openconnect server 問題

set左個 ocserv server,可以用電話同電腦個 anyconnect client connect 到,但好奇怪

係兩個唔同地方connect,一個就一connect就斷,connect 10次可能有一次唔斷,唔斷之後就好穩定,另一個就一直好穩定,我開 luci個 interface睇

發現兩個connection個 cipher唔同,但唔知咩意思, no-dtls 個就係好唔穩定,另就一個寫(AES-128-CBC) (SHA1) 就無問題

有無人知係咩問題?

thank you very much
附件: 您需要登錄才可以下載或查看附件。沒有帳號?註冊

本帖最後由 solexkey 於 2018-3-4 14:41 編輯

資料太少

手機 client 用 AnyConnect 定 OpenConnect ?
post 個log file 睇吓行到邊到出問題(一connect就斷)
post 埋個 AnyConnect server template/config

利申 : 用咗N年 lede/openwrt 行 OpenConnect(用cert)  +  Windows/IOS/Android Anyconnect client , 家居Wifi/公共Wifi/數據,本地/海外, 基本上用過哂, 從未試過有no-dtls 呢d情況

TOP

電話、電腦都係用 cisco anyconnect client

anyconnect 個 log無咩資料:
    1:26:17 PM    Ready to connect.
    1:26:19 PM    Contacting myip.
    1:26:24 PM    User credentials entered.
    1:26:27 PM    User credentials entered.
    1:26:27 PM    Establishing VPN session...
    1:26:27 PM    The AnyConnect Downloader is performing update checks...
    1:26:27 PM    Checking for profile updates...
    1:26:27 PM    Checking for product updates...
    1:26:32 PM    Checking for customization updates...
    1:26:32 PM    Performing any required updates...
    1:26:32 PM    The AnyConnect Downloader updates have been completed.
    1:26:32 PM    Establishing VPN session...
    1:26:32 PM    Establishing VPN - Initiating connection...
    1:26:35 PM    Establishing VPN - Examining system...
    1:26:35 PM    Establishing VPN - Activating VPN adapter...
    1:26:35 PM    Establishing VPN - Configuring system...
    1:26:36 PM    Establishing VPN...
    1:26:36 PM    Connected to myip
    1:26:44 PM    Reconnecting to myip...
    1:26:47 PM    Disconnect in progress, please wait...


ocserv.conf:
############################################################################
# NOTE: Do not modify this file to configure ocserv. Add new directives    #
# in /etc/ocserv/ocserv.conf.local and these will be included in ocserv's  #
# configuration                                                            #
############################################################################


# User authentication method. Could be set multiple times and in that case
# all should succeed.
# Options: certificate, pam.
#auth = "certificate"
#auth = "pam"

# The gid-min option is used by auto-select-group option, in order to
# select the minimum group ID.
#auth = "pam[gid-min=1000]"

# The plain option requires specifying a password file which contains
# entries of the following format.
# "username:groupname:encoded-password"
# One entry must be listed per line, and 'ocpasswd' can be used
# to generate password entries.
auth = "plain[passwd=/var/etc/ocpasswd]"

# A banner to be displayed on clients
#banner = "Welcome to OpenWRT"

#isolate-workers = true

# When the server has a dynamic DNS address (that may change),
# should set that to true to ask the client to resolve again on
# reconnects.
listen-host-is-dyndns = false

# Use listen-host to limit to specific IPs or to the IPs of a provided
# hostname.
#listen-host = [IP|HOSTNAME]

# Limit the number of clients. Unset or set to zero for unlimited.
#max-clients = 1024
max-clients = 10

# Limit the number of client connections to one every X milliseconds
# (X is the provided value). Set to zero for no limit.
rate-limit-ms = 100

# Limit the number of identical clients (i.e., users connecting
# multiple times). Unset or set to zero for unlimited.
max-same-clients = 5

# TCP and UDP port number
tcp-port = 443
udp-port = 443

# Stats report time. The number of seconds after which each
# worker process will report its usage statistics (number of
# bytes transferred etc). This is useful when accounting like
# radius is in use.
#stats-report-time = 360

# Stats reset time. The period of time statistics kept by main/sec-mod
# processes will be reset. These are the statistics shown by cmd
# 'occtl show stats'. For daily: 86400, weekly: 604800
# This is unrelated to stats-report-time.
server-stats-reset-time = 604800

# Keepalive in seconds
keepalive = 32400

# Dead peer detection in seconds.
dpd = 1800

# Dead peer detection for mobile clients. The needs to
# be much higher to prevent such clients being awaken too
# often by the DPD messages, and save battery.
# (clients that send the X-AnyConnect-Identifier-DeviceType)
mobile-dpd = 1800

# If using DTLS, and no UDP traffic is received for this
# many seconds, attempt to send future traffic over the TCP
# connection instead, in an attempt to wake up the client
# in the case that there is a NAT and the UDP translation
# was deleted. If this is unset, do not attempt to use this
# recovery mechanism.
switch-to-tcp-timeout = 25

# MTU discovery (DPD must be enabled)
try-mtu-discovery = true

# The key and the certificates of the server
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
# or pkcs11:object=my-vpn-key;object-type=private)
#
# There may be multiple certificate and key pairs and each key
# should correspond to the preceding certificate.
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem

# Diffie-Hellman parameters. Only needed if you require support
# for the DHE ciphersuites (by default this server supports ECDHE).
# Can be generated using:
# certtool --generate-dh-params --outfile /path/to/dh.pem
#dh-params = /path/to/dh.pem

# If you have a certificate from a CA that provides an OCSP
# service you may provide a fresh OCSP status response within
# the TLS handshake. That will prevent the client from connecting
# independently on the OCSP server.
# You can update this response periodically using:
# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
# Make sure that you replace the following file in an atomic way.
#ocsp-response = /path/to/ocsp.der

# In case PKCS #11 or TPM keys are used the PINs should be available
# in files. The srk-pin-file is applicable to TPM keys only, and is the
# storage root key.
#pin-file = /path/to/pin.txt
#srk-pin-file = /path/to/srkpin.txt

# The Certificate Authority that will be used to verify
# client certificates (public keys) if certificate authentication
# is set.
#ca-cert = /etc/ocserv/ca.pem

# The object identifier that will be used to read the user ID in the client
# certificate. The object identifier should be part of the certificate's DN
# Useful OIDs are:
#  CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
#cert-user-oid = 0.9.2342.19200300.100.1.1
cert-user-oid = 2.5.4.3

# The object identifier that will be used to read the user group in the
# client  certificate. The object identifier should be part of the certificate's
# DN. Useful OIDs are:
#  OU (organizational unit) = 2.5.4.11
#cert-group-oid = 2.5.4.11

# The revocation list of the certificates issued by the 'ca-cert' above.
#crl = /etc/ocserv/crl.pem

# Uncomment this to enable compression negotiation (LZS, LZ4).
#compression = true

# GnuTLS priority string
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"

# To enforce perfect forward secrecy (PFS) on the main channel.
#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-RSA"

# The time (in seconds) that a client is allowed to stay connected prior
# to authentication
auth-timeout = 240

# The time (in seconds) that a client is allowed to stay idle (no traffic)
# before being disconnected. Unset to disable.
#idle-timeout = 1200

# The time (in seconds) that a mobile client is allowed to stay idle (no
# traffic) before being disconnected. Unset to disable.
#mobile-idle-timeout = 2400

# The time (in seconds) that a client is not allowed to reconnect after
# a failed authentication attempt.
min-reauth-time = 360

# Banning clients in ocserv works with a point system. IP addresses
# that get a score over that configured number are banned for
# min-reauth-time seconds. By default a wrong password attempt is 10 points,
# a KKDCP POST is 1 point, and a connection is 1 point. Note that
# due to difference processes being involved the count of points
# will not be real-time precise.
#
# Score banning cannot be reliably used when receiving proxied connections
# locally from an HTTP server (i.e., when listen-clear-file is used).
#
# Set to zero to disable.
max-ban-score = 80

# The time (in seconds) that all score kept for a client is reset.
ban-reset-time = 1200

# In case you'd like to change the default points.
#ban-points-wrong-password = 10
#ban-points-connection = 1
#ban-points-kkdcp = 1

# Cookie timeout (in seconds)
# Once a client is authenticated he's provided a cookie with
# which he can reconnect. That cookie will be invalidated if not
# used within this timeout value. This cookie remains valid, during
# the user's connected time, and after user disconnection it
# remains active for this amount of time. That setting should allow a
# reasonable amount of time for roaming between different networks.
cookie-timeout = 300

# If this is enabled (not recommended) the cookies will stay
# valid even after a user manually disconnects, and until they
# expire. This may improve roaming with some broken clients.
#persistent-cookies = true

# Whether roaming is allowed, i.e., if true a cookie is
# restricted to a single IP address and cannot be re-used
# from a different IP.
deny-roaming = false

# ReKey time (in seconds)
# ocserv will ask the client to refresh keys periodically once
# this amount of seconds is elapsed. Set to zero to disable (note
# that, some clients fail if rekey is disabled).
rekey-time = 172800

# ReKey method
# Valid options: ssl, new-tunnel
#  ssl: Will perform an efficient rehandshake on the channel allowing
#       a seamless connection during rekey.
#  new-tunnel: Will instruct the client to discard and re-establish the channel.
#       Use this option only if the connecting clients have issues with the ssl
#       option.
rekey-method = ssl

# Script to call when a client connects and obtains an IP
# Parameters are passed on the environment.
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
# ID (a unique numeric ID); REASON may be "connect" or "disconnect".

# These scripts are not needed if you have setup an interface for all vpns+
# devices.
#connect-script = /usr/bin/ocserv-script
#disconnect-script = /usr/bin/ocserv-script

# UTMP
use-utmp = false

# Whether to enable support for the occtl tool (i.e., either through D-BUS,
# or via a unix socket).
use-occtl = true

# socket file used for IPC with occtl. You only need to set that,
# if you use more than a single servers.
occtl-socket-file = /var/run/occtl.socket

# PID file. It can be overriden in the command line.
pid-file = /var/run/ocserv.pid

# The default server directory. Does not require any devices present.
chroot-dir = /var/lib/ocserv

# socket file used for IPC, will be appended with .PID
# It must be accessible within the chroot environment (if any)
#socket-file = /var/run/ocserv-socket
socket-file = ocserv-socket

# The user the worker processes will be run as. It should be
# unique (no other services run as this user).
run-as-user = ocserv
run-as-group = ocserv

# Set the protocol-defined priority (SO_PRIORITY) for packets to
# be sent. That is a number from 0 to 6 with 0 being the lowest
# priority. Alternatively this can be used to set the IP Type-
# Of-Service, by setting it to a hexadecimal number (e.g., 0x20).
# This can be set per user/group or globally.
#net-priority = 3

# Set the VPN worker process into a specific cgroup. This is Linux
# specific and can be set per user/group or globally.
#cgroup = "cpuset,cpu:test"

#
# Network settings
#

# The name of the tun device
device = vpns

# Whether the generated IPs will be predictable, i.e., IP stays the
# same for the same user when possible.
predictable-ips = true

# The default domain to be advertised
default-domain = lan

# The pool of addresses that leases will be given from.
ipv4-network = 192.168.100.1
ipv4-netmask = 255.255.255.0

# The advertized DNS server. Use multiple lines for
# multiple servers.
# dns = fc00::4be0
#dns = 192.168.1.2
dns = 8.8.8.8

# The NBNS server (if any)
#nbns = 192.168.1.3

# The IPv6 subnet that leases will be given from.
#ipv6-network =

# The domains over which the provided DNS should be used. Use
# multiple lines for multiple domains.
#split-dns = lan

# Prior to leasing any IP from the pool ping it to verify that
# it is not in use by another (unrelated to this server) host.
ping-leases = true

# Whether to tunnel all DNS queries via the VPN. This is the default
# when a default route is set.
#tunnel-all-dns = true

# Unset to assign the default MTU of the device
# mtu =

# Unset to enable bandwidth restrictions (in bytes/sec). The
# setting here is global, but can also be set per user or per group.
#rx-data-per-sec = 40000
#tx-data-per-sec = 40000

# The number of packets (of MTU size) that are available in
# the output buffer. The default is low to improve latency.
# Setting it higher will improve throughput.
#output-buffer = 10

# Routes to be forwarded to the client. If you need the
# client to forward routes to the server, you may use the
# config-per-user/group or even connect and disconnect scripts.
#
# To set the server as the default gateway for the client just
# comment out all routes from the server.
#route = 192.168.1.0/255.255.255.0
#route = 192.168.5.0/255.255.255.0
#route = fef4:db8:1000:1001::/64

# Configuration files that will be applied per user connection or
# per group. Each file name on these directories must match the username
# or the groupname.
# The options allowed in the configuration files are dns, nbns,
#  ipv?-network, ipv4-netmask, ipv6-prefix, rx/tx-per-sec, iroute, route,
#  net-priority and cgroup.
#
# Note that the 'iroute' option allows to add routes on the server
# based on a user or group. The syntax depends on the input accepted
# by the commands route-add-cmd and route-del-cmd (see below).

config-per-user = /etc/ocserv/config-per-user/
config-per-group = /etc/ocserv/config-per-group/

# When config-per-xxx is specified and there is no group or user that
# matches, then utilize the following configuration.

#default-user-config = /etc/ocserv/defaults/user.conf
#default-group-config = /etc/ocserv/defaults/group.conf

# Groups that a client is allowed to select from.
# A client may belong in multiple groups, and in certain use-cases
# it is needed to switch between them. For these cases the client can
# select prior to authentication. Add multiple entries for multiple groups.
#select-group = group1
#select-group = group2[My group 2]
#select-group = tost[The tost group]

# The name of the group that if selected it would allow to use
# the assigned by default group.
#default-select-group = DEFAULT

# Instead of specifying manually all the allowed groups, you may instruct
# ocserv to scan all available groups and include the full list. That
# option is only functional on plain authentication.
#auto-select-group = true

# The system command to use to setup a route. %{R} will be replaced with the
# route/mask and %{D} with the (tun) device.
#
# The following example is from linux systems. %{R} should be something
# like 192.168.2.0/24

#route-add-cmd = "/usr/sbin/ip route add %{R} dev %{D}"
#route-del-cmd = "/usr/sbin/ip route delete %{R} dev %{D}"

route-add-cmd = "/sbin/route add -net %{RI} dev %{D}"
route-del-cmd = "/sbin/route del -net %{RI} dev %{D}"

# This option allows to forward a proxy. The special strings '%{U}'
# and '%{G}', if present will be replaced by the username and group name.
#proxy-url = http://example.com/
#proxy-url = http://example.com/%{U}/%{G}/hello

#
# The following options are for (experimental) AnyConnect client
# compatibility.

# Client profile xml. A sample file exists in doc/profile.xml.
# This file must be accessible from inside the worker's chroot.
# It is not used by the openconnect client.
#user-profile = profile.xml

# Binary files that may be downloaded by the CISCO client. Must
# be within any chroot environment.
#binary-files = /path/to/binaries

# Unless set to false it is required for clients to present their
# certificate even if they are authenticating via a previously granted
# cookie and complete their authentication in the same TCP connection.
# Legacy CISCO clients do not do that, and thus this option should be
# set for them.
cisco-client-compat = true

#Advanced options

# Option to allow sending arbitrary custom headers to the client after
# authentication and prior to VPN tunnel establishment.
#custom-header = "X-My-Header: hi there"

expose-iroutes = true
dns = 8.8.8.8

TOP

ching, 麻煩晒

TOP

而家情況:client location 1 (唔穩定,connect完幾秒,跟住reconnect,然後就斷,如果無出現reconnect,就會穩定一直connect住)
client location 2 (穩定,一直connect住)
server1 (自己setup,linksys WRT1200AC + LEDE)
server2 (公司,anyconnect server)

重有個information,如果 client location1 connect server2,佢都會斷一斷,但reconnect 時就可以再connect到,然後又係好穩定,但 server1,就reconnect唔到

TOP

本帖最後由 solexkey 於 2018-3-4 15:44 編輯

server 嗰邊disconnect嘅時候前後有d乜嘢message ?

一connect就斷嘅地方(i.e. location 1) 喺邊到 ? 政府公共wifi ? 麥記 ?

TOP

本帖最後由 solexkey 於 2018-3-4 16:09 編輯

估計你個template file喺跟ocserv installation, 無自己customize過

你先將原本嗰個ocserv template backup起 !!!
clear咗整個template, 跟住將以下内容整個paste落去

auth = "plain[passwd=/var/etc/ocpasswd]"
listen-host-is-dyndns = true
max-clients = 16
max-same-clients = 10
tcp-port = 443
udp-port = 443
keepalive = 32400
dpd = 240
mobile-dpd = 1800
try-mtu-discovery = true
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem
ca-cert = /etc/ocserv/ca-cert.pem
cert-user-oid = 2.5.4.3
#cert-group-oid = 2.5.4.11
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 40
mobile-idle-timeout
cookie-timeout = 86400000
rekey-time = 86400000
rekey-method = ssl
use-utmp = true
use-occtl = true
pid-file = /var/run/ocserv.pid
socket-file = /var/run/ocserv-socket
run-as-user = ocserv
run-as-group = ocserv
net-priority = 5
cgroup = "cpuset,cpu:test"
device = vpns
default-domain = lan
ipv4-network = 192.168.100.1
ipv4-netmask = 255.255.255.0
dns = 8.8.8.8
ping-leases = false
output-buffer = 10
#route = ip
route-add-cmd = "ip route add %{R} dev %{D}"
route-del-cmd = "ip route delete %{R} dev %{D}"
cisco-client-compat =true
custom-header = "X-DTLS-MTU: 1200"
custom-header = "X-CSTP-MTU: 1200"
之後 save 咗個template

restart router, check吓process睇吓個ocserv可唔可以成功啟動到, 如果可以成功啟動到, 之後再逐步測試

TOP

location 1係大陸屋企
location 2係大陸公司
server 1係香港屋企
server 2係香港公司

岩岩又試左如果用電話4G網又係connect到無問題,而且又係 no dtls

另外,Anyconnect client 斷既時候有時會出以下message (又唔係次次出)
The secure gateway has rejected the connection attempt.  A new connection attempt to the same or another secure gateway is needed, which requires re-authentication.

TOP

server log:

Sun Mar  4 08:10:52 2018 daemon.info ocserv[1017]: sec-mod: using 'plain' authentication to authenticate user (session: e2/f9e)
Sun Mar  4 08:11:07 2018 daemon.info ocserv[1016]: main: myip:53831 user disconnected (reason: unspecified, rx: 0, tx: 0)
Sun Mar  4 08:11:07 2018 daemon.info ocserv[1016]: main: myip:53832 user disconnected (reason: unspecified, rx: 0, tx: 0)
Sun Mar  4 08:11:08 2018 daemon.info ocserv[1017]: sec-mod: initiating session for user 'username' (session: e2/f9e)
Sun Mar  4 08:11:08 2018 daemon.info ocserv[1016]: main[username]: 39.155.192.2:53833 new user session
Sun Mar  4 08:11:08 2018 daemon.notice hostapd: wlan0: AP-STA-POLL-OK 78:3a:84:b6:db:6d
Sun Mar  4 08:11:11 2018 daemon.info ocserv[1016]: main: pinged 192.168.100.93 and is not in use
Sun Mar  4 08:11:11 2018 daemon.info ocserv[1016]: main[username]: myip:53833 user logged in
Sun Mar  4 08:11:11 2018 daemon.info ocserv[1352]: worker[username]: myip suggesting DPD of 1800 secs
Sun Mar  4 08:11:11 2018 daemon.info ocserv[1352]: worker[username]: myip configured link MTU is 1500
Sun Mar  4 08:11:11 2018 daemon.info ocserv[1352]: worker[username]: myip peer's link MTU is 1500
Sun Mar  4 08:11:11 2018 daemon.info ocserv[1352]: worker[username]: myip sending IPv4 192.168.100.93
Sun Mar  4 08:11:11 2018 daemon.info ocserv[1352]: worker[username]: myip adding DNS 8.8.8.8
Sun Mar  4 08:11:11 2018 daemon.info ocserv[1352]: worker[username]: myip adding DNS 8.8.8.8
Sun Mar  4 08:11:11 2018 daemon.info ocserv[1352]: worker[username]: myip DTLS ciphersuite: AES128-SHA
Sun Mar  4 08:11:11 2018 daemon.info ocserv[1352]: worker[username]: myip DTLS data MTU 1406
Sun Mar  4 08:11:11 2018 daemon.info ocserv[1352]: worker[username]: myip Link MTU is 1500 bytes
Sun Mar  4 08:11:11 2018 daemon.info ocserv[1352]: worker[username]: myip setting up DTLS-0.9 connection
Sun Mar  4 08:11:11 2018 daemon.info ocserv[1016]: main: myip:53830 user disconnected (reason: unspecified, rx: 0, tx: 0)
Sun Mar  4 08:11:19 2018 daemon.info ocserv[1352]: worker[username]: myip received BYE packet; exiting
Sun Mar  4 08:11:19 2018 daemon.info ocserv[1352]: worker[username]: myip sent periodic stats (in: 8667, out: 39398) to sec-mod
Sun Mar  4 08:11:19 2018 daemon.info ocserv[1017]: sec-mod: invalidating session of user 'username' (session: e2/f9e)
Sun Mar  4 08:11:19 2018 daemon.info ocserv[1016]: main[username]: myip:53833 user disconnected (reason: user disconnected, rx: 8667, tx: 39398)
Sun Mar  4 08:11:20 2018 daemon.info ocserv[1017]: sec-mod: session open but with non-existing SID!
Sun Mar  4 08:11:20 2018 daemon.info ocserv[1016]: main: myip:53838 could not open session
Sun Mar  4 08:11:20 2018 daemon.info ocserv[1016]: main: myip:53838 failed authentication attempt for user ''
Sun Mar  4 08:11:20 2018 daemon.warn ocserv[1371]: worker: myip failed cookie authentication attempt
Sun Mar  4 08:11:20 2018 daemon.info ocserv[1016]: main: myip:53838 user disconnected (reason: unspecified, rx: 0, tx: 0)

TOP

server 真實 LAN segment 喺唔喺同 VPN LAN segment 都喺 192.168.100.x ?

如果喺, 就將其中一個改做另一個

TOP