Juniper SSL VPN login fails
Tom Metro
tmetro at tommetro.com
Thu Apr 9 14:33:18 PDT 2015
First, my complements to the developers for taking the time to reverse
engineer this proprietary protocol and giving us an open alternative.
I'm running OpenConnect built from the 7.05 tarball on 32-bit Lubuntu 14.10.
Several weeks ago I tried using OpenConnect to connect to a business
partner's Juniper VPN server using some test credentials, and all worked
fine.
Yesterday they supplied the real credentials, along with a certificate
(test setup didn't use a cert), and a different VPN server URL, and now
I get "Failed to obtain WebVPN cookie."
Below is a redacted transcript of the session. I've skimmed through the
list archives and didn't see any relevant postings. (I also did a web
search on the above error messages and a few of the messages that appear
upstream of it in the log.)
I see on:
http://www.infradead.org/openconnect/juniper.html
a section regarding "Host Checker." What would be the displayed error
message if that was required?
(The link to the repository for the tncc-wrapper.py script seems to be
obsolete. I found a copy here:
http://git.infradead.org/users/dwmw2/openconnect.git/blob_plain/HEAD:/tncc-wrapper.py
It was also unclear whether this approach needs just that script, or
also the compiled libraries from the ncsvc-socks-wrapper project.
Running OpenConnect with the addition of '--useragent 'Mozilla/5.0
(Linux) Firefox' --csd-wrapper=../tncc-wrapper/tncc-wrapper.py' has no
apparent impact on the behavior or logged transcript.)
(It may also be relevant to note that I'm also seeing a failure when I
attempt a traditional login to this VPN via a web browser. When I tried
connecting to the partner's test server via Firefox, it successfully
authenticated and launched the Java VPN client. Now it is successfully
authenticating (including accepting the installed certificate), but not
launching the Java app.
While debugging this I also tried using the partner's VPN server that
they use for employees, rather than business partners, and in that case
it launched tncc.jar, but never went beyond that. This might suggest
they don't have tncc.jar as a requirement for the VPN connections with
partners.)
Transcript:
$ sudo ./openconnect -v -v --juniper -c /path/cert.pfx --disable-ipv6
https://example.com/dana-na/auth/url_3/welcome.cgi
WARNING: Juniper Network Connect support is experimental.
It will probably be superseded by Junos Pulse support.
GET https://example.com/dana-na/auth/url_3/welcome.cgi
Attempting to connect to server 167.79.177.50:443
Using certificate file /path/cert.pfx
Enter PKCS#12 pass phrase:
Using client certificate 'cert'
SSL negotiation with example.com
Connected to HTTPS on example.com
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Thu, 09 Apr 2015 21:01:21 GMT
x-frame-options: SAMEORIGIN
Connection: close
Pragma: no-cache
Cache-Control: no-store
Expires: -1
HTTP body http 1.0 (-1)
SSL socket closed uncleanly
frmLogin
username:myid
password:
POST https://example.com/dana-na/auth/url_3/login.cgi
SSL negotiation with example.com
Connected to HTTPS on example.com
Failed to read from SSL socket: Rehandshake was requested by the peer.
Error fetching HTTPS response
Failed to obtain WebVPN cookie
Suggestions?
Thanks,
-Tom
More information about the openconnect-devel
mailing list