Getting started

Paul Floyd paulf at free.fr
Fri Dec 11 03:25:49 EST 2009


David Woodhouse wrote:

> Can't you run Linux binaries on Solaris? Other people have been looking
> into what that shell script is actually doing, and it should be fairly
> simple to just make something that posts an 'Accepted' or 'OK' response
> to let your login proceed.

Yes and no. There's an old, old tool called lxrun which basically did 
syscall translation (back in the days of Red Hat 6 or thereabouts). I 
can't imagine it would work now. Otherwise there are 'branded zones'. 
I've never tried using one (branded or not), and I don't know if the vpn 
would be limited to the zone or not.

From what I can see, the script extracts 1 binary, csd, which ends up 
in ~/.cisco. csd seems to communicate back to the concentrator using 
http and Virata-EmWeb, and it downloads and executes another binary, 
hostscan. Also in ~/.cisco there are log files. hostscan seems to do 
some checking (firewall, antivirus, open ports), and also communicates 
over http. Looking in the log, it seems to connect once every minute.

[dtls warning]

> No, it should work without; just less efficiently. The openconnect web
> page has a link to an explanation of why TCP over TCP is bad.

>>and this remains, but with my employer's domain added to the line. That 
>>doesn't seem right to me (though perhaps harmless).
> 
> Harmless. Do you have nameservers listed in the file?

Yes, 2, belonging to my employer, it seemed correct to me so I didn't 
mention it.

> By default, openconnect won't do any routing setup. It expects you to
> use a script for that, and it's compatible with the one from vpnc. Did
> you use that?

Yes, I used the vpnc-script from the link on the openconnect website.

> Does look like you're using some kind of routing script.
> 
> So what does the routing look like when you're connected? Can you try
> basic IP connectivity first, and then debug DNS once you're sure that's
> working?

The IP connectivity is fine. E.g., I managed to connect to a VNC by 
using the IP address obtained by nslookup, but it didn't work with 
vncviewer and the human readable address.

A+
Paul
-- 
Paul Floyd                 http://paulf.free.fr
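The symptom in the message above (IP connectivity through the tunnel works, but names don't resolve) is often a nameserver that vpnc-script wrote into resolv.conf but that the routing table sends out the default interface instead of the tunnel. The following is an added example, not code from this thread or from the openconnect project: it parses a resolv.conf and the output of Linux `ip route show` (both constructed samples here; the writer above is on Solaris, whose `netstat -rn` format differs), does the same longest-prefix match the kernel would, and reports nameservers that are not reached via the tunnel device. The device name `tun0` and the addresses are assumptions.

```python
import ipaddress

# Constructed sample input: what vpnc-script might leave in /etc/resolv.conf.
SAMPLE_RESOLV_CONF = """\
# generated by vpnc-script (constructed sample)
search corp.example.com
nameserver 10.1.0.53
nameserver 10.5.0.53
"""

# Constructed sample input in `ip route show` format. Only 10.1.0.0/24 is
# routed over the tunnel; everything else falls through to the default route.
SAMPLE_IP_ROUTE = """\
default via 192.168.1.1 dev eth0
10.1.0.0/24 dev tun0 scope link
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
"""


def parse_resolv_conf(text):
    """Return (nameservers, search_domains) from resolv.conf text."""
    nameservers, search = [], []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()  # drop comments
        if not line:
            continue
        key, *rest = line.split()
        if key == 'nameserver' and rest:
            nameservers.append(rest[0])
        elif key in ('search', 'domain'):
            search.extend(rest)
    return nameservers, search


def parse_ip_route(text):
    """Parse `ip route show` lines into (network, device) tuples."""
    routes = []
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        dst = '0.0.0.0/0' if toks[0] == 'default' else toks[0]
        try:
            net = ipaddress.ip_network(dst, strict=False)  # bare IP means /32
        except ValueError:
            continue  # skip lines that are not unicast routes
        dev = toks[toks.index('dev') + 1] if 'dev' in toks else None
        routes.append((net, dev))
    return routes


def route_for(addr, routes):
    """Longest-prefix match: the route the kernel would pick for addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, dev in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best


def unrouted_nameservers(resolv_text, route_text, tun_dev='tun0'):
    """List (nameserver, device) pairs whose traffic would NOT go via tun_dev.

    A non-empty result explains 'ping by IP works, names don't': the DNS
    queries never enter the VPN, so the internal nameservers are unreachable.
    """
    nameservers, _ = parse_resolv_conf(resolv_text)
    routes = parse_ip_route(route_text)
    bad = []
    for addr in nameservers:
        match = route_for(addr, routes)
        dev = match[1] if match else None
        if dev != tun_dev:
            bad.append((addr, dev))
    return bad


if __name__ == '__main__':
    for addr, dev in unrouted_nameservers(SAMPLE_RESOLV_CONF, SAMPLE_IP_ROUTE):
        print(f"nameserver {addr} is routed via {dev}, not the tunnel")
```

On a real host, feed it the contents of /etc/resolv.conf and the output of `ip route show`; any nameserver it reports needs a host route over the tunnel (or a split-tunnel route that covers it) before hostname resolution inside the VPN can work.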