ocserv: iOS Anyconnect unexpected POST URL /VPN?

sskaje sskaje at gmail.com
Sat Dec 5 21:34:08 PST 2015


I added


   LL("/VPN", get_auth_handler, post_auth_handler),

after #ifdef ANYCONNECT_CLIENT_COMPAT

  It works well with both haproxy + socket and direct TCP access.



sskaje at gmail.com
https://sskaje.me/


On Sun, Dec 6, 2015 at 10:43 AM, sskaje <sskaje at gmail.com> wrote:
> rewriting /VPN to / works
>
> in haproxy:
>
>     acl is_vpn_prefix path_beg -i /VPN
>
>     #http-request set-path %[path] if is_vpn_prefix
>
>     reqirep POST\ /VPN POST\ / if is_vpn_prefix
>
>
>
>
> sskaje at gmail.com
> https://sskaje.me/
>
>
> On Sun, Dec 6, 2015 at 10:35 AM, sskaje <sskaje at gmail.com> wrote:
>> I sniffed full request using socat, seems to be a new URL
>>
>> POST /VPN HTTP/1.1
>> User-Agent: AnyConnect AppleSSLVPN_Darwin_ARM (iPhone) 3.0.12169
>> Host: XXX.sskaje.me
>> Accept: */*
>> Accept-Encoding: identity
>> X-Transcend-Version: 1
>> X-Transcend-Version: 1
>> X-AnyConnect-Identifier-ClientVersion: 3.0.12169
>> X-AnyConnect-Identifier-Platform: apple-ios
>> X-AnyConnect-Identifier-PlatformVersion: 9.1
>> X-AnyConnect-Identifier-DeviceType: iPhone6,2
>> X-AnyConnect-Identifier-Device-UniqueID: XXX
>> X-Aggregate-Auth: 1
>> Connection: close
>> Content-Length: 432
>> Content-Type: application/x-www-form-urlencoded
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <config-auth client="vpn" type="init">
>> <device-id platform-version="9.1" device-type="iPhone6,2"
>> unique-id="XXXXXX">apple-ios</device-id>
>> <mac-address-list>
>> <mac-address>unknown</mac-address></mac-address-list>
>> <version who="vpn">3.0.12169</version>
>> <group-select>DEFAULT</group-select>
>> <group-access>https://XXX.sskaje.me:XXXX/VPN</group-access>
>> </config-auth>
>>
>>
>>
>> sskaje at gmail.com
>> https://sskaje.me/
>>
>>
>> On Sun, Dec 6, 2015 at 3:39 AM, Kevin Cernekee <cernekee at gmail.com> wrote:
>>> On Sat, Dec 5, 2015 at 11:29 AM, Nikos Mavrogiannopoulos
>>> <n.mavrogiannopoulos at gmail.com> wrote:
>>>> On Sat, 2015-12-05 at 22:42 +0800, sskaje wrote:
>>>>> I tried both haproxy + ocserv and ocserv, same error.
>>>>> Anyone else met this?
>>>>>
>>>>> iOS 9.1, AnyConnect 3.0.12169
>>>> [...]
>>>>> ocserv[22505]: worker: 1.1.1.1 HTTP POST /VPN
>>>>> ocserv[22505]: worker: 1.1.1.1 unexpected POST URL /VPN
>>>>
>>>> Hi,
>>>>  That URL is not something ocserv handles. They must have changed their
>>>> protocol.
>>>
>>> If I configure the client to connect to e.g. "https://10.0.0.1/VPN"
>>> instead of just "https://10.0.0.1", then it will POST the initial
>>> request to /VPN.  Maybe it is just a configuration issue?
>>>
>>> IIRC, the ASA lets you set up URL aliases that autoselect a specific
>>> authgroup, which is why the user is allowed to specify a full URL
>>> instead of just a hostname.
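
The fix in the top message amounts to one more entry in the server's table of served URLs. The sketch below is an added illustration, not ocserv's code and not from the thread: an exact-match URL allow-list that rejects unlisted paths and serves the `/VPN` alias only in compat mode. The struct, `URL_ENTRY`, `lookup_handler`, the `compat_only` field and the table contents are assumptions, and a runtime flag stands in for the `ANYCONNECT_CLIENT_COMPAT` compile-time switch.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the handlers named in the thread; the bodies are placeholders. */
typedef int (*url_handler_fn)(void);
static int get_auth_handler(void)  { return 1; }
static int post_auth_handler(void) { return 2; }

/* Hypothetical route entry: compat_only marks aliases served only in compat mode. */
struct known_url {
    const char *url;
    size_t len;
    int compat_only;
    url_handler_fn get_handler;
    url_handler_fn post_handler;
};
#define URL_ENTRY(u, c, g, p) { u, sizeof(u) - 1, c, g, p }

/* Constructed table, not ocserv's real URL list. */
static const struct known_url known_urls[] = {
    URL_ENTRY("/",     0, get_auth_handler, post_auth_handler),
    URL_ENTRY("/auth", 0, get_auth_handler, post_auth_handler),
    URL_ENTRY("/VPN",  1, get_auth_handler, post_auth_handler),
};

/* Exact, case-sensitive match on the path; a query string is ignored.
 * Returns NULL for anything not listed (the "unexpected POST URL" case). */
url_handler_fn lookup_handler(const char *path, int is_post, int compat)
{
    size_t plen = strcspn(path, "?");
    for (size_t i = 0; i < sizeof(known_urls) / sizeof(known_urls[0]); i++) {
        const struct known_url *u = &known_urls[i];
        if (u->compat_only && !compat)
            continue;
        if (u->len == plen && memcmp(u->url, path, plen) == 0)
            return is_post ? u->post_handler : u->get_handler;
    }
    return NULL;
}

int main(void)
{
    const char *paths[] = { "/", "/VPN", "/VPNX", "/vpn" };  /* constructed inputs */
    for (size_t i = 0; i < 4; i++)
        printf("POST %-6s compat=0:%s compat=1:%s\n", paths[i],
               lookup_handler(paths[i], 1, 0) ? "ok" : "unexpected",
               lookup_handler(paths[i], 1, 1) ? "ok" : "unexpected");
    return 0;
}
```

Because the comparison is exact on length and bytes, adding the alias does not also admit `/VPNX` or `/vpn`.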


