Hi all,

I have problems getting various clients to connect to ocserv. So far none of the clients are able to successfully make a VPN connection.

Platform: Debian 7, ocserv 2.1

Tried with Android (Anyconnect ICS+), it can successfully authenticate, but after accepting the banner the client will prompt "The required license for this type of VPN client is not available on the secure gateway. Please contact your network administrator." I guess it's just that Cisco does not like the idea of a 3rd party server that can accept Anyconnect Client connections? ;-) Fair enough.

Here's the log:

Nov 14 22:48:08 hostname ocserv[13183]: [client.ip.addr]:12385 accepted connection
Nov 14 22:48:09 hostname ocserv[13183]: GnuTLS error (at worker-vpn.c:546): A TLS fatal alert has been received.: Unknown certificate
Nov 14 22:48:09 hostname ocserv[13093]: [client.ip.addr]:12385 command socket closed
Nov 14 22:48:13 hostname ocserv[13184]: [client.ip.addr]:37496 accepted connection
Nov 14 22:48:13 hostname ocserv[13184]: [client.ip.addr]:37496 TLS handshake completed
Nov 14 22:48:14 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP: User-Agent: AnyConnect Android 3.0.09242
Nov 14 22:48:14 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP: Host: server.ip.addr
Nov 14 22:48:14 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP: Accept: */*
Nov 14 22:48:14 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP: Accept-Encoding: identity
Nov 14 22:48:14 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP: X-Transcend-Version: 1
Nov 14 22:48:14 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP: X-Transcend-Version: 1
Nov 14 22:48:14 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP: X-AnyConnect-Identifier-ClientVersion: 3.0.09242
Nov 14 22:48:14 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP: X-AnyConnect-Identifier-Platform: android
Nov 14 22:48:14 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP: X-AnyConnect-Identifier-PlatformVersion: 4.3.1
Nov 14 22:48:14 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP: X-AnyConnect-Identifier-DeviceType: MOTO MB526
Nov 14 22:48:14 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP: X-AnyConnect-Identifier-Device-UniqueID: someuniqueid
Nov 14 22:48:14 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP: X-Aggregate-Auth: 1
Nov 14 22:48:14 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP: Connection: close
Nov 14 22:48:14 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP: Content-Length: 319
Nov 14 22:48:14 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP: Content-Type: application/x-www-form-urlencoded
Nov 14 22:48:14 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP POST /
Nov 14 22:48:14 hostname ocserv[13184]: [client.ip.addr]:37496 POST body: '<?xml version="1.0" encoding="UTF-8"?>#012<config-auth client="vpn" type="init">#012<device-id platform-version="4.3.1" device-type="MOTO MB526" unique-id="someuniqueid">android</device-id>#012<version who="vpn">3.0.09242</version>#012<group-access>https://server.ip.addr/</group-access>#012</config-auth>#012'
Nov 14 22:48:16 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP: User-Agent: AnyConnect Android 3.0.09242
Nov 14 22:48:16 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP: Host: server.ip.addr
Nov 14 22:48:16 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP: Accept: */*
Nov 14 22:48:16 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP: Accept-Encoding: identity
Nov 14 22:48:16 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP: X-Transcend-Version: 1
Nov 14 22:48:16 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP: X-Transcend-Version: 1
Nov 14 22:48:16 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP: X-AnyConnect-Identifier-ClientVersion: 3.0.09242
Nov 14 22:48:16 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP: X-AnyConnect-Identifier-Platform: android
Nov 14 22:48:16 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP: X-AnyConnect-Identifier-PlatformVersion: 4.3.1
Nov 14 22:48:16 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP: X-AnyConnect-Identifier-DeviceType: MOTO MB526
Nov 14 22:48:16 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP: X-AnyConnect-Identifier-Device-UniqueID: someuniqueid
Nov 14 22:48:16 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP: X-Aggregate-Auth: 1
Nov 14 22:48:16 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP: Content-Length: 13
Nov 14 22:48:16 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP: Content-Type: application/x-www-form-urlencoded
Nov 14 22:48:16 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP POST /auth
Nov 14 22:48:16 hostname ocserv[13093]: [client.ip.addr]:37496 auth init for user 'tony' from '[client.ip.addr]:37496'
Nov 14 22:48:29 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP: User-Agent: AnyConnect Android 3.0.09242
Nov 14 22:48:29 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP: Host: server.ip.addr
Nov 14 22:48:29 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP: Accept: */*
Nov 14 22:48:29 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP: Accept-Encoding: identity
Nov 14 22:48:29 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP: X-Transcend-Version: 1
Nov 14 22:48:29 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP: X-Transcend-Version: 1
Nov 14 22:48:29 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP: X-AnyConnect-Identifier-ClientVersion: 3.0.09242
Nov 14 22:48:29 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP: X-AnyConnect-Identifier-Platform: android
Nov 14 22:48:29 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP: X-AnyConnect-Identifier-PlatformVersion: 4.3.1
Nov 14 22:48:29 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP: X-AnyConnect-Identifier-DeviceType: MOTO MB526
Nov 14 22:48:29 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP: X-AnyConnect-Identifier-Device-UniqueID: someuniqueid
Nov 14 22:48:29 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP: X-Aggregate-Auth: 1
Nov 14 22:48:29 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP: Content-Length: 19
Nov 14 22:48:29 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP: Content-Type: application/x-www-form-urlencoded
Nov 14 22:48:29 hostname ocserv[13184]: [client.ip.addr]:37496 HTTP POST /auth
Nov 14 22:48:29 hostname ocserv[13184]: [client.ip.addr]:37496 sending auth request
Nov 14 22:48:29 hostname ocserv[13093]: [client.ip.addr]:37496 auth req for user 'tony'
Nov 14 22:48:29 hostname ocserv[13093]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned -1218834648.
Nov 14 22:48:29 hostname ocserv[13093]: [client.ip.addr]:37496 accepting user 'tony'
Nov 14 22:48:29 hostname ocserv[13093]: [client.ip.addr]:37496 auth deinit for user 'tony'
Nov 14 22:48:29 hostname ocserv[13093]: [client.ip.addr]:37496 Selected IP: [192.168.1.0]:0
Nov 14 22:48:29 hostname ocserv[13093]: [client.ip.addr]:37496 assigning tun device vpns0
Nov 14 22:48:29 hostname ocserv[13093]: [client.ip.addr]:37496 user 'tony' of group 'tony' authenticated
Nov 14 22:48:29 hostname ocserv[13184]: [client.ip.addr]:37496 User 'tony' logged in
Nov 14 22:48:33 hostname ocserv[13192]: [client.ip.addr]:44997 accepted connection
Nov 14 22:48:33 hostname ocserv[13192]: [client.ip.addr]:44997 TLS handshake completed
Nov 14 22:48:34 hostname ocserv[13192]: [client.ip.addr]:44997 HTTP: User-Agent: AnyConnect Android 3.0.09242
Nov 14 22:48:34 hostname ocserv[13192]: [client.ip.addr]:44997 HTTP: Host: server.ip.addr
Nov 14 22:48:34 hostname ocserv[13192]: [client.ip.addr]:44997 HTTP: Accept: */*
Nov 14 22:48:34 hostname ocserv[13192]: [client.ip.addr]:44997 HTTP: Cookie: webvpn=somesecretcookie
Nov 14 22:48:34 hostname ocserv[13192]: [client.ip.addr]:44997 HTTP GET /+CSCOT+/translation-table?type=combined-manifest&textdomain=AnyConnect
Nov 14 22:48:34 hostname ocserv[13192]: [client.ip.addr]:44997 requested fixed string: /+CSCOT+/translation-table?type=combined-manifest&textdomain=AnyConnect
Nov 14 22:48:34 hostname ocserv[13093]: [client.ip.addr]:44997 command socket closed
Nov 14 22:48:35 hostname ocserv[13193]: [client.ip.addr]:10753 accepted connection
Nov 14 22:48:36 hostname ocserv[13193]: [client.ip.addr]:10753 TLS handshake completed
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 HTTP: Host: server.ip.addr
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 HTTP: User-Agent: Cisco AnyConnect VPN Agent for Android 3.0.09242
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 HTTP: Cookie: webvpn=somesecretcookie
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 HTTP: X-CSTP-Version: 1
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 HTTP: X-CSTP-Hostname: localhost
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 HTTP: X-CSTP-MTU: 1405
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 HTTP: X-CSTP-Address-Type: IPv6,IPv4
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 HTTP: X-CSTP-License: mobile
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 HTTP: X-AnyConnect-Identifier-ClientVersion: 3.0.09242
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 HTTP: X-AnyConnect-Identifier-Platform: android
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 HTTP: X-AnyConnect-Identifier-PlatformVersion: 4.3.1
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 HTTP: X-AnyConnect-Identifier-DeviceType: MOTO MB526
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 HTTP: X-AnyConnect-Identifier-Device-UniqueID: someuniqueid
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 HTTP: X-DTLS-Master-Secret: somesecret
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 HTTP: X-DTLS-CipherSuite: AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 HTTP: X-DTLS-Accept-Encoding: lzs
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 HTTP: X-CSTP-Accept-Encoding: lzs,deflate
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 HTTP: X-CSTP-Protocol: Copyright (c) 2004 Cisco Systems, Inc.
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 HTTP: X-CSTP-TCP-Keepalive: false
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 HTTP CONNECT /CSCOSSLC/tunnel
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 sending cookie authentication request
Nov 14 22:48:37 hostname ocserv[13093]: [client.ip.addr]:10753 accepting user 'tony'
Nov 14 22:48:37 hostname ocserv[13093]: [client.ip.addr]:10753 auth deinit for user 'tony'
Nov 14 22:48:37 hostname ocserv[13093]: [client.ip.addr]:10753 Selected IP: [192.168.1.0]:0
Nov 14 22:48:37 hostname ocserv[13093]: [client.ip.addr]:10753 assigning tun device vpns1
Nov 14 22:48:37 hostname ocserv[13093]: [client.ip.addr]:10753 user 'tony' of group 'tony' re-authenticated (using cookie)
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 sending IPv4 192.168.1.1
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 adding route 192.168.1.0/255.255.255.0
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 peer CSTP MTU is 1405
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 TCP MSS is 1375
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 reducing MTU due to TCP MSS to 1367
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 DTLS ciphersuite: AES128-SHA
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 suggesting DTLS MTU 1301
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 suggesting CSTP MTU 1301
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 plaintext MTU is 1366
Nov 14 22:48:37 hostname ocserv[13093]: [client.ip.addr]:10753 setting vpns1 MTU to 1367
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 TCP MSS is 1375
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 reducing MTU due to TCP MSS to 1346
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 setting MTU to 1346
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 received 59 byte(s) (TLS)
Nov 14 22:48:37 hostname ocserv[13193]: [client.ip.addr]:10753 received BYE packet; exiting
Nov 14 22:48:37 hostname ocserv[13093]: [client.ip.addr]:10753 setting vpns1 MTU to 1345
Nov 14 22:48:37 hostname ocserv[13093]: [client.ip.addr]:10753 ioctl SIOCSIFMTU error: No such device
Nov 14 22:48:37 hostname ocserv[13093]: [client.ip.addr]:10753 command socket closed
Nov 14 22:48:37 hostname ocserv[13093]: [client.ip.addr]:37496 command socket closed

And another attempt was made with the Windows client (3.0.08057; the latest 3.1.04072 won't connect at all), and this one cannot even finish the authentication process - repeatedly asking for username/password.

Nov 14 23:06:04 hostname ocserv[13218]: [client.ip.addr]:53934 accepted connection
Nov 14 23:06:04 hostname ocserv[13218]: [client.ip.addr]:53934 TLS handshake completed
Nov 14 23:06:04 hostname ocserv[13218]: [client.ip.addr]:53934 error receiving client data
Nov 14 23:06:04 hostname ocserv[13093]: [client.ip.addr]:53934 command socket closed
Nov 14 23:06:07 hostname ocserv[13219]: [client.ip.addr]:5566 accepted connection
Nov 14 23:06:07 hostname ocserv[13219]: [client.ip.addr]:5566 sending resumption request (fetch)
Nov 14 23:06:07 hostname ocserv[13219]: [client.ip.addr]:5566 TLS handshake completed
Nov 14 23:06:07 hostname ocserv[13219]: [client.ip.addr]:5566 HTTP: Cache-Control: no-cache
Nov 14 23:06:07 hostname ocserv[13219]: [client.ip.addr]:5566 HTTP: Connection: close
Nov 14 23:06:07 hostname ocserv[13219]: [client.ip.addr]:5566 HTTP: Pragma: no-cache
Nov 14 23:06:07 hostname ocserv[13219]: [client.ip.addr]:5566 HTTP: User-Agent: AnyConnect Windows 3.0.08057
Nov 14 23:06:07 hostname ocserv[13219]: [client.ip.addr]:5566 HTTP: X-Transcend-Version: 1
Nov 14 23:06:07 hostname ocserv[13219]: [client.ip.addr]:5566 HTTP: X-Aggregate-Auth: 1
Nov 14 23:06:07 hostname ocserv[13219]: [client.ip.addr]:5566 HTTP: X-AnyConnect-Platform: win
Nov 14 23:06:07 hostname ocserv[13219]: [client.ip.addr]:5566 HTTP: Content-Length: 212
Nov 14 23:06:07 hostname ocserv[13219]: [client.ip.addr]:5566 HTTP: Host: server.ip.addr
Nov 14 23:06:07 hostname ocserv[13219]: [client.ip.addr]:5566 HTTP POST /
Nov 14 23:06:07 hostname ocserv[13219]: [client.ip.addr]:5566 POST body: '<?xml version="1.0" encoding="UTF-8"?>#012<config-auth client="vpn" type="init">#012<device-id>win</device-id>#012<version who="vpn">3.0.08057</version>#012<group-access>https://server.ip.addr/</group-access>#012</config-auth>#012'
Nov 14 23:06:07 hostname ocserv[13093]: [client.ip.addr]:5566 command socket closed
Nov 14 23:06:10 hostname ocserv[13220]: [client.ip.addr]:64475 accepted connection
Nov 14 23:06:10 hostname ocserv[13220]: [client.ip.addr]:64475 sending resumption request (fetch)
Nov 14 23:06:10 hostname ocserv[13220]: [client.ip.addr]:64475 TLS handshake completed
Nov 14 23:06:10 hostname ocserv[13220]: [client.ip.addr]:64475 HTTP: Cache-Control: no-cache
Nov 14 23:06:10 hostname ocserv[13220]: [client.ip.addr]:64475 HTTP: Connection: Close
Nov 14 23:06:10 hostname ocserv[13220]: [client.ip.addr]:64475 HTTP: Pragma: no-cache
Nov 14 23:06:10 hostname ocserv[13220]: [client.ip.addr]:64475 HTTP: User-Agent: AnyConnect Windows 3.0.08057
Nov 14 23:06:10 hostname ocserv[13220]: [client.ip.addr]:64475 HTTP: X-Transcend-Version: 1
Nov 14 23:06:10 hostname ocserv[13220]: [client.ip.addr]:64475 HTTP: X-Aggregate-Auth: 1
Nov 14 23:06:10 hostname ocserv[13220]: [client.ip.addr]:64475 HTTP: X-AnyConnect-Platform: win
Nov 14 23:06:10 hostname ocserv[13220]: [client.ip.addr]:64475 HTTP: Content-Length: 13
Nov 14 23:06:10 hostname ocserv[13220]: [client.ip.addr]:64475 HTTP: Host: server.ip.addr
Nov 14 23:06:10 hostname ocserv[13220]: [client.ip.addr]:64475 HTTP POST /auth
Nov 14 23:06:10 hostname ocserv[13093]: [client.ip.addr]:64475 auth init for user 'tony' from '[client.ip.addr]:64475'
Nov 14 23:06:10 hostname ocserv[13093]: [client.ip.addr]:64475 command socket closed
Nov 14 23:06:10 hostname ocserv[13093]: [client.ip.addr]:64475 auth deinit for user 'tony'
Nov 14 23:06:17 hostname ocserv[13221]: [client.ip.addr]:57886 accepted connection
Nov 14 23:06:17 hostname ocserv[13221]: [client.ip.addr]:57886 sending resumption request (fetch)
Nov 14 23:06:17 hostname ocserv[13221]: [client.ip.addr]:57886 TLS handshake completed
Nov 14 23:06:17 hostname ocserv[13221]: [client.ip.addr]:57886 HTTP: Cache-Control: no-cache
Nov 14 23:06:17 hostname ocserv[13221]: [client.ip.addr]:57886 HTTP: Connection: Close
Nov 14 23:06:17 hostname ocserv[13221]: [client.ip.addr]:57886 HTTP: Pragma: no-cache
Nov 14 23:06:17 hostname ocserv[13221]: [client.ip.addr]:57886 HTTP: User-Agent: AnyConnect Windows 3.0.08057
Nov 14 23:06:17 hostname ocserv[13221]: [client.ip.addr]:57886 HTTP: X-Transcend-Version: 1
Nov 14 23:06:17 hostname ocserv[13221]: [client.ip.addr]:57886 HTTP: X-Aggregate-Auth: 1
Nov 14 23:06:17 hostname ocserv[13221]: [client.ip.addr]:57886 HTTP: X-AnyConnect-Platform: win
Nov 14 23:06:17 hostname ocserv[13221]: [client.ip.addr]:57886 HTTP: Content-Length: 17
Nov 14 23:06:17 hostname ocserv[13221]: [client.ip.addr]:57886 HTTP: Host: server.ip.addr
Nov 14 23:06:17 hostname ocserv[13221]: [client.ip.addr]:57886 HTTP POST /auth
Nov 14 23:06:17 hostname ocserv[13093]: [client.ip.addr]:57886 command socket closed

Somehow it started authentication, but immediately closed the socket and deinited.

Tried with some other clients, including SmoothConnect (Android 3rd party client connecting to Cisco ASA) and HP webOS, but none of them works. Don't have the log at hand at this moment...

Any suggestions will be appreciated.

Thanks,
TZ