Openconnect and GP with IPv6

Daniel Loxtermann daniel.loxtermann at greenbone.net
Fri Jan 19 04:32:49 PST 2024 

Hey all!

While trying to understand how to get IPv6 on our GlobalProtect Clients, 
we found out about OpenConnect!

You're asking for results about IPv6 with GP.

We're using IPv4 and IPv6 Split Tunneling with PanOS 11.0.3 and GP 6.1.2-83.

So far, I can tell you this: Works great, if we're using Version 8.20. 
Split tunneling with IPv6 stopped working with 9.00 and newer. I assume 
that's related to 
https://gitlab.com/openconnect/openconnect/-/merge_requests/367

Due to the revert, the "include IPv6" is indeed recognized as "exclude 
IPv6" (not v4 - that is included as it should) and instead of leaving 
the default route alone, it's changed to the tunnel. Looks like 
something is swapped here.

I could fix this with adding "access-routes-v6" to line 532 in gpst.c: 
https://gitlab.com/openconnect/openconnect/-/blob/master/gpst.c?ref_type=heads#L532 
(I've attached a patch, let me know if it's easier for you to create a 
MR it GitLab, I'll create one then)

Before:

$ ip -6 r
::1 dev lo proto kernel metric 256 pref medium
2a06:2380:0:1::/64 via fe80::2e91:abff:fe9f:3514 dev enp2s0f0 metric 100 
pref medium (this should be routed via the tunnel!)
[... redacted]
fe80::/64 dev tun0 proto kernel metric 256 pref medium
fe80::/64 dev enp2s0f0 proto kernel metric 1024 pref medium
default dev tun0 metric 1 pref medium
default via fe80::2e91:abff:fe9f:3514 dev enp2s0f0 proto ra metric 100 
pref high

And after:

$ ip -6 r
2a06:2380:0:1::/64 dev tun0 metric 1024 pref medium (now routed via tunnel!)
[... redacted]
fe80::/64 dev tun0 proto kernel metric 256 pref medium
fe80::/64 dev enp2s0f0 proto kernel metric 1024 pref medium
default via fe80::2e91:abff:fe9f:3514 dev enp2s0f0 proto ra metric 100 
pref high

I can get you a (redacted) XML output from GlobalProtect if needed, and, 
if you really want to test it, I *might* be able to get you an account 
on our Palo for VPN (without any real access however, only to verify the 
routes).

Kind regards,

*Daniel Loxtermann*
Unit Lead System Operations

daniel.loxtermann at greenbone.net

Greenbone_logo

Greenbone AG, Neumarkt 12, 49074 Osnabrück, Germany

https://www.greenbone.net

Handelsregister: Amtsgericht Osnabrück, HRB 218768
Vorstand: Dr. Jan-Oliver Wagner (CEO), Elmar Geese
Aufsichtsrats-Vorsitzender: Lukas Grunwald
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gpst.patch
Type: text/x-patch
Size: 557 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20240119/4a56e890/attachment.bin>

More information about the openconnect-devel mailing list