Osx Anyconnect | @sskaje

By @sskaje
Link: https://sskaje.me/2014/10/ocserv-anyconnect-osx/

I tried a lot to make Cisco Anyconnect Secure Mobility Client work with OCServ, on OSX, on Windows, all failed.
But the AnyConnect for iOS works fine.
You can download the latest clients from: Cisco AnyConnect Clients 3.1.05170 download, 3.1.05182 is also provided.

AnyConnect for OSX always says:

The service provider in your current location is restricting access to the Internet. You need to log on with the service provider before you can establish a VPN session. You can try this by visiting any website with your browser.

1	The service provider in your current location is restricting access to the Internet. You need to log on with the service provider before you can establish a VPN session. You can try this by visiting any website with your browser.

In /var/log/system.log:

Apr  2 15:25:04 sskajetekiMacBook-Pro.local acvpnagent[9494]: Function: processConnectNotification File: ../../vpn/Agent/MainThread.cpp Line: 11572 Received connect notification (host vpn.sskaje.me:443, profile N/A)
Apr  2 15:25:04 sskajetekiMacBook-Pro.local acvpnagent[9494]: Function: respondToConnectNotification File: ../../vpn/Agent/MainThread.cpp Line: 4813 The requested VPN connection to vpn.sskaje.me:443 is not possible at this time (Captive Portal needs to be remediated).
Apr  2 15:25:04 sskajetekiMacBook-Pro.local acvpnui[9520]: Message type warning sent to the user: Connection attempt has failed.
Apr  2 15:25:04 sskajetekiMacBook-Pro.local acvpnui[9520]: Function: processIfcData File: ../../vpn/Api/ConnectMgr.cpp Line: 2641 Content type (unknown) received. Response type (Captive Portal detected) from openconnect.sskaje.me: Captive Portal detected
Apr  2 15:25:04 sskajetekiMacBook-Pro.local acvpnui[9520]: Function: showConnectError File: ../../vpn/Api/ConnectMgr.cpp Line: 5511 Attempt to connect failed when Agent detected a network issue.
Apr  2 15:25:04 sskajetekiMacBook-Pro.local acvpnui[9520]: Message type error sent to the user: The service provider in your current location is restricting access to the Internet. You need to log on with the service provider before you can establish a VPN session. You can try this by visiting any website with your browser.

Apr 2 15:25:04 sskajetekiMacBook-Pro.local acvpnagent[9494]: Function: processConnectNotification File: ../../vpn/Agent/MainThread.cpp Line: 11572 Received connect notification (host vpn.sskaje.me:443, profile N/A)

Apr 2 15:25:04 sskajetekiMacBook-Pro.local acvpnagent[9494]: Function: respondToConnectNotification File: ../../vpn/Agent/MainThread.cpp Line: 4813 The requested VPN connection to vpn.sskaje.me:443 is not possible at this time (Captive Portal needs to be remediated).

Apr 2 15:25:04 sskajetekiMacBook-Pro.local acvpnui[9520]: Message type warning sent to the user: Connection attempt has failed.

Apr 2 15:25:04 sskajetekiMacBook-Pro.local acvpnui[9520]: Function: processIfcData File: ../../vpn/Api/ConnectMgr.cpp Line: 2641 Content type (unknown) received. Response type (Captive Portal detected) from openconnect.sskaje.me: Captive Portal detected

Apr 2 15:25:04 sskajetekiMacBook-Pro.local acvpnui[9520]: Function: showConnectError File: ../../vpn/Api/ConnectMgr.cpp Line: 5511 Attempt to connect failed when Agent detected a network issue.

Apr 2 15:25:04 sskajetekiMacBook-Pro.local acvpnui[9520]: Message type error sent to the user: The service provider in your current location is restricting access to the Internet. You need to log on with the service provider before you can establish a VPN session. You can try this by visiting any website with your browser.

I read the chapter ‘False Captive Portal Detection‘ from Cisco’s official documentation, nothing useful.

I saw someone said that AnyConnect 3.1 added extra certificate verification than 3.0, which makes 3.1 not compatible with ocserv.
The latest version of AnyConnect for iOS is 3.0.12119, but for PC/Mac 3.1.05182.
I tried to find clients of AnyConnect 3.0.11042/3.0.11046, only two can be found, and MD5 checksum are same no matter where I downloaded.

MD5 (anyconnect-macosx-i386-3.0.11042-k9.dmg) = a28324d5bc5e5d31b9cc61d4a33f084e
MD5 (anyconnect-win-3.0.11042-pre-deploy-k9.msi) = b29135529a832f41c4e9268a2672db99

1 2	MD5 (anyconnect-macosx-i386-3.0.11042-k9.dmg) = a28324d5bc5e5d31b9cc61d4a33f084e MD5 (anyconnect-win-3.0.11042-pre-deploy-k9.msi) = b29135529a832f41c4e9268a2672db99

You can find files here: http://dl.sskaje.me/anyconnect/3.0/3.0.11042/

I tested the OSX one, the PKG file requires me change security level of application installing, it really works, the bad news is, there’s nowhere to choose client certificate but clicking allow/decline of private key usage.

BTW, DO NOT INSTALL WEB SECURITY MODULE!!!

OCServ with AnyConnect on OSX by @sskaje: https://sskaje.me/2014/10/ocserv-anyconnect-osx/

Tag: osx anyconnect

OCServ with AnyConnect on OSX

Incoming search terms: