OpenConnect on a Windows11-ARM VM

Daniel Lenski dlenski at gmail.com
Tue Dec 14 22:08:00 PST 2021


On Tue, Dec 14, 2021 at 1:47 PM Dev Faye <dev.laminefaye at gmail.com> wrote:
> I'm not a programmer at all? Though, it's been nearly 1 week I'm going
> back and forth, trying to get at least one VPN client working on my
> virtual machine. I've tried built-in VPN, CheckPointCapsule,
> GlobalProtectUWP, GlobalProtect MacOS client, no success. Plus, I
> didn't succeed deploying gp-saml-gui, due to repetitive python
> dependencies I couldn't solve :(

I assume you're the same person who started this thread, asking for
help getting gp-saml-gui working?
https://gitlab.com/openconnect/openconnect/-/issues/53#note_766233185

> Now back to OpenConnect.

Exactly what are you trying to do or illustrate here? I *think* that
what you are doing is trying to "manually" follow the SAML login
behavior since you can't use gp-saml-gui to automate it…

1. Use `openconnect` to fetch the SAML login URL
2. Open that URL in a browser
3. Follow the auth forms, and inspect their source, until you get
either a 'prelogin-cookie' or a 'portal-userauthcookie'
(https://github.com/dlenski/gp-saml-gui/blob/master/gp_saml_gui.py#L131)
from the server
4. Plug that cookie back into OpenConnect to finish the login

So… *is* that what you're trying to do? I can't be sure.

Assuming that *is* what you're trying to do, your last command is the
most close-to-correct one. You can tell that because it gets further
than all the preceding ones. It's the only one that doesn't "fail to
complete authentication." Instead it fails like this:

    > C:\Program Files\OpenConnect>openconnect --protocol=gp
    --usergroup=gateway:prelogin-cookie --user=91000318 at CORP --os=windows
    --passwd-on-stdin --cookie-on-stdin -vvv --verbose
    …
    POST https://fr.ras.biomerieux.com/ssl-vpn/getconfig.esp
    …
    Response was: errors getting SSL/VPN config

The reason this one is failing is because it doesn't like something
about the client parameters. Usually, specifying the wrong OS is the
culprit. GlobalProtect servers are maddeningly stupid, inconsistent,
and vague about reporting this
(https://gitlab.com/openconnect/openconnect/-/commit/e2f574a5f5f06a2364ff65f7a13721f79bf4beef
for more examples), so it's very hard to give an error message that
clearly identifies the root cause.

What you've specified, `--os=windows`, is not a value that OpenConnect
understands; per the manual,
(https://www.infradead.org/openconnect/manual.html), `--os=win` is the
legal value. Does that work?

We should improve OpenConnect by giving the user an error message if
an illegal value is specified for `--os=...`, to make it easier to
detect this problem. Changes to do this:
https://gitlab.com/openconnect/openconnect/-/merge_requests/310

-Dan




>
> Now back to OpenConnect.
>
> Platform: Windows11 on ARM, hosted on a ParallelsDesktop17 VM
> installed on MacOS 12.1 on ARM
> OpenConnect version v8.10-727-gbd6a7e71
> My company authentication requires SAML with 2FA.
>
> =============================================__________________=_____________________=============================================
> first
> C:\Program Files\OpenConnect>openconnect --protocol=gp
> --usergroup=portal --user=91000318 at CORP --os=windows --passwd-on-stdin
> portal.ras.biomerieux.com
> ||myPassword||
> POST https://portal.ras.biomerieux.com/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows
> Connected to 193.240.245.231:443
> SSL negotiation with portal.ras.biomerieux.com
> Connected to HTTPS on portal.ras.biomerieux.com with ciphersuite
> (TLS1.2)-(RSA)-(AES-256-GCM)
> SAML REDIRECT authentication is required via
> https://auth.biomerieux.com/adfs/ls/?SAMLRequest=lZFPT8MwDMW%2FSpX7mjRtmbDWSmU7MGmIai0cuKCsNSxSm5Q4Rfv4dBuIP4dJHC0%2FPz%2F%2FvCDVdwMUo9%2BbLb6NSD449J0hODUyNjoDVpEmMKpHAt9AVdxtQIYCBme9bWzHgoIIndfWLK2hsUdXoXvXDT5sNxnbez8QcD5Y51UXOkXhTttJpHE8hI3tIUlifnSVglclL5YVC1ZTEm3U0fPbQU0x%2F8xy1b4Q74izYL3K2HNyJVGKWCQtYpymSmEaqyaOcNe08%2FhaTjKiEdeGvDI%2BY1LIaBbJWZTUUkAyB5E%2BsaD8vOxGm1ab18sYdmcRwW1dl7PyvqpZ8IiOTtEnAcsXR5hwWux%2B4L1sq76YsvyfBBf8x778XP3%2Bcf4B&RelayState=dBNlABd8MWBhYWNjYWQxMDNkZDA5MDFlOTc0NjE5NDQ1NGM0NmIwNg%3D%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=Tie5OOdnOBxSW5ROLcA0hoxrjDf2%2FPYMgFiuTP1cGZWrCistZ9LiuJsmjIWZmv74VF%2F38wJN7Z8q6JO3GMP%2Fpu4lR360HQMh6liR06mepWvWacktgtbEiDF5F6OlE7icedJDdgemJ1LuuAS7pxSS1oHz1dXS6tI%2B4EAb0Bc24iyCZRIbse5jwmljZcp9MnDzJv86ibtI%2FSl%2B7bYaG94Vc53syLsexQj%2FDZ%2F9tV8ZFJz5j1gleVQlsHUm2YwKF3Nxkfv%2BCLrn128nQC%2B17WBloQmEcftY3szjbCEVv5z9qFwQhrHT6hB7d4Y%2Fu5fq9G4VMKSuDV0AJHC%2B5aAJmGvg2A%3D%3D
> When SAML authentication is complete, specify destination form field
> by appending :field_name to login URL.
> Failed to complete authentication
>
> then
> C:\Program Files\OpenConnect>openconnect --protocol=gp
> --usergroup=portal:prelogin-cookie --user=91000318 at CORP --os=windows
> --passwd-on-stdin --cookie-on-stdin portal.ras.biomerieux.com
> ||myPassword||
> uRCVTTz/E/kAGrw9y+PGRapC0o0RvSww2n957aU8ysipJ1JasFhJ2CChMlupz/u/
> POST https://portal.ras.biomerieux.com/ssl-vpn/getconfig.esp
> Connected to 193.240.245.231:443
> SSL negotiation with portal.ras.biomerieux.com
> Connected to HTTPS on portal.ras.biomerieux.com with ciphersuite
> (TLS1.2)-(RSA)-(AES-256-GCM)
> Failed to parse server response
> Creating SSL connection failed
> Cookie was rejected by server; exiting.
>
>
> =============================================__________________=_____________________=============================================
>
> Now trying directly with gateway, as supposed after reading this
> exchange: https://github.com/dlenski/openconnect/issues/109 and
> https://githubmemory.com/repo/dlenski/gp-saml-gui/issues/6?page=2
>
> C:\Program Files\OpenConnect>openconnect --protocol=gp
> --usergroup=gateway --user=91000318 at CORP --os=windows
> --passwd-on-stdin -vvv --verbose fr.ras.biomerieux.com
> ||myPassword||
> POST https://fr.ras.biomerieux.com/ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows
> Attempting to connect to server 193.240.245.231:443
> Connected to 193.240.245.231:443
> SSL negotiation with fr.ras.biomerieux.com
> Connected to HTTPS on fr.ras.biomerieux.com with ciphersuite
> (TLS1.2)-(RSA)-(AES-256-GCM)
> Got HTTP response: HTTP/1.1 200 OK
> Date: Tue, 14 Dec 2021 21:09:35 GMT
> Content-Type: application/xml; charset=UTF-8
> Content-Length: 1898
> Connection: keep-alive
> ETag: "174a5f6b6d78"
> Pragma: no-cache
> Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
> Expires: Thu, 19 Nov 1981 08:52:00 GMT
> X-FRAME-OPTIONS: DENY
> Set-Cookie: CLIENTOS=V2luZG93cw%3D%3D; expires=Wed, 15-Dec-2021
> 21:09:35 GMT; path=/
> Set-Cookie: PHPSESSID=0880871e81c6441ef81e572003f3ea5f; secure; HttpOnly
> ||several other similar lines||
> Strict-Transport-Security: max-age=31536000;
> X-XSS-Protection: 1; mode=block;
> X-Content-Type-Options: nosniff
> Content-Security-Policy: default-src 'self'; script-src 'self'
> 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
> HTTP body length:  (1898)
> SAML REDIRECT authentication is required via
> https://auth.biomerieux.com/adfs/ls/?SAMLRequest=lZFBT8MwDIX%2FSpX7mibtGLPWSmU7MGmIai0cuKAsyVikNhlxivbz6TYQg8Mkjpafn58%2Fz1B07R7KPuzsWr%2F3GkN06FqLcGrkpPcWnECDYEWnEYKEunxYAY8T2HsXnHQtiUpE7YNxdu4s9p32tfYfRuqn9SonuxD2CJRufewFxhvjBoHR%2FSGWroMsS%2BnRkSe0rmg5r0m0GFIYK45%2BP9NiiPhnlgq1RdoiJdFykZNXxcVGZVLcbseKT3Si5YTJKVPpDctSriaDDLHXS4tB2JATnnA2YnzEsoYzSKaQjl9IVH1ddWesMvbtOoLNWYRw3zTVqHqsGxI9a4%2Bn6IOAFLMjSDgt9hdor9uKb56k%2BAe9Gb3YVZyr378tPgE%3D&RelayState=cRRlABd8MWAwODgwODcxZTgxYzY0NDFlZjgxZTU3MjAwM2YzZWE1Zg%3D%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=n6V76Z64gATvQVZZxV%2F0NERv488lrth7AKv7S3j8Pv4K8SVn3rEch5ScYG3sVjfB8FGrIEFlB2QPjNuU9KJ3Xs4MPOgAW3pU8b11xulAUgMyNZ4n4M3GY5b%2BvBGPesNYiDU57sgO5oC0aDNxWnEYg9KT3ocGRr0EURbIv%2BcxFWi6J%2FGca3CM1%2F7jwWTd4%2FLLvxYDjj0tXYnLJD9ysxphKCp0swBibwchUinnHtqTtFskdPnaHRyMBHeAovypgYpKOGars8ZK6pruaCS8ZpWQyF1S2TLh8usimgF2BebFRkqHaSfZ0ct8mqH39BgRtvxBsdPJpwIbO9tbF7HcUXu0Sg%3D%3D
> When SAML authentication is complete, specify destination form field
> by appending :field_name to login URL.
> Failed to complete authentication
>
> then
> C:\Program Files\OpenConnect>openconnect --protocol=gp
> --usergroup=gateway:prelogin-cookie --user=91000318 at CORP --os=windows
> --passwd-on-stdin --cookie-on-stdin -vvv --verbose
> fr.ras.biomerieux.com
> ||myPassword||
> hFhPAtkWmmGu8YSvsQnhAxTK40U+GlqcfpYpc5tO+ZyHI44JyQXwIgn4/IANiHiy
> POST https://fr.ras.biomerieux.com/ssl-vpn/getconfig.esp
> Attempting to connect to server 193.240.245.231:443
> Connected to 193.240.245.231:443
> SSL negotiation with fr.ras.biomerieux.com
> Connected to HTTPS on fr.ras.biomerieux.com with ciphersuite
> (TLS1.2)-(RSA)-(AES-256-GCM)
> Got HTTP response: HTTP/1.1 200 OK
> Date: Tue, 14 Dec 2021 21:12:06 GMT
> Content-Type: application/xml; charset=UTF-8
> Content-Length: 29
> Connection: keep-alive
> ETag: "1f35f6b6d78"
> Pragma: no-cache
> Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
> Expires: Thu, 19 Nov 1981 08:52:00 GMT
> X-FRAME-OPTIONS: DENY
> Set-Cookie: PHPSESSID=e054287b91c458b54033807b5fc44177; secure; HttpOnly
> Strict-Transport-Security: max-age=31536000;
> X-XSS-Protection: 1; mode=block;
> X-Content-Type-Options: nosniff
> Content-Security-Policy: default-src 'self'; script-src 'self'
> 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
> HTTP body length:  (29)
> Failed to parse server response
> Response was: errors getting SSL/VPN config
> Creating SSL connection failed
> Cookie was rejected by server; exiting.
>
> =============================================__________________=_____________________=============================================
>
> I'm once again stuck without any lead to move forward. Discussions
> seen on forums does seem to help parsing the server response.
>
> Any help or suggestion you may have?
>
> Thanks!
>
> _______________________________________________
> openconnect-devel mailing list
> openconnect-devel at lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/openconnect-devel
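The manual four-step SAML flow and the `--os` check from Dan's reply above, as an added example that is not part of the thread or of OpenConnect/gp-saml-gui: it pulls the cookie fields out of the final SAML response (assumed, following gp-saml-gui, to arrive either as response headers or as `<tag>value</tag>` elements in the HTML body), refuses an illegal `--os` value before composing the step-4 command, and returns the cookie to be fed on stdin. The set of legal `--os` values and the use of `--passwd-on-stdin` to pass the cookie are assumptions taken from the OpenConnect manual and gp-saml-gui's usage, and the sample response is constructed.

```python
import re
import shlex

# Assumption: legal --os values per the OpenConnect manual ("win", not "windows").
LEGAL_OS = {"linux", "linux-64", "win", "mac-intel", "android", "apple-ios"}

# Fields that gp-saml-gui looks for in the final SAML response (assumption:
# either as HTTP headers or as <tag>value</tag> elements in the HTML body).
SAML_FIELDS = ("saml-auth-status", "saml-username",
               "prelogin-cookie", "portal-userauthcookie")

# Constructed sample response; real servers are assumed to wrap the fields in an HTML comment.
SAMPLE_HEADERS = {"content-type": "text/html; charset=UTF-8"}
SAMPLE_BODY = """<!DOCTYPE html><html><body>
<!-- <saml-auth-status>1</saml-auth-status>
<saml-username>user@EXAMPLE</saml-username>
<prelogin-cookie>EXAMPLE-PRELOGIN-COOKIE-VALUE</prelogin-cookie> -->
</body></html>"""


def extract_saml_fields(headers, body):
    """Step 3: collect the SAML result fields, preferring headers over body tags."""
    found = {}
    lower = {k.lower(): v for k, v in headers.items()}
    for name in SAML_FIELDS:
        value = lower.get(name)
        if value is None:
            m = re.search(r"<%s>([^<]*)</%s>" % (name, name), body, re.I)
            value = m.group(1).strip() if m else None
        if value:
            found[name] = value
    return found


def build_openconnect_cmd(server, fields, os_name, interface="gateway"):
    """Step 4: compose the openconnect command; reject an illegal --os up front."""
    if os_name not in LEGAL_OS:
        raise ValueError(f"--os={os_name} is not legal; use one of {sorted(LEGAL_OS)}")
    if interface not in ("gateway", "portal"):
        raise ValueError("interface must be 'gateway' or 'portal'")
    # prelogin-cookie is what the thread's step 3 expects; portal-userauthcookie is the alternative.
    for name in ("prelogin-cookie", "portal-userauthcookie"):
        if name in fields:
            cmd = ["openconnect", "--protocol=gp", f"--usergroup={interface}:{name}",
                   f"--user={fields.get('saml-username', '')}", f"--os={os_name}",
                   "--passwd-on-stdin", server]
            return shlex.join(cmd), fields[name]  # cookie goes to stdin, never on the argv
    raise ValueError("no prelogin-cookie or portal-userauthcookie in SAML response")
```

Running `extract_saml_fields` on the constructed response and passing the result to `build_openconnect_cmd(..., "windows")` raises the `ValueError` that the thread wants OpenConnect itself to emit; with `"win"` it yields the command to run.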
