streambinder / vpnc

IPsec (Cisco/Juniper) VPN concentrator client
https://davidepucci.it/doc/vpnc
GNU General Public License v2.0

vpnc 0.5.3.r501 on Arch Linux causes openconnect to not work #26

Closed marvinbernhardt closed 2 years ago

marvinbernhardt commented 2 years ago

I'm not sure if this is the right place to submit this issue, but this repo is referenced here.

I'll just copy what I posted in the Arch Forum:

Hello everyone

Yesterday, I had VPN to university (Cisco AnyConnect) working on both my computer and laptop with openconnect. Then I updated my computer. The output of openconnect 8.20 looks different. And there was apparently no connection. I could not ping any server in the university network (except my own IP address). After a minute or so, openconnect would say

DTLS Dead Peer Detection detected dead peer!
CSTP Dead Peer Detection detected dead peer!

At the same time it was still working on my Laptop.

Then I thought this looks like it is an issue with openconnect. But downgrading openconnect to 8.10 would not solve the issue. The output of openconnect would return to what I was used to, but I still cannot connect.

Any idea what I could check or which component/package could cause the issue or what I can check?

Full openconnect output (privatized):

$ pass foo/bar | sudo openconnect --cafile="/path/to/cert.pem" --authgroup=extern --user="foo" --passwd-on-stdin --verbose https://vpn.foo
connection with profile extern
POST https://vpn.FOO
Attempting to connect to server [IP6FOO]:443
Connected to [2001:FOO]:443
SSL negotiation with vpn.FOO
Connected to HTTPS on vpn.FOO with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-store
Pragma: no-cache
Connection: Keep-Alive
Date: Sun, 13 Mar 2022 06:55:51 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'
X-Aggregate-Auth: 1
HTTP body chunked (-2)
XML POST enabled
Please enter your username and password.
POST https://vpn.FOO
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-store
Pragma: no-cache
Connection: Keep-Alive
Date: Sun, 13 Mar 2022 06:55:52 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'
X-Aggregate-Auth: 1
HTTP body chunked (-2)
XML POST enabled
Please enter your username and password.
POST https://vpn.FOO
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-store
Pragma: no-cache
Connection: Keep-Alive
Date: Sun, 13 Mar 2022 06:55:52 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'
X-Aggregate-Auth: 1
HTTP body chunked (-2)
TCP_INFO rcv mss 1368, snd mss 1368, adv mss 1420, pmtu 1492
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Protocol: Copyright (c) 2004 Cisco Systems, Inc.
X-CSTP-Address: IP4FOO
X-CSTP-Netmask: 255.255.255.0
X-CSTP-Address-IP6: IP6FOO
X-CSTP-Hostname: DOMAINFOO
X-CSTP-DNS: IP4FOO
X-CSTP-DNS: IP4FOO
X-CSTP-DNS-IP6: IP6FOO
X-CSTP-DNS-IP6: IP6FOO
X-CSTP-Lease-Duration: 1209600
X-CSTP-Session-Timeout: none
X-CSTP-Session-Timeout-Alert-Interval: 60
X-CSTP-Session-Timeout-Remaining: none
X-CSTP-Idle-Timeout: 3600
X-CSTP-Disconnected-Timeout: 3600
X-CSTP-Default-Domain: FOO
X-CSTP-Split-Include: IP4FOO/255.255.0.0
X-CSTP-Split-Include-IP6: IP6FOO/40
X-CSTP-Keep: true
X-CSTP-Tunnel-All-DNS: false
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-CSTP-MSIE-Proxy-Lockdown: true
X-CSTP-Smartcard-Removal-Disconnect: true
X-DTLS-Session-ID: FOO
X-DTLS-Port: 443
X-DTLS-Keepalive: 20
X-DTLS-DPD: 30
X-CSTP-MTU: 1287
X-DTLS-MTU: 1356
X-DTLS12-CipherSuite: ECDHE-RSA-AES256-GCM-SHA384
X-CSTP-Routing-Filtering-Ignore: false
X-CSTP-Quarantine: false
X-CSTP-Disable-Always-On-VPN: false
X-CSTP-Client-Bypass-Protocol: false
X-CSTP-TCP-Keepalive: true
X-CSTP-Post-Auth-XML: <elided>
CSTP connected. DPD 30, Keepalive 20
DTLS option X-DTLS-Session-ID : FOO
DTLS option X-DTLS-Port : 443
DTLS option X-DTLS-Keepalive : 20
DTLS option X-DTLS-DPD : 30
DTLS option X-DTLS-MTU : 1356
DTLS option X-DTLS12-CipherSuite : ECDHE-RSA-AES256-GCM-SHA384
DTLS initialised. DPD 30, Keepalive 20
Connected as IP4FOO + IP6FOO, using SSL, with DTLS in progress
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS1.2)-(ECDHE-RSA)-(AES-256-GCM).
Initiating MTU detection (min=576, max=1356)
No change in MTU after detection (was 1356)
Send CSTP Keepalive
Send DTLS DPD
Send CSTP DPD
Send DTLS DPD
Send CSTP DPD
Send DTLS DPD
Send CSTP DPD
DTLS Dead Peer Detection detected dead peer!
CSTP Dead Peer Detection detected dead peer!

Then I found out that with vpnc-0.5.3.r496 it works. Is this a vpnc bug?
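The verbose log above is worth reading in stages: TLS came up, authentication and the CONNECT handshake succeeded, CSTP and DTLS both established, and only then did both Dead Peer Detection timers fire. That places the failure in the data path after the tunnel was negotiated (the layer where vpnc-script configures the interface and routes), not in authentication or TLS. The following Python script is an added example, not code from this repository or from openconnect; it parses a constructed excerpt modelled on the log above, collects the negotiated X-CSTP/X-DTLS parameters, counts the DPD/keepalive probes, and reports which stage was the last to succeed. The line patterns it matches are taken from the log as posted; any other openconnect message formats are assumptions.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the openconnect --verbose output in the issue.
SAMPLE_LOG = """\
Connected to HTTPS on vpn.FOO with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Address: IP4FOO
X-CSTP-Netmask: 255.255.255.0
X-CSTP-Split-Include: IP4FOO/255.255.0.0
X-CSTP-Split-Include-IP6: IP6FOO/40
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-CSTP-MTU: 1287
X-DTLS-MTU: 1356
CSTP connected. DPD 30, Keepalive 20
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS1.2)-(ECDHE-RSA)-(AES-256-GCM).
Send CSTP Keepalive
Send DTLS DPD
Send CSTP DPD
Send DTLS DPD
Send CSTP DPD
DTLS Dead Peer Detection detected dead peer!
CSTP Dead Peer Detection detected dead peer!
"""

# Line shapes as they appear in the posted log.
HEADER_RE = re.compile(r"^(X-(?:CSTP|DTLS)[\w-]*):\s*(.*)$")
SEND_RE = re.compile(r"^Send (CSTP|DTLS) (DPD|Keepalive)$")
DEAD_RE = re.compile(r"^(CSTP|DTLS) Dead Peer Detection detected dead peer!$")


def parse_openconnect_log(text):
    """Collect negotiated parameters, probe counters and stage markers from
    openconnect --verbose output."""
    result = {
        # Repeated headers (DNS, Split-Include) keep every value in order.
        "headers": defaultdict(list),
        "sent": {"CSTP": {"DPD": 0, "Keepalive": 0},
                 "DTLS": {"DPD": 0, "Keepalive": 0}},
        "dead": set(),      # transports whose DPD declared the peer dead
        "tls_up": False,    # HTTPS session to the concentrator established
        "cstp_up": False,   # CONNECT accepted, tunnel parameters received
        "dtls_up": False,   # UDP data channel established
    }
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Connected to HTTPS on"):
            result["tls_up"] = True
        elif line.startswith("CSTP connected."):
            result["cstp_up"] = True
        elif line.startswith("Established DTLS connection"):
            result["dtls_up"] = True
        elif (m := HEADER_RE.match(line)):
            result["headers"][m.group(1)].append(m.group(2))
        elif (m := SEND_RE.match(line)):
            result["sent"][m.group(1)][m.group(2)] += 1
        elif (m := DEAD_RE.match(line)):
            result["dead"].add(m.group(1))
    result["headers"] = dict(result["headers"])
    return result


def diagnose(parsed):
    """Name the last stage that succeeded so the failure lands in the right layer."""
    if not parsed["tls_up"]:
        return "tls_failed"              # never reached the concentrator
    if not parsed["cstp_up"]:
        return "auth_or_cstp_failed"     # TLS fine, no tunnel parameters
    if parsed["dead"] >= {"CSTP", "DTLS"}:
        # Both the TCP/TLS and the UDP/DTLS channels were up and then went
        # silent: nothing answers through the tunnel, which points at the
        # interface/route setup done after negotiation rather than at auth.
        return "data_path_dead"
    if parsed["dead"]:
        return "partial_dead:" + ",".join(sorted(parsed["dead"]))
    return "healthy"


if __name__ == "__main__":
    parsed = parse_openconnect_log(SAMPLE_LOG)
    print("MTU:", parsed["headers"].get("X-CSTP-MTU"), parsed["headers"].get("X-DTLS-MTU"))
    print("Split-Include:", parsed["headers"].get("X-CSTP-Split-Include"))
    print("Probes sent:", parsed["sent"])
    print("Diagnosis:", diagnose(parsed))
```

Run against a full `openconnect --verbose` capture piped to stdin or read from a file, a `data_path_dead` result with `cstp_up` and `dtls_up` both true is the signature seen in this issue: the concentrator accepted the session and pushed addresses and split-include routes, so the next thing to compare between the working and broken hosts is what vpnc-script actually configured (interface address, MTU, and the routes for the pushed prefixes).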

streambinder commented 2 years ago

Hi @marvinbernhardt, sorry to hear that, but as stated in the Development status documentation section, this project is neither under active development nor am I currently in the position to investigate such issues, as I'm not actually using vpnc.

I'd like to help you out, but that would be too much of an effort I'm not willing to undertake: if you happen to find an issue, though, just like you did, feel free to dive deep into the codebase (even more if you already found a workaround), to compare what changed between different versions and narrow down the possible causes. I'd be more than welcome to merge PRs for that matter.

marvinbernhardt commented 2 years ago

Ok, I will see what I can do. Thanks.