Unable to connect from AnyConnect 3.0 and 3.1 Windows Clients to ocserv 0.2.4 and git head

Thomas Glanzmann thomas at glanzmann.de
Sat Jan 11 14:42:27 EST 2014


Hello,
in order to find the problem I tapped into the SSL channel using socat
and tcpdump and extracted the handshake:

Client:
POST / HTTP/1.1
Cache-Control: no-cache
Connection: close
Pragma: no-cache
User-Agent: AnyConnect Windows 3.0.07059
X-Transcend-Version: 1
X-Aggregate-Auth: 1
X-AnyConnect-Platform: win
Content-Length: 243
Host: lync.gmvl.de

<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="init">
<device-id>win</device-id>
<version who="vpn">3.0.07059</version>
<group-select>full</group-select>
<group-access>https://lync.gmvl.de</group-access>
</config-auth>

Server:
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Type: text/xml
Content-Length: 209
X-Transcend-Version: 1

<?xml version="1.0" encoding="UTF-8"?>
<auth id="main">
<message>Please enter your username</message>
<form method="post" action="/auth">
<input type="text" name="username" label="Username:" />
</form></auth>

Client:
POST /auth HTTP/1.1
Cache-Control: no-cache
Connection: Close
Pragma: no-cache
User-Agent: AnyConnect Windows 3.0.07059
X-Transcend-Version: 1
X-Aggregate-Auth: 1
X-AnyConnect-Platform: win
Content-Length: 17
Host: lync.gmvl.de

username=sithglan

Server:
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Type: text/xml
Content-Length: 213
X-Transcend-Version: 1

<?xml version="1.0" encoding="UTF-8"?>
<auth id="main">
<message>Please enter your password</message>
<form method="post" action="/auth">
<input type="password" name="password" label="Password:" />
</form></auth>

Client:
POST /auth HTTP/1.1
Cache-Control: no-cache
Connection: Close
Pragma: no-cache
User-Agent: AnyConnect Windows 3.0.07059
X-Transcend-Version: 1
X-Aggregate-Auth: 1
X-AnyConnect-Platform: win
Content-Length: 19
Host: lync.gmvl.de

password=password

Server:
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Type: text/xml
Content-Length: 209
X-Transcend-Version: 1

<?xml version="1.0" encoding="UTF-8"?>
<auth id="main">
<message>Please enter your username</message>
<form method="post" action="/auth">
<input type="text" name="username" label="Username:" />
</form></auth>

What I don't like here is that it is just using a post but on [1] it says it
should use a format similar to:

<config-auth client="vpn" type="auth-reply">
    <version who="vpn">v5.01</version>
    <device-id>linux-64</device-id>
    <auth><username>test</username></auth>
</config-auth>

[1] http://nmav.gnutls.org/2013/11/inside-ssl-vpn-protocol.html

Then I tapped into my working Cisco ASA and tried again and got [I removed the
chunked encoding indicators]:

Client:
POST / HTTP/1.1
Cache-Control: no-cache
Connection: close
Pragma: no-cache
User-Agent: AnyConnect Windows 3.0.07059
X-Transcend-Version: 1
X-Aggregate-Auth: 1
X-AnyConnect-Platform: win
Content-Length: 243
Host: lync.gmvl.de

<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="init">
<device-id>win</device-id>
<version who="vpn">3.0.07059</version>
<group-select>full</group-select>
<group-access>https://lync.gmvl.de</group-access>
</config-auth>

Server:
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Sat, 11 Jan 2014 18:59:34 GMT
X-Aggregate-Auth: 1

<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="auth-request">
<version who="sg">9.1(3)</version>
<opaque is-for="sg">
<tunnel-group>FullProfile</tunnel-group>
<group-alias>full</group-alias>
<config-hash>1389266861559</config-hash>
</opaque>
<auth id="main">
<form>
<input type="text" name="username" label="Username:"></input>
<input type="password" name="password" label="Password:"></input>
<select name="group_list" label="GROUP:">
<option>eclogic</option>
<option>fallback</option>
<option selected="true">full</option>
<option>split</option>
<option>svdc</option>
<option>vcloud</option>
<option>vl</option>
</select>
</form>
</auth>
</config-auth>

Client:
POST / HTTP/1.1
Cache-Control: no-cache
Connection: Close
Pragma: no-cache
User-Agent: AnyConnect Windows 3.0.07059
X-Transcend-Version: 1
X-Aggregate-Auth: 1
X-AnyConnect-Platform: win
Content-Length: 503
Host: lync.gmvl.de

<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="auth-reply">
<device-id>win</device-id>
<version who="vpn">3.0.07059</version>
<session-token></session-token>
<session-id></session-id>
<opaque is-for="sg">

<tunnel-group>FullProfile</tunnel-group>
<group-alias>full</group-alias>
<config-hash>1389266861559</config-hash></opaque>
<auth>
<password><![CDATA[password]]></password>
<username><![CDATA[sithglan]]></username></auth>
<group-select>full</group-select>
</config-auth>

Server:
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Sat, 11 Jan 2014 18:59:39 GMT
X-Aggregate-Auth: 1

<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="complete">
<version who="sg">9.1(3)</version>
<session-id>12288</session-id>
<session-token>02F9D1@12288@188C@D7B405A4A46480CF364F1A6FD51998A0025DC727</session-token>
<auth id="success">
<message id="0" param1="" param2=""></message>
</auth>
<config client="vpn" type="private">
<vpn-base-config>
<base-package-uri>/CACHE/stc/1</base-package-uri>
<server-cert-hash>2AE259E8BCA295F6EBABDE16CE9A8950B8BF9ADB</server-cert-hash>
</vpn-base-config>
<opaque is-for="vpn-client"><service-profile-manifest>
<ServiceProfiles rev="1.0">
  <Profile service-type="user">
    <FileName></FileName>
    <FileExtension>xml</FileExtension>
    <Directory></Directory>
    <DeployDirectory></DeployDirectory>
    <Description>AnyConnect VPN Profile</Description>
    <DownloadRemoveEmpty>false</DownloadRemoveEmpty>
  </Profile>
  <Profile service-type="nam">
    <FileName>configuration.xml</FileName>
    <FileExtension>nsp</FileExtension>
    <Directory>Network Access Manager\system</Directory>
    <DeployDirectory>Network Access Manager\newConfigFiles</DeployDirectory>
    <Description>NAM Service Profile</Description>
    <DownloadRemoveEmpty>false</DownloadRemoveEmpty>
  </Profile>
  <Profile service-type="telemetry">
    <FileName>Telemetry_ServiceProfile.xml</FileName>
    <FileExtension>tsp</FileExtension>
    <Directory>Telemetry</Directory>
    <DeployDirectory>Telemetry</DeployDirectory>
    <Description>Telemetry Service Profile</Description>
    <DownloadRemoveEmpty>false</DownloadRemoveEmpty>
  </Profile>
  <Profile service-type="websecurity">
    <FileName>WebSecurity_ServiceProfile.wso</FileName>
    <FileExtension>wsp</FileExtension>
    <DerivedFileExtension>wso</DerivedFileExtension>
    <Directory>Web Security</Directory>
    <DeployDirectory>Web Security</DeployDirectory>
    <Description>Web Security Service Profile</Description>
    <DownloadRemoveEmpty>false</DownloadRemoveEmpty>
  </Profile>
</ServiceProfiles>

</service-profile-manifest>
<vpn-client-pkg-version>
<pkgversion>3,0,07059</pkgversion>
</vpn-client-pkg-version>
<vpn-core-manifest>
<vpn rev="1.0">
  <file version="3.0.07059" id="VPNCore" is_core="yes" type="exe" action="install">
    <uri>binaries/anyconnect-win-3.0.07059-web-deploy-k9.exe</uri>
    <display-name>AnyConnect Secure Mobility Client</display-name>
  </file>
  <file version="3.0.07059" id="gina" is_core="no" type="exe" action="install" module="vpngina">
    <uri>binaries/anyconnect-gina-win-3.0.07059-web-deploy-k9.exe</uri>
    <display-name>AnyConnect SBL</display-name>
  </file>
  <file version="3.0.07059" id="DART" is_core="no" type="msi" action="install" module="dart">
    <uri>binaries/anyconnect-dart-win-3.0.07059-k9.msi</uri>
    <display-name>AnyConnect DART</display-name>
  </file>
  <file version="3.0.07059" id="Posture" is_core="no" type="msi" action="install" module="posture">
    <uri>binaries/anyconnect-posture-win-3.0.07059-web-deploy-k9.msi</uri>
    <display-name>AnyConnect Posture</display-name>
  </file>
  <file version="3.0.07059" id="Telemetry" is_core="no" type="exe" action="install" module="telemetry">
    <uri>binaries/anyconnect-telemetry-win-3.0.07059-web-deploy-k9.exe</uri>
    <display-name>AnyConnect Telemetry</display-name>
  </file>
  <file version="3.0.07059" id="WebSecurity" is_core="no" type="exe" action="install" module="websecurity">
    <uri>binaries/anyconnect-websecurity-win-3.0.07059-web-deploy-k9.exe</uri>
    <display-name>AnyConnect Web Security</display-name>
  </file>
  <file version="3.0.07059" id="NAM" is_core="no" type="msi" action="install" module="nam">
    <uri>binaries/anyconnect-nam-win-3.0.07059-k9.msi</uri>
    <display-name>AnyConnect Network Access Manager</display-name>
  </file>
</vpn>
</vpn-core-manifest>
<custom-attr></custom-attr>
</opaque>
<vpn-profile-manifest>
<vpn rev="1.0">
<file type="profile" service-type="user">
<uri>/CACHE/stc/profiles/GlanzmannProfile.xml</uri>
<hash type="sha1">D7BF8E3C710D4E980563C370F5A5F5C529501B9A</hash>
</file>
</vpn>
</vpn-profile-manifest>
</config>
</config-auth>

Client:
CONNECT /CSCOSSLC/tunnel HTTP/1.1
Host: lync.gmvl.de
User-Agent: Cisco AnyConnect VPN Agent for Windows 3.0.07059
Cookie: webvpn=02F9D1@12288@188C@D7B405A4A46480CF364F1A6FD51998A0025DC727
X-CSTP-Version: 1
X-CSTP-Hostname: lenovo
X-CSTP-MTU: 1306
X-CSTP-Address-Type: IPv6,IPv4
X-DTLS-Master-Secret: D40F07275F15A18F5872905B79FDAC4FD8C33EA13503DF29878C10FE6DA1D025B1128C66AB06E3EB1CEBBBFFF00CBC08
X-DTLS-CipherSuite: AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA
X-DTLS-Accept-Encoding: lzs
X-CSTP-Accept-Encoding: lzs,deflate
X-CSTP-Protocol: Copyright (c) 2004 Cisco Systems, Inc.

Server:
HTTP/1.1 200 OK
Server: ASA (9.1(3))
X-CSTP-Version: 1
X-CSTP-Protocol: Copyright (c) 2004 Cisco Systems, Inc.
X-CSTP-Address: 10.11.11.1
X-CSTP-Netmask: 255.255.255.0
X-CSTP-Address: 2a01:x:y:z::1
X-CSTP-Netmask: 2a01:x:y:z::1/64
X-CSTP-DNS: 10.10.10.1
X-CSTP-Lease-Duration: 1209600
X-CSTP-Session-Timeout: none
X-CSTP-Idle-Timeout: 1800
X-CSTP-Disconnected-Timeout: 1800
X-CSTP-Keep: true
X-CSTP-Tunnel-All-DNS: false
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-CSTP-MSIE-Proxy-Lockdown: true
X-CSTP-Smartcard-Removal-Disconnect: true
X-DTLS-Session-ID: 830073086B06ACC6188764C23C54CED37CB98A152487D68B7DF631BA9DCF0243
X-DTLS-Port: 443
X-DTLS-Keepalive: 20
X-DTLS-DPD: 30
X-CSTP-MTU: 1306
X-DTLS-CipherSuite: AES128-SHA
X-CSTP-Routing-Filtering-Ignore: false
X-CSTP-Quarantine: false
X-CSTP-Disable-Always-On-VPN: false
X-CSTP-TCP-Keepalive: true

So the initial handshake looks completely different. Any ideas what I'm
doing wrong?

Cheers,
        Thomas
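As an added example (not ocserv's code and not from the post above), a small Python model of the aggregate-auth exchange the ASA capture shows: the server recognises a client that sent X-Aggregate-Auth: 1 with a config-auth init body, answers with a config-auth auth-request that carries an opaque block plus the username/password/group form, and then reads the auth-reply, checking that the opaque block came back. The sample bodies are constructed from the capture; the config-hash value and the group list are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample, body only: the client's first POST from the capture above.
INIT_BODY = ('<?xml version="1.0" encoding="UTF-8"?>'
             '<config-auth client="vpn" type="init"><device-id>win</device-id>'
             '<version who="vpn">3.0.07059</version><group-select>full</group-select>'
             '<group-access>https://lync.gmvl.de</group-access></config-auth>')
# Constructed sample: a client auth-reply shaped like the one the ASA received.
REPLY_BODY = ('<?xml version="1.0" encoding="UTF-8"?>'
              '<config-auth client="vpn" type="auth-reply"><device-id>win</device-id>'
              '<opaque is-for="sg"><tunnel-group>FullProfile</tunnel-group>'
              '<group-alias>full</group-alias><config-hash>HASH-1</config-hash></opaque>'
              '<auth><password><![CDATA[password]]></password>'
              '<username><![CDATA[sithglan]]></username></auth>'
              '<group-select>full</group-select></config-auth>')

def wants_aggregate_auth(headers, body):
    # AnyConnect expects the XML dialogue only when it sent X-Aggregate-Auth: 1
    # together with a <config-auth type="init"> body (header names lower-cased).
    if headers.get("x-aggregate-auth") != "1":
        return False
    root = ET.fromstring(body.encode())
    return root.tag == "config-auth" and root.get("type") == "init"

def build_auth_request(group, tunnel_group, groups, config_hash):
    # Server reply in the ASA form seen in the capture: an auth-request carrying
    # an <opaque> block for the client to echo, plus the username/password/group form.
    root = ET.Element("config-auth", client="vpn", type="auth-request")
    ET.SubElement(root, "version", who="sg").text = "9.1(3)"
    opaque = ET.SubElement(root, "opaque", {"is-for": "sg"})
    ET.SubElement(opaque, "tunnel-group").text = tunnel_group
    ET.SubElement(opaque, "group-alias").text = group
    ET.SubElement(opaque, "config-hash").text = config_hash
    form = ET.SubElement(ET.SubElement(root, "auth", id="main"), "form")
    ET.SubElement(form, "input", type="text", name="username", label="Username:")
    ET.SubElement(form, "input", type="password", name="password", label="Password:")
    sel = ET.SubElement(form, "select", name="group_list", label="GROUP:")
    for g in groups:  # the group the client asked for is pre-selected
        ET.SubElement(sel, "option", **({"selected": "true"} if g == group else {})).text = g
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")

def parse_auth_reply(body, expected_hash):
    # Take credentials and group from the auth-reply, after checking that the
    # <opaque> block came back unchanged (the capture shows the client echoing it).
    root = ET.fromstring(body.encode())
    if root.get("type") != "auth-reply":
        raise ValueError("expected config-auth type=auth-reply")
    if root.findtext("opaque/config-hash") != expected_hash:
        raise ValueError("opaque block not echoed back")
    return root.findtext("auth/username"), root.findtext("auth/password"), root.findtext("group-select")
```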