Connecting with Linux when the CSD is available

Andrew Falk falk0069 at gmail.com
Sun Dec 6 18:15:52 PST 2015


Antonio,

I completely buy that the admins got lazy and just removed the binary.  Here is the complete output with the company name scrubbed:

falkand at lubuntu1510:~$ openconnect --csd-user=$USER  -v --no-cert-check --no-xmlpost --csd-wrapper=/etc/csd-wrapper.sh vpn.company.com/trusted
GET https://vpn.company.com/trusted
Attempting to connect to server 208.72.8.10:443
SSL negotiation with vpn.company.com
Connected to HTTPS on vpn.company.com
Got HTTP response: HTTP/1.0 302 Temporary moved
Set-Cookie: tg=0trusted; path=/; secure
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Mon, 07 Dec 2015 01:54:25 GMT
X-Frame-Options: SAMEORIGIN
Location: /+webvpn+/index.html
HTTP body length:  (0)
GET https://vpn.company.com/+webvpn+/index.html
SSL negotiation with vpn.company.com
Connected to HTTPS on vpn.company.com
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Frame-Options: SAMEORIGIN
X-Transcend-Version: 1
HTTP body chunked (-2)
GET https://vpn.company.com/CACHE/sdesktop/install/binaries/sfinst
Got HTTP response: HTTP/1.1 404 Not Found (does not exist)
X-Transcend-Version: 1
HTTP body http 1.0 (-1)
Cannot receive HTTP 1.0 body without closing connection
Failed to obtain WebVPN cookie

I can provide the full URL to you directly via email if you want but I'd rather it not be saved in the archives via this distro list.

I'll give your patches a shot and see how they work for me.  Thanks for putting them together.

As for breaking backwards compatibility, that probably isn't a good idea; however, I selfishly would love it.  The reason is that I have not figured out a way to force NetworkManager to pass custom command line arguments.  So if I try setting up the GUI interface, it dies at the CSD download every time.  Perhaps as a compromise, could openconnect log the error and continue even though it failed to download it?

Thanks

--Andy

-----Original Message-----
From: Antonio Borneo [mailto:borneo.antonio at gmail.com] 
Sent: Sunday, December 6, 2015 2:08 AM
To: Andrew Falk
Cc: David Woodhouse; OpenConnect devel
Subject: Re: Connecting with Linux when the CSD is available

On Sat, Dec 5, 2015 at 10:24 AM, Andrew Falk <falk0069 at gmail.com> wrote:
> Hello openconnect team,
>
> Here is a quick summary of what I've sent previously:
>
> My company doesn't official support Linux when connecting to a Cisco 
> Anywhere VPN.  I'm told if I can get it to work, it is fine, but they 
> are not going to support me.  So, what I've done is I referenced this 
> thread between David and Fromzy:
> (switch to http)
> hxxp://openconnect-devel.infradead.narkive.com/HaRKFi2f/csd-use-and-impossible-to-connect-linux
>
> The problem I was having is openconnect would fail to continue if the 
> CSD could not be downloaded.  This is what the log showed:
> GET hxxps://vpn.company.com/CACHE/sdesktop/install/binaries/sfinst
> Got HTTP response: HTTP/1.1 404 Not Found (does not exist)
> X-Transcend-Version: 1
> HTTP body http 1.0 (-1)
> Cannot receive HTTP 1.0 body without closing connection
> Failed to obtain WebVPN cookie
>

Hi Andy,

I think there is a misconfiguration on server side.
Server reports that it supports Linux and that the relevant trojan is at the URI above.
But then the trojan has not been installed on the server and openconnect fails to retrieve it.
This is a quite common misconfiguration. Lazy admins simply remove the binary to prevent login from unsupported OS, skipping the "hard work"
of editing the configuration.

If you can send me the server name or, if you prefer hiding the server name, the complete log before the error then I could check if I'm right.

> I originally modified the code directly to skip the download but later 
> found out that I could simply use "os=android" on the command line.  
> Once I got

As a side effect of using --os=android you force openconnect NOT to retrieve the (missing) trojan, so you get it working.

> past that I ended up using sslsplit and capturing a windows session 
> connecting.  I then basically ran Curl in the wrapper script using 
> these post values:
>
> run_curl --data-ascii @- "https://$CSD_HOSTNAME/+CSCOE+/sdesktop/scan.xml?reusebrowser=1" <<-END
> endpoint.policy.location="Default";
> endpoint.enforce="success";
> endpoint.fw["MSWindowsFW"]={};
> endpoint.fw["MSWindowsFW"].exists="true";
> endpoint.fw["MSWindowsFW"].enabled="ok";
> endpoint.as["MicrosoftAS"]={};
> endpoint.as["MicrosoftAS"].exists="true";
> endpoint.as["MicrosoftAS"].activescan="ok";
> endpoint.av["MicrosoftAV"]={};
> endpoint.av["MicrosoftAV"].exists="true";
> endpoint.av["MicrosoftAV"].activescan="ok";
> END
>
> I got two other co-workers hooked up this way as well and we are all 
> successfully able to connect now.  I'm having my co-workers use the 
> "--os=android" flag, but I question whether this isn't going to lead to 
> other issues in the future.  All I want to do is continue if the CSD 
> failed to download or skip it altogether.
>
> What I'd like to eventually do is put together a tutorial for other 
> Linux users who are stuck.  I spent a long time getting this to work 
> and I think others might find it useful.
>
> My next goal is to get this to work with network-manager but I'm still 
> stuck on how to correctly update the version of openconnect it uses 
> and how to pass in optional commandline arguments.
>
> For now do you think it would make sense to add in a new commandline 
> argument?  Maybe something like "--csd-skip-download"?  I'm fine 
> continuing to use "--os=android", but it seems a bit odd.

Agree with you!
A command line flag e.g. "--csd-skip-download" will clearly work in case of misconfigured server, like your case.
The same flag will be useful with CSD wrappers that don't use the binary trojan, which I think is the majority of use cases; skipping the trojan download will speed up the login process on slow connections.

Today the wrapper receives the trojan binary as its first command line argument. With "--csd-skip-download" we should replace this first argument with the trojan URI, so the wrapper can decide what to do with it.

I'm going to send a patch series for this. If you can test them, I would be glad to have your comments.

The above patches keep backward compatibility with current openconnect.
If we want to make it simpler, we can break backward compatibility and automatically skip the trojan download when a wrapper is used. No "--csd-skip-download" is needed. The wrapper will always receive the trojan URI so it can download the trojan if it needs to. Don't know if it would be acceptable.

Best Regards,
Antonio
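
A small diagnostic for the misconfiguration Antonio describes, added here as an example and not part of openconnect or this thread: it scans an `openconnect -v` log for a GET of a trojan under /CACHE/sdesktop/install/binaries/ that the server answers with 404, followed by "Failed to obtain WebVPN cookie", and prints the advertised URI so an admin can see what the server claims to offer. The sample log below is constructed from the abridged log quoted earlier in the thread.

```shell
#!/bin/sh
# csd_missing_trojan LOGFILE...  (or stdin)
# Prints the CSD trojan URI the server advertised but could not serve (HTTP 404)
# and returns 0; returns 1 when the log does not show that signature.
# Added diagnostic; the openconnect log lines matched are those visible in
# the verbose output quoted in this thread.
csd_missing_trojan() {
    awk '
        # Remember the last GET for a CSD binary under /CACHE/sdesktop/...
        /^GET .*\/CACHE\/sdesktop\/install\/binaries\// { uri = $2; next }
        # That GET answered with 404: the server advertises a trojan it lacks
        uri != "" && /^Got HTTP response: .* 404 / { missing = uri; uri = ""; next }
        # Any other status for the pending GET means the binary was served
        /^Got HTTP response:/ { uri = "" }
        # openconnect giving up right after the 404 completes the signature
        missing != "" && /Failed to obtain WebVPN cookie/ { print missing; found = 1; exit }
        END { exit found ? 0 : 1 }
    ' "$@"
}

# Constructed sample, abridged from the log quoted above (company name scrubbed).
SAMPLE_LOG='GET https://vpn.company.com/trusted
Got HTTP response: HTTP/1.0 302 Temporary moved
Location: /+webvpn+/index.html
GET https://vpn.company.com/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
GET https://vpn.company.com/CACHE/sdesktop/install/binaries/sfinst
Got HTTP response: HTTP/1.1 404 Not Found (does not exist)
HTTP body http 1.0 (-1)
Cannot receive HTTP 1.0 body without closing connection
Failed to obtain WebVPN cookie'

# Constructed counter-example: same server with the binary actually installed.
OK_LOG='GET https://vpn.company.com/CACHE/sdesktop/install/binaries/sfinst
Got HTTP response: HTTP/1.1 200 OK
Connected to HTTPS on vpn.company.com'

# Typical use: openconnect -v ... 2>&1 | tee oc.log; csd_missing_trojan oc.log
```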
