On Tue, 2018-06-12 at 18:07 +0200, scrap at mailbox.org wrote:
> Hello together,
>
> in the past I was using NetworkManager and got OpenConnect including
> Cisco's Secure Desktop (CSD) working easily.
>
> Now I switched to the more lightweight ConnMan and have some trouble to
> set up OpenConnect correctly.
>
> --------------------------------------------------------------------------
>
> The first question is: ConnMan's CMST-GUI provides several options for
> possible OpenConnect-VPN types to build the necessary config file. In
> detail these are:
>
> - Provider OpenConnect
> - OpenConnect.ServerCert
> - OpenConnect.CACert
> - OpenConnect.ClientCert
> - OpenConnect.MTU
> - OpenConnect.Cookie
> - OpenConnect.VPNHost
>
> Which type do I have to choose to get OpenConnect working together with CSD?

It's been a while since I paid much attention to ConnMan so I'm not
entirely sure of the current state of the authentication agents.

The way the VPN works is that you *first* authenticate (using the CSD
trojan and your cert and password and anything else), and you are
rewarded with a cookie - literally, an HTTP cookie called "webvpn".

You then take that cookie, along with the IP address of the VPN server
you were talking to (after any load balancing and other redirects), and
its certificate fingerprint (because it might not have been trusted;
you might have accepted it manually).

So there are three pieces of information which are needed to actually
make the connection:

 • VPN server address
 • Certificate fingerprint
 • Cookie

When you compare with your NetworkManager configuration, you are
comparing apples and oranges. That contains the information that you
*start* with - the first server you start authenticating to, things
like usernames and passwords.

ConnMan doesn't care about any of that, or didn't when I last looked.
It just needs those three fields listed above (which are precisely what
the NM auth-dialog actually hands off to NetworkManager itself, behind
the scenes).

Somewhere there was a script which runs 'openconnect --authenticate' to
obtain the three relevant fields, and then poke ConnMan to connect
using them. Isn't that still in the ConnMan repo somewhere?
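
The hand-off described in the message above, as an added example that is not part of the original post and is not the ConnMan repository's script: it reads the `KEY='value'` lines printed by `openconnect --authenticate` with a strict allowlist instead of `eval`, and renders the three fields into a ConnMan provisioning stanza. The function names, the `[provider_openconnect]` section name, the `Type`/`Name`/`Host`/`Domain` layout and all sample values are assumptions or constructed; only the `OpenConnect.*` key names come from the message.

```shell
#!/bin/sh
# Added example: turn `openconnect --authenticate` output into a ConnMan
# provisioning stanza without eval'ing text that the VPN server influences.

# Constructed sample of the KEY='value' lines (not real credentials).
sample_auth_output() {
    cat <<'EOF'
COOKIE='1234567890@12345@1528819620@0123456789ABCDEF0123456789ABCDEF'
HOST='192.0.2.10'
FINGERPRINT='0123456789ABCDEF0123456789ABCDEF01234567'
EOF
}

# parse_auth_field NAME <auth-output: print NAME's value only if the whole
# line is NAME='...' with characters from a conservative allowlist
# (assumption: hostnames/IPv4, hex or pin-sha256 fingerprints, Cisco cookies).
parse_auth_field() {
    sed -n "s|^$1='\([A-Za-z0-9@:._=+/,-]*\)'\$|\1|p" | head -n 1
}

# render_connman_config NAME START_HOST DOMAIN <auth-output
# Hypothetical helper; the Type/Name/Host/Domain layout is an assumption to
# check against the vpn-config format of the installed ConnMan.
render_connman_config() {
    auth_output=$(cat)
    vpnhost=$(printf '%s\n' "$auth_output" | parse_auth_field HOST)
    fingerprint=$(printf '%s\n' "$auth_output" | parse_auth_field FINGERPRINT)
    cookie=$(printf '%s\n' "$auth_output" | parse_auth_field COOKIE)
    if [ -z "$vpnhost" ] || [ -z "$fingerprint" ] || [ -z "$cookie" ]; then
        echo "refusing: HOST/FINGERPRINT/COOKIE missing or malformed" >&2
        return 1
    fi
    cat <<EOF
[provider_openconnect]
Type = OpenConnect
Name = $1
Host = $2
Domain = $3
OpenConnect.VPNHost = $vpnhost
OpenConnect.ServerCert = $fingerprint
OpenConnect.Cookie = $cookie
EOF
}

# Demo on the constructed sample; in real use pipe in the output of
# `openconnect --authenticate <server>` and write the result under umask 077,
# because the cookie is a live session credential.
sample_auth_output | render_connman_config "Work VPN" vpn.example.com example.com
```

The fingerprint line is what pins the server certificate for the second connection, so a stanza that lacks it or carries a malformed one is rejected rather than written.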