I have been using OpenConnect successfully for some time in an Ubuntu Linux chroot on a Chromebook, as this is the only way to authenticate using a SmartCard into my office's Cisco VPN network on ChromeOS. Starting in September, when I attempt to connect to the VPN, the connection seems to work but I am no longer able to access anything on the network.

Unfortunately, I cannot ascertain whether the problem is on my end, or on my office's end, because I had recently re-installed my chroot. Most of my colleagues run Windows with AnyConnect, and are not now experiencing issues with connectivity, though there were some problems with the building WiFi and VPN around the same time. There are a few Mac users who use OpenConnect, and they report a similar issue as mine on the latest version of MacOS, but OpenConnect works on earlier versions of MacOS.

Output from openconnect --version:

    OpenConnect version v7.08-3ubuntu0.18.04.1
    Using GnuTLS. Features present: PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS

An example of the OpenConnect command I am attempting with my SmartCard cert url info removed:

    sudo openconnect -v -u adam.allgood --cafile='/home/avrammeir/Downloads/UserNSSDB 6cd262f44f10e19bc2ba48_DOD EMAIL CA-51 - U.S.pem' -c '<REMOVED>' cpvpn.ncep.noaa.gov/cac/ > openconnect-log.txt

The output I see on the command line is:

    PIN required for <REMOVED>
    Enter PIN:
    CSTP Dead Peer Detection detected dead peer!
    Failed to reconnect to host cpvpn.ncep.noaa.gov: Connection timed out
    Failed to reconnect to host cpvpn.ncep.noaa.gov: Connection timed out
    Failed to reconnect to host cpvpn.ncep.noaa.gov: Connection timed out
    Failed to reconnect to host cpvpn.ncep.noaa.gov: Connection timed out
    Failed to reconnect to host cpvpn.ncep.noaa.gov: Connection timed out
    Failed to reconnect to host cpvpn.ncep.noaa.gov: Connection timed out
    Failed to reconnect to host cpvpn.ncep.noaa.gov: Connection timed out
    Failed to reconnect to host cpvpn.ncep.noaa.gov: Connection timed out

And in the file openconnect-log.txt, I see:

    POST https://cpvpn.ncep.noaa.gov/cac/
    Attempting to connect to server 140.90.73.186:443
    Connected to 140.90.73.186:443
    Using PKCS#11 certificate <REMOVED>
    Using PKCS#11 key <REMOVED>
    Using client certificate '<REMOVED>'
    Adding supporting CA 'DOD EMAIL CA-51'
    SSL negotiation with cpvpn.ncep.noaa.gov
    Connected to HTTPS on cpvpn.ncep.noaa.gov
    Got HTTP response: HTTP/1.0 302 Temporary moved
    Set-Cookie: tg=0QW55Y29ubmVjdC1DQUM=; path=/; secure
    Content-Length: 0
    Cache-Control: no-cache
    Pragma: no-cache
    Connection: Close
    Date: Wed, 23 Oct 2019 18:08:36 GMT
    X-Frame-Options: SAMEORIGIN
    Strict-Transport-Security: max-age=31536000; preload;
    Location: /+webvpn+/index.html
    HTTP body length: (0)
    GET https://cpvpn.ncep.noaa.gov/cac/
    Attempting to connect to server 140.90.73.186:443
    Connected to 140.90.73.186:443
    SSL negotiation with cpvpn.ncep.noaa.gov
    Connected to HTTPS on cpvpn.ncep.noaa.gov
    Got HTTP response: HTTP/1.0 302 Temporary moved
    Set-Cookie: tg=0QW55Y29ubmVjdC1DQUM=; path=/; secure
    Content-Length: 0
    Cache-Control: no-cache
    Pragma: no-cache
    Connection: Close
    Date: Wed, 23 Oct 2019 18:08:38 GMT
    X-Frame-Options: SAMEORIGIN
    Strict-Transport-Security: max-age=31536000; preload;
    Location: /+webvpn+/index.html
    HTTP body length: (0)
    GET https://cpvpn.ncep.noaa.gov/+webvpn+/index.html
    SSL negotiation with cpvpn.ncep.noaa.gov
    Connected to HTTPS on cpvpn.ncep.noaa.gov
    Got HTTP response: HTTP/1.1 200 OK
    Strict-Transport-Security: max-age=31536000; preload;
    Transfer-Encoding: chunked
    Content-Type: text/xml
    Cache-Control: max-age=0
    Set-Cookie: webvpnlogin=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
    Set-Cookie: webvpn_as=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
    Set-Cookie: samlPreauthSessionHash=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
    Set-Cookie: acSamlv2Token=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
    Set-Cookie: acSamlv2Error=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
    Set-Cookie: tg=1QW55Y29ubmVjdC1DQUM=; expires=Thu, 24 Oct 2019 06:08:40 GMT; path=/; secure
    Set-Cookie: webvpn=<elided>; path=/; secure
    Set-Cookie: webvpnc=bu:/CACHE/stc/&p:t&iu:1/&ch:085BA44D4EA3D7B8341016BEB24D434431A6CD47&sh:9B065194EB3622CB9E80466DA9C36CC5792D6AF7&lu:/+CSCOT+/translation-table?textdomain%3DAnyConnect%26type%3Dmanifest; path=/; secure
    Set-Cookie: webvpnx=
    Set-Cookie: webvpnaac=1; path=/; secure
    X-Frame-Options: SAMEORIGIN
    X-Transcend-Version: 1
    HTTP body chunked (-2)
    SSL negotiation with cpvpn.ncep.noaa.gov
    Connected to HTTPS on cpvpn.ncep.noaa.gov
    TCP_INFO rcv mss 1448, snd mss 1448, adv mss 1448, pmtu 1500
    Got CONNECT response: HTTP/1.1 200 OK
    X-CSTP-Version: 1
    X-CSTP-Protocol: Copyright (c) 2004 Cisco Systems, Inc.
    X-CSTP-Address: 192.168.56.214
    X-CSTP-Netmask: 255.255.255.0
    X-CSTP-Hostname: NCOFW2.ncep.noaa.gov
    X-CSTP-DNS: 10.90.110.51
    X-CSTP-DNS: 10.90.110.52
    X-CSTP-Lease-Duration: 1209600
    X-CSTP-Session-Timeout: none
    X-CSTP-Session-Timeout-Alert-Interval: 60
    X-CSTP-Session-Timeout-Remaining: none
    X-CSTP-Idle-Timeout: 1800
    X-CSTP-Disconnected-Timeout: 1800
    X-CSTP-Default-Domain: ncepad.noaa.gov
    X-CSTP-Keep: true
    X-CSTP-Tunnel-All-DNS: false
    X-CSTP-DPD: 30
    X-CSTP-Keepalive: 20
    X-CSTP-MSIE-Proxy-Lockdown: true
    X-CSTP-Smartcard-Removal-Disconnect: false
    X-DTLS-Session-ID: A56FC73238401DFFA653FD0EBC8F18B9499152172A98777C4E0E68116B42C624
    X-DTLS-Port: 443
    X-DTLS-Keepalive: 20
    X-DTLS-DPD: 30
    X-CSTP-MTU: 1395
    X-DTLS-MTU: 1406
    X-DTLS-CipherSuite: DHE-RSA-AES256-SHA
    X-CSTP-Routing-Filtering-Ignore: false
    X-CSTP-Quarantine: false
    X-CSTP-Disable-Always-On-VPN: false
    X-CSTP-Client-Bypass-Protocol: false
    X-CSTP-TCP-Keepalive: true
    CSTP connected. DPD 30, Keepalive 20
    CSTP Ciphersuite: (TLS1.2)-(DHE-RSA-1024)-(AES-256-CBC)-(SHA1)
    DTLS option X-DTLS-Session-ID : A56FC73238401DFFA653FD0EBC8F18B9499152172A98777C4E0E68116B42C624
    DTLS option X-DTLS-Port : 443
    DTLS option X-DTLS-Keepalive : 20
    DTLS option X-DTLS-DPD : 30
    DTLS option X-DTLS-MTU : 1406
    DTLS option X-DTLS-CipherSuite : DHE-RSA-AES256-SHA
    DTLS initialised. DPD 30, Keepalive 20
    Connected as 192.168.56.214, using SSL
    Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(DHE-RSA-4294967237)-(AES-256-CBC)-(SHA1).
    Initiating IPv4 MTU detection (min=703, max=1406)
    No change in MTU after detection (was 1406)
    Send CSTP Keepalive
    Send CSTP DPD
    Send CSTP DPD
    Got DTLS DPD request
    Send CSTP DPD
    sleep 10s, remaining timeout 300s
    sleep 20s, remaining timeout 290s
    sleep 30s, remaining timeout 270s
    sleep 40s, remaining timeout 240s
    sleep 50s, remaining timeout 200s
    sleep 60s, remaining timeout 150s
    sleep 70s, remaining timeout 90s
    sleep 80s, remaining timeout 20s

One piece of weirdness that may be helpful to report as well: when I try this on xenial (the previous LTS Ubuntu) instead of bionic, I get a "DTLS handshake failed - resource temporarily unavailable" error. Here the DTLS connection seems to be made, but then.... nothing.

Thank you so much for maintaining this software!

Adam