Support for Symantec VIP Access.
Daniel Lenski
dlenski at gmail.com
Thu Jan 14 13:48:08 EST 2021
On Thu, Jan 14, 2021 at 12:23 AM Fung Chai Lim
<fungchai.lim at kaisquare.com> wrote:
> I run the following on a host running RebornOS (archlinux):
>
> echo MY-SECRET-PASSWD | sudo openconnect -v \
> -u USER-NAME \
> --protocol=anyconnect \
> --passwd-on-stdin \
> --token-mode=totp \
> --token-secret=abcdefgh,302425 \
> VPN-SERVER
>
> My VIP Access app has Credential ID of "SYMC abcd efgh". When I ran
> the above command, the app was showing 302425. Not sure if I have
> correctly entered the token-secret.
Thanks, this is clarifying.
The --token-secret is neither the credential ID, nor the number shown
in the app. From the manual
(https://www.infradead.org/openconnect/manual.html):
--token-secret={ SECRET[,COUNTER] | @FILENAME }
The secret to use when generating one-time passwords/verification
codes. Base 32-encoded TOTP/HOTP secrets can be used by
specifying "base32:" at the beginning of the secret, and for
HOTP secrets the token counter can be specified following a
comma.
Unless you have used python-vipaccess
(https://github.com/dlenski/python-vipaccess) to provision your token,
you do not have access to the secret.
You'll need to enter your password and token interactively:
sudo openconnect -v -u USER-NAME --protocol=anyconnect VPN-SERVER
> Where can I get the CSD hostscan application?
Looks like you found csd-wrapper.sh. You almost certainly DON'T want
to run this. This will cause your Linux box to download a black-box
binary Trojan. In addition to being insecure, the Linux versions of
the Trojan are broken messes. It appears that's what you ran into.
You should try csd-post.sh, which *emulates* the behavior of the
Trojan, and is part of the OpenConnect distribution in all modern
versions. More info: https://www.infradead.org/openconnect/csd.html
Add `--csd-wrapper /path/to/csd-post.sh` to the command line.
> BTW, I ran credmgr.msc on my Windows laptop and found that my private
> key is non-exportable. Will this be a problem? Do I need the private
> key in order to use openconnect to log into my vpn server?
I don't think you've gotten far enough in the authentication process
to tell if the server will reject your authentication due to missing
certificate… but yeah, it'll probably be necessary.
There are a few tools to export "non-exportable" cert+PK on Windows.
See my answer at https://stackoverflow.com/a/3973637/20789
-Dan
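To illustrate the distinction Dan draws above, here is an added example (not from this thread or the OpenConnect project) that implements RFC 4226 HOTP / RFC 6238 TOTP in Python and parses the "SECRET[,COUNTER]" / "base32:" syntax from the manual excerpt: the 6-digit code is derived from the secret and the time or counter, so neither the credential ID nor the number shown in the app can stand in for it. Assumptions: HMAC-SHA1, 6 digits, a 30-second period, and a secret without the "base32:" prefix taken as raw ASCII key bytes.

```python
import base64
import hmac
import struct
import time
from hashlib import sha1
from typing import Optional, Tuple

def parse_token_secret(arg: str) -> Tuple[bytes, Optional[int]]:
    """Parse an openconnect-style --token-secret value "SECRET[,COUNTER]".
    "base32:" marks a Base32 secret; anything else is taken as raw ASCII
    bytes (an assumption for this example). Returns (key, counter)."""
    secret, _, counter = arg.partition(",")
    if secret.startswith("base32:"):
        b32 = secret[len("base32:"):].upper().replace(" ", "")
        b32 += "=" * (-len(b32) % 8)          # restore stripped '=' padding
        key = base64.b32decode(b32)
    else:
        key = secret.encode()
    return key, (int(counter) if counter else None)

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer and reduction to `digits`."""
    mac = hmac.new(key, struct.pack(">Q", counter), sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key: bytes, at: Optional[int] = None, period: int = 30,
         digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    now = int(time.time()) if at is None else at
    return hotp(key, now // period, digits)

def code_for(arg: str, at: Optional[int] = None) -> str:
    """The code a client would send for a --token-secret argument:
    HOTP when a counter is given, TOTP otherwise."""
    key, counter = parse_token_secret(arg)
    return hotp(key, counter) if counter is not None else totp(key, at)

if __name__ == "__main__":
    # RFC 6238 reference key "12345678901234567890" in Base32 (test vector,
    # not a real token): the displayed code depends on the clock, not the
    # other way round, which is why the code cannot replace the secret.
    b32_key = "base32:GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print("TOTP now:", code_for(b32_key))
    print("HOTP counter 0:", code_for("12345678901234567890,0"))
```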