Trouble with juniper connection - invalid HMAC

David Woodhouse dwmw2 at infradead.org
Thu Dec 15 01:30:41 PST 2016


On Thu, 2016-12-15 at 10:00 +0100, Gaute Amundsen wrote:
> It seems 7.08 still has the same issue in my case.

Oops, apologies for missing that.

This should probably fix the fact that --mtu doesn't work. Please
confirm, and I'll fix it.

diff --git a/oncp.c b/oncp.c
index afcbe8b..249f8dc 100644
--- a/oncp.c
+++ b/oncp.c
@@ -767,7 +767,7 @@ int oncp_connect(struct openconnect_info *vpninfo)
 	kmp = reqbuf->pos;
 	buf_append_tlv(reqbuf, 6, 0, NULL); /* TLV group 6 */
 	group = reqbuf->pos;
-	buf_append_tlv_be32(reqbuf, 2, vpninfo->ip_info.mtu);
+	buf_append_tlv_be32(reqbuf, 2, vpninfo->reqmtu);
 	if (buf_error(reqbuf)) {
 		vpn_progress(vpninfo, PRG_ERR,
 			     _("Error creating oNCP negotiation request\n"));
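Review bot: the switch from `vpninfo->ip_info.mtu` to `vpninfo->reqmtu` in the TLV 2 append needs a fallback for the case where no --mtu option was given; if reqmtu is left at its default in that case, the negotiation request would advertise that default instead of the ip_info.mtu value used before. Consider `buf_append_tlv_be32(reqbuf, 2, vpninfo->reqmtu ? vpninfo->reqmtu : vpninfo->ip_info.mtu);`, or confirm in the reply that reqmtu is always initialised before oncp_connect() runs.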


> With -vv
> 
> ping -c1 -W 2 -s 1394 host.tld - succeeds
> 
> Sent ESP packet of 116 bytes
> No work to do; sleeping for 10000 ms...
> Received ESP packet of 132 bytes
> No work to do; sleeping for 15000 ms...
> Sent ESP packet of 1444 bytes
> Sent ESP packet of 84 bytes
> No work to do; sleeping for 15000 ms...
> Received ESP packet of 1460 bytes
> No work to do; sleeping for 15000 ms...
> Sent ESP packet of 116 bytes
> No work to do; sleeping for 15000 ms...
> Received ESP packet of 164 bytes
> No work to do; sleeping for 15000 ms...
> 
> 
> ping -c1 -W 2 -s 1395 host.tld - fails
> 
> Sent ESP packet of 116 bytes
> No work to do; sleeping for 4000 ms...
> Received ESP packet of 132 bytes
> No work to do; sleeping for 15000 ms...
> Sent ESP packet of 1444 bytes
> Sent ESP packet of 100 bytes
> No work to do; sleeping for 15000 ms...
> Received ESP packet of 1460 bytes
> Received ESP packet with invalid HMAC
> No work to do; sleeping for 15000 ms...

Hm, please could I have simultaneous captures of *both* the tun0 device
traffic, *and* the UDP Internet traffic between your public-facing
network adapter and the VPN server. Along with the verbose output of
openconnect where it gives the ESP keys I'll need to decrypt the
latter.

Kill the session before you send the email (on general principles you
don't want to be giving out the keys to a live session), and try not to
have any other traffic on the VPN when you do it (partly for ease of
analysis, and partly because you don't want to show me anything else).

You can send that in private mail if you prefer. Thanks.

-- 
dwmw2
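As an added example, not code from the thread or from openconnect: a small Python model of the ESP-over-UDP packet sizes produced by the two pings quoted above, so the logged byte counts can be sanity-checked before reading the captures. It assumes a tun MTU of 1400, AES-CBC with a 16-byte IV and 16-byte block, and a 12-byte truncated HMAC ICV; all of these are hypothetical, the thread does not state them, and under them the model reproduces the logged 1444/84 and 1444/100 sizes.

```python
# Added example (not from the thread): model the ESP packet sizes openconnect
# logs for a ping through the tunnel. Assumed parameters (hypothetical, not
# stated in the thread): tun MTU 1400, AES-CBC with 16-byte IV and block,
# HMAC ICV truncated to 12 bytes.
from dataclasses import dataclass

IP_HDR = 20          # IPv4 header without options
ICMP_HDR = 8         # ICMP echo header
ESP_SPI_SEQ = 8      # 4-byte SPI + 4-byte sequence number
ESP_TRAILER = 2      # pad length + next header bytes


@dataclass(frozen=True)
class EspParams:
    iv_len: int = 16     # AES-CBC IV (assumption)
    block: int = 16      # cipher block size (assumption)
    icv_len: int = 12    # truncated HMAC ICV (assumption)


def esp_len(inner_len: int, p: EspParams = EspParams()) -> int:
    """Size of one ESP packet carrying an inner IP packet of inner_len bytes."""
    plain = inner_len + ESP_TRAILER
    padded = -(-plain // p.block) * p.block        # round up to the block size
    return ESP_SPI_SEQ + p.iv_len + padded + p.icv_len


def ipv4_fragments(total_len: int, mtu: int) -> list[int]:
    """Fragment sizes for an IPv4 packet of total_len bytes sent over mtu.
    Every fragment payload except the last must be a multiple of 8 bytes."""
    if total_len <= mtu:
        return [total_len]
    data = total_len - IP_HDR
    step = (mtu - IP_HDR) // 8 * 8
    sizes = []
    while data > 0:
        chunk = min(step, data)
        sizes.append(IP_HDR + chunk)
        data -= chunk
    return sizes


def ping_esp_sizes(payload: int, mtu: int = 1400,
                   p: EspParams = EspParams()) -> list[int]:
    """ESP packet sizes produced by `ping -s payload` through the tunnel."""
    inner = IP_HDR + ICMP_HDR + payload
    return [esp_len(f, p) for f in ipv4_fragments(inner, mtu)]


if __name__ == "__main__":
    for size in (1394, 1395):
        print(size, ping_esp_sizes(size))   # [1444, 84] and [1444, 100]
```

Under the same assumptions an unfragmented 1423-byte echo reply would need a 1476-byte ESP packet, while 1460 bytes is the size of a 1422-byte one, which is one thing to compare against the requested captures when the 1460-byte packet fails its HMAC check.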