Connecting with Linux when the CSD is available

Antonio Borneo borneo.antonio at gmail.com
Sun Dec 6 00:08:27 PST 2015


On Sat, Dec 5, 2015 at 10:24 AM, Andrew Falk <falk0069 at gmail.com> wrote:
> Hello openconnect team,
>
> Here is a quick summary of what I've sent previously:
>
> My company doesn't officially support Linux when connecting to a Cisco
> Anywhere VPN.  I'm told if I can get it to work, it is fine, but they are
> not going to support me.  So, what I've done is I referenced this thread
> between David and Fromzy:
> (switch to http)
> hxxp://openconnect-devel.infradead.narkive.com/HaRKFi2f/csd-use-and-impossible-to-connect-linux
>
> The problem I was having is openconnect would fail to continue if the CSD
> could not be downloaded.  This is what the log showed:
> GET hxxps://vpn.company.com/CACHE/sdesktop/install/binaries/sfinst
> Got HTTP response: HTTP/1.1 404 Not Found (does not exist)
> X-Transcend-Version: 1
> HTTP body http 1.0 (-1)
> Cannot receive HTTP 1.0 body without closing connection
> Failed to obtain WebVPN cookie
>

Hi Andy,

I think there is a misconfiguration on server side.
Server reports that it supports Linux and that the relevant trojan is
at the URI above.
But then the trojan has not been installed on the server and
openconnect fails to retrieve it.
This is a quite common misconfiguration. Lazy admins simply remove the
binary to prevent login from unsupported OS, skipping the "hard work"
of editing the configuration.

If you can send me the server name or, if you prefer hiding the server
name, the complete log before the error then I could check if I'm
right.

> I originally directly modified the code to skip the download but later found
> out that I could simply use "os=android" on the command line.  Once I got

As a side effect of using --os=android you force openconnect to NOT
retrieve the (missing) trojan, so you get it working.

> past that I ended up using sslsplit and capturing a windows session
> connecting.  I then basically ran Curl in the wrapper script using these
> post values:
>
> run_curl --data-ascii @-
> "https://$CSD_HOSTNAME/+CSCOE+/sdesktop/scan.xml?reusebrowser=1" <<-END
> endpoint.policy.location="Default";
> endpoint.enforce="success";
> endpoint.fw["MSWindowsFW"]={};
> endpoint.fw["MSWindowsFW"].exists="true";
> endpoint.fw["MSWindowsFW"].enabled="ok";
> endpoint.as["MicrosoftAS"]={};
> endpoint.as["MicrosoftAS"].exists="true";
> endpoint.as["MicrosoftAS"].activescan="ok";
> endpoint.av["MicrosoftAV"]={};
> endpoint.av["MicrosoftAV"].exists="true";
> endpoint.av["MicrosoftAV"].activescan="ok";
> END
>
> I got two other co-workers hooked up this way as well and we are all
> successfully able to connect now.  I'm having my co-workers use the
> "--os=android" flag, but I question if this isn't going to lead to other
> issues in the future.  All I want to do is continue if the CSD failed to
> download or skip it altogether.
>
> What I'd like to eventually do is put together a tutorial for other Linux
> users who are stuck.  I spent a long time getting this to work and I think
> others might find it useful.
>
> My next goal is to get this to work with network-manager but I'm still stuck
> on how to correctly update the version of openconnect it uses and how to
> pass in optional commandline arguments.
>
> For now do you think it would make sense to add in a new commandline
> argument?  Maybe something like "--csd-skip-download"?  I'm fine continuing
> to use "--os=android", but it seems a bit odd.

Agree with you!
A command line flag, e.g. "--csd-skip-download", will clearly work in
the case of a misconfigured server, like yours.
The same flag will be useful with CSD wrappers that don't use the
binary trojan, which I think is the majority of use cases; skipping
the trojan download will speed up the login process on slow
connections.

Today the wrapper receives the trojan binary as the first command line
argument. With "--csd-skip-download" we should replace this first
argument with the trojan URI, so the wrapper can decide what to do with
it.

I'm going to send a patch series for this. If you can test them, I
would be glad to have your comments.

The above patches keep backward compatibility with the current openconnect.
If we want to make it simpler, we can break backward compatibility
and automatically skip the trojan download when a wrapper is used. No
"--csd-skip-download" is needed. The wrapper will always receive the
trojan URI so it can download the trojan if it needs to. I don't know if
it would be acceptable.

Best Regards,
Antonio
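The misconfiguration Antonio describes above (the server advertises a CSD trojan URI for the client OS, but the binary was never installed, so the fetch returns 404 and the login aborts) can be recognised mechanically from an openconnect verbose log. The following is an added example, not code from this thread or from the openconnect project: it pairs each `GET` of a CSD binary with the HTTP status of the response that follows it and returns a verdict. The log is constructed after the lines Andrew quoted, with a placeholder hostname; the function names `find_csd_fetches` and `diagnose_csd` are assumptions of this example.

```python
"""Classify the CSD failure mode from an openconnect verbose log."""
import re

# Constructed sample log, modelled on the lines quoted in the thread.
# The hostname is a placeholder, not a real server.
SAMPLE_LOG = """\
Got CONNECT response: HTTP/1.1 200 OK
GET https://vpn.example.com/CACHE/sdesktop/install/binaries/sfinst
Got HTTP response: HTTP/1.1 404 Not Found
X-Transcend-Version: 1
HTTP body http 1.0 (-1)
Cannot receive HTTP 1.0 body without closing connection
Failed to obtain WebVPN cookie
"""

# openconnect prints the request as "GET <uri>" and the reply status as
# "Got HTTP response: <status line>".
GET_RE = re.compile(r"^GET (\S+)$")
RESP_RE = re.compile(r"^Got HTTP response: HTTP/\d\.\d (\d{3})")

# Path under which the ASA serves the per-OS CSD binaries (from the quoted log).
TROJAN_PATH = "/CACHE/sdesktop/install/binaries/"


def find_csd_fetches(log_text):
    """Return [(uri, status)] for every CSD binary request that got a reply.

    A GET for a non-CSD URI resets the pending request, so a status line is
    never attributed to the wrong fetch.
    """
    results = []
    pending = None
    for line in log_text.splitlines():
        m = GET_RE.match(line)
        if m:
            uri = m.group(1)
            pending = uri if TROJAN_PATH in uri else None
            continue
        m = RESP_RE.match(line)
        if m and pending is not None:
            results.append((pending, int(m.group(1))))
            pending = None
    return results


def diagnose_csd(log_text):
    """Map the last CSD fetch in the log to a short verdict code.

    "csd-binary-missing": the server advertised a trojan URI but does not
        serve it (404), i.e. the misconfiguration discussed in the thread.
    "csd-binary-served":  the binary was fetched; the failure lies elsewhere.
    "no-csd-fetch":       the log shows no CSD download attempt at all
        (for example when --os=android made openconnect skip it).
    """
    fetches = find_csd_fetches(log_text)
    if not fetches:
        return "no-csd-fetch"
    _uri, status = fetches[-1]
    if status == 404:
        return "csd-binary-missing"
    if status == 200:
        return "csd-binary-served"
    return "csd-http-%d" % status


if __name__ == "__main__":
    for uri, status in find_csd_fetches(SAMPLE_LOG):
        print("%s -> %d" % (uri, status))
    print(diagnose_csd(SAMPLE_LOG))
```

Run it against a real log captured with `openconnect -v`; a "csd-binary-missing" verdict is the case where the server side, not the client, needs fixing, and it is the situation in which skipping the download (today via `--os=android`, or via the proposed flag) is the right client-side workaround.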


