Getting started
Paul Floyd
paulf at free.fr
Thu Dec 10 16:19:12 EST 2009
David Woodhouse wrote:
> On Thu, 2009-12-10 at 09:45 +0100, Paul Floyd wrote:
>
>>On Windows, as far as I can tell, it's a certificate plus the AnyConnect client
>>asks for a password. I'm not sure that I can count on much help from my
>>employer, as only AnyConnect on Windows and RHEL are officially supported.
>>
>>[getting certificate]
>
>
> How do you go about getting a cert for RHEL? That's probably easier to
> deal with. I believe that the official AnyConnect client on Linux
> doesn't cope with any form of certificate storage other than
> _unencrypted_ in the user's firefox certificate store -- and you can
> just export it from there.
Hi
I haven't gotten that far yet (I have Fedora 11 on the same PC, which
ought to work).
In any case, I've figured out the jailbreak issue [I had run the mmc
plugin rather than the jailbreak exe which should run the plugin], and
so have managed to progress a bit.
Now I get this
Attempting to connect to [vpn gateway]
Enter PKCS#12 pass phrase:
SSL negotiation with [vpn gateway]
Connected to HTTPS on [vpn gateway]
GET [vpn gateway]/
Attempting to connect to [vpn gateway]
SSL negotiation with [vpn gateway]
Connected to HTTPS on [vpn gateway]
GET [vpn gateway]/+webvpn+/index.html
GET [vpn gateway]/CACHE/sdesktop/install/binaries/sfinst
Trying to run Linux CSD trojan script.
GET [vpn gateway]/+CSCOE+/sdesktop/wait.html
/tmp/csdaMaWRb: syntax error at line 3: `MARKER=$' unexpected
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET [vpn gateway]/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
[many repeats]
Error fetching HTTPS response
Here's the start of /tmp/csdaMaWRb
#!/bin/sh
#
MARKER=$((`grep -an "[B]EGIN\ ARCHIVE" $0 | cut -d ":" -f 1` + 1))
Is that some broken shell script that my company's vpn server is trying
to run on my machine? Assuming it is, then it seems to be trying to
extract a Linux or Darwin binary (only). Ho hum. I would have preferred
to use (Open)Solaris, but there's not a snowball's chance in hell that
our IT dept will bother to support it.
Now on to the Mac version. Seems to get even further, asking me for my
group/user/password.
Then
CSTP connected. DPD 10, Keepalive 300
open tun: No such file or directory
Next, I installed TunTap. Now I can connect. I get this message
add net xxx: gateway ggg [x several]
SSL_set_session() failed with old protocol version 0x100
Your OpenSSL may lack Cisco compatibility support
See http://rt.openssl.org/Ticket/Display.html?id=1751
Use the --no-dtls command line option to avoid this message
Set up DTLS failed; using SSL instead
I suppose that isn't too serious?
nslookup works, but if I run vpnclient with a hostname I get
main: unable to resolve host by name: No such file or directory (2)
When I'm not connected, my /etc/resolv.conf contains
search orange.fr
and this remains, but with my employer's domain added to the line. That
doesn't seem right to me (though perhaps harmless).
And when I disconnect
^CSend BYE packet: Client received SIGINT
route: writing to routing socket: No such process
delete net default: not in table
Thanks for the quick help so far.
A+
Paul
--
Paul Floyd http://paulf.free.fr
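The `MARKER=` line quoted above is the opening of a self-extracting shell archive: the script greps its own source for the `BEGIN ARCHIVE` line and treats everything after it as the embedded binary. As an added example (not part of the original post, and not the Cisco CSD script itself), here is that mechanism in portable POSIX sh, using expr in place of the $(( )) arithmetic that the traditional Bourne /bin/sh rejects, with a constructed sample file standing in for the sfinst file the gateway serves.

```shell
#!/bin/sh
# Added example, not code from the original post or from the CSD script.
# Shows the self-extracting trick behind the script's line 3: locate the
# "BEGIN ARCHIVE" line in the script's own source and treat every line
# after it as the embedded payload.  expr replaces the $(( )) arithmetic
# that the traditional Bourne sh does not understand.

# Print the line number of the first payload line (the line after the
# marker).  "[B]EGIN" stops this grep command from matching its own text
# when the function lives inside the file being searched.
find_marker() {
  n=$(grep -an "[B]EGIN ARCHIVE" "$1" | head -n 1 | cut -d ":" -f 1)
  [ -n "$n" ] || return 1
  expr "$n" + 1
}

# Copy everything from the first payload line onward into $2; this is the
# step an installer of this shape performs before running the binary.
extract_payload() {
  start=$(find_marker "$1") || return 1
  tail -n "+$start" "$1" > "$2"
}

# Constructed sample (not real gateway content): a two-line stub followed
# by the marker and a short payload.  Prints the path of the sample file.
make_sample() {
  dir=$(mktemp -d)
  {
    printf '#!/bin/sh\n'
    printf '# extractor stub: extract_payload "$0" /tmp/bin; exit\n'
    printf '# BEGIN ARCHIVE\n'
    printf 'payload-bytes\n'
  } > "$dir/sfinst.sh"
  printf '%s\n' "$dir/sfinst.sh"
}

# Usage: f=$(make_sample); extract_payload "$f" /tmp/payload; cat /tmp/payload
```

Running the sample prints `payload-bytes`, the content that followed the marker; a file with no marker makes find_marker return non-zero so nothing is extracted.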