AnyConnect Secure Mobility Client (ACSMC) failed to connect to ocserv with certificate
tefeng
tefeng.em at gmail.com
Fri Jan 9 04:54:19 PST 2015
Hi, All,
I've installed ocserv 0.8.9 on Debian 7 with "user/pass" authentication,
and it worked OK with the following clients:
Win 7 -- Cisco AnyConnect Secure Mobility Client (ACSMC) v3.1
iOS 7 -- Cisco AnyConnect v3.0
Android 4 -- OpenConnect v1.0.2
Then I changed the authentication to "certificate". So I made the client
certificate, verified it OK, and then converted it to *.p12 format with the
following command:
[ openssl pkcs12 -export -inkey user-key.pem -in user-cert.pem -certfile ca-cert.pem -out user-cert.p12 ]
After importing the *.p12 certificate, the clients for iOS and Android
worked OK, but ACSMC on Win 7 failed.
##### ocserv.conf #####
auth = "certificate"
max-clients = 16
max-same-clients = 2
tcp-port = 443
udp-port = 443
keepalive = 32400
dpd = 180
mobile-dpd = 1800
try-mtu-discovery = true
server-cert = /etc/ssl/certs/server-cert.pem
server-key = /etc/ssl/private/server-key.pem
ca-cert = /etc/ssl/certs/ca-cert.pem
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
auth-timeout = 40
mobile-idle-timeout
cookie-timeout = 86400000
rekey-time = 86400000
rekey-method = ssl
use-utmp = true
use-occtl = true
pid-file = /var/run/ocserv.pid
socket-file = /var/run/ocserv-socket
run-as-user = nobody
run-as-group = nogroup
net-priority = 5
cgroup = "cpuset,cpu:test"
device = vpns
default-domain = example.com
ipv4-network = 10.10.0.0
ipv4-netmask = 255.255.255.0
dns = 8.8.8.8
dns = 208.67.222.222
ping-leases = false
output-buffer = 10
route-add-cmd = "ip route add %{R} dev %{D}"
route-del-cmd = "ip route delete %{R} dev %{D}"
cisco-client-compat = true
custom-header = "X-DTLS-MTU: 1200"
custom-header = "X-CSTP-MTU: 1200"
user-profile = /etc/ocserv/profile/profile.xml #copied from sample doc
##### END #####
##### syslog #####
listening (TCP) on 0.0.0.0:443...
listening (TCP) on [::]:443...
listening (UDP) on 0.0.0.0:443...
listening (UDP) on [::]:443...
ocserv[4155]: main: initializing control unix socket: /var/run/occtl.socket
ocserv[4155]: main: initialized ocserv 0.8.9
ocserv[4156]: sec-mod: sec-mod initialized (socket:
/var/run/ocserv-socket.4155)
ocserv[4156]: sec-mod: received request from pid 4155 and uid 0
ocserv[4156]: sec-mod: cmd [size=55] sm: sign
ocserv[4155]: main: processed 1 CA certificate(s)
ocserv[4155]: main: putting process 4157 to cgroup 'cpuset:test'
ocserv[4155]: main: main-misc.c:755: cannot open:
/sys/fs/cgroup/cpuset/test/tasks
ocserv[4157]: worker: *.*.*.*:49253 accepted connection
ocserv[4156]: sec-mod: received request from pid 4157 and uid 65534
ocserv[4156]: sec-mod: cmd [size=40] sm: sign
ocserv[4157]: GnuTLS error (at worker-vpn.c:749): The TLS connection was
non-properly terminated.
ocserv[4155]: main: *.*.*.*:49253 main-misc.c:426: command socket closed
ocserv[4155]: main: *.*.*.*:49253 removing client '' with id '4157'
ocserv[4155]: main: putting process 4158 to cgroup 'cpuset:test'
ocserv[4155]: main: main-misc.c:755: cannot open:
/sys/fs/cgroup/cpuset/test/tasks
ocserv[4158]: worker: *.*.*.*:49254 accepted connection
ocserv[4156]: sec-mod: received request from pid 4158 and uid 65534
ocserv[4156]: sec-mod: cmd [size=40] sm: sign
ocserv[4158]: worker: *.*.*.*:49254 tlslib.c:372: error verifying client
certificate: No certificate was found.
ocserv[4158]: worker: *.*.*.*:49254 sending message 'resume data store
request' to main
ocserv[4155]: main: *.*.*.*:49254 main received message 'resume data
store request' of 277 bytes
ocserv[4155]: main: *.*.*.*:49254 TLS session DB storing
686ddc63ffb32dbaae7b8f3161837f74f7eba7c219fcbd32de3f436b55211abe
ocserv[4158]: worker: *.*.*.*:49254 TLS handshake completed
ocserv[4155]: main: *.*.*.*:49254 main-misc.c:426: command socket closed
ocserv[4155]: main: *.*.*.*:49254 removing client '' with id '4158'
ocserv[4155]: main: putting process 4159 to cgroup 'cpuset:test'
ocserv[4155]: main: main-misc.c:755: cannot open:
/sys/fs/cgroup/cpuset/test/tasks
ocserv[4159]: worker: *.*.*.*:49255 accepted connection
ocserv[4159]: worker: *.*.*.*:49255 sending message 'resume data fetch
request' to main
ocserv[4155]: main: *.*.*.*:49255 main received message 'resume data
fetch request' of 34 bytes
ocserv[4155]: main: *.*.*.*:49255 TLS session DB resuming
686ddc63ffb32dbaae7b8f3161837f74f7eba7c219fcbd32de3f436b55211abe
ocserv[4155]: main: *.*.*.*:49255 sending message 'resume data fetch
reply' to worker
ocserv[4159]: worker: *.*.*.*:49255 tlslib.c:372: error verifying client
certificate: No certificate was found.
ocserv[4159]: worker: *.*.*.*:49255 TLS handshake completed
ocserv[4159]: worker: *.*.*.*:49255 User-agent: 'AnyConnect Windows
3.1.06073'
ocserv[4159]: worker: *.*.*.*:49255 cannot find 'group-select' in client
XML message
ocserv[4159]: worker: *.*.*.*:49255 cannot find 'group-select' in client
XML message
ocserv[4159]: worker: *.*.*.*:49255 failed reading groupname
ocserv[4159]: worker: *.*.*.*:49255 no certificate provided for
authentication
ocserv[4155]: main: *.*.*.*:49255 main-misc.c:426: command socket closed
ocserv[4155]: main: *.*.*.*:49255 removing client '' with id '4159'
##### END #####
It seemed that ACSMC on Win 7 didn't recognize the certificate (imported
via the 'mmc' command, the same way as the strongSwan certificate, which works OK).
Any recommendations would be really appreciated. Thanks in advance.
regards,
Tefeng
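The server log above shows the one fact that matters: ocserv asks for a client certificate and the Windows client sends none ("No certificate was found", "no certificate provided for authentication"), while the same bundle works on iOS and Android. Before blaming the client, a practitioner would confirm three things about the bundle: it actually carries the private key and both certificates, the user certificate chains to the CA ocserv is given in ca-cert, and the certificate is eligible for TLS client authentication at all (keyUsage/EKU), since a certificate that a client is not allowed to offer produces exactly this server-side symptom. The script below is an added example, not code from the original post or from the ocserv project: it builds a throwaway CA and two leaf certificates (one with clientAuth, one deliberately limited to serverAuth), exports the first with the same `openssl pkcs12 -export` invocation as the post, and runs those checks. The names "Test CA" and "testuser", the export password "test", the temporary directory and the minimal openssl config are all constructed test data, not values from the post.

```shell
#!/bin/sh
# Added example, not code from the original post: build a throwaway CA and
# two client certificates, export one with the same "openssl pkcs12 -export"
# invocation as in the post, then run the checks a practitioner would want
# before blaming the Windows client. All names (Test CA, testuser), the
# export password "test" and the temp directory are constructed test data.
set -eu

# Minimal config so the example does not depend on the system openssl.cnf.
write_openssl_cnf() {
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# issue_cert <dir> <basename> <ext-file>: CSR plus CA-signed leaf cert.
issue_cert() {
    openssl req -config "$1/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=testuser" -keyout "$1/$2-key.pem" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$1/$2.csr" \
        -CA "$1/ca-cert.pem" -CAkey "$1/ca-key.pem" -CAcreateserial \
        -extfile "$3" -out "$1/$2-cert.pem" 2>/dev/null
}

# Disposable CA plus two leaves: "user" is a proper TLS client certificate
# (digitalSignature + clientAuth EKU); "server-only" is deliberately issued
# with serverAuth only, the shape of a mis-issued user certificate.
make_test_pki() {
    write_openssl_cnf "$1"
    openssl req -x509 -config "$1/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 30 -subj "/CN=Test CA" \
        -keyout "$1/ca-key.pem" -out "$1/ca-cert.pem" 2>/dev/null
    printf 'keyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$1/client.ext"
    printf 'keyUsage=digitalSignature\nextendedKeyUsage=serverAuth\n' > "$1/server.ext"
    issue_cert "$1" user "$1/client.ext"
    issue_cert "$1" server-only "$1/server.ext"
}

# Same export as in the post, with an explicit password instead of the
# prompt; -certfile puts the CA in the bundle so the importer can chain it.
export_p12() {
    openssl pkcs12 -export -inkey "$1/user-key.pem" -in "$1/user-cert.pem" \
        -certfile "$1/ca-cert.pem" -out "$1/user-cert.p12" -passout pass:test
}

# Check 1: does the bundle really carry the private key and both certs?
# A cert-only .p12 imports without complaint but can never do client auth.
p12_summary() {
    pem=$(openssl pkcs12 -in "$1/user-cert.p12" -passin pass:test -nodes 2>/dev/null)
    keys=$(printf '%s\n' "$pem" | grep -c 'BEGIN.*PRIVATE KEY' || true)
    certs=$(printf '%s\n' "$pem" | grep -c 'BEGIN CERTIFICATE' || true)
    printf 'keys=%s certs=%s\n' "$keys" "$certs"
}

# Check 2: the user cert chains to the CA that ocserv has in ca-cert.
cert_chains_to_ca() {
    openssl verify -CAfile "$1/ca-cert.pem" "$1/user-cert.pem" >/dev/null 2>&1
}

# Check 3: is the certificate eligible for TLS client authentication?
# OpenSSL's purpose check applies the keyUsage/EKU rules that peers and
# certificate stores apply to a client certificate.
cert_allows_client_auth() {
    openssl x509 -in "$1" -noout -purpose 2>/dev/null | grep -q '^SSL client : Yes'
}

run_checks() {
    dir=$(mktemp -d)
    make_test_pki "$dir"
    export_p12 "$dir"
    echo "bundle: $(p12_summary "$dir")"
    if cert_chains_to_ca "$dir"; then echo "chain: OK"; else echo "chain: FAILED"; fi
    for c in user server-only; do
        if cert_allows_client_auth "$dir/$c-cert.pem"; then
            echo "$c-cert.pem: usable for TLS client auth"
        else
            echo "$c-cert.pem: NOT usable for TLS client auth (check keyUsage/EKU)"
        fi
    done
    rm -rf "$dir"
}

run_checks
```

Running it prints keys=1 certs=2 for the bundle, chain OK, and that only the clientAuth certificate is usable for TLS client auth; point the three check functions at your real user-key.pem, user-cert.pem, ca-cert.pem and user-cert.p12 to test the actual files. If all three pass, the next step is a handshake against the real server, `openssl s_client -connect server:443 -cert user-cert.pem -key user-key.pem -CAfile ca-cert.pem`, and look at the "Acceptable client certificate CA names" list it prints when the server sends one: if the handshake completes there but AnyConnect still sends no certificate, the problem is the Windows store (which store the key landed in, whether the key is marked usable), not the bundle. One caveat for anyone redoing the export today: OpenSSL 3.x defaults to AES-256-CBC with PBKDF2 for PKCS#12, which older Windows importers do not understand; `openssl pkcs12 -export -legacy` restores the old algorithms.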