From 0d3846ac41df2653a43625b5f38baefd7869fb99 Mon Sep 17 00:00:00 2001
From: Daniel Lenski
Date: Wed, 20 Dec 2017 22:56:58 -0800
Subject: [PATCH] Protocols should try to explicitly request the same IP addresses on reconnect, since they will abort if new addresses are sent by the server.

* GlobalProtect:
  - Supported and used by official clients (POST /ssl-vpn/getconfig.esp with preferred-ip form field).
  - GlobalProtect servers often give different IP addresses on reconnect if this mechanism is *not* used, so this mechanism is necessary.
  - Same mechanism appears to exist for IPv6 (preferred-ipv6) and was added to OpenConnect in d6db0ec03394234d41fbec7ffc794ceeb486a8f0, even though IPv6 support is not yet complete.

* AnyConnect:
  - Not (yet) supported by ocserv
  - It appears that *some* AnyConnect servers will try to provide the IP address provided in the X-CSTP-Address *request* header along with the CONNECT request, but other servers appear not to
  - This patch reproduces the behavior of GPST: attempt to request the same IPv4 and IPv6 addresses on reconnect, via CONNECT headers.

* Juniper:
  - There does not appear to be any way to provide this using the Juniper NC protocol.
  - No known reports of Juniper servers giving out different IP addresses on reconnect.

Signed-off-by: Daniel Lenski
---
 cstp.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/cstp.c b/cstp.c
index 1e38f56e..e67144f4 100644
--- a/cstp.c
+++ b/cstp.c
@@ -262,8 +262,18 @@ static int start_cstp_connection(struct openconnect_info *vpninfo) buf_append(reqbuf, "X-CSTP-MTU: %d\r\n", mtu); buf_append(reqbuf, "X-CSTP-Address-Type: %s\r\n", vpninfo->disable_ipv6 ? "IPv4" : "IPv6,IPv4"); - if (!vpninfo->disable_ipv6) + /* Explicitly request the same IPv4 and IPv6 addresses on reconnect + * + * XX: It's not clear which Cisco servers attempt to follow specific + * IP address requests from the X-CSTP-Address headers in the CONNECT + * request; most seem to ignore it. */ + if (old_addr) + buf_append(reqbuf, "X-CSTP-Address: %s\r\n", old_addr); + if (!vpninfo->disable_ipv6) { buf_append(reqbuf, "X-CSTP-Full-IPv6-Capability: true\r\n"); + if (old_addr6) + buf_append(reqbuf, "X-CSTP-Address: %s\r\n", old_addr6); + } #ifdef HAVE_DTLS if (vpninfo->dtls_state != DTLS_DISABLED) { /* The X-DTLS-Master-Secret is only used for the legacy protocol negotation -- 2.49.0
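Review bot: The IPv4 and IPv6 addresses are both emitted under the same header name, `X-CSTP-Address: %s` for `old_addr` and again `X-CSTP-Address: %s` for `old_addr6`, so a server that honours the request has no way to tell which family each value belongs to except by parsing the literal; if the protocol has a distinct header for the IPv6 case it should be used here, and if it does not, the comment above the block should say that the duplicated header name is deliberate. The hunk also does not show where `old_addr` and `old_addr6` are assigned; since they originate from the previous session's server response and are now interpolated straight into the CONNECT request with `%s\r\n`, please confirm that the code storing them validates each as a plain IP literal (no whitespace or CR/LF) so a malformed value cannot corrupt the request headers. Finally, the commit message says clients "abort if new addresses are sent by the server" while the new comment concedes that most Cisco servers ignore `X-CSTP-Address`; the message or comment should state what happens on reconnect when the request is ignored, so readers do not take this change as a guarantee of address stability.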