On Jul 26, 2018 7:28 AM, "Ahmed Kamal" <email.ahmedkamal at googlemail.com> wrote:
>
> Thanks for helping. My config file is mostly defaults. Here it is:
> https://transfer.sh/tXIM0/ocserv.conf.txt
> Let me know if anything else is needed to debug this. Thanks

In your configuration file, you've explicitly *disabled* the settings
which allow DTLS connections from (a) Cisco clients and (b) openconnect
< v7.08. Since you're connecting with openconnect v7.06, that explains
the problem. (It's not offering the PSK-NEGOTIATE cipher which newer
openconnect versions send to trigger the new-style DTLS negotiation.)

# This option will enable the pre-draft-DTLS version of DTLS, and
# will not require clients to present their certificate on every TLS
# connection. It must be set to true to support legacy CISCO clients
# and openconnect clients < 7.08. When set to true, it implies dtls-legacy = true.
cisco-client-compat = false

# This option allows to disable the legacy DTLS negotiation (enabled by default,
# but that may change in the future).
# The legacy DTLS uses a pre-draft version of the DTLS protocol and was
# from AnyConnect protocol. It has several limitations, that are addressed
# by the dtls-psk protocol supported by openconnect 7.08+.
dtls-legacy = false

-Dan

On Thu, Jul 26, 2018 at 4:28 AM, Ahmed Kamal <email.ahmedkamal at googlemail.com> wrote:
> Thanks for helping. My config file is mostly defaults. Here it is:
> https://transfer.sh/tXIM0/ocserv.conf.txt
> Let me know if anything else is needed to debug this. Thanks
>
> On Thu, Jul 26, 2018 at 4:29 AM Daniel Lenski <dlenski at gmail.com> wrote:
>>
>> On Jul 25, 2018 4:12 PM, "Ahmed Kamal" <email.ahmedkamal at googlemail.com> wrote:
>> >
>> > Hello folks,
>> >
>> > I'm trying to connect to ocserv. DTLS is always failing to connect.
>> > You can find a dump of the connection attempt here
>> > http://paste.ubuntu.com/p/fPP9X59yFH/
>> >
>> > PS: I'm not subscribed to the list.
>>
>> In your connection log, the response returned from the server after
>> the CONNECT contains no X-DTLS headers (except, for some reason, for
>> X-DTLS-Content-Encoding).
>>
>> Is the *server* not configured to offer a DTLS connection?
>>
>> Dan
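Added example (not part of the thread, and not ocserv's or openconnect's own code): a small checker that reads the two DTLS-compatibility options from an ocserv.conf and predicts, from the rules in the config comments quoted above, whether an openconnect client of a given version will get a DTLS channel. It assumes booleans are written true/false, that cisco-client-compat defaults to false when absent (the thread only states the default for dtls-legacy), and that UDP reachability is not the limiting factor; the sample config is constructed to mirror the reporter's settings.

```python
import re

# Matches 'key = value' lines of an ocserv.conf; comments are stripped first.
_KV = re.compile(r"^\s*([A-Za-z0-9_-]+)\s*=\s*(.*?)\s*$")


def parse_ocserv_conf(text):
    """Return {key: value} for every 'key = value' line; '#' starts a comment."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        m = _KV.match(line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts


def _bool(opts, key, default):
    """Booleans in the quoted config are spelled 'true'/'false' (assumption)."""
    val = opts.get(key)
    return default if val is None else val.strip().lower() == "true"


def legacy_dtls_enabled(opts):
    """Pre-draft (legacy) DTLS is offered if dtls-legacy is on (enabled by
    default per the config comment) or cisco-client-compat is true, which
    implies dtls-legacy = true. Default false for cisco-client-compat is assumed."""
    cisco_compat = _bool(opts, "cisco-client-compat", False)
    dtls_legacy = _bool(opts, "dtls-legacy", True)
    return cisco_compat or dtls_legacy


def client_gets_dtls(opts, openconnect_version):
    """openconnect >= 7.08 negotiates dtls-psk (PSK-NEGOTIATE); older clients
    only get DTLS when the server still offers the legacy negotiation."""
    if tuple(openconnect_version) >= (7, 8):
        return True
    return legacy_dtls_enabled(opts)


# Constructed sample: the two settings the reporter had explicitly disabled.
SAMPLE_CONF = """\
# trimmed ocserv.conf (constructed sample)
cisco-client-compat = false
dtls-legacy = false
"""

if __name__ == "__main__":
    opts = parse_ocserv_conf(SAMPLE_CONF)
    for major, minor in ((7, 6), (7, 8)):
        print("openconnect %d.%02d gets DTLS: %s"
              % (major, minor, client_gets_dtls(opts, (major, minor))))
```

Leaving both options at false is the stricter server posture; the trade-off is that clients older than 7.08 fall back to TLS-only transport.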