From: David Woodhouse
Date: Tue, 27 Apr 2021 23:14:52 +0000 (+0100)
Subject: Attempt to allow Fortinet reconnect over TCP
X-Git-Tag: v8.20~250
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=eef5e65f7b7e3e3fe6bbf69453c8a5bca3856864;p=users%2Fdwmw2%2Fopenconnect.git

Attempt to allow Fortinet reconnect over TCP

We can't just reconnect; we have to fetch the XML config again. Even that isn't always sufficient; it seems the server only allows *one* reconnect before it starts to fail.

The *first* reconnection shows this in server logs:

[2326:root:0]ipcp: down ppp:0x7f1e1d218000 caller:0x7f1e1d15f900 tun:37
[2326:root:78]sslvpn_ppp_deassociate_fd_to_ipaddr:318 deassociate 10.212.134.200 to tun (ssl.root:37)
[2326:root:78]tunnel is down, wait for next connection.
[2326:root:78]sslvpn_release_dynip:1309 free app session, idx[0]
...
[2326:root:79]req: /remote/fortisslvpn_xml
[2326:root:79]deconstruct_session_id:426 decode session id ok, user=…
[2326:root:79]deconstruct_session_id:426 decode session id ok, user=…
[2326:root:79]sslvpn_reserve_dynip:1275 tunnel vd[root] ip[10.212.134.200] app session idx[0]
[2326:root:79]req: /remote/sslvpn-tunnel
[2326:root:79]sslvpn_tunnel_handler,52, Calling rmt_conn_access_ex.
[2326:root:79]deconstruct_session_id:426 decode session id ok, user=…
[2326:root:79]sslvpn_tunnel_handler,153, Calling tunnel.
[2326:root:79]tunnelEnter:498 0x7f1e1d15f900:0x7f1e1d1e9000 sslvpn user[dwmw2],type 1,logintime 0 vd 0
[2326:root:79]sconn 0x7f1e1d15f900 (0:root) vfid=0 local=[178.238.156.110] remote=[90.155.92.213] dynamicip=[10.212.134.200]
[2326:root:79]Prepare to launch ppp service...

The *second* reconnection doesn't say anything about waiting for next connection:

[2326:root:0]ipcp: down ppp:0x7f1e1d21a800 caller:0x7f1e1d15f900 tun:37
[2326:root:79]sslvpn_ppp_deassociate_fd_to_ipaddr:318 deassociate 10.212.134.200 to tun (ssl.root:37)
[2326:root:79]sslvpn_release_dynip:1309 free app session, idx[0]
...
[2326:root:7a]req: /remote/fortisslvpn_xml
[2326:root:7a]deconstruct_session_id:426 decode session id ok, user=…
[2326:root:7a]deconstruct_session_id:426 decode session id ok, user=…
[2326:root:7a]sslvpn_reserve_dynip:1275 tunnel vd[root] ip[10.212.134.200] app session idx[0]
[2326:root:0]sslvpn_internal_remove_apsession_by_idx:2586 free app session, idx[0]
[2326:root:7a]req: /remote/sslvpn-tunnel
[2326:root:7a]sslvpn_tunnel_handler,52, Calling rmt_conn_access_ex.
[2326:root:7a]deconstruct_session_id:426 decode session id ok, user=…
[2326:root:7a]sslvpn_tunnel_handler,153, Calling tunnel.
[2326:root:7a]tunnelEnter:498 0x7f1e1d15f900:0x7f1e1d1e9000 sslvpn user[dwmw2],type 1,logintime 0 vd 0
[2326:root:7a]tunnelEnter:520 failed to retrieve tunnel address

Compare with the behaviour when we don't get the XML config again and just try to re-establish PPP:

[385:root:0]ipcp: down ppp:0x7f19b6084800 caller:0x7f19b5fb2b00 tun:36
[385:root:f]sslvpn_ppp_deassociate_fd_to_ipaddr:318 deassociate 10.212.134.200 to tun (ssl.root:36)
[385:root:f]tunnel is down, wait for next connection.
[385:root:f]sslvpn_release_dynip:1309 free app session, idx[0]
...
[385:root:10]req: /remote/sslvpn-tunnel
[385:root:10]sslvpn_tunnel_handler,52, Calling rmt_conn_access_ex.
[385:root:10]deconstruct_session_id:426 decode session id ok, user=…
[385:root:10]sslvpn_tunnel_handler,153, Calling tunnel.
[385:root:10]tunnelEnter:498 0x7f19b5fb2b00:0x7f19b6043800 sslvpn user[dwmw2],type 1,logintime 0 vd 0
[385:root:10]tunnelEnter:512 no more IP address available.

Signed-off-by: David Woodhouse
---
diff --git a/fortinet.c b/fortinet.c
index d32e6943..057f6810 100644
--- a/fortinet.c
+++ b/fortinet.c
@@ -614,15 +614,7 @@ int fortinet_connect(struct openconnect_info *vpninfo) { int ret = 0; - if (!vpninfo->ppp) { - /* Initial connection */ - ret = fortinet_configure(vpninfo); - } else if (vpninfo->ppp->ppp_state != PPPS_DEAD) { - /* TLS/DTLS reconnection with already-established PPP session - * (PPP session will persist past reconnect.) - */ - ret = ppp_reset(vpninfo); - } + ret = fortinet_configure(vpninfo); if (ret) { err: openconnect_close_https(vpninfo, 0);
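Review bot: with the `!vpninfo->ppp` and `ppp_state != PPPS_DEAD` branches removed, `fortinet_configure(vpninfo)` is now also called on reconnect while `vpninfo->ppp` still points at the previous PPP context, and nothing in this hunk shows that context being reset or freed before the XML config is fetched again; please confirm that `fortinet_configure()` tolerates an already-allocated `vpninfo->ppp` (the deleted `ppp_reset()` path was what handled the live-PPP reconnect case), otherwise each reconnect either leaks the old context or carries stale PPP state into the new tunnel. The reasoning given in the commit message (the server needs a fresh `/remote/fortisslvpn_xml` request before it will re-establish the tunnel, and even then only once) disappears from the code along with the old comment; a short comment above `ret = fortinet_configure(vpninfo);` explaining why the configure step is unconditional would stop a future reader from reintroducing the fast path. Minor: `int ret = 0;` is now a dead initialisation, since `ret` is assigned unconditionally on the next line.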