Hrrrm… No dice here.
Summary: Getting some RTNETLINK barking and "policy FAIL" on the server side,
but ESP connection does seem to connect.
But no traffic flowing through it. The "client's" tun0 interface does show
OUTPUT packets, but nothing seems to be coming back from the other end?
See detailed output from both sides below -- I've probably missed something.
--------
Server Side:
$ sudo ./espsetup.sh
0x87654321 0x12345678
RTNETLINK answers: No such process
RTNETLINK answers: No such process
$ sudo ./esplisten.pl &
setsockopt:: policy FAIL
setsockopt:: policy FAIL
setsockopt:: UDP_ENCAP OK
$ openssl s_server -accept 8443 -crlf -cert server-cert.pem -key server-key.pem
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MFUCAQECAgMDBALALwQABDC7IgsOtJgDJlfJjHIKuR5TC9tfSenNr4DLZdwdxSpv
0gSTz+NsZY90x2qyRjt/rOuhBgIEXKusc6IEAgIBLKQGBAQBAAAA
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-DES-CBC3-SHA:ECDHE-RSA-RC4-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES128-SHA256:AES256-SHA:AES256-SHA256:CAMELLIA128-SHA:CAMELLIA256-SHA:DES-CBC3-SHA:RC4-SHA:RC4-MD5:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:EDH-RSA-DES-CBC3-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-DSS-AES256-GCM-SHA384:DHE-DSS-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:DHE-DSS-AES256-SHA256:DHE-DSS-CAMELLIA128-SHA:DHE-DSS-CAMELLIA256-SHA:EDH-DSS-DES-CBC3-SHA
Signature Algorithms:
RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA512:ECDSA+SHA512:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Signature Algorithms:
RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA512:ECDSA+SHA512:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Supported Elliptic Curve Point Formats: uncompressed
Supported Elliptic Curves: P-256:P-384:P-521
Shared Elliptic curves: P-256:P-384:P-521
CIPHER is ECDHE-RSA-AES128-GCM-SHA256
Secure Renegotiation IS supported
POST /ssl-vpn/getconfig.esp HTTP/1.1
Host: 10.181.43.20:8443
User-Agent: PAN GlobalProtect
X-Pad: 0000000000000000000000000000000000000000000
Content-Type: application/x-www-form-urlencoded
Content-Length: 149
client-type=1&protocol-version=p1&app-version=3.0.1-10&clientos=Linux&os-version=linux-64&hmac-algo=sha1%2cmd5&enc-algo=aes-128-cbc%2caes-256-cbc&asd
################## Pasted gpconf.xml here ##################
HTTP/1.1 200 OK
Content-Length: 991
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<response>
<ip-address>172.16.0.1</ip-address>
<netmask>255.255.255.0</netmask>
<mtu>1460</mtu>
<gw-address>172.16.0.2</gw-address>
<ipsec>
<udp-port>8443</udp-port>
<enc-algo>aes128</enc-algo>
<hmac-algo>sha1</hmac-algo>
<c2s-spi>12345678</c2s-spi>
<s2c-spi>87654321</s2c-spi>
<ekey-c2s>
<bits>512</bits>
<val>1234567890123456789012345678901234567890123456789012345678901234</val>
</ekey-c2s>
<ekey-s2c>
<bits>512</bits>
<val>1234567890123456789012345678901234567890123456789012345678901234</val>
</ekey-s2c>
<akey-c2s>
<bits>512</bits>
<val>1234567890123456789012345678901234567890123456789012345678901234</val>
</akey-c2s>
<akey-s2c>
<bits>512</bits>
<val>1234567890123456789012345678901234567890123456789012345678901234</val>
</akey-s2c>
<ipsec-mode>esp-tunnel</ipsec-mode>
</ipsec>
</response>
HTTP/1.1 200 OK
Content-Length: 124
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<response>
<hip-report-needed>no</hip-report-needed>
</response>
################## End of Paste ##################
START_TUNNEL
0 items in the session cache
0 client connects (SSL_connect())
0 client renegotiates (SSL_connect())
0 client connects that finished
1 server accepts (SSL_accept())
0 server renegotiates (SSL_accept())
1 server accepts that finished
0 session cache hits
0 session cache misses
0 session cache timeouts
0 callback cache hits
0 cache full overflows (128 allowed)
POST /ssl-vpn/hipreportcheck.esp HTTP/1.1
Host: 10.181.43.20:8443
User-Agent: PAN GlobalProtect
X-Pad: 00000000000000000000000000000000000
Content-Type: application/x-www-form-urlencoded
Content-Length: 93
client-role=global-protect-full&asd&client-ip=172.16.0.1&md5=7815696ecbf1c96e6894b779456d330eERROR
shutting down SSL
CONNECTION CLOSED
ACCEPT
From CLIENT side (logged in as root)
# ip tuntap add mode tun user $LOGNAME
# ip link set tun0 up
# ifconfig tun0 172.16.0.1 pointopoint 172.16.0.2
# ./openconnect 10.181.43.20:8443 --protocol gp -C asd --servercert pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --dtls-local-port=8443 -i tun0 -s /bin/true
POST https://10.181.43.20:8443/ssl-vpn/getconfig.esp
Connected to 10.181.43.20:8443
SSL negotiation with 10.181.43.20
Server certificate verify failed: signer not found
Connected to HTTPS on 10.181.43.20
POST https://10.181.43.20:8443/ssl-vpn/hipreportcheck.esp
Connected as 172.16.0.1, using SSL, with ESP in progress
ESP session established with server
ESP tunnel connected; exiting HTTPS mainloop.
^Z
[1]+ Stopped ./openconnect 10.181.43.20:8443 --protocol gp -C asd --servercert pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --dtls-local-port=8443 -i tun0 -s /bin/true
# bg
[1]+ ./openconnect 10.181.43.20:8443 --protocol gp -C asd --servercert pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --dtls-local-port=8443 -i tun0 -s /bin/true &
# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.181.43.29 netmask 255.255.255.0 broadcast 10.181.43.255
inet6 fe80::250:56ff:fea9:795c prefixlen 64 scopeid 0x20<link>
ether 00:50:56:a9:79:5c txqueuelen 1000 (Ethernet)
RX packets 13604 bytes 1966636 (1.8 MiB)
RX errors 0 dropped 103 overruns 0 frame 0
TX packets 12400 bytes 2155612 (2.0 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 951 bytes 60520 (59.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 951 bytes 60520 (59.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1460
inet 172.16.0.1 netmask 255.255.255.255 destination 172.16.0.2
inet6 fe80::6484:59f6:9a57:76c1 prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3 bytes 144 (144.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
# netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.181.43.1 0.0.0.0 UG 0 0 0 eth0
10.181.43.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
172.16.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
[root@flehpcvpn0009 openconnect-PATCHED3]# ping 172.16.0.1
PING 172.16.0.1 (172.16.0.1) 56(84) bytes of data.
64 bytes from 172.16.0.1: icmp_seq=1 ttl=64 time=0.018 ms
^C
--- 172.16.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.018/0.018/0.018/0.000 ms
# ping 172.16.0.2
PING 172.16.0.2 (172.16.0.2) 56(84) bytes of data.
^C
--- 172.16.0.2 ping statistics ---
10 packets transmitted, 0 received, 100% packet loss, time 2999ms
----------------------------------------------
From: David Woodhouse [mailto:[email protected]]
Sent: Monday, April 8, 2019 3:09 PM
To: Phillips, Tony
Cc: Nikos Mavrogiannopoulos; Daniel Lenski; [email protected]
Subject: RE: [EXTERNAL] Re: What throughput is reasonable?
Sounds good. Run s_server on the fake server. Paste the HTTP responses when the
client connects to it. Don't forget to run esplisten.pl on the server too.
--
dwmw2
_______________________________________________
openconnect-devel mailing list
[email protected]
http://lists.infradead.org/mailman/listinfo/openconnect-devel
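The getconfig.esp response pasted in the server log above carries every parameter the two ESP security associations are built from: SPIs, algorithm names, and the four keys with their `<bits>` and hex `<val>`. Before chasing the tunnel itself, it is worth checking that those fields are self-consistent. The following is an added example, not code from the thread, from openconnect or from any of the helper scripts it mentions: a small Python checker that parses the pasted XML and reports fields that cannot describe a valid SA. The expected key sizes it uses (128 bits for aes128, 256 for aes256, 160 for HMAC-SHA1, 128 for HMAC-MD5) are the standard sizes for those algorithms and are an assumption of this example; the XML is copied from the mail as a constructed sample. Whether any mismatch it reports is connected to the RTNETLINK or "policy FAIL" messages depends on what espsetup.sh and esplisten.pl do with those fields, which the mail does not show.

```python
"""Consistency check for a GlobalProtect getconfig.esp <ipsec> block.

Added example; not from the openconnect project or the mailing-list thread.
"""
import xml.etree.ElementTree as ET

# Standard key sizes (bits) for the algorithms the config names.
# Assumption of this example, not a table taken from openconnect.
ENC_KEY_BITS = {"aes128": 128, "aes256": 256}
AUTH_KEY_BITS = {"sha1": 160, "md5": 128}

# Constructed sample: the response pasted in the server-side log above.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<response>
<ip-address>172.16.0.1</ip-address>
<netmask>255.255.255.0</netmask>
<mtu>1460</mtu>
<gw-address>172.16.0.2</gw-address>
<ipsec>
<udp-port>8443</udp-port>
<enc-algo>aes128</enc-algo>
<hmac-algo>sha1</hmac-algo>
<c2s-spi>12345678</c2s-spi>
<s2c-spi>87654321</s2c-spi>
<ekey-c2s><bits>512</bits><val>1234567890123456789012345678901234567890123456789012345678901234</val></ekey-c2s>
<ekey-s2c><bits>512</bits><val>1234567890123456789012345678901234567890123456789012345678901234</val></ekey-s2c>
<akey-c2s><bits>512</bits><val>1234567890123456789012345678901234567890123456789012345678901234</val></akey-c2s>
<akey-s2c><bits>512</bits><val>1234567890123456789012345678901234567890123456789012345678901234</val></akey-s2c>
<ipsec-mode>esp-tunnel</ipsec-mode>
</ipsec>
</response>
"""


def parse_ipsec(xml_text):
    """Return the <ipsec> children as a dict; key elements become {'bits':..., 'val':...}."""
    root = ET.fromstring(xml_text)
    ipsec = root.find("ipsec")
    if ipsec is None:
        raise ValueError("no <ipsec> element in response")
    out = {}
    for child in ipsec:
        if len(child):  # ekey-*/akey-* carry nested <bits> and <val>
            out[child.tag] = {g.tag: (g.text or "").strip() for g in child}
        else:
            out[child.tag] = (child.text or "").strip()
    return out


def check_key(name, key, expected_bits):
    """Flag a key whose <bits>, hex <val> length and algorithm key size disagree."""
    problems = []
    try:
        bits = int(key["bits"])
    except (KeyError, ValueError):
        return [f"{name}: missing or non-numeric <bits>"]
    try:
        raw = bytes.fromhex(key.get("val", ""))
    except ValueError:
        return [f"{name}: <val> is not valid hex"]
    if len(raw) * 8 != bits:
        problems.append(f"{name}: <bits> says {bits} but <val> holds {len(raw) * 8} bits")
    if bits != expected_bits:
        problems.append(f"{name}: algorithm needs a {expected_bits}-bit key, config gives {bits}")
    return problems


def check_config(xml_text):
    """Return a list of human-readable problems; an empty list means the block is consistent."""
    cfg = parse_ipsec(xml_text)
    problems = []
    enc, mac = cfg.get("enc-algo"), cfg.get("hmac-algo")
    if enc not in ENC_KEY_BITS:
        problems.append(f"unknown enc-algo {enc!r}")
    if mac not in AUTH_KEY_BITS:
        problems.append(f"unknown hmac-algo {mac!r}")
    for spi_tag in ("c2s-spi", "s2c-spi"):  # SPIs are 32-bit, sent as 8 hex digits
        spi = cfg.get(spi_tag, "")
        if len(spi) != 8 or any(c not in "0123456789abcdefABCDEF" for c in spi):
            problems.append(f"{spi_tag}: {spi!r} is not an 8-hex-digit SPI")
    for tag in ("ekey-c2s", "ekey-s2c"):
        if enc in ENC_KEY_BITS and tag in cfg:
            problems += check_key(tag, cfg[tag], ENC_KEY_BITS[enc])
    for tag in ("akey-c2s", "akey-s2c"):
        if mac in AUTH_KEY_BITS and tag in cfg:
            problems += check_key(tag, cfg[tag], AUTH_KEY_BITS[mac])
    if cfg.get("ipsec-mode") != "esp-tunnel":
        problems.append(f"unexpected ipsec-mode {cfg.get('ipsec-mode')!r}")
    return problems


if __name__ == "__main__":
    for line in check_config(SAMPLE_CONFIG) or ["config is self-consistent"]:
        print(line)
```

Run against the pasted sample, every one of the four keys is reported twice: its `<val>` is 64 hex digits, which is 256 bits rather than the 512 the `<bits>` field claims, and neither figure is the key size that aes128 or HMAC-SHA1 take. A response from a real gateway, or a corrected fake one, should come back with an empty list.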