When setting a small IPv6 block (/127), the router will get the same IP as the client
Description of problem:
When setting config-per-user with ipv6-network set to a small IPv6 block, the tun device will get the same IP as the client side.
Version of ocserv used:
1.1.2
Client used:
AnyConnect 4.10.01075
Distributor of ocserv
Built from release 1.1.2 from GitLab
How reproducible:
Describe the steps to reproduce the issue:
- ocserv.conf

```
auth = "plain[passwd=/etc/ocserv/passwd]"
tcp-port = 443
udp-port = 443
run-as-user = nobody
run-as-group = nogroup
socket-file = /run/ocserv-socket
server-cert = /var/lib/acme/vpn.xxx.net/fullchain.pem
server-key = /var/lib/acme/vpn.xxx.net/key.pem
keepalive = 32400
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25
try-mtu-discovery = false
cert-user-oid = 0.9.2342.19200300.100.1.1
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 240
min-reauth-time = 300
max-ban-score = 50
ban-reset-time = 1200
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /run/ocserv.pid
device = vpns
predictable-ips = true
default-domain = example.com
ping-leases = false
cisco-client-compat = true
dtls-legacy = true
ipv6-network = fda9:4efe:7e3b:03ea::/48
# ipv6-subnet-prefix = 128
config-per-user = /etc/ocserv/config-per-user/
config-per-group = /etc/ocserv/config-per-group/
banner = "xxxxxx"
max-same-clients = 2
compression = true
no-compress-limit = 256
```
- config-per-user config

neverbehave

```
route = abcd:abcd:55:54::/64
ipv6-network = abcd:abcd:55:54:a::4/127
```
- Run

```
ocserv --foreground --pid-file /run/ocesrv.pid --config /etc/ocserv/ocserv.conf
```

and try to log in
Actual results:
Both Client and Server will have IPv6 abcd:abcd:55:54:A::5 as their IP address

```
vpns0: flags=81<UP,POINTOPOINT,RUNNING>  mtu 1434
        inet6 fe80::20f2:be4d:32e4:88e  prefixlen 64  scopeid 0x20<link>
        inet6 2602:fc52:55:54:a::5  prefixlen 128  scopeid 0x0<global>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 7  bytes 732 (732.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```
Expected results:
Client should have a different IP than the router, or the server should refuse to continue if it cannot assign an IP
Edited by NeverBehave
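
The behaviour asked for under "Expected results", as an added example that is not part of the original report and is not ocserv's allocation code: a pre-deployment check that reads a per-user file, picks two distinct addresses from the configured `ipv6-network`, refuses when the block is too small, and flags the collision seen above. The function names are hypothetical, and taking the first two addresses of the block as router and client is an assumption.

```python
import ipaddress

# Constructed sample mirroring the per-user file shown in the report.
SAMPLE_PER_USER = """\
route = abcd:abcd:55:54::/64
ipv6-network = abcd:abcd:55:54:a::4/127
"""


def parse_ipv6_network(conf_text):
    """Return the network from an 'ipv6-network = ...' line, or None."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # ignore commented-out settings
        key, sep, value = line.partition("=")
        if sep and key.strip() == "ipv6-network":
            # ip_interface accepts a host address with a prefix (e.g. ::4/127)
            return ipaddress.ip_interface(value.strip().strip('"')).network
    return None


def pick_p2p_pair(network):
    """Pick distinct (router, client) addresses, or refuse with ValueError."""
    if network.num_addresses < 2:
        raise ValueError(f"{network} cannot hold both a router and a client address")
    return network[0], network[1]  # assumption: first two addresses of the block


def check_assignment(network, router_ip, client_ip):
    """Return a list of problems found in an observed address assignment."""
    router = ipaddress.ip_address(router_ip)
    client = ipaddress.ip_address(client_ip)
    problems = []
    if router == client:
        problems.append(f"router and client share {router}")
    for role, addr in (("router", router), ("client", client)):
        if addr not in network:
            problems.append(f"{role} address {addr} is outside {network}")
    return problems


if __name__ == "__main__":
    net = parse_ipv6_network(SAMPLE_PER_USER)
    print("network:", net, "pair:", pick_p2p_pair(net))
    # The state described in the report: both ends hold ...:a::5
    print(check_assignment(net, "abcd:abcd:55:54:a::5", "abcd:abcd:55:54:A::5"))
```
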