Fwd: openconnect v7.06 for Windows issue

Horváth Szabolcs hszhsz at gmail.com
Wed May 6 23:49:35 PDT 2015


Hello!

Short feedback for anyone else who might have found this post: instead
of rebuilding Openconnect on Windows, we ended up changing the VPN
netmask to /27.
It works like a charm.

Looks like the Windows TAP driver from OpenVPN has issues with a /32 netmask.

Szabolcs

2015-04-28 9:44 GMT+02:00 David Woodhouse <dwmw2 at infradead.org>:
> On Tue, 2015-04-28 at 09:32 +0200, Horváth Szabolcs wrote:
>> ,
>>
>> I have an issue connecting to one of our partners with openconnect.
>> Symptoms are the following:
>> - we can build a VPN with Openconnect on Linux to our partner and it
>> is working fine (traffic is passing through as expected)
>> - we can build a VPN with Cisco Anyconnect on Windows to our partner
>> - we CANNOT build a VPN with Openconnect on Windows to our partner
>> (technically, VPN is built but traffic is not passing through, details
>> below)
>> - we CAN build VPN with OpenConnect on Windows to other partners
>>
>> From all of these, I would say there is nothing wrong with the partner
>> VPN (because connecting to it from windows/anyconnect and
>> linux/openconnect combination are working fine).
>>
>> After days of investigation I found out that there are no ARP replies
>> on the tun interface when connecting from openconnect/windows.
>
> I can't look hard at this for another few hours at least, and I have a
> 2-year-old trying to "help" me type this.... first thought is to look
> at the netmasks.
>
> The whole ARP thing is a fiction because Windows doesn't do tunnel
> devices properly; it makes us pretend to be Ethernet. So we have to
> *fake* ARP in the driver for Legacy IP (and ND for IPv6).
>
> We tell the driver the IP address of the faked "router" on the subnet,
> and it fakes ARP replies from that IP address. This falls over when
> the netmask is 255.255.255.255 though, or something like that...
>
> --
> dwmw2


