Network | @sskaje

OpenConnect Public Key Authentication

By @sskaje
Link: https://sskaje.me/2014/06/openconnect-public-key-authentication/

Here are old articles about OpenConnect, the open source AnyConnect server:
OpenConnect on Ubuntu
Open Connect Server Configuration (Working for iOS)
Cisco AnyConnect Client for OS X/Windows/Linux (Version 3.1.05160)

This time, OCServ 0.80 on Ubuntu 14.04.
And still doesn’t work for OS X.

I was using password based authentication, but clients on iOS can not remember my password.
So now add some configurations based on “Open Connect Server Configuration (Working for iOS)“.

Create Client Certificates

Just follow the manual: http://www.infradead.org/ocserv/manual.html.
If you already have a CA based on openssl, I have another article: Generate Certificate with GnuTLS and Sign with OpenSSL.

Here is my user.tmpl:

cn = "sskaje"
unit = "vpn"
serial = 1000
expiration_days = 365
signing_key
tls_www_client

cn = "sskaje"

unit = "vpn"

serial = 1000

expiration_days = 365

signing_key

tls_www_client

After the pkcs12 is created like ‘Create Client Config’ in “iOS IPSec VPN Server on Ubuntu“, the mobileconfig should be also created.
Remember to leave the ‘Account‘ and ‘Group‘ BLANK in the VPN page.

Update config

Copy a new sample.config from source, edit it following Open Connect Server Configuration (Working for iOS)

Now comes the certificate authentication related changes:

auth

# User authentication method. Could be set multiple times and in that case
# all should succeed.
# Options: certificate, pam. 
auth = "certificate"
#auth = "plain[/opt/ocserv/etc/passwd]"
#auth = "pam"

# User authentication method. Could be set multiple times and in that case

# all should succeed.

# Options: certificate, pam.

auth = "certificate"

#auth = "plain[/opt/ocserv/etc/passwd]"

#auth = "pam"

I tried to use both certificate and plain, but failed.
Just keep the certificate one.

server-cert & server-key

You can add your own certificate or get it somewhere like startssl.com.
I got my certificates from startssl.com, class 1, I got three files: ca.pem, sub.class1.server.ca.pem, and my own ssl.crt:

cat ssl.crt > server-cert.pem; 
cat sub.class1.server.ca.pem >> server-cert.pem; 
cat ca.pem >> server-cert.pem

cat ssl.crt > server-cert.pem;

cat sub.class1.server.ca.pem >> server-cert.pem;

cat ca.pem >> server-cert.pem

If you don’t make these three in a right order, you’ll see errors below in syslog:

Jun 19 03:59:08 sskaje ocserv[11730]: GnuTLS error (at tlslib.c:510): The provided X.509 certificate list is not sorted (in subject to issuer order)

1	Jun 19 03:59:08 sskaje ocserv[11730]: GnuTLS error (at tlslib.c:510): The provided X.509 certificate list is not sorted (in subject to issuer order)

The server-key I got from startssl is encrypted, decrypt it:

openssl rsa -in ssl.key -out server-key.pem

1	openssl rsa -in ssl.key -out server-key.pem

Encrypted private key would result:

Jun 19 03:59:08 sskaje ocserv[11731]: GnuTLS error (at sec-mod.c:498): Decryption has failed.

1	Jun 19 03:59:08 sskaje ocserv[11731]: GnuTLS error (at sec-mod.c:498): Decryption has failed.

ca-cert

This ca-cert is for CLIENT certificates!

cert-user-oid & cert-group-oid

Follow the comment:

cert-user-oid = 2.5.4.3
cert-group-oid = 2.5.4.11

1 2	cert-user-oid = 2.5.4.3 cert-group-oid = 2.5.4.11

cisco-client-compat

Enable this! Thanks to @simamy.

cisco-client-compat = true

1	cisco-client-compat = true

OpenConnect Public Key Authentication by @sskaje: https://sskaje.me/2014/06/openconnect-public-key-authentication/

Incoming search terms:

IPSec VPN Working for OS X Mavericks

By @sskaje
Link: https://sskaje.me/2014/04/ipsec-vpn-working-os-mavericks/

In iOS IPSec VPN Server on Ubuntu, I host a VPN on Ubuntu 13.10 based on StrongSwan 4.x, working for iOS, but not for OSX.

Then I upgraded to Ubuntu 14.04, which has StrongSwan upgraded to 5.x, error like:

Apr 24 14:56:46 sskaje charon: 15[CFG] no XAuth method found

1	Apr 24 14:56:46 sskaje charon: 15[CFG] no XAuth method found

To fix this, install all strongswan’s plugins by:

apt-get install strongswan-*

1	apt-get install strongswan-*

And make some changes to configurations:
/etc/ipsec.conf:

config setup
    # plutodebug=all
    # crlcheckinterval=600
    # strictcrlpolicy=yes
    # cachecrls=yes
    #nat_traversal=yes
    #charonstart=yes
    #plutostart=yes
...
conn %default
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    forceencaps=yes
    compress=yes
    auto=add
    #pfs=no
...

config setup

# plutodebug=all

# crlcheckinterval=600

# strictcrlpolicy=yes

# cachecrls=yes

#nat_traversal=yes

#charonstart=yes

#plutostart=yes

...

conn %default

left=%defaultroute

leftsubnet=0.0.0.0/0

forceencaps=yes

compress=yes

auto=add

#pfs=no

...

/etc/strongswan.conf:
Replace with strongswan.conf.dpkg-dist

After these, VPN is connectable by OS X but DNS settings is not pushed to the client-side

/etc/strongswan.d/charon.conf:

...
    # DNS server assigned to peer via configuration payload (CP).
    dns1 = 8.8.8.8

    # DNS server assigned to peer via configuration payload (CP).
    dns2 = 8.8.4.4
...

...

# DNS server assigned to peer via configuration payload (CP).

dns1 = 8.8.8.8

# DNS server assigned to peer via configuration payload (CP).

dns2 = 8.8.4.4

...

DONE.

If you get a error saying the certificate is not trusted, and then check /var/log/system.log, you may found

Apr 26 23:38:25 sskajedemini kernel[0]: flow_divert_kctl_disconnect (0): disconnecting group 1
Apr 26 23:38:27 sskajedemini configd[24]: IPSec connecting to server ipsec.sskaje.me
Apr 26 23:38:27 sskajedemini configd[24]: SCNC: start, triggered by (691) com.apple.prefe, type IPSec, status 0, trafficClass 0
Apr 26 23:38:27 sskajedemini configd[24]: network changed: v4(en1:192.168.1.121) DNS Proxy SMB
Apr 26 23:38:27 sskajedemini configd[24]: IPSec Phase1 starting.
Apr 26 23:38:27 sskajedemini racoon[702]: plogsetfile: about to add racoon log file: /var/log/racoon.log
Apr 26 23:38:27 sskajedemini racoon[702]: accepted connection on vpn control socket.
Apr 26 23:38:27 sskajedemini racoon[702]: IPSec connecting to server 106.186.27.96
Apr 26 23:38:27 sskajedemini racoon[702]: Connecting.
Apr 26 23:38:27 sskajedemini racoon[702]: IPSec Phase 1 started (Initiated by me).
Apr 26 23:38:27 sskajedemini racoon[702]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
Apr 26 23:38:27 sskajedemini racoon[702]: >>>>> phase change status = Phase 1 started by us
Apr 26 23:38:27 sskajedemini configd[24]: network changed.
Apr 26 23:38:27 sskajedemini racoon[702]: >>>>> phase change status = Phase 1 started by peer
Apr 26 23:38:27 sskajedemini racoon[702]: IKE Packet: receive success. (Initiator, Main-Mode message 2).
Apr 26 23:38:27 sskajedemini configd[24]: network changed.
Apr 26 23:38:27 sskajedemini racoon[702]: IKE Packet: transmit success. (Initiator, Main-Mode message 3).
Apr 26 23:38:27 sskajedemini racoon[702]: IKE Packet: receive success. (Initiator, Main-Mode message 4).
Apr 26 23:38:27 sskajedemini racoon[702]: IKE Packet: transmit success. (Initiator, Main-Mode message 5).
Apr 26 23:38:28 sskajedemini racoon[702]: Error evaluating certificate.
Apr 26 23:38:28 sskajedemini racoon[702]: ---------------Returned error strings: ---------------.
Apr 26 23:38:28 sskajedemini racoon[702]: -----------------------------------------------------.
Apr 26 23:38:28 sskajedemini racoon[702]: the peer's certificate is not verified.
Apr 26 23:38:28 sskajedemini racoon[702]: IKEv1 Phase 1 AUTH: failed. (Initiator, Main-Mode Message 6).
Apr 26 23:38:28 sskajedemini racoon[702]: IKE Packet: transmit success. (Information message).
Apr 26 23:38:28 sskajedemini configd[24]: IPSec Controller: IKE FAILED. phase 3, assert 0
Apr 26 23:38:28 sskajedemini racoon[702]: IKEv1 Information-Notice: transmit success. (ISAKMP-SA).
Apr 26 23:38:28 sskajedemini racoon[702]: IKE Packet: receive failed. (Initiator, Main-Mode Message 6).
Apr 26 23:38:28 sskajedemini racoon[702]: mode config 6 from 106.186.27.96[4500], but ISAKMP-SA 833200190d7bf5d0:9d4bf610953dbb0b isn't established.
Apr 26 23:38:28 sskajedemini configd[24]: IPSec disconnecting from server 106.186.27.96
Apr 26 23:38:28 sskajedemini racoon[702]: IPSec disconnecting from server 106.186.27.96
Apr 26 23:38:28 --- last message repeated 1 time ---
Apr 26 23:38:28 sskajedemini racoon[702]: glob found no matches for path "/var/run/racoon/*.conf"
Apr 26 23:38:28 sskajedemini configd[24]: network changed.
Apr 26 23:38:58 --- last message repeated 1 time ---
Apr 26 23:39:26 sskajedemini ServerEventAgent[138]: CertsKeychainMonitor: received a keychain delete event

Apr 26 23:38:25 sskajedemini kernel[0]: flow_divert_kctl_disconnect (0): disconnecting group 1

Apr 26 23:38:27 sskajedemini configd[24]: IPSec connecting to server ipsec.sskaje.me

Apr 26 23:38:27 sskajedemini configd[24]: SCNC: start, triggered by (691) com.apple.prefe, type IPSec, status 0, trafficClass 0

Apr 26 23:38:27 sskajedemini configd[24]: network changed: v4(en1:192.168.1.121) DNS Proxy SMB

Apr 26 23:38:27 sskajedemini configd[24]: IPSec Phase1 starting.

Apr 26 23:38:27 sskajedemini racoon[702]: plogsetfile: about to add racoon log file: /var/log/racoon.log

Apr 26 23:38:27 sskajedemini racoon[702]: accepted connection on vpn control socket.

Apr 26 23:38:27 sskajedemini racoon[702]: IPSec connecting to server 106.186.27.96

Apr 26 23:38:27 sskajedemini racoon[702]: Connecting.

Apr 26 23:38:27 sskajedemini racoon[702]: IPSec Phase 1 started (Initiated by me).

Apr 26 23:38:27 sskajedemini racoon[702]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).

Apr 26 23:38:27 sskajedemini racoon[702]: >>>>> phase change status = Phase 1 started by us

Apr 26 23:38:27 sskajedemini configd[24]: network changed.

Apr 26 23:38:27 sskajedemini racoon[702]: >>>>> phase change status = Phase 1 started by peer

Apr 26 23:38:27 sskajedemini racoon[702]: IKE Packet: receive success. (Initiator, Main-Mode message 2).

Apr 26 23:38:27 sskajedemini configd[24]: network changed.

Apr 26 23:38:27 sskajedemini racoon[702]: IKE Packet: transmit success. (Initiator, Main-Mode message 3).

Apr 26 23:38:27 sskajedemini racoon[702]: IKE Packet: receive success. (Initiator, Main-Mode message 4).

Apr 26 23:38:27 sskajedemini racoon[702]: IKE Packet: transmit success. (Initiator, Main-Mode message 5).

Apr 26 23:38:28 sskajedemini racoon[702]: Error evaluating certificate.

Apr 26 23:38:28 sskajedemini racoon[702]: ---------------Returned error strings: ---------------.

Apr 26 23:38:28 sskajedemini racoon[702]: -----------------------------------------------------.

Apr 26 23:38:28 sskajedemini racoon[702]: the peer's certificate is not verified.

Apr 26 23:38:28 sskajedemini racoon[702]: IKEv1 Phase 1 AUTH: failed. (Initiator, Main-Mode Message 6).

Apr 26 23:38:28 sskajedemini racoon[702]: IKE Packet: transmit success. (Information message).

Apr 26 23:38:28 sskajedemini configd[24]: IPSec Controller: IKE FAILED. phase 3, assert 0

Apr 26 23:38:28 sskajedemini racoon[702]: IKEv1 Information-Notice: transmit success. (ISAKMP-SA).

Apr 26 23:38:28 sskajedemini racoon[702]: IKE Packet: receive failed. (Initiator, Main-Mode Message 6).

Apr 26 23:38:28 sskajedemini racoon[702]: mode config 6 from 106.186.27.96[4500], but ISAKMP-SA 833200190d7bf5d0:9d4bf610953dbb0b isn't established.

Apr 26 23:38:28 sskajedemini configd[24]: IPSec disconnecting from server 106.186.27.96

Apr 26 23:38:28 sskajedemini racoon[702]: IPSec disconnecting from server 106.186.27.96

Apr 26 23:38:28 --- last message repeated 1 time ---

Apr 26 23:38:28 sskajedemini racoon[702]: glob found no matches for path "/var/run/racoon/*.conf"

Apr 26 23:38:28 sskajedemini configd[24]: network changed.

Apr 26 23:38:58 --- last message repeated 1 time ---

Apr 26 23:39:26 sskajedemini ServerEventAgent[138]: CertsKeychainMonitor: received a keychain delete event

If you have debug logging enabled in /etc/racoon/racoon.conf like

# "log" specifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
log debug;
path logfile "/var/log/racoon.log";

# "log" specifies logging level. It is followed by either "notify", "debug"

# or "debug2".

log debug;

path logfile "/var/log/racoon.log";

You may see more detail in /var/log/racoon.log, kSecTrustResultRecoverableTrustFailure might be a useful keyword.
Google it, the only useful article is http://www.traud.de/vpn/ but still not working here.

I tried on my macbook pro, and also as a dude told me, the Root CA I gave and the mobileconfig worked without any error nor warning.
But on my mac mini and from some others, error like above, which stopped me getting ipsec on os x work before.

I tried to delete the certificate, both root ca and client’s, from Keychain Access app, and the mobileconfig from Profiles in Preferences, reinstall like firstly CA secondly mobileconfig, check if the mobileconfig is signed and has passed the certificate verification, green light on then there it goes.

IPSec VPN Working for OS X Mavericks by @sskaje: https://sskaje.me/2014/04/ipsec-vpn-working-os-mavericks/

Incoming search terms:

Open Connect Server Configuration (Working for iOS)

By @sskaje
Link: https://sskaje.me/2014/04/open-connect-server-configuration-working-ios/

Working for iOS only, but for OSX, (Cisco AnyConnect Client for OS X 3.1.05160), captive portal is detected.
‘Web Authentication Required’ and error log like

Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: compareEKUs File: ../../vpn/CommonCrypt/Certificates/VerifyExtKeyUsage.cpp Line: 330 EKU not found in certificate: 1.3.6.1.5.5.7.3.2
Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: Verify File: ../../vpn/CommonCrypt/Certificates/VerifyExtKeyUsage.cpp Line: 100 Extended key usage verification failed
Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: VerifyExtKeyUsage File: ../../vpn/CommonCrypt/Certificates/OpenSSLCertUtils.cpp Line: 1163 Invoked Function: CVerifyExtKeyUsage::Verify Return Code: -31391722 (0xFE210016) Description: CERTIFICATE_ERROR_VERIFY_ENHKEYUSAGE_FAILED:The certificate did not contain the required Extended Key Usages 
Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: VerifyExtKeyUsage File: ../../vpn/CommonCrypt/Certificates/OpenSSLCertificate.cpp Line: 2164 Invoked Function: COpenSSLCertUtils::VerifyExtKeyUsage Return Code: -31391722 (0xFE210016) Description: CERTIFICATE_ERROR_VERIFY_ENHKEYUSAGE_FAILED:The certificate did not contain the required Extended Key Usages 
Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: getCertList File: ../../vpn/Api/ApiCert.cpp Line: 324 Number of certificates found: 3
Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: setConnectionData File: ../../vpn/Api/ConnectMgr.cpp Line: 1871 Certificate retrieved from preferences: Subject Name: CN=com.apple.idms.appleid.prd.41665a636f64723171575536774a574464536a697a513d3d Issuer Name : C=US, O=Apple Inc., OU=Apple Certification Authority, CN=Apple Application Integration Certification Authority Store : Mac Keychain User
Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Message type information sent to the user: Contacting vpn.sskaje.me:443.
Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Initiating VPN connection to the secure gateway https://vpn.sskaje.me:443
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: TestNetEnv File: ../../vpn/Agent/NetEnvironment.cpp Line: 370 Captive portal detected. Retesting connectivity to the secure gateway in 10 seconds.
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Using default preferences. Some settings (e.g. certificate matching) may not function as expected if a local profile is expected to be used. Verify that the selected host is in the server list section of the profile and that the profile is configured on the secure gateway.
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: processConnectNotification File: ../../vpn/Agent/MainThread.cpp Line: 11572 Received connect notification (host vpn.sskaje.me:443, profile N/A)
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: respondToConnectNotification File: ../../vpn/Agent/MainThread.cpp Line: 4813 The requested VPN connection to vpn.sskaje.me:443 is not possible at this time (Captive Portal needs to be remediated).
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Message type warning sent to the user: Connection attempt has failed.
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: processIfcData File: ../../vpn/Api/ConnectMgr.cpp Line: 2641 Content type (unknown) received. Response type (Captive Portal detected) from openconnect.sskaje.me: Captive Portal detected
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: showConnectError File: ../../vpn/Api/ConnectMgr.cpp Line: 5511 Attempt to connect failed when Agent detected a network issue.
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Message type error sent to the user: The service provider in your current location is restricting access to the Internet. You need to log on with the service provider before you can establish a VPN session. You can try this by visiting any website with your browser.
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: connect File: ../../vpn/Api/ConnectMgr.cpp Line: 2053 ConnectMgr::processIfcData failed
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: initiateConnect File: ../../vpn/Api/ConnectMgr.cpp Line: 1181 Connection failed.
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: VPN state: Disconnected Network state: Web Authentication Required Network control state: Network Access: Available Network type: Undefined
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: OnIpcMessageReceivedAtDepot File: ../../vpn/Agent/MainThread.cpp Line: 4234 Received connect failure notification (host vpn.sskaje.me:443, profile N/A)
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: run File: ../../vpn/Api/ConnectMgr.cpp Line: 674 Invoked Function: ConnectMgr::initiateConnect Return Code: -29622263 (0xFE3C0009) Description: CONNECTMGR_ERROR_UNEXPECTED 
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: GetPrimaryInterfaceIndex File: ../../vpn/Common/Utility/NetInterface_unix.cpp Line: 422 Unable to get global IPv6 information from system configuration.
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: determinePublicAddrCandidateFromDefRoute File: ../../vpn/AgentUtilities/HostConfigMgr.cpp Line: 1769 Invoked Function: CHostConfigMgr::FindDefaultRouteInterface Return Code: -24117215 (0xFE900021) Description: ROUTETABLE_ERROR_GETBESTROUTE_FAILED 
Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: updatePotentialPublicAddresses File: ../../vpn/AgentUtilities/HostConfigMgr.cpp Line: 1914 Invoked Function: CHostConfigMgr::determinePublicAddrCandidateFromDefRoute Return Code: -24117215 (0xFE900021) Description: ROUTETABLE_ERROR_GETBESTROUTE_FAILED

Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: compareEKUs File: ../../vpn/CommonCrypt/Certificates/VerifyExtKeyUsage.cpp Line: 330 EKU not found in certificate: 1.3.6.1.5.5.7.3.2

Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: Verify File: ../../vpn/CommonCrypt/Certificates/VerifyExtKeyUsage.cpp Line: 100 Extended key usage verification failed

Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: VerifyExtKeyUsage File: ../../vpn/CommonCrypt/Certificates/OpenSSLCertUtils.cpp Line: 1163 Invoked Function: CVerifyExtKeyUsage::Verify Return Code: -31391722 (0xFE210016) Description: CERTIFICATE_ERROR_VERIFY_ENHKEYUSAGE_FAILED:The certificate did not contain the required Extended Key Usages

Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: VerifyExtKeyUsage File: ../../vpn/CommonCrypt/Certificates/OpenSSLCertificate.cpp Line: 2164 Invoked Function: COpenSSLCertUtils::VerifyExtKeyUsage Return Code: -31391722 (0xFE210016) Description: CERTIFICATE_ERROR_VERIFY_ENHKEYUSAGE_FAILED:The certificate did not contain the required Extended Key Usages

Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: getCertList File: ../../vpn/Api/ApiCert.cpp Line: 324 Number of certificates found: 3

Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: setConnectionData File: ../../vpn/Api/ConnectMgr.cpp Line: 1871 Certificate retrieved from preferences: Subject Name: CN=com.apple.idms.appleid.prd.41665a636f64723171575536774a574464536a697a513d3d Issuer Name : C=US, O=Apple Inc., OU=Apple Certification Authority, CN=Apple Application Integration Certification Authority Store : Mac Keychain User

Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Message type information sent to the user: Contacting vpn.sskaje.me:443.

Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Initiating VPN connection to the secure gateway https://vpn.sskaje.me:443

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: TestNetEnv File: ../../vpn/Agent/NetEnvironment.cpp Line: 370 Captive portal detected. Retesting connectivity to the secure gateway in 10 seconds.

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Using default preferences. Some settings (e.g. certificate matching) may not function as expected if a local profile is expected to be used. Verify that the selected host is in the server list section of the profile and that the profile is configured on the secure gateway.

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: processConnectNotification File: ../../vpn/Agent/MainThread.cpp Line: 11572 Received connect notification (host vpn.sskaje.me:443, profile N/A)

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: respondToConnectNotification File: ../../vpn/Agent/MainThread.cpp Line: 4813 The requested VPN connection to vpn.sskaje.me:443 is not possible at this time (Captive Portal needs to be remediated).

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Message type warning sent to the user: Connection attempt has failed.

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: processIfcData File: ../../vpn/Api/ConnectMgr.cpp Line: 2641 Content type (unknown) received. Response type (Captive Portal detected) from openconnect.sskaje.me: Captive Portal detected

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: showConnectError File: ../../vpn/Api/ConnectMgr.cpp Line: 5511 Attempt to connect failed when Agent detected a network issue.

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Message type error sent to the user: The service provider in your current location is restricting access to the Internet. You need to log on with the service provider before you can establish a VPN session. You can try this by visiting any website with your browser.

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: connect File: ../../vpn/Api/ConnectMgr.cpp Line: 2053 ConnectMgr::processIfcData failed

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: initiateConnect File: ../../vpn/Api/ConnectMgr.cpp Line: 1181 Connection failed.

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: VPN state: Disconnected Network state: Web Authentication Required Network control state: Network Access: Available Network type: Undefined

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: OnIpcMessageReceivedAtDepot File: ../../vpn/Agent/MainThread.cpp Line: 4234 Received connect failure notification (host vpn.sskaje.me:443, profile N/A)

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: run File: ../../vpn/Api/ConnectMgr.cpp Line: 674 Invoked Function: ConnectMgr::initiateConnect Return Code: -29622263 (0xFE3C0009) Description: CONNECTMGR_ERROR_UNEXPECTED

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: GetPrimaryInterfaceIndex File: ../../vpn/Common/Utility/NetInterface_unix.cpp Line: 422 Unable to get global IPv6 information from system configuration.

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: determinePublicAddrCandidateFromDefRoute File: ../../vpn/AgentUtilities/HostConfigMgr.cpp Line: 1769 Invoked Function: CHostConfigMgr::FindDefaultRouteInterface Return Code: -24117215 (0xFE900021) Description: ROUTETABLE_ERROR_GETBESTROUTE_FAILED

Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: updatePotentialPublicAddresses File: ../../vpn/AgentUtilities/HostConfigMgr.cpp Line: 1914 Invoked Function: CHostConfigMgr::determinePublicAddrCandidateFromDefRoute Return Code: -24117215 (0xFE900021) Description: ROUTETABLE_ERROR_GETBESTROUTE_FAILED

OpenConnect on Ubuntu
Generate Certificate with GnuTLS and Sign with OpenSSL

Continue reading “Open Connect Server Configuration (Working for iOS)” »

Open Connect Server Configuration (Working for iOS) by @sskaje: https://sskaje.me/2014/04/open-connect-server-configuration-working-ios/

Incoming search terms:

Cisco AnyConnect Client for OS X/Windows/Linux (Version 3.1.05160)

By @sskaje
Link: https://sskaje.me/2014/04/cisco-anyconnect-client/

You are not authorised to read all content in this post.

Please login…

Cisco AnyConnect Client for OS X/Windows/Linux (Version 3.1.05160) by @sskaje: https://sskaje.me/2014/04/cisco-anyconnect-client/

Incoming search terms:

Cisco AnyConnect 3 1 05160

OpenConnect on Ubuntu

By @sskaje
Link: https://sskaje.me/2014/02/openconnect-ubuntu/

This post is not yet finished

OpenConnect is an open source implementation of Cisco’s AnyConnect SSL VPN which is natively supported by iOS(You can create profile with Apple Configurator like iOS IPSec VPN Server on Ubuntu).

OpenConnect VPN Server can be found on http://www.infradead.org/ocserv/ and downloaded from ftp://ftp.infradead.org/pub/ocserv/, manual http://www.infradead.org/ocserv/manual.html
Let’s build it on Ubuntu 13.10!

Download & Extract

wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.3.0.tar.xz
tar xvf ocserv-0.3.0.tar.xz
cd ocserv-0.3.0

wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.3.0.tar.xz

tar xvf ocserv-0.3.0.tar.xz

cd ocserv-0.3.0

Dependencies

apt-get install libwrap0-dev libpam0g-dev libdbus-1-dev libreadline-dev \
  libnl-route-3-dev libprotobuf-c0-dev libpcl1-dev libopts25-dev \
  autogen libgnutls28 libgnutls28-dev  libseccomp-dev

apt-get install libwrap0-dev libpam0g-dev libdbus-1-dev libreadline-dev \

libnl-route-3-dev libprotobuf-c0-dev libpcl1-dev libopts25-dev \

autogen libgnutls28 libgnutls28-dev libseccomp-dev

Continue reading “OpenConnect on Ubuntu” »

OpenConnect on Ubuntu by @sskaje: https://sskaje.me/2014/02/openconnect-ubuntu/