Thanks a lot Daniel! This seems to have resolved the issue. There is a remaining tangential issue, which you might be able to help with. So here I go.

Unfortunately Egypt is performing DPI and seems to be killing the DTLS stream, so I cannot connect over DTLS even though I'm using v7.08 (from brew on OSX). The client emits the error message:

    DTLS handshake failed: Resource temporarily unavailable, try again.

and on the server side

    # tcpdump -ni eth0 udp and port 443

is showing zero packets reaching the server! Unfortunately it seems the DPI is effective here. My question is, is there any extra encryption/obfuscation that can be done on the DTLS stream? Would using newer ciphers like TLS_1.3 perhaps help? I know it's a long shot, but worth trying.

Thanks again!

On Thu, Jul 26, 2018 at 3:08 PM Daniel Lenski <dlen...@gmail.com> wrote:
>
> On Jul 26, 2018 7:28 AM, "Ahmed Kamal" <email.ahmedka...@googlemail.com> wrote:
> >
> > Thanks for helping. My config file is mostly defaults. Here it is:
> > https://transfer.sh/tXIM0/ocserv.conf.txt
> > Let me know if anything else is needed to debug this. Thanks
>
> In your configuration file, you've explicitly *disabled* the settings which
> allow DTLS connections from (a) Cisco clients and (b) openconnect < v7.08.
> Since you're connecting with openconnect v7.06, that explains the problem.
> (It's not offering the PSK-NEGOTIATE cipher which newer openconnect versions
> send to trigger the new-style DTLS negotiation.)
>
> # This option will enable the pre-draft-DTLS version of DTLS, and
> # will not require clients to present their certificate on every TLS
> # connection. It must be set to true to support legacy CISCO clients
> # and openconnect clients < 7.08. When set to true, it implies dtls-legacy = true.
> cisco-client-compat = false
>
> # This option allows to disable the legacy DTLS negotiation (enabled by default,
> # but that may change in the future).
> # The legacy DTLS uses a pre-draft version of the DTLS protocol and was
> # from AnyConnect protocol. It has several limitations, that are addressed
> # by the dtls-psk protocol supported by openconnect 7.08+.
> dtls-legacy = false
>
> -Dan

_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
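The quoted exchange turns on two ocserv.conf keys and the rule stated in the ocserv comments (cisco-client-compat = true implies dtls-legacy = true). The script below is an added example, not code from the thread or from the ocserv project: it reads an ocserv.conf-style file and reports which DTLS negotiation paths it leaves open, so the "openconnect < 7.08 gets no DTLS" situation can be spotted before a client ever connects. Assumptions: the "key = value" line syntax with "#" comments, cisco-client-compat defaulting to false and dtls-legacy defaulting to true when absent (the latter per the quoted comment), and last-occurrence-wins when a key is repeated. The sample configs it writes are constructed for the demonstration, not the poster's actual file.

```shell
#!/bin/sh
# Added example (not from the thread or from ocserv): report which DTLS paths an
# ocserv.conf permits. Assumes "key = value" lines, "#" comments, and that a
# repeated key's last occurrence wins.

# Print the effective value of key $2 in file $1, or default $3 if absent.
ocserv_get() {
    val=$(sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*\([^#[:space:]]*\).*/\1/p' "$1" \
          | tail -n 1)
    printf '%s\n' "${val:-$3}"
}

# Classify the DTLS negotiation paths the config allows:
#   legacy+psk : legacy (pre-draft) DTLS is on, so Cisco clients and
#                openconnect < 7.08 can bring up DTLS as well as 7.08+
#   psk-only   : only the PSK-NEGOTIATE path, i.e. openconnect >= 7.08
# Defaults when a key is absent are assumptions: cisco-client-compat=false,
# dtls-legacy=true ("enabled by default" per the quoted ocserv comment).
dtls_modes() {
    compat=$(ocserv_get "$1" cisco-client-compat false)
    legacy=$(ocserv_get "$1" dtls-legacy true)
    # cisco-client-compat = true implies dtls-legacy = true (ocserv comment).
    if [ "$compat" = true ] || [ "$legacy" = true ]; then
        echo legacy+psk
    else
        echo psk-only
    fi
}

# Write a constructed ocserv.conf fragment to $1 with the two keys set to $2/$3.
# Used only to demonstrate the check; it is not the poster's configuration.
make_sample() {
    cat > "$1" <<EOF
# constructed ocserv.conf fragment (example data)
udp-port = 443
cisco-client-compat = $2
dtls-legacy = $3
EOF
}

# Usage: sh dtls-check.sh /etc/ocserv/ocserv.conf
if [ "$#" -gt 0 ]; then
    dtls_modes "$1"
fi
```

With both keys set to false, as in the quoted config, the check prints psk-only, which is exactly the state in which a 7.06 client (no PSK-NEGOTIATE offer) falls back to TLS-only transport; flipping either key to true moves the file to legacy+psk.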