Getting started

David Woodhouse dwmw2 at infradead.org
Thu Dec 10 16:39:01 EST 2009 

On Thu, 2009-12-10 at 22:19 +0100, Paul Floyd wrote:
> David Woodhouse wrote:
> > On Thu, 2009-12-10 at 09:45 +0100, Paul Floyd wrote:
> > 
> >>On Windows, as far as I can tell, it's a certificate plus the AnyConnect client
> >>asks for a password. I'm not sure that I can count on much help from my
> >>employer, as only AnuConnect on Windows and RHEL are officially supported.
> >>
> >>[getting certificate]
> > 
> > 
> > How do you go about getting a cert for RHEL? That's probably easier to
> > deal with. I believe that the official AnyConnect client on Linux
> > doesn't cope with any form of certificate storage other than
> > _unencrypted_ in the user's firefox certificate store -- and you can
> > just export it from there.
> 
> Hi
> 
> I haven't gotten that far yet (I have Fedora 11 on the same PC, which 
> ought to work).
> 
> In any case, I've figured out the jailbreak issue [I had run the mmc 
> plugin rather than the jailbreak exe which should run the plugin], and 
> so have managed to progress a bit.
> 
> Now I get this
> 
> Attempting to connect to [vpn gateway]
> Enter PKCS#12 pass phrase:
> SSL negotiation with [vpn gateway]
> Connected to HTTPS on [vpn gateway]
> GET [vpn gateway]/
> Attempting to connect to [vpn gateway]
> SSL negotiation with [vpn gateway]
> Connected to HTTPS on [vpn gateway]
> GET [vpn gateway]/+webvpn+/index.html
> GET [vpn gateway]/CACHE/sdesktop/install/binaries/sfinst
> Trying to run Linux CSD trojan script.GET [vpn gateway]/+CSCOE+/sde
> ait.html
> /tmp/csdaMaWRb: syntax error at line 3: `MARKER=$' unexpected
> Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
> GET [vpn gateway]/+CSCOE+/sdesktop/wait.html
> Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
> [many repeates]
> Error fetching HTTPS response
> 
> Here's the start of /tmp/csdaMaWRb
> 
> #!/bin/sh
> #
> MARKER=$((`grep -an "[B]EGIN\ ARCHIVE" $0 | cut -d ":" -f 1` + 1))
> 
> Is that some broken shell script that my company's vpn server is trying 
> to run on my machine? Assuming it is, then it seems to be trying to 
> extract a Linux or Darwin binary (only). Ho hum. I would have preferred 
> to use (Open)Solaris, but there's not a snowball's chance in hell that 
> out IT dept will bother to support it.

Can't you run Linux binaries on Solaris? Other people have been looking
into what that shell script is actually doing, and it should be fairly
simple to just make something that posts an 'Accepted' or 'OK' response
to let you login proceed.

> Now on to the Mac version. Seems to get even further, asking me for my 
> group/user/password.
> 
> Then
> CSTP connected. DPD 10, Keepalive 300
> open tun: No such file or directory
> 
> Next, I installed TunTap. Now I can connect. I get this message
> 
> add net xxx: gateway ggg [x several]
> SSL_set_session() failed with old protocol version 0x100
> Your OpenSSL may lack Cisco compatibility support
> See http://rt.openssl.org/Ticket/Display.html?id=1751
> Use the --no-dtls command line option to avoid this message
> Set up DTLS failed; using SSL instead
> 
> I suppose that isn't too serious?

No, it should work without; just less efficiently. The openconnect web
page has a link to an explanation of why TCP over TCP is bad.

> Though nslookup works but if I run vpnclient with a hostname I get
> 
>   main:        unable to resolve host by name: No such file or directory (2)
> 
> When I'm not connected, my /etc/resolv.conf contains
> 
> search orange.fr
> 
> and this remains, but with my employer's domain added to the line. That 
> doesn't seem right to me (though perhaps harmless).

Harmless. Do you have nameservers listed in the file?

By default, openconnect won't do any routing setup. It expects you to
use a script for that, and it's compatible with the one from vpnc. Did
you use that?

> And when I disconnect
> ^CSend BYE packet: Client received SIGINT
> route: writing to routing socket: No such process
> delete net default: not in table

Does look like you're using some kind of routing script.

So what does the routing look like when you're connected? Can you try
basic IP connectivity first, and then debug DNS once you've sure that's
working?

-- 
dwmw2

More information about the openconnect-devel mailing list