Follow-up on this note:

Through some more trial & error I was able to successfully connect to my work VPN!!! The key to this was identifying the exact certificate and key I needed to provide to openconnect to do the proper authentication with my work's VPN server.

One thing that helped immensely is the scripts provided here:
https://github.com/JonathonReinhart/linux-cac-setup/
which guided me through selecting first a hardware token (CRISP.WILL.J.xxxxxxxxxx) and then a choice of certificates to go with that hardware token. The certificate the VPN server wants is the "PIV Email Signature Certificate".

Armed with this knowledge, I was then able to identify the exact pkcs11 URLs that I needed to pass to openconnect and later to NetworkManager-openconnect in order to successfully establish a VPN connection.

Maybe this will help someone else out there reading this someday. Thank you to the devs who created this software, so glad I don't have to use a Windows client anymore!!

-Will

On Mon, Apr 17, 2017 at 7:10 AM, Will Crisp <crispjw at gmail.com> wrote:
> I'm getting the subject error message, "XML response has no "auth"
> node", when attempting to connect to my work's VPN concentrator. What
> follows is output of my connection attempt. I can establish SSL
> connection, but I can't get further than that. I will attempt to
> connect using Windows (later today hopefully) and compare results, but
> hoping someone on this list has some ideas what else I can try to
> connect from Linux.
>
> Thanks,
> -Will
>
> $ sudo openconnect -c 'pkcs11:token=CRISP.WILL.J.xxxxxxxxxx;id=%00%01;object=PIV%20ID%20Certificate' --dump-http-traffic --verbose --os win vpn.amrdec.army.mil
> POST https://vpn.amrdec.army.mil/
> Attempting to connect to server 199.209.145.10:443
> Using PKCS#11 certificate pkcs11:token=CRISP.WILL.J.xxxxxxxxxx;id=%00%01;object=PIV%20ID%20Certificate;object-type=cert
> PIN required for CRISP.WILL.J.xxxxxxxxxx
> Enter PIN:
> Using PKCS#11 key pkcs11:token=CRISP.WILL.J.xxxxxxxxxx;id=%00%01;object=PIV%20ID%20Certificate;object-type=private
> Using client certificate 'CRISP.WILL.J.xxxxxxxxxx'
> Adding supporting CA 'DOD CA-31'
> SSL negotiation with vpn.amrdec.army.mil
> Connected to HTTPS on vpn.amrdec.army.mil
>> POST / HTTP/1.1
>> Host: vpn.amrdec.army.mil
>> User-Agent: Open AnyConnect VPN Agent v7.06-1.el7
>> Accept: */*
>> Accept-Encoding: identity
>> X-Transcend-Version: 1
>> X-Aggregate-Auth: 1
>> X-AnyConnect-Platform: win
>> X-Support-HTTP-Auth: true
>> X-Pad: 000000000000000000000000000000000000000000
>> Content-Type: application/x-www-form-urlencoded
>> Content-Length: 214
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <config-auth client="vpn" type="init"><version who="vpn">v7.06-1.el7</version><device-id>win</device-id><group-access>https://vpn.amrdec.army.mil</group-access></config-auth>
> Got HTTP response: HTTP/1.1 200 OK
> Content-Type: text/html; charset=utf-8
> Transfer-Encoding: chunked
> Cache-Control: no-cache
> Pragma: no-cache
> Connection: Keep-Alive
> Date: Mon, 17 Apr 2017 02:35:28 GMT
> X-Frame-Options: SAMEORIGIN
> X-Aggregate-Auth: 1
> HTTP body chunked (-2)
> < <?xml version="1.0" encoding="UTF-8"?>
> < <config-auth client="vpn" type="auth-request" aggregate-auth-version="2">
> < <client-cert-request></client-cert-request>
> < </config-auth>
> POST https://vpn.amrdec.army.mil/
> SSL negotiation with vpn.amrdec.army.mil
> Connected to HTTPS on vpn.amrdec.army.mil
>> POST / HTTP/1.1
>> Host: vpn.amrdec.army.mil
>> User-Agent: Open AnyConnect VPN Agent v7.06-1.el7
>> Accept: */*
>> Accept-Encoding: identity
>> X-Transcend-Version: 1
>> X-Aggregate-Auth: 1
>> X-AnyConnect-Platform: win
>> X-Support-HTTP-Auth: true
>> X-Pad: 000000000000000000000000000000000000000000
>> Content-Type: application/x-www-form-urlencoded
>> Content-Length: 214
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <config-auth client="vpn" type="init"><version who="vpn">v7.06-1.el7</version><device-id>win</device-id><group-access>https://vpn.amrdec.army.mil</group-access></config-auth>
> Got HTTP response: HTTP/1.1 200 OK
> Content-Type: text/html; charset=utf-8
> Transfer-Encoding: chunked
> Cache-Control: no-cache
> Pragma: no-cache
> Connection: Keep-Alive
> Date: Mon, 17 Apr 2017 02:35:30 GMT
> X-Frame-Options: SAMEORIGIN
> X-Aggregate-Auth: 1
> HTTP body chunked (-2)
> < <?xml version="1.0" encoding="UTF-8"?>
> < <config-auth client="vpn" type="complete" aggregate-auth-version="2">
> < <error id="15" param1="" param2="">Login failed.</error>
> < </config-auth>
> XML response has no "auth" node
> GET https://vpn.amrdec.army.mil/
> Attempting to connect to server 199.209.145.10:443
> SSL negotiation with vpn.amrdec.army.mil
> Connected to HTTPS on vpn.amrdec.army.mil
>> GET / HTTP/1.1
>> Host: vpn.amrdec.army.mil
>> User-Agent: Open AnyConnect VPN Agent v7.06-1.el7
>> Accept: */*
>> Accept-Encoding: identity
>> X-Transcend-Version: 1
>> X-Support-HTTP-Auth: true
>>
> Got HTTP response: HTTP/1.0 302 Object Moved
> Content-Type: text/html; charset=utf-8
> Content-Length: 0
> Cache-Control: no-cache
> Pragma: no-cache
> Connection: Close
> Date: Mon, 17 Apr 2017 02:36:22 GMT
> X-Frame-Options: SAMEORIGIN
> Location: /+webvpn+/index.html
> Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
> HTTP body length: (0)
> GET https://vpn.amrdec.army.mil/+webvpn+/index.html
> SSL negotiation with vpn.amrdec.army.mil
> Connected to HTTPS on vpn.amrdec.army.mil
>> GET /+webvpn+/index.html HTTP/1.1
>> Host: vpn.amrdec.army.mil
>> User-Agent: Open AnyConnect VPN Agent v7.06-1.el7
>> Accept: */*
>> Accept-Encoding: identity
>> X-Transcend-Version: 1
>> X-Support-HTTP-Auth: true
>>
> Got HTTP response: HTTP/1.1 200 OK
> Transfer-Encoding: chunked
> Content-Type: text/xml
> Cache-Control: max-age=0
> Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
> Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
> Set-Cookie: webvpnlogin=1; secure
> X-Frame-Options: SAMEORIGIN
> X-Transcend-Version: 1
> HTTP body chunked (-2)
> < <?xml version="1.0" encoding="UTF-8"?>
> < <!--
> < Copyright (c) 2013 by Cisco Systems, Inc.
> < All rights reserved.
> < -->
> < <auth id="main">
> < <title>SSL VPN Service</title>
> < <ca status="disabled" href="/+CSCOCA+/login.html" />
> <
> <
> <
> < <banner></banner>
> < <message>Please enter your username and password.</message>
> <
> <
> < <error id="15" param1="" param2="">Login failed.</error>
> < <form method="post" action="/+webvpn+/index.html">
> <
> <
> <
> <
> <
> <
> <
> < <input type="submit" name="Login" value="Login" />
> < <input type="reset" name="Clear" value="Clear" />
> <
> <
> < </form>
> < </auth>
> <
> Please enter your username and password.
> Login failed.
> Failed to obtain WebVPN cookie
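
Added example (not part of the original message, and not openconnect's own parser): a short Python reading of the two config-auth replies in the log above, showing why the second one leaves the client with no "auth" node to act on. The helper names classify and diagnose are hypothetical, and the reading that the offered certificate was refused is an assumption drawn from the follow-up, where a different certificate on the same token worked.

```python
import xml.etree.ElementTree as ET

# The two <config-auth> replies, copied from the log in the post.
CERT_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="auth-request" aggregate-auth-version="2">
<client-cert-request></client-cert-request>
</config-auth>"""
LOGIN_FAILED = """<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="complete" aggregate-auth-version="2">
<error id="15" param1="" param2="">Login failed.</error>
</config-auth>"""


def classify(body):
    """Return (state, detail) for one reply body (hypothetical helper)."""
    try:
        root = ET.fromstring(body.encode("utf-8"))
    except ET.ParseError as exc:
        return ("not-xml", str(exc))
    if root.tag != "config-auth":
        return ("unexpected-root", root.tag)
    auth, error = root.find("auth"), root.find("error")
    if auth is not None:
        return ("auth-form", auth.get("id", ""))
    if root.find("client-cert-request") is not None:
        return ("cert-requested", "server asks for a client certificate")
    if error is not None:
        text = (error.text or "").strip()
        return ("rejected", "error id=%s: %s" % (error.get("id"), text))
    return ("no-auth-node", "type=%s" % root.get("type"))


def diagnose(replies):
    """Walk the replies in order and say where the login stopped."""
    states = [classify(r) for r in replies]
    if not states:
        return "no replies"
    for prev, cur in zip(states, states[1:]):
        if prev[0] == "cert-requested" and cur[0] == "rejected":
            # Assumption drawn from the follow-up: another certificate worked.
            return "certificate refused after request (%s)" % cur[1]
    return "stopped at %s (%s)" % states[-1]


if __name__ == "__main__":
    for reply in (CERT_REQUEST, LOGIN_FAILED):
        print(classify(reply))
    print(diagnose([CERT_REQUEST, LOGIN_FAILED]))
```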