[PATCH 2/2] one more patch to GP login argument handling

2017-08-15 Thread Daniel Lenski
Alexander Kurilo (https://github.com/kamazee) figured out the meaning of this one Signed-off-by: Daniel Lenski <dlen...@gmail.com> --- auth-globalprotect.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/auth-globalprotect.c b/auth-globalprotect.c index e5183c2..3

MTU estimation…

2017-08-15 Thread Daniel Lenski
David, You're certainly right with this, uh, skeptical comment on the ESP_OVERHEAD estimation in gpst.c … /* XXX: Look at set_esp_algo() and tell me again what the biggest supported IV is? */ #define ESP_OVERHEAD (4 /* SPI */ + 4 /* sequence number */ + \ 20 /* biggest

Re: MTU estimation…

2017-08-15 Thread Daniel Lenski
On Tue, Aug 15, 2017 at 11:03 AM, David Woodhouse <dw...@infradead.org> wrote: > On Tue, 2017-08-15 at 10:42 -0700, Daniel Lenski wrote: >> David, >> You're certainly right with this, uh, skeptical comment on the >> ESP_OVERHEAD estimation in gpst.c … >> &g

Re: [PATCH] fix DTLS_OVERHEAD and GlobalProtect ESP overhead calculation

2017-08-15 Thread Daniel Lenski
On Tue, Aug 15, 2017 at 12:30 PM, David Woodhouse <dw...@infradead.org> wrote: > On Tue, 2017-08-15 at 11:42 -0700, Daniel Lenski wrote: >> + mtu = ( base_mtu - UDP_HEADER_SIZE - ESP_OVERHEAD >> + - (vpninfo->hmac_key_len ? : 20) /* b

[PATCH] improved MTU calculation for GlobalProtect ESP

2017-08-16 Thread Daniel Lenski
On Wed, Aug 16, 2017 at 8:03 PM, Daniel Lenski wrote: > I believe the correct [ESP padding] algorithm is actually as follows: > > * From payload MTU, add 2 footer bytes, round *up* to a multiple of > the blocksize. Add the size of the MAC, IV, and other headers. That's

Re: [PATCH] fix DTLS_OVERHEAD and GlobalProtect ESP overhead calculation

2017-08-16 Thread Daniel Lenski
On Tue, Aug 15, 2017 at 2:17 PM, Daniel Lenski <dlen...@gmail.com> wrote: > On Tue, Aug 15, 2017 at 12:30 PM, David Woodhouse <dw...@infradead.org> >> So > from wire packet MTU, subtract headers and MAC and IV, round *down* >> to a multiple of blocksize, subt

Re: Issues running OpenConnect on an Asuswrt-Merlin router

2017-08-22 Thread Daniel Lenski
On Mon, Aug 21, 2017 at 7:31 PM, Aube, Jeremy wrote: > > I'm having issues running OpenConnect on a router I flashed with > Asuswrt-Merlin. I have a USB drive connected with Entware-ng installed, and > was able to install OpenConnect and related packages. > > The first time I

Re: [PATCH 0/4] [vpnc-script] Support for Pulse's split-exclude routes

2017-10-16 Thread Daniel Lenski
On Wed, Oct 11, 2017 at 1:39 PM, Gernot Hillier wrote: > OpenConnect already sets the according environment variables when the Pulse > gateway sends "split-exclude" routes, so we only need to handle them > in vpnc-script. > > I hope this is the right place for

Re: Can't connect with DTLS, using SSL instead

2017-09-27 Thread Daniel Lenski
On Wed, Sep 27, 2017 at 11:41 PM, Abdulla Bubshait wrote: > > I have been trying to connect to my office Cisco 800 router using openconnect. > While a VPN connection can be made it doesn't use UDP, but falls back to > TCP/SSL. > > I can connect with DTLS using the anyconnect

[PATCH] Include extra headers needed for ICMP packet-building on FreeBSD

2017-08-17 Thread Daniel Lenski
From: Brennan Hildebrand <bren...@nthroot.org> Signed-off-by: Daniel Lenski <dlen...@gmail.com> --- esp.c | 4 1 file changed, 4 insertions(+) diff --git a/esp.c b/esp.c index ae60269..7876fd5 100644 --- a/esp.c +++ b/esp.c @@ -23,6 +23,10 @@ #include #include #incl

Re: Can't connect with DTLS, using SSL instead

2017-10-04 Thread Daniel Lenski
On Thu, Sep 28, 2017 at 2:48 PM, Abdulla Bubshait wrote: > > > You should use --dump to show the complete chain of HTTPS request and > > response headers. > > Thanks for this. It seems openconnect is indeed issuing the three DTLS > lines, but nothing seems to be coming in

Re: [PATCH 0/4] [vpnc-script] Support for Pulse's split-exclude routes

2017-10-17 Thread Daniel Lenski
On Tue, Oct 17, 2017 at 12:54 AM, Gernot Hillier <gernot.hill...@siemens.com> wrote: > > Am 16.10.2017 um 20:54 schrieb Daniel Lenski: >> >> I don't have access to a VPN that provides split-exclude routes, but I >> did test your patched vpnc-script with les

Re: [PATCH] bugfix: a single SSL record can't contain >16KiB, therefore we must loop when writing a larger buffer

2017-11-29 Thread Daniel Lenski
As usual, you're right on all counts, in particular the *non-pedantic* bit about <= vs. <. Thanks! -Dan On Wed, Nov 29, 2017 at 1:32 AM, David Woodhouse wrote: > I pushed a modified version (with the loop condition changed). I > haven't actually tested it, especially at the

[PATCH] bugfix: a single SSL record can't contain >16KiB, therefore we must loop when writing a larger buffer

2017-11-29 Thread Daniel Lenski
A single SSL record can't contain >16KiB, so the HTTPS request buffer may not get fully written if it's larger than this. I discovered this frustrating bug while working on GlobalProtect HIP support, which requires sending giant blobs of XML to the gateway. Signed-off-by: Daniel Lenski &l

Re: [PATCH] bugfix: a single SSL record can't contain >16KiB, therefore we must loop when writing a larger buffer

2017-12-01 Thread Daniel Lenski
tually out of features to support. So I hope I'll succeed in just doing the cleanup very soon :-D -Dan On Wed, Nov 29, 2017 at 2:00 AM, David Woodhouse <dw...@infradead.org> wrote: > On Wed, 2017-11-29 at 01:36 -0800, Daniel Lenski wrote: >> As usual, you're right on all counts, in par

Re: [PATCH 3/3] add support for checking and submitting HIP reports

2017-12-18 Thread Daniel Lenski
On Sun, Dec 17, 2017 at 2:33 PM, Daniel Lenski <dlen...@gmail.com> wrote: > Signed-off-by: Daniel Lenski <dlen...@gmail.com> > --- > auth-globalprotect.c | 29 +--- > gpst.c| 158 +++ >

[PATCH 3/3 v2] add support for checking and submitting HIP reports

2017-12-18 Thread Daniel Lenski
containing authentication information, but exclude the volatile authcookie field which changes from session to session. Signed-off-by: Daniel Lenski <dlen...@gmail.com> --- gpst.c| 179 + hipreport.sh

Re: OpenConnect / Cisco Anyconnect.

2017-12-18 Thread Daniel Lenski
On Mon, Dec 18, 2017 at 11:37 AM, Torben Nielsen wrote: > Hi, > > I'm lost. > > Using OpenConnect to connect to a Cisco Anyconnect appliance at my hosting > provider from my 64-bit computer running Linux Mint 17 works perfectly. Trying > to do the same thing from my

[PATCH 1/3] Improve GPST/ESP not-stepping-on-toes tap dance

2017-12-17 Thread Daniel Lenski
In preparation for adding re-key support, stop misusing ssl_times.last_rekey. (This seems to fix a weird frantic mainloop-invoking bug I was running into as well.) Signed-off-by: Daniel Lenski <dlen...@gmail.com> --- gpst.c | 19 +++ mainloop.c

[PATCH 0/3] further patches to your gpst branch

2017-12-17 Thread Daniel Lenski
eport." HIP is basically GlobalProtect's CSD/TNCC equivalent; the one good thing I'll say about it is that it *doesn't* involve downloading and running a Trojan binary. -Dan Daniel Lenski (3): Improve GPST/ESP not-stepping-on-toes tap dance Add support for tunnel-based rekey for GlobalPro

[PATCH 3/3] add support for checking and submitting HIP reports

2017-12-17 Thread Daniel Lenski
Signed-off-by: Daniel Lenski <dlen...@gmail.com> --- auth-globalprotect.c | 29 +--- gpst.c| 158 +++ hipreport.sh | 182 ++ www/Makefile.am | 2 +- www/featur

[PATCH 2/3] Add support for tunnel-based rekey for GlobalProtect

2017-12-17 Thread Daniel Lenski
This simply means re-pulling the getconfig.esp tunnel configuration and thereby acquiring new ESP keys and extending the lifetime of the authentication cookie, before the elapses. Signed-off-by: Daniel Lenski <dlen...@gmail.com> --- gpst.c | 18 ++ 1 file changed, 18 inse

Re: [PATCH 2/8] add OC_FORM_OPT_FILL_{USERNAME, PASSWORD} flags to hint at purpose of a form field without requiring a specific name

2017-12-17 Thread Daniel Lenski
On Mon, Aug 14, 2017 at 12:48 PM, David Woodhouse wrote: >> > Besides... if I look in your auth-globalprotect.c it looks like you're >> > generating the field names out of thin air anyway. If you had used >> > "username" and "password" instead of "user" and "passwd" then this

Re: Bug#847135: Not fixed by 7.08

2017-12-17 Thread Daniel Lenski
On Wed, Dec 13, 2017 at 6:42 AM, David Woodhouse wrote: > On Wed, 2017-12-13 at 14:06 +0100, Adam Cecile wrote: >> Hello, >> >> >> 7.08 still have the issue. I cannot push a docker image through >> openconnect. It stalls around 50Mbytes. > > Hm, that doesn't make much sense

[PATCH] add per-protocol override for HTTP User-Agent

2017-12-17 Thread Daniel Lenski
Signed-off-by: Daniel Lenski <dlen...@gmail.com> --- http.c | 2 +- openconnect-internal.h | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/http.c b/http.c index 5307d82..2960296 100644 --- a/http.c +++ b/http.c @@ -1472,7 +1472,7 @@ void http_common_h

Re: [PATCH] add per-protocol override for HTTP User-Agent

2017-12-17 Thread Daniel Lenski
On Sun, Dec 17, 2017 at 12:21 PM, Daniel Lenski <dlen...@gmail.com> wrote: > Signed-off-by: Daniel Lenski <dlen...@gmail.com> > --- > http.c | 2 +- > openconnect-internal.h | 1 + > 2 files changed, 2 insertions(+), 1 deletion(-) > > diff --git

[PATCH 0/2] add --request-ip option

2017-12-20 Thread Daniel Lenski
to master--because the model for these changes is unclear otherwise, and because they're entirely self-contained. I did not make any corresponding changes for AnyConnect IPv6, because I don't have any way to test it right now. Daniel Lenski (2): Protocols should explicitly request the same IP

[PATCH 1/2] Protocols should explicitly request the same IPv4 address on reconnect, since they will abort if new addresses are sent by the server.

2017-12-20 Thread Daniel Lenski
of necessity, because GlobalProtect servers tend to provide different IPv4 addresses upon reconnect, after even a brief disconnection. This patch reproduces this behavior in cstp.c; I did not make the corresponding change for IPv6 because I have no way to test it. Signed-off-by: Daniel Lenski <d

[PATCH 2/2] add --request-ip option to explicitly request a specific IPv4 addresses

2017-12-20 Thread Daniel Lenski
IPv4 address. I did not implement the corresponding behavior for IPv6 because I do not have a way to test it right now. Signed-off-by: Daniel Lenski <dlen...@gmail.com> --- auth-globalprotect.c | 2 ++ cstp.c | 23 +-- gpst.c

Re: [PATCH 3/3 v2] add support for checking and submitting HIP reports

2017-12-20 Thread Daniel Lenski
On Mon, Dec 18, 2017 at 8:47 AM, Daniel Lenski <dlen...@gmail.com> wrote: > Unlike CSD, the HIP security checker runs during the connection phase, not > during the authentication phase. This is a rather vexing difference between the GlobalProtect "security theater direct

Re: --servercert option is insecure

2018-05-10 Thread Daniel Lenski
On Thu, May 10, 2018 at 4:38 AM, Ryan Taylor wrote: > > Hello, > > The manual describes the --servercert option as follows: > http://www.infradead.org/openconnect/manual.html > > "Accept server’s SSL certificate only if the provided fingerprint matches. > The allowed

Re: Unsupported version error

2018-06-03 Thread Daniel Lenski
Pretty sure I see the problem… On Sun, Jun 3, 2018 at 1:30 PM, Stephen Davies wrote: > Here is the debug output:[root@se5 ~]# openconnect - > --config=/etc/openconnect.conf --useragent="Cisco AnyConnect VPN Agent for > Windows 4.2.01035" remotehost > POST https://remotehost/vendor The

Re: Unsupported version error

2018-06-03 Thread Daniel Lenski
On Sun, Jun 3, 2018 at 4:27 AM, Stephen Davies wrote: > On 02/06/18 18:50, Daniel Lenski wrote: >> >> On Sat, Jun 2, 2018 at 11:00 AM, Stephen Davies >> wrote: > Down with paranoia! > > I love simple solutions like this but unfortunately, it did not work for me.

Re: Unsupported version error

2018-06-04 Thread Daniel Lenski
On Mon, Jun 4, 2018 at 3:17 AM, Stephen Davies wrote: > Sorry, still no joy. > > The actual value in the config file was vendor. Just to be 100% certain here. You *did* try running openconnect without `--userconfig=version`, right? What was the result? > Here is the AnyConnect client XML file

Re: vpnc-script failing to route default gateway with split-tunnel on macOS?

2018-06-04 Thread Daniel Lenski
On Sat, Jun 2, 2018 at 6:55 PM, Daniel Lenski wrote: > User's GP VPN with split tunnel: > > CISCO_CSTP_OPTIONS=split-include=1.2.3.4/32 > CISCO_DEF_DOMAIN=company.domain.com > CISCO_SPLIT_INC=3 > CISCO_SPLIT_INC_0_ADDR=10.1.0.11 > CISCO_SPLIT_INC_0_MASK=255.255.255.255 > C

[PATCH] Include --csd-wrapper script in openconnect arguments

2018-05-31 Thread Daniel Lenski
work. See check_or_submit_hip_report() in cstp.c in OpenConnect. Signed-off-by: Daniel Lenski --- src/nm-openconnect-service.c | 8 1 file changed, 8 insertions(+) diff --git a/src/nm-openconnect-service.c b/src/nm-openconnect-service.c index 77934aa..b18b1a2 100644 --- a/src/nm-openconnect

Re: --dtls-ciphers=LIST option not working

2018-06-25 Thread Daniel Lenski
On Mon, Jun 25, 2018 at 12:12 PM, Jeroen Balduyck wrote: > Hi Dan, > > I *think* I figured it out. Hopefully this post will make it to the > list (my other one for this topic is under moderation). I'm using the > info from this document: >

Re: --dtls-ciphers=LIST option not working

2018-06-25 Thread Daniel Lenski
On Sat, Jun 23, 2018 at 12:22 PM, Jeroen Balduyck wrote: > Hi > > I've been struggling to get this option to work. Wireshark reports > this cipher in the server hello: > Cipher Suite: TLS_PSK_WITH_AES_256_GCM_SHA384 (0x00a9) Are you sure that the server supports this ciphersuite for *DTLS*, as

Re: Multiple openconnect instances

2018-06-22 Thread Daniel Lenski
On Thu, Jun 21, 2018 at 9:10 PM, Jeroen Balduyck wrote: > Hi > > Can anyone tell me how to run multiple concurrent openconnect > instances? I want to establish a client connection to 3 different VPN's > at the same time and use policy based routing to a specific VPN > instance. > > Regards, >

[PATCH] Save latest ESP sequence number even if replay protection isn't in use

2018-01-07 Thread Daniel Lenski
forever. This patch tracks the latest sequence number even if ESP replay protection isn't in use -- however inadvisable that may be -- allowing the handover to work correctly. This patch also improves the confusing trace message shown when a packet from the old SPI is received. Signed-off-by: Daniel

[PATCH] make ESP rekey handle incoming packets even if ESP replay protection isn't in use

2018-01-07 Thread Daniel Lenski
if replay protection isn't enabled, right? Daniel Lenski (1): Save latest ESP sequence number even if replay protection isn't in use esp.c | 2 +- gnutls-esp.c | 2 ++ openssl-esp.c | 3 ++- 3 files changed, 5 insertions(+), 2 deletions(-)

[PATCH 07/10] Fix a really subtle bug causing 100% CPU utilization after ESP tunnel failure, and subsequent reconnect

2018-01-09 Thread Daniel Lenski
l connects, but actually calling esp_close_secret (which closes dtls_fd, unmonitors it, and sets it to -1). Signed-off-by: Daniel Lenski <dlen...@gmail.com> --- esp.c | 3 ++- gpst.c | 3 +-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/esp.c b/esp.c index 6285ff8..80

[PATCH 06/10] Improve GPST/ESP not-stepping-on-toes tap dance

2018-01-09 Thread Daniel Lenski
In preparation for adding re-key support, stop misusing ssl_times.last_rekey. (This seems to fix a weird frantic mainloop-invoking bug I was running into as well.) Signed-off-by: Daniel Lenski <dlen...@gmail.com> --- gpst.c | 20 +--- 1 file changed, 5 insertions(

[PATCH 03/10] Clean up dodgy query-string building in gpst.c

2018-01-09 Thread Daniel Lenski
the named fields into the buffer */ filter_opts(buf, vpninfo->cookie, "user,authcookie", 1); /* include=0: copy all fields except the named ones into the buffer */ filter_opts(buf, vpninfo->cookie, "authcookie,junk", 0); Signed-off-by: Daniel Lenski <dlen..

[PATCH 01/10] Unfortunately, xmlNodeGetContent can't be avoided

2018-01-09 Thread Daniel Lenski
I tested it, and see here: https://stackoverflow.com/a/10441292/20789 Signed-off-by: Daniel Lenski <dlen...@gmail.com> --- auth-globalprotect.c | 1 - 1 file changed, 1 deletion(-) diff --git a/auth-globalprotect.c b/auth-globalprotect.c index 1e7c854..0c151fe 100644 --- a/auth-globalpro

[PATCH 00/10] GPST patches, trying again

2018-01-09 Thread Daniel Lenski
, including a very subtle one that would only occur when the ESP tunnel failed and then the connection was rekeyed or restarted... and would cause CPU usage to spike. Thanks, Dan Daniel Lenski (10): Unfortunately, xmlNodeGetContent can't be avoided Add buf_append_xmlescaped() and use

[PATCH 09/10] Use ESP replay protection with GlobalProtect

2018-01-09 Thread Daniel Lenski
GlobalProtect has the strange quirk that incoming (server → client) ESP sequence numbers start at 1, not 0, but this just causes a one-time offset for the replay protection checker. Signed-off-by: Daniel Lenski <dlen...@gmail.com> --- gpst.c | 1 + 1 file changed, 1 insertion(+) diff

[PATCH 08/10] Add support for tunnel-based rekey for GlobalProtect

2018-01-09 Thread Daniel Lenski
This simply means re-pulling the getconfig.esp tunnel configuration and thereby acquiring new ESP keys and extending the lifetime of the authentication cookie, before the elapses. Signed-off-by: Daniel Lenski <dlen...@gmail.com> --- gpst.c | 18 ++ 1 file changed, 18 inse

[PATCH 04/10] Add support for checking and submitting HIP reports

2018-01-09 Thread Daniel Lenski
containing authentication information, but exclude the volatile field (which changes from session to session) and the preferred-ip field (which may not be present in all cases, or may change from session to session). Signed-off-by: Daniel Lenski <dlen...@gmail.com> --- gpst.c

[PATCH 02/10] Add buf_append_xmlescaped() and use it to build GP XML config

2018-01-09 Thread Daniel Lenski
(This also fixes a small bug in d2cbc42c, where David Woodhouse forgot to change the name of the xmlNode variable for the tag in one place) Signed-off-by: Daniel Lenski <dlen...@gmail.com> --- auth-globalprotect.c | 19 ++- http.c

Re: [PATCH] Save latest ESP sequence number even if replay protection isn't in use

2018-01-08 Thread Daniel Lenski
On Mon, Jan 8, 2018 at 12:30 AM, David Woodhouse <dw...@infradead.org> wrote: > On Sun, 2018-01-07 at 17:54 -0800, Daniel Lenski wrote: >> >> This patch tracks the latest sequence number even if ESP replay protection >> isn't in use -- however inadvisable that may

[PATCH on top of 82d4430] Smarter MTU calculation for GlobalProtect

2018-01-12 Thread Daniel Lenski
enabled and ESP keys, then we should calculate tunnel MTU based on the base/wire MTU, subtracting the IP+UDP+ESP overhead. Signed-off-by: Daniel Lenski <dlen...@gmail.com> --- gpst.c | 41 ++--- 1 file changed, 30 insertions(+), 11 deletions(-) diff

[PATCH 12/10] Check all oc_text_buf for errors (e.g. out-of-memory) before using their contents

2018-01-12 Thread Daniel Lenski
Signed-off-by: Daniel Lenski <dlen...@gmail.com> --- auth-globalprotect.c | 19 ++- gpst.c | 26 +++--- 2 files changed, 33 insertions(+), 12 deletions(-) diff --git a/auth-globalprotect.c b/auth-globalprotect.c index d3799d6..4ef37f7

[PATCH 13/10] Replace static auth form for GlobalProtect portal with a dynamic auth form

2018-01-12 Thread Daniel Lenski
(Also adds more memory-allocation checks to the portal auth form) Signed-off-by: Daniel Lenski <dlen...@gmail.com> --- auth-globalprotect.c | 64 1 file changed, 34 insertions(+), 30 deletions(-) diff --git a/auth-globalprotect.c

[PATCH 0/2] make Juniper connection start faster

2018-08-02 Thread Daniel Lenski
server versions (NCP-Version 2 and 3) and both with and without ESP enabled. It'd be great if others can test these patches and verify that they can still reliably connect to Juniper VPNs with them. Thanks, Dan Daniel Lenski (2): Reduce unnecessary connection-rebuilding for Juniper Remove fi

[PATCH 2/2] Remove first oNCP negotiation request (only second is necessary)

2018-08-02 Thread Daniel Lenski
, one of which returns "NCP-Version: 2" and one which returns "NCP-Version: 3" in response to the oNCP negotiation requests. Removing the first request saves an additional TLS negotiation (2-3 roundtrips with TLS 1.0) and allows the connection to start faster. Signed-o

Re: Why: Setup DTLS failed; using SSL instead

2018-07-29 Thread Daniel Lenski
On Fri, Jul 27, 2018 at 11:20 AM, Ahmed Kamal wrote: > > Thanks for the info. Really appreciating your help! I wish more and > more privacy software, would focus a bit more on censorship > resistance. Without it, users who most deeply need the privacy > features, are not getting it. Although I

Re: Preparing for OpenConnect 8.0 release

2018-07-26 Thread Daniel Lenski
On Fri, Jun 15, 2018 at 8:24 PM, Ralph Schmieder wrote: > just wanted to chime in and offer some help (if needed) in providing > ASA VPN head ends that could do IPv6 if that would be useful. It would > be low-bandwidth and tunneled to get to it but that should not really > matter... would it? But

Re: Openconnect and old gnutls on Ubuntu 14.04

2018-07-26 Thread Daniel Lenski
On Wed, Jul 25, 2018, 1:03 PM Steve Langasek wrote: > > Generally speaking, packages which need to be updated in order to remain > > compatible with changes to protocols on the Internet at large (such as in > this case, changes to the baseline TLS version that clients must negotiate > in order to

Re: LZS decompression failed: File too large

2018-07-31 Thread Daniel Lenski
On Tue, Jul 31, 2018 at 5:32 AM, Jeroen Balduyck wrote: > On Opnsense (Freebsd) I'm running Openconnect in client mode. I get > this unusual error: > > LZS decompression failed: File too large. openconnect --compression=none should provide an immediate workaround, by disabling compression of

Re: LZS decompression failed: File too large

2018-07-31 Thread Daniel Lenski
David, This looks like a very similar issue to the one from Juniper oNCP where packets sometimes arrive that are larger than the negotiated MTU. Patch was "Do not drop vpn connection if packet arrived is larger than MTU":

[PATCH 1/2] Tolerate packets that are larger than negotiated MTU after decompression

2018-07-31 Thread Daniel Lenski
ch extends that approach to tolerate compressed packets which are larger than the negotiated MTU after decompression. Signed-off-by: Daniel Lenski --- cstp.c | 12 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/cstp.c b/cstp.c index 5477c5c..c131198 100644 --- a/cstp.c ++

[PATCH 2/2] Align naming and commenting of mechanism for receiving oversize packets across protocols

2018-07-31 Thread Daniel Lenski
84 is the maximum TLS record size. 4) Use receive_mtu = MAX(2048, vpninfo->vpninfo->ip_info.mtu + 256) for all UDP-based tunnels, because the MTU of IP datagrams on the public internet is effectively ~1500. Signed-off-by: Daniel Lenski --- cstp.c | 11 +++ esp.c | 6 +++

Re: Why: Setup DTLS failed; using SSL instead

2018-07-26 Thread Daniel Lenski
et me know if anything else is needed to debug this. Thanks > > On Thu, Jul 26, 2018 at 4:29 AM Daniel Lenski wrote: >> >> On Jul 25, 2018 4:12 PM, "Ahmed Kamal" >> wrote: >> > >> > Hello folks, >> > >> > I'm trying to co

Re: Why: Setup DTLS failed; using SSL instead

2018-07-27 Thread Daniel Lenski
On Jul 27, 2018 9:57 AM, "Ahmed Kamal" wrote: > >Thanks a lot Daniel! This seems to have resolved the issue. There is a >remaining tangential issue, which you might be able to help with. So >here I go. Unfortunately Egypt is performing DPI and seems to be >killing the DTLS stream, so I cannot

[PATCH 6/5] Use waitpid() in a portable fashion

2018-08-06 Thread Daniel Lenski
The status value set by waitpid() needs to be manipulated using WIFEXITED() and WEXITSTATUS() macros to be portable. Signed-off-by: Daniel Lenski --- gpst.c | 10 -- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/gpst.c b/gpst.c index d09df69..a396aa6 100644 --- a/gpst.c

Re: Automatically generate OpenConnect CSD

2018-08-17 Thread Daniel Lenski
On Fri, Aug 17, 2018 at 7:14 AM, Corey Gilks wrote: > All, > > I'm not certain if this is the appropriate place for this- if not I > apologize! I was doing some research on generating openconnect CSD > files and stumbled upon this discussion: > >

Re: Authentication type EAP-Anyconnect

2018-08-17 Thread Daniel Lenski
On Fri, Aug 17, 2018 at 8:22 AM, wrote: > Hi Dan and all, > > today i tried to connect simulating os and client Windows, how you can > see, if i use --no-xmlpost the server said "AnyConnect is not enabled > on the VPN server", if i remove --no-xmlpost, the error remains the > same. Okay, that's

Re: OpenConnect VPN connection always fails after a few hours of successful usage

2018-08-23 Thread Daniel Lenski
On Thu, Aug 23, 2018 at 8:15 AM wrote: > > Hello together, > > a few months ago I was asking for help on how to set up a > OpenConnect-based VPN-connection with Cisco Secure Desktop in Connman. > > Thanks to your great advices a friend made it work yesterday! Hereby the > VPN connection is

Re: OpenConnect VPN connection always fails after a few hours of successful usage

2018-08-23 Thread Daniel Lenski
? > > I am happy to hear from you! > > Thanks a lot for your help! > > With best regards > David > > > > On 08/23/2018 07:57 PM, Daniel Lenski wrote: >> On Thu, Aug 23, 2018 at 8:15 AM wrote: >>> Hello together, >>> >>> a few mon

Re: Unexpected error response to Juniper hostname packet

2018-07-18 Thread Daniel Lenski
On Wed, Jul 18, 2018 at 11:35 AM, Daniel Lenski wrote: > The response here indicates some kind of error (length 0, status 1), > and I've never seen it on a real Juniper server before. > > Has anyone encountered this? Is there some version of the Juniper > NC/Pulse server

Re: ocserv AnyConnect DTLS cipher

2018-07-18 Thread Daniel Lenski
On Tue, Jul 17, 2018 at 10:45 PM, Nikos Mavrogiannopoulos wrote: > > On Mon, 2018-07-16 at 16:09 -0500, Marc West wrote: > > Hi, > > > > Is there a way to have the latest Cisco AnyConnect 4.6 clients use > > ocserv with a stronger DTLS cipher than the default > > RSA_AES_128_SHA1? > > When the

Re: Connecting to Pulse Secure results in SSL

2018-08-30 Thread Daniel Lenski
On Aug 29, 2018 11:43 PM, "David Woodhouse" wrote: > On Wed, 2018-08-29 at 15:13 -0400, Brandon Liles wrote: > > > > Read 3 bytes of SSL record > > < : 01 00 08 > > Server response to hostname packet is error 0x08 > > Creating SSL connection failed > > From distant memory, that seems

Re: Problems with client in Ubuntu Linux.

2018-08-31 Thread Daniel Lenski
On Fri, Aug 31, 2018 at 11:06 AM, Christopher Mattern wrote: > Also, while the vopenconnect is attempting to run, a new entry gets added to > my route table: > >> syscjm@ibis:~$ route >> Kernel IP routing table >> Destination Gateway Genmask Flags Metric RefUse >> Iface >>

Re: How to get csd-post.sh data

2018-09-05 Thread Daniel Lenski
On Wed, Sep 5, 2018 at 8:04 AM, Mike wrote: > Hi everyone! > > Thanks much for Openconnect! It works great! > > Could you please explain me how to get real data from > cisco-anydisconnect vpn or its trojans to be able to replicate it to > other machines? I want to create an "honest" csd-post.sh

[PATCH] GlobalProtect: always set clientos=Windows in relevant requests, regardless of actual OS

2018-09-04 Thread Daniel Lenski
still be sent in the "free-form" `os-version` field, as far as I can tell.) Signed-off-by: Daniel Lenski --- auth-globalprotect.c | 7 ++- gpst.c | 6 +- 2 files changed, 3 insertions(+), 10 deletions(-) diff --git a/auth-globalprotect.c b/auth-globalpro

Re: error 0x08 in response to Juniper vestigial auth packet (was: Connecting to Pulse Secure results in SSL)

2018-09-04 Thread Daniel Lenski
Sorry, here's the forgotten Gist: https://gist.github.com/dlenski/33bfa3a8691686d02ddaf7a51843a89a On Tue, Sep 4, 2018 at 2:42 AM, Brandon Liles wrote: > Client Version: > > Pulse Secure 5.3.4 (1183) > > I did install the root Fiddler MITM cert and Fiddler automatically > creates certs on the

Re: Connecting to Pulse Secure results in SSL

2018-08-29 Thread Daniel Lenski
On Wed, Aug 29, 2018 at 6:46 PM, Brandon Liles wrote: > Thanks very much for taking the time to look into this. > > Yes, I get the exact same result with 7.08 and with v7.08-125- > g31b5c4a. > > Here is the output you requested: > > Attempting to connect to server xxx.xxx.xxx.xxx:443 > Connected

Re: Slow DNS lookup causing slow web browsing when connected to VPN on Windows 10 (solved)

2018-07-04 Thread Daniel Lenski
On Mon, Jul 2, 2018 at 11:52 PM, Mark Jeffrey wrote: > Subject: Resume e-mail Search Search New folder Add e-mail account Premium > Features Help Settings About us Slow DNS lookup causing slow web browsing > when connected to VPN on Windows 10 (solved) Something went slightly crazy with your

Re: Failed Connection over Mobile (Cellular) Networks

2018-07-12 Thread Daniel Lenski
On Thu, Jul 12, 2018 at 8:23 AM, Gareth Williams wrote: > Using Wireshark shows that the server returns a RST, ACK to the client's > CLIENT HELLO message; while messages in ocserv log (journalctl -xe) show the > client has disconnected unexpectedly. Are you running Wireshark on the server or

Re: Re: vpnc-script failing to route default gateway with split-tunnel on macOS?

2018-07-13 Thread Daniel Lenski
On Thu, Jul 12, 2018 at 8:14 PM, Tegan Snyder wrote: > Hi Dan, > > I also see this very same issue on OSX Sierra. Did you have any luck further > on a fix? Unfortunately not. In order to resolve this, we need someone who uses and understands the Darwin/OSX routing utilities to help figure out

Re: openconnect derailed by Pulse pre sign-in notification?

2018-01-23 Thread Daniel Lenski
On Tue, Jan 23, 2018 at 4:45 PM, David Woodhouse wrote: > On Tue, 2018-01-23 at 19:39 -0500, James Ralston wrote: > It isn't pretty but it can be done. Here's what I do on crappy hotel > and airport networks, to get around the fact that $EMPLOYER forces me > to use Ubuntu and

Re: [PATCH 2/5] add PAN GlobalProtect protocol support (HTTPS tunnel only)

2018-03-07 Thread Daniel Lenski
On Tue, Mar 6, 2018 at 11:40 AM, David Woodhouse <dw...@infradead.org> wrote: > Thanks for tidying this up. Pushed to my gpst branch with one fixup so > far, still reading through... > > On Sun, 2018-03-04 at 11:31 +0200, Daniel Lenski wrote: >> >> +/* simila

Re: [PATCH 2/5] add PAN GlobalProtect protocol support (HTTPS tunnel only)

2018-03-07 Thread Daniel Lenski
rather than strdup'ed) */ + */ static const char *add_option(struct openconnect_info *vpninfo, const char *opt, const char *val) { On Wed, Mar 7, 2018 at 10:01 AM, Daniel Lenski <dlen...@gmail.com> wrote: > On Tue, Mar 6, 2018 at 11:40 AM, David Woodhouse <dw...@infradead.org

[PATCH to fix my PATCH 2/5] fix a bug by which a malicious "GlobalProtect JavaScript mess" could cause a buffer overflow

2018-03-07 Thread Daniel Lenski
David Woodhouse wrote: > > Daniel Lenski wrote: > > > > Also, in parse_javascript(), consider an input line which looks like: > > > >var respMsg = ";\n > > > > When you set '*prompt = strndup(start, end-start-2); > > > > ... what is

Re: [PATCH] Fix stoken support for Juniper VPN

2018-04-10 Thread Daniel Lenski
On Tue, Apr 10, 2018 at 2:26 PM, Andy Wang wrote: > > Another follow up on this. Is there something I should change to get > this considered for inclusion? I don't know if there are any developers who have access to a Juniper VPN with RSA soft-token in order to test this

Re: [HELP] Option for token-field

2018-04-05 Thread Daniel Lenski
On Wed, Apr 4, 2018 at 11:46 AM, Tyson Vinson wrote: > I'm connecting to a VPN endpoint that uses a non-standard field name > for the oath/totp challenge. There was a set of patches to openconnect > here >

Re: Openconnect - Palo Alto - Okta SSO / MFA

2018-04-13 Thread Daniel Lenski
On Fri, Apr 13, 2018 at 8:31 AM, Luis l wrote: > After digging around i THINK its a part of this? > > https://github.com/arthepsy/pan-globalprotect-okta/ > > I downloaded it added the totp of that moment, removed pw to prompt me > instead of conf and i get the below from

Re: Unknown DTLS packets

2018-04-13 Thread Daniel Lenski
On Fri, Apr 13, 2018 at 11:13 AM, Charles Wise wrote: > It shows 1322 both with and without the '-m 1322'. And now it's > working at full speed, both with and without the '-m 1322'. I checked > the config before and after the failures and the '-m 1322' is the only > difference.

Re: Unknown DTLS packets

2018-04-13 Thread Daniel Lenski
On Fri, Apr 13, 2018 at 5:39 AM, Charles Wise wrote: > I'm confused as well. But it reliably fails w/o setting the explicit > MTU in the arguments. > > What command(s) do I run to tell what MTU value is _really_ being > used? This is FreeBSD 11.1-RELEASE-p7 (pfSense

Re: Openconnect - Palo Alto - Okta SSO / MFA

2018-04-09 Thread Daniel Lenski
On Apr 6, 2018 2:23 PM, "David Woodhouse" <dw...@infradead.org> wrote: >On Fri, 2018-04-06 at 11:54 -0500, Daniel Lenski wrote: >> On Fri, Apr 6, 2018 at 11:27 AM, Luis l <chel...@hotmail.com> wrote: >> > Hi Guys, I am using the latests version of

Re: Openconnect - Palo Alto - Okta SSO / MFA

2018-04-12 Thread Daniel Lenski
On Thu, Apr 12, 2018 at 7:14 PM, Daniel Lenski <dlen...@gmail.com> wrote: > On Fri, Apr 6, 2018 at 11:23 AM, David Woodhouse <dw...@infradead.org> wrote: >> Where *are* we with merging it? I did some heckling >> at the last round of patches as there was some str

Re: Unknown DTLS packets

2018-04-12 Thread Daniel Lenski
On Thu, Apr 12, 2018 at 8:18 PM, Charles Wise wrote: > Looks like it's the MTU. I did the - and --dump and the output > said the MTU should be 1322 (DTLS option X-DTLS-MTU : 1322). When I > enable DTLS and _don't_ set the MTU, I run iperf3 and the traffic > drops to zero

Re: Openconnect - Palo Alto - Okta SSO / MFA

2018-04-12 Thread Daniel Lenski
On Fri, Apr 6, 2018 at 11:23 AM, David Woodhouse wrote: > Where *are* we with merging it? I did some heckling > at the last round of patches as there was some string allocation > confusion, and it looked like it hadn't been run in valgrind. Did you > give me another set after

Re: Unknown DTLS packets

2018-04-12 Thread Daniel Lenski
On Thu, Apr 12, 2018 at 5:34 AM, Charles Wise wrote: > Hello, I'm using the latest version - OpenConnect version > v7.08-unknown - on FreeBSD ARM. Is that big-endian or little-endian? (Have you tested on a more conventional system, say, Linux or BSD on arm64?) > I have to

Re: Openconnect - Palo Alto - Okta SSO / MFA

2018-04-12 Thread Daniel Lenski
On Wed, Apr 11, 2018 at 8:14 AM, Luis l wrote: > > Thank you guys, I wasn't sure where to post it, so any guidance would help. > > > So yes Okta / IDP = SSO = Multifactor Auth doesn't work > > > I saw that in the link I pasted they get presented with it, but if it's still > not

Re: [PATCH v2] Allow specifying server in configuration file

2018-04-12 Thread Daniel Lenski
uot;)); > usage(); > } > @@ -1513,7 +1519,10 @@ int main(int argc, char **argv) > if (config_lookup_host(vpninfo, argv[optind])) > exit(1); > > - if (!vpninfo->hostname) { > + /* The last argument without a correspo
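Review bot: in the hunk at @@ -1513,7 +1519,10 @@, the unchanged `if (config_lookup_host(vpninfo, argv[optind])) exit(1);` still runs ahead of the replaced `if (!vpninfo->hostname)` check; since the point of this patch is to let the server come from the configuration file when no positional argument is given, confirm that this call sits under an `optind < argc` guard (argv[optind] is NULL once all options are consumed) and that the new comment block states which value wins when both a config-file server and a positional argument are supplied.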

Re: Openconnect - Palo Alto - Okta SSO / MFA

2018-04-06 Thread Daniel Lenski
On Fri, Apr 6, 2018 at 11:27 AM, Luis l wrote: > Hi Guys, I am using the latest version of OC w/ Palo Alto VPN … As explained on the page for the fork with PAN GlobalProtect support (https://github.com/dlenski/openconnect#feedback-and-troubleshooting), you should report

Re: no-route a.k.a X-CSTP-Split-Exclude configure on ocserv not working with openconnect cli/gui

2018-04-10 Thread Daniel Lenski
On Mon, Apr 9, 2018 at 1:37 AM, Kee K Y CHEN wrote: > Do you mind checking why X-CSTP-Split-Exclude is not triggering local > routing commands to rewrite the local routing table? openconnect can read split-exclude subnets for all supported protocols, and provides them to the routing

Re: [PATCH 2/5] add PAN GlobalProtect protocol support (HTTPS tunnel only)

2018-04-12 Thread Daniel Lenski
On Wed, Mar 7, 2018 at 11:34 AM, David Woodhouse <dw...@infradead.org> wrote: > > > On Wed, 2018-03-07 at 10:01 +0200, Daniel Lenski wrote: >> What do you prefer? Refactoring the two versions of xmlnode_get_text() >> down to a single function, renaming the gpst.c
