Using OpenConnect instead of Pulse 8.1r7

David Woodhouse dwmw2 at infradead.org
Fri Jun 3 03:29:21 PDT 2016


On Thu, 2016-06-02 at 23:25 -0700, Bill Broadley wrote:
> Greetings,
> 
> I'm using ubuntu-16.04 which defaults to OpenSSL-1.0.2g.
> 
> I built OpenConnect from git tonight, installed all the optional 
> dependencies except for LIBPSKC.

I'd recommend using GnuTLS instead of OpenSSL.

> I'm trying to get OpenConnect to work instead of the pulse client.
> 
> The pulse instructions:
> 1) Download Pulse 8.1R7
> 2) download the example.com.der certificate

This isn't a personal certificate (which would have a corresponding
private key), issued to you personally, is it? It's "This is the
certificate which identifies our VPN server; download it because the
VPN server doesn't have a *proper* certificate that's signed by one of
the known public CAs."

> OpenConnect didn't seem to like the der cert, so I:
> $ openssl x509 -inform der -in vpn.example.com.der -out vpn.example.com.pem
> 
> Then tried (using example.com to keep site specific details to the minimum):
> 
> # ./openconnect --proto=nc --certificate=/home/bill/Downloads/vpn.example.com.pem https://vpn.example.com
> GET https://vpn.example.com/
> Connected to 109.108.107.106:443
> Using client certificate '/C=US/postalCode=90210/ST=CA/L=Hollywood/street/OU=Library/CN=vpn.example.com'
> Using client certificate '/C=US/postalCode=90210/ST=CA/L=Hollywood/street 5th Ave/O=Example corp/OU=Library/CN=vpn.example.com'
> Failed to identify private key type in '/home/bill/Downloads/vpn.example.com.pem'

Right, that really does look like it's the *server's* certificate. So
you'd want to use that with '--cafile vpn.example.com.pem'. Although I
don't see a complaint in your log that the server's certificate wasn't
accepted, so you might not need it.

> I got similar with openconnect --juniper --certificate:
> Connected to 109.108.107.106:443
> SSL negotiation with vpn.example.com
> SSL connection failure
> 
> If I add --certificate I get the same private key error as above.

That example was *without* --certificate then, yes?

Using the stock OpenConnect 7.06 (using GnuTLS) on Fedora 24, it works
for me when I connect to what I think is your 'vpn.example.com'...

$ openconnect --juniper vpn.example.com
WARNING: Juniper Network Connect support is experimental.
It will probably be superseded by Junos Pulse support.
GET https://vpn.example.com/
Attempting to connect to server x.x.x.x:443
SSL negotiation with vpn.example.com
Server certificate verify failed: signer not found

Certificate from VPN server "vpn.example.com" failed verification.
Reason: signer not found
Enter 'yes' to accept, 'no' to abort; anything else to view: ^C

$ openconnect --juniper vpn.example.com --cafile vpn.example.com.pem
WARNING: Juniper Network Connect support is experimental.
It will probably be superseded by Junos Pulse support.
GET https://vpn.example.com/
Attempting to connect to server x.x.x.x:443
SSL negotiation with vpn.example.com
Connected to HTTPS on vpn.example.com
Got HTTP response: HTTP/1.1 302 Found
GET https://vpn.example.com/dana-na/auth/url_3/welcome.cgi
SSL negotiation with vpn.example.com
Connected to HTTPS on vpn.example.com
frmLogin
username:

At this point if I had a username and password it looks like I should
be able to proceed and get at least Legacy IP connectivity (we need to
implement the Pulse protocol before we get IPv6).

> My end goal is to get a Puppet managed OpenConnect working for linux 
> clients that enables IPv4 and IPv6.

You'll be using NetworkManager, I assume? So Puppet would be poking the
NM configuration into place with 'nmcli con add ...'?

-- 
dwmw2
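The point of the reply above is that a bare certificate file (DER or PEM, no private key) identifies the *server* and belongs with --cafile, whereas --certificate expects a client certificate together with its private key. The following Python script is an added example, not code from the thread or from the OpenConnect project: it performs the same DER-to-PEM wrapping that the quoted openssl x509 command does, inspects what PEM blocks a file actually contains, and proposes the matching openconnect option. The sample DER blobs are constructed placeholders (only the leading SEQUENCE tag matters for the format check), not real certificates, and the assumption that a lone DER file is a certificate rather than a key is labelled in the code.

```python
import base64
import re

# Constructed sample inputs (not real certificates). Real DER certificates
# also begin with an ASN.1 SEQUENCE tag (0x30), which is all the format
# check below relies on.
SAMPLE_DER = bytes([0x30, 0x05, 0x02, 0x01, 0x01, 0x05, 0x00])
SAMPLE_DER_LONG = b"\x30\x62" + b"\x05\x00" * 49   # 100 bytes, exercises line wrapping

PEM_BEGIN = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Base64-wrap DER bytes into a PEM block with 64-column body lines.
    This is the transformation 'openssl x509 -inform der -in x.der -out x.pem'
    performs for a certificate (no parsing or validation is done here)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN {0}-----\n{1}\n-----END {0}-----\n".format(label, body)


def pem_labels(data: bytes) -> list:
    """Return the block labels found in a PEM file, e.g. ['CERTIFICATE', 'PRIVATE KEY']."""
    return [m.group(1).decode("ascii") for m in PEM_BEGIN.finditer(data)]


def classify(data: bytes) -> dict:
    """Describe what a credential file holds and which openconnect option fits it.

    - certificate + private key  -> --certificate (a client identity)
    - certificate only           -> --cafile (pin the VPN server's certificate)
    - private key only           -> --sslkey (pair it with the certificate file)
    """
    if data.startswith(b"-----BEGIN"):
        fmt, labels = "PEM", pem_labels(data)
    elif data[:1] == b"\x30":
        # Assumption: a lone DER blob handed out by a VPN admin is a certificate,
        # the situation in the thread; DER private keys also start with 0x30.
        fmt, labels = "DER", ["CERTIFICATE"]
    else:
        return {"format": "unknown", "labels": [], "option": None}

    has_cert = "CERTIFICATE" in labels
    has_key = any("PRIVATE KEY" in label for label in labels)
    if has_cert and has_key:
        option = "--certificate"
    elif has_cert:
        option = "--cafile"
    elif has_key:
        option = "--sslkey"
    else:
        option = None
    return {"format": fmt, "labels": labels, "option": option}


def suggest_command(server: str, path: str, data: bytes) -> str:
    """Build the openconnect invocation the file supports, or explain why none fits."""
    info = classify(data)
    if info["option"] is None:
        return "no usable certificate or key found in %s (%s)" % (path, info["format"])
    if info["format"] == "DER":
        # openconnect expects PEM here; convert first, as the thread did with openssl.
        path = path.rsplit(".", 1)[0] + ".pem"
    return "openconnect --juniper %s %s %s" % (info["option"], path, server)


if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    print(pem, end="")
    print(classify(pem.encode()))
    print(suggest_command("vpn.example.com", "vpn.example.com.der", SAMPLE_DER))
```

Run it on a real file with `classify(open(path, "rb").read())`; a file that yields `--cafile` is the case from this thread, and the "Failed to identify private key type" error is exactly what passing such a file to --certificate produces.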