On Thu, 2020-04-30 at 10:54 +0100, Dave Love wrote:
> I don't know if this should really be a networkmanager question or not,
> but this seems the most likely place to ask for a recipe.
>
> I've built backported packages for network-manager-openconnect to
> support use with globalprotect (and Duo 2fa); see below. They work
> under network-manager-gnome configured to use the GP gateway
> straightforwardly via the GUI: authenticate with <password>,<otp-code>
> and connect.
>
> However I'd like to use the command line (nmcli), rather than raw
> openconnect (which works), on remote systems. I'm used to doing that
> with a less-reliable tcp-over-tcp openvpn service just by doing
>   nmcli --ask c up <config>
> and authenticating. However, I can't get it working with
> openconnect/GP. The doc isn't clear to me about the prompts I'm seeing
> and how to configure out what I don't need -- at least the
> certificate. I get this output, assuming the first prompt is for
> <password>,<code>:
>
> Connected to HTTPS on ***
> Got HTTP response: HTTP/1.1 502 Bad Gateway
> Unexpected 502 result from server
> Failed to obtain WebVPN cookie
> Error: openconnect failed with status 1
> A password is required to connect to 'GP'.
> Gateway (vpn.secrets.gateway):
> A password is required to connect to 'GP'.
> Cookie (vpn.secrets.cookie):
> A password is required to connect to 'GP'.
> Gateway certificate hash (vpn.secrets.gwcert):
> Error: Connection activation failed: No valid secrets
>
> Can anyone advise?

The three secrets it's looking for there are the *result* of
authentication. Whatever you have to do with certificates, passwords,
SAML and 2FA aren't relevant; it just wants three things:

 • The host you ended up authenticating to (after redirects, etc.).
 • Hash of *its* SSL certificate.
 • The 'cookie' that was the result of successful authentication.

Those are the things you get if you run 'openconnect --authenticate'.
Here's a script which will provide them to NetworkManager for you:

#!/bin/sh
# Authenticate as the invoking user, then hand the resulting secrets to
# NetworkManager over a file descriptor, so they never appear on the
# command line or in a temporary file.
HOST="$1"
if [ -z "$HOST" ]; then
    HOST=vpn.example.com
fi
COOKIE=
# --authenticate prints COOKIE='...', HOST='...' and FINGERPRINT='...' as
# shell assignments; HOST is the gateway actually reached after redirects.
eval "$(openconnect --user "$LOGNAME" "$HOST" --authenticate)"
if [ -z "$COOKIE" ]; then
    exit 1
fi
nmcli con up 'Example VPN' passwd-file /proc/self/fd/5 5<<EOF
vpn.secrets.cookie:$COOKIE
vpn.secrets.gwcert:$FINGERPRINT
vpn.secrets.gateway:$HOST
EOF

> If the backported packages are useful, Debian/Ubuntu is at
> <https://download.opensuse.org/repositories/home:/fx/> and EL6/EL7 is at
> <https://copr.fedorainfracloud.org/coprs/loveshack/openconnect/>. (The
> dwmw2 copr doesn't have recent versions for el6/7; there are many build
> attempts which are failing after a day, I think just because the tests
> won't run.

The COPR has been unreliable recently. Broken versions of http-parser,
ocserv, wine in Fedora updates have been a pain, and recently a lot of
builds seem to die when running out of disk space.

But there is a build of 8.09 for both el6 and el7.

https://copr-be.cloud.fedoraproject.org/results/dwmw2/openconnect/epel-6-x86_64/01356430-openconnect/
https://copr-be.cloud.fedoraproject.org/results/dwmw2/openconnect/epel-7-x86_64/01356430-openconnect/

> The rpms and dpkgs are built with the trojan in the same
> place for ease of documentation rather than using the dwmw2 PPA, but
> that may contravene Debian rules which I'm not up-to-date with. The
> PPA also doesn't have a recent enough network-manager-openconnect.)

Hm, is that just for EPEL or also for Fedora? Let's fix that in my COPR
too. What's missing?
_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel
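The following is an added example, not code from this thread or from the openconnect project. It does the same job as the eval-based script in the reply above, with two changes a cautious operator may want: the output of 'openconnect --authenticate' is parsed line by line instead of being eval'd, and nmcli is only called once all three secrets (COOKIE, HOST, FINGERPRINT) are present, which is the check that the failed authentication in the original question would have tripped. The function names (oc_parse_secrets, oc_parse_sample, nm_oc_up), the connection name 'Example VPN', the gateway vpn.example.com and the sample values in oc_parse_sample are placeholders and constructed data; the vpn.secrets.* key names are the ones the nmcli prompts in the thread show.

```shell
#!/bin/sh
# Added example (not from the thread): feed the three NetworkManager-openconnect
# secrets from `openconnect --authenticate` output without eval.
#
# `openconnect --authenticate` prints shell assignments, one per line:
#   COOKIE='...'  HOST='...'  FINGERPRINT='...'
# and, on newer versions, also CONNECT_URL='...' and RESOLVE='...'.
# nmcli's passwd-file format is one "setting.property:value" per line.

# Read --authenticate output on stdin; print nmcli passwd-file lines on
# stdout. Returns 1 if a line is not of the NAME='value' form openconnect
# emits, if a value carries an embedded quote (it would have broken the
# shell quoting anyway), or if any of the three secrets is missing, which
# is what a failed authentication looks like (empty output).
oc_parse_secrets() {
    cookie= host= fingerprint=
    while IFS= read -r line; do
        case $line in
            '') continue ;;                     # blank line
            *"='"*"'") ;;                       # NAME='value'
            *)
                printf 'unexpected --authenticate line: %s\n' "$line" >&2
                return 1 ;;
        esac
        name=${line%%=*}
        value=${line#*"='"}
        value=${value%"'"}
        case $value in
            *"'"*)
                printf 'refusing value with embedded quote for %s\n' "$name" >&2
                return 1 ;;
        esac
        case $name in
            COOKIE)      cookie=$value ;;
            HOST)        host=$value ;;         # gateway reached after redirects
            FINGERPRINT) fingerprint=$value ;;  # hash of that gateway's certificate
            *) ;;                               # CONNECT_URL, RESOLVE, future keys: not needed
        esac
    done
    if [ -z "$cookie" ] || [ -z "$host" ] || [ -z "$fingerprint" ]; then
        echo 'incomplete --authenticate output: need COOKIE, HOST and FINGERPRINT' >&2
        return 1
    fi
    printf 'vpn.secrets.gateway:%s\n' "$host"
    printf 'vpn.secrets.gwcert:%s\n' "$fingerprint"
    printf 'vpn.secrets.cookie:%s\n' "$cookie"
}

# Offline demonstration on constructed sample output (these are made-up
# values in the shape openconnect prints, not a real session).
oc_parse_sample() {
    printf '%s\n' \
        "COOKIE='3311170634@13561856@1339425499@B315B4D03B1BA3D8A5C5CD3F5D63A9BB0C3F4B06'" \
        "HOST='10.0.0.1'" \
        "FINGERPRINT='pin-sha256:YWJj'" \
        "CONNECT_URL='https://vpn.example.com/global-protect/'" \
        "RESOLVE='vpn.example.com:10.0.0.1'" | oc_parse_secrets
}

# Live path, not run automatically: authenticate as the invoking user and
# bring the connection up, passing the secrets through fd 5 exactly as the
# script in the thread does. Usage: nm_oc_up 'Example VPN' vpn.example.com
nm_oc_up() {
    conn="${1:-Example VPN}"        # placeholder connection name
    gw="${2:-vpn.example.com}"      # placeholder gateway
    secrets=$(openconnect --user "$LOGNAME" "$gw" --authenticate | oc_parse_secrets) || return 1
    nmcli con up "$conn" passwd-file /proc/self/fd/5 5<<EOF
$secrets
EOF
}
```

Unknown NAME='value' lines are ignored rather than rejected so that a newer openconnect adding another variable does not break the script, while anything that is not an assignment in that form is treated as an error; the only thing eval would have bought here is parsing the quoting, and that is the part worth doing by hand.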