openconnect/ocserv ipv6 setting

Michael Leung gbcbooksmj at gmail.com
Sun Jan 22 01:30:52 PST 2017


It seems ocserv will automatically correct the MTU value. Does anyone know how to stop it?

On Sun, Jan 22, 2017 at 2:58 PM, Michael Leung <gbcbooksmj at gmail.com> wrote:
> I think the following error would indicate why IPv6 did not work for me:
> "Connection MTU (1268) is not sufficient for IPv6 (1280)"
>
> For now, I still don't know why it gave out a low value for the interface MTU.
>
> Here is the MTU setting in my ocserv.conf:
>
> auth = "plain[/etc/ocserv/passwd]"
> use-occtl = true
> banner = "Welcome ocs server"
> max-clients = 16
> max-same-clients = 2
> tcp-port = 5551
> udp-port = 5551
> keepalive = 32400
> dpd = 240
> mobile-dpd = 1800
> ###################
> try-mtu-discovery = true
> ###################
> server-cert = /etc/ocserv/certs/anyconnect.cert
> server-key = /etc/ocserv/private/prikey.pem
> tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
> auth-timeout = 40
> cookie-timeout = 86400
> rekey-time = 172800
> rekey-method = ssl
> disconnect-script = /usr/bin/myscript
> use-utmp = true
> use-dbus = false
> pid-file = /var/run/ocserv.pid
> socket-file = /var/run/ocserv-socket
> run-as-user = root
> run-as-group = root
> device = vpns
> default-domain = ocserv.eu.org.
> ipv4-network = 10.200.254.0
> ipv4-netmask = 255.255.255.128
> dns = 9.9.9.9
> dns = 2.2.2.2
> ipv6-network = 2001:470:f916:ffff::
> ipv6-prefix = 64
> ping-leases = false
> ###################
> mtu = 1320
> ###################
> config-per-user = /etc/ocserv/config-per-user
> config-per-group = /etc/ocserv/config-per-group
>
> On Sat, Jan 21, 2017 at 11:45 PM, Kevin Cernekee <cernekee at gmail.com> wrote:
>>
>> On Sat, Jan 21, 2017 at 5:52 AM, Goodman Leung <gbcbooksmj at gmail.com>
>> wrote:
>> > Does anyone have IPv6 working on ocserv?
>> >
>> > I added the configuration "ipv6-network = 2001:470:c19d:xxxx:xxxx::/64"
>> >
>> > and from the debug log output
>> >
>> >   assigned IPv6: 2001:470:f91d:c15c:0:74:f141:e500
>> >
>> > an IPv6 address had been assigned, but when I check my client side, it
>> > did not find an IPv6 address on the tun interface.
>>
>> It's working for me, using explicit-ipv6 to provide a /128 to specific
>> clients.
>>
>> You might want to run the client with --dump-http-traffic and look for
>> these headers:
>>
>> X-CSTP-Address-Type: IPv6,IPv4
>> X-CSTP-Address-IP6: 2001:470:f91d:c15c:0:74:f141:e500/128
>>
>> If your ipv6-network (i.e. the delegation you received from your ISP)
>> is only a /64, you can try ipv6-subnet-prefix = 128.  Ideally you'd
>> want to get a /48 or /56 from your ISP, and then hand out a /64 to
>> each VPN client.
>
>
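
The header check suggested in the thread, combined with the 1280-byte IPv6 minimum from the quoted error, as an added example (not code from the thread or from the openconnect/ocserv projects). It assumes the --dump-http-traffic output marks sent lines with ">" and received lines with "<" or no prefix; X-CSTP-MTU and X-DTLS-MTU are AnyConnect-protocol headers not quoted in the thread, and the sample dump is constructed.

```python
import ipaddress
import re

IPV6_MIN_MTU = 1280  # minimum link MTU required for IPv6, as in the quoted error

# Constructed sample of a client HTTP dump (not captured from a real session).
SAMPLE_DUMP = """\
> X-CSTP-Address-Type: IPv6,IPv4
> X-CSTP-MTU: 1406
< HTTP/1.1 200 CONNECTED
< X-CSTP-Address-Type: IPv6,IPv4
< X-CSTP-Address: 10.200.254.10
< X-CSTP-Address-IP6: 2001:db8:ffff::10/128
< X-CSTP-MTU: 1268
< X-DTLS-MTU: 1268
"""

# Matches server-side headers only: a leading ">" (client request) never matches.
HEADER_RE = re.compile(r"^<?\s*(X-(?:CSTP|DTLS)-[\w-]+):\s*(.*?)\s*$", re.IGNORECASE)


def parse_server_headers(dump):
    """Return {lowercased header name: [values]} for headers sent by the server."""
    headers = {}
    for line in dump.splitlines():
        m = HEADER_RE.match(line)
        if m:
            headers.setdefault(m.group(1).lower(), []).append(m.group(2))
    return headers


def check_ipv6_offer(dump):
    """List the reasons the client would end up without IPv6 on the tunnel."""
    h = parse_server_headers(dump)
    findings = []
    types = [t.strip().lower() for v in h.get("x-cstp-address-type", []) for t in v.split(",")]
    if "ipv6" not in types:
        findings.append("server did not list IPv6 in X-CSTP-Address-Type")
    addrs = h.get("x-cstp-address-ip6", [])
    if not addrs:
        findings.append("no X-CSTP-Address-IP6 header")
    for addr in addrs:
        try:
            ipaddress.IPv6Interface(addr)  # accepts "address/prefix"
        except ValueError:
            findings.append(f"malformed IPv6 address: {addr}")
    for name in ("x-cstp-mtu", "x-dtls-mtu"):
        for value in h.get(name, []):
            if value.isdigit() and int(value) < IPV6_MIN_MTU:
                findings.append(f"{name} {value} is below the IPv6 minimum {IPV6_MIN_MTU}")
    return findings
```

Calling check_ipv6_offer(SAMPLE_DUMP) reports both negotiated MTU values as too small, which matches the situation in the error message quoted above.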


