Connecting to anyconnect vpn - system verification

Zbyněk Kačer zbynek.kacer at pitris.info
Tue Jan 31 05:12:36 PST 2023


Zbyněk Kačer wrote:
> Daniel Lenski wrote:
>> On Fri, Jan 27, 2023 at 3:58 AM Zbyněk Kačer 
>> <zbynek.kacer at pitris.info> wrote:
>>> So I tried openconnect
>> openconnect --version?
>>
>>> So I tried
>>> openconnect --dump-http-traffic --csd-wrapper=/tmp/csd-post.sh
>>> gateway.host.some.server.com
>>>
>>> but the csd-post script seems never to be called (I've inserted some echos
>>> at the beginning).
>> Are you 100% sure the `csd-post.sh` is an executable shell script, and
>> that you're not missing an error about it being non-executable, or
>> otherwise failing? Until we made improvements in recent releases
>> (https://gitlab.com/openconnect/openconnect/-/commits/7083a0ac52a95e02b2c75180888bc29bcc9f3bae/auth.c),
>> these errors were very easy to miss.
>>
>> Assuming the script is indeed executable, it's possible that your
>> server detects that you're using a non-Cisco client, or running a
>> not-supported OS, and simply skips over CSD and goes straight to the
>> "limited access" mode.
>>
>> Try adding combinations of the following to the command line and see
>> if they make any difference…
>>
>> --useragent 'AnyConnect Windows 4.10.05095'
>> --os=win
>> --local-hostname=HOSTNAME_OF_YOUR_OFFICIALLY_SUPPORTED_WINDOWS_LAPTOP
>>
>> Rinse/repeat/experiment until you hopefully find the magical
>> combination of options/versions/identifiers (refer to
>> https://www.infradead.org/openconnect/manual.html).
>>
>>> Do I have to force openconnect to post the "scan" result to the gateway
>>> somehow?
>> No.
>> As far as we know, the Cisco servers either (a) require that you
>> complete CSD before authentication will complete and you'll be able to
>> connect the VPN tunnel, or (b) skip it.
>>
>> Dan
>>
> It's debian's v9.01-2.
> Yes, it's executable, I can run it from a terminal.
> The parameters do not help, it's the same. I'll try to play with this
> a little more. Is there any way to debug it?
>
> Thanks.
I'm afraid tuning parameters does not help at all. I unsuccessfully
tried various combinations.
Then I dumped the /opt/cisco/anyconnect/bin/vpnui traffic, tried what 
the official client sends and still no success.
What can I do more? What to dump?
I'm able to dump (SSLKEYLOGFILE) the UI's traffic and partly also
vpnagentd's traffic, but there are still some TLS streams unreadable.

Thanks.
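Added example, not part of the thread and not openconnect's own code: a small POSIX shell helper that does the two things Dan's reply asks for. It checks that the --csd-wrapper script really is executable and has a #! line, drops a shim in front of it that appends every invocation (arguments and the CSD_* environment openconnect exports to Cisco CSD wrappers) to a log file instead of relying on echoes to a terminal, and prints one openconnect command line per combination of --useragent, --os and --local-hostname so they can be tried in turn. The log path, the shim path, the user-agent string and the laptop hostname are placeholders and assumptions; adjust them to your setup.

```shell
#!/bin/sh
# Added example (not from the openconnect project): instrument a CSD wrapper
# so its invocation is visible, and enumerate the option combinations to try.
set -u

# Dan's first question: is the wrapper really an executable script? Also catch a
# missing '#!' line, which makes exec() fail rather than run the script.
check_wrapper() {
    wrapper=$1
    [ -f "$wrapper" ] || { echo "not a regular file: $wrapper" >&2; return 1; }
    [ -x "$wrapper" ] || { echo "not executable: $wrapper" >&2; return 1; }
    read -r first < "$wrapper" || first=
    case $first in
        '#!'*) return 0 ;;
        *) echo "no #! line: $wrapper" >&2; return 1 ;;
    esac
}

# Write a shim that logs its arguments and the CSD_* environment to $logfile,
# then hands over to the real wrapper. A file survives even when stdout of the
# wrapper is lost; which variables to log is an assumption about what you need.
make_instrumented_wrapper() {
    real=$1 logfile=$2 out=$3
    cat > "$out" <<EOF
#!/bin/sh
{
    echo "=== \$(date '+%F %T') csd wrapper invoked (pid \$\$)"
    echo "args: \$*"
    env | grep '^CSD_' | sort
} >> "$logfile"
exec "$real" "\$@"
EOF
    chmod 0755 "$out"
}

# Build one openconnect command line; empty ua/os/lh omit that option.
build_cmd() {
    host=$1 wrapper=$2 ua=$3 os=$4 lh=$5
    cmd="openconnect -v --dump-http-traffic --csd-wrapper=$wrapper"
    [ -n "$ua" ] && cmd="$cmd --useragent='$ua'"
    [ -n "$os" ] && cmd="$cmd --os=$os"
    [ -n "$lh" ] && cmd="$cmd --local-hostname=$lh"
    echo "$cmd $host"
}

# Usage: ./csd-debug.sh gateway.host.some.server.com /tmp/csd-post.sh
# Prints the matrix of command lines to run; after each run, inspect the log.
if [ -n "${1-}" ] && [ -n "${2-}" ]; then
    check_wrapper "$2" || exit 1
    make_instrumented_wrapper "$2" /tmp/csd-wrapper.log /tmp/csd-wrapper-shim.sh
    for ua in '' 'AnyConnect Windows 4.10.05095'; do
        for os in '' win; do
            for lh in '' HOSTNAME_OF_YOUR_OFFICIALLY_SUPPORTED_WINDOWS_LAPTOP; do
                build_cmd "$1" /tmp/csd-wrapper-shim.sh "$ua" "$os" "$lh"
            done
        done
    done
    echo "after each run: tail /tmp/csd-wrapper.log" >&2
fi
```

If /tmp/csd-wrapper.log stays empty across every combination, openconnect never reached the point of executing the wrapper, which is consistent with the server skipping CSD for that client; if the shim is logged but the real script fails, its error now sits next to the arguments it was given.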
