> It appears from your log that the server is not sending any
> information to the client about how to connect with DTLS; there are no
> X-DTLS-* response headers.

That is what I noticed as well. I could not find any DTLS response and,
checking the code path, an empty vpninfo->dtls_options would give the same
nondescript fail message I am getting. I do not know if a DTLS channel is
ever negotiated.

> The log you sent only includes the headers in the *server response* to
> the CONNECT.
>
> Can you include more of the log, including the headers *sent by
> openconnect* along with the CONNECT request?

I am unsure how to get any more log messages. I am already running with
-vvvv. I don't know if the headers sent by openconnect are logged to
vpn_progress, but I have attached below all the logs prior to the server
response. In addition, the version of openconnect (running on Arch):

$ openconnect -V
OpenConnect version v7.08
Using GnuTLS. Features present: PKCS#11, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS

$ sudo openconnect -u user --servercert sha256:cert.... -vvvv company.com
POST https://company.com/
Attempting to connect to server ip:443
Connected to ip:443
SSL negotiation with company.com
Server certificate verify failed: signer not found
Connected to HTTPS on company.com
Got HTTP response: HTTP/1.1 303 See Other
Content-Type: text/html
Content-Length: 0
Location: https://company.com:443/webvpn.html
Set-Cookie: webvpncontext=00@MainVPNContext; path=/; Secure
Connection: Keep-Alive
HTTP body length: (0)
GET https://company.com/
Attempting to connect to server ip:443
Connected to ip:443
SSL negotiation with company.com
Server certificate verify failed: signer not found
Connected to HTTPS on company.com
Got HTTP response: HTTP/1.1 303 See Other
Content-Type: text/html
Content-Length: 0
Location: https://company.com:443/webvpn.html
Set-Cookie: webvpncontext=00@MainVPNContext; path=/; Secure
Connection: Keep-Alive
HTTP body length: (0)
GET https://company.com.sa/webvpn.html
Got HTTP response: HTTP/1.1 200 OK
Cache-Control: max-age=0
Content-Type: text/html
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; Secure
Set-Cookie: webvpncontext=00@MainVPNContext; path=/; Secure
X-Transcend-Version: 1
Content-Length: 473
Connection: close
HTTP body length: (473)
Please enter your username and password.

PASSWORD:
POST https://company.com/webvpn.html
SSL negotiation with company.com
Server certificate verify failed: signer not found
Connected to HTTPS on company.com
Got HTTP response: HTTP/1.1 200 OK
Cache-Control: max-age=0
Content-Type: text/html
Set-Cookie: webvpncontext=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; Secure
Set-Cookie: webvpn=<elided>; path=/; Secure
Set-Cookie: webvpnc=p:t&bu:/CACHE/webvpn/stc/&iu:1/&sh:8AEED847FECA7681FDE9A33D5B0BAB39D86C3&; path=/; Secure
X-Transcend-Version: 1
Content-Length: 130
Connection: Keep-Alive
HTTP body length: (130)
TCP_INFO rcv mss 536, snd mss 536, adv mss 1460, pmtu 1500
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Address: 10.200.200.175
X-CSTP-Netmask: 255.255.255.0
X-CSTP-Keep: true
X-CSTP-DNS: 10.200.200.11
X-CSTP-Lease-Duration: 43200
X-CSTP-MTU: 1406
X-CSTP-Default-Domain: company.com
X-CSTP-Split-Include: 10.200.200.0/255.255.255.0
X-CSTP-Split-Include: 10.200.0.0/255.255.0.0
X-CSTP-Rekey-Time: 3600
X-CSTP-Rekey-Method: new-tunnel
X-CSTP-DPD: 300
X-CSTP-Disconnected-Timeout: 2100
X-CSTP-Idle-Timeout: 2100
X-CSTP-Session-Timeout: 0
X-CSTP-Keepalive: 30
CSTP connected. DPD 300, Keepalive 30
CSTP Ciphersuite: (TLS1.0)-(RSA)-(AES-256-CBC)-(SHA1)
Set up DTLS failed; using SSL instead
Connected as 10.200.200.175, using SSL
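As an added illustration (not code from the thread or from openconnect itself), the following parses the CONNECT response quoted above and reports whether the server offered any X-DTLS-* parameters at all, which is the check the reply is making by hand; the sample response is constructed from the posted log.

```python
# Constructed sample: the CONNECT response headers as they appear in the log above.
CONNECT_RESPONSE = """\
HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Address: 10.200.200.175
X-CSTP-Netmask: 255.255.255.0
X-CSTP-Keep: true
X-CSTP-DNS: 10.200.200.11
X-CSTP-Lease-Duration: 43200
X-CSTP-MTU: 1406
X-CSTP-Default-Domain: company.com
X-CSTP-Split-Include: 10.200.200.0/255.255.255.0
X-CSTP-Split-Include: 10.200.0.0/255.255.0.0
X-CSTP-Rekey-Time: 3600
X-CSTP-Rekey-Method: new-tunnel
X-CSTP-DPD: 300
X-CSTP-Disconnected-Timeout: 2100
X-CSTP-Idle-Timeout: 2100
X-CSTP-Session-Timeout: 0
X-CSTP-Keepalive: 30
"""

def parse_headers(response):
    """Parse an HTTP response into {name: [values]}; repeated headers such as
    X-CSTP-Split-Include are kept as a list rather than overwritten."""
    headers = {}
    for line in response.splitlines()[1:]:       # skip the status line
        if not line.strip():
            break                                # blank line ends the headers
        name, _, value = line.partition(":")
        headers.setdefault(name.strip(), []).append(value.strip())
    return headers

def dtls_offered(headers):
    """True only if the server sent at least one X-DTLS-* header; with none,
    the client has no DTLS parameters and can only stay on the TLS tunnel."""
    return any(name.upper().startswith("X-DTLS-") for name in headers)

def tunnel_summary(headers):
    """Collect the tunnel parameters worth checking when reviewing a log."""
    one = lambda n: headers.get(n, [None])[0]
    return {
        "address": one("X-CSTP-Address"),
        "mtu": int(one("X-CSTP-MTU")),
        "split_include": headers.get("X-CSTP-Split-Include", []),
        "dtls": dtls_offered(headers),
        "dtls_headers": sorted(n for n in headers if n.upper().startswith("X-DTLS-")),
    }
```

For the posted response, tunnel_summary() reports dtls False with an empty dtls_headers list, which matches the "Set up DTLS failed; using SSL instead" line: the fallback is the expected result of the server offering no DTLS parameters, not a local DTLS error.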