vpn connection hangs with openconnect version >v5.01 after a couple of seconds...
Kaloyan Dimitrov
kaloyan.dimitrov at aviaso.com
Thu Mar 13 08:19:05 EDT 2014
Thanks for the quick response.
Regarding the routing: Removing the "10.55.1.0/24 dev tun0 scope link"
fixed my problem, thanks for your hint.
After discussing with our network administrator, he told me that Windows
clients just have the route with a higher metric.
We also noticed that the issue probably appears because the physical
network (10.55.1.0/24) is actually part of the networks behind the VPN.
If vpnc-script is improved (as it handles the routes based on
CISCO_SPLIT_INC_%d_* variables) to handle such a case (when the physical
network is part of the VPN networks) by adding a higher-metric route (similar
to how the Windows client does it), this should be just fine.
As for the openconnect problematic version indeed I corrected myself in
a reply from 03/12/2014 18:17 +0200
"Hi again, sorry, seems like v5.01 doesn't do the job as well. Same
issue exists there... "
Regards,
Kaloyan
On 03/12/2014 08:22 PM, David Woodhouse wrote:
> On Wed, 2014-03-12 at 18:07 +0200, Kaloyan Dimitrov wrote:
>> Established DTLS connection (using GnuTLS)
>>
>> CSTP Dead Peer Detection detected dead peer!
>>
>> Please advise why is this happening.
> This could be a routing issue. Obviously if we set up a default route
> that points to the VPN, we have to have a route to the *gateway* that
> still goes via the physical network.
>
> When we get that wrong, so packets for the VPN server are handed to
> openconnect and then sent out again as a packet for the VPN server... it
> doesn't really work very well.
>
> You said that 5.01 worked and 5.03 did not. Did anything *else* change?
> Like your vpnc-script, for example?
>
> If not, it shouldn't be that hard to track it down. We could use 'git
> bisect' to narrow in on the offending commit. There weren't many commits
> between 5.01 and 5.03 in fact, and my first suspect would be this one:
> http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/1fe3f43f
>
> What is the value of the $VPNGATEWAY environment variable, when you
> connect with 5.01 and with 5.03?
>
--
Kaloyan Dimitrov
Software Developer
Aviaso Inc
Huobstrasse 10 CH-8808 Pfaeffikon Switzerland
Phone: +41 55 422 0000
kaloyan.dimitrov at aviaso.com www.aviaso.com
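
The condition discussed in this thread, as an added example that is not part of the original message or of vpnc-script: a Python check that reads the split-include variables handed to vpnc-script and reports any pushed route that overlaps the physical network or covers $VPNGATEWAY. The function names, the gateway address 192.0.2.10 and the second route are constructed for illustration; the environment is assumed to carry CISCO_SPLIT_INC as the route count and a _MASKLEN value per route.

```python
import ipaddress

# Constructed sample of the environment vpnc-script receives (not captured data).
SAMPLE_ENV = {
    "VPNGATEWAY": "192.0.2.10",            # constructed gateway address
    "CISCO_SPLIT_INC": "2",                # number of split-include routes
    "CISCO_SPLIT_INC_0_ADDR": "10.55.1.0",
    "CISCO_SPLIT_INC_0_MASKLEN": "24",
    "CISCO_SPLIT_INC_1_ADDR": "10.60.0.0",  # constructed second route
    "CISCO_SPLIT_INC_1_MASKLEN": "16",
}


def split_include_routes(env):
    """Return the CISCO_SPLIT_INC_%d_* routes as ip_network objects."""
    routes = []
    for i in range(int(env.get("CISCO_SPLIT_INC", "0"))):
        addr = env[f"CISCO_SPLIT_INC_{i}_ADDR"]
        masklen = env[f"CISCO_SPLIT_INC_{i}_MASKLEN"]
        # strict=False tolerates a server that pushes host bits in the address.
        routes.append(ipaddress.ip_network(f"{addr}/{masklen}", strict=False))
    return routes


def audit(env, local_net):
    """List pushed routes that collide with the physical LAN or the gateway.

    local-overlap:   the route would be installed on tun0 for addresses that
                     are already on-link on the physical interface.
    gateway-covered: packets for the VPN server itself would match the tunnel
                     route unless a host route via the physical network exists.
    """
    local = ipaddress.ip_network(local_net, strict=False)
    gateway = ipaddress.ip_address(env["VPNGATEWAY"])
    findings = []
    for net in split_include_routes(env):
        if net.overlaps(local):
            findings.append(("local-overlap", str(net)))
        if gateway in net:
            findings.append(("gateway-covered", str(net)))
    return findings


if __name__ == "__main__":
    # Physical network taken from the thread: 10.55.1.0/24.
    for kind, route in audit(SAMPLE_ENV, "10.55.1.0/24"):
        print(f"{kind}: {route}")
```
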