From mail at dheidemann.de  Fri Jun  6 01:10:42 2025
From: mail at dheidemann.de (Daniel Heidemann)
Date: Fri, 6 Jun 2025 10:10:42 +0200
Subject: Report: priority string override at vpn-ac.urz.uni-heidelberg.de
Message-ID:

Hello,

at my university the following override is necessary:

--gnutls-priority="NORMAL:-VERS-ALL:+VERS-TLS1.2:+RSA:+AES-128-CBC:+SHA1"

Thanks for caring!

BR,
Daniel

From pauly at hrz.uni-marburg.de  Wed Jun 11 07:05:36 2025
From: pauly at hrz.uni-marburg.de (Martin Pauly)
Date: Wed, 11 Jun 2025 16:05:36 +0200
Subject: openconnect (-gui?) on Windows CLI?
Message-ID:

Hi,

first of all, many thanks for the wonderful openconnect software family.

Is there currently some pre-compiled release available for the Windows CLI?
https://gitlab.com/openconnect/openconnect/-/jobs/artifacts/master/raw/openconnect-installer-MinGW64-GnuTLS.exe?job=MinGW64/GnuTLS
(as shown on https://www.infradead.org/openconnect/packages.html and
https://gitlab.com/openconnect/openconnect) gives me HTTP 404 not found.

I tried to go with openconnect-gui 1.6.2, but ran into other issues:
When I try to connect to our new Cisco ASA (Firepower Hardware, running
ASA OS 9.23.1.3) the ASA complains about openconnect being an Unknown
client, which results in an HTTP 401 unauthorized.

The reason I would like CLI on Windows may sound a bit strange:
I am currently trying to track down an issue with Cisco's
"Start Before Logon" feature. It is hard to obtain _any_ information
on a not-yet-logged-on Windows machine. Years ago, I learned to get a CLI
by SSHing into the Windows Machine "sideways" by using the then all-new
OpenSSH Service. That helped to reveal a hidden routing bug in the setup.
This time, I would like to replace the whole Pre-Login
VPN connection with an openconnect one.

I think I read about an openconnect-gui option -s a while ago,
but cannot find that doc any more. Sorry if I missed some trivial docs.

Thanks, Martin

-- 
  Dr. Martin Pauly     Phone:  +49-6421-28-23527
  HRZ Univ. Marburg    Fax:    +49-6421-28-26994
  Hans-Meerwein-Str.   E-Mail: pauly at HRZ.Uni-Marburg.DE
  D-35032 Marburg

From kop at karlpinc.com  Wed Jun 11 13:52:09 2025
From: kop at karlpinc.com (Karl O. Pinc)
Date: Wed, 11 Jun 2025 15:52:09 -0500
Subject: openconnect (-gui?) on Windows CLI?
In-Reply-To:
References:
Message-ID: <20250611155209.0335bf1b@slate.karlpinc.com>

On Wed, 11 Jun 2025 16:05:36 +0200
Martin Pauly wrote:

> The reason I would like CLI on Windows may sound a bit strange:

> This time, I would like to replace the whole Pre-Login
> VPN connection with an openconnect one.

I have only a thought, based on my experience, to offer.
It will be easier to work entirely from the command line
than try to go through a gui. (Unless you're just using the
gui to come up with the initial openconnect command to try,
and then you'll add more options to reveal more debugging
information.)

(I too recall a documentation page for cisco, but haven't
tried to find it. I last used just -u and --authgroup,
and also --script to vpnc-script-sshd because I want
the vpn in a separate network namespace. There may be
no way to do the latter on MS Windows.)

A second thought would be to debug on Linux, and use what
you learn to make MS Windows work.

Life is fraught....

Regards,

Karl
Free Software: "You don't pay back, you pay forward."
                 -- Robert A. Heinlein

From p.kensche at dkfz-heidelberg.de  Tue Jun 17 00:29:00 2025
From: p.kensche at dkfz-heidelberg.de (Philip R. Kensche)
Date: Tue, 17 Jun 2025 09:29:00 +0200
Subject: Priority string override necessary
Message-ID:

Dear OpenConnect team,

I had to use a GnuTLS priority override string to get openconnect to
work with my company's VPN server again (German Cancer Research Center
(DKFZ), Heidelberg).

I now use the following command to log in to our VPN server:

openconnect --protocol=anyconnect '--useragent=AnyConnect Windows 5.1.7.80' --background --gnutls-priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:+RSA:+AES-128-CBC:+SHA1 --user $USER https://$ourVpnServer/token

Best,
Philip
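
What the override reported in the messages above re-enables, as an added example (not from the thread or from the OpenConnect or GnuTLS projects): a small checker for `--gnutls-priority` values found in connection scripts. The function names and the `LEGACY` table are constructed for illustration, and the check assumes the base keyword offers TLS 1.3, as `NORMAL` does in recent GnuTLS.

```python
# Constructed audit helper; a simplified reading of GnuTLS priority strings,
# not a reimplementation of the GnuTLS parser.
LEGACY = {
    "RSA": "static RSA key exchange (no forward secrecy)",
    "AES-128-CBC": "CBC-mode cipher (not AEAD)",
    "AES-256-CBC": "CBC-mode cipher (not AEAD)",
    "3DES-CBC": "64-bit block cipher",
    "ARCFOUR-128": "RC4 stream cipher",
    "SHA1": "HMAC-SHA1 record MAC",
    "MD5": "HMAC-MD5 record MAC",
    "VERS-SSL3.0": "SSL 3.0 enabled",
    "VERS-TLS1.0": "TLS 1.0 enabled",
    "VERS-TLS1.1": "TLS 1.1 enabled",
}
ALL_VERSIONS = ("VERS-ALL", "VERS-TLS-ALL")


def parse_priority(prio):
    """Return (base keyword, ordered list of (op, name)) for a priority string."""
    base, ops = None, []
    for part in (p for p in prio.strip().strip('"').split(":") if p):
        if part[0] in "+-!%":
            # '!' is a synonym for '-' (remove); '%' marks a special option
            ops.append(("-" if part[0] == "!" else part[0], part[1:]))
        elif base is None:
            base = part
        else:
            ops.append(("?", part))  # bare token after the keyword: unexpected
    return base, ops


def audit(prio):
    """Return (base keyword, findings) describing what the string relaxes."""
    base, ops = parse_priority(prio)
    findings = []
    tls13 = True  # assumption: the base keyword offers TLS 1.3
    for op, name in ops:
        if op == "-" and name in ALL_VERSIONS + ("VERS-TLS1.3",):
            tls13 = False
        elif op == "+" and name in ALL_VERSIONS + ("VERS-TLS1.3",):
            tls13 = True
        if op == "+" and name in LEGACY:
            findings.append(f"+{name}: {LEGACY[name]}")
        elif op == "?":
            findings.append(f"{name}: unexpected bare token")
    if not tls13:
        findings.append("TLS 1.3 not offered")
    return base, findings


if __name__ == "__main__":
    reported = "NORMAL:-VERS-ALL:+VERS-TLS1.2:+RSA:+AES-128-CBC:+SHA1"
    for line in audit(reported)[1]:
        print(line)
```

Running the same string through `gnutls-cli --list --priority=...` on the client shows the cipher suites the local GnuTLS build actually enables for it.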