Problem with establishing VPN connections with client
Tony Zhou
tonytzhou at gmail.com
Thu Nov 14 09:11:21 EST 2013
Hi all,
I have problems making various clients connect to ocserv. So far
none of the clients are able to successfully make a VPN connection.
Platform: Debian 7, ocserv 2.1
Tried with Android (AnyConnect ICS+): it can successfully authenticate,
but after accepting the banner the client will prompt "The required license
for this type of VPN client is not available on the secure gateway.
Please contact your network administrator." I guess it's just that Cisco does
not like the idea of a 3rd-party server that can accept AnyConnect client
connections? ;-) Fair enough. Here's the log:
Nov 14 22:48:08 hostname ocserv[13183]: [client.ip.addr]:12385 accepted
connection
Nov 14 22:48:09 hostname ocserv[13183]: GnuTLS error (at
worker-vpn.c:546): A TLS fatal alert has been received.: Unknown certificate
Nov 14 22:48:09 hostname ocserv[13093]: [client.ip.addr]:12385 command
socket closed
Nov 14 22:48:13 hostname ocserv[13184]: [client.ip.addr]:37496 accepted
connection
Nov 14 22:48:13 hostname ocserv[13184]: [client.ip.addr]:37496 TLS
handshake completed
Nov 14 22:48:14 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP:
User-Agent: AnyConnect Android 3.0.09242
Nov 14 22:48:14 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP:
Host: server.ip.addr
Nov 14 22:48:14 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP:
Accept: */*
Nov 14 22:48:14 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP:
Accept-Encoding: identity
Nov 14 22:48:14 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP:
X-Transcend-Version: 1
Nov 14 22:48:14 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP:
X-Transcend-Version: 1
Nov 14 22:48:14 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP:
X-AnyConnect-Identifier-ClientVersion: 3.0.09242
Nov 14 22:48:14 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP:
X-AnyConnect-Identifier-Platform: android
Nov 14 22:48:14 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP:
X-AnyConnect-Identifier-PlatformVersion: 4.3.1
Nov 14 22:48:14 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP:
X-AnyConnect-Identifier-DeviceType: MOTO MB526
Nov 14 22:48:14 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP:
X-AnyConnect-Identifier-Device-UniqueID: someuniqueid
Nov 14 22:48:14 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP:
X-Aggregate-Auth: 1
Nov 14 22:48:14 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP:
Connection: close
Nov 14 22:48:14 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP:
Content-Length: 319
Nov 14 22:48:14 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP:
Content-Type: application/x-www-form-urlencoded
Nov 14 22:48:14 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP POST /
Nov 14 22:48:14 hostname ocserv[13184]: [client.ip.addr]:37496 POST
body: '<?xml version="1.0" encoding="UTF-8"?>#012<config-auth
client="vpn" type="init">#012<device-id platform-version="4.3.1"
device-type="MOTO MB526"
unique-id="someuniqueid">android</device-id>#012<version
who="vpn">3.0.09242</version>#012<group-access>https://server.ip.addr/</group-access>#012</config-auth>#012'
Nov 14 22:48:16 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP:
User-Agent: AnyConnect Android 3.0.09242
Nov 14 22:48:16 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP:
Host: server.ip.addr
Nov 14 22:48:16 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP:
Accept: */*
Nov 14 22:48:16 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP:
Accept-Encoding: identity
Nov 14 22:48:16 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP:
X-Transcend-Version: 1
Nov 14 22:48:16 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP:
X-Transcend-Version: 1
Nov 14 22:48:16 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP:
X-AnyConnect-Identifier-ClientVersion: 3.0.09242
Nov 14 22:48:16 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP:
X-AnyConnect-Identifier-Platform: android
Nov 14 22:48:16 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP:
X-AnyConnect-Identifier-PlatformVersion: 4.3.1
Nov 14 22:48:16 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP:
X-AnyConnect-Identifier-DeviceType: MOTO MB526
Nov 14 22:48:16 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP:
X-AnyConnect-Identifier-Device-UniqueID: someuniqueid
Nov 14 22:48:16 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP:
X-Aggregate-Auth: 1
Nov 14 22:48:16 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP:
Content-Length: 13
Nov 14 22:48:16 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP:
Content-Type: application/x-www-form-urlencoded
Nov 14 22:48:16 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP POST
/auth
Nov 14 22:48:16 hostname ocserv[13093]: [client.ip.addr]:37496 auth init
for user 'tony' from '[client.ip.addr]:37496'
Nov 14 22:48:29 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP:
User-Agent: AnyConnect Android 3.0.09242
Nov 14 22:48:29 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP:
Host: server.ip.addr
Nov 14 22:48:29 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP:
Accept: */*
Nov 14 22:48:29 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP:
Accept-Encoding: identity
Nov 14 22:48:29 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP:
X-Transcend-Version: 1
Nov 14 22:48:29 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP:
X-Transcend-Version: 1
Nov 14 22:48:29 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP:
X-AnyConnect-Identifier-ClientVersion: 3.0.09242
Nov 14 22:48:29 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP:
X-AnyConnect-Identifier-Platform: android
Nov 14 22:48:29 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP:
X-AnyConnect-Identifier-PlatformVersion: 4.3.1
Nov 14 22:48:29 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP:
X-AnyConnect-Identifier-DeviceType: MOTO MB526
Nov 14 22:48:29 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP:
X-AnyConnect-Identifier-Device-UniqueID: someuniqueid
Nov 14 22:48:29 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP:
X-Aggregate-Auth: 1
Nov 14 22:48:29 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP:
Content-Length: 19
Nov 14 22:48:29 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP:
Content-Type: application/x-www-form-urlencoded
Nov 14 22:48:29 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP POST
/auth
Nov 14 22:48:29 hostname ocserv[13184]: [client.ip.addr]:37496 sending
auth request
Nov 14 22:48:29 hostname ocserv[13093]: [client.ip.addr]:37496 auth req
for user 'tony'
Nov 14 22:48:29 hostname ocserv[13093]: pam_radius_auth: DEBUG:
getservbyname(radius, udp) returned -1218834648.
Nov 14 22:48:29 hostname ocserv[13093]: [client.ip.addr]:37496 accepting
user 'tony'
Nov 14 22:48:29 hostname ocserv[13093]: [client.ip.addr]:37496 auth
deinit for user 'tony'
Nov 14 22:48:29 hostname ocserv[13093]: [client.ip.addr]:37496 Selected
IP: [192.168.1.0]:0
Nov 14 22:48:29 hostname ocserv[13093]: [client.ip.addr]:37496 assigning
tun device vpns0
Nov 14 22:48:29 hostname ocserv[13093]: [client.ip.addr]:37496 user
'tony' of group 'tony' authenticated
Nov 14 22:48:29 hostname ocserv[13184]: [client.ip.addr]:37496 User
'tony' logged in
Nov 14 22:48:33 hostname ocserv[13192]: [client.ip.addr]:44997 accepted
connection
Nov 14 22:48:33 hostname ocserv[13192]: [client.ip.addr]:44997 TLS
handshake completed
Nov 14 22:48:34 hostname ocserv[13192]: [client.ip.addr]:44997 HTTP:
User-Agent: AnyConnect Android 3.0.09242
Nov 14 22:48:34 hostname ocserv[13192]: [client.ip.addr]:44997 HTTP:
Host: server.ip.addr
Nov 14 22:48:34 hostname ocserv[13192]: [client.ip.addr]:44997 HTTP:
Accept: */*
Nov 14 22:48:34 hostname ocserv[13192]: [client.ip.addr]:44997 HTTP:
Cookie: webvpn=somesecretcookie
Nov 14 22:48:34 hostname ocserv[13192]: [client.ip.addr]:44997 HTTP GET
/+CSCOT+/translation-table?type=combined-manifest&textdomain=AnyConnect
Nov 14 22:48:34 hostname ocserv[13192]: [client.ip.addr]:44997 requested
fixed string:
/+CSCOT+/translation-table?type=combined-manifest&textdomain=AnyConnect
Nov 14 22:48:34 hostname ocserv[13093]: [client.ip.addr]:44997 command
socket closed
Nov 14 22:48:35 hostname ocserv[13193]: [client.ip.addr]:10753 accepted
connection
Nov 14 22:48:36 hostname ocserv[13193]: [client.ip.addr]:10753 TLS
handshake completed
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 HTTP:
Host: server.ip.addr
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 HTTP:
User-Agent: Cisco AnyConnect VPN Agent for Android 3.0.09242
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 HTTP:
Cookie: webvpn=somesecretcookie
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 HTTP:
X-CSTP-Version: 1
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 HTTP:
X-CSTP-Hostname: localhost
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 HTTP:
X-CSTP-MTU: 1405
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 HTTP:
X-CSTP-Address-Type: IPv6,IPv4
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 HTTP:
X-CSTP-License: mobile
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 HTTP:
X-AnyConnect-Identifier-ClientVersion: 3.0.09242
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 HTTP:
X-AnyConnect-Identifier-Platform: android
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 HTTP:
X-AnyConnect-Identifier-PlatformVersion: 4.3.1
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 HTTP:
X-AnyConnect-Identifier-DeviceType: MOTO MB526
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 HTTP:
X-AnyConnect-Identifier-Device-UniqueID: someuniqueid
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 HTTP:
X-DTLS-Master-Secret: somesecret
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 HTTP:
X-DTLS-CipherSuite: AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 HTTP:
X-DTLS-Accept-Encoding: lzs
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 HTTP:
X-CSTP-Accept-Encoding: lzs,deflate
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 HTTP:
X-CSTP-Protocol: Copyright (c) 2004 Cisco Systems, Inc.
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 HTTP:
X-CSTP-TCP-Keepalive: false
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 HTTP
CONNECT /CSCOSSLC/tunnel
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 sending
cookie authentication request
Nov 14 22:48:37 hostname ocserv[13093]: [client.ip.addr]:10753 accepting
user 'tony'
Nov 14 22:48:37 hostname ocserv[13093]: [client.ip.addr]:10753 auth
deinit for user 'tony'
Nov 14 22:48:37 hostname ocserv[13093]: [client.ip.addr]:10753 Selected
IP: [192.168.1.0]:0
Nov 14 22:48:37 hostname ocserv[13093]: [client.ip.addr]:10753 assigning
tun device vpns1
Nov 14 22:48:37 hostname ocserv[13093]: [client.ip.addr]:10753 user
'tony' of group 'tony' re-authenticated (using cookie)
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 sending
IPv4 192.168.1.1
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 adding
route 192.168.1.0/255.255.255.0
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 peer CSTP
MTU is 1405
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 TCP MSS
is 1375
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 reducing
MTU due to TCP MSS to 1367
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 DTLS
ciphersuite: AES128-SHA
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753
suggesting DTLS MTU 1301
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753
suggesting CSTP MTU 1301
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 plaintext
MTU is 1366
Nov 14 22:48:37 hostname ocserv[13093]: [client.ip.addr]:10753 setting
vpns1 MTU to 1367
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 TCP MSS
is 1375
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 reducing
MTU due to TCP MSS to 1346
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 setting
MTU to 1346
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 received
59 byte(s) (TLS)
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 received
BYE packet; exiting
Nov 14 22:48:37 hostname ocserv[13093]: [client.ip.addr]:10753 setting
vpns1 MTU to 1345
Nov 14 22:48:37 hostname ocserv[13093]: [client.ip.addr]:10753 ioctl
SIOCSIFMTU error: No such device
Nov 14 22:48:37 hostname ocserv[13093]: [client.ip.addr]:10753 command
socket closed
Nov 14 22:48:37 hostname ocserv[13093]: [client.ip.addr]:37496 command
socket closed
Another attempt was made with the Windows client (3.0.08057; the latest,
3.1.04072, won't connect at all), and this one cannot even finish the
authentication process: it repeatedly asks for username/password.
Nov 14 23:06:04 hostname ocserv[13218]: [client.ip.addr]:53934 accepted
connection
Nov 14 23:06:04 hostname ocserv[13218]: [client.ip.addr]:53934 TLS
handshake completed
Nov 14 23:06:04 hostname ocserv[13218]: [client.ip.addr]:53934 error
receiving client data
Nov 14 23:06:04 hostname ocserv[13093]: [client.ip.addr]:53934 command
socket closed
Nov 14 23:06:07 hostname ocserv[13219]: [client.ip.addr]:5566 accepted
connection
Nov 14 23:06:07 hostname ocserv[13219]: [client.ip.addr]:5566 sending
resumption request (fetch)
Nov 14 23:06:07 hostname ocserv[13219]: [client.ip.addr]:5566 TLS
handshake completed
Nov 14 23:06:07 hostname ocserv[13219]: [client.ip.addr]:5566 HTTP:
Cache-Control: no-cache
Nov 14 23:06:07 hostname ocserv[13219]: [client.ip.addr]:5566 HTTP:
Connection: close
Nov 14 23:06:07 hostname ocserv[13219]: [client.ip.addr]:5566 HTTP:
Pragma: no-cache
Nov 14 23:06:07 hostname ocserv[13219]: [client.ip.addr]:5566 HTTP:
User-Agent: AnyConnect Windows 3.0.08057
Nov 14 23:06:07 hostname ocserv[13219]: [client.ip.addr]:5566 HTTP:
X-Transcend-Version: 1
Nov 14 23:06:07 hostname ocserv[13219]: [client.ip.addr]:5566 HTTP:
X-Aggregate-Auth: 1
Nov 14 23:06:07 hostname ocserv[13219]: [client.ip.addr]:5566 HTTP:
X-AnyConnect-Platform: win
Nov 14 23:06:07 hostname ocserv[13219]: [client.ip.addr]:5566 HTTP:
Content-Length: 212
Nov 14 23:06:07 hostname ocserv[13219]: [client.ip.addr]:5566 HTTP:
Host: server.ip.addr
Nov 14 23:06:07 hostname ocserv[13219]: [client.ip.addr]:5566 HTTP POST /
Nov 14 23:06:07 hostname ocserv[13219]: [client.ip.addr]:5566 POST body:
'<?xml version="1.0" encoding="UTF-8"?>#012<config-auth client="vpn"
type="init">#012<device-id>win</device-id>#012<version
who="vpn">3.0.08057</version>#012<group-access>https://server.ip.addr/</group-access>#012</config-auth>#012'
Nov 14 23:06:07 hostname ocserv[13093]: [client.ip.addr]:5566 command
socket closed
Nov 14 23:06:10 hostname ocserv[13220]: [client.ip.addr]:64475 accepted
connection
Nov 14 23:06:10 hostname ocserv[13220]: [client.ip.addr]:64475 sending
resumption request (fetch)
Nov 14 23:06:10 hostname ocserv[13220]: [client.ip.addr]:64475 TLS
handshake completed
Nov 14 23:06:10 hostname ocserv[13220]: [client.ip.addr]:64475 HTTP:
Cache-Control: no-cache
Nov 14 23:06:10 hostname ocserv[13220]: [client.ip.addr]:64475 HTTP:
Connection: Close
Nov 14 23:06:10 hostname ocserv[13220]: [client.ip.addr]:64475 HTTP:
Pragma: no-cache
Nov 14 23:06:10 hostname ocserv[13220]: [client.ip.addr]:64475 HTTP:
User-Agent: AnyConnect Windows 3.0.08057
Nov 14 23:06:10 hostname ocserv[13220]: [client.ip.addr]:64475 HTTP:
X-Transcend-Version: 1
Nov 14 23:06:10 hostname ocserv[13220]: [client.ip.addr]:64475 HTTP:
X-Aggregate-Auth: 1
Nov 14 23:06:10 hostname ocserv[13220]: [client.ip.addr]:64475 HTTP:
X-AnyConnect-Platform: win
Nov 14 23:06:10 hostname ocserv[13220]: [client.ip.addr]:64475 HTTP:
Content-Length: 13
Nov 14 23:06:10 hostname ocserv[13220]: [client.ip.addr]:64475 HTTP:
Host: server.ip.addr
Nov 14 23:06:10 hostname ocserv[13220]: [client.ip.addr]:64475 HTTP POST
/auth
Nov 14 23:06:10 hostname ocserv[13093]: [client.ip.addr]:64475 auth init
for user 'tony' from '[client.ip.addr]:64475'
Nov 14 23:06:10 hostname ocserv[13093]: [client.ip.addr]:64475 command
socket closed
Nov 14 23:06:10 hostname ocserv[13093]: [client.ip.addr]:64475 auth
deinit for user 'tony'
Nov 14 23:06:17 hostname ocserv[13221]: [client.ip.addr]:57886 accepted
connection
Nov 14 23:06:17 hostname ocserv[13221]: [client.ip.addr]:57886 sending
resumption request (fetch)
Nov 14 23:06:17 hostname ocserv[13221]: [client.ip.addr]:57886 TLS
handshake completed
Nov 14 23:06:17 hostname ocserv[13221]: [client.ip.addr]:57886 HTTP:
Cache-Control: no-cache
Nov 14 23:06:17 hostname ocserv[13221]: [client.ip.addr]:57886 HTTP:
Connection: Close
Nov 14 23:06:17 hostname ocserv[13221]: [client.ip.addr]:57886 HTTP:
Pragma: no-cache
Nov 14 23:06:17 hostname ocserv[13221]: [client.ip.addr]:57886 HTTP:
User-Agent: AnyConnect Windows 3.0.08057
Nov 14 23:06:17 hostname ocserv[13221]: [client.ip.addr]:57886 HTTP:
X-Transcend-Version: 1
Nov 14 23:06:17 hostname ocserv[13221]: [client.ip.addr]:57886 HTTP:
X-Aggregate-Auth: 1
Nov 14 23:06:17 hostname ocserv[13221]: [client.ip.addr]:57886 HTTP:
X-AnyConnect-Platform: win
Nov 14 23:06:17 hostname ocserv[13221]: [client.ip.addr]:57886 HTTP:
Content-Length: 17
Nov 14 23:06:17 hostname ocserv[13221]: [client.ip.addr]:57886 HTTP:
Host: server.ip.addr
Nov 14 23:06:17 hostname ocserv[13221]: [client.ip.addr]:57886 HTTP POST
/auth
Nov 14 23:06:17 hostname ocserv[13093]: [client.ip.addr]:57886 command
socket closed
Somehow it started authentication, but immediately closed the socket and
deinited.
Tried with some other clients, including SmoothConnect (an Android 3rd-party
client for connecting to Cisco ASA) and HP webOS, but none of them
work. Don't have the log at hand at this moment...
Any suggestions will be appreciated.
Thanks,
TZ
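As an added example (not part of the post, and not ocserv's own code), here is a small Python triage script for logs of the kind quoted above. It groups ocserv syslog lines into per-connection sessions keyed by the peer's "[addr]:port", attaches peer-less library messages (such as the GnuTLS alert) to the peer that the same worker pid last handled, and labels how each connection ended: a TLS alert before any HTTP, a tunnel that came up and then received BYE, an authentication that was started and abandoned, or a completed login. The sample log is a constructed, condensed subset of the lines in the post with the mail client's wrapping undone; the outcome labels, their priority order and the pid-based attribution of peer-less lines are my assumptions, not ocserv behaviour.

```python
"""Group ocserv syslog lines into per-peer sessions and classify how each ended."""
import re
from collections import Counter

# Constructed sample: a condensed subset of the log lines quoted in the post,
# with the mail client's line wrapping undone so each record is one line.
SAMPLE_LOG = """\
Nov 14 22:48:08 hostname ocserv[13183]: [client.ip.addr]:12385 accepted connection
Nov 14 22:48:09 hostname ocserv[13183]: GnuTLS error (at worker-vpn.c:546): A TLS fatal alert has been received.: Unknown certificate
Nov 14 22:48:09 hostname ocserv[13093]: [client.ip.addr]:12385 command socket closed
Nov 14 22:48:13 hostname ocserv[13184]: [client.ip.addr]:37496 accepted connection
Nov 14 22:48:13 hostname ocserv[13184]: [client.ip.addr]:37496 TLS handshake completed
Nov 14 22:48:14 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP POST /
Nov 14 22:48:16 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP POST /auth
Nov 14 22:48:16 hostname ocserv[13093]: [client.ip.addr]:37496 auth init for user 'tony' from '[client.ip.addr]:37496'
Nov 14 22:48:29 hostname ocserv[13093]: [client.ip.addr]:37496 user 'tony' of group 'tony' authenticated
Nov 14 22:48:29 hostname ocserv[13184]: [client.ip.addr]:37496 User 'tony' logged in
Nov 14 22:48:35 hostname ocserv[13193]: [client.ip.addr]:10753 accepted connection
Nov 14 22:48:36 hostname ocserv[13193]: [client.ip.addr]:10753 TLS handshake completed
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 HTTP: X-CSTP-License: mobile
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 HTTP CONNECT /CSCOSSLC/tunnel
Nov 14 22:48:37 hostname ocserv[13093]: [client.ip.addr]:10753 user 'tony' of group 'tony' re-authenticated (using cookie)
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 received BYE packet; exiting
Nov 14 22:48:37 hostname ocserv[13093]: [client.ip.addr]:10753 ioctl SIOCSIFMTU error: No such device
Nov 14 23:06:10 hostname ocserv[13220]: [client.ip.addr]:64475 accepted connection
Nov 14 23:06:10 hostname ocserv[13220]: [client.ip.addr]:64475 TLS handshake completed
Nov 14 23:06:10 hostname ocserv[13220]: [client.ip.addr]:64475 HTTP POST /auth
Nov 14 23:06:10 hostname ocserv[13093]: [client.ip.addr]:64475 auth init for user 'tony' from '[client.ip.addr]:64475'
Nov 14 23:06:10 hostname ocserv[13093]: [client.ip.addr]:64475 command socket closed
Nov 14 23:06:10 hostname ocserv[13093]: [client.ip.addr]:64475 auth deinit for user 'tony'
"""

# syslog prefix as seen in the post: "<timestamp> <host> ocserv[<pid>]: <message>"
LINE_RE = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ ocserv\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# most messages start with the peer as "[addr]:port "; library errors (GnuTLS) do not
PEER_RE = re.compile(r"^\[(?P<addr>[^\]]+)\]:(?P<port>\d+) (?P<rest>.*)$")


def parse(text):
    """Return (pid, peer_or_None, message) tuples, skipping lines that are not ocserv records."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pm = PEER_RE.match(m.group("msg"))
        if pm:
            out.append((m.group("pid"), f"{pm.group('addr')}:{pm.group('port')}", pm.group("rest")))
        else:
            out.append((m.group("pid"), None, m.group("msg")))
    return out


def sessions(text):
    """Map each peer (addr:port) to the ordered messages that concern it.
    Peer-less messages are attributed to the peer the same worker pid last handled
    (assumption): that is how the GnuTLS alert from pid 13183 lines up with :12385."""
    result = {}
    last_peer = {}
    for pid, peer, msg in parse(text):
        if peer is None:
            peer = last_peer.get(pid)
            if peer is None:
                continue  # nothing to attach it to
        else:
            last_peer[pid] = peer
        result.setdefault(peer, []).append(msg)
    return result


# Outcome checks in priority order; the first matching predicate wins (assumed labels).
OUTCOMES = [
    ("tls-alert", lambda s: any("TLS fatal alert" in m for m in s)),          # died in the handshake
    ("tunnel-up-then-bye", lambda s: any(m.startswith("received BYE packet") for m in s)),
    ("authenticated", lambda s: any("logged in" in m or "re-authenticated" in m for m in s)),
    ("auth-aborted", lambda s: any(m.startswith("auth init") for m in s)),    # started, never finished
    ("http-only", lambda s: any(m.startswith("HTTP ") for m in s)),
]


def classify(msgs):
    for name, pred in OUTCOMES:
        if pred(msgs):
            return name
    return "no-request"


def triage(text):
    """Peer -> outcome label for every connection in the log text."""
    return {peer: classify(msgs) for peer, msgs in sessions(text).items()}


def summarize(text):
    """Count of connections per outcome, for a quick view of what is failing."""
    return dict(Counter(triage(text).values()))


if __name__ == "__main__":
    for peer, outcome in triage(SAMPLE_LOG).items():
        print(f"{peer:24} {outcome}")
    print(summarize(SAMPLE_LOG))
```

Run against a real journal the script separates the four situations the post mixes together: the handshake that never reached HTTP (the client sent a fatal "Unknown certificate" alert, so the first thing to check is whether the client trusts the server certificate), the Android session whose tunnel was fully negotiated before the client sent BYE, the Windows attempts that issued "auth init" and then closed the command socket, and the one session that actually logged in.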