From abecker at sigcorp.com Mon Aug 14 08:31:15 2023
From: abecker at sigcorp.com (Anthony Becker)
Date: Mon, 14 Aug 2023 15:31:15 +0000
Subject: Unable to connect to GlobalProtect VPN
Message-ID: 

I am unable to connect to a GlobalProtect VPN. I start with the command:

eval $( ./.local/bin/gp-saml-gui grizzvpn.oakland.edu --allow-insecure-crypto )

A web form requests my username and password and sends me a Duo push. The login succeeds and gives me a cookie to use when connecting. I then enter the command:

echo $MYCOOKIE | sudo openconnect --protocol=gp --user=$MYUSERNAME --os=linux-64 --usergroup=portal:prelogin-cookie --passwd-on-stdin grizzvpn.oakland.edu

The login fails with:

POST https://grizzvpn.oakland.edu/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Attempting to connect to server 141.210.72.2:443
Connected to 141.210.72.2:443
SSL negotiation with grizzvpn.oakland.edu
Connected to HTTPS on grizzvpn.oakland.edu with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Date: Mon, 14 Aug 2023 14:33:26 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 6720
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: SESSID=83c144c4-908c-4b32-889c-3c81d660f2f6; Path=/; HttpOnly; Secure
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length:  (6720)
Destination form field prelogin-cookie was specified; assuming SAML POST authentication is complete.
Prelogin form _login: "Username: " user(TEXT)=(null), "prelogin-cookie: " prelogin-cookie(PASSWORD)
Enter login credentials
POST https://grizzvpn.oakland.edu/global-protect/getconfig.esp
Got HTTP response: HTTP/1.1 200 OK
Date: Mon, 14 Aug 2023 14:33:26 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 11407
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: SESSID=824acd3b-32ae-41a7-b8e8-e59bf37533c6; Path=/; HttpOnly; Secure
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length:  (11407)
Portal set HIP report interval to 60 minutes).
1 gateway servers available:
  OU_VPN_Gateway (grizzvpn.oakland.edu)
Please select GlobalProtect gateway.
GATEWAY: [OU_VPN_Gateway]:OU_VPN_Gateway
POST https://grizzvpn.oakland.edu/ssl-vpn/login.esp
Got HTTP response: HTTP/1.1 200 OK
Date: Mon, 14 Aug 2023 14:33:26 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 69
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: SESSID=824acd3b-32ae-41a7-b8e8-e59bf37533c6; Path=/; HttpOnly; Secure
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length:  (69)
Failed to parse server response
Response was:
  Error: Login fails (invalid session id)

Failed to complete authentication

Can you provide assistance, please?

Thanks!

Anthony Becker | Senior Consultant
Strata Information Group
M 248.563.6987  O 619.296.0170
sigcorp.com | LinkedIn | Twitter

From dlenski at gmail.com Thu Aug 17 10:21:54 2023
From: dlenski at gmail.com (Daniel Lenski)
Date: Thu, 17 Aug 2023 10:21:54 -0700
Subject: Unable to connect to GlobalProtect VPN
In-Reply-To: 
References: 
Message-ID: 

On Mon, Aug 14, 2023 at 8:31 AM Anthony Becker wrote:
>
> I am unable to connect to a GlobalProtect VPN. I start with the command:
>
> eval $( ./.local/bin/gp-saml-gui grizzvpn.oakland.edu --allow-insecure-crypto )
>
> A web form requests my username and password and sends me a Duo push. The login succeeds and gives me a cookie to use when connecting. I then enter the command:
>
> echo $MYCOOKIE | sudo openconnect --protocol=gp --user=$MYUSERNAME --os=linux-64 --usergroup=portal:prelogin-cookie --passwd-on-stdin grizzvpn.oakland.edu

Please show output of `openconnect --version`.

> The login fails with:
>
> POST https://grizzvpn.oakland.edu/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
> Attempting to connect to server 141.210.72.2:443
> Connected to 141.210.72.2:443
> SSL negotiation with grizzvpn.oakland.edu
> Connected to HTTPS on grizzvpn.oakland.edu with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
> Got HTTP response: HTTP/1.1 200 OK
> Date: Mon, 14 Aug 2023 14:33:26 GMT
> Content-Type: application/xml; charset=UTF-8
> Content-Length: 6720
> Connection: keep-alive
> Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
> Set-Cookie: SESSID=83c144c4-908c-4b32-889c-3c81d660f2f6; Path=/; HttpOnly; Secure
> X-Frame-Options: DENY
> Strict-Transport-Security: max-age=31536000;
> X-XSS-Protection: 1; mode=block
> X-Content-Type-Options: nosniff
> Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
> HTTP body length:  (6720)
> Destination form field prelogin-cookie was specified; assuming SAML POST authentication is complete.
> Prelogin form _login: "Username: " user(TEXT)=(null), "prelogin-cookie: " prelogin-cookie(PASSWORD)
> Enter login credentials
> POST https://grizzvpn.oakland.edu/global-protect/getconfig.esp
> Got HTTP response: HTTP/1.1 200 OK
> Date: Mon, 14 Aug 2023 14:33:26 GMT
> Content-Type: application/xml; charset=UTF-8
> Content-Length: 11407
> Connection: keep-alive
> Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
> Set-Cookie: SESSID=824acd3b-32ae-41a7-b8e8-e59bf37533c6; Path=/; HttpOnly; Secure
> X-Frame-Options: DENY
> Strict-Transport-Security: max-age=31536000;
> X-XSS-Protection: 1; mode=block
> X-Content-Type-Options: nosniff
> Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
> HTTP body length:  (11407)
> Portal set HIP report interval to 60 minutes).
> 1 gateway servers available:
>   OU_VPN_Gateway (grizzvpn.oakland.edu)
> Please select GlobalProtect gateway.
> GATEWAY: [OU_VPN_Gateway]:OU_VPN_Gateway
> POST https://grizzvpn.oakland.edu/ssl-vpn/login.esp
> Got HTTP response: HTTP/1.1 200 OK
> Date: Mon, 14 Aug 2023 14:33:26 GMT
> Content-Type: text/html; charset=UTF-8
> Content-Length: 69
> Connection: keep-alive
> Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
> Set-Cookie: SESSID=824acd3b-32ae-41a7-b8e8-e59bf37533c6; Path=/; HttpOnly; Secure
> X-Frame-Options: DENY
> Strict-Transport-Security: max-age=31536000;
> X-XSS-Protection: 1; mode=block
> X-Content-Type-Options: nosniff
> Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
> HTTP body length:  (69)
> Failed to parse server response
> Response was:
>   Error: Login fails (invalid session id)
>
> Failed to complete authentication
>
> Can you provide assistance, please?

I have never seen this exact error message, but it appears to be in keeping with many other flavors of what I'd call "mindless state propagation": the GlobalProtect VPN servers expect the *client* to propagate a very large number of random bits of state that the *server* really should be keeping track of on its own (and some interesting security holes result from the server not doing so).

Things to try:

1. Pretend to be running on Windows, rather than Linux. (`gp-saml-gui --clientos Windows` → `openconnect --os=win`).
2. Try bypassing the "portal" interface and going straight to the "gateway" interface of the GP VPN server. (`openconnect --usergroup=gateway:prelogin-cookie`)

From abecker at sigcorp.com Thu Aug 17 11:03:57 2023
From: abecker at sigcorp.com (Anthony Becker)
Date: Thu, 17 Aug 2023 18:03:57 +0000
Subject: [EXT] Re: Unable to connect to GlobalProtect VPN
In-Reply-To: 
References: 
Message-ID: 

Hi Daniel,

Here is the openconnect version output:

sshuser at oakvpn:~$ openconnect --version
OpenConnect version v8.20-1
Using GnuTLS 3.7.3. Features present: TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse, f5, fortinet, array
Default vpnc-script (override with --script): /usr/share/vpnc-scripts/vpnc-script

Neither "--clientos=Windows" nor "--usergroup=gateway:prelogin-cookie" worked for me; I received the same error messages as before.

Anthony Becker
Senior Consultant
Strata Information Group
M 248.563.6987  O 619.296.0170
From dlenski at gmail.com Mon Aug 21 14:19:48 2023
From: dlenski at gmail.com (Daniel Lenski)
Date: Mon, 21 Aug 2023 14:19:48 -0700
Subject: [EXT] Re: Unable to connect to GlobalProtect VPN
In-Reply-To: 
References: 
Message-ID: 

On Thu, Aug 17, 2023 at 11:04 AM Anthony Becker wrote:
> Hi Daniel,
>
> Here is the openconnect version output:
>
> sshuser at oakvpn:~$ openconnect --version
> OpenConnect version v8.20-1
> Using GnuTLS 3.7.3. Features present: TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
> Supported protocols: anyconnect (default), nc, gp, pulse, f5, fortinet, array
> Default vpnc-script (override with --script): /usr/share/vpnc-scripts/vpnc-script
>
> Neither "--clientos=Windows" nor "--usergroup=gateway:prelogin-cookie" worked for me; I received the same error messages as before.

Got it. Subsequent to the v8.20 release, we've made several small improvements to the GlobalProtect authentication-handling code. In particular, https://gitlab.com/openconnect/openconnect/-/commit/51586b29.

14:15 $ git log --decorate=no --oneline v8.20..v9.12 auth-globalprotect.c
https://gitlab.com/openconnect/openconnect/-/commit/bf4338c6 Ignore blank labels sent in GlobalProtect prelogin
https://gitlab.com/openconnect/openconnect/-/commit/c0d2daea Save GlobalProtect version reported by portal and parrot it back as client version
https://gitlab.com/openconnect/openconnect/-/commit/27284f83 Prevent crash on unexpected response for GlobalProtect portal prelogin XML
https://gitlab.com/openconnect/openconnect/-/commit/ce214b87 Expand comment about potentially-useful information in GP portal configuration
https://gitlab.com/openconnect/openconnect/-/commit/9164e21e Clearer error message when GlobalProtect portal configuration contains no gateways at all
https://gitlab.com/openconnect/openconnect/-/commit/51586b29 GP: add 'internal=no' flag to the login and configuration requests
https://gitlab.com/openconnect/openconnect/-/commit/07386df8 No embedded URLs in translatable strings
https://gitlab.com/openconnect/openconnect/-/commit/c58464a8 Declare C string constants using array syntax
https://gitlab.com/openconnect/openconnect/-/commit/ff13a983 GP SAML: support legacy workflow
https://gitlab.com/openconnect/openconnect/-/commit/3d0a3247 GP SAML: handle redirect case
https://gitlab.com/openconnect/openconnect/-/commit/a287bc00 GP SAML: fix some memory handling
https://gitlab.com/openconnect/openconnect/-/commit/c4c813ec start adding GP SSO support

There's no guarantee that any of this will make a difference for your issue (as I said before, I haven't seen that exact error message), but I would still recommend building and testing OpenConnect v9.12. Please let us know if you get same/different results with v9.12.
Daniel

From dave at collaboration.cafe Tue Aug 22 07:14:58 2023
From: dave at collaboration.cafe (David Nelson)
Date: Tue, 22 Aug 2023 17:14:58 +0300
Subject: How to disconnect from OpenConnect VPN
Message-ID: <47a2289ecd8f0d33b590a039bfe4760c@collaboration.cafe>

Hello,

First of all, thank you for your work on OpenConnect VPN.

I can successfully connect to my OpenConnect server using the openconnect client on Ubuntu 22.04.

But how can I disconnect? I don't see anything in the help obtained via openconnect --help

Googling only informed me that I could simply kill the openconnect client process.

Is there a more-civilized way of doing it from the command line, please?

-- 
With all best wishes,
Dave

From abecker at sigcorp.com Tue Aug 22 07:41:20 2023
From: abecker at sigcorp.com (Anthony Becker)
Date: Tue, 22 Aug 2023 14:41:20 +0000
Subject: [EXT] Re: Unable to connect to GlobalProtect VPN
In-Reply-To: 
References: 
Message-ID: <29E138C9-DB51-4158-8D47-97EB56C6FF2D@sigcorp.com>

Hi Daniel,

Thank you for the follow up. My most recent attempt to connect to this VPN was NOT successful. I've included more verbose output in case it will help. I've hidden my cookie and userid values.

First, I downloaded and built the most recent version of openconnect:

sshuser at oakvpn:~$ /vpn/openconnect-master/openconnect --version
OpenConnect version v9.12-unknown
Using GnuTLS 3.7.3. Features present: PKCS#11, HOTP software token, TOTP software token, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse, f5, fortinet, array
Default vpnc-script (override with --script): /usr/share/vpnc-scripts/vpnc-script

Next, I ran gp-saml-gui to collect my credentials. Since I am connecting to a gateway, I tried the gateway option first:

sshuser at oakvpn:~$ eval $( ./.local/bin/gp-saml-gui --gateway --allow-insecure-crypto --verbose --clientos=Windows grizzvpn.oakland.edu )
Looking for SAML auth tags in response to https://grizzvpn.oakland.edu/ssl-vpn/prelogin.esp...
usage: gp-saml-gui [-h] [--no-verify] [-C COOKIES | -K] [-g | -p] [-c CERT] [--key KEY] [-v | -q] [-x | -P | -S] [-u] [--clientos {Mac,Windows,Linux}] [-f EXTRA] [--allow-insecure-crypto] [--user-agent USER_AGENT] server [openconnect_extra ...]
gp-saml-gui: error: Gateway prelogin response does not contain SAML tags ( or missing)

Things to try:
1) Spoof an officially supported OS (e.g. --clientos=Windows or --clientos=Mac)
2) Check in browser: https://grizzvpn.oakland.edu/ssl-vpn/prelogin.esp?tmp=tmp&kerberos-support=yes&ipv6-support=yes&clientVer=4100&clientos=Windows

That did not work. Here is what the browser returned from that URL:

Success false yes Enter login credentials Username Password 1 yes no US

Then I switched to the portal option:

sshuser at oakvpn:~$ eval $( ./.local/bin/gp-saml-gui --portal --allow-insecure-crypto --verbose --clientos=Windows grizzvpn.oakland.edu )
Looking for SAML auth tags in response to https://grizzvpn.oakland.edu/global-protect/prelogin.esp...
Got SAML POST, opening browser...
[REQUEST] Request for resource about:blank
Traceback (most recent call last):
  File "/home/sshuser/.local/lib/python3.10/site-packages/gp_saml_gui.py", line 127, in on_load_changed
    ct = h.get_content_type()
AttributeError: 'NoneType' object has no attribute 'get_content_type'
[REQUEST] POST for resource https://sso.oakland.edu/idp/profile/SAML2/POST/SSO
[REQUEST] GET for resource https://sso.oakland.edu/idp/css/main.css
[REQUEST] GET for resource https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js
[REQUEST] GET for resource https://ajax.googleapis.com/ajax/libs/jqueryui/1.12.1/jquery-ui.min.js
[REQUEST] GET for resource https://sso.oakland.edu/idp/images/oulogo.png
[PAGE   ] Finished loading page https://sso.oakland.edu/idp/profile/SAML2/POST/SSO?execution=e1s1
[SAML   ] No headers in response, searching body for xml comments
[SAML   ] Found comment in response body: ' end container div '
[SAML   ] Found comment in response body: ' end cas-header header '
[SAML   ] Found comment in response body: ' Login form '
[SAML   ] Finished parsing response body for https://sso.oakland.edu/idp/profile/SAML2/POST/SSO?execution=e1s1
[REQUEST] POST for resource https://sso.oakland.edu/idp/profile/SAML2/POST/SSO?execution=e1s1
[REQUEST] GET for resource https://api-da6f62f9.duosecurity.com/frame/static/css/v3/base.css?v=39c22
[REQUEST] GET for resource https://api-da6f62f9.duosecurity.com/frame/static/shared/lib/plugin-detect/plugin-detect.min.css?v=01376
[REQUEST] GET for resource https://api-da6f62f9.duosecurity.com/frame/static/shared/lib/jquery/jquery-prologue.js?v=400dc
[REQUEST] GET for resource https://api-da6f62f9.duosecurity.com/frame/static/shared/lib/jquery/jquery.min.js?v=ff152
[REQUEST] GET for resource https://api-da6f62f9.duosecurity.com/frame/static/js/lib/jquery-postmessage.min.js?v=98c73
[REQUEST] GET for resource https://api-da6f62f9.duosecurity.com/frame/static/shared/lib/plugin-detect/plugin-detect.min.js?v=6a394
[REQUEST] GET for resource https://api-da6f62f9.duosecurity.com/frame/static/js/page/preauth.js?v=154e6
[REQUEST] GET for resource https://api-da6f62f9.duosecurity.com/frame/static/shared/lib/jquery/jquery-epilogue.js?v=c4ac5
[PAGE   ] Finished loading page https://api-da6f62f9.duosecurity.com/frame/frameless/v4/auth?sid=frameless-bde1f720-5509-4af0-9c20-6ea786bba8ee&tx=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJkdW9fdW5hbWUiOiJzaWdfYWJlY2tlciIsInNjb3BlIjoib3BlbmlkIiwicmVzcG9uc2VfdHlwZSI6ImNvZGUiLCJyZWRpcmVjdF91cmkiOiJodHRwczpcL1wvc3NvLm9ha2xhbmQuZWR1XC9pZHBcL3Byb2ZpbGVcL0F1dGhuXC9EdW9cLzJGQVwvZHVvLWNhbGxiYWNrIiwic3RhdGUiOiJlZjQ3NDgzZThkOGIyNTkwNjRhNjM2ODUxMjQzZGIzYS42NTMxNzMzMiIsImV4cCI6MTY5MjcxNjc3MCwiY2xpZW50X2lkIjoiRElIVk80M1Q2QzhTTFRLUUhLSEkifQ.u1Wx6uocGc5k50Hh3f6RUNPnafokZlxAAsS_yIXLtzF2GwR1SuzapuVzatajhrfZyM9ITm2txoplj-m0DTYyMQ
[SAML   ] No headers in response, searching body for xml comments
[SAML   ] Found comment in response body: ' CSS '
[SAML   ] Found comment in response body: ' Javascript '
[SAML   ] Finished parsing response body for https://api-da6f62f9.duosecurity.com/frame/frameless/v4/auth?sid=frameless-bde1f720-5509-4af0-9c20-6ea786bba8ee&tx=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJkdW9fdW5hbWUiOiJzaWdfYWJlY2tlciIsInNjb3BlIjoib3BlbmlkIiwicmVzcG9uc2VfdHlwZSI6ImNvZGUiLCJyZWRpcmVjdF91cmkiOiJodHRwczpcL1wvc3NvLm9ha2xhbmQuZWR1XC9pZHBcL3Byb2ZpbGVcL0F1dGhuXC9EdW9cLzJGQVwvZHVvLWNhbGxiYWNrIiwic3RhdGUiOiJlZjQ3NDgzZThkOGIyNTkwNjRhNjM2ODUxMjQzZGIzYS42NTMxNzMzMiIsImV4cCI6MTY5MjcxNjc3MCwiY2xpZW50X2lkIjoiRElIVk80M1Q2QzhTTFRLUUhLSEkifQ.u1Wx6uocGc5k50Hh3f6RUNPnafokZlxAAsS_yIXLtzF2GwR1SuzapuVzatajhrfZyM9ITm2txoplj-m0DTYyMQ
[REQUEST] POST for resource https://api-da6f62f9.duosecurity.com/frame/frameless/v4/auth?sid=frameless-bde1f720-5509-4af0-9c20-6ea786bba8ee&tx=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJkdW9fdW5hbWUiOiJzaWdfYWJlY2tlciIsInNjb3BlIjoib3BlbmlkIiwicmVzcG9uc2VfdHlwZSI6ImNvZGUiLCJyZWRpcmVjdF91cmkiOiJodHRwczpcL1wvc3NvLm9ha2xhbmQuZWR1XC9pZHBcL3Byb2ZpbGVcL0F1dGhuXC9EdW9cLzJGQVwvZHVvLWNhbGxiYWNrIiwic3RhdGUiOiJlZjQ3NDgzZThkOGIyNTkwNjRhNjM2ODUxMjQzZGIzYS42NTMxNzMzMiIsImV4cCI6MTY5MjcxNjc3MCwiY2xpZW50X2lkIjoiRElIVk80M1Q2QzhTTFRLUUhLSEkifQ.u1Wx6uocGc5k50Hh3f6RUNPnafokZlxAAsS_yIXLtzF2GwR1SuzapuVzatajhrfZyM9ITm2txoplj-m0DTYyMQ
[PAGE   ] Finished loading page https://sso.oakland.edu/idp/profile/SAML2/POST/SSO?execution=e1s2&_eventId_proceed=1
[SAML   ] No headers in response, searching body for xml comments
[SAML   ] Finished parsing response body for https://sso.oakland.edu/idp/profile/SAML2/POST/SSO?execution=e1s2&_eventId_proceed=1
[REQUEST] POST for resource https://grizzvpn.oakland.edu/SAML20/SP/ACS
[PAGE   ] Finished loading page https://grizzvpn.oakland.edu/SAML20/SP/ACS
[SAML   ] Got SAML result headers: {'prelogin-cookie': '$COOKIE', 'saml-auth-status': '1', 'saml-slo': 'yes', 'saml-username': '$USER'}
[SAML   ] Got all required SAML headers, done.

IMPORTANT: We started with SAML auth to the portal interface, but received a cookie that's often associated with the gateway interface. You should probably try both.

SAML response converted to OpenConnect command line invocation:

    echo $COOKIE | sudo openconnect --protocol=gp '--useragent=PAN GlobalProtect' --allow-insecure-crypto --user=$USER --os=win --usergroup=portal:prelogin-cookie --passwd-on-stdin grizzvpn.oakland.edu

SAML response converted to test-globalprotect-login.py invocation:

    test-globalprotect-login.py --user=$USER --clientos=Windows -p '' \
        https://grizzvpn.oakland.edu/global-protect/getconfig.esp prelogin-cookie=$COOKIE

The message about the cookie being for the gateway interface was interesting. I went ahead with portal invocation:

sshuser at oakvpn:~$ echo $COOKIE | sudo /vpn/openconnect-master/openconnect --protocol=gp '--useragent=PAN GlobalProtect' --allow-insecure-crypto --user=$USER --os=win --usergroup=portal:prelogin-cookie --passwd-on-stdin --verbose grizzvpn.oakland.edu
POST https://grizzvpn.oakland.edu/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows
Attempting to connect to server 141.210.72.2:443
Connected to 141.210.72.2:443
SSL negotiation with grizzvpn.oakland.edu
Connected to HTTPS on grizzvpn.oakland.edu with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Date: Tue, 22 Aug 2023 14:12:05 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 6720
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: SESSID=f651bcbf-da14-4fb3-abc5-6a5b490d376f; Path=/; HttpOnly; Secure
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length:  (6720)
Destination form field prelogin-cookie was specified; assuming SAML POST authentication is complete.
Enter login credentials
POST https://grizzvpn.oakland.edu/global-protect/getconfig.esp
Got HTTP response: HTTP/1.1 200 OK
Date: Tue, 22 Aug 2023 14:12:05 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 11408
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: SESSID=a647e797-4e98-4e9c-b79b-7c3c3663ba36; Path=/; HttpOnly; Secure
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length:  (11408)
Portal reports GlobalProtect version 6.1.1-5; we will report the same client version.
Portal set HIP report interval to 60 minutes).
1 gateway servers available:
  OU_VPN_Gateway (grizzvpn.oakland.edu)
Please select GlobalProtect gateway.
GATEWAY: [OU_VPN_Gateway]:OU_VPN_Gateway
POST https://grizzvpn.oakland.edu/ssl-vpn/login.esp
Got HTTP response: HTTP/1.1 200 OK
Date: Tue, 22 Aug 2023 14:12:05 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 69
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: SESSID=a647e797-4e98-4e9c-b79b-7c3c3663ba36; Path=/; HttpOnly; Secure
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length:  (69)
Failed to parse non-XML server response
Response was:
  Error: Login fails (invalid session id)

Failed to complete authentication

OK, that didn't work. Since the cookie is no good any more, I ran gp-saml-gui again with the portal option to get a new cookie, and then tried openconnect again with the gateway invocation:

sshuser at oakvpn:~$ echo $COOKIE | sudo /vpn/openconnect-master/openconnect --protocol=gp '--useragent=PAN GlobalProtect' --allow-insecure-crypto --user=$USER --os=win --usergroup=gateway:prelogin-cookie --passwd-on-stdin --verbose grizzvpn.oakland.edu
POST https://grizzvpn.oakland.edu/ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows
Attempting to connect to server 141.210.72.2:443
Connected to 141.210.72.2:443
SSL negotiation with grizzvpn.oakland.edu
Connected to HTTPS on grizzvpn.oakland.edu with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Date: Tue, 22 Aug 2023 14:21:35 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 497
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length:  (497)
Enter login credentials
POST https://grizzvpn.oakland.edu/ssl-vpn/login.esp
Got HTTP response: HTTP/1.1 200 OK
Date: Tue, 22 Aug 2023 14:21:35 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 69
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length:  (69)
Failed to parse non-XML server response
Response was:
  Error: Login fails (invalid session id)

Failed to complete authentication

I hope that's helpful. Please let me know if you need additional information.

Thanks!

Anthony
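Added example (the editor's, not code from openconnect or gp-saml-gui) that ties together Daniel's two Aug 17 suggestions (spoof the client OS; try the gateway interface as well as the portal) and the gp-saml-gui trace Anthony posted above. It pulls the SAML result out of the ACS response the way the trace shows it being found (HTTP headers when present, otherwise `<!-- -->` comments in the page body), checks `saml-auth-status`, flags the portal-login/`prelogin-cookie` mismatch behind the IMPORTANT warning, and builds the openconnect command lines for both interfaces. The comment layout `<!-- <saml-auth-status>1</saml-auth-status> -->`, the `Mac` to `mac-intel` mapping and every sample value are assumptions of the example; the cookie is a bearer credential, so it is fed on stdin rather than placed in argv.

```python
"""Parse a GlobalProtect SAML login result and build the openconnect invocation.

Added example; not code from openconnect or gp-saml-gui. The ACS response
either carries the result in HTTP headers or, when no headers are available,
in HTML comments in the page body. The comment layout assumed here is
    <!-- <saml-auth-status>1</saml-auth-status> -->
(one element per comment); that layout is an assumption of this example.
"""
import re
import shlex
from dataclasses import dataclass

# Field names from the "Got SAML result headers" line of the trace.
RESULT_FIELDS = ("saml-auth-status", "saml-username", "prelogin-cookie",
                 "portal-userauthcookie", "saml-slo")

# gp-saml-gui --clientos value -> openconnect --os value. Windows -> win and
# Linux -> linux-64 appear in the thread; the Mac entry is an assumption.
CLIENTOS_TO_OS = {"Windows": "win", "Linux": "linux-64", "Mac": "mac-intel"}

_COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
_ELEMENT_RE = re.compile(r"<([a-z-]+)>([^<]*)</\1>")


@dataclass
class SamlResult:
    username: str
    cookie_name: str   # "prelogin-cookie" or "portal-userauthcookie"
    cookie: str


def fields_from_headers(headers):
    """Case-insensitive pick of the result fields from HTTP response headers."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return {k: lowered[k] for k in RESULT_FIELDS if k in lowered}


def fields_from_body(body):
    """Fallback when the response has no headers: scan every HTML comment for
    a result element and ignore ordinary markup comments like ' Login form '."""
    found = {}
    for comment in _COMMENT_RE.findall(body):
        for name, value in _ELEMENT_RE.findall(comment):
            if name in RESULT_FIELDS:
                found[name] = value.strip()
    return found


def saml_result(headers=None, body=""):
    """Validate the result and pick the cookie the server handed back;
    prelogin-cookie wins over portal-userauthcookie when both are present."""
    fields = fields_from_headers(headers) if headers else fields_from_body(body)
    if fields.get("saml-auth-status") != "1":
        raise ValueError("SAML authentication did not succeed: %r" % fields)
    for name in ("prelogin-cookie", "portal-userauthcookie"):
        if fields.get(name):
            return SamlResult(fields.get("saml-username", ""), name, fields[name])
    raise ValueError("SAML result carries no usable cookie: %r" % fields)


def cookie_interface_mismatch(result, interface):
    """True when the cookie type does not match the interface we authenticated
    against: the situation behind the IMPORTANT warning in the trace."""
    expected = {"portal": "portal-userauthcookie", "gateway": "prelogin-cookie"}
    return result.cookie_name != expected[interface]


def openconnect_cmdline(server, result, interface, clientos="Windows", extra=()):
    """openconnect invocation for one interface. The cookie is a bearer
    credential, so it goes in on stdin and never into argv or shell history."""
    args = ["openconnect", "--protocol=gp", "--user=" + result.username,
            "--os=" + CLIENTOS_TO_OS[clientos],
            "--usergroup=%s:%s" % (interface, result.cookie_name),
            "--passwd-on-stdin", *extra, server]
    return "echo $COOKIE | sudo " + " ".join(shlex.quote(a) for a in args)


def candidate_cmdlines(server, result, started_with, clientos="Windows", extra=()):
    """Both invocations to try: the interface the SAML flow started with first,
    then the other one (the thread's portal-then-gateway sequence)."""
    other = "gateway" if started_with == "portal" else "portal"
    return [openconnect_cmdline(server, result, i, clientos, extra)
            for i in (started_with, other)]


# Constructed sample inputs; the real values were redacted as $COOKIE / $USER.
SAMPLE_HEADERS = {"Prelogin-Cookie": "AbCdEf0123456789", "Saml-Auth-Status": "1",
                  "Saml-Slo": "yes", "Saml-Username": "jdoe"}
SAMPLE_BODY = """<html><body>
<!-- end container div -->
<!-- <saml-auth-status>1</saml-auth-status> -->
<!-- <saml-username>jdoe</saml-username> -->
<!-- <portal-userauthcookie>Zz9876543210</portal-userauthcookie> -->
</body></html>"""

if __name__ == "__main__":
    res = saml_result(headers=SAMPLE_HEADERS)
    if cookie_interface_mismatch(res, "portal"):
        print("IMPORTANT: portal login returned a %s; try both interfaces" % res.cookie_name)
    for cmd in candidate_cmdlines("grizzvpn.oakland.edu", res, "portal",
                                  extra=("--useragent=PAN GlobalProtect",)):
        print(cmd)
```

Run as a script it prints the portal and gateway invocations for the constructed result; `fields_from_headers` and `fields_from_body` take a plain headers dict or a body string, so the same logic can sit behind any browser automation that can hand over the ACS response.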
From floppymaster at gmail.com Tue Aug 22 13:11:01 2023
From: floppymaster at gmail.com (Mike Gilbert)
Date: Tue, 22 Aug 2023 16:11:01 -0400
Subject: How to disconnect from OpenConnect VPN
In-Reply-To: <47a2289ecd8f0d33b590a039bfe4760c@collaboration.cafe>
References: <47a2289ecd8f0d33b590a039bfe4760c@collaboration.cafe>
Message-ID: 

On Tue, Aug 22, 2023 at 10:20 AM David Nelson wrote:
>
> Hello,
>
> First of all, thank you for your work on OpenConnect VPN.
>
> I can successfully connect to my OpenConnect server using the
> openconnect client on Ubuntu 22.04.
>
> But how can I disconnect? I don't see anything in the help obtained via
> openconnect --help
>
> Googling only informed me that I could simply kill the openconnect
> client process.
>
> Is there a more-civilized way of doing it from the command line, please?

openconnect shuts down gracefully when it receives SIGINT or SIGTERM. This is documented in the openconnect.8 man page.

SIGNALS
       In the data phase of the connection, the following signals are handled:

       SIGINT / SIGTERM
              performs a clean shutdown by logging the session off, disconnecting from the gateway, and running the vpnc-script to restore the network configuration.

       SIGHUP disconnects from the gateway and runs the vpnc-script, but does not log the session off; this allows for reconnection later using --cookie.

       SIGUSR1
              writes progress message with detailed connection information and statistics.

       SIGUSR2
              forces an immediate disconnection and reconnection; this can be used to quickly recover from LAN IP address changes.
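Added example (the editor's, not part of the thread or of the openconnect project) of the shutdown discipline the man page excerpt above implies: send SIGTERM (or SIGHUP when the session should survive for a later `--cookie` reconnect), give the client time to log off and run vpnc-script, and only SIGKILL a client that ignores the request, because SIGKILL skips that cleanup and leaves routes and DNS as the VPN set them. The helper is generic; the two stand-in child processes it is run against are constructed for the example, and the `openconnect --background --pid-file=...` usage named in `stop_by_pidfile` is the assumed way a daemonised client would be tracked.

```python
"""Stop a long-running VPN client the way its man page asks: SIGTERM first,
SIGKILL only as a last resort.

Added example; not code from the openconnect project. The stand-in child
processes at the bottom are constructed for the example so it runs offline.
"""
import os
import signal
import subprocess
import sys
import time


def graceful_stop(proc, grace_seconds=10.0, keep_session=False):
    """Ask `proc` (a subprocess.Popen) to shut down; escalate to SIGKILL after
    `grace_seconds`. keep_session=True sends SIGHUP (disconnect but keep the
    session for a later reconnect) instead of SIGTERM (log the session off).
    Returns (signal_sent, exit_code, escalated)."""
    sig = signal.SIGHUP if keep_session else signal.SIGTERM
    if proc.poll() is not None:               # already gone, nothing to do
        return sig, proc.returncode, False
    proc.send_signal(sig)
    try:
        return sig, proc.wait(timeout=grace_seconds), False
    except subprocess.TimeoutExpired:
        proc.kill()                           # SIGKILL: no cleanup will run
        return sig, proc.wait(), True


def stop_by_pidfile(pidfile, grace_seconds=10.0):
    """Same discipline for a daemon that is not our own child, e.g. one
    started with `openconnect --background --pid-file=PIDFILE` (assumed usage).
    Returns True if SIGKILL was needed."""
    with open(pidfile) as f:
        pid = int(f.read().strip())
    os.kill(pid, signal.SIGTERM)
    deadline = time.monotonic() + grace_seconds
    while time.monotonic() < deadline:
        try:
            os.kill(pid, 0)                   # existence probe, sends nothing
        except ProcessLookupError:
            return False                      # exited on its own
        time.sleep(0.1)
    os.kill(pid, signal.SIGKILL)
    return True


# Constructed stand-ins: a well-behaved client that exits on SIGTERM/SIGHUP
# (distinct exit codes so the caller can tell which one it honoured), and a
# stuck one that ignores SIGTERM and forces the escalation path.
_POLITE = r"""
import signal, sys, time
signal.signal(signal.SIGTERM, lambda *_: sys.exit(0))
signal.signal(signal.SIGHUP, lambda *_: sys.exit(3))
sys.stdout.write("ready\n"); sys.stdout.flush()
while True:
    time.sleep(0.05)
"""
_STUBBORN = r"""
import signal, sys, time
signal.signal(signal.SIGTERM, signal.SIG_IGN)
sys.stdout.write("ready\n"); sys.stdout.flush()
while True:
    time.sleep(0.05)
"""


def _spawn(script):
    p = subprocess.Popen([sys.executable, "-c", script],
                         stdout=subprocess.PIPE, text=True)
    p.stdout.readline()                       # wait until handlers are installed
    p.stdout.close()
    return p


def demo():
    """Run all three cases; returns their (signal, exit_code, escalated) tuples."""
    polite = graceful_stop(_spawn(_POLITE), grace_seconds=5)
    reconnectable = graceful_stop(_spawn(_POLITE), grace_seconds=5, keep_session=True)
    stubborn = graceful_stop(_spawn(_STUBBORN), grace_seconds=1)
    return polite, reconnectable, stubborn


if __name__ == "__main__":
    for label, (sig, rc, esc) in zip(("polite", "reconnectable", "stubborn"), demo()):
        print(f"{label}: sent {sig.name}, exit={rc}, escalated={esc}")
```

The grace period matters more for a VPN client than for most daemons: the logoff request and vpnc-script both have to finish before the process exits, so a short timeout followed by SIGKILL reproduces exactly the dirty state that killing the process outright would leave.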