ocserv gives a different IP address when openconnect reconnects
versions:
openconnect version: 8.02
ocserv version: 0.12.1
issue
My network provider disabled UDP communication with the internet, so I disabled DTLS and openconnect uses TCP for tunneling. When openconnect reconnected to ocserv, ocserv gave a different IP address, but openconnect neither set the correct IP on the tun device nor disconnected.
openconnect log
In the following log, the lines between ==== and ------ are the environment variables printed by vpnc-script. As we can see, openconnect got 192.168.99.3 at the first connect; after the reconnect the server gave 192.168.99.60; openconnect saw a different IP, so it reconnected again; but in the second reconnect openconnect did not think it got a different IP (192.168.99.60) and stopped reconnecting.
SSL read error: The TLS connection was non-properly terminated.; reconnecting.
======================
vpnc-script: attempt-reconnect env
HOSTNAME=localhost
SHLVL=3
CISCO_CSTP_OPTIONS=X-CSTP-Version=1
X-CSTP-Server-Name=ocserv 0.12.1
X-CSTP-Hostname=localhost
X-CSTP-DPD=15
X-CSTP-Default-Domain=example.com
X-CSTP-Address=192.168.99.3
X-CSTP-Netmask=255.255.255.0
X-CSTP-DNS=8.8.8.8
X-CSTP-Tunnel-All-DNS=false
X-CSTP-Keepalive=30
X-CSTP-Idle-Timeout=none
X-CSTP-Smartcard-Removal-Disconnect=true
X-CSTP-Rekey-Time=172777
X-CSTP-Rekey-Method=ssl
X-CSTP-Session-Timeout=none
X-CSTP-Disconnected-Timeout=none
X-CSTP-Keep=true
X-CSTP-TCP-Keepalive=true
X-CSTP-License=accept
X-CSTP-Base-MTU=1300
X-CSTP-MTU=1272
X-CSTP-Content-Encoding=oc-lz4
VPNGATEWAY=47.99.12.34
HOME=/root
INTERNAL_IP4_NETMASK=255.255.255.0
reason=attempt-reconnect
CISCO_DEF_DOMAIN=example.com
INTERNAL_IP4_DNS=8.8.8.8
TUNDEV=tun0
PATH=/sbin:/usr/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
INTERNAL_IP4_NETADDR=192.168.99.0
PWD=/
INTERNAL_IP4_ADDRESS=192.168.99.3
INTERNAL_IP4_MTU=1272
INTERNAL_IP4_NETMASKLEN=24
----------------------
SSL negotiation with 47.99.12.34
Server certificate verify failed: signer not found
Connected to HTTPS on 47.99.12.34
TCP_INFO rcv mss 768, snd mss 1280, adv mss 1448, pmtu 1500
> CONNECT /CSCOSSLC/tunnel HTTP/1.1
> Host: 47.99.12.34:2011
> User-Agent: Open AnyConnect VPN Agent v8.02
> Cookie: webvpn=tIkI50xPEbqx5BNP1nIpdFJtoBEL59isdAiRZ9Gk6ag=
> X-CSTP-Version: 1
> X-CSTP-Hostname: localhost
> X-CSTP-Accept-Encoding: oc-lz4,lzs
> X-CSTP-Base-MTU: 1500
> X-CSTP-MTU: 1390
> X-CSTP-Address-Type: IPv6,IPv4
> X-CSTP-Full-IPv6-Capability: true
>
Reconnect gave different Legacy IP address (192.168.99.60 != 192.168.99.3)
Got CONNECT response: HTTP/1.1 200 CONNECTED
X-CSTP-Version: 1
X-CSTP-Server-Name: ocserv 0.12.1
X-CSTP-Hostname: localhost
X-CSTP-DPD: 15
X-CSTP-Default-Domain: example.com
X-CSTP-Address: 192.168.99.60
X-CSTP-Netmask: 255.255.255.0
X-CSTP-DNS: 8.8.8.8
X-CSTP-Tunnel-All-DNS: false
X-CSTP-Keepalive: 30
X-CSTP-Idle-Timeout: none
X-CSTP-Smartcard-Removal-Disconnect: true
X-CSTP-Rekey-Time: 172777
X-CSTP-Rekey-Method: ssl
X-CSTP-Session-Timeout: none
X-CSTP-Disconnected-Timeout: none
X-CSTP-Keep: true
X-CSTP-TCP-Keepalive: true
X-CSTP-License: accept
X-CSTP-Base-MTU: 1300
X-CSTP-MTU: 1272
X-CSTP-Content-Encoding: oc-lz4
sleep 10s, remaining timeout 300s
======================
vpnc-script: attempt-reconnect env
HOSTNAME=localhost
SHLVL=3
CISCO_CSTP_OPTIONS=X-CSTP-Version=1
X-CSTP-Server-Name=ocserv 0.12.1
X-CSTP-Hostname=localhost
X-CSTP-DPD=15
X-CSTP-Default-Domain=example.com
X-CSTP-Address=192.168.99.3
X-CSTP-Netmask=255.255.255.0
X-CSTP-DNS=8.8.8.8
X-CSTP-Tunnel-All-DNS=false
X-CSTP-Keepalive=30
X-CSTP-Idle-Timeout=none
X-CSTP-Smartcard-Removal-Disconnect=true
X-CSTP-Rekey-Time=172777
X-CSTP-Rekey-Method=ssl
X-CSTP-Session-Timeout=none
X-CSTP-Disconnected-Timeout=none
X-CSTP-Keep=true
X-CSTP-TCP-Keepalive=true
X-CSTP-License=accept
X-CSTP-Base-MTU=1300
X-CSTP-MTU=1272
X-CSTP-Content-Encoding=oc-lz4
VPNGATEWAY=47.99.12.34
HOME=/root
INTERNAL_IP4_NETMASK=255.255.255.0
reason=attempt-reconnect
CISCO_DEF_DOMAIN=example.com
INTERNAL_IP4_DNS=8.8.8.8
TUNDEV=tun0
PATH=/sbin:/usr/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
INTERNAL_IP4_NETADDR=192.168.99.0
PWD=/
INTERNAL_IP4_ADDRESS=192.168.99.3
INTERNAL_IP4_MTU=1272
INTERNAL_IP4_NETMASKLEN=24
----------------------
SSL negotiation with 47.99.12.34
Server certificate verify failed: signer not found
Connected to HTTPS on 47.99.12.34
TCP_INFO rcv mss 768, snd mss 1280, adv mss 1448, pmtu 1500
> CONNECT /CSCOSSLC/tunnel HTTP/1.1
> Host: 47.99.12.34:2011
> User-Agent: Open AnyConnect VPN Agent v8.02
> Cookie: webvpn=tIkI50xPEbqx5BNP1nIpdFJtoBEL59isdAiRZ9Gk6ag=
> X-CSTP-Version: 1
> X-CSTP-Hostname: localhost
> X-CSTP-Accept-Encoding: oc-lz4,lzs
> X-CSTP-Base-MTU: 1500
> X-CSTP-MTU: 1390
> X-CSTP-Address-Type: IPv6,IPv4
> X-CSTP-Full-IPv6-Capability: true
>
Got CONNECT response: HTTP/1.1 200 CONNECTED
X-CSTP-Version: 1
X-CSTP-Server-Name: ocserv 0.12.1
X-CSTP-Hostname: localhost
X-CSTP-DPD: 15
X-CSTP-Default-Domain: example.com
X-CSTP-Address: 192.168.99.60
X-CSTP-Netmask: 255.255.255.0
X-CSTP-DNS: 8.8.8.8
X-CSTP-Tunnel-All-DNS: false
X-CSTP-Keepalive: 30
X-CSTP-Idle-Timeout: none
X-CSTP-Smartcard-Removal-Disconnect: true
X-CSTP-Rekey-Time: 172826
X-CSTP-Rekey-Method: ssl
X-CSTP-Session-Timeout: none
X-CSTP-Disconnected-Timeout: none
X-CSTP-Keep: true
X-CSTP-TCP-Keepalive: true
X-CSTP-License: accept
X-CSTP-Base-MTU: 1300
X-CSTP-MTU: 1272
X-CSTP-Content-Encoding: oc-lz4
CSTP connected. DPD 15, Keepalive 30
CSTP Ciphersuite: (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
======================
vpnc-script: reconnect env
HOSTNAME=localhost
SHLVL=3
CISCO_CSTP_OPTIONS=X-CSTP-Version=1
X-CSTP-Server-Name=ocserv 0.12.1
X-CSTP-Hostname=localhost
X-CSTP-DPD=15
X-CSTP-Default-Domain=example.com
X-CSTP-Address=192.168.99.3
X-CSTP-Netmask=255.255.255.0
X-CSTP-DNS=8.8.8.8
X-CSTP-Tunnel-All-DNS=false
X-CSTP-Keepalive=30
X-CSTP-Idle-Timeout=none
X-CSTP-Smartcard-Removal-Disconnect=true
X-CSTP-Rekey-Time=172777
X-CSTP-Rekey-Method=ssl
X-CSTP-Session-Timeout=none
X-CSTP-Disconnected-Timeout=none
X-CSTP-Keep=true
X-CSTP-TCP-Keepalive=true
X-CSTP-License=accept
X-CSTP-Base-MTU=1300
X-CSTP-MTU=1272
X-CSTP-Content-Encoding=oc-lz4
VPNGATEWAY=47.99.12.34
HOME=/root
INTERNAL_IP4_NETMASK=255.255.255.0
reason=reconnect
CISCO_DEF_DOMAIN=example.com
INTERNAL_IP4_DNS=8.8.8.8
TUNDEV=tun0
PATH=/sbin:/usr/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
INTERNAL_IP4_NETADDR=192.168.99.0
PWD=/
INTERNAL_IP4_ADDRESS=192.168.99.3
INTERNAL_IP4_MTU=1272
INTERNAL_IP4_NETMASKLEN=24
----------------------
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
SSL read error: The TLS connection was non-properly terminated.; reconnecting.
======================
vpnc-script: attempt-reconnect env
HOSTNAME=localhost
SHLVL=3
CISCO_CSTP_OPTIONS=X-CSTP-Version=1
X-CSTP-Server-Name=ocserv 0.12.1
X-CSTP-Hostname=localhost
X-CSTP-DPD=15
X-CSTP-Default-Domain=example.com
X-CSTP-Address=192.168.99.3
X-CSTP-Netmask=255.255.255.0
X-CSTP-DNS=8.8.8.8
X-CSTP-Tunnel-All-DNS=false
X-CSTP-Keepalive=30
X-CSTP-Idle-Timeout=none
X-CSTP-Smartcard-Removal-Disconnect=true
X-CSTP-Rekey-Time=172777
X-CSTP-Rekey-Method=ssl
X-CSTP-Session-Timeout=none
X-CSTP-Disconnected-Timeout=none
X-CSTP-Keep=true
X-CSTP-TCP-Keepalive=true
X-CSTP-License=accept
X-CSTP-Base-MTU=1300
X-CSTP-MTU=1272
X-CSTP-Content-Encoding=oc-lz4
VPNGATEWAY=47.99.12.34
HOME=/root
INTERNAL_IP4_NETMASK=255.255.255.0
reason=attempt-reconnect
CISCO_DEF_DOMAIN=example.com
INTERNAL_IP4_DNS=8.8.8.8
TUNDEV=tun0
PATH=/sbin:/usr/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
INTERNAL_IP4_NETADDR=192.168.99.0
PWD=/
INTERNAL_IP4_ADDRESS=192.168.99.3
INTERNAL_IP4_MTU=1272
INTERNAL_IP4_NETMASKLEN=24
----------------------
SSL negotiation with 47.99.12.34
Server certificate verify failed: signer not found
Connected to HTTPS on 47.99.12.34
TCP_INFO rcv mss 768, snd mss 1280, adv mss 1448, pmtu 1500
> CONNECT /CSCOSSLC/tunnel HTTP/1.1
> Host: 47.99.12.34:2011
> User-Agent: Open AnyConnect VPN Agent v8.02
> Cookie: webvpn=tIkI50xPEbqx5BNP1nIpdFJtoBEL59isdAiRZ9Gk6ag=
> X-CSTP-Version: 1
> X-CSTP-Hostname: localhost
> X-CSTP-Accept-Encoding: oc-lz4,lzs
> X-CSTP-Base-MTU: 1500
> X-CSTP-MTU: 1390
> X-CSTP-Address-Type: IPv6,IPv4
> X-CSTP-Full-IPv6-Capability: true
>
Got CONNECT response: HTTP/1.1 200 CONNECTED
X-CSTP-Version: 1
X-CSTP-Server-Name: ocserv 0.12.1
X-CSTP-Hostname: localhost
X-CSTP-DPD: 15
X-CSTP-Default-Domain: example.com
X-CSTP-Address: 192.168.99.60
X-CSTP-Netmask: 255.255.255.0
X-CSTP-DNS: 8.8.8.8
X-CSTP-Tunnel-All-DNS: false
X-CSTP-Keepalive: 30
X-CSTP-Idle-Timeout: none
X-CSTP-Smartcard-Removal-Disconnect: true
X-CSTP-Rekey-Time: 172804
X-CSTP-Rekey-Method: ssl
X-CSTP-Session-Timeout: none
X-CSTP-Disconnected-Timeout: none
X-CSTP-Keep: true
X-CSTP-TCP-Keepalive: true
X-CSTP-License: accept
X-CSTP-Base-MTU: 1300
X-CSTP-MTU: 1272
X-CSTP-Content-Encoding: oc-lz4
CSTP connected. DPD 15, Keepalive 30
CSTP Ciphersuite: (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
======================
vpnc-script: reconnect env
HOSTNAME=localhost
SHLVL=3
CISCO_CSTP_OPTIONS=X-CSTP-Version=1
X-CSTP-Server-Name=ocserv 0.12.1
X-CSTP-Hostname=localhost
X-CSTP-DPD=15
X-CSTP-Default-Domain=example.com
X-CSTP-Address=192.168.99.3
X-CSTP-Netmask=255.255.255.0
X-CSTP-DNS=8.8.8.8
X-CSTP-Tunnel-All-DNS=false
X-CSTP-Keepalive=30
X-CSTP-Idle-Timeout=none
X-CSTP-Smartcard-Removal-Disconnect=true
X-CSTP-Rekey-Time=172777
X-CSTP-Rekey-Method=ssl
X-CSTP-Session-Timeout=none
X-CSTP-Disconnected-Timeout=none
X-CSTP-Keep=true
X-CSTP-TCP-Keepalive=true
X-CSTP-License=accept
X-CSTP-Base-MTU=1300
X-CSTP-MTU=1272
X-CSTP-Content-Encoding=oc-lz4
VPNGATEWAY=47.99.12.34
HOME=/root
INTERNAL_IP4_NETMASK=255.255.255.0
reason=reconnect
CISCO_DEF_DOMAIN=example.com
INTERNAL_IP4_DNS=8.8.8.8
TUNDEV=tun0
PATH=/sbin:/usr/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
INTERNAL_IP4_NETADDR=192.168.99.0
PWD=/
INTERNAL_IP4_ADDRESS=192.168.99.3
INTERNAL_IP4_MTU=1272
INTERNAL_IP4_NETMASKLEN=24
----------------------
My finding
ssl_reconnect() -> cstp_connect() -> start_cstp_connection(). The first time openconnect got a different IP, vpninfo->ip_info.addr was set to 192.168.99.60 in start_cstp_connection(); openconnect didn't change the tun device IP, and start_cstp_connection() returned -EINVAL. start_cstp_connection() was then executed again; on this second reconnect vpninfo->ip_info.addr was set to 192.168.99.60 again, the same as the first time, so openconnect assumed the IP didn't change and did not reconnect again until a network read error. But the client host kept using 192.168.99.3 all the time.
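To make the state-handling mistake described above concrete, here is an added, constructed model of the reconnect check in C. It is not openconnect's code: the struct, the function names and the retry limit are invented for the example, and `offered_addr` merely plays the role of `vpninfo->ip_info.addr`. The buggy variant overwrites the recorded offer before the comparison, so the second attempt compares the server's offer with the previous offer rather than with the address the host is actually using; the checked variant compares against the tun device's real address, so a stale address can never be reported as "unchanged".

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define ADDR_LEN 32
#define MAX_RETRIES 3   /* constructed retry budget, stands in for the 300s timeout loop */

/* Constructed model of the client state discussed in the report; these are
 * not openconnect's real structures or functions. */
struct client {
    char offered_addr[ADDR_LEN]; /* last address the server offered (role of vpninfo->ip_info.addr) */
    char tun_addr[ADDR_LEN];     /* address actually configured on the tun device */
};

static void client_init(struct client *c, const char *addr)
{
    snprintf(c->offered_addr, ADDR_LEN, "%s", addr);
    snprintf(c->tun_addr, ADDR_LEN, "%s", addr);
}

/* Buggy variant: the new offer is stored before it is checked, so the next
 * reconnect compares the server's offer against the previous *offer*, not
 * against the address the host is still using. */
static int reconnect_buggy(struct client *c, const char *server_addr)
{
    int changed = strcmp(c->offered_addr, server_addr) != 0;
    snprintf(c->offered_addr, ADDR_LEN, "%s", server_addr);
    return changed ? -EINVAL : 0;   /* -EINVAL: caller retries, tun device left as it was */
}

/* Checked variant: compare against what is really configured on the tun
 * device. A mismatch keeps failing until the caller gives up (disconnects)
 * instead of silently declaring the session connected. */
static int reconnect_checked(struct client *c, const char *server_addr)
{
    snprintf(c->offered_addr, ADDR_LEN, "%s", server_addr);
    return strcmp(c->tun_addr, server_addr) != 0 ? -EINVAL : 0;
}

/* Drive repeated reconnect attempts, as the retry loop in the report does.
 * Returns 1 if the session ended up "connected", 0 if the client gave up.
 * On return, *mismatch says whether the host is using an address the server
 * did not assign (the broken state the report describes). */
static int run_session(int (*reconnect)(struct client *, const char *),
                       struct client *c, const char *server_addr, int *mismatch)
{
    int connected = 0;
    for (int i = 0; i < MAX_RETRIES; i++) {
        if (reconnect(c, server_addr) == 0) {
            connected = 1;
            break;
        }
    }
    *mismatch = strcmp(c->tun_addr, server_addr) != 0;
    return connected;
}

int main(void)
{
    struct client c;
    int mismatch;

    /* Constructed replay of the log: first connect got .3, server now offers .60 */
    client_init(&c, "192.168.99.3");
    printf("buggy:   connected=%d mismatch=%d (tun=%s, server=%s)\n",
           run_session(reconnect_buggy, &c, "192.168.99.60", &mismatch),
           mismatch, c.tun_addr, "192.168.99.60");

    client_init(&c, "192.168.99.3");
    printf("checked: connected=%d mismatch=%d (tun=%s, server=%s)\n",
           run_session(reconnect_checked, &c, "192.168.99.60", &mismatch),
           mismatch, c.tun_addr, "192.168.99.60");
    return 0;
}
```

The buggy run reports `connected=1` while `mismatch=1`, which is exactly the symptom in the log: the host keeps 192.168.99.3 although the server assigned 192.168.99.60, and DPD keeps succeeding because the control channel is fine. The checked run never reports success with a stale address, so the caller reaches its retry limit and can tear the session down or reconfigure the device.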