Description of problem:
When using openconnect to try to connect to the VPN network of my school, the connection "succeeds" by creating a tunnel, but in the log there is a failure:

Error: either "to" is duplicate, or "ipid" is a garbage.
DTLS handshake failed: 5

Then the VPN doesn't work. Even if routes are set, it is impossible to get a response from google when pinging, for example. Maybe there is a link with openssl, but I'm not sure.

Version-Release number of selected component (if applicable):
openconnect 3.13

How reproducible:
Always

Steps to Reproduce:
1. Use openconnect on the command line: openconnect --script /etc/vpnc/vpnc-script
2. Type username and login
3. The tunnel is created, but pinging google gives unknown host
Hardware: i586 => x86_64
Just in case, I pushed the latest version 3.14 of openconnect to the buildsystem (though there's nothing in the changelog regarding that part).
CC: (none) => balcaen.john
Source RPM: (none) => openconnect-3.13-1.mga2.src.rpm
Hi,
Can you check that you have stopped the firewall? It can block DNS resolution in the tunnel if there is network filtering. Can you try the command

sudo openconnect --script /etc/vpnc/vpnc-script https://vpn.society.com

(or as root without the sudo)?
CC: (none) => marianne
Without firewall (with 3.14) it produces

DTLS handshake failed: 2

I found the solution. It is linked to the vpnc script:

http://aptosid.com/index.php?name=PNphpBB2&file=viewtopic&p=8788&sid=6a9007adc7c91385fce220706a402b20#8788

[...]
The LKML thread suggests replacing line 119 in vpnc-script with

sed 's/cache//;s/metric \?[0-9]\+ [0-9]\+//g;s/hoplimit[0-9]\+//g;s/ipid 0x....//g'

[...]

It seems to be related to new kernels. Since it works here, maybe patching the vpnc script should be interesting.
Source RPM: openconnect-3.13-1.mga2.src.rpm => vpnc-0.5.3-5.mga2.src.rpm
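The effect of the sed filter quoted in the comment above, as an added example that is not part of the original report or of vpnc-script itself. It assumes the script feeds `ip route get` output back into `ip route add`; the sample output, the "before" filter and the `rejected_tokens` helper with its keyword allowlist are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from vpnc-script.

# Filter as quoted in the comment: strips attributes that "ip route get"
# prints but that cannot be passed back to "ip route add".
fix_ip_get_output() {
    sed 's/cache//;s/metric \?[0-9]\+ [0-9]\+//g;s/hoplimit[0-9]\+//g;s/ipid 0x....//g'
}

# Same filter without the ipid rule (assumed "before" state, for comparison).
old_fix_ip_get_output() {
    sed 's/cache//;s/metric \?[0-9]\+ [0-9]\+//g;s/hoplimit[0-9]\+//g'
}

# Constructed sample of "ip route get <gateway>" output on a kernel that
# reports an ipid attribute. Addresses come from documentation ranges.
SAMPLE='203.0.113.10 via 192.0.2.1 dev eth0  src 192.0.2.57
    cache  ipid 0x8b6e'

# Hypothetical checker: reads a filtered route from stdin and prints every
# token that is neither the destination, an allowlisted keyword
# (via, dev, src, mtu), nor the value following such a keyword.
rejected_tokens() {
    awk '{
        for (i = 1; i <= NF; i++) {
            tok = $i
            if (!seen_dest) { seen_dest = 1; continue }
            if (want_value) { want_value = 0; continue }
            if (tok ~ /^(via|dev|src|mtu)$/) { want_value = 1; continue }
            out = out (out == "" ? "" : " ") tok
        }
    }
    END { print out }'
}

# Show what each filter leaves behind for "ip route add" to choke on.
before=$(printf '%s\n' "$SAMPLE" | old_fix_ip_get_output | rejected_tokens)
after=$(printf '%s\n' "$SAMPLE" | fix_ip_get_output | rejected_tokens)
echo "left over without ipid rule: '${before}'"
echo "left over with ipid rule:    '${after}'"
```

A leftover `ipid` token is what produces the `"ipid" is a garbage` error from the original report, after which the gateway route is never installed.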
(In reply to comment #4)
> I found the solution.
> It is linked to the vpnc script:
>
> http://aptosid.com/index.php?name=PNphpBB2&file=viewtopic&p=8788&sid=6a9007adc7c91385fce220706a402b20#8788
>
> [...]
> The LKML thread suggests replacing line 119 in vpnc-script with
>
> sed 's/cache//;s/metric \?[0-9]\+ [0-9]\+//g;s/hoplimit[0-9]\+//g;s/ipid 0x....//g'
>
> [...]
>
> It seems to be related to new kernels. Since it works here, maybe patching the
> vpnc script should be interesting.

No maintainer. cc'ing guillomovitch who committed vpnc very often in Mdv
CC: (none) => guillomovitch, marja11
I also tested the fix, and it works. I'll fix the vpnc script in the vpnc package when the BS is back. And I think we should add a dependency for it in the openconnect package too.
Status: NEW => ASSIGNED
Assignee: bugsquad => guillomovitch
Fixed.
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED