Open Connect Server Configuration (Working for iOS)

By @sskaje
Link: https://sskaje.me/2014/04/open-connect-server-configuration-working-ios/

Working for iOS only, but for OSX, (Cisco AnyConnect Client for OS X 3.1.05160), captive portal is detected.
‘Web Authentication Required’ and error log like

Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: compareEKUs File: ../../vpn/CommonCrypt/Certificates/VerifyExtKeyUsage.cpp Line: 330 EKU not found in certificate: 1.3.6.1.5.5.7.3.2
Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: Verify File: ../../vpn/CommonCrypt/Certificates/VerifyExtKeyUsage.cpp Line: 100 Extended key usage verification failed
Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: VerifyExtKeyUsage File: ../../vpn/CommonCrypt/Certificates/OpenSSLCertUtils.cpp Line: 1163 Invoked Function: CVerifyExtKeyUsage::Verify Return Code: -31391722 (0xFE210016) Description: CERTIFICATE_ERROR_VERIFY_ENHKEYUSAGE_FAILED:The certificate did not contain the required Extended Key Usages 
Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: VerifyExtKeyUsage File: ../../vpn/CommonCrypt/Certificates/OpenSSLCertificate.cpp Line: 2164 Invoked Function: COpenSSLCertUtils::VerifyExtKeyUsage Return Code: -31391722 (0xFE210016) Description: CERTIFICATE_ERROR_VERIFY_ENHKEYUSAGE_FAILED:The certificate did not contain the required Extended Key Usages 
Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: getCertList File: ../../vpn/Api/ApiCert.cpp Line: 324 Number of certificates found: 3
Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: setConnectionData File: ../../vpn/Api/ConnectMgr.cpp Line: 1871 Certificate retrieved from preferences: Subject Name: CN=com.apple.idms.appleid.prd.41665a636f64723171575536774a574464536a697a513d3d Issuer Name : C=US, O=Apple Inc., OU=Apple Certification Authority, CN=Apple Application Integration Certification Authority Store : Mac Keychain User
Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Message type information sent to the user: Contacting vpn.sskaje.me:443.
Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Initiating VPN connection to the secure gateway https://vpn.sskaje.me:443
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: TestNetEnv File: ../../vpn/Agent/NetEnvironment.cpp Line: 370 Captive portal detected. Retesting connectivity to the secure gateway in 10 seconds.
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Using default preferences. Some settings (e.g. certificate matching) may not function as expected if a local profile is expected to be used. Verify that the selected host is in the server list section of the profile and that the profile is configured on the secure gateway.
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: processConnectNotification File: ../../vpn/Agent/MainThread.cpp Line: 11572 Received connect notification (host vpn.sskaje.me:443, profile N/A)
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: respondToConnectNotification File: ../../vpn/Agent/MainThread.cpp Line: 4813 The requested VPN connection to vpn.sskaje.me:443 is not possible at this time (Captive Portal needs to be remediated).
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Message type warning sent to the user: Connection attempt has failed.
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: processIfcData File: ../../vpn/Api/ConnectMgr.cpp Line: 2641 Content type (unknown) received. Response type (Captive Portal detected) from openconnect.sskaje.me: Captive Portal detected
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: showConnectError File: ../../vpn/Api/ConnectMgr.cpp Line: 5511 Attempt to connect failed when Agent detected a network issue.
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Message type error sent to the user: The service provider in your current location is restricting access to the Internet. You need to log on with the service provider before you can establish a VPN session. You can try this by visiting any website with your browser.
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: connect File: ../../vpn/Api/ConnectMgr.cpp Line: 2053 ConnectMgr::processIfcData failed
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: initiateConnect File: ../../vpn/Api/ConnectMgr.cpp Line: 1181 Connection failed.
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: VPN state: Disconnected Network state: Web Authentication Required Network control state: Network Access: Available Network type: Undefined
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: OnIpcMessageReceivedAtDepot File: ../../vpn/Agent/MainThread.cpp Line: 4234 Received connect failure notification (host vpn.sskaje.me:443, profile N/A)
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: run File: ../../vpn/Api/ConnectMgr.cpp Line: 674 Invoked Function: ConnectMgr::initiateConnect Return Code: -29622263 (0xFE3C0009) Description: CONNECTMGR_ERROR_UNEXPECTED 
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: GetPrimaryInterfaceIndex File: ../../vpn/Common/Utility/NetInterface_unix.cpp Line: 422 Unable to get global IPv6 information from system configuration.
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: determinePublicAddrCandidateFromDefRoute File: ../../vpn/AgentUtilities/HostConfigMgr.cpp Line: 1769 Invoked Function: CHostConfigMgr::FindDefaultRouteInterface Return Code: -24117215 (0xFE900021) Description: ROUTETABLE_ERROR_GETBESTROUTE_FAILED 
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: updatePotentialPublicAddresses File: ../../vpn/AgentUtilities/HostConfigMgr.cpp Line: 1914 Invoked Function: CHostConfigMgr::determinePublicAddrCandidateFromDefRoute Return Code: -24117215 (0xFE900021) Description: ROUTETABLE_ERROR_GETBESTROUTE_FAILED

Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: compareEKUs File: ../../vpn/CommonCrypt/Certificates/VerifyExtKeyUsage.cpp Line: 330 EKU not found in certificate: 1.3.6.1.5.5.7.3.2

Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: Verify File: ../../vpn/CommonCrypt/Certificates/VerifyExtKeyUsage.cpp Line: 100 Extended key usage verification failed

Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: VerifyExtKeyUsage File: ../../vpn/CommonCrypt/Certificates/OpenSSLCertUtils.cpp Line: 1163 Invoked Function: CVerifyExtKeyUsage::Verify Return Code: -31391722 (0xFE210016) Description: CERTIFICATE_ERROR_VERIFY_ENHKEYUSAGE_FAILED:The certificate did not contain the required Extended Key Usages

Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: VerifyExtKeyUsage File: ../../vpn/CommonCrypt/Certificates/OpenSSLCertificate.cpp Line: 2164 Invoked Function: COpenSSLCertUtils::VerifyExtKeyUsage Return Code: -31391722 (0xFE210016) Description: CERTIFICATE_ERROR_VERIFY_ENHKEYUSAGE_FAILED:The certificate did not contain the required Extended Key Usages

Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: getCertList File: ../../vpn/Api/ApiCert.cpp Line: 324 Number of certificates found: 3

Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: setConnectionData File: ../../vpn/Api/ConnectMgr.cpp Line: 1871 Certificate retrieved from preferences: Subject Name: CN=com.apple.idms.appleid.prd.41665a636f64723171575536774a574464536a697a513d3d Issuer Name : C=US, O=Apple Inc., OU=Apple Certification Authority, CN=Apple Application Integration Certification Authority Store : Mac Keychain User

Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Message type information sent to the user: Contacting vpn.sskaje.me:443.

Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Initiating VPN connection to the secure gateway https://vpn.sskaje.me:443

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: TestNetEnv File: ../../vpn/Agent/NetEnvironment.cpp Line: 370 Captive portal detected. Retesting connectivity to the secure gateway in 10 seconds.

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Using default preferences. Some settings (e.g. certificate matching) may not function as expected if a local profile is expected to be used. Verify that the selected host is in the server list section of the profile and that the profile is configured on the secure gateway.

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: processConnectNotification File: ../../vpn/Agent/MainThread.cpp Line: 11572 Received connect notification (host vpn.sskaje.me:443, profile N/A)

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: respondToConnectNotification File: ../../vpn/Agent/MainThread.cpp Line: 4813 The requested VPN connection to vpn.sskaje.me:443 is not possible at this time (Captive Portal needs to be remediated).

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Message type warning sent to the user: Connection attempt has failed.

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: processIfcData File: ../../vpn/Api/ConnectMgr.cpp Line: 2641 Content type (unknown) received. Response type (Captive Portal detected) from openconnect.sskaje.me: Captive Portal detected

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: showConnectError File: ../../vpn/Api/ConnectMgr.cpp Line: 5511 Attempt to connect failed when Agent detected a network issue.

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Message type error sent to the user: The service provider in your current location is restricting access to the Internet. You need to log on with the service provider before you can establish a VPN session. You can try this by visiting any website with your browser.

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: connect File: ../../vpn/Api/ConnectMgr.cpp Line: 2053 ConnectMgr::processIfcData failed

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: initiateConnect File: ../../vpn/Api/ConnectMgr.cpp Line: 1181 Connection failed.

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: VPN state: Disconnected Network state: Web Authentication Required Network control state: Network Access: Available Network type: Undefined

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: OnIpcMessageReceivedAtDepot File: ../../vpn/Agent/MainThread.cpp Line: 4234 Received connect failure notification (host vpn.sskaje.me:443, profile N/A)

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: run File: ../../vpn/Api/ConnectMgr.cpp Line: 674 Invoked Function: ConnectMgr::initiateConnect Return Code: -29622263 (0xFE3C0009) Description: CONNECTMGR_ERROR_UNEXPECTED

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: GetPrimaryInterfaceIndex File: ../../vpn/Common/Utility/NetInterface_unix.cpp Line: 422 Unable to get global IPv6 information from system configuration.

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: determinePublicAddrCandidateFromDefRoute File: ../../vpn/AgentUtilities/HostConfigMgr.cpp Line: 1769 Invoked Function: CHostConfigMgr::FindDefaultRouteInterface Return Code: -24117215 (0xFE900021) Description: ROUTETABLE_ERROR_GETBESTROUTE_FAILED

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: updatePotentialPublicAddresses File: ../../vpn/AgentUtilities/HostConfigMgr.cpp Line: 1914 Invoked Function: CHostConfigMgr::determinePublicAddrCandidateFromDefRoute Return Code: -24117215 (0xFE900021) Description: ROUTETABLE_ERROR_GETBESTROUTE_FAILED

OpenConnect on Ubuntu
Generate Certificate with GnuTLS and Sign with OpenSSL

/opt/ocserv/etc/config

# User authentication method. Could be set multiple times and in that case
# all should succeed.
# Options: certificate, pam. 
#auth = "certificate"
auth = "plain[/opt/ocserv/etc/passwd]"
#auth = "pam"

# The plain option requires specifying a password file which contains
# entries of the following format.
# "username:groupname:encoded-password"
# One entry must be listed per line, and 'ocpasswd' can be used
# to generate password entries.
#auth = "plain[/etc/ocserv/ocpasswd]"

# A banner to be displayed on clients
#banner = "Welcome"

# Use listen-host to limit to specific IPs or to the IPs of a provided 
# hostname.
#listen-host = [IP|HOSTNAME]

# Limit the number of clients. Unset or set to zero for unlimited.
#max-clients = 1024
max-clients = 16

# Limit the number of client connections to one every X milliseconds 
# (X is the provided value). Set to zero for no limit.
#rate-limit-ms = 100

# Limit the number of identical clients (i.e., users connecting 
# multiple times). Unset or set to zero for unlimited.
max-same-clients = 0

# TCP and UDP port number
tcp-port = 443
udp-port = 443

# Keepalive in seconds
keepalive = 32400

# Dead peer detection in seconds.
dpd = 240

# Dead peer detection for mobile clients. The needs to
# be much higher to prevent such clients being awaken too 
# often by the DPD messages, and save battery.
# (clients that send the X-AnyConnect-Identifier-DeviceType)
mobile-dpd = 1800

# MTU discovery (DPD must be enabled)
try-mtu-discovery = false

# The key and the certificates of the server
# The key may be a file, or any URL supported by GnuTLS (e.g., 
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
# or pkcs11:object=my-vpn-key;object-type=private)
#
# There may be multiple certificate and key pairs and each key
# should correspond to the preceding certificate.
server-cert = /opt/ocserv/etc/server-cert.pem
server-key = /opt/ocserv/etc/server-key.pem

# Diffie-Hellman parameters. Only needed if you require support
# for the DHE ciphersuites (by default this server supports ECDHE).
# Can be generated using:
# certtool --generate-dh-params --outfile /path/to/dh.pem
#dh-params = /path/to/dh.pem

# If you have a certificate from a CA that provides an OCSP
# service you may provide a fresh OCSP status response within
# the TLS handshake. That will prevent the client from connecting
# independently on the OCSP server.
# You can update this response periodically using:
# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
# Make sure that you replace the following file in an atomic way.
#ocsp-response = /path/to/ocsp.der

# In case PKCS #11 or TPM keys are used the PINs should be available
# in files. The srk-pin-file is applicable to TPM keys only, and is the 
# storage root key.
#pin-file = /path/to/pin.txt
#srk-pin-file = /path/to/srkpin.txt

# The Certificate Authority that will be used to verify
# client certificates (public keys) if certificate authentication
# is set.
ca-cert = /opt/ocserv/etc/cacert.pem

# The object identifier that will be used to read the user ID in the client 
# certificate. The object identifier should be part of the certificate's DN
# Useful OIDs are: 
#  CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
#cert-user-oid = 0.9.2342.19200300.100.1.1

# The object identifier that will be used to read the user group in the 
# client  certificate. The object identifier should be part of the certificate's
# DN. Useful OIDs are: 
#  OU (organizational unit) = 2.5.4.11 
#cert-group-oid = 2.5.4.11

# The revocation list of the certificates issued by the 'ca-cert' above.
crl = /opt/ocserv/etc/crl.pem

# GnuTLS priority string
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"

# To enforce perfect forward secrecy (PFS) on the main channel.
#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"

# The time (in seconds) that a client is allowed to stay connected prior
# to authentication
auth-timeout = 40

# The time (in seconds) that a client is allowed to stay idle (no traffic)
# before being disconnected. Unset to disable.
#idle-timeout = 1200

# The time (in seconds) that a mobile client is allowed to stay idle (no
# traffic) before being disconnected. Unset to disable.
#mobile-idle-timeout = 2400

# The time (in seconds) that a client is not allowed to reconnect after 
# a failed authentication attempt.
#min-reauth-time = 2

# Cookie validity time (in seconds)
# Once a client is authenticated he's provided a cookie with
# which he can reconnect. This option sets the maximum lifetime
# of that cookie.
cookie-validity = 86400

# ReKey time (in seconds)
# ocserv will ask the client to refresh keys periodically once
# this amount of seconds is elapsed. Set to zero to disable.
rekey-time = 172800

# ReKey method
# Valid options: ssl, new-tunnel
#  ssl: Will perform an efficient rehandshake on the channel allowing
#       a seamless connection during rekey.
#  new-tunnel: Will instruct the client to discard and re-establish the channel.
#       Use this option only if the connecting clients have issues with the ssl
#       option.
rekey-method = ssl

# Script to call when a client connects and obtains an IP
# Parameters are passed on the environment.
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client), 
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
# ID (a unique numeric ID); REASON may be "connect" or "disconnect".
#connect-script = /usr/bin/myscript
#disconnect-script = /usr/bin/myscript

# UTMP
use-utmp = true

# D-BUS usage. If disabled occtl tool cannot be used. If enabled
# then ocserv must have access to register org.infradead.ocserv
# D-BUS service. See doc/dbus/org.infradead.ocserv.conf
use-dbus = true

# PID file. It can be overriden in the command line.
pid-file = /var/run/ocserv.pid

# The default server directory. Does not require any devices present.
#chroot-dir = /path/to/chroot

# socket file used for IPC, will be appended with .PID
# It must be accessible within the chroot environment (if any)
socket-file = /var/run/ocserv-socket

# The user the worker processes will be run as. It should be
# unique (no other services run as this user).
run-as-user = nobody
run-as-group = daemon

# Set the protocol-defined priority (SO_PRIORITY) for packets to
# be sent. That is a number from 0 to 6 with 0 being the lowest
# priority. Alternatively this can be used to set the IP Type-
# Of-Service, by setting it to a hexadecimal number (e.g., 0x20).
# This can be set per user/group or globally.
#net-priority = 3

# Set the VPN worker process into a specific cgroup. This is Linux
# specific and can be set per user/group or globally.
#cgroup = "cpuset,cpu:test"

#
# Network settings
#

# The name of the tun device
device = vpns

# The default domain to be advertised
default-domain = example.com

# The pool of addresses that leases will be given from.
ipv4-network = 192.168.122.0
ipv4-netmask = 255.255.255.0

# The advertized DNS server. Use multiple lines for
# multiple servers.
# dns = fc00::4be0
#dns = 192.168.1.2
dns = 8.8.8.8

# The NBNS server (if any)
#nbns = 192.168.1.3

# The IPv6 subnet that leases will be given from.
#ipv6-network = fc00::
#ipv6-prefix = 16

# The domains over which the provided DNS should be used. Use
# multiple lines for multiple domains.
#split-dns = example.com

# Prior to leasing any IP from the pool ping it to verify that
# it is not in use by another (unrelated to this server) host.
ping-leases = false

# Unset to assign the default MTU of the device
# mtu = 

# Unset to enable bandwidth restrictions (in bytes/sec). The
# setting here is global, but can also be set per user or per group.
#rx-data-per-sec = 40000
#tx-data-per-sec = 40000

# The number of packets (of MTU size) that are available in
# the output buffer. The default is low to improve latency.
# Setting it higher will improve throughput.
output-buffer = 10

# Routes to be forwarded to the client. If you need the
# client to forward routes to the server, you may use the 
# config-per-user/group or even connect and disconnect scripts.
#
# To set the server as the default gateway for the client just
# comment out all routes from the server.
#route = 192.168.1.0/255.255.255.0
#route = 192.168.5.0/255.255.255.0
#route = fef4:db8:1000:1001::/64

# Configuration files that will be applied per user connection or
# per group. Each file name on these directories must match the username
# or the groupname.
# The options allowed in the configuration files are dns, nbns,
#  ipv?-network, ipv4-netmask, ipv6-prefix, rx/tx-per-sec, iroute, route,
#  net-priority and cgroup.
#
# Note that the 'iroute' option allows to add routes on the server
# based on a user or group. The syntax depends on the input accepted
# by the commands route-add-cmd and route-del-cmd (see below).

#config-per-user = /etc/ocserv/config-per-user/
#config-per-group = /etc/ocserv/config-per-group/

# The system command to use to setup a route. %R will be replaced with the
# route/mask and %D with the (tun) device.
#
# The following example is from linux systems. %R should be something
# like 192.168.2.0/24

#route-add-cmd = "ip route add %R dev %D"
#route-del-cmd = "ip route delete %R dev %D"

#
# The following options are for (experimental) AnyConnect client 
# compatibility. 

# Client profile xml. A sample file exists in doc/profile.xml.
# This file must be accessible from inside the worker's chroot. 
# It is not used by the openconnect client.
user-profile = /opt/ocserv/etc/profile.xml

# Binary files that may be downloaded by the CISCO client. Must
# be within any chroot environment.
#binary-files = /path/to/binaries

# Unless set to false it is required for clients to present their
# certificate even if they are authenticating via a previously granted
# cookie and complete their authentication in the same TCP connection.
# Legacy CISCO clients do not do that, and thus this option should be 
# set for them.
#cisco-client-compat = false
#cisco-client-compat = true

#Advanced options

# Option to allow sending arbitrary custom headers to the client after
# authentication and prior to VPN tunnel establ

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

# User authentication method. Could be set multiple times and in that case

# all should succeed.

# Options: certificate, pam.

#auth = "certificate"

auth = "plain[/opt/ocserv/etc/passwd]"

#auth = "pam"

# The plain option requires specifying a password file which contains

# entries of the following format.

# "username:groupname:encoded-password"

# One entry must be listed per line, and 'ocpasswd' can be used

# to generate password entries.

#auth = "plain[/etc/ocserv/ocpasswd]"

# A banner to be displayed on clients

#banner = "Welcome"

# Use listen-host to limit to specific IPs or to the IPs of a provided

# hostname.

#listen-host = [IP|HOSTNAME]

# Limit the number of clients. Unset or set to zero for unlimited.

#max-clients = 1024

max-clients = 16

# Limit the number of client connections to one every X milliseconds

# (X is the provided value). Set to zero for no limit.

#rate-limit-ms = 100

# Limit the number of identical clients (i.e., users connecting

# multiple times). Unset or set to zero for unlimited.

max-same-clients = 0

# TCP and UDP port number

tcp-port = 443

udp-port = 443

# Keepalive in seconds

keepalive = 32400

# Dead peer detection in seconds.

dpd = 240

# Dead peer detection for mobile clients. The needs to

# be much higher to prevent such clients being awaken too

# often by the DPD messages, and save battery.

# (clients that send the X-AnyConnect-Identifier-DeviceType)

mobile-dpd = 1800

# MTU discovery (DPD must be enabled)

try-mtu-discovery = false

# The key and the certificates of the server

# The key may be a file, or any URL supported by GnuTLS (e.g.,

# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user

# or pkcs11:object=my-vpn-key;object-type=private)

# There may be multiple certificate and key pairs and each key

# should correspond to the preceding certificate.

server-cert = /opt/ocserv/etc/server-cert.pem

server-key = /opt/ocserv/etc/server-key.pem

# Diffie-Hellman parameters. Only needed if you require support

# for the DHE ciphersuites (by default this server supports ECDHE).

# Can be generated using:

# certtool --generate-dh-params --outfile /path/to/dh.pem

#dh-params = /path/to/dh.pem

# If you have a certificate from a CA that provides an OCSP

# service you may provide a fresh OCSP status response within

# the TLS handshake. That will prevent the client from connecting

# independently on the OCSP server.

# You can update this response periodically using:

# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response

# Make sure that you replace the following file in an atomic way.

#ocsp-response = /path/to/ocsp.der

# In case PKCS #11 or TPM keys are used the PINs should be available

# in files. The srk-pin-file is applicable to TPM keys only, and is the

# storage root key.

#pin-file = /path/to/pin.txt

#srk-pin-file = /path/to/srkpin.txt

# The Certificate Authority that will be used to verify

# client certificates (public keys) if certificate authentication

# is set.

ca-cert = /opt/ocserv/etc/cacert.pem

# The object identifier that will be used to read the user ID in the client

# certificate. The object identifier should be part of the certificate's DN

# Useful OIDs are:

# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1

#cert-user-oid = 0.9.2342.19200300.100.1.1

# The object identifier that will be used to read the user group in the

# client certificate. The object identifier should be part of the certificate's

# DN. Useful OIDs are:

# OU (organizational unit) = 2.5.4.11

#cert-group-oid = 2.5.4.11

# The revocation list of the certificates issued by the 'ca-cert' above.

crl = /opt/ocserv/etc/crl.pem

# GnuTLS priority string

tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"

# To enforce perfect forward secrecy (PFS) on the main channel.

#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"

# The time (in seconds) that a client is allowed to stay connected prior

# to authentication

auth-timeout = 40

# The time (in seconds) that a client is allowed to stay idle (no traffic)

# before being disconnected. Unset to disable.

#idle-timeout = 1200

# The time (in seconds) that a mobile client is allowed to stay idle (no

# traffic) before being disconnected. Unset to disable.

#mobile-idle-timeout = 2400

# The time (in seconds) that a client is not allowed to reconnect after

# a failed authentication attempt.

#min-reauth-time = 2

# Cookie validity time (in seconds)

# Once a client is authenticated he's provided a cookie with

# which he can reconnect. This option sets the maximum lifetime

# of that cookie.

cookie-validity = 86400

# ReKey time (in seconds)

# ocserv will ask the client to refresh keys periodically once

# this amount of seconds is elapsed. Set to zero to disable.

rekey-time = 172800

# ReKey method

# Valid options: ssl, new-tunnel

# ssl: Will perform an efficient rehandshake on the channel allowing

# a seamless connection during rekey.

# new-tunnel: Will instruct the client to discard and re-establish the channel.

# Use this option only if the connecting clients have issues with the ssl

# option.

rekey-method = ssl

# Script to call when a client connects and obtains an IP

# Parameters are passed on the environment.

# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),

# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP

# in the P-t-P connection), IP_REMOTE (the VPN IP of the client),

# ID (a unique numeric ID); REASON may be "connect" or "disconnect".

#connect-script = /usr/bin/myscript

#disconnect-script = /usr/bin/myscript

# UTMP

use-utmp = true

# D-BUS usage. If disabled occtl tool cannot be used. If enabled

# then ocserv must have access to register org.infradead.ocserv

# D-BUS service. See doc/dbus/org.infradead.ocserv.conf

use-dbus = true

# PID file. It can be overriden in the command line.

pid-file = /var/run/ocserv.pid

# The default server directory. Does not require any devices present.

#chroot-dir = /path/to/chroot

# socket file used for IPC, will be appended with .PID

# It must be accessible within the chroot environment (if any)

socket-file = /var/run/ocserv-socket

# The user the worker processes will be run as. It should be

# unique (no other services run as this user).

run-as-user = nobody

run-as-group = daemon

# Set the protocol-defined priority (SO_PRIORITY) for packets to

# be sent. That is a number from 0 to 6 with 0 being the lowest

# priority. Alternatively this can be used to set the IP Type-

# Of-Service, by setting it to a hexadecimal number (e.g., 0x20).

# This can be set per user/group or globally.

#net-priority = 3

# Set the VPN worker process into a specific cgroup. This is Linux

# specific and can be set per user/group or globally.

#cgroup = "cpuset,cpu:test"

# Network settings

# The name of the tun device

device = vpns

# The default domain to be advertised

default-domain = example.com

# The pool of addresses that leases will be given from.

ipv4-network = 192.168.122.0

ipv4-netmask = 255.255.255.0

# The advertized DNS server. Use multiple lines for

# multiple servers.

# dns = fc00::4be0

#dns = 192.168.1.2

dns = 8.8.8.8

# The NBNS server (if any)

#nbns = 192.168.1.3

# The IPv6 subnet that leases will be given from.

#ipv6-network = fc00::

#ipv6-prefix = 16

# The domains over which the provided DNS should be used. Use

# multiple lines for multiple domains.

#split-dns = example.com

# Prior to leasing any IP from the pool ping it to verify that

# it is not in use by another (unrelated to this server) host.

ping-leases = false

# Unset to assign the default MTU of the device

# mtu =

# Unset to enable bandwidth restrictions (in bytes/sec). The

# setting here is global, but can also be set per user or per group.

#rx-data-per-sec = 40000

#tx-data-per-sec = 40000

# The number of packets (of MTU size) that are available in

# the output buffer. The default is low to improve latency.

# Setting it higher will improve throughput.

output-buffer = 10

# Routes to be forwarded to the client. If you need the

# client to forward routes to the server, you may use the

# config-per-user/group or even connect and disconnect scripts.

# To set the server as the default gateway for the client just

# comment out all routes from the server.

#route = 192.168.1.0/255.255.255.0

#route = 192.168.5.0/255.255.255.0

#route = fef4:db8:1000:1001::/64

# Configuration files that will be applied per user connection or

# per group. Each file name on these directories must match the username

# or the groupname.

# The options allowed in the configuration files are dns, nbns,

# ipv?-network, ipv4-netmask, ipv6-prefix, rx/tx-per-sec, iroute, route,

# net-priority and cgroup.

# Note that the 'iroute' option allows to add routes on the server

# based on a user or group. The syntax depends on the input accepted

# by the commands route-add-cmd and route-del-cmd (see below).

#config-per-user = /etc/ocserv/config-per-user/

#config-per-group = /etc/ocserv/config-per-group/

# The system command to use to setup a route. %R will be replaced with the

# route/mask and %D with the (tun) device.

# The following example is from linux systems. %R should be something

# like 192.168.2.0/24

#route-add-cmd = "ip route add %R dev %D"

#route-del-cmd = "ip route delete %R dev %D"

# The following options are for (experimental) AnyConnect client

# compatibility.

# Client profile xml. A sample file exists in doc/profile.xml.

# This file must be accessible from inside the worker's chroot.

# It is not used by the openconnect client.

user-profile = /opt/ocserv/etc/profile.xml

# Binary files that may be downloaded by the CISCO client. Must

# be within any chroot environment.

#binary-files = /path/to/binaries

# Unless set to false it is required for clients to present their

# certificate even if they are authenticating via a previously granted

# cookie and complete their authentication in the same TCP connection.

# Legacy CISCO clients do not do that, and thus this option should be

# set for them.

#cisco-client-compat = false

#cisco-client-compat = true

#Advanced options

# Option to allow sending arbitrary custom headers to the client after

# authentication and prior to VPN tunnel establ

/opt/ocserv/etc/profile.xml

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">

	<ClientInitialization>
		<AutoUpdate>true</AutoUpdate>

		<UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>
		<StrictCertificateTrust>false</StrictCertificateTrust>
		<RestrictPreferenceCaching>false</RestrictPreferenceCaching>
		<RestrictTunnelProtocols>IPSec</RestrictTunnelProtocols>
		<BypassDownloader>true</BypassDownloader>
		<WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
		<CertEnrollmentPin>pinAllowed</CertEnrollmentPin>
		<CertificateMatch>
			<KeyUsage>
				<MatchKey>Digital_Signature</MatchKey>
			</KeyUsage>
			<ExtendedKeyUsage>
				<ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
			</ExtendedKeyUsage>
		</CertificateMatch>
<!--
		<BackupServerList>
	            <HostAddress>106.186.27.96:443</HostAddress>
		</BackupServerList>
-->
	</ClientInitialization>

	<ServerList>
		<HostEntry>
	            <HostName>sskaje.OpenConnect</HostName>
	            <HostAddress>openconnect.sskaje.me:443</HostAddress>
		</HostEntry>
	</ServerList>
</AnyConnectProfile>

<?xml version="1.0" encoding="UTF-8"?>

<UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>

<StrictCertificateTrust>false</StrictCertificateTrust>

<RestrictPreferenceCaching>false</RestrictPreferenceCaching>

<RestrictTunnelProtocols>IPSec</RestrictTunnelProtocols>

<WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>

<CertEnrollmentPin>pinAllowed</CertEnrollmentPin>

<MatchKey>Digital_Signature</MatchKey>

</KeyUsage>

<ExtendedMatchKey>ClientAuth</ExtendedMatchKey>

</ExtendedKeyUsage>

</CertificateMatch>

<!--

</BackupServerList>

-->

</ClientInitialization>

<HostName>sskaje.OpenConnect</HostName>

<HostAddress>openconnect.sskaje.me:443</HostAddress>

</HostEntry>

</ServerList>

</AnyConnectProfile>

Open Connect Server Configuration (Working for iOS) by @sskaje: https://sskaje.me/2014/04/open-connect-server-configuration-working-ios/

/opt/ocserv/etc/config

/opt/ocserv/etc/profile.xml

Incoming search terms:

Related posts: