Juniper Pulse doesn't connect properly

David Woodhouse dwmw2 at infradead.org
Mon Dec 14 02:01:11 PST 2015


On Fri, 2015-12-11 at 16:53 +0000, Pavel Kogan wrote:
> 
> ```
> $ sudo ./juniper-vpn.py --host pulse.example.com --user pavel.kogan
> --stdin DSID=%DSID% openconnect --juniper %HOST% --cookie-on-stdin
> --interface=tun0
> Password:
> WARNING: Juniper Network Connect support is experimental.
> It will probably be superseded by Junos Pulse support.
> Attempting to connect to server 19X.XXX.XXX.XXX:443
> SSL negotiation with pulse.example.com
> Connected to HTTPS on pulse.example.com
> SSL negotiation with pulse.example.com
> Connected to HTTPS on pulse.example.com
> Connected tun0 as 10.XXX.XXX.XXX, using SSL
> ESP session established with server
> Server terminated connection (session expired)
> Unknown error; exiting.
> WARNING: Juniper Network Connect support is experimental.
> It will probably be superseded by Junos Pulse support.
> Attempting to connect to server 19X.XXX.XXX.XXX:443
> SSL negotiation with pulse.example.com
> Connected to HTTPS on pulse.example.com
> Got HTTP response: HTTP/1.1 302 Found
> Unexpected 302 result from server
> Creating SSL connection failed
> Waiting 10...
> ```
> The error then repeats until I Ctrl-C.

That's odd. I assume you're using a fresh DSID cookie each time you
connect? And it then kicks you off almost immediately, telling you
'session expired'? How long does it remain connected for?

I wonder if this is a problem with tncc.py from the scripts you're
using to authenticate. In some modes the host checker script is
expected to keep running all the time you're connected to the VPN, but
ISTR that isn't implemented in Russ's tncc.py.

Can you try running the *real* one? OpenConnect has support for
spawning it... do you actually need external scripts at all for
authentication, in fact? Anything we can do in an external python
script parsing the forms, we *should* be able to add to OpenConnect's
own parsing hacks.

-- 
dwmw2
