Build of OpenConnect 7.05+ for EL6?


 



With some one-on-one help from David (thank you!), I finally got
OpenConnect working to connect to my corporate Cisco VPN.  The
solution consists of a workaround, similar to one I have to do to
connect to another VPN with OpenConnect's Juniper support.

Not having success connecting to the Cisco VPN, trying all kinds of
options and suggestions from David, I looked into maybe using the
workaround where I obtain a valid webvpn cookie and pass it to
OpenConnect.  The VPN has a website for initially connecting to the
VPN over the web and downloading the Cisco AnyConnect client, which of
course is Windows only.  Using a Windows VM, I connect to the VPN with
the IE browser, and obtain the webvpn cookie value.  At first, that
didn't work either.  But then I noticed the URL to the VPN in the
browser had a path appended to the FQDN after authenticating.  So I
ran OpenConnect with this extended URL, and voila, it connected!

Granted, not ideal, and David wanted to help me figure out how to get
OpenConnect to mimic what the Cisco client does on the wire, but I can
live with this workaround.

Thanks again for all the help!

On Mon, Jul 11, 2016 at 5:40 PM, Oliver Hernandez
<mr.oliver.hernandez at gmail.com> wrote:
> That was it, thanks!
>
> Now I'm troubleshooting another issue, which is likely not related to
> OpenConnect.  I'll post back if I get stuck again, but my initial
> thought is the VPN server might have some setting that will only allow
> usage of the Cisco brand VPN client.  If that ends up being the case,
> then I'll be at the mercy of their help desk, as they don't officially
> support Linux, only Windoze clients.  :-/
>
> On Mon, Jul 11, 2016 at 3:11 PM, David Woodhouse <dwmw2 at infradead.org> wrote:
>> On Mon, 2016-07-11 at 15:05 -0400, Oliver Hernandez wrote:
>>> pkcs11:model=;manufacturer=;serial=;token=HERNANDEZ.OLIVER.xxx.xxxxxx;id=%00%02;object=CAC%20Email%20Signature%20Certificate;object-type=cert
>>>  Type: X.509 Certificate
>>>  Label: CAC Email Signature Certificate
>>>  ID: 00:02
>>>
>>> And the result of attempting to connect:
>>>
>>> # openconnect --no-cert-check -c
>>> 'pkcs11:token=HERNANDEZ.OLIVER.xxx.xxxxx;id=%02' foo.remotevpn
>>
>> "id=%02" != "id=%00%02"
>>
>> --
>> dwmw2
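
The mismatch pointed out in the quoted reply, as an added example (not code from the thread or from OpenConnect): a PKCS#11 URI's `id` attribute is a percent-encoded byte string, so `%02` is one byte and `%00%02` is two. The token name `EXAMPLE.TOKEN` and the function names are assumptions made for illustration, and the matching is a simplified form of RFC 7512 attribute matching.

```python
from urllib.parse import unquote_to_bytes

def parse_pkcs11_uri(uri):
    """Return the path attributes of a pkcs11: URI (RFC 7512) as a dict."""
    scheme, sep, rest = uri.partition(":")
    if scheme != "pkcs11" or not sep:
        raise ValueError("not a pkcs11: URI")
    path = rest.split("?", 1)[0]  # query attributes (e.g. pin-value) are not match criteria
    attrs = {}
    for part in filter(None, path.split(";")):
        name, _, value = part.partition("=")
        raw = unquote_to_bytes(value)
        # 'id' is CKA_ID, an opaque byte string; other attributes are UTF-8 text.
        attrs[name] = raw if name == "id" else raw.decode("utf-8")
    return attrs

def uri_selects(requested, listed):
    """True if every attribute in `requested` equals the one in `listed`.
    Attributes absent from `requested` act as wildcards."""
    want, have = parse_pkcs11_uri(requested), parse_pkcs11_uri(listed)
    return all(have.get(k) == v for k, v in want.items())

def id_from_listing(hex_id):
    """Turn an ID as printed in an object listing ("00:02") into URI form ("%00%02")."""
    return "".join("%{:02X}".format(b) for b in bytes.fromhex(hex_id.replace(":", "")))

# Constructed sample: same shape as the listing in the thread, placeholder token name.
LISTED = ("pkcs11:model=;manufacturer=;serial=;token=EXAMPLE.TOKEN;id=%00%02;"
          "object=CAC%20Email%20Signature%20Certificate;object-type=cert")

if __name__ == "__main__":
    for req in ("pkcs11:token=EXAMPLE.TOKEN;id=%02",
                "pkcs11:token=EXAMPLE.TOKEN;id=" + id_from_listing("00:02")):
        print(req, "->", "match" if uri_selects(req, LISTED) else "no match")
```

Building the `id` from the listing's `ID:` line with `id_from_listing` avoids dropping a leading zero byte when typing the URI by hand.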


