OpenConnect 4 and 5 don't want to connect to my SSL VPN.

ed bond celpa.firl at gmail.com
Wed May 29 05:41:44 EDT 2013


I am trying to connect to my work VPN via OpenConnect.

If I try to connect without the CSD the error is as follows:

Error: Server asked us to download and run a 'Cisco Secure Desktop' trojan.
This facility is disabled by default for security reasons, so you may wish to enable it.
Failed to obtain WebVPN cookie


If I try to connect with getting the shell to work properly and passing a wrapper, it loads a JNLP and doesn't properly execute.

ebond:vpn ebond$ sudo openconnect --csd-wrapper=asdf.sh --csd-user=root --user=bonde --cafile=/Users/ebond/work/vpn/rsa.pem vpn-usa-west.NOTREAL.COM
Attempting to connect to server 137.69.122.5:443
SSL negotiation with vpn-usa-west.NOTREAL.COM
Connected to HTTPS on vpn-usa-west.NOTREAL.COM
POST https://vpn-usa-west.NOTREAL.COM/
Got HTTP response: HTTP/1.0 302 Temporary moved
Attempting to connect to server 137.69.122.7:443
SSL negotiation with scl02-01i11-vn04.NOTREAL.COM
Connected to HTTPS on scl02-01i11-vn04.NOTREAL.COM
POST https://scl02-01i11-vn04.NOTREAL.COM/
Got HTTP response: HTTP/1.0 302 Object Moved
SSL negotiation with scl02-01i11-vn04.NOTREAL.COM
Connected to HTTPS on scl02-01i11-vn04.NOTREAL.COM
GET https://scl02-01i11-vn04.NOTREAL.COM/+webvpn+/index.html
GET https://scl02-01i11-vn04.NOTREAL.COM/CACHE/sdesktop/install/binaries/sfinst
Trying to run Linux CSD trojan script.
GET https://scl02-01i11-vn04.NOTREAL.COM/+CSCOE+/sdesktop/wait.html
Params
/tmp/csdvpwe38 -ticket "3AE4DA8B75D2785A5205C005" -stub "0" -group "" -certhash "9CE3B7DC697B5FDAA01538E4ECA4B741:" -url "https://scl02-01i11-vn04.NOTREAL.COM/CACHE/sdesktop/install/result.htm" -langselen
working with: -url
"https://scl02-01i11-vn04.NOTREAL.COM/CACHE/sdesktop/install/result.htm"
ok cool trying this
https://scl02-01i11-vn04.NOTREAL.COM/+CSCOE+/sdesktop/webstart.xml?ticket="3AE4DA8B75D2785A5205C005"&stub="0"&group=""&certhash="9CE3B7DC697B5FDAA01538E4ECA4B741:"&langselen=&noCC=1
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
SSL negotiation with scl02-01i11-vn04.NOTREAL.COM
Connected to HTTPS on scl02-01i11-vn04.NOTREAL.COM
GET https://scl02-01i11-vn04.NOTREAL.COM/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
/usr/bin/javaws https://scl02-01i11-vn04.NOTREAL.COM/+CSCOE+/sdesktop/webstart.xml?ticket="3AE4DA8B75D2785A5205C005"&stub="0"&group=""&certhash="9CE3B7DC697B5FDAA01538E4ECA4B741:"&langselen=&noCC=1
SSL negotiation with scl02-01i11-vn04.NOTREAL.COM
Connected to HTTPS on scl02-01i11-vn04.NOTREAL.COM
GET https://scl02-01i11-vn04.NOTREAL.COM/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
SSL negotiation with scl02-01i11-vn04.NOTREAL.COM
#### Java Web Start Error:
#### Unable to load resource: https://scl02-01i11-vn04.NOTREAL.COM/CACHE/sdesktop/install/binaries/extensions/SwordFish.jar
Connected to HTTPS on scl02-01i11-vn04.NOTREAL.COM
GET https://scl02-01i11-vn04.NOTREAL.COM/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...

I have the issue with the following versions:

OpenConnect version v5.00
Using OpenSSL. Features present: TPM (OpenSSL ENGINE not present), DTLS

OpenConnect version v4.07
Using GnuTLS. Features present: PKCS#11, DTLS (using OpenSSL)


If I load the web page from Safari it works. If I connect via the AnyConnect client it works as well.


I can capture the HTTPS traffic via a man-in-the-middle attack as well. I am just having issues generating a CSD wrapper that properly does what is needed, which automatically happens for the website. Anyone have any pointers?

- Firl
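The post's output shows the argument list OpenConnect hands to a `--csd-wrapper` script (`-ticket`, `-stub`, `-group`, `-certhash`, `-url`, `-langselen`) and the `webstart.xml` URL the poster's wrapper assembled from it. The script below is an added example of that argument handling; it is not the poster's `asdf.sh` and not OpenConnect's own `csd-post.sh`. It assumes the flags seen in the "Params" line and that the values arrive wrapped in double quotes, as the post's output suggests. It only parses the arguments, refuses a non-HTTPS result URL, and builds the `webstart.xml` URL in the form the post shows; it does not download or execute anything, which is the part that OpenConnect disables by default.

```shell
#!/bin/sh
# Added example of --csd-wrapper argument handling (not the poster's asdf.sh,
# not OpenConnect's csd-post.sh). Assumed flags: -ticket, -stub, -group,
# -certhash, -url, -langselen, with values wrapped in double quotes.

# Remove one pair of surrounding double quotes from a value.
csd_unquote() {
    v=$1
    v=${v#\"}
    v=${v%\"}
    printf '%s' "$v"
}

# Parse the wrapper's argument list into CSD_* shell variables.
csd_parse_args() {
    CSD_TICKET= CSD_STUB= CSD_GROUP= CSD_CERTHASH= CSD_URL= CSD_LANGSELEN=no
    while [ $# -gt 0 ]; do
        case $1 in
            -ticket|-stub|-group|-certhash|-url)
                [ $# -ge 2 ] || { printf 'missing value for %s\n' "$1" >&2; return 1; }
                val=$(csd_unquote "$2")
                case $1 in
                    -ticket)   CSD_TICKET=$val ;;
                    -stub)     CSD_STUB=$val ;;
                    -group)    CSD_GROUP=$val ;;
                    -certhash) CSD_CERTHASH=$val ;;
                    -url)      CSD_URL=$val ;;
                esac
                shift 2 ;;
            -langselen) CSD_LANGSELEN=yes; shift ;;   # bare flag in the post's output
            *) printf 'unknown CSD argument: %s\n' "$1" >&2; return 1 ;;
        esac
    done
}

# Scheme and host of the -url value, e.g. https://scl02-01i11-vn04.NOTREAL.COM.
# Anything other than https is refused so the wrapper never talks to a
# plaintext endpoint the gateway did not hand out over TLS.
csd_origin() {
    case $1 in
        https://*) ;;
        *) printf 'refusing non-https result URL: %s\n' "$1" >&2; return 1 ;;
    esac
    rest=${1#https://}
    printf 'https://%s' "${rest%%/*}"
}

# Build the webstart.xml URL in the form shown in the post, re-adding the
# quotes around each value. Refuses to build one without a ticket and certhash.
csd_webstart_url() {
    origin=$(csd_origin "$CSD_URL") || return 1
    [ -n "$CSD_TICKET" ] && [ -n "$CSD_CERTHASH" ] || {
        printf 'ticket or certhash missing; not building URL\n' >&2; return 1; }
    printf '%s/+CSCOE+/sdesktop/webstart.xml?ticket="%s"&stub="%s"&group="%s"&certhash="%s"&langselen=&noCC=1' \
        "$origin" "$CSD_TICKET" "$CSD_STUB" "$CSD_GROUP" "$CSD_CERTHASH"
}

# When run as a wrapper, print what would be fetched instead of running javaws.
if [ $# -gt 0 ]; then
    csd_parse_args "$@" && csd_webstart_url && printf '\n'
fi
```

Pointing OpenConnect at this script with `--csd-wrapper` only logs the URL the gateway wants the client to fetch; the actual download and execution of the CSD binaries (the step that fails with the `SwordFish.jar` error above) is deliberately left out.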



