I suggest that you check https://gitlab.com/openconnect/ocserv/-/blob/master/doc/README-radius.md
and if setting all the necessary IPv6 variables with the latest ocserv at the radius config fails, to open an issue at: https://gitlab.com/openconnect/ocserv/-/issues

regards,
Nikos

________________________________________
From: Thore <th...@selfnet.de>
Sent: Friday, November 19, 2021 15:31
To: Nikos Mavrogiannopoulos; openconnect-devel@lists.infradead.org
Subject: Re: Configure ocserv to hand out IPv6 addresses from radius

Good evening,

we are currently using the version shipped with debian stable (1.1.2 + debian patches) and have also tested the backports version (1.1.3), which shows the same behaviour.
Do the IPv6 changes in 1.1.5 affect us here?

For openconnect:
OpenConnect version v8.10
Using GnuTLS 3.7.2. Features present: PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse

Best regards
Thore

On 11/17/21 23:01, Nikos Mavrogiannopoulos wrote:
> Hi,
> Which openconnect and ocserv version are these? Have you tried with the
> latest?
>
> regards,
> Nikos
>
> ________________________________________
> From: openconnect-devel <openconnect-devel-boun...@lists.infradead.org> on
> behalf of Thore <th...@selfnet.de>
> Sent: Saturday, November 13, 2021 15:08
> To: openconnect-devel@lists.infradead.org
> Subject: Configure ocserv to hand out IPv6 addresses from radius
>
> Good evening,
>
> we are currently evaluating ocserv as an option to replace an SRX used as
> VPN appliance.
>
> And while authentication and IPv4 assignments via radius (freeradius)
> work as expected, we are having some trouble configuring IPv6.
>
> The current configuration very much resembles the default config, with
> these options set:
>
> ipv4-network = 2.71.9.254/32
>
> # The IPv6 subnet that leases will be given from.
> # Crashes when uncommented
> #ipv6-network = 2001:2:71:9:ffff:ffff:ffff:ffff/64
>
> # Specify the size of the network to provide to clients. It is
> # generally recommended to provide clients with a /64 network in
> # IPv6, but any subnet may be specified. To provide clients only
> # with a single IP use the prefix 128.
> ipv6-subnet-prefix = 128
>
> route = default
>
>
> When trying to connect and having freeradius in debug mode, it logs
> something like this:
>
> Sent Access-Accept Id 200 from ...:1812 to ...:49136 length 0
> Framed-IP-Address = 3.141.59.26
> Framed-IPv6-Prefix = 2001:3:141::5926/128
> Finished request
>
> However, we couldn't yet figure out why this would not pass the IP to
> the client.
> We've also tried Framed-IPv6-Address and also Delegated-IPv6-Prefix, but
> all with the same result.
>
> Can someone here shed some light onto what we are missing?
>
> Best regards
> Thore
>
>
>
>
> For convenience the debug log from ocserv and openconnect:
>
> root@ocserv:# ocserv -f -d 1
> note: vhost:default: setting 'radius' as primary authentication method
> note: setting 'radius' as accounting method
> note: setting 'radius' as supplemental config option
> listening (TCP) on 0.0.0.0:443...
> listening (TCP) on [::]:443...
> listening (UDP) on 0.0.0.0:443...
> listening (UDP) on [::]:443...
> ocserv[17800]: main: Starting 1 instances of ocserv-sm
> ocserv[17800]: main: initialized ocserv 1.1.2
> ocserv[17801]: sec-mod: reading supplemental config from radius
> ocserv[17801]: radcli: set_option_srv: processing server: 141.70.126.58:1812
> ocserv[17801]: radcli: set_option_srv: processing server: 141.70.126.58:1813
> ocserv[17801]: sec-mod: sec-mod initialized (socket: /run/ocserv.socket.e0a2f140.0)
> note: vhost:default: setting 'radius' as primary authentication method
> note: setting 'radius' as accounting method
> note: setting 'radius' as supplemental config option
> note: vhost:default: setting 'radius' as primary authentication method
> note: setting 'radius' as accounting method
> note: setting 'radius' as supplemental config option
> ocserv[17801]: sec-mod: sec-mod instance 0 issue cookie
> ocserv[17801]: sec-mod: using 'radius' authentication to authenticate user (session: qVE9wU)
> ocserv[17801]: radius-auth: communicating username (u...@example.net) and password
> ocserv[17801]: radcli: rc_send_server_ctx: DEBUG: rc_send_server: creating socket to: ...
> ocserv[17801]: radcli: rc_send_server_ctx: DEBUG: timeout=10 retries=3 local 0 : 0, remote radius : 1812
> ocserv[17801]: radcli: rc_aaa_ctx_server: rc_send_server_ctx returned success for server 0
> note: vhost:default: setting 'radius' as primary authentication method
> note: setting 'radius' as accounting method
> note: setting 'radius' as supplemental config option
> ocserv[17801]: radius-auth: opening session ...
> ocserv[17801]: radcli: rc_send_server_ctx: DEBUG: rc_send_server: creating socket to: 141.70.126.58
> ocserv[17801]: radcli: rc_send_server_ctx: DEBUG: timeout=10 retries=3 local 0 : 0, remote radius-acct : 1813
> ocserv[17801]: radcli: rc_aaa_ctx_server: rc_send_server_ctx returned success for server 0
> ocserv[17801]: sec-mod: initiating session for user 'u...@example.net' (session: qVE9wU)
> ocserv[17800]: main[u...@example.net]:[2003:e7:ef12:c400:9475:e36a:d449:5dc1]:42274 new user session
> ocserv[17800]: main[u...@example.net]:[2003:e7:ef12:c400:9475:e36a:d449:5dc1]:42274 user logged in
>
>
>
> thore@host:# sudo openconnect -u user@example-net ocserv.example.net -v
> POST https://ocserv.example.net/
> Attempting to connect to server [...]:443
> Connected to [...]:443
> SSL negotiation with ocserv.example.net
> Server certificate verify failed: signer not found
>
> Connected to HTTPS on ocserv.example.net with ciphersuite (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
> Got HTTP response: HTTP/1.1 200 OK
> Set-Cookie: webvpncontext=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; Secure
> Content-Type: text/xml
> Content-Length: 306
> X-Transcend-Version: 1
> HTTP body length: (306)
> XML POST enabled
> Please enter your username.
> POST https://ocserv.example.net/auth
> Got HTTP response: HTTP/1.1 200 OK
> Set-Cookie: webvpncontext=...; Max-Age=300; Secure
> Content-Type: text/xml
> Content-Length: 310
> X-Transcend-Version: 1
> HTTP body length: (310)
> Please enter your password.
> Password:
> POST https://ocserv.example.net/auth
> Got HTTP response: HTTP/1.1 200 OK
> Connection: Keep-Alive
> Content-Type: text/xml
> Content-Length: 189
> X-Transcend-Version: 1
> Set-Cookie: webvpncontext=...; Secure
> Set-Cookie: webvpn=<elided>; Secure
> Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; Secure
> Set-Cookie: webvpnc=bu:/&p:t&iu:1/&sh:...; path=/; Secure
> HTTP body length: (189)
> TCP_INFO rcv mss 1420, snd mss 1420, adv mss 1420, pmtu 1492
> Got CONNECT response: HTTP/1.1 200 CONNECTED
> X-CSTP-Version: 1
> X-CSTP-Server-Name: ocserv 1.1.2
> X-CSTP-Hostname: T480s
> X-CSTP-DPD: 60
> X-CSTP-Default-Domain: example.net
> X-CSTP-Address: 3.141.59.26
> X-CSTP-Netmask: 255.255.255.255
> X-CSTP-DNS: 8.8.8.8
> X-CSTP-Tunnel-All-DNS: true
> X-CSTP-Keepalive: 300
> X-CSTP-Idle-Timeout: 1200
> X-CSTP-Smartcard-Removal-Disconnect: true
> X-CSTP-Rekey-Time: 172776
> X-CSTP-Rekey-Method: ssl
> X-CSTP-Session-Timeout: none
> X-CSTP-Disconnected-Timeout: none
> X-CSTP-Keep: true
> X-CSTP-TCP-Keepalive: true
> X-CSTP-License: accept
> X-DTLS-DPD: 60
> X-DTLS-Port: 443
> X-DTLS-Rekey-Time: 172786
> X-DTLS-Rekey-Method: ssl
> X-DTLS-Keepalive: 300
> X-DTLS-App-ID: ...
> X-DTLS-CipherSuite: PSK-NEGOTIATE
> X-CSTP-Base-MTU: 1492
> X-CSTP-MTU: 1406
> X-DTLS-Content-Encoding: oc-lz4
> X-CSTP-Content-Encoding: oc-lz4
> CSTP connected. DPD 60, Keepalive 300
> DTLS option X-DTLS-DPD : 60
> DTLS option X-DTLS-Port : 443
> DTLS option X-DTLS-Rekey-Time : 172786
> DTLS option X-DTLS-Rekey-Method : ssl
> DTLS option X-DTLS-Keepalive : 300
> DTLS option X-DTLS-App-ID : ...
> DTLS option X-DTLS-CipherSuite : PSK-NEGOTIATE
> DTLS option X-DTLS-Content-Encoding : oc-lz4
> DTLS initialised. DPD 60, Keepalive 300
> Connected as 3.141.59.26, using SSL + LZ4, with DTLS + LZ4 in progress
> Established DTLS connection (using GnuTLS). Ciphersuite (DTLS1.2)-(PSK)-(AES-256-GCM).
> DTLS connection compression using LZ4.
> Initiating MTU detection (min=576, max=1406)
> Detected MTU of 1394 bytes (was 1406)
> ^CSend BYE packet: Aborted by caller
> Error: argument "via" is wrong: use nexthop syntax to specify multiple via
>
> User cancelled (SIGINT/SIGTERM); exiting.
>
> _______________________________________________
> openconnect-devel mailing list
> openconnect-devel@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/openconnect-devel
>

_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
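The thread above tries three different RADIUS attributes (Framed-IPv6-Prefix, Framed-IPv6-Address, Delegated-IPv6-Prefix) and relies on the FreeRADIUS debug output to say what was sent. When chasing this kind of problem it helps to decode the Access-Accept as it appears on the wire, because the three attributes have different encodings and a /128 Framed-IPv6-Prefix is not byte-for-byte the same thing as a Framed-IPv6-Address. The following is an added example, not code from ocserv, FreeRADIUS or the thread participants: it encodes and decodes those attributes per RFC 3162 (type 97), RFC 4818 (type 123) and RFC 6911 (type 168), over a constructed attribute list that carries the values from the thread. Which of these attributes ocserv actually honours is documented in README-radius.md and is not claimed here.

```python
"""Encode/decode the IPv6 address-assignment attributes of a RADIUS
Access-Accept.  Added example; the attribute blob below is constructed,
not captured.  To use on a real capture, pass everything after the
20-byte RADIUS header (Code, Identifier, Length, Authenticator) to
decode_attributes()."""
import ipaddress
import struct

FRAMED_IP_ADDRESS = 8        # RFC 2865
FRAMED_IPV6_PREFIX = 97      # RFC 3162
DELEGATED_IPV6_PREFIX = 123  # RFC 4818, same layout as type 97
FRAMED_IPV6_ADDRESS = 168    # RFC 6911

NAMES = {
    FRAMED_IP_ADDRESS: "Framed-IP-Address",
    FRAMED_IPV6_PREFIX: "Framed-IPv6-Prefix",
    DELEGATED_IPV6_PREFIX: "Delegated-IPv6-Prefix",
    FRAMED_IPV6_ADDRESS: "Framed-IPv6-Address",
}


def encode_ipv6_prefix(attr_type, prefix):
    """Type | Length | Reserved=0 | Prefix-Length | Prefix (RFC 3162 2.3).
    The Prefix field carries only the whole octets the prefix length
    needs ("at most 16 octets"): a /64 sends 8 octets, a /128 sends 16."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    nbytes = (net.prefixlen + 7) // 8
    value = net.network_address.packed[:nbytes]
    return struct.pack("!BBBB", attr_type, 4 + nbytes, 0, net.prefixlen) + value


def encode_ipv6_address(address):
    """Type 168 | Length 18 | 16-octet address (RFC 6911). No prefix length."""
    return struct.pack("!BB", FRAMED_IPV6_ADDRESS, 18) + ipaddress.IPv6Address(address).packed


def encode_ipv4_address(address):
    """Type 8 | Length 6 | 4-octet address."""
    return struct.pack("!BB", FRAMED_IP_ADDRESS, 6) + ipaddress.IPv4Address(address).packed


def decode_attributes(blob):
    """Walk a RADIUS attribute list and return {attribute name: value}.
    Malformed lengths or a prefix with non-zero bits past Prefix-Length
    raise ValueError instead of being silently accepted."""
    out = {}
    pos = 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        value = blob[pos + 2:pos + alen]
        pos += alen
        if atype in (FRAMED_IPV6_PREFIX, DELEGATED_IPV6_PREFIX):
            if not 2 <= len(value) <= 18:
                raise ValueError("bad IPv6 prefix attribute size %d" % len(value))
            reserved, plen = value[0], value[1]
            prefix_bytes = value[2:]
            if reserved != 0 or plen > 128 or len(prefix_bytes) < (plen + 7) // 8:
                raise ValueError("bad Reserved/Prefix-Length/Prefix fields")
            # A short Prefix field is padded to 16 octets; strict=True then
            # rejects any set bits beyond Prefix-Length (RFC 3162: SHOULD be 0).
            addr = ipaddress.IPv6Address(prefix_bytes.ljust(16, b"\0"))
            out[NAMES[atype]] = str(ipaddress.IPv6Network((addr, plen), strict=True))
        elif atype == FRAMED_IPV6_ADDRESS:
            if len(value) != 16:
                raise ValueError("Framed-IPv6-Address must be 16 octets")
            out[NAMES[atype]] = str(ipaddress.IPv6Address(value))
        elif atype == FRAMED_IP_ADDRESS:
            if len(value) != 4:
                raise ValueError("Framed-IP-Address must be 4 octets")
            out[NAMES[atype]] = str(ipaddress.IPv4Address(value))
        else:
            out.setdefault("unknown", []).append((atype, value))
    return out


# Constructed attribute list: the two values FreeRADIUS logged in the thread,
# plus the two other attributes the poster tried (delegated prefix is made up).
SAMPLE_ACCESS_ACCEPT_ATTRS = (
    encode_ipv4_address("3.141.59.26")
    + encode_ipv6_prefix(FRAMED_IPV6_PREFIX, "2001:3:141::5926/128")
    + encode_ipv6_address("2001:3:141::5926")
    + encode_ipv6_prefix(DELEGATED_IPV6_PREFIX, "2001:db8:1::/64")
)

if __name__ == "__main__":
    for name, val in decode_attributes(SAMPLE_ACCESS_ACCEPT_ATTRS).items():
        print("%-22s %s" % (name, val))
```

A point worth keeping in mind when reading a capture: a /128 Framed-IPv6-Prefix is 20 octets on the wire (reserved byte, prefix length 128, full address) while Framed-IPv6-Address is 18 octets with no prefix length at all, so a server that implements one attribute and not the other will see a perfectly well-formed packet and simply ignore the unknown type.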