Getting started

David Woodhouse dwmw2 at infradead.org
Fri Dec 11 04:53:43 EST 2009


On Fri, 2009-12-11 at 09:25 +0100, Paul Floyd wrote:
> David Woodhouse wrote:
> 
> > Can't you run Linux binaries on Solaris? Other people have been looking
> > into what that shell script is actually doing, and it should be fairly
> > simple to just make something that posts an 'Accepted' or 'OK' response
> > > to let your login proceed.
> 
> Yes and no. There's an old, old tool called lxrun which basically did 
> syscall translation (back in the days of Red Hat 6 or thereabouts). I 
> can't imagine it would work now. Otherwise there are 'branded zones'. 
> I've never tried using one (branded or not), and I don't know if the vpn 
> would be limited to the zone or not.
> 
> From what I can see, the script extracts 1 binary, csd, which ends up 
> in ~/.cisco. csd seems to communicate back to the concentrator using 
> http and Virata-EmWeb, and it downloads and executes another binary, 
> hostscan. Also in ~/.cisco there are log files. hostscan seems to do 
> some checking (firewall, antivirus, open ports), and also communicates 
> over http. Looking in the log, it seems to connect once every minute.

See earlier discussions on this list about what hostscan is actually
doing. It shouldn't be too hard to write a tool which emulates it
sufficiently well to allow your VPN login to complete.

> [dtls warning]
> 
> > No, it should work without; just less efficiently. The openconnect web
> > page has a link to an explanation of why TCP over TCP is bad.
> 
> >>and this remains, but with my employer's domain added to the line. That 
> >>doesn't seem right to me (though perhaps harmless).
> > 
> > Harmless. Do you have nameservers listed in the file?
> 
> Yes, 2, belonging to my employer, it seemed correct to me so I didn't 
> mention it.

OK -- so you were just querying the fact that your original search
domain is retained, while adding the new VPN-derived one? That's just
how vpnc-script does it.

> The IP connectivity is fine. E.g., I managed to connect to a VNC by 
> using the IP address obtained by nslookup, but it didn't work with 
> vncviewer and the human readable address.

OSX has a strange way of setting up DNS -- you don't just
edit /etc/resolv.conf. It's possible that that doesn't work correctly on
(recent versions of) OSX with vpnc-script. There have been reports of
that on the vpnc-devel mailing list too, recently. My version of
vpnc-script doesn't have any modifications for OSX.

-- 
dwmw2
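As an added illustration of the search-domain behaviour described in the reply above (this is example code written for this page, not vpnc-script's own code and not something posted in the thread): a POSIX shell function that rewrites a resolv.conf so the VPN's default domain is added to the search list while the search domains already in the file are retained, and the VPN's nameservers are installed in place of the old ones. The function arguments, the sample resolv.conf contents and the addresses are made up for the example. Note that this file-based approach is exactly what the reply says may not work on OSX, where DNS configuration is not taken from /etc/resolv.conf alone.

```shell
#!/bin/sh
# Added example, not vpnc-script itself. Merge a VPN-derived default
# domain into an existing resolv.conf: the original search domains are
# kept, the VPN domain is put first, and the VPN nameservers replace
# whatever nameservers were there.
#
# Assumptions (labelled): the VPN domain and nameserver list are passed
# as plain arguments; vpnc-script takes them from environment variables
# with different names, and its output format is not reproduced here.

merge_resolv_conf() {
    # $1: path to the current resolv.conf
    # $2: VPN default domain (e.g. the employer's domain)
    # $3: space-separated list of VPN nameservers
    # Prints the merged resolv.conf on stdout.
    old="$1"; vpn_domain="$2"; vpn_dns="$3"

    # Collect every domain listed on existing "search" or "domain" lines.
    existing=$(awk '/^(search|domain)[ \t]/ {
                        for (i = 2; i <= NF; i++) printf "%s ", $i
                    }' "$old")

    # VPN domain first, then the old ones, without duplicating it.
    merged="$vpn_domain"
    for d in $existing; do
        [ "$d" = "$vpn_domain" ] || merged="$merged $d"
    done

    printf 'search %s\n' "$merged"
    for ns in $vpn_dns; do
        printf 'nameserver %s\n' "$ns"
    done
}

# Constructed sample input (made up for this example): a home resolv.conf
# with one search domain and one local nameserver.
demo_resolv_conf() {
    tmp=$(mktemp)
    printf 'search home.lan\nnameserver 192.168.1.1\n' > "$tmp"
    merge_resolv_conf "$tmp" "example.com" "10.0.0.1 10.0.0.2"
    rm -f "$tmp"
}

demo_resolv_conf
```

Running it prints a `search example.com home.lan` line followed by the two VPN nameservers, which is the "original domain retained, VPN domain added" outcome the reply describes. Because the old nameserver is dropped rather than kept, a check that the VPN's nameservers actually resolve the employer's hostnames (as in the nslookup test mentioned above) is still worth doing after connecting.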



