OpenConnect on a Windows11-ARM VM

Dev Faye dev.laminefaye at gmail.com
Tue Dec 14 13:46:41 PST 2021


Hi,

I'm not a programmer at all. Though it's been nearly 1 week that I've been going
back and forth, trying to get at least one VPN client working on my
virtual machine. I've tried the built-in VPN, CheckPointCapsule,
GlobalProtectUWP, GlobalProtect MacOS client, no success. Plus, I
didn't succeed in deploying gp-saml-gui, due to repetitive python
dependency problems I couldn't solve :(

Now back to OpenConnect.

Platform: Windows11 on ARM, hosted on a ParallelsDesktop17 VM
installed on MacOS 12.1 on ARM
OpenConnect version: v8.10-727-gbd6a7e71
My company authentication requires SAML with 2FA.

=============================================__________________=_____________________=============================================
first
C:\Program Files\OpenConnect>openconnect --protocol=gp
--usergroup=portal --user=91000318@CORP --os=windows --passwd-on-stdin
portal.ras.biomerieux.com
||myPassword||
POST https://portal.ras.biomerieux.com/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows
Connected to 193.240.245.231:443
SSL negotiation with portal.ras.biomerieux.com
Connected to HTTPS on portal.ras.biomerieux.com with ciphersuite
(TLS1.2)-(RSA)-(AES-256-GCM)
SAML REDIRECT authentication is required via
https://auth.biomerieux.com/adfs/ls/?SAMLRequest=lZFPT8MwDMW%2FSpX7mjRtmbDWSmU7MGmIai0cuKCsNSxSm5Q4Rfv4dBuIP4dJHC0%2FPz%2F%2FvCDVdwMUo9%2BbLb6NSD449J0hODUyNjoDVpEmMKpHAt9AVdxtQIYCBme9bWzHgoIIndfWLK2hsUdXoXvXDT5sNxnbez8QcD5Y51UXOkXhTttJpHE8hI3tIUlifnSVglclL5YVC1ZTEm3U0fPbQU0x%2F8xy1b4Q74izYL3K2HNyJVGKWCQtYpymSmEaqyaOcNe08%2FhaTjKiEdeGvDI%2BY1LIaBbJWZTUUkAyB5E%2BsaD8vOxGm1ab18sYdmcRwW1dl7PyvqpZ8IiOTtEnAcsXR5hwWux%2B4L1sq76YsvyfBBf8x778XP3%2Bcf4B&RelayState=dBNlABd8MWBhYWNjYWQxMDNkZDA5MDFlOTc0NjE5NDQ1NGM0NmIwNg%3D%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=Tie5OOdnOBxSW5ROLcA0hoxrjDf2%2FPYMgFiuTP1cGZWrCistZ9LiuJsmjIWZmv74VF%2F38wJN7Z8q6JO3GMP%2Fpu4lR360HQMh6liR06mepWvWacktgtbEiDF5F6OlE7icedJDdgemJ1LuuAS7pxSS1oHz1dXS6tI%2B4EAb0Bc24iyCZRIbse5jwmljZcp9MnDzJv86ibtI%2FSl%2B7bYaG94Vc53syLsexQj%2FDZ%2F9tV8ZFJz5j1gleVQlsHUm2YwKF3Nxkfv%2BCLrn128nQC%2B17WBloQmEcftY3szjbCEVv5z9qFwQhrHT6hB7d4Y%2Fu5fq9G4VMKSuDV0AJHC%2B5aAJmGvg2A%3D%3D
When SAML authentication is complete, specify destination form field
by appending :field_name to login URL.
Failed to complete authentication

then
C:\Program Files\OpenConnect>openconnect --protocol=gp
--usergroup=portal:prelogin-cookie --user=91000318@CORP --os=windows
--passwd-on-stdin --cookie-on-stdin portal.ras.biomerieux.com
||myPassword||
uRCVTTz/E/kAGrw9y+PGRapC0o0RvSww2n957aU8ysipJ1JasFhJ2CChMlupz/u/
POST https://portal.ras.biomerieux.com/ssl-vpn/getconfig.esp
Connected to 193.240.245.231:443
SSL negotiation with portal.ras.biomerieux.com
Connected to HTTPS on portal.ras.biomerieux.com with ciphersuite
(TLS1.2)-(RSA)-(AES-256-GCM)
Failed to parse server response
Creating SSL connection failed
Cookie was rejected by server; exiting.


=============================================__________________=_____________________=============================================

Now trying directly with the gateway, as suggested after reading these
exchanges: https://github.com/dlenski/openconnect/issues/109 and
https://githubmemory.com/repo/dlenski/gp-saml-gui/issues/6?page=2

C:\Program Files\OpenConnect>openconnect --protocol=gp
--usergroup=gateway --user=91000318@CORP --os=windows
--passwd-on-stdin -vvv --verbose fr.ras.biomerieux.com
||myPassword||
POST https://fr.ras.biomerieux.com/ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows
Attempting to connect to server 193.240.245.231:443
Connected to 193.240.245.231:443
SSL negotiation with fr.ras.biomerieux.com
Connected to HTTPS on fr.ras.biomerieux.com with ciphersuite
(TLS1.2)-(RSA)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Date: Tue, 14 Dec 2021 21:09:35 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 1898
Connection: keep-alive
ETag: "174a5f6b6d78"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: CLIENTOS=V2luZG93cw%3D%3D; expires=Wed, 15-Dec-2021
21:09:35 GMT; path=/
Set-Cookie: PHPSESSID=0880871e81c6441ef81e572003f3ea5f; secure; HttpOnly
||several other similar lines||
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block;
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self'
'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length:  (1898)
SAML REDIRECT authentication is required via
https://auth.biomerieux.com/adfs/ls/?SAMLRequest=lZFBT8MwDIX%2FSpX7mibtGLPWSmU7MGmIai0cuKAsyVikNhlxivbz6TYQg8Mkjpafn58%2Fz1B07R7KPuzsWr%2F3GkN06FqLcGrkpPcWnECDYEWnEYKEunxYAY8T2HsXnHQtiUpE7YNxdu4s9p32tfYfRuqn9SonuxD2CJRufewFxhvjBoHR%2FSGWroMsS%2BnRkSe0rmg5r0m0GFIYK45%2BP9NiiPhnlgq1RdoiJdFykZNXxcVGZVLcbseKT3Si5YTJKVPpDctSriaDDLHXS4tB2JATnnA2YnzEsoYzSKaQjl9IVH1ddWesMvbtOoLNWYRw3zTVqHqsGxI9a4%2Bn6IOAFLMjSDgt9hdor9uKb56k%2BAe9Gb3YVZyr378tPgE%3D&RelayState=cRRlABd8MWAwODgwODcxZTgxYzY0NDFlZjgxZTU3MjAwM2YzZWE1Zg%3D%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=n6V76Z64gATvQVZZxV%2F0NERv488lrth7AKv7S3j8Pv4K8SVn3rEch5ScYG3sVjfB8FGrIEFlB2QPjNuU9KJ3Xs4MPOgAW3pU8b11xulAUgMyNZ4n4M3GY5b%2BvBGPesNYiDU57sgO5oC0aDNxWnEYg9KT3ocGRr0EURbIv%2BcxFWi6J%2FGca3CM1%2F7jwWTd4%2FLLvxYDjj0tXYnLJD9ysxphKCp0swBibwchUinnHtqTtFskdPnaHRyMBHeAovypgYpKOGars8ZK6pruaCS8ZpWQyF1S2TLh8usimgF2BebFRkqHaSfZ0ct8mqH39BgRtvxBsdPJpwIbO9tbF7HcUXu0Sg%3D%3D
When SAML authentication is complete, specify destination form field
by appending :field_name to login URL.
Failed to complete authentication

then
C:\Program Files\OpenConnect>openconnect --protocol=gp
--usergroup=gateway:prelogin-cookie --user=91000318@CORP --os=windows
--passwd-on-stdin --cookie-on-stdin -vvv --verbose
fr.ras.biomerieux.com
||myPassword||
hFhPAtkWmmGu8YSvsQnhAxTK40U+GlqcfpYpc5tO+ZyHI44JyQXwIgn4/IANiHiy
POST https://fr.ras.biomerieux.com/ssl-vpn/getconfig.esp
Attempting to connect to server 193.240.245.231:443
Connected to 193.240.245.231:443
SSL negotiation with fr.ras.biomerieux.com
Connected to HTTPS on fr.ras.biomerieux.com with ciphersuite
(TLS1.2)-(RSA)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Date: Tue, 14 Dec 2021 21:12:06 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 29
Connection: keep-alive
ETag: "1f35f6b6d78"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: PHPSESSID=e054287b91c458b54033807b5fc44177; secure; HttpOnly
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block;
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self'
'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length:  (29)
Failed to parse server response
Response was: errors getting SSL/VPN config
Creating SSL connection failed
Cookie was rejected by server; exiting.

=============================================__________________=_____________________=============================================

I'm once again stuck without any lead to move forward. Discussions
seen on forums do seem to help with parsing the server response.

Any help or suggestion you may have?

Thanks!
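The long URL openconnect prints after "SAML REDIRECT authentication is required via" is a SAML HTTP-Redirect binding request: the SAMLRequest parameter is a base64-encoded, raw-DEFLATEd AuthnRequest, sent beside RelayState, SigAlg and Signature. The script below is an added example, not code from the post or from the OpenConnect project; it decodes such a URL so you can see which IdP endpoint, SP issuer and AssertionConsumerServiceURL the browser step will use, and checks that the request's Destination matches the IdP URL it is being sent to. All hostnames and values in it are constructed, not the real ones from the log.

```python
"""Decode a SAML HTTP-Redirect URL of the kind openconnect prints after "SAML REDIRECT
authentication is required via": SAMLRequest is base64(raw DEFLATE(AuthnRequest XML))."""
import base64, zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample AuthnRequest; hosts are hypothetical, not the post's real ones.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" Version="2.0" '
    'Destination="https://idp.example.test/adfs/ls/" '
    'AssertionConsumerServiceURL="https://portal.example.test/SAML20/SP/ACS">'
    "<saml:Issuer>https://portal.example.test/SAML20/SP</saml:Issuer></samlp:AuthnRequest>"
)

def deflate_b64(xml_text: str) -> str:
    """Raw DEFLATE (wbits=-15, no zlib header) then base64, as the binding requires."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def inflate_b64(param: str) -> str:
    return zlib.decompress(base64.b64decode(param), -15).decode()

def build_sample_redirect_url() -> str:
    """Redirect URL shaped like the one in the openconnect log; Signature is a placeholder."""
    query = urlencode({"SAMLRequest": deflate_b64(SAMPLE_AUTHN_REQUEST),
                       "RelayState": "constructed-relay-state",
                       "SigAlg": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                       "Signature": "AAAA"})
    return "https://idp.example.test/adfs/ls/?" + query

def decode_saml_redirect(url: str) -> dict:
    """Fields worth checking before finishing the SAML login in a browser."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    root = ET.fromstring(inflate_b64(query["SAMLRequest"][0]))
    issuer = root.find("saml:Issuer", SAML_NS)
    endpoint = parts._replace(query="", fragment="").geturl()
    destination = root.get("Destination")
    return {
        "idp_endpoint": endpoint,
        "destination": destination,
        "destination_matches": destination == endpoint,  # request must target the IdP it is sent to
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "issuer": issuer.text if issuer is not None else None,
        "sig_alg": query.get("SigAlg", [None])[0],
        "signed": "Signature" in query,
    }
```

To inspect a real log line, pass the printed URL to decode_saml_redirect() instead of build_sample_redirect_url(); the Signature is not verified here, only reported as present.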


