ocserv HEAD with iOS 6.1.2 fails after successful cert auth

Jason Cooper jason at lakedaemon.net
Thu Feb 28 07:46:17 EST 2013

On Thu, Feb 28, 2013 at 08:44:27AM +0100, Nikos Mavrogiannopoulos wrote:
> On 02/27/2013 08:47 PM, Jason Cooper wrote:
> >> I don't think you're missing anything. This server was designed to
> >> provide whatever openconnect was using. It could be that the anyconnect
> >> client is more picky. Does this client have a debug mode, or does it
> >> output anything helpful?
> > I get "Banner Success", then a split second later, "The VPN client failed
> > to establish a connection."  No debug mode, sorry.
> I've tried with the android client and I have the same issue. The debug
> log prints these messages:
> * TUN fd was invalid returning not handled
> * tunnel was not in connected state at the end if initiateTunnel(),
> ignoring (handled elsewhere)

Well, it's good to know I'm not doing anything wrong.  I'll see if I can
get a working setup with the openconnect client today.

> That doesn't make sense to me. Anyway making it compatible with the cisco
> anyconnect servers is something beyond my reach. I think it makes more
> sense to port the openconnect client to android (and iphone for that
> matter)...

I agree, but for that I believe we would have to convince David (and
contributors) to dual license openconnect.  My current understanding of
the iOS app development is that it is hostile to anything with "GPL" in
it.  I have seen several open source apps in the app store that are
BSD/MIT/etc, though.  Definitely worth pursuing purely from a security
pov.  I'd much prefer to use openconnect over anyconnect.

A good person to ask may be Chris Ballinger, author of ChatSecure [1].
His code on github [2] is GPLv3+, but he mentions in his readme [3]
relicensing it for the app store.

fwiw, I've been using the iOS configuration utility to configure my vpn
and other options.  It has a VPN type "Other SSL" which lets you
reference a separate app, and pass it the needed config items.  It also
has options for certs and the critical piece for me, On-Demand.  The end
result is an XML (ugh) file you load on your device.



[1] https://chatsecure.org/
[2] https://github.com/chrisballinger/Off-the-Record-iOS
[3] https://github.com/chrisballinger/Off-the-Record-iOS/blob/master/README.md

More information about the openconnect-devel mailing list