ocserv: iOS Anyconnect unexpected POST URL /VPN?

sskaje sskaje at gmail.com
Sat Dec 5 18:35:48 PST 2015


I sniffed the full request using socat; it seems to be a new URL:

POST /VPN HTTP/1.1
User-Agent: AnyConnect AppleSSLVPN_Darwin_ARM (iPhone) 3.0.12169
Host: XXX.sskaje.me
Accept: */*
Accept-Encoding: identity
X-Transcend-Version: 1
X-Transcend-Version: 1
X-AnyConnect-Identifier-ClientVersion: 3.0.12169
X-AnyConnect-Identifier-Platform: apple-ios
X-AnyConnect-Identifier-PlatformVersion: 9.1
X-AnyConnect-Identifier-DeviceType: iPhone6,2
X-AnyConnect-Identifier-Device-UniqueID: XXX
X-Aggregate-Auth: 1
Connection: close
Content-Length: 432
Content-Type: application/x-www-form-urlencoded

<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="init">
<device-id platform-version="9.1" device-type="iPhone6,2"
unique-id="XXXXXX">apple-ios</device-id>
<mac-address-list>
<mac-address>unknown</mac-address></mac-address-list>
<version who="vpn">3.0.12169</version>
<group-select>DEFAULT</group-select>
<group-access>https://XXX.sskaje.me:XXXX/VPN</group-access>
</config-auth>



sskaje at gmail.com
https://sskaje.me/


On Sun, Dec 6, 2015 at 3:39 AM, Kevin Cernekee <cernekee at gmail.com> wrote:
> On Sat, Dec 5, 2015 at 11:29 AM, Nikos Mavrogiannopoulos
> <n.mavrogiannopoulos at gmail.com> wrote:
>> On Sat, 2015-12-05 at 22:42 +0800, sskaje wrote:
>>> I tried both haproxy + ocserv and ocserv, same error.
>>> Anyone else met this?
>>>
>>> iOS 9.1, AnyConnect 3.0.12169
>> [...]
>>> ocserv[22505]: worker: 1.1.1.1 HTTP POST /VPN
>>> ocserv[22505]: worker: 1.1.1.1 unexpected POST URL /VPN
>>
>> Hi,
>>  That URL is not something ocserv handles. They must have changed their
>> protocol.
>
> If I configure the client to connect to e.g. "https://10.0.0.1/VPN"
> instead of just "https://10.0.0.1", then it will POST the initial
> request to /VPN.  Maybe it is just a configuration issue?
>
> IIRC, the ASA lets you set up URL aliases that autoselect a specific
> authgroup, which is why the user is allowed to specify a full URL
> instead of just a hostname.
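An added example, not code from this thread, ocserv or openconnect, that checks Kevin's reading against the capture above: it parses the config-auth init request and compares the POST path with the path component of the group-access URL the client was configured with. The CAPTURED_REQUEST is constructed from the quoted request (a few headers dropped, XXX masking kept), and the handled_paths default is an assumption, not a list taken from ocserv.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed from the request quoted in the thread; XXX masking kept as posted.
CAPTURED_REQUEST = (
    "POST /VPN HTTP/1.1\r\n"
    "User-Agent: AnyConnect AppleSSLVPN_Darwin_ARM (iPhone) 3.0.12169\r\n"
    "Host: XXX.sskaje.me\r\n"
    "X-Aggregate-Auth: 1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<config-auth client="vpn" type="init">\n'
    '<device-id platform-version="9.1" device-type="iPhone6,2" '
    'unique-id="XXXXXX">apple-ios</device-id>\n'
    '<version who="vpn">3.0.12169</version>\n'
    '<group-select>DEFAULT</group-select>\n'
    '<group-access>https://XXX.sskaje.me:XXXX/VPN</group-access>\n'
    "</config-auth>"
)

def parse_config_auth_request(raw: str) -> dict:
    """Return request method/path, headers and the config-auth fields."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    root = ET.fromstring(body.encode("utf-8"))
    if root.tag != "config-auth" or root.get("type") != "init":
        raise ValueError("not a config-auth init request")
    access = root.findtext("group-access", default="")
    return {
        "method": method,
        "path": path,
        "aggregate_auth": headers.get("x-aggregate-auth") == ["1"],
        "group_select": root.findtext("group-select", default=""),
        # path component of the URL the client was configured with
        "group_access_path": urlsplit(access).path or "/",
    }

def explain_post_path(parsed: dict, handled_paths=("/",)) -> str:
    """Classify the POST path; handled_paths is an assumption, not ocserv's list."""
    path = parsed["path"]
    if path in handled_paths:
        return "handled"
    if path == parsed["group_access_path"]:
        return "url-alias:" + path  # client POSTs to the path it was given
    return "unknown:" + path
```

A result of "url-alias:/VPN" means the client is simply POSTing to the path in its configured URL, which points at client configuration rather than a protocol change.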



More information about the openconnect-devel mailing list