]> www.infradead.org Git - users/dwmw2/openconnect.git/commitdiff
projects / users / dwmw2 / openconnect.git / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 5867033)
Protocols should try explicitly request the same IP addresses on reconnect, since...
authorDaniel Lenski <dlenski@gmail.com>
Thu, 21 Dec 2017 06:56:58 +0000 (22:56 -0800)
committerDaniel Lenski <dlenski@gmail.com>
Wed, 20 May 2020 01:31:31 +0000 (18:31 -0700)
* GlobalProtect:
  - Supported and used by official clients (POST /ssl-vpn/getconfig.esp with preferred-ip form field).
  - GlobalProtect servers often give different IP addresses on reconnect if this mechanism is *not* used,
    so this mechanism is necessary.
  - Same mechanism appears to exist for IPv6 (preferred-ipv6) and was added to OpenConnect in
    d6db0ec03394234d41fbec7ffc794ceeb486a8f0, even though IPv6 support is not yet complete.
* AnyConnect:
  - Not (yet) supported by ocserv
  - It appears that *some* AnyConnect server will try to provide the IP address provided in the X-CSTP-Address
    *request* header along with the CONNECT request, but other servers appear not to
  - This patch reproduces the behavior of GPST: attempt to request same IPv4 and IPv6 addresses on reconnect,
    via CONNECT headers.
* Juniper:
  - There does not appear to be any way to provide this using the Juniper NC protocol.
  - No known reports of Juniper servers giving out different IP address on reconnect.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
cstp.c patch | blob | history

diff --git a/cstp.c b/cstp.c
index 1e38f56efbd95e5ad0a3481b0cef4d107e265437..e67144f4c63f30cba43a04d71aea98dc2777c009 100644 (file)
--- a/cstp.c
+++ b/cstp.c
@@ -262,8 +262,18 @@ static int start_cstp_connection(struct openconnect_info *vpninfo)
                buf_append(reqbuf, "X-CSTP-MTU: %d\r\n", mtu);
        buf_append(reqbuf, "X-CSTP-Address-Type: %s\r\n",
                               vpninfo->disable_ipv6 ? "IPv4" : "IPv6,IPv4");
-       if (!vpninfo->disable_ipv6)
+       /* Explicitly request the same IPv4 and IPv6 addresses on reconnect
+        *
+        * XX: It's not clear which Cisco servers attempt to follow specific
+        * IP address requests from the X-CSTP-Address headers in the CONNECT
+        * request; most seem to ignore it. */
+       if (old_addr)
+               buf_append(reqbuf, "X-CSTP-Address: %s\r\n", old_addr);
+       if (!vpninfo->disable_ipv6) {
                buf_append(reqbuf, "X-CSTP-Full-IPv6-Capability: true\r\n");
+               if (old_addr6)
+                       buf_append(reqbuf, "X-CSTP-Address: %s\r\n", old_addr6);
+       }
 #ifdef HAVE_DTLS
        if (vpninfo->dtls_state != DTLS_DISABLED) {
                /* The X-DTLS-Master-Secret is only used for the legacy protocol negotation
Unnamed repository; edit this file 'description' to name the repository.