ocserv 0.11.7 (on FreeBSD 11) can't negotiate DTLS with AC 4.4
failedexpectancy
failedexpectancy at onet.pl
Sun May 7 10:49:23 PDT 2017
Running on FreeBSD 11, ocserv 0.11.7 seemingly cannot establish the DTLS channel with a Cisco AnyConnect 4.4 client for Windows. Communication between the server and the client is free and open. It looks like there is a problem with the procedures in main.c around line 868.
ocserv runs with the default config (only tiny changes, e.g. IP/port).
Gathered with --debug=7
Problematic log pieces below. Full log at: https://paste.ee/r/B4E1U
May 7 19:29:17 test0 ocserv[27665]: main[one]: 10.0.1.50:49260 main received worker's message 'tun mtu change' of 3 bytes
May 7 19:29:17 test0 ocserv[27665]: main[one]: 10.0.1.50:49260 setting tun0 MTU to 1353
May 7 19:29:20 test0 ocserv[27665]: main: new DTLS session from 10.0.1.50:49360 (record v1.0, hello v1.0)
May 7 19:29:20 test0 ocserv[27665]: main[one]: 10.0.1.50:49260 main.c:868: bind UDP to 10.0.1.31:443: Address already in use
May 7 19:29:20 test0 ocserv[27665]: main[one]: 10.0.1.50:49260 sending (socket) message 10 to worker
May 7 19:29:20 test0 ocserv[27665]: main[one]: 10.0.1.50:49260 passed UDP socket from 10.0.1.50:49360
May 7 19:29:20 test0 ocserv[27666]: sec-mod: received request from a processes with uid 903
May 7 19:29:20 test0 ocserv[27677]: worker[one]: 10.0.1.50 sending message 'sm: worker cli stats' to secmod
May 7 19:29:20 test0 ocserv[27677]: worker[one]: 10.0.1.50 sent periodic stats (in: 0, out: 0) to sec-mod
May 7 19:29:20 test0 ocserv[27677]: worker[one]: 10.0.1.50 worker received message udp fd of 103 bytes
May 7 19:29:20 test0 ocserv[27677]: worker[one]: 10.0.1.50 received new UDP fd and connected to peer
May 7 19:29:20 test0 ocserv[27677]: worker[one]: 10.0.1.50 setting up DTLS-0.9 connection
May 7 19:29:20 test0 ocserv[27677]: worker[one]: 10.0.1.50 Initializing MTU discovery; initial MTU: 1447
May 7 19:29:20 test0 ocserv[27666]: sec-mod: cmd [size=63] sm: worker cli stats
May 7 19:29:20 test0 ocserv[27677]: worker[one]: 10.0.1.50 received 84 byte(s) (TLS)
May 7 19:29:20 test0 ocserv[27677]: worker[one]: 10.0.1.50 writing 76 byte(s) to TUN
May 7 19:29:21 test0 ocserv[27677]: worker[one]: 10.0.1.50 sending 76 byte(s)
May 7 19:29:21 test0 ocserv[27665]: main: new DTLS session from 10.0.1.50:49360 (record v1.0, hello v1.0)
May 7 19:29:21 test0 ocserv[27665]: main[one]: 10.0.1.50:49260 received UDP connection too soon from 10.0.1.50:49360
May 7 19:29:23 test0 ocserv[27665]: main: new DTLS session from 10.0.1.50:49360 (record v1.0, hello v1.0)
May 7 19:29:23 test0 ocserv[27665]: main[one]: 10.0.1.50:49260 received UDP connection too soon from 10.0.1.50:49360
May 7 19:29:27 test0 ocserv[27665]: main: new DTLS session from 10.0.1.50:49360 (record v1.0, hello v1.0)
At the same time there clearly is a UDP connection established between the server and the client:
USER     COMMAND  PID    FD  PROTO  LOCAL ADDRESS    FOREIGN ADDRESS
_ocserv  ocserv   27677  1   udp4   10.0.1.31:55738  10.0.1.50:49360
_ocserv  ocserv   27677  11  tcp4   10.0.1.31:443    10.0.1.50:49260
root     ocserv   27665  4   tcp4   10.0.1.31:443    *:*
root     ocserv   27665  5   udp4   10.0.1.31:443    *:*
But occtl shows no dtls set (which is correct, given the problems in the log):
id     user  group    ip         vpn-ip      device  since  dtls-cipher  status
27677  one   default  10.0.1.50  10.250.3.3  tun0    42s    (no-dtls)    connected
Thanks for any help to get this fixed. The VPN works well using TCP only, but I'd like to use its full potential and have DTLS along with that.
I realize not many people use (Free)BSD, so if you need me to run any extra tests/debugs, let me know. Won't be a problem.
--
Tomasz
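An added log-triage helper, not part of the report above and not ocserv's own code: it groups the main-process messages per client TCP session so an operator can see which sessions had the UDP bind fail and how many DTLS hellos were then turned away as "too soon". The sample lines are copied from the log above; the message formats and session keying by client ip:port are assumptions taken from that log.

```python
import re
from collections import defaultdict

# Sample input: ocserv --debug=7 lines in the shape shown in the report above.
SAMPLE_LOG = """\
May 7 19:29:20 test0 ocserv[27665]: main: new DTLS session from 10.0.1.50:49360 (record v1.0, hello v1.0)
May 7 19:29:20 test0 ocserv[27665]: main[one]: 10.0.1.50:49260 main.c:868: bind UDP to 10.0.1.31:443: Address already in use
May 7 19:29:20 test0 ocserv[27677]: worker[one]: 10.0.1.50 setting up DTLS-0.9 connection
May 7 19:29:21 test0 ocserv[27665]: main[one]: 10.0.1.50:49260 received UDP connection too soon from 10.0.1.50:49360
May 7 19:29:23 test0 ocserv[27665]: main[one]: 10.0.1.50:49260 received UDP connection too soon from 10.0.1.50:49360
"""

# The main process tags each message with "main[<user>]: <client tcp ip:port>".
BIND_FAIL = re.compile(
    r"main\[(?P<user>[^\]]+)\]: (?P<tcp>\S+) main\.c:\d+: bind UDP to (?P<addr>\S+): (?P<err>.+)$")
TOO_SOON = re.compile(
    r"main\[(?P<user>[^\]]+)\]: (?P<tcp>\S+) received UDP connection too soon from (?P<udp>\S+)$")


def analyze_dtls(log_text):
    """Collect DTLS setup problems per client TCP session (ip:port)."""
    sessions = defaultdict(
        lambda: {"user": None, "bind_errors": [], "too_soon": 0, "udp_peer": None})
    for line in log_text.splitlines():
        m = BIND_FAIL.search(line)
        if m:
            s = sessions[m["tcp"]]
            s["user"] = m["user"]
            s["bind_errors"].append((m["addr"], m["err"].strip()))
            continue
        m = TOO_SOON.search(line)
        if m:
            s = sessions[m["tcp"]]
            s["user"] = m["user"]
            s["too_soon"] += 1          # each retry the client's DTLS hello was refused
            s["udp_peer"] = m["udp"]
    return dict(sessions)


def dtls_failed(session):
    """A session whose UDP bind failed and whose client keeps retrying never gets DTLS."""
    return bool(session["bind_errors"]) and session["too_soon"] > 0


if __name__ == "__main__":
    for tcp, s in analyze_dtls(SAMPLE_LOG).items():
        print(tcp, s["user"], "DTLS FAILED" if dtls_failed(s) else "ok", s)
```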