[ocserv] AnyConnect profile editing?

Quan Zhou qzhou at live.de
Wed Aug 13 18:53:17 PDT 2014


Hi,

Background:
I'm currently having a problem with the AnyConnect client on PC/Mac, though it works well on iOS devices.

Symptoms:
1. On Windows, after the first successful session, AnyConnect will no longer work and keeps saying that the network requires web authentication.

2. On Mac, the same problem as on Windows, but
2.1 I can try once with an arbitrary address that doesn't have an AnyConnect service, like fjdsaklfsdjk
2.2 after AnyConnect has failed to connect to that non-existent server,
2.3 I reconnect to the original good server
2.4 and the connection will then be established without further errors.

3. I have assigned a /48 IPv6 pool in ocserv; that /48 came from my ISP and works on other machines.
3.1 Once a successful connection has been established, the client has obtained a valid IPv6 address.
3.2 In the details, "Secured connect" is ::/0, meaning all IPv6 traffic is routed to ocserv by default, but
3.3 clients cannot connect to any v6 sites, nor can they ping6.

The first two symptoms could be related to a certificate problem; however, after I imported the server CA into the trusted list, the problem persists.

I'll attach my profile and .conf; hopefully someone will kindly help me through this interesting yet very difficult problem.

Warm Regards,

Quan Zhou

Attachment 1 <profile.xml>:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">

    <ClientInitialization>
        <AutoUpdate>true</AutoUpdate>
        <BypassDownloader>true</BypassDownloader>
        <UseStartBeforeLogon>false</UseStartBeforeLogon>
        <StrictCertificateTrust>false</StrictCertificateTrust>
        <RestrictPreferenceCaching>false</RestrictPreferenceCaching>
        <RestrictTunnelProtocols>IPSec</RestrictTunnelProtocols>
        <CertEnrollmentPin>pinAllowed</CertEnrollmentPin>
        <CertificateMatch>
            <KeyUsage>
                <MatchKey>Digital_Signature</MatchKey>
            </KeyUsage>
            <ExtendedKeyUsage>
                <ExtendedMatchKey>ServerAuth</ExtendedMatchKey>
            </ExtendedKeyUsage>
        </CertificateMatch>
    </ClientInitialization>
    <ServerList>
        <HostEntry>
            <HostName>hostname.example.org</HostName>
        </HostEntry>
    </ServerList>
</AnyConnectProfile>

Attachment 2 <ocserv.conf>:

auth = "plain[/etc/ocserv/ocpasswd]"
max-clients = 16
max-same-clients = 5
tcp-port = 8443
udp-port = 443
keepalive = 32400
dpd = 90
mobile-dpd = 1800
try-mtu-discovery = true
server-cert = /etc/ssl/certs/server-cert.pem
server-key = /etc/ssl/private/server-key.pem
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
auth-timeout = 40
use-utmp = true
pid-file = /var/run/ocserv.pid
socket-file = /var/run/ocserv-socket
run-as-user = nobody
run-as-group = nogroup
device = vpns
ipv4-network = 10.88.0.0
ipv4-netmask = 255.255.255.0
dns = 8.8.8.8
dns = 8.8.4.4
# Original IPv6 address replaced with the address from rfc3849
ipv6-network = 2001:DB8::
ipv6-prefix = 64
ipv6-dns = 2001:DB8::2
ipv6-dns = 2001:DB8::2
output-buffer = 10
route-add-cmd = "ip route add %R dev %D"
route-del-cmd = "ip route delete %R dev %D"
user-profile = /etc/ocserv/profile.xml
cisco-client-compat = true
custom-header = "X-DTLS-MTU: 1360"
custom-header = "X-CSTP-MTU: 1360"
custom-header = "X-CSTP-Split-Exclude: 192.168.0.0/255.255.0.0"

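As an added example (not part of the post, and not ocserv or Cisco tooling), the script below parses excerpts of the two attachments above in their own formats, ocserv's repeated `key = value` lines and the namespaced AnyConnect profile XML, and lists the settings a reviewer would want to look at before chasing the connection failures: the duplicated ipv6-dns line, the %COMPAT TLS priority, TLS and DTLS on different ports, and StrictCertificateTrust=false on the client. The finding messages are this example's own wording.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed test input: excerpts copied from the two attachments in the post.
OCSERV_CONF = """\
auth = "plain[/etc/ocserv/ocpasswd]"
tcp-port = 8443
udp-port = 443
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
ipv6-network = 2001:DB8::
ipv6-prefix = 64
ipv6-dns = 2001:DB8::2
ipv6-dns = 2001:DB8::2
custom-header = "X-DTLS-MTU: 1360"
custom-header = "X-CSTP-MTU: 1360"
"""
PROFILE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <StrictCertificateTrust>false</StrictCertificateTrust>
  </ClientInitialization>
</AnyConnectProfile>"""
NS = {"a": "http://schemas.xmlsoap.org/encoding/"}  # profile's default namespace

def parse_ocserv_conf(text):
    """ocserv.conf is `key = value`; `#` starts a comment and keys such as dns
    or custom-header may legitimately repeat, so each key maps to a list."""
    conf = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # no quoted value here contains '#'
        if not line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()].append(value.strip().strip('"'))
    return conf

def review(conf_text, profile_text):
    """Return review findings for the server config and the client profile."""
    conf = parse_ocserv_conf(conf_text)
    # A key repeated with the *same* value is a copy-paste slip, not a feature.
    findings = [f"duplicate {k} = {v[0]}" for k, v in conf.items()
                if len(v) != len(set(v))]
    if any("%COMPAT" in v for v in conf["tls-priorities"]):
        findings.append("tls-priorities enables %COMPAT workarounds")
    if conf["tcp-port"] != conf["udp-port"]:
        findings.append("DTLS (udp-port) and TLS (tcp-port) use different ports; verify both pass the firewall")
    root = ET.fromstring(profile_text)
    sct = root.findtext("a:ClientInitialization/a:StrictCertificateTrust", "", NS)
    if sct.strip().lower() == "false":
        findings.append("StrictCertificateTrust=false lets the client continue with an untrusted server certificate")
    return findings
```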