Can't connect with DTLS, using SSL instead

Abdulla Bubshait darkstego at gmail.com
Thu Sep 28 14:48:27 PDT 2017


> You should use --dump to show the complete chain of HTTPS request and
> response headers.

Thanks for this. It seems openconnect is indeed issuing the three DTLS
lines, but nothing seems to be coming in response.
I wonder how the anyconnect client is able to create a DTLS connection
in this case.


HTTP body length:  (130)
< <?xml version="1.0" encoding="UTF-8"?><auth id="success"><title>SSL
VPN Service</title><message>Success</message><success/></auth>
TCP_INFO rcv mss 536, snd mss 536, adv mss 1460, pmtu 1500
> CONNECT /CSCOSSLC/tunnel HTTP/1.1
> Host: company.com
> User-Agent: Open AnyConnect VPN Agent v7.08
> Cookie: webvpn=00 at 1303835295@33337 at 3715556236@3831327201 at MainVPNContext
> X-CSTP-Version: 1
> X-CSTP-Hostname: punch
> X-CSTP-Accept-Encoding: oc-lz4,lzs
> X-CSTP-Base-MTU: 1500
> X-CSTP-MTU: 1406
> X-CSTP-Address-Type: IPv6,IPv4
> X-CSTP-Full-IPv6-Capability: true
> X-DTLS-Master-Secret: D514BF73ED72D3DCA808FD72766E6006A25B90CA9164E23F10DFB52DF84D9A00476E5E9999965699D8F926E12DBD5091
> X-DTLS-CipherSuite: PSK-NEGOTIATE:OC-DTLS1_2-AES256-GCM:OC2-DTLS1_2-CHACHA20-POLY1305:DHE-RSA-AES256-SHA:OC-DTLS1_2-AES128-GCM:DHE-RSA-AES128-SHA:DES-CBC3-SHA:AES256-SHA:AES128-SHA
> X-DTLS-Accept-Encoding: oc-lz4,lzs
>
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Address: 10.200.200.184
X-CSTP-Netmask: 255.255.255.0
X-CSTP-Keep: true
X-CSTP-DNS: 10.200.200.11
X-CSTP-Lease-Duration: 43200
X-CSTP-MTU: 1406
X-CSTP-Default-Domain: company.com
X-CSTP-Split-Include: 10.200.200.0/255.255.255.0
X-CSTP-Split-Include: 10.200.0.0/255.255.0.0
X-CSTP-Rekey-Time: 3600
X-CSTP-Rekey-Method: new-tunnel
X-CSTP-DPD: 300
X-CSTP-Disconnected-Timeout: 2100
X-CSTP-Idle-Timeout: 2100
X-CSTP-Session-Timeout: 0
X-CSTP-Keepalive: 30
CSTP connected. DPD 300, Keepalive 30
CSTP Ciphersuite: (TLS1.0)-(RSA)-(AES-256-CBC)-(SHA1)
Set up DTLS failed; using SSL instead
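
Added example, not part of the original message and not openconnect code: a small checker that reads `--dump` output, lists the X-DTLS-* headers the client sent and those the server returned, and masks the session cookie and DTLS master secret before the dump is shared. It assumes a server that accepts DTLS answers with X-DTLS-* headers in the CONNECT response; the function names and the sample dump are constructed for illustration.

```python
import re

# Constructed sample in the shape of `openconnect --dump` output (placeholder values).
SAMPLE_DUMP = """\
> CONNECT /CSCOSSLC/tunnel HTTP/1.1
> Cookie: webvpn=PLACEHOLDER
> X-DTLS-Master-Secret: 00112233
> X-DTLS-CipherSuite: PSK-NEGOTIATE:AES256-SHA
> X-DTLS-Accept-Encoding: oc-lz4,lzs
>
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-MTU: 1406
CSTP connected. DPD 300, Keepalive 30
"""

HEADER = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")
# Headers whose values grant access to the session or the DTLS channel.
SECRET = re.compile(r"^(> )?(Cookie|X-DTLS-Master-Secret):.*$", re.I | re.M)

def split_headers(dump):
    """Return (request, response) header dicts from a --dump transcript."""
    request, response, in_response = {}, {}, False
    for line in dump.splitlines():
        if line.startswith("Got CONNECT response:"):
            in_response = True
            continue
        sent = line.startswith("> ")  # "> " marks lines the client sent
        m = HEADER.match(line[2:] if sent else line)
        if m and sent:
            request[m.group(1)] = m.group(2)
        elif m and in_response:
            response[m.group(1)] = m.group(2)
    return request, response

def dtls_report(dump):
    """Compare the DTLS headers offered by the client with those returned."""
    request, response = split_headers(dump)
    offered = sorted(h for h in request if h.lower().startswith("x-dtls-"))
    answered = sorted(h for h in response if h.lower().startswith("x-dtls-"))
    return {"offered": offered, "answered": answered,
            "no_dtls_in_response": bool(offered) and not answered}

def redact(dump):
    """Mask secret-bearing header values before a dump is shared."""
    return SECRET.sub(lambda m: f"{m.group(1) or ''}{m.group(2)}: [REDACTED]", dump)
```
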


