On 08/30/2018 08:57 PM, Daniel Lenski wrote:
> On Thu, Aug 30, 2018 at 2:13 PM, Christopher Mattern <syscjm at gwu.edu> wrote:
>> Recently started having a problem with openconnect connecting to a Cisco
>> AnyConnect VPN server. I suspect the problem is vpnc-client not correctly
>> opening up a tunnel, but I'm not sure and I have no idea how to fix it.
>> I've tried three different vpn-client scripts.
>
> Just for clarity of nomenclature, this script is simply called
> `vpnc-script` (no "client" :-D).
>
>> With any of them, I have no
>> network connectivity, and I get different error messages when I ctrl-C. I
>> used to get a message about it setting up a tun0 device after a short delay,
>> but I'm not seeing that any more.
>>
>> This is what I was originally getting from the install from the Ubuntu
>> repository:
>
> Which Ubuntu release?
>
> The errors you are getting?
>
>>> Error: argument "via" is wrong: use nexthop syntax to specify multiple via
>>> ...
>>> Error: any valid prefix is expected rather than "dev".
>>> ..
>>> Error: any valid prefix is expected rather than "dev".
>
> ... indicate some kind of syntax error in the invocation of routing
> configuration utilities (iproute2 or route) by the vpnc-script,
> seemingly a missing netmask. The VPN gateway is somehow providing an
> unexpected routing configuration which the script isn't parsing
> correctly.
>
>> Any help on how I can fix this?
>
> 1) Run with `openconnect --dump-http-traffic`. Capture all the CONNECT
> headers that start with X-CSTP and relate to routing and post 'em.
> None of this should be confidential, given that you've already
> publicized the gateway address, but obfuscate anything that looks
> password-y?
>
> Got CONNECT response: HTTP/1.1 200 OK
> X-CSTP-Version: 1
> X-CSTP-Address: 10.5.5.5
> X-CSTP-Netmask: 255.255.0.0.0
> ...
> X-CSTP-MSIE-Proxy-Lockdown: false
> X-CSTP-Smartcard-Removal-Disconnect: true
> ...
> CSTP connected. DPD 30, Keepalive 20
>
> 2) Go back to the distro-provided vpnc-script (under Ubuntu, this
> should be /usr/share/vpnc-scripts/vpnc-script).
>
> Then invoke openconnect with:
>
> openconnect -u syscjm https://go.vpn.gwu.edu/ses \
> --script 'bash -x /usr/share/vpnc-script/vpnc-script'
>
> This will produce a torrent of tracing output from the vpnc-script,
> which should help you to identify exactly which of the routing
> configuration commands is leading to the syntax error, and we can take
> it from there.
>
> Dan

Thanks for your help. Sorry I forgot to put what Ubuntu release; it's 18.04.1 LTS.

I ran a session with --dump-http-traffic. Here are the lines of output with CSTP:

>> X-CSTP-Version: 1
>> X-CSTP-Hostname: ibis
>> X-CSTP-Accept-Encoding: oc-lz4,lzs
>> X-CSTP-Base-MTU: 1500
>> X-CSTP-MTU: 1406
>> X-CSTP-Address-Type: IPv6,IPv4
>> X-CSTP-Full-IPv6-Capability: true
> X-CSTP-Version: 1
> X-CSTP-Protocol: Copyright (c) 2004 Cisco Systems, Inc.
> X-CSTP-Address: 128.164.108.32
> X-CSTP-Netmask: 255.255.255.192
> X-CSTP-Hostname: ASAFB1.gwu.edu
> X-CSTP-DNS: 128.164.141.231
> X-CSTP-DNS: 161.253.152.241
> X-CSTP-Lease-Duration: 43200
> X-CSTP-Session-Timeout: 43200
> X-CSTP-Idle-Timeout: 3600
> X-CSTP-Disconnected-Timeout: 3600
> X-CSTP-Default-Domain: ead.gwu.edu
> X-CSTP-Split-Exclude: 0.0.0.0/255.255.255.255
> X-CSTP-Keep: true
> X-CSTP-Tunnel-All-DNS: false
> X-CSTP-DPD: 30
> X-CSTP-Keepalive: 20
> X-CSTP-MSIE-Proxy: none
> X-CSTP-MSIE-Proxy-Lockdown: true
> X-CSTP-Smartcard-Removal-Disconnect: true
> X-CSTP-MTU: 1406
> X-CSTP-Routing-Filtering-Ignore: false
> X-CSTP-Quarantine: false
> X-CSTP-Disable-Always-On-VPN: false
> X-CSTP-Client-Bypass-Protocol: false
> X-CSTP-TCP-Keepalive: true
> X-CSTP-Post-Auth-XML: <elided>
> CSTP connected. DPD 30, Keepalive 20
> CSTP Ciphersuite: (TLS1.0)-(DHE-RSA-1024)-(AES-128-CBC)-(SHA1)
> Send CSTP DPD

A run with sh -x on the vpnc-script shows it seems to be hanging when it tries to run "/sbin/resolvconf -a tun0".

-- 
Christopher Mattern
Unix Engineer, George Washington University
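A small diagnostic along the lines of Dan's step 1, added here as an example and not code from the thread, from openconnect or from vpnc-script: it pulls the X-CSTP headers out of a --dump-http-traffic capture and turns each netmask into the prefix length a routing script needs before it can build an `ip route` argument, reporting a missing, truncated or non-contiguous mask instead of passing it through (which is roughly where the "any valid prefix is expected" errors above come from). The header names are the real X-CSTP ones; the sample capture is constructed from the values quoted in this thread, and the function names are my own.

```python
import ipaddress
import re

# Constructed sample in the "> header: value" form that `openconnect
# --dump-http-traffic` prints, modelled on the values quoted in this thread.
SAMPLE_DUMP = """\
> X-CSTP-Address: 128.164.108.32
> X-CSTP-Netmask: 255.255.255.192
> X-CSTP-Split-Exclude: 0.0.0.0/255.255.255.255
"""
CSTP_HEADER = re.compile(r"^[>\s]*(X-CSTP-[A-Za-z0-9-]+):\s*(.*?)\s*$")

def parse_cstp_headers(dump_text):
    """Collect X-CSTP-* headers into {name: [values]}; repeated headers keep order."""
    headers = {}
    for m in filter(None, map(CSTP_HEADER.match, dump_text.splitlines())):
        headers.setdefault(m.group(1), []).append(m.group(2))
    return headers

def netmask_to_prefixlen(mask):
    """Dotted-quad netmask -> prefix length; ValueError unless it is a contiguous IPv4 mask."""
    try:
        bits = int(ipaddress.IPv4Address(mask))
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"netmask {mask!r}: {exc}") from None
    inverted = ~bits & 0xFFFFFFFF  # a contiguous mask inverts to 2**k - 1
    if inverted & (inverted + 1):
        raise ValueError(f"netmask {mask!r} is not contiguous")
    return 32 - inverted.bit_length()

def routing_plan(headers):
    """Return (routes, problems): ('kind', 'a.b.c.d/N') tuples that are safe to
    hand to `ip route`, and messages for the header values that are not."""
    items = []
    if "X-CSTP-Address" in headers:
        items.append(("address", headers["X-CSTP-Address"][0],
                      headers.get("X-CSTP-Netmask", ["<missing>"])[0]))
    for kind, name in (("include", "X-CSTP-Split-Include"), ("exclude", "X-CSTP-Split-Exclude")):
        for value in headers.get(name, []):
            net, _, netmask = value.partition("/")
            items.append((kind, net, netmask or "<missing>"))
    routes, problems = [], []
    for kind, net, netmask in items:
        try:  # IPv4Interface also rejects a malformed address
            iface = ipaddress.IPv4Interface(f"{net}/{netmask_to_prefixlen(netmask)}")
            routes.append((kind, str(iface if kind == "address" else iface.network)))
        except ValueError as exc:
            problems.append(f"{kind}: {exc}")
    return routes, problems
```

Running `routing_plan(parse_cstp_headers(SAMPLE_DUMP))` on the headers above yields a /26 address and a single-host exclude route with no problems; feeding it Dan's five-octet "255.255.0.0.0" sample instead yields no routes and one problem naming that mask.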