Hey all!

While trying to understand how to get IPv6 on our GlobalProtect Clients, we found out about OpenConnect!

You're asking for results about IPv6 with GP.

We're using IPv4 and IPv6 Split Tunneling with PanOS 11.0.3 and GP 6.1.2-83.

So far, I can tell you this: it works great if we're using version 8.20. Split tunneling with IPv6 stopped working with 9.00 and newer. I assume that's related to https://gitlab.com/openconnect/openconnect/-/merge_requests/367

Due to the revert, the "include IPv6" is indeed recognized as "exclude IPv6" (not v4; that is included as it should be), and instead of leaving the default route alone, it's changed to the tunnel. Looks like something is swapped here.

I could fix this by adding "access-routes-v6" to line 532 in gpst.c: https://gitlab.com/openconnect/openconnect/-/blob/master/gpst.c?ref_type=heads#L532 (I've attached a patch; let me know if it's easier for you if I create an MR in GitLab, and I'll create one then.)

Before:

$ ip -6 r
::1 dev lo proto kernel metric 256 pref medium
2a06:2380:0:1::/64 via fe80::2e91:abff:fe9f:3514 dev enp2s0f0 metric 100 pref medium (this should be routed via the tunnel!)
[... redacted]
fe80::/64 dev tun0 proto kernel metric 256 pref medium
fe80::/64 dev enp2s0f0 proto kernel metric 1024 pref medium
default dev tun0 metric 1 pref medium
default via fe80::2e91:abff:fe9f:3514 dev enp2s0f0 proto ra metric 100 pref high

And after:

$ ip -6 r
2a06:2380:0:1::/64 dev tun0 metric 1024 pref medium (now routed via tunnel!)
[... redacted]
fe80::/64 dev tun0 proto kernel metric 256 pref medium
fe80::/64 dev enp2s0f0 proto kernel metric 1024 pref medium
default via fe80::2e91:abff:fe9f:3514 dev enp2s0f0 proto ra metric 100 pref high

I can get you a (redacted) XML output from GlobalProtect if needed, and, if you really want to test it, I *might* be able to get you an account on our Palo for VPN (without any real access however, only to verify the routes).

Kind regards,

*Daniel Loxtermann*
Unit Lead System Operations

daniel.loxterm...@greenbone.net


Greenbone AG, Neumarkt 12, 49074 Osnabrück, Germany

https://www.greenbone.net

Handelsregister: Amtsgericht Osnabrück, HRB 218768
Vorstand: Dr. Jan-Oliver Wagner (CEO), Elmar Geese
Aufsichtsrats-Vorsitzender: Lukas Grunwald
diff --git a/gpst.c b/gpst.c
index 37235c1f..2da18810 100644
--- a/gpst.c
+++ b/gpst.c
@@ -529,7 +529,7 @@ static int gpst_parse_config_xml(struct openconnect_info *vpninfo, xmlNode *xml_
 						ret = -ENOMEM;
 						goto err;
 					}
-					if (xmlnode_is_named(xml_node, "access-routes")) {
+					if (xmlnode_is_named(xml_node, "access-routes") || xmlnode_is_named(xml_node, "access-routes-v6")) {
 						inc->route = add_option_steal(&new_opts, "split-include", &s);
 						inc->next = new_ip_info.split_includes;
 						new_ip_info.split_includes = inc;
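Review bot: the widened condition `if (xmlnode_is_named(xml_node, "access-routes") || xmlnode_is_named(xml_node, "access-routes-v6"))` only changes which element names land in the split-include branch; the alternative branch that previously received `access-routes-v6` (and, per the cover mail, treated it as an exclude) is outside this hunk, so the reviewer should confirm it now matches only the exclude element names and nothing else silently falls through to `split_excludes`. The patch also arrives without a commit message; one that references the revert in merge request 367, the `ip -6 r` before/after routes shown in the mail, and the tested PAN-OS 11.0.3 / GP 6.1.2-83 versions would make the change self-explanatory in the history. Minor: the new line is considerably longer than the surrounding code; splitting the `||` across two lines would keep the file's line width consistent.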
_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
