Hi,
Note that 59 is the decimal ASCII encoding for ";".
Also, 59 is not an octal number, making the "\059" notation even
more awkward.
Therefore I suspect this is a problem with the Fortigate configuration.
Using my own corporate VPN, I do not see such a character:
At some point openconnect reports:
Got search domain
intra.xxxx.xxx;extra.xxxx.xxx;saclay.xxxx.xxx;partenaires.xxxx.xxx;xxxx.xxx
And after connecting, resolvectl reports:
$ resolvectl
Global
Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Link 2 (enp0s31f6)
Current Scopes: DNS
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS
DNSSEC=no/unsupported
Current DNS Server: 8.8.8.8
DNS Servers: 8.8.8.8 192.168.0.254
Link 3 (tun0)
Current Scopes: DNS
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS
DNSSEC=no/unsupported
Current DNS Server: xxx.xxx.xxx.7
DNS Servers: xxx.xxx.xxx.7 xxx.xxx.xxx.6
DNS Domain: xxxx.xxx extra.xxxx.xxx intra.xxxx.xxx
partenaires.xxxx.xxx saclay.xxxx.xxx
We could work around this peculiar separator, but human imagination has
no limits, so where should we stop? More importantly, how do we know the
separator is "\059" and not "\"? I haven't read recent DNS RFCs, but I
suspect that "059ns2.redacted.com" is as legit as "ns2.redacted.com"
nowadays.
Let's try a different angle: Does FortiClient handle this in a better way?
Dimitri
On 22/06/2023 at 05:02, Aaron Smith wrote:
Running on Ubuntu 23.04 and connecting to a system Fortinet running version
4.71.113.194.
After successful connection, the VPN routes and DNS server settings are
applied to my system. The DNS server list is correct, but the servers are
separated by '059' instead of a space character, as displayed by 'resolvectl' below
~/ resolvectl status
Link 2 (enxe04f439490d4)
Current Scopes: DNS
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 172.22.11.1
DNS Servers: 172.22.11.1
DNS Domain: redacted.net
Link 3 (wlp0s20f3)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Link 4 (vpn00449b7858)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Link 5 (vpn00fa8f88cb)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Link 6 (tun0)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Link 22 (tun1)
Current Scopes: DNS
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.0.60.2
DNS Servers: 10.0.60.2 10.0.60.3
DNS Domain: ns1.redacted.com\059ns2.redacted.com

~/ openconnect --version
OpenConnect version v9.01-3
Using GnuTLS 3.7.8. Features present: TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse, f5, fortinet, array
Default vpnc-script (override with --script): /usr/share/vpnc-scripts/vpnc-script

Global
Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
DNS Domain redacted.com private.net
_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
--
Dimitri Papadopoulos
Université Paris-Saclay, CEA, NeuroSpin
91191 Gif-sur-Yvette
France
+33 (0)1 69 08 79 12
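The "\059" seen above is the RFC 1035 text escape for an octet, and RFC 1035 defines "\DDD" as a decimal value, so it decodes to ";" (ASCII 59), not to anything octal. The following is an added example, written for this thread and not code from openconnect, vpnc-script or systemd-resolved: it decodes RFC 1035 escapes, splits a search-domain list on the separators seen in the thread (whitespace, "," and ";"), validates each result as an RFC 1123 hostname, and also shows the ambiguity Dimitri raises: splitting on a bare "\" instead yields "059ns2.redacted.com", which is itself a syntactically valid hostname, so the separator cannot be guessed from syntax alone. The separator set and the hostname rules are this example's assumptions.

```python
"""Decode and split a DNS search-domain list using RFC 1035 text escapes.

Added example for the openconnect-devel thread above; not project code.
"""
import re
from typing import List

# RFC 1035 section 5.1: "\DDD" is the octet whose *decimal* value is DDD;
# "\X" for any non-digit X is the literal character X.
_RFC1035_ESCAPE = re.compile(r"\\(\d{3}|[^\d])")

# RFC 1123 label: 1-63 letters/digits/hyphens, no leading or trailing hyphen.
# Digits may start a label, which is why "059ns2" is syntactically fine.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Assumed separators: whitespace (resolv.conf style), "," and ";"
# (the separator Dimitri's Fortigate sends).
_SEPARATORS = re.compile(r"[\s,;]+")


def unescape_rfc1035(text: str) -> str:
    """Replace RFC 1035 escapes with the characters they denote."""
    def repl(match: "re.Match[str]") -> str:
        token = match.group(1)
        if len(token) == 3 and token.isdigit():
            value = int(token, 10)  # decimal: "\059" -> chr(59) -> ";"
            if value > 255:
                raise ValueError(f"escape \\{token} is not an octet")
            return chr(value)
        return token  # "\X" -> X
    return _RFC1035_ESCAPE.sub(repl, text)


def is_hostname(name: str) -> bool:
    """True if every label of `name` satisfies the RFC 1123 label syntax."""
    name = name.rstrip(".")
    if not 0 < len(name) <= 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def split_search_domains(raw: str) -> List[str]:
    """Decode escapes, split on the assumed separators, reject bad names.

    Rejecting instead of silently dropping surfaces an unexpected encoding
    (a new separator, a stray escape) rather than hiding it.
    """
    domains: List[str] = []
    for candidate in _SEPARATORS.split(unescape_rfc1035(raw)):
        if not candidate:
            continue
        if not is_hostname(candidate):
            raise ValueError(f"not a valid search domain: {candidate!r}")
        domains.append(candidate)
    return domains


def naive_backslash_split(raw: str) -> List[str]:
    """The other reading of the same string: treat "\\" itself as separator."""
    return [part for part in raw.split("\\") if part]


if __name__ == "__main__":
    # Raw string: in a normal Python literal "\059" would be NUL + "59".
    sample = r"ns1.redacted.com\059ns2.redacted.com"  # constructed from the thread
    print(split_search_domains(sample))
    # -> ['ns1.redacted.com', 'ns2.redacted.com']
    other = naive_backslash_split(sample)
    print(other, [is_hostname(d) for d in other])
    # -> ['ns1.redacted.com', '059ns2.redacted.com'] [True, True]
```

Both readings pass hostname validation, which is the practical lesson: a consumer of search-domain lists has to know which encoding the peer uses (RFC 1035 decimal escapes here) and should reject anything it cannot decode, rather than add ad hoc separator rules per vendor.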