Connecting with Linux when the CSD is available

Kevin Cernekee cernekee at gmail.com
Sun Dec 6 19:50:37 PST 2015


On Sun, Dec 6, 2015 at 6:52 PM, Andrew Falk <falk0069 at gmail.com> wrote:
> Hopefully, no matter what the admins configure, as long as you can get one OS to connect you can get another OS to connect by just mimicking the valid one.  The hard part is capturing the encrypted data so you can mimic it.

Yeah, this was a pain for me too.  I wound up using a combination of
stunnel 3, tcpflow, and fake DNS entries a few years ago.  There are
probably better ways.

I also noticed that if you tried to trick Windows AnyConnect into
using another IP by modifying your HOSTS file, it would quietly revert
your changes.

I wonder if it might be easier to use a modified version of ocserv
(possibly even setting up a permanent public host that anyone can use)
than to try to MITM the session between AnyConnect and your company's
VPN.  It could issue the CSD challenge and then spit out a ready-made
wrapper script matching your configuration on a web page.

FWIW, a while back somebody had success using a tweaked version of the
OpenSSL library to log AnyConnect's traffic.  This was on Linux,
though.  It might be documented in the list archives.
More information about the openconnect-devel mailing list