Trouble with juniper connection - invalid HMAC

Gaute Amundsen gaute at div.org
Thu Dec 15 02:11:57 PST 2016


No worries, thanks for quick response this time :)

Unfortunately it seems that made no difference.

I did:
make clean
git pull
git apply patch_MTU.txt
./autogen.sh
./configure --with-vpnc-script=/usr/share/vpnc-scripts/vpnc-script
make

Just to make sure:

$ ./openconnect -V
OpenConnect version v7.08-3-ga01a167-dirty
Using OpenSSL. Features present: TPM (OpenSSL ENGINE not present), HOTP software token, TOTP software token, DTLS

$ grep buf_append_tlv_be32 oncp.c
static void buf_append_tlv_be32(struct oc_text_buf *buf, uint16_t val, uint32_t data)
     buf_append_tlv_be32(reqbuf, 2, vpninfo->reqmtu);


1394 bytes

Sent ESP packet of 116 bytes
No work to do; sleeping for 10000 ms...
Received ESP packet of 132 bytes
No work to do; sleeping for 15000 ms...
Sent ESP packet of 1444 bytes
Sent ESP packet of 84 bytes
No work to do; sleeping for 15000 ms...
Received ESP packet of 1460 bytes
No work to do; sleeping for 15000 ms...
Sent ESP packet of 116 bytes
No work to do; sleeping for 15000 ms...
Received ESP packet of 164 bytes
No work to do; sleeping for 15000 ms...


1395 bytes

Sent ESP packet of 116 bytes
No work to do; sleeping for 11000 ms...
Received ESP packet of 132 bytes
No work to do; sleeping for 15000 ms...
Sent ESP packet of 1444 bytes
Sent ESP packet of 100 bytes
No work to do; sleeping for 15000 ms...
Received ESP packet of 1460 bytes
Received ESP packet with invalid HMAC
No work to do; sleeping for 15000 ms...


G.


On 15 Dec 2016 10:30, David Woodhouse wrote:
> On Thu, 2016-12-15 at 10:00 +0100, Gaute Amundsen wrote:
>> It seems 7.08 still has the same issue in my case.
> Oops, apologies for missing that.
>
> This should probably fix the fact that --mtu doesn't work. Please
> confirm, and I'll fix it.
>
> diff --git a/oncp.c b/oncp.c
> index afcbe8b..249f8dc 100644
> --- a/oncp.c
> +++ b/oncp.c
> @@ -767,7 +767,7 @@ int oncp_connect(struct openconnect_info *vpninfo)
>   	kmp = reqbuf->pos;
>   	buf_append_tlv(reqbuf, 6, 0, NULL); /* TLV group 6 */
>   	group = reqbuf->pos;
> -	buf_append_tlv_be32(reqbuf, 2, vpninfo->ip_info.mtu);
> +	buf_append_tlv_be32(reqbuf, 2, vpninfo->reqmtu);
>   	if (buf_error(reqbuf)) {
>   		vpn_progress(vpninfo, PRG_ERR,
>   			     _("Error creating oNCP negotiation request\n"));
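Review bot: the new value is sent unconditionally, so if `--mtu` was not given and `vpninfo->reqmtu` is left unset, the TLV-2 field would carry that unset value where the old line advertised `vpninfo->ip_info.mtu`; consider keeping the old value as a fallback, e.g. `buf_append_tlv_be32(reqbuf, 2, vpninfo->reqmtu ? vpninfo->reqmtu : vpninfo->ip_info.mtu);`, or guarding the append with `if (vpninfo->reqmtu)`. A one-line comment noting that this TLV carries the client's requested MTU rather than the negotiated one would also help the next reader of oncp_connect().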
>
>
>> With -vv
>>
>> ping -c1 -W 2 -s 1394 host.tld - succeeds
>>
>> Sent ESP packet of 116 bytes
>> No work to do; sleeping for 10000 ms...
>> Received ESP packet of 132 bytes
>> No work to do; sleeping for 15000 ms...
>> Sent ESP packet of 1444 bytes
>> Sent ESP packet of 84 bytes
>> No work to do; sleeping for 15000 ms...
>> Received ESP packet of 1460 bytes
>> No work to do; sleeping for 15000 ms...
>> Sent ESP packet of 116 bytes
>> No work to do; sleeping for 15000 ms...
>> Received ESP packet of 164 bytes
>> No work to do; sleeping for 15000 ms...
>>
>>
>> ping -c1 -W 2 -s 1395 host.tld - fails
>>
>> Sent ESP packet of 116 bytes
>> No work to do; sleeping for 4000 ms...
>> Received ESP packet of 132 bytes
>> No work to do; sleeping for 15000 ms...
>> Sent ESP packet of 1444 bytes
>> Sent ESP packet of 100 bytes
>> No work to do; sleeping for 15000 ms...
>> Received ESP packet of 1460 bytes
>> Received ESP packet with invalid HMAC
>> No work to do; sleeping for 15000 ms...
> Hm, please could I have simultaneous captures of *both* the tun0 device
> traffic, *and* the UDP Internet traffic between your public-facing
> network adapter and the VPN server. Along with the verbose output of
> openconnect where it gives the ESP keys I'll need to decrypt the
> latter.
>
> Kill the session before you send the email (on general principles you
> don't want to be giving out the keys to a live session), and try not to
> have any other traffic on the VPN when you do it (partly for ease of
> analysis, and partly because you don't want to show me anything else).
>
> You can send that in private mail if you prefer. Thanks.
>

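The thread narrows the failure down by hand with `ping -s 1394` (works) and `ping -s 1395` (invalid HMAC). Below is an added example, not code from the thread or from the OpenConnect project, that automates that search: it bisects the ICMP payload size to find the largest size that still gets a reply, then prints the two sizes to compare in the next `openconnect -vv` run. The target host name (taken from `$HOST`) and the 1394-byte cutoff used by the offline stand-in probe are assumptions; `ping` is invoked exactly as in the thread, without `-M do`, so fragmentation behaves the same way.

```shell
#!/bin/sh
# Added example (not part of the original thread or of OpenConnect).
# Bisect the ICMP payload size to locate the point where replies stop,
# i.e. the boundary just before the "invalid HMAC" failure seen above.

# Real probe: the same ping invocation used in the thread. HOST is assumed
# to be a host reachable through the VPN. Returns 0 on a reply.
probe_ping() {
    ping -c1 -W 2 -s "$1" "$HOST" >/dev/null 2>&1
}

# Constructed stand-in for offline runs: pretends replies stop above 1394
# bytes, mirroring the 1394/1395 boundary reported in the thread.
fake_probe() {
    [ "$1" -le 1394 ]
}

# find_max_payload PROBE LO HI: binary search for the largest payload size
# in [LO, HI] for which PROBE succeeds. Assumes the failure is monotonic
# (every size above the cutoff fails), which holds for an MTU-type cutoff.
# Prints the size, or -1 (and returns 1) if even LO gets no reply.
find_max_payload() {
    probe=$1; lo=$2; hi=$3
    "$probe" "$lo" || { echo -1; return 1; }
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$probe" "$mid"; then lo=$mid; else hi=$((mid - 1)); fi
    done
    echo "$lo"
}

# report PROBE: print the cutoff and the IP packet size it corresponds to
# on the tun device (payload + 8-byte ICMP echo header + 20-byte IPv4
# header), plus the two sizes to compare in the next verbose run.
report() {
    max=$(find_max_payload "$1" 0 1500) || { echo "no reply at any size"; return 1; }
    echo "largest working ICMP payload: $max bytes (IPv4 packet on tun: $((max + 28)) bytes)"
    echo "compare 'openconnect -vv' output for: -s $max (works) vs -s $((max + 1)) (fails)"
}

# Usage: HOST=some.host.behind.vpn sh mtu_probe.sh   (real ping)
#        sh mtu_probe.sh                              (offline demo, fake_probe)
if [ -n "${HOST:-}" ]; then
    report probe_ping
else
    report fake_probe
fi
```

Each real probe waits up to two seconds (`-W 2`), so a full bisection over 0..1500 takes at most about eleven probes. Once the cutoff is known, capture both tun0 and the outer UDP traffic for exactly those two sizes, as requested in the reply above.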