Bug 3404

Summary: Openconnect fails to connect to VPN with DTLS handshake failed
Product: Mageia
Reporter: Lucien XU <sfietkonstantin>
Component: RPM Packages
Assignee: Guillaume Rousse <guillomovitch>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: Normal
CC: balcaen.john, guillomovitch, marianne, marja11
Version: Cauldron
Target Milestone: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Source RPM: vpnc-0.5.3-5.mga2.src.rpm
CVE:
Status comment:

Description Lucien XU 2011-11-21 11:52:07 CET
Description of problem:
When using openconnect to try to connect to the VPN network of my school, the connection "succeeds" by creating a tunnel, but in the log there is a failure:

Error: either "to" is duplicate, or "ipid" is a garbage.
DTLS handshake failed: 5

Then the VPN doesn't work. Even if routes are set, it is impossible to get a response from google when pinging, for example.

Maybe there is a link with openssl, but I'm not sure.

Version-Release number of selected component (if applicable):
openconnect 3.13

How reproducible:
Always

Steps to Reproduce:
1. Use openconnect on the command line:
openconnect --script /etc/vpnc/vpnc-script
2. Type username and login
3. The tunnel is created, but pinging google gives unknown host

Lucien XU 2011-11-21 11:52:20 CET

Hardware: i586 => x86_64

Comment 1 John Balcaen 2011-11-21 12:25:01 CET
Just in case, I pushed the latest version 3.14 of openconnect on the buildsystem (though there's nothing in the changelog regarding that part).

CC: (none) => balcaen.john
Source RPM: (none) => openconnect-3.13-1.mga2.src.rpm

Comment 2 Marianne Lombard 2011-11-21 12:45:08 CET
Hi, 

Can you check that you have stopped the firewall? It can block DNS resolution in the tunnel if there is network filtering.

Can you try the command sudo openconnect --script /etc/vpnc/vpnc-script https://vpn.society.com (or as root without the sudo)?

CC: (none) => marianne

Comment 3 Lucien XU 2011-11-21 19:09:08 CET
Without firewall (with 3.14) it produces 
DTLS handshake failed: 2

Comment 4 Lucien XU 2011-11-29 15:29:39 CET
I found the solution.
It is linked to vpnc script

http://aptosid.com/index.php?name=PNphpBB2&file=viewtopic&p=8788&sid=6a9007adc7c91385fce220706a402b20#8788

[...]
The LKML thread suggests replacing line 119 in vpnc-script with

sed 's/cache//;s/metric \?[0-9]\+ [0-9]\+//g;s/hoplimit[0-9]\+//g;s/ipid 0x....//g' 

[...]

It seems to be related to new kernels. Since it works here, maybe patching the vpnc script would be interesting.
Lucien XU 2011-11-29 15:30:22 CET

Source RPM: openconnect-3.13-1.mga2.src.rpm => vpnc-0.5.3-5.mga2.src.rpm
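
The filter in comment 4 works on the text of `ip route get`, which vpnc-script feeds back into `ip route add` for the VPN gateway route. Newer kernels print extra per-route attributes (the `ipid 0x....` token in the reporter's error) that `ip route add` does not recognise as keywords, so it treats them as a second destination and fails with 'either "to" is duplicate, or "ipid" is a garbage'. The script below is an added example, not code from the bug report, vpnc-script or the Mageia package: the only line taken from the page is the sed expression from comment 4. The two `ip route get` outputs are constructed to resemble an older and a newer kernel, and the helper names `fix_ip_get_output`, `raw_args` and `route_args` are assumptions for illustration.

```shell
#!/bin/sh
# Added example: what the sed filter from comment 4 does to `ip route get`
# output before it is handed to `ip route add`.
# Sample outputs are CONSTRUCTED, not captured from a real system.
# Function names are assumed for this example, not taken from vpnc-script.

# Constructed `ip route get 8.8.8.8` output from an older kernel.
OLD_KERNEL_OUTPUT='8.8.8.8 via 192.168.1.1 dev eth0  src 192.168.1.10 
    cache '

# Constructed output from a newer kernel: "ipid 0x...." is an attribute that
# `ip route add` does not accept, hence the "ipid is a garbage" error.
NEW_KERNEL_OUTPUT='8.8.8.8 via 192.168.1.1 dev eth0  src 192.168.1.10 
    cache  ipid 0x1a2b'

# The filter suggested in comment 4 (copied verbatim from the bug report).
# It strips the cache/metric/hoplimit/ipid tokens so that only words
# `ip route add` understands survive.
fix_ip_get_output() {
    sed 's/cache//;s/metric \?[0-9]\+ [0-9]\+//g;s/hoplimit[0-9]\+//g;s/ipid 0x....//g'
}

# Flatten multi-line output into one line, the way an unquoted $(...) would
# when vpnc-script splices it into `ip route add`. Also trims the edges so
# results are comparable.
flatten() {
    tr '\n' ' ' | tr -s ' ' | sed 's/^ *//;s/ *$//'
}

# Unfiltered arguments: what reaches `ip route add` without the fix.
raw_args() {
    printf '%s\n' "$1" | flatten
}

# Filtered arguments: what reaches `ip route add` with the fix applied.
route_args() {
    printf '%s\n' "$1" | fix_ip_get_output | flatten
}

# Stand-alone demonstration.
echo "without fix (new kernel): ip route add $(raw_args "$NEW_KERNEL_OUTPUT")"
echo "with fix    (new kernel): ip route add $(route_args "$NEW_KERNEL_OUTPUT")"
echo "with fix    (old kernel): ip route add $(route_args "$OLD_KERNEL_OUTPUT")"
```

Both kernels end up producing the same `8.8.8.8 via 192.168.1.1 dev eth0 src 192.168.1.10` argument list once filtered, which is what `ip route add` expects. One caveat when reading the expression: `s/hoplimit[0-9]\+//g` only matches `hoplimit` immediately followed by digits, so a kernel that prints `hoplimit 64` with a space would keep that token; the `ipid` case, which is the one the reporter hit, is handled.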

Comment 5 Marja Van Waes 2012-01-23 08:12:24 CET
(In reply to comment #4)
> I found the solution.
> It is linked to vpnc script
> 
> http://aptosid.com/index.php?name=PNphpBB2&file=viewtopic&p=8788&sid=6a9007adc7c91385fce220706a402b20#8788
> 
> [...]
> The LKML thread suggests replacing line 119 in vpnc-script with
> 
> sed 's/cache//;s/metric \?[0-9]\+ [0-9]\+//g;s/hoplimit[0-9]\+//g;s/ipid
> 0x....//g' 
> 
> [...]
> 
> It seems to be related to new kernels. Since it works here, maybe patching the
> vpnc script would be interesting.


No maintainer.
cc'ing guillomovitch who committed vpnc very often in Mdv

CC: (none) => guillomovitch, marja11

Comment 6 Guillaume Rousse 2012-02-02 18:28:41 CET
I also tested the fix, and it works. I'll fix the vpnc script in the vpnc package when the BS is back. And I think we should add a dependency on it in the openconnect package too.

Status: NEW => ASSIGNED
Assignee: bugsquad => guillomovitch

Comment 7 Guillaume Rousse 2012-02-05 11:31:18 CET
Fixed.

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED