SSL huawei AR150 Series Enterprise Routers

Alfredo Tomasini alto.tom at e-td55.com
Mon Apr 15 10:35:40 PDT 2024


Oops, that was a typo, yes PARTNER.

Note: the router is not a Cisco but a Huawei AR150, although most likely they use the same protocol, maybe!

tried

/usr/sbin/openconnect --useragent="AnyConnect" ....

XML response has no "auth" node
Failed to complete authentication

did not work

Also, tried all the following

--protocol=anyconnect Compatible with Cisco AnyConnect SSL VPN, as well as ocserv (default)
--protocol=nc Compatible with Juniper Network Connect
--protocol=gp Compatible with Palo Alto Networks (PAN) GlobalProtect SSL VPN
--protocol=pulse Compatible with Pulse Connect Secure SSL VPN
--protocol=f5 Compatible with F5 BIG-IP SSL VPN
--protocol=fortinet Compatible with FortiGate SSL VPN
--protocol=array Compatible with Array Networks SSL VPN

No success

In case you have time and interest, this is the server 58.246.39.91:8899
(better not to post this, I guess)

The only protocol that gets me to login and password is

--protocol=fortinet

then it fails with

POST https://58.246.39.91:8899/remote/logincheck
Got HTTP response: HTTP/1.1 404 Not Found
Unexpected 404 result from server

I did try to change vpninfo inside fortinet.c

from

vpninfo->urlpath = strdup("remote/logincheck");

to

vpninfo->urlpath = strdup("logincheck");

vpninfo->urlpath = strdup("login");

and some other combinations, no luck. I used --dump-http-traffic but too much stuff is coming back for a non-Java-savvy person to find out whether the information I am looking for is there or not.

I do not know if this helps:

The official tool is called

UNIVPN CLIENT

http://www.leagsoft.com/doc/article/103107.html

(used S3.translator to see the info)

They have a version for Linux but it does not work on my Slackware 14.2 because of a library issue.
It does work on Slackware 15.0 but other SW does not work (CAD stuff), so I cannot do the migration right now.


---
Alfredo Tomasini
www.e-td55.com/company
(408) 886 1666

On 2024-04-14 16:02, Daniel Lenski wrote:

> On Fri, Apr 12, 2024 at 4:29 PM Alfredo Tomasini <alto.tom at e-td55.com> 
> wrote:
> 
>> I am trying to get a vpn connection to our pattern in China
> 
> What does this mean? (Maybe you meant PARTNER in China... maybe not?)
> 
>> by using
>> openconnect
> 
> Specifically, you're using OpenConnect v9.01 according to your logs.
> Released just about 2 years ago, and bundled with many Linux
> distributions.
> 
>> this is the error
>> 
>> XML response has no "auth" node
>> 
>> Failed to complete authentication
>> 
>> never get to login and password
>> 
>> The server is not configured to use certificates
>> 
>> I am not an expert on this subject, but by looking at the header of
>> the dump it seems the connection happens, but something is not
>> interpreted properly.
> 
> It appears very likely that this is
> https://gitlab.com/openconnect/openconnect/-/issues/665.
> 
> Try adding `--user-agent="AnyConnect"` to the command-line.
> 
> If that makes it work, then yes it is this frustrating issue caused by
> Cisco changing their servers' authentication process in a
> backwards-incompatible way... not just incompatible with all previous
> versions of OpenConnect, but also with very old versions of their
> *own* software. This is fixed in the master branch as of
> https://gitlab.com/openconnect/openconnect/-/merge_requests/497, but
> not yet in any released version of OpenConnect.


