Debugging UDP ESP failure

Daniel Lenski dlenski at gmail.com
Wed Jul 24 16:19:38 PDT 2024


On Wed, Jul 24, 2024 at 3:02 PM Karl O. Pinc <kop at karlpinc.com> wrote:
>
> No matter the -vvv, I get no real information as to why.

"No real information" is not actionable.

If you run a recent version of OpenConnect with `-vvv
--dump-http-traffic --protocol=gp`, you should ALWAYS get AT LEAST ONE
log line that specifically mentions ESP, even if it is to simply tell
you why OpenConnect thinks ESP is unavailable. (Like
https://gitlab.com/openconnect/openconnect/-/blob/64f0c03d660f1d17834f7ff7ce9d0151704bb32f/gpst.c#L621)

Please share those.

> Although I did notice some ICMP IPv6 packets.  Which would have to
> go through the VPN or else won't be passed by my firewall.
> It's unclear if these have to do with ESP or not.  Further,
> FYI, they seem to be sent even when using --disable-ipv6.

When OpenConnect sends ICMP packets to initiate/activate/enable the
GlobalProtect ESP tunnel, those packets are themselves encapsulated
via ESP and sent over the tunnel.
https://gitlab.com/openconnect/openconnect/-/blob/64f0c03d660f1d17834f7ff7ce9d0151704bb32f/gpst.c#L1565

So if you aren't capturing these ICMP IPv6 packets *on the tunnel
interface itself*, then they have nothing to do with
OpenConnect/GlobalProtect/ESP.

> I can use the VPN without ESP, and maybe the issue is
> server-side anyway, but I thought I'd ask to see if there
> was anything easy to try.

What I always recommend is that you test with a PAN GlobalProtect
proprietary client running on the same local network as OpenConnect.

- If the proprietary client can't establish an ESP tunnel, then it's
unsurprising if OpenConnect also can't establish an ESP tunnel. Quite
likely either something is broken in the VPN server's configuration,
or some middlebox isn't passing ESP-over-UDP traffic.
- If the proprietary client *can* establish an ESP tunnel, but
OpenConnect can't, then we certainly want to know more… but over the
past ~6 years we think we've eliminated almost all of those cases.
https://gitlab.com/openconnect/openconnect/-/commits/64f0c03d660f1d17834f7ff7ce9d0151704bb32f/gpst.c?search=ESP
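A small triage script for the two checks suggested in this reply (added here as an illustration; it is not code from the mail or from the OpenConnect project). It assumes a log captured with `openconnect -vvv --dump-http-traffic --protocol=gp <gateway> 2>&1 | tee oc.log`, where the gateway name, `oc.log` and the `tun0` interface name are placeholders.

```shell
#!/bin/sh
# Added example, not code from the mail or from the OpenConnect project.
# Triage an OpenConnect GlobalProtect log for ESP status, as the reply asks.
# The log is assumed to come from something like
#   openconnect -vvv --dump-http-traffic --protocol=gp gw.example.com 2>&1 | tee oc.log
# (gw.example.com and oc.log are placeholders).

# Print every log line that mentions ESP, with its line number.
# Match is case-sensitive and whole-word on purpose: the dumped HTTP traffic
# contains GlobalProtect URLs ending in ".esp", which are not ESP tunnel messages.
esp_lines() {
    grep -n -w 'ESP' "$1" || true
}

# Number of such lines (0 when none).
esp_line_count() {
    esp_lines "$1" | grep -c . || true
}

# Verdict: exit 0 when at least one ESP line exists (read those lines to see
# why ESP is or is not in use); exit 1 when none does, which per the reply
# points at an old OpenConnect, a missing --protocol=gp, or too little verbosity.
esp_triage() {
    count=$(esp_line_count "$1")
    if [ "$count" -eq 0 ]; then
        echo "no log line mentions ESP: check OpenConnect version, --protocol=gp and -vvv" >&2
        return 1
    fi
    echo "$count ESP-related log line(s):"
    esp_lines "$1"
}

# Second point in the reply: the ICMPv6 packets OpenConnect sends to bring up
# ESP travel inside the tunnel, so capture on the tunnel device itself, not on
# the physical NIC. The interface name is an assumption.
capture_tunnel_icmp6() {
    tcpdump -ni "${1:-tun0}" icmp6
}

# Constructed sample log (not real OpenConnect output) for a stand-alone run.
sample=$(mktemp)
cat >"$sample" <<'EOF'
POST https://gw.example.com/ssl-vpn/getconfig.esp
Connected as 10.0.0.2, using SSL, with ESP in progress
ESP session established with server
EOF
esp_triage "$sample"
rm -f "$sample"
```

The sample run reports two ESP lines and ignores the `getconfig.esp` URL; on a real log, the matched lines are exactly what the reply asks to be shared.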