On Sun, Dec 6, 2015 at 6:52 PM, Andrew Falk <falk0069 at gmail.com> wrote:

> Hopefully, no matter what the admins configure, as long as you can get one OS to connect you can get another OS to connect by just mimicking the valid one. The hard part is capturing the encrypted data so you can mimic it.

Yeah, this was a pain for me too. I wound up using a combination of stunnel 3, tcpflow, and fake DNS entries a few years ago. There are probably better ways. I also noticed that if you tried to trick Windows AnyConnect into using another IP by modifying your HOSTS file, it would quietly revert your changes.

I wonder if it might be easier to use a modified version of ocserv (possibly even setting up a permanent public host that anyone can use) than to try to MITM the session between AnyConnect and your company's VPN. It could issue the CSD challenge and then spit out a ready-made wrapper script matching your configuration on a web page.

FWIW, a while back somebody had success using a tweaked version of the OpenSSL library to log AnyConnect's traffic. This was on Linux, though. It might be documented in the list archives.