From 35e3374fcb57cbf3a336f6bd74c8b21d6863bf35 Mon Sep 17 00:00:00 2001 From: Daniel Lenski Date: Fri, 23 Apr 2021 13:35:17 -0700 Subject: [PATCH] Log address family of ESP packets sent/received Aids in debugging GlobalProtect IPv6+ESP. Signed-off-by: Daniel Lenski --- esp.c | 33 +++++++++++++++++++++------------ 1 file changed, 21 insertions(+), 12 deletions(-) diff --git a/esp.c b/esp.c index 30743cdd..e5230c28 100644 --- a/esp.c +++ b/esp.c @@ -167,8 +167,6 @@ int esp_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable) if (len <= 0) break; - vpn_progress(vpninfo, PRG_TRACE, _("Received ESP packet of %d bytes\n"), - len); work_done = 1; /* both supported algos (SHA1 and MD5) have 12-byte MAC lengths (RFC2403 and RFC2404) */ @@ -198,13 +196,21 @@ int esp_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable) /* Possible values of the Next Header field are: 0x04: IP[v4]-in-IP 0x05: supposed to mean Internet Stream Protocol - (XXX: but used for LZO compressed packets by Juniper) + (XXX: but used for LZO compressed IPv4 packets by Juniper) 0x29: IPv6 encapsulation */ - if (pkt->data[len - 1] != 0x04 && pkt->data[len - 1] != 0x29 && - pkt->data[len - 1] != 0x05) { + if (pkt->data[len - 1] == 0x04) + vpn_progress(vpninfo, PRG_TRACE, _("Received ESP Legacy IP packet of %d bytes\n"), + len); + else if (pkt->data[len - 1] == 0x05) + vpn_progress(vpninfo, PRG_TRACE, _("Received ESP Legacy IP packet of %d bytes (LZO-compressed)\n"), + len); + else if (pkt->data[len - 1] == 0x29) + vpn_progress(vpninfo, PRG_TRACE, _("Received ESP IPv6 packet of %d bytes\n"), + len); + else { vpn_progress(vpninfo, PRG_ERR, - _("Received ESP packet with unrecognised payload type %02x\n"), - pkt->data[len-1]); + _("Received ESP packet of %d bytes with unrecognised payload type %02x\n"), + len, pkt->data[len-1]); continue; } @@ -295,14 +301,17 @@ int esp_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable) } while (1) { int len; + int ip_version; if (vpninfo->deflate_pkt) { this = vpninfo->deflate_pkt; len = this->len; + ip_version = this->data[0] >> 4; } else { this = dequeue_packet(&vpninfo->outgoing_queue); if (!this) break; + ip_version = this->data[0] >> 4; if (vpninfo->proto->proto == PROTO_NC || vpninfo->proto->proto == PROTO_PULSE) { @@ -311,11 +320,11 @@ int esp_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable) /* Pulse/NC can only accept ESP of the same protocol as the one * you connected to it with. The other has to go over IF-T/TLS. */ if (vpninfo->dtls_addr->sa_family == AF_INET6) - dontsend = 0x40; + dontsend = 4; else - dontsend = 0x60; + dontsend = 6; - if ( (this->data[0] & 0xf0) == dontsend) { + if (ip_version == dontsend) { store_be32(&this->pulse.vendor, 0xa4c); store_be32(&this->pulse.type, 4); store_be32(&this->pulse.len, this->len + 16); @@ -362,8 +371,8 @@ int esp_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable) } else { vpninfo->dtls_times.last_tx = time(NULL); - vpn_progress(vpninfo, PRG_TRACE, _("Sent ESP packet of %d bytes\n"), - len); + vpn_progress(vpninfo, PRG_TRACE, _("Sent ESP IPv%d packet of %d bytes\n"), + ip_version, len); } if (this == vpninfo->deflate_pkt) { unmonitor_write_fd(vpninfo, dtls); -- 2.50.1