ESP issues connecting ipv4-only client to dual-stack Globalprotect

Philipp Gortan philipp at gortan.org
Mon Nov 11 00:40:12 PST 2024


(sending this mail again from a different address, as my first mail
didn't make it to the list)

Dear Openconnect devs,

when my employer switched to a globalprotect VPN a few weeks ago, I
tried openconnect for the first time, but immediately ran into the
error:
"Keepalive fails: GPST Dead Peer Detection detected dead peer" (details in
https://gitlab.com/openconnect/openconnect/-/issues/701#note_2197418179)

What caught my interest was the fact that my coworker had no issues,
even though he was using a pretty similar setup. After a few days of
trial and error and gdb'ing openconnect, I could single out the cause:
While his ISP was providing him with an IPv6 stack, I was still using
an IPv4-only setup. Our gateway was announcing both addresses in its
config XML, and gpst_parse_config_xml was picking the "better" one,
IPv6. I created a branch from the v9.12 tag to tackle the issue and was
successful in fixing this bug by making sure that --disable-ipv6 was
handled correctly in this case.

Then, when taking a look at how to merge this fix to master, I saw that
Daniel Lenski had already fixed "my bug" on master, so I could have
saved several hours by looking at the master first (interesting
learning experience though!)...

Why am I writing this mail to the list? Because Daniel's commit comment
describes a different setup that causes the issue he tries to fix. To
quote:

> GP server may send only a Legacy IP client address, but both Legacy
> and IPv6 magic addresses for ESP. In this cornercase [...]

My guess is that while he tried to fix a corner case (reacting to a
weird response from the gateway), he also fixed a case that should be
rather common: having a dual-stack server but an IPv4-only home ISP.

If my assumption is correct, then it might warrant a new release of
openconnect - that's why I'm letting you know.

As far as I can tell from the release history, it is not customary to
make patch releases for openconnect. However, if there were plans to do
so, I could provide a merge request containing my fix on top of v9.12
- only adding two lines of code...

Until then, I'll be using the master...

Thanks for your effort!
Regards, Philipp

For the records:
openconnect 9.12
Arch Linux
GlobalProtect PanOS 11.1.5
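The selection problem described in the mail, as an added illustration (this is not Philipp's patch, nor openconnect's own gpst.c code): a gateway config that announces both a legacy and an IPv6 ESP address, a selector that always takes the "better" IPv6 one, and a selector that honours --disable-ipv6 and the host's actual IPv6 connectivity. The XML element names (`gw-address`, `gw-address-v6`, ...) and the `have_ipv6_route` flag are assumptions for the example; the addresses are constructed test values.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of a GlobalProtect config response. The element names
# are assumptions for this example (loosely modelled on what openconnect
# parses), and the addresses are private/ULA test values, not real ones.
SAMPLE_CONFIG_XML = """<response status="success">
  <ip-address>10.1.2.3</ip-address>
  <ip-address-v6>fd00:dead:beef::3</ip-address-v6>
  <gw-address>10.1.2.1</gw-address>
  <gw-address-v6>fd00:dead:beef::1</gw-address-v6>
  <ipsec>
    <udp-port>4501</udp-port>
  </ipsec>
</response>
"""


def parse_esp_candidates(xml_text):
    """Return (legacy IPv4, IPv6) ESP gateway addresses from the config; None where absent."""
    root = ET.fromstring(xml_text)
    return (root.findtext("gw-address"), root.findtext("gw-address-v6"))


def pick_esp_gateway_buggy(xml_text):
    """The behaviour the mail describes: prefer the IPv6 address whenever the
    gateway announces one, regardless of whether the client can use IPv6."""
    v4, v6 = parse_esp_candidates(xml_text)
    return v6 or v4


def pick_esp_gateway_fixed(xml_text, disable_ipv6=False, have_ipv6_route=True):
    """Prefer IPv6 only if the user allowed it (--disable-ipv6 not given) and the
    host actually has IPv6 connectivity; otherwise fall back to the legacy address.
    `have_ipv6_route` is an assumed flag standing in for a real routing check."""
    v4, v6 = parse_esp_candidates(xml_text)
    if v6 and not disable_ipv6 and have_ipv6_route:
        return v6
    return v4


def esp_is_reachable(addr, have_ipv6_route):
    """Constructed reachability check: an IPv6 ESP peer chosen on an IPv4-only
    host never answers, which is what surfaces later as the DPD 'dead peer' error."""
    ip = ipaddress.ip_address(addr)
    return not (ip.version == 6 and not have_ipv6_route)


if __name__ == "__main__":
    # IPv4-only ISP: the buggy selector picks an unreachable IPv6 peer.
    chosen = pick_esp_gateway_buggy(SAMPLE_CONFIG_XML)
    print("buggy selection:", chosen, "reachable:", esp_is_reachable(chosen, have_ipv6_route=False))
    chosen = pick_esp_gateway_fixed(SAMPLE_CONFIG_XML, have_ipv6_route=False)
    print("fixed selection:", chosen, "reachable:", esp_is_reachable(chosen, have_ipv6_route=False))
```

Running it on the constructed config shows the buggy selector returning the IPv6 address on an IPv4-only host (unreachable, hence the keepalive failure), while the fixed selector falls back to the legacy address in that case and only uses IPv6 when both the option and the connectivity permit it.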
