/TunTapMgr.cpp
Line: 2842 about to enable tuntap: v4 192.168.122.199/255.255.255.0
(fake ? no); v6 2400:8900:E000:XXXX:XXXX:2F:F9E5:C701/null (fake ? no)




sskaje at gmail.com
https://sskaje.me/


On Sat, Dec 27, 2014 at 4:55 PM, Nikos Mavrogiannopoulos
<nmav at gnutls.org> wrote:
> On Fri, 2014-12-26 at 18:25 +0000, David Woodhouse wrote:
>> On Fri, 2014-12-26 at 20:18 +0200, Nikos Mavrogiannopoulos wrote:
>> >
>> > Hi,
>> >  The logic as it is now for ocserv worker is to send IPv6 addresses if
>> > the client is openconnect or the client has sent the header
>> > "X-CSTP-Full-IPv6-Capability: true". That is because cisco's clients
>> > didn't properly handle IPv6 if they didn't send that header.
>>
>> Really? Or do they just expect different headers and handle things
>> differently. We seemed to have IPv6 support, and it was deployed at UCB
>> (where I briefly had an account to test OpenConnect with IPv6) a *long*
>> time before X-CSTP-Full-IPv6-Capability came about.
>
> I have disabled IPv6 support in anyconnect clients because I have had no
> opportunity to test them. If sskaje verifies that they work if they are
> treated as being openconnect, I'll enable it there as well.
>
> regards,
> Nikos
>
>

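The decision rule Nikos describes above (send IPv6 configuration to openconnect clients, or to any client that sent "X-CSTP-Full-IPv6-Capability: true"), together with the experiment of treating Cisco clients as openconnect, written out as an added C example. This is not ocserv's code: the struct, the AGENT_ANYCONNECT value, the helper names and the sample User-Agent strings are all constructed for the example. Prefix matching uses strlen() of the literal instead of hand-counted lengths like the 8 and 28 in the posted snippet, which is where such checks usually go wrong.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Agent types; the OPENCONNECT names mirror the snippet in this thread,
 * AGENT_ANYCONNECT is an assumption added for this example. */
enum agent_type {
    AGENT_UNKNOWN = 0,
    AGENT_OPENCONNECT,
    AGENT_OPENCONNECT_V3,
    AGENT_ANYCONNECT
};

/* Hypothetical request struct with only the fields the rule needs. */
struct req {
    const char *user_agent;
    bool full_ipv6_header;  /* client sent X-CSTP-Full-IPv6-Capability: true */
};

/* Case-insensitive prefix test; the length comes from the literal itself,
 * so the check cannot drift from the string it compares against. */
static bool has_prefix_ci(const char *s, const char *prefix)
{
    if (s == NULL || prefix == NULL)
        return false;
    return strncasecmp(s, prefix, strlen(prefix)) == 0;
}

/* Classify a User-Agent value. The most specific prefix is tested first. */
enum agent_type classify_agent(const char *ua)
{
    if (has_prefix_ci(ua, "Open AnyConnect VPN Agent v3"))
        return AGENT_OPENCONNECT_V3;
    if (has_prefix_ci(ua, "Open AnyConnect"))
        return AGENT_OPENCONNECT;
    if (has_prefix_ci(ua, "Cisco AnyConnect"))
        return AGENT_ANYCONNECT;
    return AGENT_UNKNOWN;
}

/* Parse one request header line; true only for
 * "X-CSTP-Full-IPv6-Capability: true" (value compared case-insensitively,
 * trailing CR/LF tolerated, "trueish" rejected). */
bool parse_full_ipv6_header(const char *line)
{
    static const char name[] = "X-CSTP-Full-IPv6-Capability:";
    if (!has_prefix_ci(line, name))
        return false;
    const char *v = line + strlen(name);
    while (*v == ' ' || *v == '\t')
        v++;
    if (strncasecmp(v, "true", 4) != 0)
        return false;
    return v[4] == '\0' || v[4] == '\r' || v[4] == '\n' || v[4] == ' ';
}

/* The rule from the thread: IPv6 goes to openconnect clients or to clients
 * that advertised full IPv6 capability. treat_anyconnect_as_openconnect
 * reproduces the experiment of mapping Cisco clients to AGENT_OPENCONNECT. */
bool should_send_ipv6(const struct req *r, bool treat_anyconnect_as_openconnect)
{
    enum agent_type t = classify_agent(r->user_agent);
    if (t == AGENT_OPENCONNECT || t == AGENT_OPENCONNECT_V3)
        return true;
    if (t == AGENT_ANYCONNECT && treat_anyconnect_as_openconnect)
        return true;
    return r->full_ipv6_header;
}

int main(void)
{
    /* Constructed sample clients; the strings are not captured values. */
    struct req clients[] = {
        { "Open AnyConnect VPN Agent v3.18", false },
        { "Open AnyConnect VPN Agent v7.00", false },
        { "Cisco AnyConnect VPN Agent for Apple iOS 4.0", false },
        { "Cisco AnyConnect VPN Agent for Apple iOS 4.0", true },
        { "Mozilla/5.0", false },
    };
    for (size_t i = 0; i < sizeof clients / sizeof clients[0]; i++)
        printf("%-45s type=%d ipv6(default)=%d ipv6(experiment)=%d\n",
               clients[i].user_agent, classify_agent(clients[i].user_agent),
               should_send_ipv6(&clients[i], false),
               should_send_ipv6(&clients[i], true));
    return 0;
}
```

With the default rule the Cisco iOS client only gets IPv6 when it sent the capability header; with the experiment flag it gets IPv6 regardless, which is the configuration under which the 'null' IPv6 mask above was observed.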