Support for Symantec VIP Access.
Daniel Lenski
dlenski at gmail.com
Tue Jan 19 13:58:00 EST 2021
On Tue, Jan 19, 2021 at 7:58 AM Fung Chai Lim
<fungchai.lim at kaisquare.com> wrote:
> sudo openconnect -v \
> -u USER-NAME \
> --protocol=anyconnect \
> --token-mode=totp \
> --token-secret=base32:SECRET-FROM-DOT-VIPACCESS \
> --csd-user=nobody \
> --csd-wrapper=/usr/lib/openconnect/csd-post.sh \
> --setuid=nobody \
> VPN-SERVER
No need for the `--csd-user` and `--setuid` options here, since the
csd-post.sh script doesn't actually invoke the Trojan binary, but
that's fine.
> I think I need to add the --certificate and --sslkey flags. What is
> the syntax for them? I have managed to extract my personal credential
> from my Windows laptop. It is a pfx file. How do I extract the
> public and private keys for the -c and -k flags?
OpenConnect should be able to use .pfx files directly. The extension
.pfx is Microsoft's extension for the PKCS#12 certificate+key storage
format; it's equivalent to .p12.
The .pfx file will normally contain *both* the certificate *and* the
corresponding private key. (You only need the additional -k/--sslkey
option if the PK is in a separate file.)
Just add `-c /path/to/file.pfx` to the command line, per the manual:
https://www.infradead.org/openconnect/manual.html
-c,--certificate=CERT
Use SSL client certificate CERT which may be either a file name or,
if OpenConnect has been built with an appropriate version of GnuTLS, a
PKCS#11 URL.
> With the above command, I am able to access 2 or 3 of my company's
> portals with Microsoft Edge (Linux version). For the other portals, I
> get the error message "<server> refused to connect". Also, I am not
> able to log into my account with Microsoft Teams (Linux version). I
> think I need the public/private keys to authenticate myself for those
> portals.
Have you tried importing the certificate+key into the appropriate
browser or application? Many applications can consume PKCS12/.p12/.pfx
certs directly. If not, try converting the cert+PK to the PEM file
format, which is even more widely-accepted.
https://stackoverflow.com/questions/6819079/convert-pfx-format-to-p12
Dan
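The PKCS#12-to-PEM conversion suggested in the reply above, as an added example that is not part of the original thread. It assumes the `openssl` command-line tool is available; the client certificate, key and export password are constructed here as throwaway stand-ins for the real credential exported from Windows. Besides splitting the bundle, it checks that the extracted key really belongs to the extracted certificate, which is the first thing to verify when a portal still refuses the connection.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post or from OpenConnect.
# Builds a throwaway .pfx bundle, then splits it into PEM certificate and key
# for applications that cannot read PKCS#12 directly.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
P12_PASS="example-pass"   # constructed placeholder; use your real export password

# 1. Constructed self-signed client cert + key (stands in for the real credential).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=example-client" \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1

# 2. Bundle them into a .pfx/.p12 file, which is what a Windows export produces.
openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
  -out "$WORK/client.pfx" -passout "pass:$P12_PASS"

# pfx_to_pem BUNDLE PASSWORD OUTDIR
# Writes OUTDIR/out-cert.pem (certificate only) and OUTDIR/out-key.pem
# (unencrypted private key) from the PKCS#12 bundle.
pfx_to_pem() {
  bundle=$1; pass=$2; outdir=$3
  openssl pkcs12 -in "$bundle" -clcerts -nokeys -passin "pass:$pass" \
    -out "$outdir/out-cert.pem"
  # -nodes leaves the key unencrypted on disk, so create it with mode 0600.
  (umask 077; openssl pkcs12 -in "$bundle" -nocerts -nodes -passin "pass:$pass" \
    -out "$outdir/out-key.pem")
}

# cert_key_match CERT KEY
# Returns 0 when KEY is the private key for CERT, by comparing the public key
# embedded in the certificate with the public half derived from the key.
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

pfx_to_pem "$WORK/client.pfx" "$P12_PASS" "$WORK"
cert_key_match "$WORK/out-cert.pem" "$WORK/out-key.pem" && echo "cert and key match"

# OpenConnect can read the bundle directly with -c client.pfx; the PEM pair is
# only for applications that insist on separate files, e.g. (hypothetical host):
#   openconnect -c "$WORK/out-cert.pem" -k "$WORK/out-key.pem" VPN-SERVER
```

If a portal or client still refuses the connection after the cert and key are confirmed to match, the remaining suspects are the issuing CA chain (which `-clcerts` deliberately leaves out; drop that flag to export the chain too) and the certificate's intended usage, not the conversion itself.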