From g.rod at me.com Wed Mar 5 20:46:21 2025
From: g.rod at me.com (Gerardo Rodríguez Gutiérrez)
Date: Wed, 5 Mar 2025 21:46:21 -0700
Subject: Anyconnect from FreeBSD 14.x
Message-ID: <3FB58C3B-BCEE-42D9-A90E-B56DC83B26DE@me.com>

Hi,

Do you have an example on how to connect to anyconnect from a FreeBSD
14.x? I haven't found any example on Google.

Thanks in advance

From dwmw2 at infradead.org Thu Mar 6 00:50:13 2025
From: dwmw2 at infradead.org (David Woodhouse)
Date: Thu, 06 Mar 2025 08:50:13 +0000
Subject: Anyconnect from FreeBSD 14.x
In-Reply-To: <3FB58C3B-BCEE-42D9-A90E-B56DC83B26DE@me.com>
References: <3FB58C3B-BCEE-42D9-A90E-B56DC83B26DE@me.com>
Message-ID: <17bb0402a9a0e943efd41179a0fb52fda5d305d6.camel@infradead.org>

On Wed, 2025-03-05 at 21:46 -0700, Gerardo Rodríguez Gutiérrez wrote:
> Hi,
>
> Do you have an example on how to connect to anyconnect from a FreeBSD
> 14.x?

As far as I'm aware, it should just work. There shouldn't be anything
FreeBSD-specific about it.

From nyeriah at outlook.de Tue Mar 18 06:38:59 2025
From: nyeriah at outlook.de (Maximilian Lennartz)
Date: Tue, 18 Mar 2025 13:38:59 +0000
Subject: F5 OAUTH
Message-ID:

Dear All,

First of all, thanks so much for your work on the OpenConnect project!

I've got access (as a client) to an F5 VPN server with OAUTH. On your F5
SSL VPN page it says you're looking for someone who has access to such a
server. Would you like to implement this function? If so, what
information do you need from me?

Best regards,
Max

From tdanhorn at fastmail.fm Wed Mar 19 20:14:07 2025
From: tdanhorn at fastmail.fm (Thomas Danhorn)
Date: Wed, 19 Mar 2025 21:14:07 -0600 (MDT)
Subject: New release?
Message-ID:

Hi guys,

Thank you for making a great tool.
I have been using it in conjunction with the NetworkManager plugin to
connect to a Palo Alto Global Protect VPN for the last couple of years,
and it worked great. For the last few months I have been using it with a
YubiKey. Recently, it suddenly stopped working (512 server error after
successful authentication), however, and through trying different
gp-saml-gui versions, I am pretty sure that the problem is that the SAML
and cookie from the server response are now only in the comment inside
the HTML page, and no longer in its header.

If I read the commit messages correctly, that seems to have been fixed 18
months ago (in commit 8c5d65889b), but there has been no new version tag
since 9.12 a few months earlier. Since Linux distros and packaging
services (e.g. openSUSE build service) go by the tags (since they signal
a stable version), there is no newer package than 9.12 available, and
that does not have the fix for the SAML-in-comment problem.

While I could probably compile the newest version from GitLab, it is
obviously easier to use a package, and I am not the only one with this
problem. I would therefore really appreciate it, if you could release
9.13 in the not-too-distant future. I'm getting by with gp-saml-gui, but
it is not as well integrated with NetworkManager and I don't have the
options that come with that, like routing only certain addresses through
the VPN, so I'm looking forward to the next version of openconnect.

Thank you very much!

Thomas

From wade.cline at intel.com Thu Mar 20 09:14:04 2025
From: wade.cline at intel.com (Cline, Wade)
Date: Thu, 20 Mar 2025 09:14:04 -0700
Subject: New release?
In-Reply-To:
References:
Message-ID:

On Wed, Mar 19, 2025 at 09:14:07PM -0600, Thomas Danhorn wrote:
> Hi guys,
>
> Thank you for making a great tool. I have been using it in conjunction with
> the NetworkManager plugin to connect to a Palo Alto Global Protect VPN for
> the last couple of years, and it worked great.
> For the last few months I
> have been using it with a YubiKey. Recently, it suddenly stopped working
> (512 server error after successful authentication), however, and through
> trying different gp-saml-gui versions, I am pretty sure that the problem is
> that the SAML and cookie from the server response are now only in the
> comment inside the HTML page, and no longer in its header.

Hi Thomas,

Have you tried adding '/portal:prelogin-cookie' to the 'Gateway' URL as
suggested in:

https://gitlab.gnome.org/GNOME/NetworkManager-openconnect/-/issues/130#note_2367443

Regards,
Wade

> If I read the commit messages correctly, that seems to have been fixed 18
> months ago (in commit 8c5d65889b), but there has been no new version tag
> since 9.12 a few months earlier. Since Linux distros and packaging services
> (e.g. openSUSE build service) go by the tags (since they signal a stable
> version), there is no newer package than 9.12 available, and that does not
> have the fix for the SAML-in-comment problem.
>
> While I could probably compile the newest version from GitLab, it is
> obviously easier to use a package, and I am not the only one with this
> problem. I would therefore really appreciate it, if you could release 9.13
> in the not-too-distant future. I'm getting by with gp-saml-gui, but it is
> not as well integrated with NetworkManager and I don't have the options that
> come with that, like routing only certain addresses through the VPN, so I'm
> looking forward to the next version of openconnect.
>
> Thank you very much!
>
> Thomas
>
> _______________________________________________
> openconnect-devel mailing list
> openconnect-devel at lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/openconnect-devel

From tdanhorn at fastmail.fm Thu Mar 20 23:10:33 2025
From: tdanhorn at fastmail.fm (Thomas Danhorn)
Date: Fri, 21 Mar 2025 00:10:33 -0600 (MDT)
Subject: New release?
In-Reply-To:
References:
Message-ID: <8fa1898d-ae85-2d87-2ba3-c6b3ca7220f8@fastmail.fm>

On Thu, 20 Mar 2025, Cline, Wade wrote:

> On Wed, Mar 19, 2025 at 09:14:07PM -0600, Thomas Danhorn wrote:
>> Hi guys,
>>
>> Thank you for making a great tool. I have been using it in conjunction with
>> the NetworkManager plugin to connect to a Palo Alto Global Protect VPN for
>> the last couple of years, and it worked great. For the last few months I
>> have been using it with a YubiKey. Recently, it suddenly stopped working
>> (512 server error after successful authentication), however, and through
>> trying different gp-saml-gui versions, I am pretty sure that the problem is
>> that the SAML and cookie from the server response are now only in the
>> comment inside the HTML page, and no longer in its header.
>
> Hi Thomas,
>
> Have you tried adding '/portal:prelogin-cookie' to the 'Gateway' URL as
> suggested in:
>
> https://gitlab.gnome.org/GNOME/NetworkManager-openconnect/-/issues/130#note_2367443
>
> Regards,
> Wade

Hi Wade,

Thank you very much for the quick response. I just tried with
'/portal:prelogin-cookie', and the results are interesting. The
university has two VPN servers for two campuses, and it works on one (at
the end of the process it asks me to choose a gateway, although there is
only one choice), but it still fails with the 512 error on the other (I
used identical configurations, except for the server name).
Unfortunately, the one that fails is the one I really need. I have not
looked at the SAML & cookie of the VPN server I can connect to, but I
know that for the failing one those things are only in the comment (not
the header).

Thanks,
Thomas

>
>> If I read the commit messages correctly, that seems to have been fixed 18
>> months ago (in commit 8c5d65889b), but there has been no new version tag
>> since 9.12 a few months earlier. Since Linux distros and packaging services
>> (e.g.
>> openSUSE build service) go by the tags (since they signal a stable
>> version), there is no newer package than 9.12 available, and that does not
>> have the fix for the SAML-in-comment problem.
>>
>> While I could probably compile the newest version from GitLab, it is
>> obviously easier to use a package, and I am not the only one with this
>> problem. I would therefore really appreciate it, if you could release 9.13
>> in the not-too-distant future. I'm getting by with gp-saml-gui, but it is
>> not as well integrated with NetworkManager and I don't have the options that
>> come with that, like routing only certain addresses through the VPN, so I'm
>> looking forward to the next version of openconnect.
>>
>> Thank you very much!
>>
>> Thomas

From kop at karlpinc.com Fri Mar 21 07:01:13 2025
From: kop at karlpinc.com (Karl O. Pinc)
Date: Fri, 21 Mar 2025 09:01:13 -0500
Subject: New release?
In-Reply-To: <8fa1898d-ae85-2d87-2ba3-c6b3ca7220f8@fastmail.fm>
References: <8fa1898d-ae85-2d87-2ba3-c6b3ca7220f8@fastmail.fm>
Message-ID: <20250321090113.088969a4@slate.karlpinc.com>

Hi Thomas,

On Fri, 21 Mar 2025 00:10:33 -0600 (MDT)
Thomas Danhorn wrote:

> On Thu, 20 Mar 2025, Cline, Wade wrote:
>
> > On Wed, Mar 19, 2025 at 09:14:07PM -0600, Thomas Danhorn wrote:
> >> Hi guys,
> >>
> >> Thank you for making a great tool. I have been using it in
> >> conjunction with the NetworkManager plugin to connect to a Palo
> >> Alto Global Protect VPN for the last couple of years, and it
> >> worked great. For the last few months I have been using it with a
> >> YubiKey.
> >> Recently, it suddenly stopped working (512 server error
> >> after successful authentication), however, and through trying
> >> different gp-saml-gui versions, I am pretty sure that the problem
> >> is that the SAML and cookie from the server response are now only
> >> in the comment inside the HTML page, and no longer in its header.

> > Have you tried adding '/portal:prelogin-cookie' to the 'Gateway'
> > URL as suggested in:
> >
> > https://gitlab.gnome.org/GNOME/NetworkManager-openconnect/-/issues/130#note_2367443

> Thank you very much for the quick response. I just tried with
> '/portal:prelogin-cookie', and the results are interesting. The
> university has two VPN servers for two campuses, and it works on one
> (at the end of the process it asks me to choose a gateway, although
> there is only one choice), but it still fails with the 512 error on
> the other (I used identical configurations, except for the server
> name). Unfortunately, the one that fails is the one I really need. I
> have not looked at the SAML & cookie of the VPN server I can connect
> to, but I know that for the failing one those things are only in the
> comment (not the header).

> >> If I read the commit messages correctly, that seems to have been
> >> fixed 18 months ago (in commit 8c5d65889b), but there has been no
> >> new version tag since 9.12 a few months earlier. Since Linux
> >> distros and packaging services (e.g. openSUSE build service) go by
> >> the tags (since they signal a stable version), there is no newer
> >> package than 9.12 available, and that does not have the fix for
> >> the SAML-in-comment problem.
> >>
> >> While I could probably compile the newest version from GitLab, it
> >> is obviously easier to use a package, and I am not the only one
> >> with this problem. I would therefore really appreciate it, if you
> >> could release 9.13 in the not-too-distant future.
> >> I'm getting by
> >> with gp-saml-gui, but it is not as well integrated with
> >> NetworkManager and I don't have the options that come with that,
> >> like routing only certain addresses through the VPN, so I'm
> >> looking forward to the next version of openconnect.

As an FYI, while working on PR !564 I also saw SAML cookie
information only as an HTML comment, and I also got a 512 error
after successful portal authentication. This, from memory, is
because the 2nd SAML auth failed at the gateway. Which suggests
to me that _maybe_ your failed VPN connection is because
your failed VPN connection is doing double SAML authentication.

If this is the case then a new release, even if PR !564 is included,
will likely _not_ leave you able to use either Network Manager
or gp-saml-gui. Because, I suspect, both will need adjustments
to handle double-SAML authentication.

One way to tell is to compile a version with PR !564 incorporated
and see if working from the command line will successfully connect.

Another way is to use the arguments that show all the HTML and
headers that go back and forth and look for a second SAML cookie,
on the gateway, after the first authentication to the portal
succeeds. (There might be a way to do this without working from
the command line, but the command line seems easiest.)

Someone here may be able to help interpret the HTML+headers
if that's an issue for you.

Good luck.

Regards,

Karl
Free Software: "You don't pay back, you pay forward."
                 -- Robert A. Heinlein

From connect.mahdi at proton.me Fri Mar 28 13:22:53 2025
From: connect.mahdi at proton.me (Connect by Mahdi)
Date: Fri, 28 Mar 2025 20:22:53 +0000
Subject: Fw: VPN connection with Fortinet SSL VPN Protocol fails
In-Reply-To:
References:
Message-ID:

As per instructions given in https://www.infradead.org/openconnect/mail.html ,
I have forwarded my mail here.
In hope for some help to resolve my issue.

I do apologize for any inconvenience to the people whom I wrote by mail
directly below.

Thank you for any help, feedback or advice

------- Forwarded Message -------
From: Connect by Mahdi
Date: Friday, 28 March 2025 at 6:15 PM
Subject: VPN connection with Fortinet SSL VPN Protocol fails
To: dlenski at gmail.com , me at wzray.com

> > VPN connection with Fortinet SSL VPN Protocol fails
> >
> > Hi,
> >
> > Thank you for your App which seems a great alternative to FORTINET's closed source one.
> >
> > I am not used to GitLab so I doubt, that I opened the issue at the right place. I hope this mail might help me resolve the issue.
> >
> > Open Issue created 3 days ago
> > by @connect.mahdi
> >
> > Using the App fetched from F-Droid: https://f-droid.org/repository/browse/?fdid=net.openconnect_vpn.android
> > Android version 10/11 , it is EMUI 12 on Huawei mobile device
> > App version: OpenConnect for Android v1.12
> > Native non rooted device.
> >
> > Protocol used: Fortinet SSL VPN
> >
> > All the parameters have been tested successfully under Linux with command line interface:
> > $ sudo openconnect --protocol=fortinet --user="xxx"
> >
> > But on Android the App fails to connect.
> > Due to security reasons I don't know how and what to share from the App's log to help resolve the issue ?
> > Obviously I won't share xxx, nor above.
> >
> > I can't tell from the logs at which point the App's logs successfully and when it fails
> > The App's Logs ends with:
> > "ROUTE: split tunnel list is empty; check your VPN settings (1)"
> > "Exception during establish(): At least one address must be specified"
> > "VPN terminated with errors"
> >
> > (1) but no settings combination succeeds for split tunnel (Auto, VPN, uplink).
> >
> > On Linux I do not need to provide any split address; once the VPN is established, I can connect to which distinct from with a separate command.
> >
> > On Android , the App almost instantly after login is in Disconnected state
> > What am I missing ???
> >
> > Should I write a mail with logs to an address mentioned in App > About OpenConnect ? What should be redacted from the logs ?
> >
> > Thank you for your help !
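
An added example, not part of any message in this archive and not OpenConnect or gp-saml-gui code: a sketch of the check Karl describes in the "New release?" thread, reporting for each saved server reply whether the SAML result fields arrive as HTTP headers or only inside an HTML comment, and which stages (portal, gateway) returned them. The field names other than `prelogin-cookie`, the tags-inside-a-comment layout and the sample replies are assumptions constructed for illustration; the functions return only locations, never field values.

```python
import re
from email.parser import Parser

# 'prelogin-cookie' is named in the thread; the other two field names are
# assumptions about what a GlobalProtect SAML reply carries.
FIELDS = ("prelogin-cookie", "saml-username", "saml-auth-status")

def locate_saml_fields(raw_response):
    """Map each field to 'header', 'comment', 'both' or None (values are never returned)."""
    text = raw_response.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    _status_line, _, header_block = head.partition("\n")
    headers = Parser().parsestr(header_block, headersonly=True)
    comments = " ".join(re.findall(r"<!--(.*?)-->", body, flags=re.S))
    found = {}
    for name in FIELDS:
        in_header = headers.get(name) is not None
        in_comment = re.search(r"<%s>[^<]*</%s>" % (name, name), comments) is not None
        found[name] = ("both" if in_header and in_comment else
                       "header" if in_header else
                       "comment" if in_comment else None)
    return found

def saml_stages(exchange):
    """Stages (e.g. 'portal', 'gateway') whose reply carried any SAML field.
    Two stages in the result points at the double-SAML case from the thread."""
    return [stage for stage, raw in exchange
            if any(locate_saml_fields(raw).values())]

# Constructed sample replies (not captured from any real server).
COMMENT_ONLY_REPLY = (
    "HTTP/1.1 200 OK\nContent-Type: text/html\n\n"
    "<html><body>Login Successful!\n"
    "<!-- <saml-auth-status>1</saml-auth-status>"
    "<prelogin-cookie>EXAMPLE</prelogin-cookie>"
    "<saml-username>user@example.org</saml-username> -->\n"
    "</body></html>\n"
)
HEADER_REPLY = (
    "HTTP/1.1 200 OK\nsaml-auth-status: 1\nprelogin-cookie: EXAMPLE\n"
    "saml-username: user@example.org\n\n"
    "<html><body>Login Successful!</body></html>\n"
)
PLAIN_REPLY = "HTTP/1.1 200 OK\nContent-Type: text/html\n\n<html><body>ok</body></html>\n"

if __name__ == "__main__":
    print(locate_saml_fields(COMMENT_ONLY_REPLY))
    print(saml_stages([("portal", COMMENT_ONLY_REPLY), ("gateway", COMMENT_ONLY_REPLY)]))
```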