Alexander Kurilo (https://github.com/kamazee) figured out the meaning of this
one
Signed-off-by: Daniel Lenski <dlen...@gmail.com>
---
auth-globalprotect.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/auth-globalprotect.c b/auth-globalprotect.c
index e5183c2..3
David,
You're certainly right with this, uh, skeptical comment on the
ESP_OVERHEAD estimation in gpst.c …
/* XXX: Look at set_esp_algo() and tell me again what the biggest
supported IV is? */
#define ESP_OVERHEAD (4 /* SPI */ + 4 /* sequence number */ + \
20 /* biggest
On Tue, Aug 15, 2017 at 11:03 AM, David Woodhouse <dw...@infradead.org> wrote:
> On Tue, 2017-08-15 at 10:42 -0700, Daniel Lenski wrote:
>> David,
>> You're certainly right with this, uh, skeptical comment on the
>> ESP_OVERHEAD estimation in gpst.c …
>>
>
On Tue, Aug 15, 2017 at 12:30 PM, David Woodhouse <dw...@infradead.org> wrote:
> On Tue, 2017-08-15 at 11:42 -0700, Daniel Lenski wrote:
>> + mtu = ( base_mtu - UDP_HEADER_SIZE - ESP_OVERHEAD
>> + - (vpninfo->hmac_key_len ? : 20) /* b
On Wed, Aug 16, 2017 at 8:03 PM, Daniel Lenski wrote:
> I believe the correct [ESP padding] algorithm is actually as follows:
>
> * From payload MTU, add 2 footer bytes, round *up* to a multiple of
> the blocksize. Add the size of the MAC, IV, and other headers. That's
On Tue, Aug 15, 2017 at 2:17 PM, Daniel Lenski <dlen...@gmail.com> wrote:
> On Tue, Aug 15, 2017 at 12:30 PM, David Woodhouse <dw...@infradead.org> wrote:
>> So from wire packet MTU, subtract headers and MAC and IV, round *down*
>> to a multiple of blocksize, subt
On Mon, Aug 21, 2017 at 7:31 PM, Aube, Jeremy wrote:
>
> I'm having issues running OpenConnect on a router I flashed with
> Asuswrt-Merlin. I have a USB drive connected with Entware-ng installed, and
> was able to install OpenConnect and related packages.
>
> The first time I
On Wed, Oct 11, 2017 at 1:39 PM, Gernot Hillier
wrote:
> OpenConnect already sets the according environment variables when the Pulse
> gateway sends "split-exclude" routes, so we only need to handle them
> in vpnc-script.
>
> I hope this is the right place for
On Wed, Sep 27, 2017 at 11:41 PM, Abdulla Bubshait wrote:
>
> I have been trying to connect to my office Cisco 800 router using openconnect.
> While a VPN connection can be made it doesn't use UDP, but falls back to
> TCP/SSL.
>
> I can connect with DTLS using the anyconnect
From: Brennan Hildebrand <bren...@nthroot.org>
Signed-off-by: Daniel Lenski <dlen...@gmail.com>
---
esp.c | 4
1 file changed, 4 insertions(+)
diff --git a/esp.c b/esp.c
index ae60269..7876fd5 100644
--- a/esp.c
+++ b/esp.c
@@ -23,6 +23,10 @@
#include
#include
#incl
On Thu, Sep 28, 2017 at 2:48 PM, Abdulla Bubshait wrote:
>
> > You should use --dump to show the complete chain of HTTPS request and
> > response headers.
>
> Thanks for this. It seems openconnect is indeed issuing the three DTLS
> lines, but nothing seems to be coming in
On Tue, Oct 17, 2017 at 12:54 AM, Gernot Hillier
<gernot.hill...@siemens.com> wrote:
>
> Am 16.10.2017 um 20:54 schrieb Daniel Lenski:
>>
>> I don't have access to a VPN that provides split-exclude routes, but I
>> did test your patched vpnc-script with les
As usual, you're right on all counts, in particular the *non-pedantic*
bit about <= vs. <.
Thanks!
-Dan
On Wed, Nov 29, 2017 at 1:32 AM, David Woodhouse wrote:
> I pushed a modified version (with the loop condition changed). I
> haven't actually tested it, especially at the
A single SSL record can't contain >16KiB, so the HTTPS request buffer may not
get fully written if it's larger than this.
I discovered this frustrating bug while working on GlobalProtect HIP support,
which requires sending giant blobs of XML to the gateway.
Signed-off-by: Daniel Lenski <
tually out of features to support. So I hope I'll
succeed in just doing the cleanup very soon :-D
-Dan
On Wed, Nov 29, 2017 at 2:00 AM, David Woodhouse <dw...@infradead.org> wrote:
> On Wed, 2017-11-29 at 01:36 -0800, Daniel Lenski wrote:
>> As usual, you're right on all counts, in par
On Sun, Dec 17, 2017 at 2:33 PM, Daniel Lenski <dlen...@gmail.com> wrote:
> Signed-off-by: Daniel Lenski <dlen...@gmail.com>
> ---
> auth-globalprotect.c | 29 +---
> gpst.c| 158 +++
>
containing authentication information, but exclude the volatile authcookie
field which changes from session to session.
Signed-off-by: Daniel Lenski <dlen...@gmail.com>
---
gpst.c| 179 +
hipreport.sh
On Mon, Dec 18, 2017 at 11:37 AM, Torben Nielsen
wrote:
> Hi,
>
> I'm lost.
>
> Using OpenConnect to connect to a Cisco Anyconnect appliance at my hosting
> provider from my 64-bit computer running Linux Mint 17 works perfectly. Trying
> to do the same thing from my
In preparation for adding re-key support, stop misusing ssl_times.last_rekey.
(This seems to fix a weird frantic mainloop-invoking bug I was running into as
well.)
Signed-off-by: Daniel Lenski <dlen...@gmail.com>
---
gpst.c | 19 +++
mainloop.c
eport."
HIP is basically GlobalProtect's CSD/TNCC equivalent; the one good
thing I'll say about it is that it *doesn't* involve downloading and
running a Trojan binary.
-Dan
Daniel Lenski (3):
Improve GPST/ESP not-stepping-on-toes tap dance
Add support for tunnel-based rekey for GlobalPro
Signed-off-by: Daniel Lenski <dlen...@gmail.com>
---
auth-globalprotect.c | 29 +---
gpst.c| 158 +++
hipreport.sh | 182 ++
www/Makefile.am | 2 +-
www/featur
This simply means re-pulling the getconfig.esp tunnel configuration
and thereby acquiring new ESP keys and extending the lifetime of the
authentication cookie, before the elapses.
Signed-off-by: Daniel Lenski <dlen...@gmail.com>
---
gpst.c | 18 ++
1 file changed, 18 inse
On Mon, Aug 14, 2017 at 12:48 PM, David Woodhouse wrote:
>> > Besides... if I look in your auth-globalprotect.c it looks like you're
>> > generating the field names out of thin air anyway. If you had used
>> > "username" and "password" instead of "user" and "passwd" then this
On Wed, Dec 13, 2017 at 6:42 AM, David Woodhouse wrote:
> On Wed, 2017-12-13 at 14:06 +0100, Adam Cecile wrote:
>> Hello,
>>
>>
>> 7.08 still has the issue. I cannot push a docker image through
>> openconnect. It stalls around 50Mbytes.
>
> Hm, that doesn't make much sense
Signed-off-by: Daniel Lenski <dlen...@gmail.com>
---
http.c | 2 +-
openconnect-internal.h | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/http.c b/http.c
index 5307d82..2960296 100644
--- a/http.c
+++ b/http.c
@@ -1472,7 +1472,7 @@ void http_common_h
On Sun, Dec 17, 2017 at 12:21 PM, Daniel Lenski <dlen...@gmail.com> wrote:
> Signed-off-by: Daniel Lenski <dlen...@gmail.com>
> ---
> http.c | 2 +-
> openconnect-internal.h | 1 +
> 2 files changed, 2 insertions(+), 1 deletion(-)
>
> diff --git
to master--because the model for these changes is unclear
otherwise, and because they're entirely self-contained.
I did not make any corresponding changes for AnyConnect IPv6, because
I don't have any way to test it right now.
Daniel Lenski (2):
Protocols should explicitly request the same IP
of necessity, because GlobalProtect
servers tend to provide different IPv4 addresses upon reconnect, after even a
brief disconnection.
This patch reproduces this behavior in cstp.c; I did not make the corresponding
change for IPv6 because I have no way to test it.
Signed-off-by: Daniel Lenski <d
IPv4 address.
I did not implement the corresponding behavior for IPv6 because I do not
have a way to test it right now.
Signed-off-by: Daniel Lenski <dlen...@gmail.com>
---
auth-globalprotect.c | 2 ++
cstp.c | 23 +--
gpst.c
On Mon, Dec 18, 2017 at 8:47 AM, Daniel Lenski <dlen...@gmail.com> wrote:
> Unlike CSD, the HIP security checker runs during the connection phase, not
> during the authentication phase.
This is a rather vexing difference between the GlobalProtect "security
theater direct
On Thu, May 10, 2018 at 4:38 AM, Ryan Taylor wrote:
>
> Hello,
>
> The manual describes the --servercert option as follows:
> http://www.infradead.org/openconnect/manual.html
>
> "Accept server’s SSL certificate only if the provided fingerprint matches.
> The allowed
Pretty sure I see the problem…
On Sun, Jun 3, 2018 at 1:30 PM, Stephen Davies wrote:
> Here is the debug output:
> [root@se5 ~]# openconnect -
> --config=/etc/openconnect.conf --useragent="Cisco AnyConnect VPN Agent for
> Windows 4.2.01035" remotehost
> POST https://remotehost/vendor
The
On Sun, Jun 3, 2018 at 4:27 AM, Stephen Davies wrote:
> On 02/06/18 18:50, Daniel Lenski wrote:
>>
>> On Sat, Jun 2, 2018 at 11:00 AM, Stephen Davies
>> wrote:
> Down with paranoia!
>
> I love simple solutions like this but unfortunately, it did not work for me.
On Mon, Jun 4, 2018 at 3:17 AM, Stephen Davies wrote:
> Sorry, still no joy.
>
> The actual value in the config file was vendor.
Just to be 100% certain here.
You *did* try running openconnect without `--userconfig=version`, right?
What was the result?
> Here is the AnyConnect client XML file
On Sat, Jun 2, 2018 at 6:55 PM, Daniel Lenski wrote:
> User's GP VPN with split tunnel:
>
> CISCO_CSTP_OPTIONS=split-include=1.2.3.4/32
> CISCO_DEF_DOMAIN=company.domain.com
> CISCO_SPLIT_INC=3
> CISCO_SPLIT_INC_0_ADDR=10.1.0.11
> CISCO_SPLIT_INC_0_MASK=255.255.255.255
> C
work.
See check_or_submit_hip_report() in cstp.c in OpenConnect.
Signed-off-by: Daniel Lenski
---
src/nm-openconnect-service.c | 8
1 file changed, 8 insertions(+)
diff --git a/src/nm-openconnect-service.c b/src/nm-openconnect-service.c
index 77934aa..b18b1a2 100644
--- a/src/nm-openconnect
On Mon, Jun 25, 2018 at 12:12 PM, Jeroen Balduyck
wrote:
> Hi Dan,
>
> I *think* I figured it out. Hopefully this post will make it to the
> list (my other one for this topic is under moderation). I'm using the
> info from this document:
>
On Sat, Jun 23, 2018 at 12:22 PM, Jeroen Balduyck
wrote:
> Hi
>
> I've been struggling to get this option to work. Wireshark reports
> this cipher in the server hello:
> Cipher Suite: TLS_PSK_WITH_AES_256_GCM_SHA384 (0x00a9)
Are you sure that the server supports this ciphersuite for *DTLS*, as
On Thu, Jun 21, 2018 at 9:10 PM, Jeroen Balduyck
wrote:
> Hi
>
> Can anyone tell me how to run multiple concurrent openconnect
> instances? I want to establish a client connection to 3 different VPNs
> at the same time and use policy based routing to a specific VPN
> instance.
>
> Regards,
>
forever.
This patch tracks the latest sequence number even if ESP replay protection
isn't in use -- however inadvisable that may be -- allowing the handover to
work correctly.
This patch also improves the confusing trace message shown when a packet
from the old SPI is received.
Signed-off-by: Daniel
if replay protection isn't enabled, right?
Daniel Lenski (1):
Save latest ESP sequence number even if replay protection isn't in use
esp.c | 2 +-
gnutls-esp.c | 2 ++
openssl-esp.c | 3 ++-
3 files changed, 5 insertions(+), 2 deletions(-)
l connects, but actually calling esp_close_secret (which closes
dtls_fd, unmonitors it, and sets it to -1).
Signed-off-by: Daniel Lenski <dlen...@gmail.com>
---
esp.c | 3 ++-
gpst.c | 3 +--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/esp.c b/esp.c
index 6285ff8..80
In preparation for adding re-key support, stop misusing ssl_times.last_rekey.
(This seems to fix a weird frantic mainloop-invoking bug I was running into as
well.)
Signed-off-by: Daniel Lenski <dlen...@gmail.com>
---
gpst.c | 20 +---
1 file changed, 5 insertions(
the named fields into the buffer */
filter_opts(buf, vpninfo->cookie, "user,authcookie", 1);
/* include=0: copy all fields except the named ones into the buffer */
filter_opts(buf, vpninfo->cookie, "authcookie,junk", 0);
Signed-off-by: Daniel Lenski <dlen..
I tested it, and see here: https://stackoverflow.com/a/10441292/20789
Signed-off-by: Daniel Lenski <dlen...@gmail.com>
---
auth-globalprotect.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/auth-globalprotect.c b/auth-globalprotect.c
index 1e7c854..0c151fe 100644
--- a/auth-globalpro
, including a very subtle
one that would only occur when the ESP tunnel failed and then
the connection was rekeyed or restarted... and would cause CPU
usage to spike.
Thanks,
Dan
Daniel Lenski (10):
Unfortunately, xmlNodeGetContent can't be avoided
Add buf_append_xmlescaped() and use
GlobalProtect has the strange quirk that incoming (server → client) ESP
sequence numbers start at 1, not 0, but this just causes a one-time offset
for the replay protection checker.
Signed-off-by: Daniel Lenski <dlen...@gmail.com>
---
gpst.c | 1 +
1 file changed, 1 insertion(+)
diff
This simply means re-pulling the getconfig.esp tunnel configuration
and thereby acquiring new ESP keys and extending the lifetime of the
authentication cookie, before the elapses.
Signed-off-by: Daniel Lenski <dlen...@gmail.com>
---
gpst.c | 18 ++
1 file changed, 18 inse
containing authentication information,
but exclude the volatile field (which changes from session to session)
and the preferred-ip field (which may not be present in all cases, or may
change from session to session).
Signed-off-by: Daniel Lenski <dlen...@gmail.com>
---
gpst.c
(This also fixes a small bug in d2cbc42c, where David Woodhouse forgot to
change the name of the xmlNode variable for the tag in one
place)
Signed-off-by: Daniel Lenski <dlen...@gmail.com>
---
auth-globalprotect.c | 19 ++-
http.c
On Mon, Jan 8, 2018 at 12:30 AM, David Woodhouse <dw...@infradead.org> wrote:
> On Sun, 2018-01-07 at 17:54 -0800, Daniel Lenski wrote:
>>
>> This patch tracks the latest sequence number even if ESP replay protection
>> isn't in use -- however inadvisable that may
enabled and ESP keys, then we should calculate tunnel
MTU based on the base/wire MTU, subtracting the IP+UDP+ESP overhead.
Signed-off-by: Daniel Lenski <dlen...@gmail.com>
---
gpst.c | 41 ++---
1 file changed, 30 insertions(+), 11 deletions(-)
diff
Signed-off-by: Daniel Lenski <dlen...@gmail.com>
---
auth-globalprotect.c | 19 ++-
gpst.c | 26 +++---
2 files changed, 33 insertions(+), 12 deletions(-)
diff --git a/auth-globalprotect.c b/auth-globalprotect.c
index d3799d6..4ef37f7
(Also adds more memory-allocation checks to the portal auth form)
Signed-off-by: Daniel Lenski <dlen...@gmail.com>
---
auth-globalprotect.c | 64
1 file changed, 34 insertions(+), 30 deletions(-)
diff --git a/auth-globalprotect.c
server versions (NCP-Version 2 and 3) and both with
and without ESP enabled.
It'd be great if others can test these patches and verify that they
can still reliably connect to Juniper VPNs with them.
Thanks,
Dan
Daniel Lenski (2):
Reduce unnecessary connection-rebuilding for Juniper
Remove fi
, one of which returns
"NCP-Version: 2" and one which returns "NCP-Version: 3" in response to the
oNCP negotiation requests.
Removing the first request saves an additional TLS negotiation (2-3
roundtrips with TLS 1.0) and allows the connection to start faster.
Signed-o
On Fri, Jul 27, 2018 at 11:20 AM, Ahmed Kamal
wrote:
>
> Thanks for the info. Really appreciating your help! I wish more and
> more privacy software, would focus a bit more on censorship
> resistance. Without it, users who most deeply need the privacy
> features, are not getting it. Although I
On Fri, Jun 15, 2018 at 8:24 PM, Ralph Schmieder
wrote:
> just wanted to chime in and offer some help (if needed) in providing
> ASA VPN head ends that could do IPv6 if that would be useful. It would
> be low-bandwidth and tunneled to get to it but that should not really
> matter... would it? But
On Wed, Jul 25, 2018, 1:03 PM Steve Langasek wrote:
>
> Generally speaking, packages which need to be updated in order to remain
> compatible with changes to protocols on the Internet at large (such as in
> this case, changes to the baseline TLS version that clients must negotiate
> in order to
On Tue, Jul 31, 2018 at 5:32 AM, Jeroen Balduyck
wrote:
> On Opnsense (Freebsd) I'm running Openconnect in client mode. I get
> this unusual error:
>
> LZS decompression failed: File too large.
openconnect --compression=none should provide an immediate workaround,
by disabling compression of
David,
This looks like a very similar issue to the one from Juniper oNCP
where packets sometimes arrive that are larger than the negotiated
MTU.
Patch was "Do not drop vpn connection if packet arrived is larger than
MTU":
ch extends that approach to tolerate compressed packets which are
larger than the negotiated MTU after decompression.
Signed-off-by: Daniel Lenski
---
cstp.c | 12
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/cstp.c b/cstp.c
index 5477c5c..c131198 100644
--- a/cstp.c
++
84 is the maximum TLS record size.
4) Use receive_mtu = MAX(2048, vpninfo->vpninfo->ip_info.mtu + 256) for
all UDP-based tunnels, because the MTU of IP datagrams on the public
internet is effectively ~1500.
Signed-off-by: Daniel Lenski
---
cstp.c | 11 +++
esp.c | 6 +++
et me know if anything else is needed to debug this. Thanks
>
> On Thu, Jul 26, 2018 at 4:29 AM Daniel Lenski wrote:
>>
>> On Jul 25, 2018 4:12 PM, "Ahmed Kamal"
>> wrote:
>> >
>> > Hello folks,
>> >
>> > I'm trying to co
On Jul 27, 2018 9:57 AM, "Ahmed Kamal" wrote:
>
>Thanks a lot Daniel! This seems to have resolved the issue. There is a
>remaining tangential issue, which you might be able to help with. So
>here I go. Unfortunately Egypt is performing DPI and seems to be
>killing the DTLS stream, so I cannot
The status value set by waitpid() needs to be manipulated using
WIFEXITED() and WEXITSTATUS() macros to be portable.
Signed-off-by: Daniel Lenski
---
gpst.c | 10 --
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/gpst.c b/gpst.c
index d09df69..a396aa6 100644
--- a/gpst.c
On Fri, Aug 17, 2018 at 7:14 AM, Corey Gilks wrote:
> All,
>
> I'm not certain if this is the appropriate place for this- if not I
> apologize! I was doing some research on generating openconnect CSD
> files and stumbled upon this discussion:
>
>
On Fri, Aug 17, 2018 at 8:22 AM, wrote:
> Hi Dan and all,
>
> today I tried to connect simulating OS and client Windows; as you can
> see, if I use --no-xmlpost the server said "AnyConnect is not enabled
> on the VPN server"; if I remove --no-xmlpost, the error remains the
> same.
Okay, that's
On Thu, Aug 23, 2018 at 8:15 AM wrote:
>
> Hello together,
>
> a few months ago I was asking for help on how to set up a
> OpenConnect-based VPN-connection with Cisco Secure Desktop in Connman.
>
> Thanks to your great advice a friend made it work yesterday! Hereby the
> VPN connection is
?
>
> I am happy to hear from you!
>
> Thanks a lot for your help!
>
> With best regards
> David
>
>
>
> On 08/23/2018 07:57 PM, Daniel Lenski wrote:
>> On Thu, Aug 23, 2018 at 8:15 AM wrote:
>>> Hello together,
>>>
>>> a few mon
On Wed, Jul 18, 2018 at 11:35 AM, Daniel Lenski wrote:
> The response here indicates some kind of error (length 0, status 1),
> and I've never seen it on a real Juniper server before.
>
> Has anyone encountered this? Is there some version of the Juniper
> NC/Pulse server
On Tue, Jul 17, 2018 at 10:45 PM, Nikos Mavrogiannopoulos
wrote:
>
> On Mon, 2018-07-16 at 16:09 -0500, Marc West wrote:
> > Hi,
> >
> > Is there a way to have the latest Cisco AnyConnect 4.6 clients use
> > ocserv with a stronger DTLS cipher than the default
> > RSA_AES_128_SHA1?
> > When the
On Aug 29, 2018 11:43 PM, "David Woodhouse" wrote:
> On Wed, 2018-08-29 at 15:13 -0400, Brandon Liles wrote:
> >
> > Read 3 bytes of SSL record
> > < : 01 00 08
> > Server response to hostname packet is error 0x08
> > Creating SSL connection failed
>
> From distant memory, that seems
On Fri, Aug 31, 2018 at 11:06 AM, Christopher Mattern wrote:
> Also, while the vopenconnect is attempting to run, a new entry gets added to
> my route table:
>
>> syscjm@ibis:~$ route
>> Kernel IP routing table
>> Destination Gateway Genmask Flags Metric RefUse
>> Iface
>>
On Wed, Sep 5, 2018 at 8:04 AM, Mike wrote:
> Hi everyone!
>
> Thanks much for Openconnect! It works great!
>
> Could you please explain to me how to get real data from
> cisco-anydisconnect vpn or its trojans to be able to replicate it to
> other machines? I want to create an "honest" csd-post.sh
still be sent in the "free-form" `os-version` field, as far as I can tell.)
Signed-off-by: Daniel Lenski
---
auth-globalprotect.c | 7 ++-
gpst.c | 6 +-
2 files changed, 3 insertions(+), 10 deletions(-)
diff --git a/auth-globalprotect.c b/auth-globalpro
Sorry, here's the forgotten Gist:
https://gist.github.com/dlenski/33bfa3a8691686d02ddaf7a51843a89a
On Tue, Sep 4, 2018 at 2:42 AM, Brandon Liles wrote:
> Client Version:
>
> Pulse Secure 5.3.4 (1183)
>
> I did install the root Fiddler MITM cert and Fiddler automatically
> creates certs on the
On Wed, Aug 29, 2018 at 6:46 PM, Brandon Liles wrote:
> Thanks very much for taking the time to look into this.
>
> Yes, I get the exact same result with 7.08 and with v7.08-125-
> g31b5c4a.
>
> Here is the output you requested:
>
> Attempting to connect to server xxx.xxx.xxx.xxx:443
> Connected
On Mon, Jul 2, 2018 at 11:52 PM, Mark Jeffrey wrote:
> Subject: Resume e-mail Search Search New folder Add e-mail account Premium
> Features Help Settings About us Slow DNS lookup causing slow web browsing
> when connected to VPN on Windows 10 (solved)
Something went slightly crazy with your
On Thu, Jul 12, 2018 at 8:23 AM, Gareth Williams
wrote:
> Using Wireshark shows that the server returns a RSK, ACK to the client's
> CLIENT HELLO message; while messages in ocserv log (jounralctl -xe) shows the
> client has disconnected unexpectedly.
Are you running Wireshark on the server or
On Thu, Jul 12, 2018 at 8:14 PM, Tegan Snyder wrote:
> Hi Dan,
>
> I also see this very same issue on OSX Sierra. Did you have any luck further
> on a fix?
Unfortunately not.
In order to resolve this, we need someone who uses and understands the
Darwin/OSX routing utilities to help figure out
On Tue, Jan 23, 2018 at 4:45 PM, David Woodhouse wrote:
> On Tue, 2018-01-23 at 19:39 -0500, James Ralston wrote:
> It isn't pretty but it can be done. Here's what I do on crappy hotel
> and airport networks, to get around the fact that $EMPLOYER forces me
> to use Ubuntu and
On Tue, Mar 6, 2018 at 11:40 AM, David Woodhouse <dw...@infradead.org> wrote:
> Thanks for tidying this up. Pushed to my gpst branch with one fixup so
> far, still reading through...
>
> On Sun, 2018-03-04 at 11:31 +0200, Daniel Lenski wrote:
>>
>> +/* simila
rather than strdup'ed) */
+ */
static const char *add_option(struct openconnect_info *vpninfo, const
char *opt, const char *val)
{
On Wed, Mar 7, 2018 at 10:01 AM, Daniel Lenski <dlen...@gmail.com> wrote:
> On Tue, Mar 6, 2018 at 11:40 AM, David Woodhouse <dw...@infradead.org
David Woodhouse wrote:
>
> Daniel Lenski wrote:
> >
> > Also, in parse_javascript(), consider an input line which looks like:
> >
> >var respMsg = ";\n
> >
> > When you set '*prompt = strndup(start, end-start-2);
> >
> > ... what is
On Tue, Apr 10, 2018 at 2:26 PM, Andy Wang wrote:
>
> Another follow up on this. Is there something I should change to get
> this considered for inclusion?
I don't know if there are any developers who have access to a Juniper
VPN with RSA soft-token in order to test this
On Wed, Apr 4, 2018 at 11:46 AM, Tyson Vinson wrote:
> I'm connecting to a VPN endpoint that uses a non-standard field name
> for the oath/totp challenge. There was a set of patches to openconnect
> here
>
On Fri, Apr 13, 2018 at 8:31 AM, Luis l wrote:
> After digging around I THINK it's a part of this?
>
> https://github.com/arthepsy/pan-globalprotect-okta/
>
> I downloaded it added the totp of that moment, removed pw to prompt me
> instead of conf and I get the below from
On Fri, Apr 13, 2018 at 11:13 AM, Charles Wise wrote:
> It shows 1322 both with and without the '-m 1322'. And now it's
> working at full speed, both with and without the '-m 1322'. I checked
> the config before and after the failures and the '-m 1322' is the only
> difference.
On Fri, Apr 13, 2018 at 5:39 AM, Charles Wise wrote:
> I'm confused as well. But it reliably fails w/o setting the explicit
> MTU in the arguments.
>
> What command(s) do I run to tell what MTU value is _really_ being
> used? This is FreeBSD 11.1-RELEASE-p7 (pfSense
On Apr 6, 2018 2:23 PM, "David Woodhouse" <dw...@infradead.org> wrote:
>On Fri, 2018-04-06 at 11:54 -0500, Daniel Lenski wrote:
>> On Fri, Apr 6, 2018 at 11:27 AM, Luis l <chel...@hotmail.com> wrote:
>> > Hi Guys, I am using the latest version of
On Thu, Apr 12, 2018 at 7:14 PM, Daniel Lenski <dlen...@gmail.com> wrote:
> On Fri, Apr 6, 2018 at 11:23 AM, David Woodhouse <dw...@infradead.org> wrote:
>> Where *are* we with merging it? I did some heckling
>> at the last round of patches as there was some str
On Thu, Apr 12, 2018 at 8:18 PM, Charles Wise wrote:
> Looks like it's the MTU. I did the - and --dump and the output
> said the MTU should be 1322 (DTLS option X-DTLS-MTU : 1322). When I
> enable DTLS and _don't_ set the MTU, I run iperf3 and the traffic
> drops to zero
On Fri, Apr 6, 2018 at 11:23 AM, David Woodhouse wrote:
> Where *are* we with merging it? I did some heckling
> at the last round of patches as there was some string allocation
> confusion, and it looked like it hadn't been run in valgrind. Did you
> give me another set after
On Thu, Apr 12, 2018 at 5:34 AM, Charles Wise wrote:
> Hello, I'm using the latest version - OpenConnect version
> v7.08-unknown - on FreeBSD ARM.
Is that big-endian or little-endian? (Have you tested on a more
conventional system, say, Linux or BSD on arm64?)
> I have to
On Wed, Apr 11, 2018 at 8:14 AM, Luis l wrote:
>
> Thank you guys, I wasn't sure where to post it so any guidance would help.
>
>
> So yes Okta / IDP = SSO = Multifactor Auth doesn't work
>
>
> I saw that in the link I pasted they get presented with it, but if it's still
> not
uot;));
> usage();
> }
> @@ -1513,7 +1519,10 @@ int main(int argc, char **argv)
> if (config_lookup_host(vpninfo, argv[optind]))
> exit(1);
>
> - if (!vpninfo->hostname) {
> + /* The last argument without a correspo
On Fri, Apr 6, 2018 at 11:27 AM, Luis l wrote:
> Hi Guys, I am using the latest version of OC w/ Palo Alto VPN …
As explained on the page for the fork with PAN GlobalProtect support
(https://github.com/dlenski/openconnect#feedback-and-troubleshooting),
you should report
On Mon, Apr 9, 2018 at 1:37 AM, Kee K Y CHEN wrote:
> Do you mind to check why X-CSTP-Split-Exclude not triggering local
> routing commands rewrite local routing table?
openconnect can read split-exclude subnets for all supported
protocols, and provides them to the routing
On Wed, Mar 7, 2018 at 11:34 AM, David Woodhouse <dw...@infradead.org> wrote:
>
>
> On Wed, 2018-03-07 at 10:01 +0200, Daniel Lenski wrote:
>> What do you prefer? Refactoring the two versions of xmlnode_get_text()
>> down to a single function, renaming the gpst.c