On Fri, Aug 24, 2018 at 1:36 AM, <scrap at mailbox.org> wrote:
> Hi Dan,
>
> thanks once again for your kind help! :-)
>
>> Are you actually *using* the VPN continuously, and it just cuts off
>> suddenly with no warning? Or is it going idle, and then you notice
>> that it's disconnected when you go and try to use it again later?
>
> Actually I'm connecting to the VPN, using it for a few minutes and after
> finishing my work I switch off my computer. When rebooting the computer
> some minutes later the VPN will still work fine. Only if the intercostal
> break lasts longer (e.g. for a few hours) I am not able anymore to
> connect it again with the same cookie.
>
>> NetworkManager can reconnect *using the same
>> cookie* after a period where Connman cannot?
>
> I am not sure if NetworkManager uses the same cookie for later
> reconnects. My speculation is more in that way that NetworkManager is
> able to create new cookies by himself. When using the same VPN tunnel
> with NetworkManager I never had problems to reconnect it, independent of
> the duration of non-usage.
>
> Two more questions are:
>
> 1. Is there any option to force Connman to renew the cookie by himself?
> Or could I create a regular cronjob that runs the OpenConnect-script,
> creates the new cookie and pastes it into
> /var/lib/connman-vpn/vpnname.config?

I'm not sure that I fully understand your setup. I don't use Connman
myself, and rarely use NetworkManager.

When NetworkManager disconnects, it *will not* initiate a new connection
(new cookie) using previously-entered credentials without user input,
but if the underlying openconnect library can reconnect (using the same
cookie), it will

> 2. Currently I am using the following OpenConnect command to generate
> the cookie:
>
> openconnect --csd-wrapper=/home/user/.cisco/csd-wrapper.sh
> --authenticate --user=<username> <VPN-host>
>
> Is there an option available to pass-over the password to OpenConnect
> without further user prompt as well? For example by extending the upper
> command like
>
> "--user=<username> --password=<password> <VPN-host>"?

You can use `echo "$PASSWORD" | openconnect --passwd-on-stdin`.

Passing passwords via command-line arguments is inherently insecure,
because any process running on the system can see the command-line
arguments (in `/proc/*/cmdline` on Linux). There are some tricks to
overwrite the visible options, but they don't work on all OSes, and
suffer from race conditions.

Dan
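
Added example (not part of the original message, and not OpenConnect code): a shell check of the point made in the reply above, comparing what is visible in a child's argument vector when a secret is passed as an argument versus on stdin. The secret, the `demo-client` name and the `sh`/`sleep` stand-in child are constructed assumptions; openconnect itself is not run.

```shell
#!/bin/sh
# Constructed demo: no VPN client is run. "demo-client" and the secret are
# made up; sh/sleep stand in for a long-running client process.
SECRET='constructed-demo-password'

# Succeeds (0) if $SECRET appears in the argument vector of process $1,
# which is what any other local user could read.
secret_in_argv() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline" | grep -qF -- "$SECRET"
    else
        ps -o args= -p "$1" | grep -qF -- "$SECRET"   # no procfs
    fi
}

# Inspect background child $1 after it has had time to exec, then stop it.
inspect_child() {
    sleep 1
    secret_in_argv "$1"; seen=$?
    kill "$1" 2>/dev/null
    return "$seen"
}

# Case 1: secret as an argument, as in the "--password=<password>" idea.
argv_child_exposes_secret() {
    sh -c 'sleep 3; :' demo-client "--password=$SECRET" >/dev/null 2>&1 &
    inspect_child "$!"
}

# Case 2: secret on stdin, as in `echo "$PASSWORD" | ... --passwd-on-stdin`.
# printf is a shell builtin, so the secret never becomes an argv of a new
# process; an external /bin/echo would expose it briefly.
stdin_child_exposes_secret() {
    printf '%s\n' "$SECRET" |
        sh -c 'read -r pw; sleep 3; :' demo-client --passwd-on-stdin \
        >/dev/null 2>&1 &
    inspect_child "$!"
}

if argv_child_exposes_secret; then echo "argv:  secret visible"; else echo "argv:  secret hidden"; fi
if stdin_child_exposes_secret; then echo "stdin: secret visible"; else echo "stdin: secret hidden"; fi
```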