On Thu, Oct 31, 2019 at 6:59 PM Nikos Mavrogiannopoulos
<[email protected]> wrote:
>
> Is there something we can do on the ocserv side to improve that?
> If we send the routes to the mobile client, would it work? Would you
> like to propose a patch?
I do have a patch for ocserv. In fact, it's very similar to a patch that you
suggested back in 2014. It's in a different spot because the code changed, but
the concept is the same.
diff --git a/src/worker-http.c b/src/worker-http.c
index 7951931a..6c796556 100644
--- a/src/worker-http.c
+++ b/src/worker-http.c
@@ -377,6 +377,8 @@ void header_value_check(struct worker_st *ws, struct
http_req_st *req)
req->user_agent_type = AGENT_OPENCONNECT;
} else if (strncasecmp(req->user_agent, "OpenConnect VPN
Agent", 21) == 0) {
req->user_agent_type = AGENT_OPENCONNECT;
+ } else if (strncasecmp(req->user_agent, "Cisco Any", 9) == 0) {
+ req->user_agent_type = AGENT_OPENCONNECT;
}
break;
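Review bot: the new branch matches only the 9-byte prefix "Cisco Any", which is looser than the neighbouring check that compares the full 21 bytes of "OpenConnect VPN Agent"; any agent string beginning with "Cisco Any" would be classified here, so compare the complete product name (`strncasecmp(req->user_agent, "Cisco AnyConnect", 16)`) instead. The branch also assigns AGENT_OPENCONNECT to an AnyConnect client, which makes the two indistinguishable later; since the DNS hunk in this same mail shows the two clients accept different header names, a separate agent type value looks like the right fix rather than reusing AGENT_OPENCONNECT.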
I haven't sent it yet because:
1) IPv6 DNS didn't work. I have solved this now, see below.
2) I want to understand why full tunnel mode doesn't work. The split route is a
hack that works, but it is not very elegant.
I did fix the DNS issue. It turns out that ocserv is sending the wrong answer
back to an AnyConnect client. For an IPv6 address it should use the following:
X-CSTP-DNS-IP6: 2604:8800:164:0:202:c9ff:fe4d:97b3
Instead the code sends (with my above patch):
X-CSTP-DNS: 2604:8800:164:0:202:c9ff:fe4d:97b3
which AnyConnect flags as an invalid server configuration.
I'm not sure this is an oversight because the ocserv code does determine
whether the DNS address is an IPv6 address or not, but then ignores it in the
response.
I'm also not sure how this impacts OpenConnect clients, so I don't want to
change the ocserv responses before understanding that better.
Anyway, the dns fix patch is:
diff --git a/src/worker-vpn.c b/src/worker-vpn.c
index 1acecb17..8b93950e 100644
--- a/src/worker-vpn.c
+++ b/src/worker-vpn.c
@@ -1991,7 +1991,8 @@ static int connect_handler(worker_st * ws)
oclog(ws, LOG_INFO, "adding DNS %s", ws->user_config->dns[i]);
ret =
- cstp_printf(ws, "X-CSTP-DNS: %s\r\n",
+ cstp_printf(ws, "X-CSTP-%s: %s\r\n",
+ ip6 ? "DNS-IP6" : "DNS",
ws->user_config->dns[i]);
SEND_ERR(ret);
}
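Review bot: `ip6` is used on the added line but neither declared nor assigned anywhere in the hunk, and the single line of leading context does not show where it comes from; if it is the existing per-address IPv6 flag the cover text mentions, regenerate the hunk with enough context (or a wider `-U`) to show that assignment, otherwise the patch does not compile as posted. The new header is also emitted for every client regardless of `user_agent_type`, so the open question about OpenConnect clients needs an answer before this is merged; if they do not accept `X-CSTP-DNS-IP6`, gate the name on the agent type instead of switching unconditionally.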
- Leendert
_______________________________________________
openconnect-devel mailing list
[email protected]
http://lists.infradead.org/mailman/listinfo/openconnect-devel
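The header selection the mail describes, written out as a small stand-alone example (added here; this is not ocserv code or the author's patch). It uses inet_pton() to decide whether a DNS server literal is IPv6 and then builds the `X-CSTP-DNS-IP6` or `X-CSTP-DNS` line, refusing anything that is not a valid address literal. It also shows the user-agent prefix check with the full product name length, since a short prefix would match more than intended. The function names, the helper's return convention and the sample addresses are assumptions for illustration; the IPv4 address is from the documentation range and the IPv6 address is the one quoted in the mail.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/*
 * Added example, not ocserv code. Build the CSTP DNS header line for one
 * DNS server address. Returns 1 if the address was IPv6 (header name
 * "DNS-IP6"), 0 if it was IPv4 (header name "DNS"), and -1 if the string
 * is not a valid address literal or the output buffer is too small.
 * A real implementation should refuse the -1 case instead of forwarding
 * an unvalidated string to the client.
 */
int format_cstp_dns_header(const char *addr, char *out, size_t outlen)
{
    unsigned char buf[16];   /* large enough for an in6_addr */
    int ip6;
    int n;

    if (addr == NULL || out == NULL)
        return -1;

    if (inet_pton(AF_INET6, addr, buf) == 1)
        ip6 = 1;
    else if (inet_pton(AF_INET, addr, buf) == 1)
        ip6 = 0;
    else
        return -1;

    n = snprintf(out, outlen, "X-CSTP-%s: %s\r\n",
                 ip6 ? "DNS-IP6" : "DNS", addr);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return ip6;
}

/*
 * Added example: classify an AnyConnect user agent by comparing the full
 * product name (16 bytes) rather than a shorter prefix, so that other
 * strings starting with "Cisco Any" are not mis-classified.
 */
int is_anyconnect_agent(const char *ua)
{
    static const char prefix[] = "Cisco AnyConnect";

    return ua != NULL && strncasecmp(ua, prefix, sizeof(prefix) - 1) == 0;
}

int main(void)
{
    /* Constructed sample inputs for the stand-alone run. */
    const char *servers[] = {
        "2604:8800:164:0:202:c9ff:fe4d:97b3", /* address quoted in the mail */
        "192.0.2.53",                          /* documentation-range IPv4 */
        "not-an-address",
    };
    char line[128];
    size_t i;

    for (i = 0; i < sizeof(servers) / sizeof(servers[0]); i++) {
        int rc = format_cstp_dns_header(servers[i], line, sizeof(line));
        if (rc < 0)
            printf("rejected: %s\n", servers[i]);
        else
            printf("%s", line);
    }
    printf("AnyConnect agent? %d\n",
           is_anyconnect_agent("Cisco AnyConnect VPN Agent for Windows"));
    return 0;
}
```

Running it prints the two header lines and rejects the non-address string; the agent check returns 1 only when the whole "Cisco AnyConnect" product name is present.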