(sending this mail again from a different address, as my first mail didn't make it to the list)
Dear Openconnect devs, when my employer switched to a globalprotect VPN a few weeks ago, I tried openconnect for the first time, but immediately ran into the error: "Keepalive fails: GPST Dead Peer Detection detected dead peer" (details in https://gitlab.com/openconnect/openconnect/-/issues/701#note_2197418179 ) What caught my interest was the fact that my coworker had no issues, even though he was using a pretty similar setup. After a few days of trial and error and gdb'ing openconnect, I could single out the cause: While his ISP was providing him with an IPv6 stack, I was still using an IPv4-only setup. Our gateway was announcing both addresses in its config XML, and gpst_parse_config_xml was picking the "better" one, IPv6. I created a branch from the v9.12 tag to tackle the issue and was successful in fixing this bug my making sure that --disable-ipv6 was handled correctly in this case. Then, when taking a look at how to merge this fix to master, I saw that Daniel Lenski had already fixed "my bug" on master, so I could have saved several hours by looking at the master first (interesting learning experience though!)... Why am I writing this mail to the list? Because Daniel's commit comment describes a different setup that causes the issue he tries to fix. To quote: > GP server may send only a Legacy IP client address, but both Legacy and IPv6 magic addresses for ESP. In this cornercase [...] My guess is that while he tried to fix a corner case (reacting to a weird response from the gateway), he also fixed a case that should be rather common: having a dual-stack server but an IPv4-only home ISP. If my assumption is correct, then it might warrant a new release of openconnect - that's why I'm letting you know. As far as I can tell from the release history, it is not customs to make patch releases for openconnect. However, if there were plans to do so, I could provide a merge request containing my fix on top of v9.12 - only adding two lines of code... Until then, I'll be using the master... Thanks for your effort! Regards, Philipp For the records: openconnect 9.12 Arch Linux GlobalProtect PanOS 11.1.5 _______________________________________________ openconnect-devel mailing list openconnect-devel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/openconnect-devel
