Juniper VPN issues
O'Connor, Daniel
darius at dons.net.au
Mon May 9 06:17:04 PDT 2016
> On 9 May 2016, at 18:05, David Woodhouse <dwmw2 at infradead.org> wrote:
> On Mon, 2016-05-09 at 17:57 +0930, O'Connor, Daniel wrote:
>>
>> The default route is definitely set to the VPN, and I do see traffic
>> flowing over to it but no reply.
>
> What services? Do you even get a SYNACK in response to outgoing SYN
> packets? If so, and it's just *data* that fails, try reducing the MTU
> on the 'tun0' interface?
No, no ACK :(
> It sounds like a firewall or something is preventing your traffic. Are
> you connecting to the *same* services that work with the NC client?
I have a link in my Lotus Notes client (seriously...) that goes to the same URL I put into OpenConnect.
> Do you definitely end up with actual IP routing? Can you do a similar
> capture with that client and see what's different?
>
> Or are you perhaps using it in its application proxy mode, when you do
> it through the web browser?
I definitely have IP access, I can browse shares and SSH to a box inside the network.
After connection I end up at:
https://vpnhost/dana/home/sessions.cgi
The 'network connect' button goes to this URL:
https://vpnhost/dana/nc/ncrun.cgi?launch_nc=1
It does run a rat ware program when using IE (via ActiveX I assume). If I try Chrome it wants to install Java and I haven't tried that yet.
If I connect with OpenConnect and then use Safari it dumps me out to the login page; some viewing of the page source shows that it blocks Macs on purpose (probably a mod by the IT dept..?).
Even using IE (in a VM on OSX) gets booted back to the login page so I wondered if it needed the DSID cookie set. I had a quick go with py-mechanize and I could fetch the Network Connect page after setting DSID, DSASSERTREF and DSFirstAccess (cribbed from OC debug output).
I've run out of time to do more on it tonight - I'll have to try again later.
Thanks for the help so far :)
--
Daniel O'Connor
"The nice thing about standards is that there
are so many of them to choose from."
-- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
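A small diagnostic, added here and not taken from the thread or from the OpenConnect project, that replays the three session cookies named in the message (DSID, DSASSERTREF, DSFirstAccess) against the Network Connect launch URL and reports whether the server serves the page or bounces the request elsewhere (typically back to the login page). The host name and cookie values are placeholders; real ones come from your own OpenConnect debug output.

```python
import http.cookiejar
import urllib.request
from urllib.parse import urlparse

# Placeholder host and cookie values (constructed, not real session material).
VPN_HOST = "vpnhost"
NC_URL = f"https://{VPN_HOST}/dana/nc/ncrun.cgi?launch_nc=1"
SESSION_COOKIES = {
    "DSID": "PLACEHOLDER_DSID",
    "DSASSERTREF": "PLACEHOLDER_DSASSERTREF",
    "DSFirstAccess": "PLACEHOLDER_DSFIRSTACCESS",
}

def make_cookie_jar(host, cookies):
    """Build a jar whose cookies are scoped to the VPN host only, path /, HTTPS only."""
    jar = http.cookiejar.CookieJar()
    for name, value in cookies.items():
        jar.set_cookie(http.cookiejar.Cookie(
            version=0, name=name, value=value, port=None, port_specified=False,
            domain=host, domain_specified=True, domain_initial_dot=False,
            path="/", path_specified=True, secure=True, expires=None,
            discard=True, comment=None, comment_url=None, rest={}))
    return jar

def bounced_to_login(requested_url, final_url):
    """True if the server redirected away from the page we asked for."""
    req, fin = urlparse(requested_url), urlparse(final_url)
    return (req.netloc, req.path) != (fin.netloc, fin.path)

def fetch_nc_page(url=NC_URL, cookies=SESSION_COOKIES):
    """Request the NC launch page with the session cookies; return (final URL, body)."""
    jar = make_cookie_jar(urlparse(url).hostname, cookies)
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    with opener.open(url, timeout=20) as resp:
        return resp.geturl(), resp.read()

if __name__ == "__main__":
    final_url, body = fetch_nc_page()
    if bounced_to_login(NC_URL, final_url):
        print("redirected to", final_url, "- session cookies were not accepted")
    else:
        print("got Network Connect page,", len(body), "bytes")
```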