Can not establish a connection.
Jeremy Hou
jeremy.hou at me.com
Thu Mar 20 01:56:29 EDT 2014
Hi,
I just installed ocserv, I modified the sample.config and generated the cert through the manual.
I use Anyconnect.app on my iPhone to connect to the server, but the connection could not be established successfully, it seems the connection was lost right after the IP was assigned.
Here is the log on my server:
rankjie at rankjie:/etc/ocserv$ sudo ocserv -fdc sample.config
Skipping unknown option 'mobile-dpd'
listening (TCP) on 0.0.0.0:443...
listening (UDP) on 0.0.0.0:443...
ocserv[22445]: [main] initialized ocserv 0.3.1
ocserv[22446]: sec-mod initialized (socket: /var/run/ocserv-socket.22445)
ocserv[22447]: 114.242.249.148:30337 accepted connection
ocserv[22447]: GnuTLS error (at worker-vpn.c:699): A TLS fatal alert has been received.: Unknown certificate
ocserv[22445]: 114.242.249.148:30337 main-misc.c:469: command socket closed
ocserv[22452]: 114.242.249.148:30338 accepted connection
ocserv[22446]: sec-mod received request from pid 22452 and uid 65534
ocserv[22452]: 114.242.249.148:30338 sending message 'resume data store request' to main
ocserv[22445]: 114.242.249.148:30338 main received message 'resume data store request' of 258 bytes
ocserv[22445]: 114.242.249.148:30338 TLS session DB storing 2e3818a32644a7828d542dfa1a35272095342fe631654a3baf327917dc4d77bc
ocserv[22452]: 114.242.249.148:30338 TLS handshake completed
ocserv[22452]: 114.242.249.148:30338 cannot find username in client XML message
ocserv[22452]: 114.242.249.148:30338 failed reading username
ocserv[22452]: 114.242.249.148:30338 sent sid: FWAAVg0tAFTAUqfN
ocserv[22452]: 114.242.249.148:30338 received sid: FWAAVg0tAFTAUqfN
ocserv[22452]: 114.242.249.148:30338 updating SID
ocserv[22452]: 114.242.249.148:30338 sending message 'auth init' to main
ocserv[22445]: 114.242.249.148:30338 main received message 'auth init' of 29 bytes
ocserv[22445]: 114.242.249.148:30338 auth init set SID to FWAAVg0tAFTAUqfN
ocserv[22445]: 114.242.249.148:30338 auth init for user 'rankjie' from '114.242.249.148:30338'
ocserv[22445]: 114.242.249.148:30338 sending message 'auth reply' to worker
ocserv[22452]: 114.242.249.148:30338 received auth reply message (value: 2)
ocserv[22452]: 114.242.249.148:30338 continuing authentication for ''
ocserv[22452]: 114.242.249.148:30338 received sid: FWAAVg0tAFTAUqfN
ocserv[22452]: 114.242.249.148:30338 sending message 'auth request' to main
ocserv[22445]: 114.242.249.148:30338 main received message 'auth request' of 10 bytes
ocserv[22445]: 114.242.249.148:30338 auth req for user 'rankjie'
ocserv[22445]: 114.242.249.148:30338 accepting user 'rankjie'
ocserv[22445]: 114.242.249.148:30338 auth deinit for user 'rankjie'
ocserv[22445]: 114.242.249.148:30338 No user configuration for 'rankjie'
ocserv[22445]: 114.242.249.148:30338 selected IP for 'rankjie': 192.168.1.144
ocserv[22445]: 114.242.249.148:30338 selected IP for 'rankjie': fe80::94:1634:9100%2696246856
ocserv[22445]: 114.242.249.148:30338 assigned IPv4 to 'rankjie': 192.168.1.145
ocserv[22445]: 114.242.249.148:30338 assigned IPv6 to 'rankjie': fe80::94:1634:9101%2696246856
ocserv[22445]: 114.242.249.148:30338 assigning tun device vpns0
ocserv[22445]: 114.242.249.148:30338 user 'rankjie' of group '[unknown]' authenticated
ocserv[22445]: 114.242.249.148:30338 sending (socket) message 2 to worker
ocserv[22452]: 114.242.249.148:30338 received auth reply message (value: 1)
ocserv[22452]: 114.242.249.148:30338 user 'rankjie' logged in
ocserv[22463]: 114.242.249.148:30340 accepted connection
ocserv[22446]: sec-mod received request from pid 22463 and uid 65534
ocserv[22463]: 114.242.249.148:30340 sending message 'resume data store request' to main
ocserv[22445]: 114.242.249.148:30340 main received message 'resume data store request' of 278 bytes
ocserv[22445]: 114.242.249.148:30340 TLS session DB storing 6a583b86b2ce2db23094ab02b4fdc93dfd12b7d9857c5ee4c631b3bb03a6858b
ocserv[22463]: 114.242.249.148:30340 TLS handshake completed
ocserv[22463]: 114.242.249.148:30340 unexpected URL /+CSCOT+/translation-table?type=combined-manifest&textdomain=AnyConnect
ocserv[22445]: 114.242.249.148:30340 main-misc.c:469: command socket closed
ocserv[22464]: 114.242.249.148:30341 accepted connection
ocserv[22446]: sec-mod received request from pid 22464 and uid 65534
ocserv[22464]: GnuTLS error (at worker-vpn.c:699): Error in the pull function.
ocserv[22445]: 114.242.249.148:30341 main-misc.c:469: command socket closed
ocserv[22465]: 114.242.249.148:30342 accepted connection
ocserv[22446]: sec-mod received request from pid 22465 and uid 65534
ocserv[22465]: 114.242.249.148:30342 sending message 'resume data store request' to main
ocserv[22445]: 114.242.249.148:30342 main received message 'resume data store request' of 258 bytes
ocserv[22445]: 114.242.249.148:30342 TLS session DB storing f18cd4253f670e6f001df4cbf961a7edd1b17125dca1d52c71f7f29c46157c3f
ocserv[22465]: 114.242.249.148:30342 TLS handshake completed
ocserv[22465]: 114.242.249.148:30342 sending message 'auth cookie request' to main
ocserv[22445]: 114.242.249.148:30342 main received message 'auth cookie request' of 261 bytes
ocserv[22445]: 114.242.249.148:30342 accepting user 'rankjie'
ocserv[22445]: 114.242.249.148:30342 auth deinit for user 'rankjie'
ocserv[22445]: 114.242.249.148:30338 disconnecting 'rankjie' due to new cookie connection
ocserv[22445]: 114.242.249.148:30342 No user configuration for 'rankjie'
ocserv[22445]: 114.242.249.148:30342 assigned IPv4 to 'rankjie': 192.168.1.145
ocserv[22445]: 114.242.249.148:30342 assigned IPv6 to 'rankjie': fe80::94:1634:9101%2696246856
ocserv[22445]: 114.242.249.148:30342 assigning tun device vpns1
ocserv[22445]: 114.242.249.148:30342 user 'rankjie' of group '[unknown]' re-authenticated (using cookie)
ocserv[22445]: 114.242.249.148:30342 sending (socket) message 2 to worker
ocserv[22465]: 114.242.249.148:30342 received auth reply message (value: 1)
ocserv[22465]: 114.242.249.148:30342 sending IPv4 192.168.1.145
ocserv[22465]: 114.242.249.148:30342 sending IPv6 fe80::94:1634:9101%2696246856
ocserv[22465]: 114.242.249.148:30342 adding split DNS example.com
ocserv[22465]: 114.242.249.148:30342 adding route 192.168.1.0/255.255.255.0
ocserv[22465]: 114.242.249.148:30342 peer's CSTP MTU is 1356 (ignored)
ocserv[22465]: 114.242.249.148:30342 TCP MSS is 1385
ocserv[22465]: 114.242.249.148:30342 reducing MTU due to TCP MSS to 1377
ocserv[22465]: 114.242.249.148:30342 DTLS ciphersuite: AES128-SHA
ocserv[22465]: 114.242.249.148:30342 peer's DTLS MTU is 1356 (overhead: 95)
ocserv[22465]: 114.242.249.148:30342 suggesting DTLS MTU 1311
ocserv[22465]: 114.242.249.148:30342 suggesting CSTP MTU 1311
ocserv[22465]: 114.242.249.148:30342 plaintext MTU is 1376
ocserv[22465]: 114.242.249.148:30342 sending message 'tun mtu change' to main
ocserv[22465]: 114.242.249.148:30342 setting MTU to 1376
ocserv[22445]: 114.242.249.148:30342 main received message 'tun mtu change' of 3 bytes
ocserv[22445]: 114.242.249.148:30342 setting vpns1 MTU to 1376
ocserv[22465]: 114.242.249.148:30342 sending message 'session info' to main
ocserv[22465]: 114.242.249.148:30342 reducing MTU due to TCP MSS to 1356
ocserv[22445]: 114.242.249.148:30342 main received message 'session info' of 51 bytes
ocserv[22465]: 114.242.249.148:30342 sending message 'tun mtu change' to main
ocserv[22465]: 114.242.249.148:30342 setting MTU to 1355
ocserv[22445]: 114.242.249.148:30342 main received message 'tun mtu change' of 3 bytes
ocserv[22445]: 114.242.249.148:30342 setting vpns1 MTU to 1355
ocserv[22465]: 114.242.249.148:30342 sending 48 byte(s)
ocserv[22465]: 114.242.249.148:30342 sending 76 byte(s)
ocserv[22465]: 114.242.249.148:30342 received 120 byte(s) (TLS)
ocserv[22465]: 114.242.249.148:30342 received BYE packet; exiting
ocserv[22445]: 114.242.249.148:30342 main-misc.c:469: command socket closed
ocserv[22445]: 114.242.249.148:30338 main-misc.c:469: command socket closed
======================================
And here is my sample.config:
#mtu = 1356
# User authentication method. Could be set multiple times and in that case
# all should succeed.
# Options: certificate, pam.
#auth = "certificate"
auth = "plain[/etc/ocpwd]"
#auth = "pam"
# A banner to be displayed on clients
#banner = "Welcome"
# Use listen-host to limit to specific IPs or to the IPs of a provided hostname.
#listen-host = [IP|HOSTNAME]
# Limit the number of clients. Unset or set to zero for unlimited.
#max-clients = 1024
max-clients = 0
# Limit the number of client connections to one every X milliseconds
# (X is the provided value). Set to zero for no limit.
#rate-limit-ms = 100
# Limit the number of identical clients (i.e., users connecting multiple times)
# Unset or set to zero for unlimited.
max-same-clients = 0
# TCP and UDP port number
tcp-port = 443
udp-port = 443
# Keepalive in seconds
keepalive = 32400
# Dead peer detection in seconds
dpd = 440
mobile-dpd = 1800
# MTU discovery (DPD must be enabled)
try-mtu-discovery = true
# The key and the certificates of the server
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
# or pkcs11:object=my-vpn-key;object-type=private)
#
# There may be multiple certificate and key pairs and each key
# should correspond to the preceding certificate.
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem
# Diffie-Hellman parameters. Only needed if you require support
# for the DHE ciphersuites (by default this server supports ECDHE).
# Can be generated using:
# certtool --generate-dh-params --outfile /path/to/dh.pem
#dh-params = /path/to/dh.pem
# If you have a certificate from a CA that provides an OCSP
# service you may provide a fresh OCSP status response within
# the TLS handshake. That will prevent the client from connecting
# independently on the OCSP server.
# You can update this response periodically using:
# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
# Make sure that you replace the following file in an atomic way.
#ocsp-response = /path/to/ocsp.der
# In case PKCS #11 or TPM keys are used the PINs should be available
# in files. The srk-pin-file is applicable to TPM keys only (It's the storage
# root key).
#pin-file = /path/to/pin.txt
#srk-pin-file = /path/to/srkpin.txt
# The Certificate Authority that will be used
# to verify clients if certificate authentication
# is set.
#ca-cert = /path/to/ca.pem
# The object identifier that will be used to read the user ID in the client certificate.
# The object identifier should be part of the certificate's DN
# Useful OIDs are:
# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
#cert-user-oid = 0.9.2342.19200300.100.1.1
# The object identifier that will be used to read the user group in the client
# certificate. The object identifier should be part of the certificate's DN
# Useful OIDs are:
# OU (organizational unit) = 2.5.4.11
#cert-group-oid = 2.5.4.11
# A revocation list of ca-cert is set
#crl = /path/to/crl.pem
# GnuTLS priority string
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
# To enforce perfect forward secrecy (PFS) on the main channel.
#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
# The time (in seconds) that a client is allowed to stay connected prior
# to authentication
auth-timeout = 40
# The time (in seconds) that a client is not allowed to reconnect after
# a failed authentication attempt.
#min-reauth-time = 2
# Cookie validity time (in seconds)
# Once a client is authenticated he's provided a cookie with
# which he can reconnect. This option sets the maximum lifetime
# of that cookie.
cookie-validity = 86400
# ReKey time (in seconds)
# ocserv will ask the client to refresh keys periodically once
# this amount of seconds is elapsed. Set to zero to disable.
rekey-time = 86400
# Script to call when a client connects and obtains an IP
# Parameters are passed on the environment.
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON
# may be "connect" or "disconnect".
#connect-script = /usr/bin/myscript
#disconnect-script = /usr/bin/myscript
# UTMP
use-utmp = true
# D-BUS usage. If disabled occtl tool cannot be used. If enabled
# then ocserv must have access to register org.infradead.ocserv
# D-BUS service. See doc/dbus/org.infradead.ocserv.conf
use-dbus = true
# PID file. It can be overriden in the command line.
pid-file = /var/run/ocserv.pid
# The default server directory. Does not require any devices present.
#chroot-dir = /path/to/chroot
# socket file used for IPC, will be appended with .PID
# It must be accessible within the chroot environment (if any)
socket-file = /var/run/ocserv-socket
# The user the worker processes will be run as. It should be
# unique (no other services run as this user).
run-as-user = nobody
run-as-group = daemon
# Set the protocol-defined priority (SO_PRIORITY) for packets to
# be sent. That is a number from 0 to 6 with 0 being the lowest
# priority. Alternatively this can be used to set the IP Type-
# Of-Service, by setting it to a hexadecimal number (e.g., 0x20).
# This can be set per user/group or globally.
#net-priority = 3
# Set the VPN worker process into a specific cgroup. This is Linux
# specific and can be set per user/group or globally.
#cgroup = "cpuset,cpu:test"
# Network settings
device = vpns
# The default domain to be advertised
default-domain = example.com
ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0
# dns = 192.168.2.1
dns = 8.8.8.8
dns = fe80::1
# The NBNS server (if any)
#nbns = 192.168.2.3
# The IPv6 subnet prefix
ipv6-network = fe80::
ipv6-prefix = 16
# The domains over which the provided DNS should be used. Use
# multiple lines for multiple domains.
split-dns = example.com
# Prior to leasing any IP from the pool ping it to verify that
# it is not in use by another (unrelated to this server) host.
ping-leases = false
# Leave empty to assign the default MTU of the device
# mtu =
# Unset to enable bandwidth restrictions (in bytes/sec). The
# setting here is global, but can also be set per user or per group.
#rx-data-per-sec = 40960
#tx-data-per-sec = 40960
# The number of packets (of MTU size) that are available in
# the output buffer. The default is low to improve latency.
# Setting it higher will improve throughput.
output-buffer = 10
route = 192.168.1.0/255.255.255.0
#route = 116.251.0.0/255.255.0.0
#route = 192.168.5.0/255.255.255.0
# Configuration files that will be applied per user connection or
# per group. Each file name on these directories must match the username
# or the groupname.
# The options allowed in the configuration files are dns, nbns,
# ipv?-network, ipv?-netmask, ipv6-prefix, rx/tx-per-sec, iroute and route.
#
# Note that the 'iroute' option allows to add routes on the server
# based on a user or group. The syntax depends on the input accepted
# by the commands route-add-cmd and route-del-cmd (see below).
config-per-user = /etc/ocserv/config-per-user/
config-per-group = /etc/ocserv/config-per-group/
# The system command to use to setup a route. %R will be replaced with the
# route/mask and %D with the (tun) device.
#
# The following example is from linux systems. %R should be something
# like 192.168.2.0/24 (so iroute in this system has different syntax than route)
route-add-cmd = "ip route add %R dev %D"
route-del-cmd = "ip route delete %R dev %D"
#
# The following options are for (experimental) AnyConnect client
# compatibility.
# Client profile xml. A sample file exists in doc/profile.xml.
# This file must be accessible from inside the worker's chroot.
# The profile is ignored by the openconnect client.
#user-profile = profile.xml
# Unless set to false it is required for clients to present their
# certificate even if they are authenticating via a previously granted
# cookie. Legacy CISCO clients do not do that, and thus this option
# should be set for them.
cisco-client-compat = true
#Advanced options
# Option to allow sending arbitrary custom headers to the client after
# authentication and prior to VPN tunnel establishment.
#custom-header = "X-My-Header: hi there”
==================================
Any help will be appreciated!
More information about the openconnect-devel
mailing list