Hey there,

I am sending an email because OpenConnect told me so, haha. I just want to run the corporate VPN via NetworkManager and the OpenConnect plugin, but I suppose because of this issue it doesn't work.

Using the gnutls-priority argument also only partly works, because I am unable to come up with a quick solution to do a split tunnel and then just lose my connection to the "regular" internet.

Reviewing the diff between both outputs, it seems that I updated my system somehow to use TLS 1.3, but the server doesn't support it? This issue has also already been reported here: https://gitlab.gnome.org/GNOME/NetworkManager-openconnect/-/issues/127
Here are the command outputs. Running with `--gnutls-priority="NORMAL:-VERS-ALL:+VERS-TLS1.2:+RSA:+AES-128-CBC:+SHA1"`:

```
╰─❯ sudo bash vpn.sh
WARNING: You specified --gnutls-priority. This should not be
necessary; please report cases where a priority string
override is necessary to connect to a server
to <[email protected]>.
POST https://vpn-xx.xx.xx/
Connected to xxx.xxx.xx.222:443
SSL negotiation with vpn-xx.xx.xx
Connected to HTTPS on vpn-xx.xx.xx with ciphersuite (TLS1.2)-(ECDHE-X25519)-(ECDSA-SHA256)-(AES-256-GCM)
XML POST enabled
Please enter your username and password.
POST https://vpn-xx.xx/
Please enter the TOTP code generated on your device
Response:
POST https://vpn-xx.xx/
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 2, Keepalive 20
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS1.2)-(ECDHE-RSA)-(AES-256-GCM).
Configured as 10.252.0.103, with SSL connected and DTLS connected
Session authentication will expire at Wed Dec 11 22:12:11 2024
Using vhost-net for tun acceleration, ring size 32
```

Running without it:

```
╰─❯ sudo bash vpn.sh
POST https://vpn-xx.xx.xx/
Connected to xxx.xxx.xx.222:443
SSL negotiation with vpn-xx.xx.xx
Connected to HTTPS on vpn-xx.xx.xx with ciphersuite (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-128-GCM)
XML POST enabled
Please enter your username and password.
POST https://vpn-xx.xx/
Please enter the TOTP code generated on your device
Response:
POST https://vpn-xx.xx.xx/
Got inappropriate HTTP CONNECT response: HTTP/1.1 401 Unauthorized
Creating SSL connection failed
Cookie was rejected by server; exiting.
```

```
╰─❯ openconnect --version
OpenConnect version v9.12
Using GnuTLS 3.8.6. Features present: PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse, f5, fortinet, array
Default vpnc-script (override with --script): /nix/store/lr3qc5xqbjph3nrcrik5b8gxrfq44mhn-vpnc-scripts-unstable-2023-01-03/bin/vpnc-script
```

If I can provide any more info, please feel free to instruct me on how to.

Best wishes,
Claus

--
Claus-Peter Käpplinger
Linux / Unix Consultant & Developer
Tel.: +49 160 7713661
E-Mail: [email protected]

B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / https://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt, HRB 3537
_______________________________________________
openconnect-devel mailing list
[email protected]
http://lists.infradead.org/mailman/listinfo/openconnect-devel
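As an added example (not part of the mail above or of OpenConnect itself), here is a small Python triage helper that pulls the negotiated TLS version and the HTTP CONNECT status out of openconnect output and flags the "TLS 1.3 negotiated, CONNECT answered 401, cookie rejected" pattern described in this thread. The two sample logs are constructed from the lines quoted in the mail; the `diagnose` labels are this example's own naming, not OpenConnect output.

```python
import re

# Constructed samples, condensed from the two openconnect runs quoted in the mail.
WITH_PRIORITY = """\
Connected to HTTPS on vpn-xx.xx.xx with ciphersuite (TLS1.2)-(ECDHE-X25519)-(ECDSA-SHA256)-(AES-256-GCM)
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 2, Keepalive 20
"""
WITHOUT_PRIORITY = """\
Connected to HTTPS on vpn-xx.xx.xx with ciphersuite (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-128-GCM)
Got inappropriate HTTP CONNECT response: HTTP/1.1 401 Unauthorized
Cookie was rejected by server; exiting.
"""

# openconnect prints the GnuTLS ciphersuite as (version)-(kx)-(sig)-(cipher).
CIPHERSUITE_RE = re.compile(
    r"with ciphersuite \((TLS\d\.\d)\)-\(([^)]*)\)-\(([^)]*)\)-\(([^)]*)\)")
# Both the normal and the "inappropriate" CONNECT lines carry an HTTP status code.
CONNECT_RE = re.compile(r"CONNECT response: HTTP/1\.\d (\d{3})")


def parse_openconnect_log(text):
    """Extract TLS version, key exchange, cipher and CONNECT status from a log."""
    result = {"tls_version": None, "kx": None, "cipher": None, "connect_status": None}
    for line in text.splitlines():
        m = CIPHERSUITE_RE.search(line)
        if m:
            result["tls_version"], result["kx"], _sig, result["cipher"] = m.groups()
        m = CONNECT_RE.search(line)
        if m:
            result["connect_status"] = int(m.group(1))
    return result


def diagnose(text):
    """Classify a run: 'ok', the thread's TLS 1.3 / 401 signature, or 'unknown'."""
    r = parse_openconnect_log(text)
    if r["connect_status"] == 200:
        return "ok"
    if r["tls_version"] == "TLS1.3" and r["connect_status"] == 401:
        return "tls13-connect-401"
    return "unknown"


if __name__ == "__main__":
    for name, log in (("with priority", WITH_PRIORITY), ("without", WITHOUT_PRIORITY)):
        print(name, parse_openconnect_log(log), diagnose(log))
```

Feeding it a full `openconnect -v` transcript instead of the constructed samples works the same way, since only the ciphersuite and CONNECT lines are matched.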
