On 02/06/18 18:50, Daniel Lenski wrote:
> On Sat, Jun 2, 2018 at 11:00 AM, Stephen Davies <sdavies at sdc.com.au> wrote:
>> I am trying to connect to a client's VPN with openconnect.
>>
>> I successfully used openconnect to this site two years ago but obviously
>> things have changed since then.
>>
>> I have tried with the version provided by Centos 7 and with versions
>> compiled here with several different OpenSSL releases but to no avail.
>>
>> Here is what I see (edited to protect the innocent):
>>
>> [root at se5 ~]# openconnect --config=/etc/openconnect.conf remotehost
>> POST https://remotehost/vendor
>> Attempting to connect to server 1.2.3.4:443
>> SSL negotiation with remotehost
>> Connected to HTTPS on remotehost
>> Got HTTP response: HTTP/1.1 404 Not Found
>> Unexpected 404 result from server
>> GET https://remotehost/vendor
>> Attempting to connect to server 1.2.3.4:443
>> SSL negotiation with remotehost
>> Connected to HTTPS on remotehost
>> Got HTTP response: HTTP/1.0 302 Temporary moved
>> GET https://remotehost/+webvpn+/index.html
>> SSL negotiation with remotehost
>> Connected to HTTPS on remotehost
>> Got HTTP response: HTTP/1.1 301 Moved Permanently
>> GET https://remotehost/+CSCOU+/anyconnect_unsupported_version.html
>> Please upgrade your AnyConnect Client
>> Failed to obtain WebVPN cookie
> There's nothing wrong with the new version of openconnect; it's just
> that the server has decided to refuse connections from clients it
> doesn't recognize. This kind of gratuitous incompatibility is easily
> bypassed by spoofing the User-Agent string of an "acceptable" client.
> See manual (http://www.infradead.org/openconnect/manual.html) or try
> something like this:
>
> --useragent "Cisco AnyConnect VPN Agent for Windows 4.6.01098"
>
> Dan
>

Down with paranoia! I love simple solutions like this but unfortunately, it did not work for me.

I added --useragent="Cisco AnyConnect VPN Agent for Windows 4.6.01098" to my command line and then to my config file but neither made any difference to the output.

I tried 7.06 (from Centos 7) and 7.08 built here with OpenSSL 1.1.0h. The results were the same except that 7.08 gave additional messages re the issuer certificate.

I then managed to find that the Windoze AnyConnect client that they use is 4.2.01035 so I tried that in the useragent but still no joy.

Is there something different in that old version of AnyConnect?

Cheers and thanks,
Stephen