On Tue, Mar 31, 2020 at 3:40 PM Daniel Lenski <dlenski@xxxxxxxxx> wrote:
>
> On Tue, Mar 31, 2020 at 10:43 AM Darren Fuller <dfuller@xxxxxxxxxxxxxx> wrote:
> > I was running openconnect on my old laptop for years without issue.
> > I was given a new laptop from work and I can't for the life of me get
> > it to function properly now.
>
> What version were you using on the old laptop?
> Any other possibly relevant changes?
> Any change in the vpnc-script
> (https://www.infradead.org/openconnect/vpnc-script.html) that you are
> using?

I have no idea other than I had it for about 2 years. The laptop went tits up unexpectedly, and although I had the script I used to connect saved in a private git repo, I didn't have information on versions.

I used to use the vpn-slice script, but when that didn't work, I omitted the -s altogether to see if I could figure it out.

> > The new laptop is on Linux Mint 19.3. I built all the prerequisite
> > libraries from source as well as the latest version of openconnect.
>
> I haven't seen anyone build OpenConnect with OpenSSL 3.0.0-dev before.
> This is a very new version and it's possible that something doesn't
> work right with DTLS.

OK... I will back that out and try an older version. Is there a preferred version to use?

> > Here is my output from --version
> >
> > > openconnect --version
> > OpenConnect version v8.06-1-g9377c0ed
> > Using OpenSSL 3.0.0-dev xx XXX xxxx. Features present: TPM (OpenSSL
> > ENGINE not present), PKCS#11, RSA software token, HOTP software token,
> > TOTP software token, DTLS, ESP
> > Supported protocols: anyconnect (default), nc, gp, pulse
> >
> > When I connect, I get no errors, but I can't seem to do anything on
> > the remote network.
> >
> > Here is an anonymized version of what I am using to connect. Note,
> > these are the same values I used on the old machine without issue:
>
> Things to try:
>
> 1 (help us figure out what's wrong): Run `make check` to test
> openconnect against a local copy of ocserv. This will likely help to
> pinpoint a DTLS problem.

I did run make check when I built it initially. Here is the make check output:

(Tue Mar-3 4:48:56pm)-(CPU 24.7%:0:Net 88)-(darren:~/dev/openconnect)-(3.8M:139) > make check
Making check in tests
make[1]: Entering directory '/home/darren/dev/openconnect/tests'
make
make[2]: Entering directory '/home/darren/dev/openconnect/tests'
make[2]: Nothing to be done for 'all'.
make[2]: Leaving directory '/home/darren/dev/openconnect/tests'
make check-TESTS
make[2]: Entering directory '/home/darren/dev/openconnect/tests'
make[3]: Entering directory '/home/darren/dev/openconnect/tests'
PASS: lzstest
PASS: seqtest
PASS: bad_dtls_test
============================================================================
Testsuite summary for openconnect 8.06
============================================================================
# TOTAL: 3
# PASS: 3
# SKIP: 0
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
============================================================================
make[3]: Leaving directory '/home/darren/dev/openconnect/tests'
make[2]: Leaving directory '/home/darren/dev/openconnect/tests'
make[1]: Leaving directory '/home/darren/dev/openconnect/tests'
Making check in po
make[1]: Entering directory '/home/darren/dev/openconnect/po'
make[1]: Nothing to be done for 'check'.
make[1]: Leaving directory '/home/darren/dev/openconnect/po'
make[1]: Entering directory '/home/darren/dev/openconnect'
make[1]: Leaving directory '/home/darren/dev/openconnect'

> 2 (just make it work right now): Add --no-dtls to the command line.
> This disables DTLS and uses only TLS for the tunnel. It's suboptimal,
> and probably slower, but if it can authenticate and do the routing
> setup correctly… the tunnel should work pretty much no matter what.

I tried this, looking at the output from another set of questions on here. Doesn't seem to make a difference. When I try to open a web page on a known IP in the remote network I get no replies at all:

> sudo tcpdump -i tun0 | grep 209.171.240.41
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
16:53:42.630947 IP u11026.44826 > 209.171.240.41.8200: Flags [S], seq 383197302, win 64480, options [mss 1240,sackOK,TS val 1577079246 ecr 0,nop,wscale 7], length 0
16:53:42.631004 IP u11026.44826 > 209.171.240.41.8200: Flags [S], seq 1061496345, win 64480, options [mss 1240,sackOK,TS val 1577079246 ecr 0,nop,wscale 7], length 0
16:53:42.882330 IP u11026.44832 > 209.171.240.41.8200: Flags [S], seq 2750626011, win 64480, options [mss 1240,sackOK,TS val 1577079497 ecr 0,nop,wscale 7], length 0
16:53:43.633580 IP u11026.44828 > 209.171.240.41.8200: Flags [S], seq 1061496345, win 64480, options [mss 1240,sackOK,TS val 1577080249 ecr 0,nop,wscale 7], length 0
16:53:43.633594 IP u11026.44826 > 209.171.240.41.8200: Flags [S], seq 383197302, win 64480, options [mss 1240,sackOK,TS val 1577080249 ecr 0,nop,wscale 7], length 0
16:53:43.889571 IP u11026.44826 > 209.171.240.41.8200: Flags [S], seq 2750626011, win 64480, options [mss 1240,sackOK,TS val 1577080505 ecr 0,nop,wscale 7], length 0
16:53:45.649591 IP u11026.44826 > 209.171.240.41.8200: Flags [S], seq 383197302, win 64480, options [mss 1240,sackOK,TS val 1577082265 ecr 0,nop,wscale 7], length 0

> 2 (rebuild with GnuTLS): This should be as simple as `sudo apt-get
> install libgnutls-dev && ./configure --with-gnutls && make`. Do note
> that DTLS is disabled with some recent versions of GnuTLS, because of
> a security bug.
>
> We generally suggest building with GnuTLS, rather than DTLS.
>

I'll do this too. Stay tuned.

Thanks for the help, Daniel...

./Darren

_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel
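As an added illustration (not part of the thread or of the OpenConnect project), a small Python script that parses `tcpdump` lines like the capture above and reports destinations that only ever saw outbound SYNs, i.e. the "no replies at all" symptom Darren describes. The sample capture is constructed: three lines copied in shape from the thread plus an invented healthy flow to 10.0.0.5:443 so the two cases can be compared.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -i tun0` output. The first three lines mirror
# the thread's capture (outbound SYNs to 209.171.240.41:8200, nothing back);
# the last two are an invented SYN / SYN-ACK pair showing a working flow.
SAMPLE = """\
16:53:42.630947 IP u11026.44826 > 209.171.240.41.8200: Flags [S], seq 383197302, win 64480, options [mss 1240,sackOK,TS val 1577079246 ecr 0,nop,wscale 7], length 0
16:53:42.882330 IP u11026.44832 > 209.171.240.41.8200: Flags [S], seq 2750626011, win 64480, options [mss 1240,sackOK,TS val 1577079497 ecr 0,nop,wscale 7], length 0
16:53:43.633580 IP u11026.44826 > 209.171.240.41.8200: Flags [S], seq 383197302, win 64480, options [mss 1240,sackOK,TS val 1577080249 ecr 0,nop,wscale 7], length 0
16:53:50.000000 IP u11026.44900 > 10.0.0.5.443: Flags [S], seq 1, win 64480, length 0
16:53:50.010000 IP 10.0.0.5.443 > u11026.44900: Flags [S.], seq 2, ack 2, win 65535, length 0
"""

# Matches the prefix of a tcpdump TCP line: timestamp, src.port > dst.port, flags.
# Banner lines ("tcpdump: ...", "listening on ...") simply fail to match.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+?)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+?)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def classify_flows(dump):
    """Return {"dst:port": {"syn_attempts": n, "answered": bool}}.

    A SYN-initiated flow counts as answered when any packet was seen in the
    reverse direction (SYN-ACK, RST, anything); retransmitted SYNs add up.
    """
    packets = defaultdict(int)  # (src, sport, dst, dport) -> packets seen
    syns = defaultdict(int)     # same key, but only pure SYNs
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m["src"], m["sport"], m["dst"], m["dport"])
        packets[key] += 1
        if m["flags"] == "S":
            syns[key] += 1
    report = {}
    for (src, sport, dst, dport), n in syns.items():
        entry = report.setdefault(f"{dst}:{dport}", {"syn_attempts": 0, "answered": False})
        entry["syn_attempts"] += n
        if packets.get((dst, dport, src, sport), 0) > 0:
            entry["answered"] = True
    return report


def unanswered(dump):
    """Endpoints that were only ever SYN'd at: one-way traffic through the tunnel."""
    return sorted(ep for ep, r in classify_flows(dump).items() if not r["answered"])
```

Run it on a real capture with `unanswered(open("tun0.txt").read())`; a list containing the remote host while `--no-dtls` is in effect points at routing or the far side rather than at DTLS.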