Unable to connect from AnyConnect 3.0 and 3.1 Windows Clients to ocserv 0.2.4 and git head
Thomas Glanzmann
thomas at glanzmann.de
Sat Jan 11 12:08:22 EST 2014
Hello,
I compiled ocserv git head and 0.2.4 on Debian Wheezy using the gnutls
library from backports, I configured it and I'm able to connect using the
Android AnyConnect Client without any issue; however, I'm not able to
connect using AnyConnect 3.0 and 3.1 from a Windows 7 PC. My config is:
auth = "pam"
listen-host = 78.47.70.72
max-clients = 16
max-same-clients = 0
tcp-port = 443
udp-port = 443
keepalive = 32400
dpd = 440
try-mtu-discovery = false
server-cert = /home/sithglan/work/certificates/wildcard_2013-02-17/half_chain.pem
server-key = /home/sithglan/work/certificates/wildcard_2013-02-17/server.key
dh-params = /local/ocserv-2014-01-11/etc/dh.pem
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
auth-timeout = 40
cookie-validity = 172800
use-utmp = true
use-dbus = true
pid-file = /var/run/ocserv.pid
socket-file = /var/run/ocserv-socket
run-as-user = nobody
run-as-group = nogroup
device = vpns
default-domain = gmvl.de
ipv4-network = 10.12.12.0
ipv4-netmask = 255.255.255.0
ipv4-dns = local
ping-leases = false
output-buffer = 10
route = 0.0.0.0/0.0.0.0
config-per-user = /local/ocserv-2014-01-11/etc/config-per-user/
config-per-group = /local/ocserv-2014-01-11/etc/config-per-group/
route-add-cmd = "ip route add %R dev %D"
route-del-cmd = "ip route delete %R dev %D"
user-profile = /local/ocserv-2014-01-11/etc/profile.xml
always-require-cert = false
profile.xml is:
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
<ClientInitialization>
<UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>
<StrictCertificateTrust>false</StrictCertificateTrust>
<RestrictPreferenceCaching>false</RestrictPreferenceCaching>
<RestrictTunnelProtocols>IPSec</RestrictTunnelProtocols>
<BypassDownloader>true</BypassDownloader>
<CertEnrollmentPin>pinAllowed</CertEnrollmentPin>
<CertificateMatch>
<KeyUsage>
<MatchKey>Digital_Signature</MatchKey>
</KeyUsage>
<ExtendedKeyUsage>
<ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
</ExtendedKeyUsage>
</CertificateMatch>
<BackupServerList>
<HostAddress>localhost</HostAddress>
</BackupServerList>
</ClientInitialization>
<ServerList>
<HostEntry>
<HostName>view-01.gmvl.de</HostName>
<HostAddress>view-01.gmvl.de</HostAddress>
</HostEntry>
</ServerList>
</AnyConnectProfile>
My server cert has the certificate itself and the intermediate certificate in
it. I tried to use a wildcard and a certificate with only one CN. Here
is the debug log:
http://pbot.rmdir.de/PhPvw1B5B14p5be5FCCepw
I tried with and without DH. The debug log is without DH.
When I connect using Cisco AnyConnect on Windows, I'm asked for a username and
a password. Once I type them in it prompts me again for a username. I made sure
that I opened all ports in both of my firewalls.
I would appreciate it if someone could tell me what I'm doing wrong.
Cheers,
Thomas