ocserv: config-per-group not read if group comes from certificate
Norbert Paschedag
noe at physik.uzh.ch
Thu Sep 25 02:32:40 PDT 2014
On Wed, 24 Sep 2014, Nikos Mavrogiannopoulos wrote:
> On Wed, Sep 24, 2014 at 2:41 PM, Norbert Paschedag <noe at physik.uzh.ch> wrote:
>> Hi,
>> I'm trying to set up ocserv so it can be used by anyconnect users.
>> Authentication is done via certificates and passwords (via pam).
>> The group is determined from the cert DN and there's no group selector
>> (although anyconnect displays the group).
>> Both user and group are correctly shown in the debug output:
>> ocserv[12766]: sec-mod: auth init for user 'testuser' (group: 'vpntest')
>> from '192.168.2.13'
>
>> The config-per-group files, however, are not being read at all and it
>> seems that the proc->groupname seen in get_sup_config() is empty.
>> config-per-user _is_ read correctly.
>
> Hi,
> Could you elaborate on the scenario at hand. Do you have both a config
> per user and config per group, and both should be read for this particular user?
The original idea was to have per-group configs only. But after seeing
they're not read, I tried per-user configs as well. Only the per-user
configs are ever read.
> What is the log (with debugging) output when that user connects?
>
> If both apply, ocserv should load the group configuration, and then the user
> configuration will override it.
Ok, log obtained from 'ocserv -f -d 6' is attached below.
Both the files /etc/ocserv/config-per-group/vpntest and /etc/ocserv/config-per-group/testuser
exist and contain the route shown in the log at line 202.
Regards,
Norbert
001 listening (TCP) on 192.168.2.66:443...
002 listening (UDP) on 192.168.2.66:443...
003 ocserv[16604]: main: initialized ocserv 0.8.4
004 ocserv[16606]: sec-mod: sec-mod initialized (socket: /etc/ocserv/chroot///var/run/ocserv-socket.16604)
005 ocserv[16604]: error connecting to sec-mod socket '/var/run/ocserv-socket.16604': No such file or directory
006 ocserv[16604]: main: processed 1 CA certificate(s)
007 ocserv[16604]: main: putting process 16607 to cgroup 'cpuset:test'
008 ocserv[16604]: main: main-misc.c:743: cannot open: /sys/fs/cgroup/cpuset/test/tasks
009 ocserv[16607]: worker: 192.168.2.13:43912 accepted connection
010 ocserv[16607]: worker: 192.168.2.13:43912 client certificate verification succeeded
011 ocserv[16606]: sec-mod: received request from pid 16607 and uid 99
012 ocserv[16606]: sec-mod: cmd [size=261] sm: decrypt
013 ocserv[16607]: worker: 192.168.2.13:43912 sending message 'resume data store request' to main
014 ocserv[16607]: worker: 192.168.2.13:43912 TLS handshake completed
015 ocserv[16604]: main: 192.168.2.13:43912 main received message 'resume data store request' of 2419 bytes
016 ocserv[16604]: main: 192.168.2.13:43912 TLS session DB storing 24ad4a81ce0f677f6474aee1e5359150bb0aa28cc7e9ff6e8218b273e2daeb82
017 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: User-Agent: AnyConnect Linux_64 3.1.05170
018 ocserv[16607]: worker: 192.168.2.13:43912 User-agent: 'AnyConnect Linux_64 3.1.05170'
019 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: Accept: */*
020 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: Accept-Encoding: identity
021 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: X-Transcend-Version: 1
022 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: X-Aggregate-Auth: 1
023 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: X-AnyConnect-Platform: linux-64
024 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: Connection: close
025 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: Host: vpn2
026 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: Content-Length: 289
027 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: Content-Type: application/x-www-form-urlencoded
028 ocserv[16607]: worker: 192.168.2.13:43912 HTTP POST /
029 ocserv[16607]: worker: 192.168.2.13:43912 POST body: '<?xml version="1.0" encoding="UTF-8"?>
030 <config-auth client="vpn" type="init" aggregate-auth-version="2">
031 <version who="vpn">3.1.05170</version>
032 <device-id>linux-64</device-id>
033 <group-select>vpntest</group-select>
034 <group-access>https://vpn2</group-access>
035 </config-auth>
036 '
037 ocserv[16607]: worker: 192.168.2.13:43912 cannot find 'username' in client XML message
038 ocserv[16607]: worker: 192.168.2.13:43912 failed reading username
039 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: User-Agent: AnyConnect Linux_64 3.1.05170
040 ocserv[16607]: worker: 192.168.2.13:43912 User-agent: 'AnyConnect Linux_64 3.1.05170'
041 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: Accept: */*
042 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: Accept-Encoding: identity
043 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: X-Transcend-Version: 1
044 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: X-Aggregate-Auth: 1
045 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: X-AnyConnect-Platform: linux-64
046 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: Host: vpn2
047 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: Content-Length: 36
048 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: Content-Type: application/x-www-form-urlencoded
049 ocserv[16607]: worker: 192.168.2.13:43912 HTTP POST /auth
050 ocserv[16607]: worker: 192.168.2.13:43912 POST body: 'group_list=vpntest&username=testuser'
051 ocserv[16607]: worker: 192.168.2.13:43912 cannot find 'group%5flist' in client message
052 ocserv[16607]: worker: 192.168.2.13:43912 sending message 'sm: auth init' to secmod
053 ocserv[16606]: sec-mod: received request from pid 16607 and uid 99
054 ocserv[16606]: sec-mod: cmd [size=59] sm: auth init
055 ocserv[16606]: sec-mod: auth init for user 'testuser' (group: 'vpntest') from '192.168.2.13'
056 ocserv[16607]: worker: 192.168.2.13:43912 received auth reply message (value: 2)
057 ocserv[16607]: worker: 192.168.2.13:43912 continuing authentication for 'testuser'
058 ocserv[16607]: worker: 192.168.2.13:43912 sent sid: 9XNKjjbHsm/CvxQu
059 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: User-Agent: AnyConnect Linux_64 3.1.05170
060 ocserv[16607]: worker: 192.168.2.13:43912 User-agent: 'AnyConnect Linux_64 3.1.05170'
061 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: Accept: */*
062 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: Accept-Encoding: identity
063 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: Cookie: webvpncontext=9XNKjjbHsm/CvxQu
064 ocserv[16607]: worker: 192.168.2.13:43912 received sid: 9XNKjjbHsm/CvxQu
065 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: X-Transcend-Version: 1
066 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: X-Aggregate-Auth: 1
067 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: X-AnyConnect-Platform: linux-64
068 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: Host: vpn2
069 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: Content-Length: 18
070 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: Content-Type: application/x-www-form-urlencoded
071 ocserv[16607]: worker: 192.168.2.13:43912 HTTP POST /auth
072 ocserv[16607]: worker: 192.168.2.13:43912 POST body: 'password=XXXX'
073 ocserv[16607]: worker: 192.168.2.13:43912 sending message 'sm: auth cont' to secmod
074 ocserv[16606]: sec-mod: received request from pid 16607 and uid 99
075 ocserv[16606]: sec-mod: cmd [size=27] sm: auth cont
076 ocserv[16606]: sec-mod: auth cont for user 'testuser'
077 ocserv[16606]: pam_krb5[16606]: error reading keytab 'FILE:/etc/krb5.keytab'
078 ocserv[16606]: pam_krb5[16606]: TGT verified
079 ocserv[16606]: pam_krb5[16606]: authentication succeeds for 'testuser' (testuser at MYREALM)
080 ocserv[16606]: sec-mod: auth deinit for user 'testuser'
081 ocserv[16607]: worker: 192.168.2.13:43912 received auth reply message (value: 1)
082 ocserv[16607]: worker: 192.168.2.13:43912 user 'testuser' obtained cookie
083 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: User-Agent: AnyConnect Linux_64 3.1.05170
084 ocserv[16607]: worker: 192.168.2.13:43912 User-agent: 'AnyConnect Linux_64 3.1.05170'
085 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: Accept: */*
086 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: Accept-Encoding: identity
087 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: Cookie: webvpnc=bu:/&p:t&iu:1/&sh:DCA943A4171DCB665B8D9C8446D758DC7C7ECE63&lu:/+CSCOT+/translation-table?textdomain%3DAnyConnect%26type%3Dmanifest&fu:profiles%2F/etc/ocserv/userprofile.xml&fh:5D18881D36B7521A0FE1A55503385F80AD25BD5C; webvpn=j2XNckFotMbwGjJo5Ma6LlOYvnO+o3EPgfYRxVrkDYztgbwQeMTLbpLiPhJALMLM/2ORMeHcm+9nT5I+chCf7DfxfeFvGJ4IAutsqr7qLIo8e0uDMp0uzWpRfh8i7IJNCUf/eIJTO5QB2l3QoO42PWNyRJR5Gshr; webvpncontext=9XNKjjbHsm/CvxQu; webvpn=j2XNckFotMbwGjJo5Ma6LlOYvnO+o3EPgfYRxVrkDYztgbwQeMTLbpLiPhJALML
088 ocserv[16607]: worker: 192.168.2.13:43912 received sid: 9XNKjjbHsm/CvxQu
089 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: X-Transcend-Version: 1
090 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: X-Aggregate-Auth: 1
091 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: X-AnyConnect-Platform: linux-64
092 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: Host: vpn2
093 ocserv[16607]: worker: 192.168.2.13:43912 HTTP GET /1/index.html
094 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: User-Agent: AnyConnect Linux_64 3.1.05170
095 ocserv[16607]: worker: 192.168.2.13:43912 User-agent: 'AnyConnect Linux_64 3.1.05170'
096 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: Accept: */*
097 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: Accept-Encoding: identity
098 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: Cookie: webvpnc=bu:/&p:t&iu:1/&sh:DCA943A4171DCB665B8D9C8446D758DC7C7ECE63&lu:/+CSCOT+/translation-table?textdomain%3DAnyConnect%26type%3Dmanifest&fu:profiles%2F/etc/ocserv/userprofile.xml&fh:5D18881D36B7521A0FE1A55503385F80AD25BD5C; webvpn=j2XNckFotMbwGjJo5Ma6LlOYvnO+o3EPgfYRxVrkDYztgbwQeMTLbpLiPhJALMLM/2ORMeHcm+9nT5I+chCf7DfxfeFvGJ4IAutsqr7qLIo8e0uDMp0uzWpRfh8i7IJNCUf/eIJTO5QB2l3QoO42PWNyRJR5Gshr; webvpncontext=9XNKjjbHsm/CvxQu; webvpn=j2XNckFotMbwGjJo5Ma6LlOYvnO+o3EPgfYRxVrkDYztgbwQeMTLbpLiPhJALML
099 ocserv[16607]: worker: 192.168.2.13:43912 received sid: 9XNKjjbHsm/CvxQu
100 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: X-Transcend-Version: 1
101 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: X-Aggregate-Auth: 1
102 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: X-AnyConnect-Platform: linux-64
103 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: Host: vpn2
104 ocserv[16607]: worker: 192.168.2.13:43912 HTTP GET /1/Linux_64
105 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: User-Agent: AnyConnect Linux_64 3.1.05170
106 ocserv[16607]: worker: 192.168.2.13:43912 User-agent: 'AnyConnect Linux_64 3.1.05170'
107 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: Accept: */*
108 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: Accept-Encoding: identity
109 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: Cookie: webvpnc=bu:/&p:t&iu:1/&sh:DCA943A4171DCB665B8D9C8446D758DC7C7ECE63&lu:/+CSCOT+/translation-table?textdomain%3DAnyConnect%26type%3Dmanifest&fu:profiles%2F/etc/ocserv/userprofile.xml&fh:5D18881D36B7521A0FE1A55503385F80AD25BD5C; webvpn=j2XNckFotMbwGjJo5Ma6LlOYvnO+o3EPgfYRxVrkDYztgbwQeMTLbpLiPhJALMLM/2ORMeHcm+9nT5I+chCf7DfxfeFvGJ4IAutsqr7qLIo8e0uDMp0uzWpRfh8i7IJNCUf/eIJTO5QB2l3QoO42PWNyRJR5Gshr; webvpncontext=9XNKjjbHsm/CvxQu; webvpn=j2XNckFotMbwGjJo5Ma6LlOYvnO+o3EPgfYRxVrkDYztgbwQeMTLbpLiPhJALML
110 ocserv[16607]: worker: 192.168.2.13:43912 received sid: 9XNKjjbHsm/CvxQu
111 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: X-Transcend-Version: 1
112 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: X-Aggregate-Auth: 1
113 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: X-AnyConnect-Platform: linux-64
114 ocserv[16607]: worker: 192.168.2.13:43912 HTTP: Host: vpn2
115 ocserv[16607]: worker: 192.168.2.13:43912 HTTP GET /1/binaries/update.txt
116 ocserv[16607]: worker: 192.168.2.13:43912 requested fixed string: /1/binaries/update.txt
117 ocserv[16604]: main: putting process 16615 to cgroup 'cpuset:test'
118 ocserv[16604]: main: main-misc.c:743: cannot open: /sys/fs/cgroup/cpuset/test/tasks
119 ocserv[16615]: worker: 192.168.2.13:43914 accepted connection
120 ocserv[16615]: worker: 192.168.2.13:43914 tlslib.c:282: error verifying client certificate: No certificate was found.
121 ocserv[16606]: sec-mod: received request from pid 16615 and uid 99
122 ocserv[16606]: sec-mod: cmd [size=261] sm: decrypt
123 ocserv[16615]: worker: 192.168.2.13:43914 sending message 'resume data store request' to main
124 ocserv[16615]: worker: 192.168.2.13:43914 TLS handshake completed
125 ocserv[16604]: main: 192.168.2.13:43914 main received message 'resume data store request' of 277 bytes
126 ocserv[16604]: main: 192.168.2.13:43914 TLS session DB storing 13f5c642fdfd407a1ac364ed76186120fa82f9be89a5b75315393f78b936c0d3
127 ocserv[16615]: worker: 192.168.2.13:43914 HTTP: User-Agent: AnyConnect Downloader 3.1.05170
128 ocserv[16615]: worker: 192.168.2.13:43914 User-agent: 'AnyConnect Downloader 3.1.05170'
129 ocserv[16615]: worker: 192.168.2.13:43914 HTTP: Accept: */*
130 ocserv[16615]: worker: 192.168.2.13:43914 HTTP: Cookie: webvpn=j2XNckFotMbwGjJo5Ma6LlOYvnO+o3EPgfYRxVrkDYztgbwQeMTLbpLiPhJALMLM/2ORMeHcm+9nT5I+chCf7DfxfeFvGJ4IAutsqr7qLIo8e0uDMp0uzWpRfh8i7IJNCUf/eIJTO5QB2l3QoO42PWNyRJR5Gshr
131 ocserv[16615]: worker: 192.168.2.13:43914 HTTP: Host: vpn2
132 ocserv[16615]: worker: 192.168.2.13:43914 HTTP GET /1/VPNManifest.xml
133 ocserv[16615]: worker: 192.168.2.13:43914 requested fixed string: /1/VPNManifest.xml
134 ocserv[16615]: worker: 192.168.2.13:43914 HTTP: User-Agent: AnyConnect Downloader 3.1.05170
135 ocserv[16615]: worker: 192.168.2.13:43914 User-agent: 'AnyConnect Downloader 3.1.05170'
136 ocserv[16615]: worker: 192.168.2.13:43914 HTTP: Accept: */*
137 ocserv[16615]: worker: 192.168.2.13:43914 HTTP: Cookie: webvpn=j2XNckFotMbwGjJo5Ma6LlOYvnO+o3EPgfYRxVrkDYztgbwQeMTLbpLiPhJALMLM/2ORMeHcm+9nT5I+chCf7DfxfeFvGJ4IAutsqr7qLIo8e0uDMp0uzWpRfh8i7IJNCUf/eIJTO5QB2l3QoO42PWNyRJR5Gshr
138 ocserv[16615]: worker: 192.168.2.13:43914 HTTP: Host: vpn2
139 ocserv[16615]: worker: 192.168.2.13:43914 HTTP GET /+CSCOT+/translation-table?type=combined-manifest&textdomain=AnyConnect
140 ocserv[16615]: worker: 192.168.2.13:43914 unexpected URL /+CSCOT+/translation-table?type=combined-manifest&textdomain=AnyConnect
141 ocserv[16604]: main: 192.168.2.13:43914 main-misc.c:414: command socket closed
142 ocserv[16604]: main: 192.168.2.13:43914 removing client '' with id '16615'
143 ocserv[16604]: main: putting process 16616 to cgroup 'cpuset:test'
144 ocserv[16604]: main: main-misc.c:743: cannot open: /sys/fs/cgroup/cpuset/test/tasks
145 ocserv[16616]: worker: 192.168.2.13:43915 accepted connection
146 ocserv[16616]: worker: 192.168.2.13:43915 sending message 'resume data fetch request' to main
147 ocserv[16604]: main: 192.168.2.13:43915 main received message 'resume data fetch request' of 34 bytes
148 ocserv[16604]: main: 192.168.2.13:43915 TLS session DB resuming 13f5c642fdfd407a1ac364ed76186120fa82f9be89a5b75315393f78b936c0d3
149 ocserv[16604]: main: 192.168.2.13:43915 sending message 'resume data fetch reply' to worker
150 ocserv[16616]: worker: 192.168.2.13:43915 tlslib.c:282: error verifying client certificate: No certificate was found.
151 ocserv[16616]: worker: 192.168.2.13:43915 TLS handshake completed
152 ocserv[16616]: worker: 192.168.2.13:43915 HTTP: User-Agent: AnyConnect Downloader 3.1.05170
153 ocserv[16616]: worker: 192.168.2.13:43915 User-agent: 'AnyConnect Downloader 3.1.05170'
154 ocserv[16616]: worker: 192.168.2.13:43915 HTTP: Accept: */*
155 ocserv[16616]: worker: 192.168.2.13:43915 HTTP: Cookie: webvpn=j2XNckFotMbwGjJo5Ma6LlOYvnO+o3EPgfYRxVrkDYztgbwQeMTLbpLiPhJALMLM/2ORMeHcm+9nT5I+chCf7DfxfeFvGJ4IAutsqr7qLIo8e0uDMp0uzWpRfh8i7IJNCUf/eIJTO5QB2l3QoO42PWNyRJR5Gshr
156 ocserv[16616]: worker: 192.168.2.13:43915 HTTP: Host: vpn2
157 ocserv[16616]: worker: 192.168.2.13:43915 HTTP GET /+CSCOT+/oem-customization?app=AnyConnect&type=manifest&platform=linux-64
158 ocserv[16616]: worker: 192.168.2.13:43915 unexpected URL /+CSCOT+/oem-customization?app=AnyConnect&type=manifest&platform=linux-64
159 ocserv[16604]: main: 192.168.2.13:43915 main-misc.c:414: command socket closed
160 ocserv[16604]: main: 192.168.2.13:43915 removing client '' with id '16616'
161 ocserv[16604]: main: putting process 16617 to cgroup 'cpuset:test'
162 ocserv[16604]: main: main-misc.c:743: cannot open: /sys/fs/cgroup/cpuset/test/tasks
163 ocserv[16617]: worker: 192.168.2.13:43917 accepted connection
164 ocserv[16617]: worker: 192.168.2.13:43917 tlslib.c:282: error verifying client certificate: No certificate was found.
165 ocserv[16606]: sec-mod: received request from pid 16617 and uid 99
166 ocserv[16606]: sec-mod: cmd [size=261] sm: decrypt
167 ocserv[16617]: worker: 192.168.2.13:43917 sending message 'resume data store request' to main
168 ocserv[16617]: worker: 192.168.2.13:43917 TLS handshake completed
169 ocserv[16604]: main: 192.168.2.13:43917 main received message 'resume data store request' of 277 bytes
170 ocserv[16604]: main: 192.168.2.13:43917 TLS session DB storing 8ba1750d0a8ed807fe9c34931088b9f4aaf51bd7ec528601a31094c874e7391a
171 ocserv[16617]: worker: 192.168.2.13:43917 HTTP: Host: vpn2
172 ocserv[16617]: worker: 192.168.2.13:43917 HTTP: User-Agent: Cisco AnyConnect VPN Agent for Linux 3.1.05170
173 ocserv[16617]: worker: 192.168.2.13:43917 User-agent: 'Cisco AnyConnect VPN Agent for Linux 3.1.05170'
174 ocserv[16617]: worker: 192.168.2.13:43917 HTTP: Cookie: webvpn=j2XNckFotMbwGjJo5Ma6LlOYvnO+o3EPgfYRxVrkDYztgbwQeMTLbpLiPhJALMLM/2ORMeHcm+9nT5I+chCf7DfxfeFvGJ4IAutsqr7qLIo8e0uDMp0uzWpRfh8i7IJNCUf/eIJTO5QB2l3QoO42PWNyRJR5Gshr
175 ocserv[16617]: worker: 192.168.2.13:43917 HTTP: X-CSTP-Version: 1
176 ocserv[16617]: worker: 192.168.2.13:43917 HTTP: X-CSTP-Hostname: vpntest
177 ocserv[16617]: worker: 192.168.2.13:43917 HTTP: X-CSTP-MTU: 1399
178 ocserv[16617]: worker: 192.168.2.13:43917 HTTP: X-CSTP-Address-Type: IPv6,IPv4
179 ocserv[16617]: worker: 192.168.2.13:43917 HTTP: X-CSTP-Local-Address-IP4: 192.168.122.135
180 ocserv[16617]: worker: 192.168.2.13:43917 HTTP: X-CSTP-Base-MTU: 1500
181 ocserv[16617]: worker: 192.168.2.13:43917 HTTP: X-CSTP-Remote-Address-IP4: 192.168.2.66
182 ocserv[16617]: worker: 192.168.2.13:43917 HTTP: X-CSTP-Full-IPv6-Capability: false
183 ocserv[16617]: worker: 192.168.2.13:43917 HTTP: X-DTLS-Master-Secret: C1C5BCF3D71DC77692E3A0680DB4D31A57E2CDA3903945C853E0EEDF8CD31D440278790DFF4A9DA467B1FDB48BAA9A35
184 ocserv[16617]: worker: 192.168.2.13:43917 HTTP: X-DTLS-CipherSuite: AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA
185 ocserv[16617]: worker: 192.168.2.13:43917 HTTP: X-DTLS-Accept-Encoding: lzs
186 ocserv[16617]: worker: 192.168.2.13:43917 HTTP: X-DTLS-Header-Pad-Length: 0
187 ocserv[16617]: worker: 192.168.2.13:43917 HTTP: X-CSTP-Accept-Encoding: lzs
188 ocserv[16617]: worker: 192.168.2.13:43917 HTTP: X-CSTP-Protocol: Copyright (c) 2004 Cisco Systems, Inc.
189 ocserv[16617]: worker: 192.168.2.13:43917 HTTP CONNECT /CSCOSSLC/tunnel
190 ocserv[16617]: worker: 192.168.2.13:43917 sending message 'auth cookie request' to main
191 ocserv[16604]: main: 192.168.2.13:43917 main received message 'auth cookie request' of 124 bytes
192 ocserv[16604]: Loading user configuration '/etc/ocserv/config-per-user//testuser'
193 ocserv[16604]: main: 192.168.2.13:43917 new cookie for 'testuser' (16617)
194 ocserv[16604]: main: 192.168.2.13:43917 accepting user 'testuser'
195 ocserv[16604]: main: 192.168.2.13:43917 selected IP for 'testuser': 10.42.5.52
196 ocserv[16604]: main: pinged 10.42.5.52 and 10.42.5.53 and are not in use
197 ocserv[16604]: main: 192.168.2.13:43917 assigned IPv4 to 'testuser': 10.42.5.53
198 ocserv[16604]: main: 192.168.2.13:43917 assigning tun device vpns0
199 ocserv[16604]: main: 192.168.2.13:43917 user 'testuser' of group 'vpntest' authenticated (using cookie)
200 ocserv[16620]: main: 192.168.2.13:43917 executing script /etc/vpn/scripts/connect
201 ocserv[16604]: main: 192.168.2.13:43917 connect-script exit status: 0
202 ocserv[16604]: main: 192.168.2.13:43917 sending route '10.9.0.0/255.255.0.0'
203 ocserv[16604]: main: 192.168.2.13:43917 sending (socket) message 2 to worker
204 ocserv[16617]: worker: 192.168.2.13:43917 received auth reply message (value: 1)
205 ocserv[16617]: worker: 192.168.2.13:43917 suggesting DPD of 90 secs
206 ocserv[16617]: worker: 192.168.2.13:43917 sending IPv4 10.42.5.53
207 ocserv[16617]: worker: 192.168.2.13:43917 adding private route 10.9.0.0/255.255.0.0
208 ocserv[16617]: worker: 192.168.2.13:43917 peer's base MTU is 1500
209 ocserv[16617]: worker: 192.168.2.13:43917 TCP MSS is 1435
210 ocserv[16617]: worker: 192.168.2.13:43917 reducing MTU due to TCP MSS to 1435
211 ocserv[16617]: worker: 192.168.2.13:43917 CSTP Base MTU is 1435 bytes
212 ocserv[16617]: worker: 192.168.2.13:43917 DTLS ciphersuite: AES128-SHA
213 ocserv[16617]: worker: 192.168.2.13:43917 DTLS overhead is 94
214 ocserv[16617]: worker: 192.168.2.13:43917 suggesting DTLS MTU 1341
215 ocserv[16617]: worker: 192.168.2.13:43917 sending message 'tun mtu change' to main
216 ocserv[16617]: worker: 192.168.2.13:43917 setting MTU to 1341
217 ocserv[16604]: main: 192.168.2.13:43917 main received message 'tun mtu change' of 3 bytes
218 ocserv[16604]: main: 192.168.2.13:43917 setting vpns0 MTU to 1341
219 ocserv[16617]: worker: 192.168.2.13:43917 sending message 'session info' to main
220 ocserv[16604]: main: 192.168.2.13:43917 main received message 'session info' of 97 bytes
221 ocserv[16604]: main: 192.168.2.13:43912 main-misc.c:414: command socket closed
222 ocserv[16604]: main: 192.168.2.13:43912 removing client '' with id '16607'
223 ocserv[16617]: worker: 192.168.2.13:43917 received 61 byte(s) (TLS)
224 ocserv[16617]: worker: 192.168.2.13:43917 received BYE packet; exiting
225 ocserv[16617]: worker: 192.168.2.13:43917 sending message 'cli stats' to main
226 ocserv[16617]: worker: 192.168.2.13:43917 sending stats (in: 0, out: 0) to main
227 ocserv[16604]: main: 192.168.2.13:43917 main received message 'cli stats' of 4 bytes
228 ocserv[16604]: main: 192.168.2.13:43917 main-misc.c:414: command socket closed
229 ocserv[16604]: main: 192.168.2.13:43917 removing client 'testuser' with id '16617'
230 ocserv[16639]: main: 192.168.2.13:43917 executing script /etc/vpn/scripts/disconnect
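As an added check that is not part of this thread or of ocserv itself, the script below scans an ocserv debug log for the symptom reported above: a user whose group both sec-mod and main report, but for whom main loaded no file under config-per-group. The sample lines are reduced from the log in this mail; the "Loading group configuration" message in the healthy sample is an assumption about how a group file would be logged, modelled on the "Loading user configuration" line that does appear.

```python
import os
import re
from typing import Dict, List, Tuple

# Constructed sample, reduced from the debug log in the report to the lines
# this check needs (same messages and names as lines 055, 192 and 199).
BUGGY_LOG = """\
ocserv[16606]: sec-mod: auth init for user 'testuser' (group: 'vpntest') from '192.168.2.13'
ocserv[16604]: Loading user configuration '/etc/ocserv/config-per-user//testuser'
ocserv[16604]: main: 192.168.2.13:43917 user 'testuser' of group 'vpntest' authenticated (using cookie)
"""

# Constructed healthy counterpart; the group line is an ASSUMED message format.
HEALTHY_LOG = """\
ocserv[16606]: sec-mod: auth init for user 'testuser' (group: 'vpntest') from '192.168.2.13'
ocserv[16604]: Loading group configuration '/etc/ocserv/config-per-group//vpntest'
ocserv[16604]: Loading user configuration '/etc/ocserv/config-per-user//testuser'
ocserv[16604]: main: 192.168.2.13:43917 user 'testuser' of group 'vpntest' authenticated (using cookie)
"""

AUTH_INIT_RE = re.compile(r"auth init for user '([^']+)' \(group: '([^']*)'\)")
AUTHED_RE = re.compile(r"user '([^']+)' of group '([^']*)' authenticated")
LOAD_RE = re.compile(r"Loading (user|group) configuration '([^']+)'")


def _entry(users: Dict[str, dict], name: str) -> dict:
    return users.setdefault(name, {"secmod_group": "", "main_group": None, "loaded": []})


def parse_sessions(log: str) -> Dict[str, dict]:
    """Per username: the group sec-mod reported at auth init, the group main
    reported at authentication, and the config-per-* files main loaded that
    belong to that user (by file name) or to that user's group."""
    users: Dict[str, dict] = {}
    loads: List[Tuple[str, str]] = []
    for line in log.splitlines():
        if m := AUTH_INIT_RE.search(line):
            _entry(users, m.group(1))["secmod_group"] = m.group(2)
        elif m := AUTHED_RE.search(line):
            _entry(users, m.group(1))["main_group"] = m.group(2)
        elif m := LOAD_RE.search(line):
            loads.append((m.group(1), m.group(2)))
    # Config files are named after the user or the group, so attribute each
    # load by its basename rather than by log order.
    for kind, path in loads:
        name = os.path.basename(path.rstrip("/"))
        for user, info in users.items():
            if (kind == "user" and name == user) or (kind == "group" and name == info["secmod_group"]):
                info["loaded"].append((kind, path))
    return users


def missing_group_config(users: Dict[str, dict]) -> List[str]:
    """Users whose group is known to both sec-mod and main, yet no
    config-per-group file was loaded for them: the symptom in this thread."""
    return sorted(
        user for user, info in users.items()
        if info["secmod_group"]
        and info["main_group"] == info["secmod_group"]
        and not any(kind == "group" for kind, _ in info["loaded"])
    )


if __name__ == "__main__":
    for label, log in (("buggy", BUGGY_LOG), ("healthy", HEALTHY_LOG)):
        print(label, "-> group config missing for:", missing_group_config(parse_sessions(log)))
```

Run it against a real `ocserv -f -d 6` capture to confirm whether the group file is ever opened before comparing against the per-user path.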