On Thu, Apr 17, 2014 at 5:23 PM, John Hendy <jw.hendy at gmail.com> wrote:
> It looks like what you thought: csd-wrapper gets run and then stops
> (when I quit openconnect, that defunct entry goes away). I also
> noticed that when re-checking after being vpn'd for ~10min (with
> openconnect still going), the cscan entry wasn't there anymore,
> either. I quit and restarted openconnect and it looks like it ran for
> ~1min.

Well, just to rule it out, you can try the attached csd.sh (which skips running the trojan). You'll need the curl utility installed to POST the policy info to the gateway.

> $ sudo pacman -Qi openconnect # Arch's versioning... which appears
> different than the below
> Name : openconnect
> Version : 1:5.03-1
> Description : Open client for Cisco AnyConnect VPN
> Architecture : x86_64
> URL : http://www.infradead.org/openconnect.html
> Licenses : GPL

This should probably say LGPLv2.1.

> $ openconnect --version
> OpenConnect version v5.03
> Using GnuTLS. Features present: PKCS#11, DTLS
>
> $ sudo pacman -Q | grep gnutls
> gnutls 3.3.0-1

When I saw your pastebin I wondered whether it was an old build that didn't have DTLS compiled in. But that doesn't seem to be the case. So your client supports DTLS but you're getting a TLS-only connection for some reason. On a public wifi network I would worry about packet loss / congestion, and maybe timeouts on long-lived TCP sessions. DTLS would help with all of those. Could you post the result from connecting with "openconnect -v" so we can see if the gateway has DTLS disabled?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: csd.sh
Type: application/x-sh
Size: 417 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20140417/0d52ecb6/attachment-0001.sh>