problems connecting with openconnect

eric.sandgren at regionorebrolan.se
Wed Nov 29 23:05:32 PST 2017


I've got problems with openconnect. It seems to work, but something
seems to be wrong with the default gw or such.
I'm posting the output of the openconnect command here:

sudo openconnect XXXX.XXX.XX --dump-http-traffic --user=userxxx
[sudo] password for eric:
Sorry, try again.
[sudo] password for eric:
POST https://XXXX.XXX.XX/
Attempting to connect to server xxx.xxx.xxx.xx:443
Connected to 1 xxx.xxx.xx.xx :443
SSL negotiation with XXXXXX.XXXXX.XX
Connected to HTTPS on XXXXXX.XXXXX.XX

POST / HTTP/1.1
Host: XXXXXX.XXXXX.XX
User-Agent: Open AnyConnect VPN Agent v7.08
Accept: /
Accept-Encoding: identity
X-Transcend-Version: 1
X-Aggregate-Auth: 1
X-AnyConnect-Platform: linux-64
X-Support-HTTP-Auth: true
X-Pad: 000000000000000000000000000000000000000
Content-Type: application/x-www-form-urlencoded
Content-Length: 217

<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="init"><version who="vpn">v7.08</version><device-id>linux-64</device-id><group-access>https://XXXXXX.XXXXX.XX</group-access></config-auth>;
Got HTTP response: HTTP/1.0 302 Temporary moved
Set-Cookie: tg=0Q1BfQ29ubmVjdC1kb3Q=; path=/; secure
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Tue, 28 Nov 2017 08:49:43 GMT
X-Frame-Options: SAMEORIGIN
Location: /+webvpn+/index.html
HTTP body length: (0)
GET https://XXXXXX.XXXXX.XX/
Attempting to connect to server xxx.xxx.xxx.xx:443
Connected to xxx.xxx.xxx.xx:443
SSL negotiation with XXXXXX.XXXXX.XX
Connected to HTTPS on XXXXXX.XXXXX.XX
GET / HTTP/1.1
Host: XXXXXX.XXXXX.XX
User-Agent: Open AnyConnect VPN Agent v7.08
Cookie: tg=0Q1BfQ29ubmVjdC1kb3Q=
Accept: /
Accept-Encoding: identity
X-Transcend-Version: 1
X-Support-HTTP-Auth: true
Got HTTP response: HTTP/1.0 302 Temporary moved
Set-Cookie: tg=0Q1BfQ29ubmVjdC1kb3Q=; path=/; secure
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Tue, 28 Nov 2017 08:49:44 GMT
X-Frame-Options: SAMEORIGIN
Location: /+webvpn+/index.html
HTTP body length: (0)
GET https://XXXXXX.XXXXX.XX/+webvpn+/index.html
SSL negotiation with XXXXXX.XXXXX.XX
Connected to HTTPS on XXXXXX.XXXXX.XX

GET /+webvpn+/index.html HTTP/1.1
Host: XXXXXX.XXXXX.XX
User-Agent: Open AnyConnect VPN Agent v7.08
Cookie: tg=0Q1BfQ29ubmVjdC1kb3Q=
Accept: /
Accept-Encoding: identity
X-Transcend-Version: 1
X-Support-HTTP-Auth: true
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Frame-Options: SAMEORIGIN
X-Transcend-Version: 1
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <!--
< Copyright (c) 2013 by Cisco Systems, Inc.
< All rights reserved.
< -->
< <auth id="main">
< <title>SSL VPN Service</title>
< <ca status="disabled" href="/+CSCOCA+/login.html" />
<
<
<
< <banner></banner>
< <message>Please enter your username and password.</message>
<
<
< <form method="post" action="/+webvpn+/index.html">
<
< <input type="text" name="username" label="Username:" />
< <input type="password" name="password" label="Password:" />
<
<
< <input type="hidden" name="tgroup" value="CP_Connect-dot" />
<
< <input type="submit" name="Login" value="Login" />
< <input type="reset" name="Clear" value="Clear" />
<
<
< </form>
< </auth>
<
Please enter your username and password.
Password:
POST https://XXXXXX.XXXXX.XX/+webvpn+/index.html

POST /+webvpn+/index.html HTTP/1.1
Host: XXXXXX.XXXXX.XX
User-Agent: Open AnyConnect VPN Agent v7.08
Cookie: tg=0Q1BfQ29ubmVjdC1kb3Q=; webvpnlogin=1
Accept: /
Accept-Encoding: identity
X-Transcend-Version: 1
X-Support-HTTP-Auth: true
X-Pad: 0000000
Content-Type: application/x-www-form-urlencoded
Content-Length: 57

username=userxxx&password=4717900042&tgroup=CP_Connect-dot
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpnlogin=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn=<elided>; path=/; secure
Set-Cookie: webvpnc=bu:/CACHE/stc/&p:t&iu:1/&sh:3586B5BFBB2E5B9BCE941D080B1AB5424496D049&lu:/+CSCOT+/translation-table?textdomain%3DAnyConnect%26type%3Dmanifest&fu:profiles%2FCPRO_Connect-dot.xml&fh:2D688AB42581E931DCC461496BDA1CA9E3A0CEAF; path=/; secure
Set-Cookie: webvpnx=
Set-Cookie: webvpnaac=1; path=/; secure
X-Frame-Options: SAMEORIGIN
X-Transcend-Version: 1
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <auth id="success">
< <title>SSL VPN Service</title>
< <message>Success</message>
< <success/>
< </auth>
<
<
TCP_INFO rcv mss 1368, snd mss 1368, adv mss 1448, pmtu 1500
CONNECT /CSCOSSLC/tunnel HTTP/1.1
Host: XXXXXX.XXXXX.XX
User-Agent: Open AnyConnect VPN Agent v7.08
Cookie: webvpn=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
X-CSTP-Version: 1
X-CSTP-Hostname: lovdot064bx
X-CSTP-Accept-Encoding: oc-lz4,lzs
X-CSTP-Base-MTU: 1500
X-CSTP-MTU: 1406
X-CSTP-Address-Type: IPv6,IPv4
X-CSTP-Full-IPv6-Capability: true
X-DTLS-Master-Secret: E2BCF0FDB0BCFC28501F71A45327A4218DF5887BBCF38E4AEE3ED65A4DA18249CF5BA35CC0E92F728F62022BC2B9EE9E
X-DTLS-CipherSuite: PSK-NEGOTIATE:OC-DTLS1_2-AES256-GCM:OC2-DTLS1_2-CHACHA20-POLY1305:DHE-RSA-AES256-SHA:OC-DTLS1_2-AES128-GCM:DHE-RSA-AES128-SHA:DES-CBC3-SHA:AES256-SHA:AES128-SHA
X-DTLS-Accept-Encoding: oc-lz4,lzs
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Protocol: Copyright © 2004 Cisco Systems, Inc.
X-CSTP-Address: 10.16.10.10
X-CSTP-Netmask: 255.255.255.0
X-CSTP-Hostname: a-uso-01mh11-30wf04-2.orebroll.se
X-CSTP-DNS: 10.10.55.10
X-CSTP-DNS: 10.50.55.10
X-CSTP-Lease-Duration: 1209600
X-CSTP-Session-Timeout: none
X-CSTP-Idle-Timeout: 36000
X-CSTP-Disconnected-Timeout: 36000
X-CSTP-Default-Domain: orebroll.se
X-CSTP-Keep: true
X-CSTP-Tunnel-All-DNS: false
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-CSTP-MSIE-Proxy-Lockdown: true
X-CSTP-Smartcard-Removal-Disconnect: true
X-DTLS-Session-ID: 2D193D167309B0422B7D32B1589B24F89DCF0B0D2CF899056C8C13AF9437C0B1
X-DTLS-Port: 443
X-DTLS-Keepalive: 20
X-DTLS-DPD: 30
X-CSTP-MTU: 1200
X-DTLS-MTU: 1200
X-DTLS-CipherSuite: AES128-SHA
X-CSTP-Routing-Filtering-Ignore: false
X-CSTP-Quarantine: false
X-CSTP-Disable-Always-On-VPN: false
X-CSTP-Client-Bypass-Protocol: false
X-CSTP-TCP-Keepalive: true
CSTP connected. DPD 30, Keepalive 20
CSTP Ciphersuite: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-256-GCM)
DTLS option X-DTLS-Session-ID : 2D193D167309B0422B7D32B1589B24F89DCF0B0D2CF899056C8C13AF9437C0B1
DTLS option X-DTLS-Port : 443
DTLS option X-DTLS-Keepalive : 20
DTLS option X-DTLS-DPD : 30
DTLS option X-DTLS-MTU : 1200
DTLS option X-DTLS-CipherSuite : AES128-SHA
DTLS initialised. DPD 30, Keepalive 20
Connected as 10.16.10.10, using SSL
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1).
Initiating IPv4 MTU detection (min=600, max=1200)
Failed to write to SSL socket: The transmitted packet is too large (EMSGSIZE).
Failed to send DPD request (1200 -5)
Failed to write to SSL socket: The transmitted packet is too large (EMSGSIZE).
Failed to send DPD request (1199 -5)
Failed to write to SSL socket: The transmitted packet is too large (EMSGSIZE).
Failed to send DPD request (1198 -5)
Failed to write to SSL socket: The transmitted packet is too large (EMSGSIZE).
Failed to send DPD request (1197 -5)
Failed to write to SSL socket: The transmitted packet is too large (EMSGSIZE).
Failed to send DPD request (1196 -5)
Failed to write to SSL socket: The transmitted packet is too large (EMSGSIZE).
Failed to send DPD request (1195 -5)
Detected MTU of 1194 bytes (was 1200)
Send CSTP Keepalive
Send CSTP DPD
Got CSTP DPD response
Send DTLS DPD
Got DTLS DPD response

After this I'm able to connect to the internet, but nothing on the "inside"
of my company net.

Checking ip a yields

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:28:f8:d9:68:31 brd ff:ff:ff:ff:ff:ff
inet 192.168.43.90/24 brd 192.168.43.255 scope global dynamic wlp3s0
valid_lft 3301sec preferred_lft 3301sec
inet6 fe80::9581:8bb6:10e7:c87a/64 scope link
valid_lft forever preferred_lft forever
3: enp0s31f6: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
link/ether ac:e2:d3:3a:b2:59 brd ff:ff:ff:ff:ff:ff
9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1194 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 10.16.10.11/32 scope global tun0
valid_lft forever preferred_lft forever

and
ip route show
default dev tun0 scope link
default via 192.168.43.1 dev wlp3s0 proto static metric 600
10.16.10.0/24 dev tun0 scope link
10.16.10.0/24 dev tun0 scope link metric 5
192.168.43.0/24 dev wlp3s0 proto kernel scope link src 192.168.43.90 metric 600
xxx.xxx.xxx.xx via 192.168.43.1 dev wlp3s0 src 192.168.43.90

any ideas are welcome

/Eric
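An added diagnostic, not part of the post or of openconnect itself: it parses the X-CSTP-* headers the gateway returned and the `ip route show` table from the post, then applies the kernel's route selection (longest prefix, then lowest metric) to show which device a destination would use, whether the pushed DNS servers are reachable over the tunnel, and whether the tun0 address matches what the gateway assigned. The header values, routing table and tun0 address are copied from the post above; the masked gateway route is omitted.

```python
import ipaddress

# Sample input constructed from the post: the CONNECT reply headers,
# the `ip route show` table and the address shown on tun0.
CSTP_HEADERS = """\
X-CSTP-Address: 10.16.10.10
X-CSTP-Netmask: 255.255.255.0
X-CSTP-DNS: 10.10.55.10
X-CSTP-DNS: 10.50.55.10
X-CSTP-Default-Domain: orebroll.se"""
IP_ROUTE = """\
default dev tun0 scope link
default via 192.168.43.1 dev wlp3s0 proto static metric 600
10.16.10.0/24 dev tun0 scope link
10.16.10.0/24 dev tun0 scope link metric 5
192.168.43.0/24 dev wlp3s0 proto kernel scope link src 192.168.43.90 metric 600"""
TUN0_ADDR = "10.16.10.11"

def parse_cstp(text):
    """Group headers by name; X-CSTP-DNS is repeated, so values are lists."""
    hdrs = {}
    for line in text.splitlines():
        name, _, value = line.partition(":")
        hdrs.setdefault(name.strip(), []).append(value.strip())
    return hdrs

def parse_routes(text):
    """Return (network, device, metric); 'default' is 0.0.0.0/0, no metric is 0."""
    routes = []
    for toks in (l.split() for l in text.splitlines() if l.strip()):
        dst = "0.0.0.0/0" if toks[0] == "default" else toks[0]
        dev = toks[toks.index("dev") + 1]
        metric = int(toks[toks.index("metric") + 1]) if "metric" in toks else 0
        routes.append((ipaddress.ip_network(dst, strict=False), dev, metric))
    return routes

def pick_route(routes, dst):
    """Kernel lookup order: longest matching prefix first, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    cands = [r for r in routes if addr in r[0]]
    return min(cands, key=lambda r: (-r[0].prefixlen, r[2])) if cands else None

def diagnose(hdrs, routes, tun_addr):
    """Compare the gateway-assigned address with tun0 and route each pushed DNS server."""
    assigned = ipaddress.ip_interface(f"{hdrs['X-CSTP-Address'][0]}/{hdrs['X-CSTP-Netmask'][0]}")
    dns_dev = {d: pick_route(routes, d)[1] for d in hdrs.get("X-CSTP-DNS", [])}
    return {"assigned": str(assigned),                 # address/prefix from the gateway
            "tun_matches": tun_addr == str(assigned.ip),  # False here: .11 on tun0 vs .10 assigned
            "dns_dev": dns_dev}                        # both resolvers go via tun0 in this table

if __name__ == "__main__":
    print(diagnose(parse_cstp(CSTP_HEADERS), parse_routes(IP_ROUTE), TUN0_ADDR))
```

With this table every destination, internet included, already goes via tun0 (the metric-0 default beats the metric-600 one), so the routing table alone does not explain why only inside hosts fail; the address mismatch may simply be a different session, but it is the first thing to re-check against a fresh `ip a`.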

