Trouble with network-manager-openconnect-gnome when using a gateway with multiple IP addresses

Brian D Peyser PhD brianpeyser at gmail.com
Sun Feb 3 04:18:33 EST 2013


Hi,

First, this is all done from Ubuntu 12.04, running the Cinnamon desktop.
I didn't have any luck from Unity either. Didn't try Gnome Shell, but I
expect that to be similar to Cinnamon 1.6.

I have been having trouble getting openconnect to work through the
network manager GUI. I managed to get it working fine from the command
line:

$ sudo openconnect -v --script /etc/vpnc/vpnc-script remoteaccessvpn.nih.gov

I am using a username + password (SecurID). It would ask me if the
certificate was OK, and I would answer yes. If I gave it the vpnc script
it changed my routing tables and worked fine from command-line. However,
when I used the network manager, I would get a window asking if I would
accept the certificate, then fail to connect _after_ I entered my
username/password.  Looking at the tail of /var/log/syslog I saw a
problem with the certificate:

Feb  3 03:01:59 S076804 NetworkManager[1446]: <info> Starting VPN service 'openconnect'...
Feb  3 03:01:59 S076804 NetworkManager[1446]: <info> VPN service 'openconnect' started (org.freedesktop.NetworkManager.openconnect), PID 3525
Feb  3 03:01:59 S076804 NetworkManager[1446]: <info> VPN service 'openconnect' appeared; activating connections
Feb  3 03:02:39 S076804 NetworkManager[1446]: <info> VPN plugin state changed: starting (3)
Feb  3 03:02:39 S076804 NetworkManager[1446]: <info> VPN connection 'RemoteAccess' (Connect) reply received.
Feb  3 03:02:39 S076804 openconnect[3536]: Attempting to connect to 192.231.145.18:443
Feb  3 03:02:39 S076804 openconnect[3536]: SSL negotiation with remoteaccessvpn.nih.gov
Feb  3 03:02:39 S076804 openconnect[3536]: Server SSL certificate didn't match: 62283086430A2E57E1F7A2AAD9D666A86F10C0ED
Feb  3 03:02:39 S076804 openconnect[3536]: SSL connection failure: Error in the certificate.
Feb  3 03:02:39 S076804 NetworkManager[1446]: <warn> VPN plugin failed: 1
Feb  3 03:02:39 S076804 NetworkManager[1446]: <info> VPN plugin state changed: stopped (6)
Feb  3 03:02:39 S076804 NetworkManager[1446]: <info> VPN plugin state change reason: 0
Feb  3 03:02:39 S076804 NetworkManager[1446]: <warn> error disconnecting VPN: Could not process the request because no VPN connection was active.
Feb  3 03:02:39 S076804 NetworkManager[1446]: <info> Policy set 'mySSID' (wlan0) as default for IPv4 routing and DNS.
Feb  3 03:02:40 S076804 NetworkManager[1446]:    keyfile: updating /etc/NetworkManager/system-connections/RemoteAccess
Feb  3 03:02:44 S076804 NetworkManager[1446]: <info> VPN service 'openconnect' disappeared

It seemed to me that the server certificate should have worked when I
accepted it in the GUI dialog. In fact, it would put the certificate SHA
in the file at /etc/NetworkManager/system-connections/RemoteAccess under
the [vpn-secrets] section.

I noticed that when I tried to connect repeatedly, the IP address
sometimes changed (and I would get different server certificates). There
are apparently multiple IPs for the same host name. That finally gave me
an idea, and I just made a connection with one of the IP addresses for
the gateway instead of the "correct" hostname. I got a dialog asking if
I would accept the certificate, I accepted it, and it connected! I'm not
sure where the problem is, but at least it is working for now.

Anyone have a clue as to why I couldn't get it to work through the
network manager GUI? It seemed to add multiple SHAs to the file from
different server IPs (tab-delimited), but it never connected
successfully until I limited to one IP.

-Thanks for any insight,

Brian

P.S.
Since in this process I ended up adding the PPA and upgrading to 4.06, I
may try to get my smartcard authentication to work next!
$ openconnect --version
OpenConnect version v4.06
Using GnuTLS. Features present: PKCS#11, DTLS (using OpenSSL)
$ NetworkManager --version
0.9.4.0
(network-manager-openconnect-gnome = 0.9.4.0-0ubuntu1)
--Would I need to get an updated n-m-openconnect to use the GUI?
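A small diagnostic for the situation described in this message, added here as an example; it is not code from the post, from OpenConnect or from NetworkManager. It resolves every address behind the gateway hostname, records the SHA-1 fingerprint of the leaf certificate each address presents, and checks each one against the tab-delimited fingerprints stored under [vpn-secrets] in the connection keyfile, so you can see which addresses a pinned-fingerprint client would reject. The keyfile key name `certsigs`, the sample keyfile text and the second fingerprint are assumptions I made for the example; the first fingerprint and the IP address come from the syslog excerpt above.

```python
import hashlib
import socket
import ssl
from typing import Dict, List

# Constructed sample of a NetworkManager keyfile for the "RemoteAccess"
# connection named in the post. The key name "certsigs" is an assumption; the
# post only says the SHA goes under [vpn-secrets] and that several values were
# stored tab-delimited. The first fingerprint is the one from the syslog
# excerpt, the second is made up.
SAMPLE_KEYFILE = (
    "[connection]\n"
    "id=RemoteAccess\n"
    "type=vpn\n"
    "\n"
    "[vpn]\n"
    "service-type=org.freedesktop.NetworkManager.openconnect\n"
    "gateway=remoteaccessvpn.nih.gov\n"
    "\n"
    "[vpn-secrets]\n"
    "certsigs=62283086430A2E57E1F7A2AAD9D666A86F10C0ED\t"
    "0F1E2D3C4B5A69788796A5B4C3D2E1F00112233A\n"
)


def parse_pinned_fingerprints(keyfile_text: str, key: str = "certsigs") -> List[str]:
    """Return the tab-delimited SHA-1 fingerprints stored under [vpn-secrets]."""
    section = None
    for raw in keyfile_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "vpn-secrets" and "=" in line:
            name, value = line.split("=", 1)
            if name.strip() == key:
                return [f.strip().upper() for f in value.split("\t") if f.strip()]
    return []


def fingerprint_sha1(der_cert: bytes) -> str:
    """SHA-1 over the DER certificate, upper-case hex like the syslog line."""
    return hashlib.sha1(der_cert).hexdigest().upper()


def classify(observed: Dict[str, str], pinned: List[str]) -> Dict[str, bool]:
    """Map each gateway address to whether the cert it presented is pinned."""
    accepted = {p.upper() for p in pinned}
    return {ip: fp.upper() in accepted for ip, fp in observed.items()}


def resolve_all(hostname: str, port: int = 443) -> List[str]:
    """All IPv4/IPv6 addresses the hostname currently resolves to (network call)."""
    infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def fetch_fingerprint(ip: str, hostname: str, port: int = 443) -> str:
    """Handshake with one address and return its leaf cert's SHA-1 (network call).

    Verification is off on purpose: this records what each address presents,
    it does not trust it or send any credentials.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return fingerprint_sha1(tls.getpeercert(binary_form=True))


def audit_gateway(hostname: str, keyfile_text: str) -> Dict[str, bool]:
    """Resolve every address of the gateway and report which ones are pinned."""
    pinned = parse_pinned_fingerprints(keyfile_text)
    observed = {ip: fetch_fingerprint(ip, hostname) for ip in resolve_all(hostname)}
    return classify(observed, pinned)


if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else "remoteaccessvpn.nih.gov"
    for ip, ok in audit_gateway(host, SAMPLE_KEYFILE).items():
        status = "pinned" if ok else "NOT pinned (a pinning client would refuse this address)"
        print(f"{ip}: {status}")
```

Run it with the gateway hostname as the only argument. If the addresses disagree with each other, the hostname is fronted by several machines with distinct certificates, and a client that pins one fingerprint and then lands on a different address will fail exactly as in the syslog above; the fix on the server side is to put the same certificate on every member, and on the client side to pin every fingerprint the pool presents.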