paulf at free.fr
Fri Dec 11 03:25:49 EST 2009
David Woodhouse wrote:
> Can't you run Linux binaries on Solaris? Other people have been looking
> into what that shell script is actually doing, and it should be fairly
> simple to just make something that posts an 'Accepted' or 'OK' response
> to let your login proceed.
Yes and no. There's an old, old tool called lxrun which basically did
syscall translation (back in the days of Red Hat 6 or thereabouts). I
can't imagine it would work now. Otherwise there are 'branded zones'.
I've never tried using one (branded or not), and I don't know if the VPN
would be limited to the zone or not.
From what I can see, the script extracts 1 binary, csd, which ends up
in ~/.cisco. csd seems to communicate back to the concentrator using
HTTP and Virata-EmWeb, and it downloads and executes another binary,
hostscan. Also in ~/.cisco there are log files. hostscan seems to do
some checking (firewall, antivirus, open ports), and also communicates
over HTTP. Looking in the log, it seems to connect once every minute.
> No, it should work without; just less efficiently. The openconnect web
> page has a link to an explanation of why TCP over TCP is bad.
>> and this remains, but with my employer's domain added to the line. That
>> doesn't seem right to me (though perhaps harmless).
> Harmless. Do you have nameservers listed in the file?
Yes, 2, belonging to my employer, it seemed correct to me so I didn't
> By default, openconnect won't do any routing setup. It expects you to
> use a script for that, and it's compatible with the one from vpnc. Did
> you use that?
Yes, I used the vpnc-script from the link on the openconnect website.
> Does look like you're using some kind of routing script.
> So what does the routing look like when you're connected? Can you try
> basic IP connectivity first, and then debug DNS once you're sure that's
The IP connectivity is fine. E.g., I managed to connect to a VNC by
using the IP address obtained by nslookup, but it didn't work with
vncviewer and the human readable address.
Paul Floyd http://paulf.free.fr