Connecting with Linux when the CSD is available

Andrew Falk falk0069 at gmail.com
Fri Dec 4 18:24:13 PST 2015


Hello openconnect team,

Here is a quick summary of what I've sent previously:  

My company doesn't officially support Linux when connecting to a Cisco
Anywhere VPN.  I'm told if I can get it to work, it is fine, but they are
not going to support me.  So, what I've done is I referenced this thread
between David and Fromzy:
(switch to http)
hxxp://openconnect-devel.infradead.narkive.com/HaRKFi2f/csd-use-and-impossible-to-connect-linux

The problem I was having is openconnect would fail to continue if the CSD
could not be downloaded.  This is what the log showed:
GET hxxps://vpn.company.com/CACHE/sdesktop/install/binaries/sfinst
Got HTTP response: HTTP/1.1 404 Not Found (does not exist)
X-Transcend-Version: 1
HTTP body http 1.0 (-1)
Cannot receive HTTP 1.0 body without closing connection
Failed to obtain WebVPN cookie

I originally modified the code directly to skip the download but later found
out that I could simply use "os=android" on the command line.  Once I got
past that I ended up using sslsplit and capturing a Windows session
connecting.  I then basically ran curl in the wrapper script using these
post values:

run_curl --data-ascii @- "https://$CSD_HOSTNAME/+CSCOE+/sdesktop/scan.xml?reusebrowser=1" <<-END
endpoint.policy.location="Default";
endpoint.enforce="success";
endpoint.fw["MSWindowsFW"]={};
endpoint.fw["MSWindowsFW"].exists="true";
endpoint.fw["MSWindowsFW"].enabled="ok";
endpoint.as["MicrosoftAS"]={};
endpoint.as["MicrosoftAS"].exists="true";
endpoint.as["MicrosoftAS"].activescan="ok";
endpoint.av["MicrosoftAV"]={};
endpoint.av["MicrosoftAV"].exists="true";
endpoint.av["MicrosoftAV"].activescan="ok";
END

I got two other co-workers hooked up this way as well and we are all
successfully able to connect now.  I'm having my co-workers use the
"--os=android" flag, but I question if this isn't going to lead to other
issues in the future.  All I want to do is continue if the CSD failed to
download or skip it altogether.

What I'd like to eventually do is put together a tutorial for other Linux
users who are stuck.  I spent a long time getting this to work and I think
others might find it useful.

My next goal is to get this to work with network-manager but I'm still stuck
on how to correctly update the version of openconnect it uses and how to
pass in optional commandline arguments.

For now do you think it would make sense to add in a new commandline
argument?  Maybe something like "--csd-skip-download"?  I'm fine continuing
to use "--os=android", but it seems a bit odd.

I can reply to this thread sometime in the future once I complete my
tutorial.

Thanks

--Andy
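The posture body posted above is the whole of what the VPN head end learns about the client: every line is a client-asserted "path=value;" statement, including endpoint.enforce="success" itself. The following is an added example, not code from this post or from the OpenConnect project: a small parser for that line format plus a hypothetical server-side audit heuristic that cross-checks the products a report asserts against the platform the client declared when it connected. The sample report is constructed from the lines quoted in the post; the WINDOWS_ONLY_PRODUCTS set, the declared_os parameter and the audit rules are assumptions for illustration, not anything Cisco or OpenConnect implements.

```python
import re

# Constructed sample: the posture body format quoted in the post above
# (line-oriented "path=value;" assignments; a value is a quoted string or "{}").
SAMPLE_REPORT = """\
endpoint.policy.location="Default";
endpoint.enforce="success";
endpoint.fw["MSWindowsFW"]={};
endpoint.fw["MSWindowsFW"].exists="true";
endpoint.fw["MSWindowsFW"].enabled="ok";
endpoint.as["MicrosoftAS"]={};
endpoint.as["MicrosoftAS"].exists="true";
endpoint.as["MicrosoftAS"].activescan="ok";
endpoint.av["MicrosoftAV"]={};
endpoint.av["MicrosoftAV"].exists="true";
endpoint.av["MicrosoftAV"].activescan="ok";
"""

# One dotted path segment: an identifier, optionally followed by a ["quoted key"] subscript.
# Limitation: subscript keys containing a '.' are not supported (none appear in the post).
_SEGMENT = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)(?:\["([^"]*)"\])?')
_LINE = re.compile(r'^\s*([^=]+?)\s*=\s*(.*?);?\s*$')


def _split_path(path):
    """Turn endpoint.fw["MSWindowsFW"].exists into ['endpoint', 'fw', 'MSWindowsFW', 'exists']."""
    keys = []
    for part in path.split('.'):
        m = _SEGMENT.fullmatch(part)
        if not m:
            raise ValueError("bad path segment: %r" % part)
        keys.append(m.group(1))
        if m.group(2) is not None:
            keys.append(m.group(2))
    return keys


def _parse_value(raw):
    """Only the two value shapes seen in the post: "{}" (empty object) or a quoted string."""
    if raw == '{}':
        return {}
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    raise ValueError("unsupported value: %r" % raw)


def parse_posture_report(text):
    """Parse the line-oriented posture body into nested dicts."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("line %d: not an assignment: %r" % (lineno, line))
        keys = _split_path(m.group(1))
        value = _parse_value(m.group(2))
        node = report
        for key in keys[:-1]:
            node = node.setdefault(key, {})
            if not isinstance(node, dict):
                raise ValueError("line %d: %r is not an object" % (lineno, key))
        leaf = keys[-1]
        if isinstance(value, dict) and isinstance(node.get(leaf), dict):
            continue  # a bare "{}" only declares the object; keep children already set
        node[leaf] = value
    return report


# Hypothetical heuristic (an assumption for this example, not a Cisco or OpenConnect rule):
# the server only sees what the client asserts, so at minimum cross-check the asserted
# products against the platform the client declared at connect time.
WINDOWS_ONLY_PRODUCTS = {"MSWindowsFW", "MicrosoftAS", "MicrosoftAV"}  # constructed list


def audit_posture(report, declared_os):
    """Return a list of findings; an empty list means nothing looked inconsistent."""
    findings = []
    ep = report.get("endpoint", {})
    asserted = set()
    for category in ("fw", "as", "av"):
        asserted.update(ep.get(category, {}).keys())
    if declared_os.lower() != "windows":
        win = sorted(asserted & WINDOWS_ONLY_PRODUCTS)
        if win:
            findings.append("client declared %s but asserts Windows-only products: %s"
                            % (declared_os, ", ".join(win)))
    if ep.get("enforce") == "success" and not asserted:
        findings.append("enforce=success asserted without any product entries")
    return findings


if __name__ == "__main__":
    parsed = parse_posture_report(SAMPLE_REPORT)
    for os_name in ("windows", "android"):
        print(os_name, "->", audit_posture(parsed, os_name) or "no findings")
```

Run against the sample, the report audits clean for a client that declared Windows and produces one finding for a client that declared Android while asserting MSWindowsFW, MicrosoftAS and MicrosoftAV; that mismatch is exactly the kind of thing a head-end operator can log or alert on, since nothing in the report itself is verifiable.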
