Getting started

Paul Floyd paulf at
Thu Dec 10 16:19:12 EST 2009

David Woodhouse wrote:
> On Thu, 2009-12-10 at 09:45 +0100, Paul Floyd wrote:
>>On Windows, as far as I can tell, it's a certificate plus the AnyConnect client
>>asks for a password. I'm not sure that I can count on much help from my
>>employer, as only AnyConnect on Windows and RHEL are officially supported.
>>[getting certificate]
> How do you go about getting a cert for RHEL? That's probably easier to
> deal with. I believe that the official AnyConnect client on Linux
> doesn't cope with any form of certificate storage other than
> _unencrypted_ in the user's firefox certificate store -- and you can
> just export it from there.


I haven't gotten that far yet (I have Fedora 11 on the same PC, which 
ought to work).

In any case, I've figured out the jailbreak issue [I had run the mmc 
plugin rather than the jailbreak exe which should run the plugin], and 
so have managed to progress a bit.

Now I get this

Attempting to connect to [vpn gateway]
Enter PKCS#12 pass phrase:
SSL negotiation with [vpn gateway]
Connected to HTTPS on [vpn gateway]
GET [vpn gateway]/
Attempting to connect to [vpn gateway]
SSL negotiation with [vpn gateway]
Connected to HTTPS on [vpn gateway]
GET [vpn gateway]/+webvpn+/index.html
GET [vpn gateway]/CACHE/sdesktop/install/binaries/sfinst
Trying to run Linux CSD trojan script.GET [vpn gateway]/+CSCOE+/sde
/tmp/csdaMaWRb: syntax error at line 3: `MARKER=$' unexpected
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET [vpn gateway]/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
[many repeats]
Error fetching HTTPS response

Here's the start of /tmp/csdaMaWRb

MARKER=$((`grep -an "[B]EGIN\ ARCHIVE" $0 | cut -d ":" -f 1` + 1))

Is that some broken shell script that my company's vpn server is trying 
to run on my machine? Assuming it is, then it seems to be trying to 
extract a Linux or Darwin binary (only). Ho hum. I would have preferred 
to use (Open)Solaris, but there's not a snowball's chance in hell that 
our IT dept will bother to support it.

Now on to the Mac version. Seems to get even further, asking me for my 

CSTP connected. DPD 10, Keepalive 300
open tun: No such file or directory

Next, I installed TunTap. Now I can connect. I get this message

add net xxx: gateway ggg [x several]
SSL_set_session() failed with old protocol version 0x100
Your OpenSSL may lack Cisco compatibility support
Use the --no-dtls command line option to avoid this message
Set up DTLS failed; using SSL instead

I suppose that isn't too serious?

nslookup works, but if I run vpnclient with a hostname I get

  main:        unable to resolve host by name: No such file or directory (2)

When I'm not connected, my /etc/resolv.conf contains


and this remains, but with my employer's domain added to the line. That 
doesn't seem right to me (though perhaps harmless).

And when I disconnect
^CSend BYE packet: Client received SIGINT
route: writing to routing socket: No such process
delete net default: not in table

Thanks for the quick help so far.


Paul Floyd       
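The MARKER line quoted above is the self-extractor locating its payload: grep -n reports the line number of the BEGIN ARCHIVE separator and the script adds one to get the first payload line. The following is an added example, not code from the post or from the CSD script itself: it constructs a small sample self-extractor, shows the original arithmetic form beside a portable expr(1) rewrite, and extracts the payload. It assumes, as the quoted syntax error suggests, that the failing /bin/sh was a Bourne shell without $((...)) arithmetic expansion.

```shell
#!/bin/sh
# Added example: how a self-extracting shell script such as the CSD one
# finds its embedded archive, and a portable rewrite of its MARKER line.
# The sample script below is constructed here, not Cisco's real script.

# Write a small constructed self-extractor to work on; "BEGIN ARCHIVE"
# is the separator between the shell stub and the payload.
make_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
# stub line 2
MARKER=$((`grep -an "[B]EGIN ARCHIVE" $0 | cut -d ":" -f 1` + 1))
tail -n +$MARKER $0 > "$TMPDIR/payload"
exit 0
BEGIN ARCHIVE
payload line 1
payload line 2
EOF
}

# Original form: $((...)) is POSIX arithmetic expansion, accepted by bash,
# ksh and dash but not by a Bourne-only /bin/sh, which stops with
# "`MARKER=$' unexpected" as in the post.
marker_arith() {
    echo $((`grep -an "[B]EGIN ARCHIVE" "$1" | cut -d ":" -f 1` + 1))
}

# Portable form: the "[B]" in the pattern keeps grep from matching the
# grep command line inside the script, and expr(1) does the +1 without
# needing $((...)).
marker_portable() {
    line=`grep -an "[B]EGIN ARCHIVE" "$1" | cut -d ":" -f 1`
    if [ -z "$line" ]; then
        echo "no BEGIN ARCHIVE marker in $1" >&2
        return 1
    fi
    expr "$line" + 1
}

# Everything after the marker line is the payload the stub would unpack.
extract_payload() {
    m=`marker_portable "$1"` || return 1
    tail -n +"$m" "$1"
}
```

On the constructed sample the marker sits on line 6, so both forms return 7 and extract_payload prints the two payload lines.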
