Hello,

I compiled ocserv git head and 0.2.4 on Debian Wheezy using the gnutls library from backports. I configured it and I'm able to connect using the Android AnyConnect Client without any issue; however, I'm not able to connect using AnyConnect 3.0 and 3.1 from a Windows 7 PC.

My config is:

auth = "pam"
listen-host = 78.47.70.72
max-clients = 16
max-same-clients = 0
tcp-port = 443
udp-port = 443
keepalive = 32400
dpd = 440
try-mtu-discovery = false
server-cert = /home/sithglan/work/certificates/wildcard_2013-02-17/half_chain.pem
server-key = /home/sithglan/work/certificates/wildcard_2013-02-17/server.key
dh-params = /local/ocserv-2014-01-11/etc/dh.pem
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
auth-timeout = 40
cookie-validity = 172800
use-utmp = true
use-dbus = true
pid-file = /var/run/ocserv.pid
socket-file = /var/run/ocserv-socket
run-as-user = nobody
run-as-group = nogroup
device = vpns
default-domain = gmvl.de
ipv4-network = 10.12.12.0
ipv4-netmask = 255.255.255.0
ipv4-dns = local
ping-leases = false
output-buffer = 10
route = 0.0.0.0/0.0.0.0
config-per-user = /local/ocserv-2014-01-11/etc/config-per-user/
config-per-group = /local/ocserv-2014-01-11/etc/config-per-group/
route-add-cmd = "ip route add %R dev %D"
route-del-cmd = "ip route delete %R dev %D"
user-profile = /local/ocserv-2014-01-11/etc/profile.xml
always-require-cert = false

profile.xml is:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
    <ClientInitialization>
        <UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>
        <StrictCertificateTrust>false</StrictCertificateTrust>
        <RestrictPreferenceCaching>false</RestrictPreferenceCaching>
        <RestrictTunnelProtocols>IPSec</RestrictTunnelProtocols>
        <BypassDownloader>true</BypassDownloader>
        <CertEnrollmentPin>pinAllowed</CertEnrollmentPin>
        <CertificateMatch>
            <KeyUsage>
                <MatchKey>Digital_Signature</MatchKey>
            </KeyUsage>
            <ExtendedKeyUsage>
                <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
            </ExtendedKeyUsage>
        </CertificateMatch>
        <BackupServerList>
            <HostAddress>localhost</HostAddress>
        </BackupServerList>
    </ClientInitialization>
    <ServerList>
        <HostEntry>
            <HostName>view-01.gmvl.de</HostName>
            <HostAddress>view-01.gmvl.de</HostAddress>
        </HostEntry>
    </ServerList>
</AnyConnectProfile>

My server cert has the certificate itself and the intermediate certificate in it. I tried to use a wildcard and a certificate with only one CN.

Here is the debug log: http://pbot.rmdir.de/PhPvw1B5B14p5be5FCCepw

I tried with and without DH. The debug log is without DH.

When I connect using Cisco AnyConnect on Windows, I'm asked for a username and a password. Once I type them in, it prompts me again for the username. I made sure that I open all ports in both of my firewalls.

I would appreciate it if someone could tell me what I'm doing wrong.

Cheers,
Thomas