On Tue, Mar 31, 2020 at 10:43 AM Darren Fuller <dfuller@xxxxxxxxxxxxxx> wrote:
> I was running openconnect on my old laptop for years without issue.
> I was given a new laptop from work and I can't for the life of me get
> it to function properly now.

What version were you using on the old laptop? Any other possibly relevant changes? Any change in the vpnc-script (https://www.infradead.org/openconnect/vpnc-script.html) that you are using?

> The new laptop is on Linux Mint 19.3. I built all the prerequisite
> libraries from source as well as the latest version of openconnect.

I haven't seen anyone build OpenConnect with OpenSSL 3.0.0-dev before. This is a very new version and it's possible that something doesn't work right with DTLS.

> Here is my output from --version
>
> > openconnect --version
> OpenConnect version v8.06-1-g9377c0ed
> Using OpenSSL 3.0.0-dev xx XXX xxxx. Features present: TPM (OpenSSL
> ENGINE not present), PKCS#11, RSA software token, HOTP software token,
> TOTP software token, DTLS, ESP
> Supported protocols: anyconnect (default), nc, gp, pulse
>
> When I connect, I get no errors, but I can't seem to do anything on
> the remote network.
>
> Here is an anonymized version of what I am using to connect. Note,
> these are the same values I used on the old machine without issue:

Things to try:

1 (help us figure out what's wrong): Run `make check` to test openconnect against a local copy of ocserv. This will likely help to pinpoint a DTLS problem.

2 (just make it work right now): Add --no-dtls to the command line. This disables DTLS and uses only TLS for the tunnel. It's suboptimal, and probably slower, but if it can authenticate and do the routing setup correctly… the tunnel should work pretty much no matter what.

3 (rebuild with GnuTLS): This should be as simple as `sudo apt-get install libgnutls-dev && ./configure --with-gnutls && make`. Do note that DTLS is disabled with some recent versions of GnuTLS, because of a security bug.
We generally suggest building with GnuTLS, rather than DTLS.

Thanks,
Dan

> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> default testwifi.here 0.0.0.0 UG 600 0 0 wlp4s0
> link-local 0.0.0.0 255.255.0.0 U 1000 0 0 wlp4s0
> 192.168.86.0 0.0.0.0 255.255.255.0 U 600 0 0 wlp4s0
>
> Route After Connection:
>
> default 0.0.0.0 0.0.0.0 U 0 0 0 tun0
> default _gateway 0.0.0.0 UG 600 0 0 wlp4s0
> c1.2.3.4. _gateway 255.255.255.255 UGH 0 0 0 wlp4s0
> 142.63.4.0 0.0.0.0 255.255.252.0 U 0 0 0 tun0
> link-local 0.0.0.0 255.255.0.0 U 1000 0 0 wlp4s0
> 192.168.86.0 0.0.0.0 255.255.255.0 U 600 0 0 wlp4s0

_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel
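As an added example, not code from the thread or from the OpenConnect project: a small Python check, assuming eight-column `route` style output and a tunnel interface named tun0, that parses tables like the ones quoted above and reports whether the VPN interface holds the preferred default route and whether a host route to the VPN server exists on the physical interface, which is what a correct vpnc-script run should leave behind after connecting.

```python
"""Check a `route` listing for the routes a full-tunnel VPN should leave."""
from collections import namedtuple

Route = namedtuple("Route", "dest gateway genmask flags metric iface")

def parse_route_table(text: str) -> list:
    """Parse `route` output (8 columns per row); header/other lines are skipped."""
    routes = []
    for line in text.splitlines():
        cols = line.lstrip("> ").split()  # tolerate mail-quoted lines
        if len(cols) != 8 or cols[0] == "Destination":
            continue
        dest, gw, mask, flags, metric, _ref, _use, iface = cols
        routes.append(Route(dest, gw, mask, flags, int(metric), iface))
    return routes

def vpn_route_findings(routes: list, tun: str = "tun0") -> list:
    """Return problems found; an empty list means the table looks right:
    the tunnel holds the lowest-metric default route and a host route to
    the VPN server (flag H) exists outside the tunnel (assumed tun0)."""
    findings = []
    defaults = [r for r in routes if r.dest == "default"]
    if not any(r.iface == tun for r in defaults):
        findings.append(f"no default route via {tun}")
    elif min(defaults, key=lambda r: r.metric).iface != tun:
        findings.append(f"a non-{tun} default route has the lowest metric")
    if not any("H" in r.flags and r.iface != tun for r in routes):
        findings.append("no host route to the VPN server outside the tunnel")
    return findings

# Constructed sample input: the two tables quoted in the thread above.
BEFORE = """\
Destination Gateway Genmask Flags Metric Ref Use Iface
default testwifi.here 0.0.0.0 UG 600 0 0 wlp4s0
link-local 0.0.0.0 255.255.0.0 U 1000 0 0 wlp4s0
192.168.86.0 0.0.0.0 255.255.255.0 U 600 0 0 wlp4s0
"""
AFTER = """\
default 0.0.0.0 0.0.0.0 U 0 0 0 tun0
default _gateway 0.0.0.0 UG 600 0 0 wlp4s0
c1.2.3.4. _gateway 255.255.255.255 UGH 0 0 0 wlp4s0
142.63.4.0 0.0.0.0 255.255.252.0 U 0 0 0 tun0
link-local 0.0.0.0 255.255.0.0 U 1000 0 0 wlp4s0
192.168.86.0 0.0.0.0 255.255.255.0 U 600 0 0 wlp4s0
"""

if __name__ == "__main__":
    for name, table in (("before", BEFORE), ("after", AFTER)):
        print(name, vpn_route_findings(parse_route_table(table)) or "ok")
```

If the post-connection table passes this check but traffic still goes nowhere, the routing setup is not the culprit and the DTLS suspicion above is the next thing to chase.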