On Mon, Aug 14, 2023 at 8:31 AM Anthony Becker <abec...@sigcorp.com> wrote:
>
> I am unable to connect to a GlobalProtect VPN. I start with the command:
>
>     eval $( ./.local/bin/gp-saml-gui grizzvpn.oakland.edu --allow-insecure-crypto )
>
> A web form requests my username and password and sends me a Duo push. The
> login succeeds and gives me a cookie to use when connecting. I then enter
> the command:
>
>     echo $MYCOOKIE | sudo openconnect --protocol=gp --user=$MYUSERNAME --os=linux-64 --usergroup=portal:prelogin-cookie --passwd-on-stdin grizzvpn.oakland.edu

Please show output of `openconnect --version`.

> The login fails with:
>
> POST https://grizzvpn.oakland.edu/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
> Attempting to connect to server 141.210.72.2:443
> Connected to 141.210.72.2:443
> SSL negotiation with grizzvpn.oakland.edu
> Connected to HTTPS on grizzvpn.oakland.edu with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
> Got HTTP response: HTTP/1.1 200 OK
> Date: Mon, 14 Aug 2023 14:33:26 GMT
> Content-Type: application/xml; charset=UTF-8
> Content-Length: 6720
> Connection: keep-alive
> Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
> Set-Cookie: SESSID=83c144c4-908c-4b32-889c-3c81d660f2f6; Path=/; HttpOnly; Secure
> X-Frame-Options: DENY
> Strict-Transport-Security: max-age=31536000;
> X-XSS-Protection: 1; mode=block
> X-Content-Type-Options: nosniff
> Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
> HTTP body length: (6720)
> Destination form field prelogin-cookie was specified; assuming SAML POST authentication is complete.
> Prelogin form _login: "Username: " user(TEXT)=(null), "prelogin-cookie: " prelogin-cookie(PASSWORD)
> Enter login credentials
> POST https://grizzvpn.oakland.edu/global-protect/getconfig.esp
> Got HTTP response: HTTP/1.1 200 OK
> Date: Mon, 14 Aug 2023 14:33:26 GMT
> Content-Type: application/xml; charset=UTF-8
> Content-Length: 11407
> Connection: keep-alive
> Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
> Set-Cookie: SESSID=824acd3b-32ae-41a7-b8e8-e59bf37533c6; Path=/; HttpOnly; Secure
> X-Frame-Options: DENY
> Strict-Transport-Security: max-age=31536000;
> X-XSS-Protection: 1; mode=block
> X-Content-Type-Options: nosniff
> Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
> HTTP body length: (11407)
> Portal set HIP report interval to 60 minutes).
> 1 gateway servers available:
> OU_VPN_Gateway (grizzvpn.oakland.edu)
> Please select GlobalProtect gateway.
> GATEWAY: [OU_VPN_Gateway]:OU_VPN_Gateway
> POST https://grizzvpn.oakland.edu/ssl-vpn/login.esp
> Got HTTP response: HTTP/1.1 200 OK
> Date: Mon, 14 Aug 2023 14:33:26 GMT
> Content-Type: text/html; charset=UTF-8
> Content-Length: 69
> Connection: keep-alive
> Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
> Set-Cookie: SESSID=824acd3b-32ae-41a7-b8e8-e59bf37533c6; Path=/; HttpOnly; Secure
> X-Frame-Options: DENY
> Strict-Transport-Security: max-age=31536000;
> X-XSS-Protection: 1; mode=block
> X-Content-Type-Options: nosniff
> Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
> HTTP body length: (69)
> Failed to parse server response
> Response was: <html>
> <body>Error: Login fails (invalid session id)</body>
> </html>
> Failed to complete authentication
>
> Can you provide assistance, please?

I have never seen this exact error message, but it appears to be in keeping
with many other flavors of what I'd call "mindless state propagation" … the
GlobalProtect VPN servers expect the *client* to propagate a very large number
of random bits of state that the *server* really should be keeping track of on
its own (and some interesting security holes result from the server not doing
so 😬).

Things to try:

1. Pretend to be running on Windows, rather than Linux.
   (`gp-saml-gui --clientos Windows` → `openconnect --os=win`)

2. Try bypassing the "portal" interface and going straight to the "gateway"
   interface of the GP VPN server.
   (`openconnect --usergroup=gateway:prelogin-cookie`)

_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
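The following script is an added example and is not code from the thread, from openconnect or from gp-saml-gui. It automates the flow the poster described (SAML login via gp-saml-gui, then openconnect with the prelogin-cookie) and, when the server answers "invalid session id", moves on to the two workarounds from the reply: claiming Windows on both sides of the exchange, and logging in to the gateway interface instead of the portal. It assumes that gp-saml-gui prints shell assignments named HOST, USER, COOKIE and OS for `eval` to import (the poster's command used renamed variables, so the exact names are an assumption), that openconnect writes the server's error text to stderr, and that `Mac` pairs with `--os=mac`; the `Linux` → `linux-64` pairing is taken from the poster's command and `Windows` → `win` from the reply. The default server name is the one from the thread and can be overridden with `GP_SERVER`.

```shell
#!/bin/sh
# Added example (not from the thread, openconnect or gp-saml-gui): bring up a
# GlobalProtect tunnel via gp-saml-gui + openconnect, retrying with the
# workarounds from the reply when the server says "invalid session id".
#
# Assumptions: gp-saml-gui emits `HOST=...; USER=...; COOKIE=...; OS=...` for
# eval (variable names assumed), and openconnect's error text goes to stderr.
set -eu

GP_SERVER="${GP_SERVER:-grizzvpn.oakland.edu}"
GP_SAML_GUI="${GP_SAML_GUI:-gp-saml-gui}"

# Map a gp-saml-gui --clientos value onto the matching openconnect --os value.
# The prelogin-cookie is bound server-side to the OS that fetched it, so the
# SAML step and the openconnect step must claim the same OS (Mac->mac assumed).
os_for_clientos() {
  case "$1" in
    Linux)   echo linux-64 ;;
    Windows) echo win ;;
    Mac)     echo mac ;;
    *)       echo "os_for_clientos: unknown clientos '$1'" >&2; return 1 ;;
  esac
}

# Compose the openconnect command line for one attempt.
# $1 = interface to log in to (portal|gateway), $2 = --os value,
# $3 = username, $4 = server.  The cookie is deliberately NOT an argument:
# it is fed on stdin (--passwd-on-stdin) so it never shows up in `ps`.
# The result is word-split later, so user and server must not contain spaces.
build_cmd() {
  printf 'openconnect --protocol=gp --user=%s --os=%s --usergroup=%s:prelogin-cookie --passwd-on-stdin %s' \
    "$3" "$2" "$1" "$4"
}

# Do a fresh SAML login claiming clientos $2, then try interface $1.
# Returns 0 on success, 2 if the server replied "invalid session id"
# (worth retrying with different state), 1 for any other failure.
attempt() {
  os=$(os_for_clientos "$2")
  eval "$("$GP_SAML_GUI" --clientos "$2" --allow-insecure-crypto "$GP_SERVER")"
  cmd=$(build_cmd "$1" "$os" "$USER" "$GP_SERVER")
  errlog=$(mktemp)
  echo "==> trying $1 interface as $2: sudo $cmd"
  if printf '%s\n' "$COOKIE" | sudo $cmd 2>"$errlog"; then
    rm -f "$errlog"; return 0
  fi
  if grep -q 'invalid session id' "$errlog"; then
    rm -f "$errlog"; return 2
  fi
  cat "$errlog" >&2; rm -f "$errlog"; return 1
}

# Order of attempts: what the poster did first, then the reply's suggestions.
# Each attempt re-runs the SAML login so the cookie matches the claimed OS.
connect_gp() {
  for try in portal:Linux portal:Windows gateway:Linux gateway:Windows; do
    attempt "${try%%:*}" "${try#*:}" && return 0
    [ $? -eq 2 ] || return 1          # give up on any error other than session id
  done
  echo "all attempts rejected with 'invalid session id'" >&2
  return 1
}

# Usage: sh gp-connect.sh connect
case "${1:-}" in connect) connect_gp ;; esac
```

Each attempt performs a new SAML login (and therefore a new Duo push) on purpose: reusing a prelogin-cookie obtained as Linux while telling openconnect `--os=win` is exactly the client/server state mismatch the reply describes. Only the `invalid session id` response triggers the next attempt; any other failure is printed and stops the loop so that, for example, a TLS or credential problem is not masked by four identical retries.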