Connecting to anyconnect vpn - system verification

Zbyněk Kačer zbynek.kacer at pitris.info
Sat Jan 28 08:57:14 PST 2023


Daniel Lenski wrote:
> On Fri, Jan 27, 2023 at 3:58 AM Zbyněk Kačer <zbynek.kacer at pitris.info> wrote:
>> So I tried openconnect
> openconnect --version?
>
>> So I tried
>> openconnect --dump-http-traffic --csd-wrapper=/tmp/csd-post.sh
>> gateway.host.some.server.com
>>
>> but the csd-post script seems never to be called (I've inserted some echos
>> at the beginning).
> Are you 100% sure the `csd-post.sh` is an executable shell script, and
> that you're not missing an error about it being non-executable, or
> otherwise failing? Until we made improvements in recent releases
> (https://gitlab.com/openconnect/openconnect/-/commits/7083a0ac52a95e02b2c75180888bc29bcc9f3bae/auth.c),
> these errors were very easy to miss.
>
> Assuming the script is indeed executable, it's possible that your
> server detects that you're using a non-Cisco client, or running a
> not-supported OS, and simply skips over CSD and goes straight to the
> "limited access" mode.
>
> Try adding combinations of the following to the command line and see
> if they make any difference…
>
> --useragent 'AnyConnect Windows 4.10.05095'
> --os=win
> --local-hostname=HOSTNAME_OF_YOUR_OFFICIALLY_SUPPORTED_WINDOWS_LAPTOP
>
> Rinse/repeat/experiment until you hopefully find the magical
> combination of options/versions/identifiers (refer to
> https://www.infradead.org/openconnect/manual.html).
>
>> Do I have to force openconnect to post the "scan" result to the gateway
>> somehow?
> No.
> As far as we know, the Cisco servers either (a) require that you
> complete CSD before authentication will complete and you'll be able to
> connect the VPN tunnel, or (b) skip it.
>
> Dan
>
It's Debian's v9.01-2.
Yes, it's executable, I can run it from a terminal.
The parameters do not help, it's the same. I'll try to play with this a
little more. Is there any way to debug it?

Thanks.
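
Added example, not part of the original thread and not openconnect code: a pre-flight check for the script passed to --csd-wrapper. Running a script from an interactive shell does not prove a direct exec of it will succeed, because shells fall back to interpreting files that lack a `#!` line. The function name check_wrapper and the assumption that the wrapper is started by a direct exec (no shell in between) are mine.

```shell
#!/bin/sh
# Added example (not openconnect code): pre-flight check for a --csd-wrapper script.
# Assumption: the wrapper is started by a direct exec, with no shell in between.
# Prints one verdict word; returns 0 only for "ok".
check_wrapper() {
    f=$1
    cr=$(printf '\r')
    [ -f "$f" ] || { echo "not-a-file"; return 1; }
    [ -x "$f" ] || { echo "not-executable"; return 1; }

    first=$(head -n 1 "$f")
    case $first in
        '#!'*) ;;
        # A shell would still interpret this file; a direct exec fails (ENOEXEC).
        *) echo "no-shebang"; return 1 ;;
    esac
    case $first in
        # DOS line endings make the kernel look for an interpreter named "sh\r".
        *"$cr") echo "crlf-shebang"; return 1 ;;
    esac

    interp=${first#??}                      # drop "#!"
    interp=${interp#"${interp%%[! ]*}"}     # drop spaces after "#!"
    interp=${interp%% *}                    # drop interpreter arguments
    [ -x "$interp" ] || { echo "missing-interpreter"; return 1; }
    echo "ok"
}

# Usage: sh check-wrapper.sh /tmp/csd-post.sh
if [ $# -gt 0 ]; then
    check_wrapper "$1"
fi
```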


