I am trying to connect to my work VPN via OpenConnect. If I try to connect without the CSD, the error is as follows:

    Error: Server asked us to download and run a 'Cisco Secure Desktop' trojan.
    This facility is disabled by default for security reasons, so you may wish to enable it.
    Failed to obtain WebVPN cookie

If I try to connect with getting the shell to work properly and passing a wrapper, it loads a JNLP and doesn't properly execute.

    ebond:vpn ebond$ sudo openconnect --csd-wrapper=asdf.sh --csd-user=root --user=bonde --cafile=/Users/ebond/work/vpn/rsa.pem vpn-usa-west.NOTREAL.COM
    Attempting to connect to server 137.69.122.5:443
    SSL negotiation with vpn-usa-west.NOTREAL.COM
    Connected to HTTPS on vpn-usa-west.NOTREAL.COM
    POST https://vpn-usa-west.NOTREAL.COM/
    Got HTTP response: HTTP/1.0 302 Temporary moved
    Attempting to connect to server 137.69.122.7:443
    SSL negotiation with scl02-01i11-vn04.NOTREAL.COM
    Connected to HTTPS on scl02-01i11-vn04.NOTREAL.COM
    POST https://scl02-01i11-vn04.NOTREAL.COM/
    Got HTTP response: HTTP/1.0 302 Object Moved
    SSL negotiation with scl02-01i11-vn04.NOTREAL.COM
    Connected to HTTPS on scl02-01i11-vn04.NOTREAL.COM
    GET https://scl02-01i11-vn04.NOTREAL.COM/+webvpn+/index.html
    GET https://scl02-01i11-vn04.NOTREAL.COM/CACHE/sdesktop/install/binaries/sfinst
    Trying to run Linux CSD trojan script.
    GET https://scl02-01i11-vn04.NOTREAL.COM/+CSCOE+/sdesktop/wait.html
    Params /tmp/csdvpwe38 -ticket "3AE4DA8B75D2785A5205C005" -stub "0" -group "" -certhash "9CE3B7DC697B5FDAA01538E4ECA4B741:" -url "https://scl02-01i11-vn04.NOTREAL.COM/CACHE/sdesktop/install/result.htm" -langselen
    working with: -url "https://scl02-01i11-vn04.NOTREAL.COM/CACHE/sdesktop/install/result.htm"
    ok cool trying this https://scl02-01i11-vn04.NOTREAL.COM/+CSCOE+/sdesktop/webstart.xml?ticket="3AE4DA8B75D2785A5205C005"&stub="0"&group=""&certhash="9CE3B7DC697B5FDAA01538E4ECA4B741:"&langselen=&noCC=1
    Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
    SSL negotiation with scl02-01i11-vn04.NOTREAL.COM
    Connected to HTTPS on scl02-01i11-vn04.NOTREAL.COM
    GET https://scl02-01i11-vn04.NOTREAL.COM/+CSCOE+/sdesktop/wait.html
    Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
    /usr/bin/javaws https://scl02-01i11-vn04.NOTREAL.COM/+CSCOE+/sdesktop/webstart.xml?ticket="3AE4DA8B75D2785A5205C005"&stub="0"&group=""&certhash="9CE3B7DC697B5FDAA01538E4ECA4B741:"&langselen=&noCC=1
    SSL negotiation with scl02-01i11-vn04.NOTREAL.COM
    Connected to HTTPS on scl02-01i11-vn04.NOTREAL.COM
    GET https://scl02-01i11-vn04.NOTREAL.COM/+CSCOE+/sdesktop/wait.html
    Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
    SSL negotiation with scl02-01i11-vn04.NOTREAL.COM
    #### Java Web Start Error:
    #### Unable to load resource: https://scl02-01i11-vn04.NOTREAL.COM/CACHE/sdesktop/install/binaries/extensions/SwordFish.jar
    Connected to HTTPS on scl02-01i11-vn04.NOTREAL.COM
    GET https://scl02-01i11-vn04.NOTREAL.COM/+CSCOE+/sdesktop/wait.html
    Refreshing +CSCOE+/sdesktop/wait.html after 1 second...

I have the issue with the following versions:

    OpenConnect version v5.00
    Using OpenSSL. Features present: TPM (OpenSSL ENGINE not present), DTLS

    OpenConnect version v4.07
    Using GnuTLS. Features present: PKCS#11, DTLS (using OpenSSL)

If I load the web page from Safari, it works. If I connect via the AnyConnect client, it works as well. I can capture the HTTPS traffic via a man-in-the-middle attack as well. I am just having issues generating a CSD wrapper that properly does what is needed that automatically happens for the website.

Anyone have any pointers?

- Firl