Closed thraxte closed 7 years ago
Hmmm… looks like everything is fine, except that your VPN's routing configuration is quite strange.
The routes enabled for the VPN are…
<access-routes>
<member>192.168.0.0/16</member>
<member>172.31.0.0/16</member>
</access-routes>
But all the VPN-internal addresses I can see in your debug log are not in either of these routes: DNS servers are in 172.24.0.0/16, and the VPN-internal IP address is in 172.23.0.0/16. How about the addresses of the hosts you're trying to connect to? Are those also not in the routes specified in the config?
Try this: after connecting with openconnect
, run this to route the entire 20-bit block IPv4 private address space over the VPN.
$ sudo ip route add 172.16.0.0/12 dev tun0
After doing that… can you contact the hosts you're trying to connect to? If so, the problem is with the server-side configuration of the VPN.
Hi.
Thanks for your comments.
The routes are there, i just removed them as there are also some public ips on those routes.
The host i'm trying to reach is 17.17.72.XX which is part of those segments, but i've also tested some other ip's which I know can be reached with the windows client but no luck here.
I've also tried inserting the new route as you suggested, but no luck either.
See a more complete route list here.
< <access-routes>
< <member>192.168.0.0/16</member>
< <member>172.31.0.0/16</member>
< <member>172.28.0.0/16</member>
< <member>172.26.0.0/16</member>
< <member>172.25.215.0/24</member>
< <member>172.25.213.0/24</member>
< <member>172.25.212.0/24</member>
< <member>172.24.0.0/16</member>
< <member>172.23.0.0/16</member>
< <member>172.22.0.0/16</member>
< <member>172.20.0.0/16</member>
< <member>172.18.0.0/16</member>
< <member>172.17.0.0/16</member>
< <member>172.16.0.0/16</member>
< <member>10.254.5.0/24</member>
< <member>10.200.5.0/24</member>
< <member>10.15.1.18/32</member>
< <member>10.6.0.20/32</member>
< <member>172.31.3.0/24</member>
< <member>10.6.0.0/24</member>
< <member>10.196.52.0/24</member>
< <member>10.95.70.0/24</member>
< <member>10.95.61.0/24</member>
< <member>10.144.85.0/24</member>
< <member>10.146.33.0/24</member>
< <member>172.25.0.0/16</member>
< <member>172.28.10.0/24</member>
< <member>10.118.1.0/24</member>
< <member>172.24.0.222/32</member>
< <member>172.24.0.223/32</member>
also the routes are configured system-wide
$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.43.1 0.0.0.0 UG 600 0 0 wlp3s0
10.6.0.0 * 255.255.255.0 U 0 0 0 tun0
10.6.0.20 * 255.255.255.255 UH 0 0 0 tun0
10.15.1.18 * 255.255.255.255 UH 0 0 0 tun0
10.95.61.0 * 255.255.255.0 U 0 0 0 tun0
10.95.70.0 * 255.255.255.0 U 0 0 0 tun0
10.118.1.0 * 255.255.255.0 U 0 0 0 tun0
10.144.85.0 * 255.255.255.0 U 0 0 0 tun0
10.146.33.0 * 255.255.255.0 U 0 0 0 tun0
10.196.52.0 * 255.255.255.0 U 0 0 0 tun0
10.200.5.0 * 255.255.255.0 U 0 0 0 tun0
10.254.5.0 * 255.255.255.0 U 0 0 0 tun0
172.16.0.0 * 255.255.0.0 U 0 0 0 tun0
172.17.0.0 * 255.255.0.0 U 0 0 0 tun0
172.18.0.0 * 255.255.0.0 U 0 0 0 tun0
172.20.0.0 * 255.255.0.0 U 0 0 0 tun0
172.22.0.0 * 255.255.0.0 U 0 0 0 tun0
172.23.0.0 * 255.255.0.0 U 0 0 0 tun0
172.23.61.112 * 255.255.255.255 UH 0 0 0 tun0
172.24.0.0 * 255.255.0.0 U 0 0 0 tun0
172.25.0.0 * 255.255.0.0 U 0 0 0 tun0
172.25.212.0 * 255.255.255.0 U 0 0 0 tun0
172.25.213.0 * 255.255.255.0 U 0 0 0 tun0
172.25.215.0 * 255.255.255.0 U 0 0 0 tun0
172.26.0.0 * 255.255.0.0 U 0 0 0 tun0
172.28.0.0 * 255.255.0.0 U 0 0 0 tun0
172.28.10.0 * 255.255.255.0 U 0 0 0 tun0
172.31.0.0 * 255.255.0.0 U 0 0 0 tun0
172.31.3.0 * 255.255.255.0 U 0 0 0 tun0
192.168.0.0 * 255.255.0.0 U 0 0 0 tun0
192.168.43.0 * 255.255.255.0 U 600 0 0 wlp3s0
Okay, I just noticed another unusual detail in your VPN's config:
<gw-address>201.246.158.230</gw-address> <!-- external VPN gateway -->
<ip-address>172.23.61.114</ip-address> <!-- your computer's VPN-internal IP address -->
<default-gateway>172.28.69.256</default-gateway> <!-- normally the *same* as IP address -->
172.28.69.256 doesn't make any sense. .256
is not a valid IP address.
Furthermore, it doesn't really make sense for a peer-to-peer VPN (GlobalProtect or otherwise) to tell the client to use a default gateway isn't the same as the IP address. (The original openconnect authors apparently agree that this is weird or meaningless.)
So… two questions for you:
<default-gateway>
is actually the same as the <ip-address>
?Also, given that the routing configuration here is unclear, it'd be helpful to save the routing configuration with this VPN under Windows (use route print
) so we can see what the official GlobalProtect client is doing with these settings.
Sorry for the delay.
The default gw really is the same ip addres. My mistake when cleaning the sensitive information. I´ve attached logs and routes taken from the windows client.
windows routes.txt vpn log.txt
I´m suspecting this might be a issue between openconnect and ElementaryOS. I´ve tryed to connect to a juniper endpoint which gest successfully conected, but no packets are sent or received on that case.
Okay. So no VPN clients are working on the Linux side? Do you have some overly-aggressive firewall or IP-filter running? You should check that sudo tcpdump -v -i tun0
shows packets going to/from the tunnel interface when you try to ping hosts inside the VPN. If not, then packets are getting dropped before they make it to openconnect.
Assuming that's not the case, the Windows log shows that you are getting a persistent IP address of 172.18.62.19
.
It's possible that there is some special mechanism by which your VPN doesn't work unless you request this specific address. I've seen a couple reports of this before.
Try this to do a 2-phase connection. First login and get the authentication cookie:
$ eval $(openconnect --prot=gp --authenticate vpn-address.com)
Please enter your username and password
Username:
Password:
Check that the environment variables got set as expected:
$ env | egrep 'COOKIE|HOST|FINGERPRINT'
COOKIE='authcookie=deadbeefdeadbeef&portal=PORTAL&user=USERNAME&domain=DOMAIN'
HOST='gateway.ip.address'
FINGERPRINT='sha256:...'
Now we'll append &preferred-ip=172.18.62.19
to the cookie, telling the server that you want your normal "reserved" IP address, and do the second connection phase:
$ openconnect --prot=gp "$HOST" -C "${COOKIE}&preferred-ip=172.18.62.19"
...
Does the network connectivity work when you do this?
Hi. I don't have any firewall/ip filter running. I've checked and the packets are being sent to the tun0 interface.
I've done the test the way you suggested but the results are the same.
$ ping 172.17.72.201
PING 172.17.72.201 (172.17.72.201) 56(84) bytes of data.
^C
--- 172.17.72.201 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7054ms
$ ifconfig -a
enp2s0 Link encap:Ethernet HWaddr c4:2c:03:32:6d:e6
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:16
eth0 Link encap:Ethernet HWaddr 4a:d7:05:73:02:5e
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:998 errors:0 dropped:0 overruns:0 frame:0
TX packets:998 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:100685 (100.6 KB) TX bytes:100685 (100.6 KB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:172.23.62.204 P-t-P:172.23.62.204 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1410 Metric:1
RX packets:26 errors:0 dropped:0 overruns:0 frame:0
TX packets:52 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:4072 (4.0 KB) TX bytes:4719 (4.7 KB)
wlp3s0 Link encap:Ethernet HWaddr 60:33:4b:1c:dc:70
inet addr:192.168.43.141 Bcast:192.168.43.255 Mask:255.255.255.0
inet6 addr: fe80::4efb:b15f:99b1:9e6a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6402 errors:0 dropped:0 overruns:0 frame:54385
TX packets:5718 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4986992 (4.9 MB) TX bytes:991947 (991.9 KB)
Interrupt:17
sh
I don't have any firewall/ip filter running. I've checked and the packets are being sent to the tun0 interface.
Okay, so it seems that packets are getting sent to the tun0
interface, and to the VPN gateway over the public Internet. But the only packets that are received from the VPN gateway are keepalive packets.
I've done the test the way you suggested but the results are the same.
I'm running out of ideas here, but a few things to try…
--no-dtls
. This disables the ESP/UDP based tunnel and only uses the HTTPS tunnel. We have previously seen GlobalProtect gateways that are misconfigured so that ESP never works, even though the gateway claims it works (see #5).Beyond that I'm out of ideas… you'd need to run mitmproxy to log the connection from a Windows system and see how it differs from the way I think it works.
Getting a very similar "good connection but no data" on ubuntu, here's my log vpnlog.md.txt
--no-dtld
doesn't work for me
POST https://[gateway]/ssl-vpn/login.esp
GlobalProtect login returned authentication source=RADIUS Authentication
POST https://[gateway]/ssl-vpn/getconfig.esp
No MTU received. Calculated 1410
Set up DTLS failed; using SSL instead
Connected as 10.211.167.12, using SSL
GPST Dead Peer Detection detected dead peer!
POST https://[gateway]/ssl-vpn/getconfig.esp
SSL negotiation with [gateway]
Server certificate verify failed: signer not found
Connected to HTTPS on 63.137.86.165
No MTU received. Calculated 1410
Failed to connect ESP tunnel; using HTTPS instead.
^CPOST https://[gateway]/ssl-vpn/logout.esp
SSL negotiation with [gateway]
Server certificate verify failed: signer not found
Connected to HTTPS on [gateway]
loop
I'm afraid that I have no further insight into what's wrong with these connections. OpenConnect is doing exactly what the GP protocol expects it to do, based on my knowledge of it.
Do either of you know how to run mitmproxy
to log the Windows connection to figure out what the official client is doing differently?
I have a couple small helper scripts for mitm'ing the GP VPN which I'll share if so …
@0atman, this is very weird: in your ESP mode log, at least the keepalive/ping packets are successfully transmitted, but in HTTPS-only mode (--no-dtls
) the keepalive packets aren't getting through.
That's a puzzling inconsistency. If you can run the get-portal-config.py
script, what version is the GP server software reporting?
Found the problem: The network I was connecting over was heavily filtered. Over the normal Internet it works great! Thank you so much for your help! Now, to persuade IT to officially bless this...!
Found the problem: The network I was connecting over was heavily filtered. Over the normal Internet it works great! Thank you so much for your help!
Huh… your original logs showed:
Parameters for incoming ESP: SPI 0x309d4974
ESP encryption type AES-128-CBC (RFC3602) key 0xf5bed1a32c727cbb2b1b897d0d4f7bba
ESP authentication type HMAC-SHA-1-96 (RFC2404) key 0x9422f7f8233bfed9175ea84681a2e84e648ac560
Parameters for outgoing ESP: SPI 0x6a198c3a
ESP encryption type AES-128-CBC (RFC3602) key 0x5ac8008a4db7dc073c14fc5a231407bd
ESP authentication type HMAC-SHA-1-96 (RFC2404) key 0x03eee97daa9c706e824707e4586c07614cac101e
Send ESP probes
Connected as 10.211.167.10, using SSL
No work to do; sleeping for 5000 ms...
Received ESP packet of 84 bytes
ESP session established with server
Received ESP packet of 84 bytes
Received ESP packet of 84 bytes
ESP tunnel connected; exiting HTTPS mainloop.
[about 10 seconds of trying to connect to stuff]
I have no idea what kind of network filtering would cause these symptoms!!
Now, to persuade IT to officially bless this...!
Good luck, but lack of support from IT is the reason I created this in the first place. OpenConnect is supposed to behave in a way that's indistinguishable from the "official" client(s), so that IT can't not support it :angry:
lack of support from IT is the reason I created this in the first place. OpenConnect is supposed to behave in a way that's indistinguishable from the "official" client(s), so that IT can't not support it
The word "Hero" is thrown about a lot these days, but it is correct in this instance :-D
@thraxte, are you still having a problem here? Did --no-dtls
fix anything?
I had a similar issue - connected successfully and had internet connection, but then I was unable to reach our internal services like JIRA, Jenkins or Git. Running the client with --no-dtls
fixed the issue :)
Problem description
i've checked the interface and routes configured correctly, but the ping, traceroute or any type of packed reach the destination
Operating system and openconnect-gp version
openconnect-gp version:
operating system:
GlobalProtect VPN information