Fwd: openconnect v7.06 for Windows issue

David Woodhouse dwmw2 at infradead.org
Tue Apr 28 00:44:45 PDT 2015

On Tue, 2015-04-28 at 09:32 +0200, Horváth Szabolcs wrote:
> I have an issue connecting to one of our partners with openconnect.
> Symptoms are the following:
> - we can build a VPN with Openconnect on Linux to our partner and it
> is working fine (traffic is passing through as expected)
> - we can build a VPN with Cisco Anyconnect on Windows to our partner
> - we CANNOT build a VPN with Openconnect on Windows to our partner
> (technically, VPN is built but traffic is not passing through, details
> below)
> - we CAN build VPN with OpenConnect on Windows to other partners
> From all of these, I would say there is nothing wrong with the partner
> VPN (because connecting to it from windows/anyconnect and
> linux/openconnect combination are working fine).
> After days of investigation I found out that there are no ARP replies
> on the tun interface when connecting from openconnect/windows.

I can't look hard at this for another few hours at least, and I have a
2-year-old trying to "help" me type this.... first thought is to look
at the netmasks.

The whole ARP thing is a fiction because Windows doesn't do tunnel
devices properly; it makes us pretend to be Ethernet. So we have to
*fake* ARP in the driver for Legacy IP (and ND for IPv6).

We tell the driver the IP address of the faked "router" on the subnet,
and it fakes ARP replies from that IP address. This falls over when
the netmask is though, or something like that...

More information about the openconnect-devel mailing list