On Thu, Apr 17, 2014 at 8:01 PM, Kevin Cernekee <cernekee at gmail.com> wrote:
> On Thu, Apr 17, 2014 at 5:23 PM, John Hendy <jw.hendy at gmail.com> wrote:
>> It looks like what you thought: csd-wrapper gets run and then stops
>> (when I quit openconnect, that defunct entry goes away). I also
>> noticed that when re-checking after being vpn'd for ~10min (with
>> openconnect still going), the cscan entry wasn't there anymore,
>> either. I quit and restarted openconnect and it looks like it ran for
>> ~1min.
>
> Well, just to rule it out, you can try the attached csd.sh (which
> skips running the trojan). You'll need the curl utility installed to
> POST the policy info to the gateway.

$ sudo pacman -Q | grep curl
curl 7.36.0-1

I can't connect with that script -- my credentials get denied and
there's a message to contact my company IT Help Desk. If I recall
correctly, I used to get that message when trying with the anyconnect
client if I hadn't started the /etc/rc.d/hostscan service.

>> $ sudo pacman -Qi openconnect # Arch's versioning... which appears
>> different than the below
>> Name : openconnect
>> Version : 1:5.03-1
>> Description : Open client for Cisco AnyConnect VPN
>> Architecture : x86_64
>> URL : http://www.infradead.org/openconnect.html
>> Licenses : GPL
>
> This should probably say LGPLv2.1.

I couldn't figure out how to contact the maintainer or packager for the
package, so I just submitted a bug report with the correct information
to let them know:
- https://bugs.archlinux.org/task/39927

>> $ openconnect --version
>> OpenConnect version v5.03
>> Using GnuTLS. Features present: PKCS#11, DTLS
>>
>> $ sudo pacman -Q | grep gnutls
>> gnutls 3.3.0-1
>
> When I saw your pastebin I wondered whether it was an old build that
> didn't have DTLS compiled in. But that doesn't seem to be the case.
> So your client supports DTLS but you're getting a TLS-only connection
> for some reason.
>
> On a public wifi network I would worry about packet loss / congestion,
> and maybe timeouts on long lived TCP sessions. DTLS would help with
> all of those.
>
> Could you post the result from connecting with "openconnect -v" so we
> can see if the gateway has DTLS disabled?

Here's the verbose output using the csd-wrapper.sh I posted earlier:
- http://pastebin.com/5ZcNpUuj

I terminated it shortly after initiating, as the stuff at the very end
looked to just be repeating at rapid pace. I can re-run a failed attempt
with your csd.sh if that would be useful.

Best regards,
John
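As an added example that is not part of the thread above (and not a script from the openconnect project): a small POSIX sh helper for the check Kevin asks for, classifying a saved "openconnect -v" log as a DTLS session, a session where the gateway offered DTLS but the client never established it, or a TLS-only session. The log fragments embedded below are constructed, and the two match strings ("X-DTLS-Port" from the gateway's CONNECT response and openconnect's "Established DTLS connection" message) are assumed patterns that should be verified against the output of the client version actually in use.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from openconnect.
# Classifies verbose openconnect output by whether DTLS came up.
#
# ASSUMED patterns (verify against your client's real output):
#   "X-DTLS-Port"                 - gateway advertised DTLS in CONNECT reply
#   "Established DTLS connection" - client actually brought DTLS up

dtls_status() {
    # $1: full text of an 'openconnect -v' log (stdout+stderr)
    case "$1" in
        *"Established DTLS connection"*) echo "dtls" ;;
        *"X-DTLS-Port"*)                 echo "dtls-offered-not-established" ;;
        *)                               echo "tls-only" ;;
    esac
}

# Constructed sample logs (NOT real openconnect output), one per case.
SAMPLE_DTLS='Got CONNECT response: HTTP/1.1 200 OK
X-DTLS-Port: 443
Established DTLS connection'

SAMPLE_OFFERED='Got CONNECT response: HTTP/1.1 200 OK
X-DTLS-Port: 443
DTLS handshake timed out'

SAMPLE_TLS='Got CONNECT response: HTTP/1.1 200 OK
Connected as 10.0.0.2, using SSL'

# Stand-alone demonstration over the constructed samples.
# Real use: dtls_status "$(cat saved-openconnect-v.log)"
echo "sample 1: $(dtls_status "$SAMPLE_DTLS")"
echo "sample 2: $(dtls_status "$SAMPLE_OFFERED")"
echo "sample 3: $(dtls_status "$SAMPLE_TLS")"
```

If the result is "dtls-offered-not-established", the gateway did offer DTLS and the problem is on the path (UDP blocked or filtered, typical on public wifi); "tls-only" with no X-DTLS-Port header points at DTLS being disabled on the gateway side, which is the case Kevin wanted to distinguish.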