Fwd: openconnect v7.06 for Windows issue

Horváth Szabolcs hszhsz at gmail.com
Tue Apr 28 00:32:59 PDT 2015


Dear All,

I have an issue connecting to one of our partners with openconnect.
Symptoms are the following:
- we can build a VPN with Openconnect on Linux to our partner and it
is working fine (traffic is passing through as expected)
- we can build a VPN with Cisco Anyconnect on Windows to our partner
- we CANNOT build a VPN with Openconnect on Windows to our partner
(technically, VPN is built but traffic is not passing through, details
below)
- we CAN build VPN with OpenConnect on Windows to other partners

From all of these, I would say there is nothing wrong with the partner
VPN (because connecting to it from the windows/anyconnect and
linux/openconnect combinations is working fine).

After days of investigation I found out that there are no ARP replies
on the tun interface when connecting from openconnect/windows.

Logs attached:
- openconnect-logs.txt: openconnect binary logs
- openconnect-ipconfig.txt: ipconfig output
- openconnect-after.txt: routes after the vpn connection has been built

When I'm using AnyConnect, then I'm seeing ARP traffic (both requests
and answers) on Cisco Anyconnect VPN Virtual Miniport Adapter for
Windows x64:
12    2015-04-28 08:43:26.030225000    Cisco_3c:7a:00    Broadcast
ARP    42    Who has 10.219.35.3?  Tell 10.219.35.2
13    2015-04-28 08:43:26.030333000    Cimsys_33:44:55
Cisco_3c:7a:00    ARP    42    10.219.35.3 is at 00:11:22:33:44:55

When I'm using OpenConnect on Windows, then I'm seeing only ARP
requests on TAP-Windows Adapter v9:
3    2015-04-28 08:45:33.158621000    00:ff:11:26:6c:fd    Broadcast
 ARP    42    Who has 10.219.35.8?  Tell 10.219.35.7

However, connecting to another partner with OpenConnect on Windows is
working fine.

I don't know where to go next, because the VPN guys said the VPN
concentrator is working well (they can connect from anyconnect and
openconnect on linux; just openconnect on windows does not work).

Any help would be very much appreciated because this is driving me crazy.

Best regards,
  Szabolcs Horvath
-------------- next part --------------
C:\Program Files (x86)\OpenConnect>openconnect --cookie=4252DopDN6ElsHKovbiously-not-this-mFXq
 --no-cert-check 195.228.84.1 -v --mtu 1300 --base-mtu 1300 --script vpnc-script-win.js
WARNING: This version of openconnect is v7.06 but
         the libopenconnect library is v7.06-unknown
 Attempting to connect to server 195.228.84.1:443
 Connected to 195.228.84.1:443
 SSL negotiation with 195.228.84.1
 Server certificate verify failed: certificate does not match hostname
 Connected to HTTPS on 195.228.84.1
 Got CONNECT response: HTTP/1.1 200 OK
 X-CSTP-Version: 1
 X-CSTP-Address: 10.219.35.7
 X-CSTP-Netmask: 255.255.255.255
 X-CSTP-DNS: 172.19.230.44
 X-CSTP-DNS: 172.18.2.7
 X-CSTP-Lease-Duration: 1209600
 X-CSTP-Session-Timeout: none
 X-CSTP-Idle-Timeout: 1800
 X-CSTP-Disconnected-Timeout: 1800
 X-CSTP-Split-Include: 10.219.0.0/255.255.0.0
 X-CSTP-Split-Include: 172.19.230.44/255.255.255.255
 X-CSTP-Split-Include: 172.18.2.7/255.255.255.255
 X-CSTP-Split-DNS: elmu.hu
 X-CSTP-Split-DNS: rwehun.local
 X-CSTP-Keep: true
 X-CSTP-Tunnel-All-DNS: false
 X-CSTP-DPD: 30
 X-CSTP-Keepalive: 20
 X-CSTP-MSIE-Proxy-Lockdown: true
 X-CSTP-Smartcard-Removal-Disconnect: true
 X-DTLS-Session-ID: 92B12E7BE78DDD60E5DEB65C2F105D39F9808F2905F22309C857960802577980
 X-DTLS-Port: 443
 X-DTLS-Keepalive: 20
 X-DTLS-DPD: 30
 X-CSTP-MTU: 1300
 X-DTLS-CipherSuite: AES128-SHA
 X-CSTP-Routing-Filtering-Ignore: false
 X-CSTP-Quarantine: false
 X-CSTP-Disable-Always-On-VPN: false
 X-CSTP-TCP-Keepalive: true
 CSTP connected. DPD 30, Keepalive 20
 CSTP Ciphersuite: (TLS1.0)-(RSA)-(AES-128-CBC)-(SHA1)
 Microsoft (R) Windows Script Host 5.8 verzió
Copyright (C) Microsoft Corporation 1996-2001. Minden jog fenntartva.

Opened tun device tun
 TAP-Windows driver v9.21 (0)
 Microsoft (R) Windows Script Host 5.8 verzió
Copyright (C) Microsoft Corporation 1996-2001. Minden jog fenntartva.

route print
VPN Gateway: 195.228.84.1
Internal Address: 10.219.35.7
Internal Netmask: 255.255.255.255
Internal Gateway: 10.219.35.8
Interface: "tun"
MTU: 1300
netsh interface ipv4 set subinterface "tun" mtu=1300 store=active
Configuring "tun" interface for Legacy IP...
netsh interface ip set address "tun" static 10.219.35.7 255.255.255.255
route add 195.228.84.1 mask 255.255.255.255 10.35.76.1
netsh interface ip add dns "tun" 172.19.230.44 index=1
netsh interface ip add dns "tun" 172.18.2.7 index=2
done.
Configuring Legacy IP networks:
Waiting for interface to come up...
route print
Waiting for interface to come up...
route print
route add 172.18.2.7 mask 255.255.255.255 10.219.35.8
route add 172.19.230.44 mask 255.255.255.255 10.219.35.8
route add 10.219.0.0 mask 255.255.0.0 10.219.35.8
Route configuration done.
DTLS option X-DTLS-Session-ID : 92B12E7BE78DDD60E5DEB65C2F105D39F9808F2905F22309C857960802577980
 DTLS option X-DTLS-Port : 443
 DTLS option X-DTLS-Keepalive : 20
 DTLS option X-DTLS-DPD : 30
 DTLS option X-DTLS-CipherSuite : AES128-SHA
 DTLS initialised. DPD 30, Keepalive 20
 Connected tun as 10.219.35.7, using SSL
 Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1).
-------------- next part --------------

Ethernet-adapter tun:

   Kapcsolatspecifikus DNS-utótag. . :
   Leírás. . . . . . . . . . . . . . : TAP-Windows Adapter V9
   Fizikai cím . . . . . . . . . . . : 00-FF-11-26-6C-FD
   DHCP engedélyezve . . . . . . . . : Nem
   Automatikus konfiguráció engedélyezve : Igen
   Kapcsolati szintű IPv6-cím  . . . : fe80::61c9:bee8:8db2:6c28%34(Kívánt)
   IPv4-cím. . . . . . . . . . . . . : 10.219.35.7(Kívánt)
   Alhálózati maszk. . . . . . . . . : 255.255.255.255
   Alapértelmezett átjáró. . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 402718481
   DHCPv6-ügyfél DUID azonosítója . . . . . . . : 00-01-00-01-17-6B-BF-B1-D4-BE-D9-0C-74-6A
   DNS-kiszolgálók . . . . . . . . . : 172.19.230.44
                                       172.18.2.7
   NetBIOS a TCP/IP felett . . . . . : Engedélyezve
-------------- next part --------------
C:\>route print -4
===========================================================================
Kapcsolatlista
 34...00 ff 11 26 6c fd ......TAP-Windows Adapter V9
 26...54 26 24 db a2 1d ......Check Point Virtual Network Adapter For Endpoint VPN Client
 18...54 79 95 48 d1 14 ......Check Point Virtual Network Adapter For SSL Network Extender
 17...10 0b a9 03 19 e5 ......Microsoft Virtual WiFi Miniport Adapter
 12...10 0b a9 03 19 e4 ......Intel(R) Centrino(R) Advanced-N 6205
 11...d4 be d9 0c 74 6a ......Intel(R) 82579LM Gigabit Network Connection
 29...00 50 56 c0 00 01 ......VMware Virtual Ethernet Adapter for VMnet1
 30...00 50 56 c0 00 08 ......VMware Virtual Ethernet Adapter for VMnet8
  1...........................Software Loopback Interface 1
 22...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 21...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
 15...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 20...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #5
 23...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #6
 25...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #7
 27...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #8
===========================================================================

IPv4 útvonaltábla
===========================================================================
Aktív útvonalak:
Hálózati cél               Hálózati maszk   Átjáró        Kapcsolat  Metrika
          0.0.0.0          0.0.0.0       10.35.76.1      10.35.76.20     10
       10.35.76.0    255.255.255.0   Kapcsolaton belüli       10.35.76.20    266
      10.35.76.20  255.255.255.255   Kapcsolaton belüli       10.35.76.20    266
     10.35.76.255  255.255.255.255   Kapcsolaton belüli       10.35.76.20    266
       10.219.0.0      255.255.0.0      10.219.35.8      10.219.35.7     21
      10.219.35.7  255.255.255.255   Kapcsolaton belüli       10.219.35.7    276
      10.219.40.0    255.255.255.0         46.0.0.1      10.219.35.7     21
       46.107.8.0    255.255.255.0         46.0.0.1      10.219.35.7     21
        127.0.0.0        255.0.0.0   Kapcsolaton belüli         127.0.0.1    306
        127.0.0.1  255.255.255.255   Kapcsolaton belüli         127.0.0.1    306
  127.255.255.255  255.255.255.255   Kapcsolaton belüli         127.0.0.1    306
       172.18.2.7  255.255.255.255      10.219.35.8      10.219.35.7     21
    172.19.230.44  255.255.255.255      10.219.35.8      10.219.35.7     21
       172.25.0.0      255.255.0.0         46.0.0.1      10.219.35.7     21
     195.228.84.1  255.255.255.255       10.35.76.1      10.35.76.20     11
===========================================================================
Állandó útvonalak:
  Nincs


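One way to triage a report like the one above from the attached logs alone, as an added example that is not part of the mailing-list post or of OpenConnect itself: parse the X-CSTP-* headers and the routes the vpnc-script installed, flag every next-hop that lies outside the tunnel interface's own subnet (with a 255.255.255.255 netmask the gateway 10.219.35.8 never is, and a layer-2 adapter such as TAP-Windows then has to resolve it with ARP, whereas a Linux tun device is layer-3 and never needs ARP), and scan capture lines in the layout shown in the post for ARP requests that were never answered. The log excerpts and ARP capture lines below are constructed from the post's own output; the function names and the tab-separated capture layout are assumptions of this example.

```python
"""Triage helper for a tunnel that comes up but passes no traffic.

Added example, not code from the post or from OpenConnect.  It
 1. parses X-CSTP-* headers from an 'openconnect -v' log,
 2. parses the 'route add' lines printed by vpnc-script-win.js,
 3. lists next-hops that are off-link for the tunnel interface
    (a layer-2 TAP adapter must ARP for those; a /32 netmask makes
    every next-hop off-link),
 4. reports ARP requests in a capture that never received a reply.
"""
import ipaddress
import re

# Constructed excerpt of the openconnect -v output from the post.
SAMPLE_LOG = """\
 X-CSTP-Address: 10.219.35.7
 X-CSTP-Netmask: 255.255.255.255
 X-CSTP-Split-Include: 10.219.0.0/255.255.0.0
 X-CSTP-Split-Include: 172.19.230.44/255.255.255.255
 X-CSTP-Split-Include: 172.18.2.7/255.255.255.255
 X-CSTP-MTU: 1300
"""

# Constructed excerpt of the vpnc-script-win.js output from the post.
SAMPLE_SCRIPT_OUTPUT = """\
Internal Address: 10.219.35.7
Internal Netmask: 255.255.255.255
Internal Gateway: 10.219.35.8
route add 172.18.2.7 mask 255.255.255.255 10.219.35.8
route add 172.19.230.44 mask 255.255.255.255 10.219.35.8
route add 10.219.0.0 mask 255.255.0.0 10.219.35.8
"""

# Constructed capture lines (tab-separated: frame, time, src, dst, proto,
# length, info) mirroring the two captures quoted in the post.
SAMPLE_ARP_OK = (
    "12\t2015-04-28 08:43:26.030225000\tCisco_3c:7a:00\tBroadcast\tARP\t42\t"
    "Who has 10.219.35.3?  Tell 10.219.35.2\n"
    "13\t2015-04-28 08:43:26.030333000\tCimsys_33:44:55\tCisco_3c:7a:00\tARP\t42\t"
    "10.219.35.3 is at 00:11:22:33:44:55\n"
)
SAMPLE_ARP_BROKEN = (
    "3\t2015-04-28 08:45:33.158621000\t00:ff:11:26:6c:fd\tBroadcast\tARP\t42\t"
    "Who has 10.219.35.8?  Tell 10.219.35.7\n"
)


def parse_cstp_headers(log):
    """Map each X-CSTP-* header name to the list of values seen (headers repeat)."""
    headers = {}
    for m in re.finditer(r"^[ \t]*(X-CSTP-[\w-]+):[ \t]*(.+?)[ \t]*$", log, re.M):
        headers.setdefault(m.group(1), []).append(m.group(2))
    return headers


def parse_routes(script_output):
    """Return [(destination network, next-hop address)] from 'route add' lines."""
    routes = []
    for m in re.finditer(r"^route add (\S+) mask (\S+) (\S+)", script_output, re.M):
        net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        routes.append((net, ipaddress.ip_address(m.group(3))))
    return routes


def offlink_next_hops(headers, routes):
    """Next-hops outside the tunnel interface's subnet; these must be ARP-resolved on a TAP adapter."""
    addr = headers["X-CSTP-Address"][0]
    mask = headers["X-CSTP-Netmask"][0]
    iface_net = ipaddress.ip_interface(f"{addr}/{mask}").network
    return sorted({str(nh) for _, nh in routes if nh not in iface_net})


def unanswered_arp(capture):
    """Count ARP 'Who has X?' requests per target that saw no 'X is at ...' reply."""
    req = re.compile(r"Who has (\S+)\?\s+Tell (\S+)")
    rep = re.compile(r"(\S+) is at (\S+)")
    pending = {}
    for line in capture.splitlines():
        if not line.strip():
            continue
        info = line.split("\t")[-1]  # last column carries the ARP summary
        m = req.search(info)
        if m:
            pending[m.group(1)] = pending.get(m.group(1), 0) + 1
            continue
        m = rep.search(info)
        if m:
            pending.pop(m.group(1), None)
    return pending


if __name__ == "__main__":
    hdrs = parse_cstp_headers(SAMPLE_LOG)
    print("netmask:", hdrs["X-CSTP-Netmask"][0])
    print("off-link next-hops:", offlink_next_hops(hdrs, parse_routes(SAMPLE_SCRIPT_OUTPUT)))
    print("unanswered ARP (AnyConnect capture):", unanswered_arp(SAMPLE_ARP_OK))
    print("unanswered ARP (OpenConnect capture):", unanswered_arp(SAMPLE_ARP_BROKEN))
```

Run against the post's data this reports that every installed route points at 10.219.35.8, that this next-hop is off-link for a 10.219.35.7/32 interface, and that the OpenConnect capture contains an ARP request for exactly that address with no reply, while the AnyConnect capture is fully answered; that narrows a "tunnel up, no traffic" report to next-hop resolution on the virtual adapter rather than to the concentrator.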