On Sat, Sep 7, 2024 at 2:19 AM David Woodhouse wrote:
> > - What you're seeing here is the tunnel/data phase, running in the
> > `openconnect` process (as a privileged user).
>
> No, NetworkManager runs openconnect as an *unprivileged* user. Not
> actually "nobody" but its own "NM-openconnect" ver
On Sun, Sep 8, 2024 at 1:10 PM Martin Pauly wrote:
> On 07.09.24 07:14, Daniel Lenski wrote:
> >> Ooh, interesting. Reading between the lines a bit here… "leaving a CA
> >> setting blank" in WiFi enterprise authentication (802.1x) resulted in
> >> "d
On Mon, Sep 2, 2024 at 4:56 AM Martin Pauly wrote:
>
> On 01.09.24 at 06:32, Daniel Lenski wrote:
>
> Actually, the original question came from the GUI side, i.e. Network Manager.
> A colleague of mine recently stumbled on our outdated documentation
> recommending to set CA
On Sun, Sep 1, 2024 at 4:10 PM Daniel Lenski wrote:
>
> On Sun, Sep 1, 2024 at 1:46 PM Moorko wrote:
> >
> > Thanks for your detailed response, Daniel.
> >
> > I now realize that I clearly missed the big picture here as I'm relatively
> > new to this
On Sun, Sep 1, 2024 at 1:46 PM Moorko wrote:
>
> Thanks for your detailed response, Daniel.
>
> I now realize that I clearly missed the big picture here as I'm relatively
> new to this domain.
No worries! Looks like you're tackling a tricky problem and asking the
right questions :-)
> > I'm not
On Sun, Sep 1, 2024 at 8:19 AM Moorko wrote:
> I noticed that the OpenConnect package available in Linux distributions
> like Ubuntu and Fedora is built with GnuTLS rather than OpenSSL.
> Is there a specific reason for this?
Many such reasons, from my point of view…
1. Historically, OpenSSL didn
On Fri, Aug 30, 2024, 1:42 PM Cline, Wade wrote:
>
> On Fri, Aug 30, 2024 at 07:14:07PM +0200, Martin Pauly wrote:
> > Hi all,
> >
> > we have encountered what we think might be a sloppy check of the server
> > cert by the openconnect client.
> > AFAIU, --cafile allows the user to pin the CA that
On Thu, Aug 1, 2024 at 9:58 AM Benjamin Cardon wrote:
>
> Here is the handshake [of the connection when ESP works] still using GPopen
> in case it's helpful.
There is no apparent difference between these logs other than the fact
that the ESP-over-UDP packets get through in one and not the other.
On Wed, Jul 31, 2024 at 8:58 AM Benjamin Cardon wrote:
> Attached is the handshake. Everything up to line 72 is collecting the
> auth cookie from Okta.
Yes, it appears from this log that there's simply no UDP connectivity
between the client and the server. The ESP-over-UDP tunnel can't be
connect
On Tue, Jul 30, 2024 at 11:47 AM Benjamin Cardon wrote:
>
> Hi, my company has a GlobalProtect VPN and I've been successfully
> using it using GPopen and openconnect for years.
What is GPopen?
> A few months ago, they changed something in our network or VPN that is
> causing the VPN to fail to
On Sat, Jul 27, 2024 at 2:03 PM Karl O. Pinc wrote:
>
> > I put together a fix for this in
> > https://gitlab.com/openconnect/openconnect/-/commits/handle_GP_ESP_magic_address_corner_case
> >
> > Can you please build and test that? I don't have a real GP VPN that I
> > can test it on anymore, unfo
On Thu, Jul 25, 2024 at 4:59 PM Karl O. Pinc wrote:
> Thanks for the reply. Here's the info you asked for.
> It looks like the proprietary client sets up a UDP VPN
> and openconnect does not.
Thanks. From your detailed log I have an idea of what's going on:
> POST https://vpnhost.example.com/ss
On Wed, Jul 24, 2024 at 3:02 PM Karl O. Pinc wrote:
>
> No matter the -vvv, I get no real information as to why.
"No real information" is not actionable.
If you run a recent version of OpenConnect with `-vvv
--dump-http-traffic --protocol=gp`, you should ALWAYS get AT LEAST ONE
log line that spe
On Wed, Jun 19, 2024 at 7:05 PM Lee <309820...@qq.com> wrote:
> Dear author,
> I hope this email finds you well. I am writing to report a bug that I have
> encountered while using the OpenConnect software on my Ubuntu 24 system.
> When attempting to connect to a VPN using OpenConnect, I am prompte
On Thu, May 9, 2024 at 1:08 AM David Woodhouse wrote:
> On Wed, 2024-05-08 at 17:59 -0600, Oscar Velazquez wrote:
> > I have a hunch: it is to change server-cert-hash, but I do not know
> > what the correct values could be or if this is a valid approach.
> > Any help would be appreciated.
> >
>
>
On Sat, Apr 20, 2024 at 12:35 PM Peter Tulpen wrote:
> Hello, we want to use openconnect to connect to our company network and having
> like 2 modes:
> - always have a connection to our management server based on a client
> certificate, so the management server can scan him: basic connection
> -
On Mon, Apr 15, 2024 at 10:35 AM Alfredo Tomasini wrote:
> Note: the router is not a cisco but huawei AR150, in spite most likely
> they use the same protocol, maybe!
You probably should've led with that 😬.
There is absolutely no reason to think a *Huawei* server would work
with the AnyConnect p
On Fri, Apr 12, 2024 at 4:29 PM Alfredo Tomasini wrote:
> I am trying to get a vpn connection to our pattern in China
What does this mean? (Maybe you meant PARTNER in China… maybe not?)
> by using
> openconnect
Specifically, you're using OpenConnect v9.01 according to your logs.
Released just
On Wed, Apr 3, 2024 at 2:49 AM Markus Robert Kessler
wrote:
>
> When using networkmanager for invoking openconnect, there is an option
> "Ignore automatically obtained routes".
> This is essential because some obtained routes conflict with local addresses.
>
> Unfortunately, we cannot find the rel
On Tue, Feb 27, 2024 at 7:20 PM Cline, Wade wrote:
> On Tue, Feb 27, 2024 at 03:37:47PM -0800, Daniel Lenski wrote:
> Sorry about that; I added the sign-off in one environment but forgot to
> sync the two before sending the patch!
Thank you, now merged and with a changelog ent
On Tue, Feb 27, 2024 at 3:58 PM Larry Ploetz wrote:
>
> On 2024-02-25 11:03, Larry Ploetz wrote:
> >> Are the users of the official PAN GP clients keeping SSH sessions open
> >> for 6+ hours like you are?
> >
> >
> > Yes, I believe so. I'll verify.
>
> Yes, ssh as well as other TCP connections are
On Sat, Jan 20, 2024 at 4:41 PM Dave Brosius wrote:
> However today, when i try to connect, i get
>
> Connected as 10.69.12.166 + 2606:b400:600:c063::11c/64, using SSL,
> with DTLS in progress
> Established DTLS connection (using GnuTLS). Ciphersuite
> (DTLS1.2)-(ECDHE-RSA)-(AES-256-GCM).
> Detect
On Tue, Feb 27, 2024 at 9:04 AM Daniel Lenski wrote:
>
> On Mon, Feb 26, 2024 at 6:50 PM Cline, Wade wrote:
> >
> > ---
> > main.c | 6 +++---
> > 1 file changed, 3 insertions(+), 3 deletions(-)
> >
> > diff --git a/main.c b/main.c
> > index 65be
On Mon, Feb 26, 2024 at 6:50 PM Cline, Wade wrote:
>
> ---
> main.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/main.c b/main.c
> index 65be6a2f..ef426dd6 100644
> --- a/main.c
> +++ b/main.c
> @@ -1565,14 +1565,14 @@ static void print_connection_stats(void *_vp
First off, what is your `openconnect --version`?
On Wed, Feb 21, 2024 at 11:24 AM Larry Ploetz wrote:
> On 2024-02-20 00:25, Daniel Lenski wrote:
> > Do you have some reason to think that this has anything to do with
> > OpenConnect per se, as opposed to being a limitation
On Thu, Jan 11, 2024 at 6:25 PM wrote:
> I am a physics student using openconnect on arch linux to connect to my
> school's GlobalProtect server that uses both IPv6 and IPv4. So far, I
> have not been able to connect using IPv6; IPv6 connection times out and
> the vpn connects via IPv4. Let me kno
On Wed, Jan 31, 2024 at 4:16 PM Larry Ploetz wrote:
> I've noticed that all my ssh sessions, regardless of when they start
> relative to the start of openconnect, get disconnected after openconnect
> has been up 6 hours, and 9 hours (about - ± 5 minutes). I assume that
> would happen with other lo
On Sat, Feb 3, 2024 at 9:10 AM Jon DeVree wrote:
> By default xmlstarlet does not include a final newline on the output.
> Because POSIX says that all lines must end in a newline, this causes the
> final line of output to be skipped by the 'while read ...' loop in bash.
> Adding a '-n' after the '
On Fri, Jan 19, 2024 at 4:33 AM Daniel Loxtermann
wrote:
>
> Hey all!
>
> While trying to understand how to get IPv6 on our GlobalProtect Clients,
> we found out about OpenConnect!
>
> You're asking for results about IPv6 with GP.
As the author of the GP IPv6 support, thank you very much for this
On Mon, Nov 6, 2023 at 9:08 AM Jang, WonSeok
wrote:
> My school uses duo mfa when logging in.
>
> Is there any way to fix this?? I am currently using Arch linux.
Your VPN requires SAML authentication, but OpenConnect generally can't
handle SAML authentication on its own; an external web browser th
On Wed, Oct 25, 2023 at 3:45 PM O. William McClung wrote:
>
> I have openconnect v8.05-1, the latest for Ubuntu 20.04, and am trying
> to connect to a GlobalProtect server which I know requires
> gp-saml-gui.
This is an extremely old version (from 2019). We've made a large
number of improvements
On Thu, Sep 28, 2023 at 3:06 AM julio toribio wrote:
>
> I'm using Windows and trying to connect to a VPN(Fortinet) but by
> default SAML is used to authenticate. When we hit connect in
> Forticlient, a web browser is launched, we authenticate in i.e
> Microsoft, then Forticlient is connected.
>
On Mon, Sep 18, 2023 at 11:44 AM Daniel Lenski wrote:
> On Sun, Sep 17, 2023 at 10:47 AM Paolo Ienne (严保罗)
> wrote:
> > Last but not least, you may want to note that the links to "master branch
> > for
> > 32-bit Windows or for 64-bit Windows" on
> >
>
On Sun, Sep 17, 2023 at 10:47 AM Paolo Ienne (严保罗) wrote:
> But I am writing to ask if it is correct that the Windows port of
> OpenConnect does not offer the "--background" switch. It seems so (I
> finally managed to access the latest build for Windows 10, thinking that
> the slighter older one
On Fri, Sep 1, 2023, 7:33 AM Mike Gilbert wrote:
>
> On Fri, Sep 1, 2023 at 4:47 AM Jarosław Siebert wrote:
> > I updated my Slackware machine and noticed that I can not compile
> > openconnect with it.
> >
> > I use gnutls 3.8.1
> >
> > when I try to compile openconnect 9.12 then it stops with
On Thu, Aug 17, 2023 at 11:04 AM Anthony Becker wrote:
> Hi Daniel –
>
> Here is the openconnect version output:
>
> sshuser@oakvpn:~$ openconnect --version
> OpenConnect version v8.20-1
> Using GnuTLS 3.7.3. Features present: TPMv2, PKCS#11, RSA software token,
> HOTP software token, TOTP soft
On Mon, Aug 14, 2023 at 8:31 AM Anthony Becker wrote:
>
>
> I am unable to connect to a GlobalProtect VPN. I start with the command:
>
> eval $( ./.local/bin/gp-saml-gui grizzvpn.oakland.edu --allow-insecure-crypto
> )
>
> A web form requests my username and password and sends me a Duo push. Th
On Wed, Jul 26, 2023 at 1:17 AM Mah, Matthew Yew Mun
wrote:
> I am using OpenSUSE tumbleweed with openconnect 9.12-1.2 through the KDE
> network manager to connect to a Cisco AnyConnect VPN using two-factor
> authentication with Duo. This was working until the VPN server side recently
> changed
On Mon, Jul 31, 2023 at 3:00 AM Lisa BINDER
wrote:
>
> The Cisco AnyConnect VPN Client supports the IEEE 802.1AE standard which
> allows to perform downlink MACsec between a client and a switch.
> Does OpenConnect also support this feature or does it only focus on the VPN
> functionality of Cisc
On Fri, Jun 23, 2023 at 5:14 AM Dimitri Papadopoulos Orfanos
wrote:
> I have opened an issue here:
> https://gitlab.com/openconnect/openconnect/-/issues/634
Aaron Smith, can you please test
https://gitlab.com/openconnect/openconnect/-/merge_requests/483 which
should fix this?
> * search domains,
On Mon, Jun 26, 2023 at 4:56 AM Grant Williamson wrote:
> I'm encountering an issue with the csd-post.sh script. When attempting
> to use it, I receive the error message: "You are attempting to use a
> digital certificate not assigned to this device." I would appreciate
> any insights on how to ad
On Wed, Jun 7, 2023 at 7:03 AM Laszlo Fekete wrote:
> cisco's own GUI vpn tool also doesn't accept the
> yubikey generated characters as a 2nd password
This strongly suggests that the *server* doesn't accept the Yubikey
OTP as a 2nd factor. 🤷🏻‍♂️
> can you please help me with this?
It's extreme
On Wed, May 31, 2023 at 3:48 AM Popp, Thomas wrote:
> The Cisco VPN server I try to connect to expects the correct authgroup to be
> sent as in the initial POST request, like:
>
>
> ...
> correct-auth-group
> ...
>
>
> I also failed to manipulate the initial POST request form with the
On Thu, May 25, 2023 at 12:43 PM David Raison wrote:
> 1. In the http communication with the endpoint, when it comes to the
> point where the web UI or the anyconnect client prompt for the token,
> there is simply no field included in the XML response sent by the
> server, only the element:
>
> <
On Mon, May 22, 2023 at 9:40 AM David Gstir wrote:
> I’m running into issue #489 [1] with the latest OpenConnect v9.12-3-ga4f1a345.
> Unfortunately none of the suggested solutions there work for me. I’ve also
> tried
> the --form-entry workaround from [2]. See the dump below.
>
> It does work fin
On Wed, May 17, 2023 at 12:00 PM David Woodhouse wrote:
>
> Traxtopel (1):
> Add support for OpenConnect's `--no-dtls` option to disable UDP
This one has been much sought-after
(https://gitlab.gnome.org/GNOME/NetworkManager-openconnect/-/merge_requests/55)…
Now if users are connecting from
> Daniel Lenski (101):
> …
> Combine Legacy IP and IPv6 cases in GP config XML parsing
> …
Unfortunately, this change introduced a bug — that is to say, I
introduced a bug (🪞) — which causes GlobalProtect ESP to be entirely
non-functional in OpenConnect v9.10.
On Fri, May 5, 2023 at 5:25 AM Grant Williamson wrote:
> It appears I have an issue when attempting to edit an existing
> connection using the "copr build ba7cf175", as a WARNING message is
> displayed in the terminal indicating that "ca.pem uses an unknown
> scheme". Will not add/import or save
On Wed, Apr 12, 2023 at 11:29 PM lobbia wrote:
>
> In my case, v9.01+ doesn't work for my openwrt. My company's Cisco ASA server
> prefers Azure SSO over user/pass sign-in. When using openconnect v9.01 to
> connect, it proposed SSO in capabilities list and then got stuck due to lack of
> sufficie
On Wed, Apr 12, 2023 at 4:43 AM lobbia wrote:
>
> Code branch to be built: add_local_id_option
> https://gitlab.com/openconnect/openconnect/-/tree/add_local_id_option
(It would be a good idea to rebase this on the latest `master`, rather
than just build it as-is.)
I'm the author of the changes o
On Wed, Feb 22, 2023 at 7:33 PM James Ralston wrote:
>
> I gently echo the requests for a 9.02 release.
Yep, it's pretty much just waiting for our BDFL to sign it :-)
https://gitlab.com/openconnect/openconnect/-/commits/proposed-9.02
On Mon, Feb 6, 2023 at 4:04 AM Zbyněk Kačer wrote:
>
> I will now try to decrypt the tcp channel - there must be something
> useful inside. But so far it refuses to use mitmproxy.
You may well need to use TRANSPARENT proxying
(https://docs.mitmproxy.org/stable/howto-transparent/) in order to
forc
On Tue, Feb 7, 2023 at 9:48 AM Rogerio Carvalho dos Santos
wrote:
>
> Tag de config de GlobalProtect possivelmente relacionada a IPv6
> : no
> Essa compilação não suporta o GlobalProtect IPv6 devido à falta de
> de informações sobre como está configurado. Por favor, reporte isso
> para openconnect
I'm afraid tuning parameters does not help at all. I unsuccessfully
>
> tried various combinations.
> Then I dumped the /opt/cisco/anyconnect/bin/vpnui traffic, tried what
> the official client sends and still no success.
Hmmm. So you can see all (or almost all) of the traffic between the
officia
On Fri, Jan 27, 2023 at 3:58 AM Zbyněk Kačer wrote:
> So I tried openconnect
openconnect --version?
> So I tried
> openconnect --dump-http-traffic --csd-wrapper=/tmp/csd-post.sh
> gateway.host.some.server.com
>
> but the csd-post script seems never be called (I've inserted some echos
> at the be
On Fri, Nov 4, 2022 at 3:14 PM Ahmet Karalar wrote:
>
> Hello,
>
> I can connect to my company VPN (Cisco Anyconnect) using openconnect,
> entering credentials as the CLI asks me, however I'd like to reduce
> that to 1 step if possible. When authenticating, openconnect asks me:
> - username
> - pa
On Thu, Nov 3, 2022 at 2:18 PM Schütz Dominik
wrote:
> Hi,
>
> I have a question in connection with OpenConnect (currently
> v9.01+74+g76dc679-0+113.1) and the Pulse Secure Appliance (currently 9.1R14).
>
> We authenticate with "protocol=pulse" and "protocol=nc" either with username
> + password
On Fri, Oct 14, 2022 at 7:48 AM LeJacq, Jean Pierre
wrote:
>
> I'm trying to use OpenConnect's with the relatively new F5 protocol support.
>
> I'm running into problems with the initial handshake and looking for some
> advice on how to debug.
>
> My environment is the following. I have confirmed
On Wed, Oct 12, 2022 at 4:22 PM Djunzu wrote:
>
> I tried double quotes and single quotes. But did not think of trying no
> quotes at all.
Yeah, we should update the documentation to clarify this. Or, better
yet, we should update the code to accept single and/or double quotes
in config files.
On Thu, Sep 15, 2022 at 8:00 AM Bernhard Reutner-Fischer
wrote:
> On Thu, 15 Sep 2022 11:54:39 +0200
> Dimitri Papadopoulos wrote:
>
> > Perhaps the double [[ == ]] can be changed to [ = ] in most cases, as it
> > implies regular expressions might be involved - but they are not.
>
> The hunks in
On Wed, Sep 14, 2022 at 5:30 AM Bernhard Reutner-Fischer
wrote:
>
> s/==/=/g
> s/]]/]/g
> s/\[\[/[/g
>
> The POSIXly correct shorthand of test(1) is [, not [[
> and string comparison is POSIXly correct =, not ==.
Do note that all three of these scripts are explicitly intended+tested
*only* to run
On Tue, Sep 13, 2022 at 3:43 AM Ian Braithwaite wrote:
>
> On 12/09/2022 19:18, Daniel Lenski wrote:
> > On Mon, Sep 12, 2022 at 6:42 AM Ian Braithwaite wrote:
> >> 1. Ian, does your server also fall back to the non-XML-based
> >> authentication, like Henry Lui
On Mon, Sep 12, 2022 at 6:42 AM Ian Braithwaite wrote:
>
> I'm not the original poster, but I'm experiencing the same problem.
> Here's the details of the challenge form as requested.
> As you guessed, OpenConnect isn't recognizing that a field needs to be
> filled in
> and is just continuing with
On Thu, Sep 1, 2022 at 3:42 PM Ian Cornelius wrote:
> This error began to appear about the time that Pulse Secure was acquired
> by Ivanti.
Almost certainly related to the changes in the Pulse configuration
packet from the 9.1R14 and 9.1R16 server versions. (These are
mystifyingly vestigial/usele
On Wed, Aug 10, 2022 at 1:37 PM Bernd Schubert
wrote:
> At least for me the interesting part is that openconnect is not sending
> these ESP probes anymore then - I wonder if it is hanging. Going to get
> pstack output tomorrow.
>
> So I enabled time stamps now (thanks for the parameter)
>
> 1)
> .
On Wed, Aug 10, 2022 at 1:21 AM Bernd Schubert
wrote:
> I had found this thread
>
> https://askubuntu.com/questions/1273285/vpn-openconnect-pulse-disconnects-itself-in-ubuntu-20
>
> and according to the discussion the issue is supposed to be resolved
> with 8.20.
No.
I think you are referring to
On Thu, Jul 21, 2022 at 3:04 AM Iseli Christian wrote:
> The university of Lausanne recently introduced 2-factor authentication for
> its VPN, and since then my working openconnect setup is failing with this
> error :
>
> Unknown form (name 'form1', id '(null)')
> Dumping unknown HTML form:
> m
On Fri, Jul 1, 2022 at 6:55 PM Sam wrote:
> I use the vpnc-script from
> https://gitlab.com/openconnect/vpnc-scripts/raw/master/vpnc-script like
> this:
> sudo openconnect vpn.thecompany.com
> --script=/usr/share/vpnc-scripts/vpnc-script
Cisco AnyConnect protocol, right?
> The only way that I ca
On Fri, Jun 10, 2022 at 9:57 AM David Woodhouse wrote:
> But IT departments using proprietary VPN products clearly *do* trust
> the likes of Cisco far more than we do, and the endorsement *is*
> meaningful to them. So it doesn't hurt to highlight it.
>
> Especially for individual users who are see
On Mon, Jun 6, 2022 at 12:54 PM Randall Sindlinger
wrote:
> In any case, has this and the DevNet recommendation been added to the
> https://www.infradead.org/openconnect/ page? I'm not sure where it would
> best fit; but I think it
> would be invaluable to give users and potential users the know
On Wed, Jun 8, 2022 at 5:29 PM David Woodhouse wrote:
>
> On Wed, 2022-06-08 at 19:35 +, Schütz Dominik wrote:
> > Hi,
> >
> > sorry that the reply to the mail with the subject "Pulse with ESP has
> > problems with Kerberos Tickets" and "OpenConnect does not take over
> > MTU" took so long.
>
On Mon, Jun 6, 2022 at 1:27 PM Daniel Pou wrote:
>
> I will give it a shot. The possibly oddball thing about VIA, is the
> "hybrid" nature, that it "automatically scans and selects the best,
> secure connection to terminate traffic" where it supports IPSec/SSL.
Yes, that's typical marketing fluff
On Mon, Jun 6, 2022 at 9:00 AM Daniel Pou wrote:
>
> After a cursory inspection, I have not found any request to add
> support for Aruba VIA VPN protocol in issues or the mailing list. I am
> curious if anyone has considered or made any effort so far? I am
> trying to look through the links refere
On Wed, May 4, 2022 at 11:17 AM Schütz Dominik
wrote:
> yes, it works with "--authgroup" for "--protocol=nc" and "--protocol=pulse".
We need better documentation for the `--authgroup` option.
Its current description is very Cisco-specific, which makes it
completely non-obvious that it will work
On Sun, Jun 5, 2022 at 10:04 AM Fourhundred Thecat <400the...@gmx.ch> wrote:
> when I connect with openconnect, I am getting these errors:
>
> DTLS handshake failed: Error in the push function.
> (Is a firewall preventing you from sending UDP packets?)
What version of OpenConnect? `openconnect --v
On Fri, Jun 3, 2022 at 1:44 PM Randall Sindlinger
wrote:
>
> If you aren't aware, I just found that Cisco's DEVNET has a genuine
> recommendation to use
> OpenConnect.
Cisco's own IP phones, at least model "SPA-525g", use the OpenConnect
client. https://gitlab.com/openconnect/ocserv/-/issues/51#
On Thu, May 12, 2022 at 2:19 PM Henry Luis
wrote:
> Today, openconnect prompts me for the 2FA code but does not give me the
> chance to enter it (see the "Enter PASSCODE" line below). The same happens
> when I use the network manager Gnome GUI. This used to work as of yesterday.
Clearly, somet
On Wed, May 4, 2022 at 3:11 AM David Woodhouse wrote:
>
> On Wed, 2022-05-04 at 09:36 +, Schütz Dominik wrote:
> > Hi,
> >
> > how can I specify a realm with "--protocol=pulse"?
> > # output without specify realm
> > Choose Pulse user realm:
> > Realm:
> > [REALM_xxx_Productive|REALM_xxx_Limi
On Tue, Mar 29, 2022 at 2:50 PM Athanasios Silis
wrote:
>
> Hi everyone,
> this is not a new question as I see but maybe the combination of options is.
> So my company has been using the pulse protocol for its vpn service.
> Microsoft 2FA will soon become unavoidable for the connection.
>
> I've i
On Thu, Mar 17, 2022 at 2:30 AM Dimitri Papadopoulos
wrote:
> One could re-enable TLS < 1.2, but it's always the same story: I don't
> want to do that for a whole system, just for specific (client) software.
Agreed.
I've got a (work-in-progress) MR which adds additional warning
messages for thes
On Tue, Mar 15, 2022 at 12:12 PM Daniel Lenski wrote:
> This patch suggests that the "OpenSSL security level" could be the
> culprit: if the "OpenSSL security level is set to >=2, then vanilla
> OpenSSL 1.1.1f will allow old/bad/Cisco DTLS, but Debian/Ubuntu
> Open
On Tue, Mar 15, 2022 at 12:38 AM Dimitri Papadopoulos
wrote:
>
> Hi,
>
> It definitely looks like an Ubuntu bug. I can reproduce this issue when
> building against the OpenSSL library that ships with Ubuntu 20.04:
>
> $ ./configure \
> --prefix=/my/path/openconnect \
> --with-vpnc-
On Mon, Mar 14, 2022 at 3:41 AM Dimitri Papadopoulos Orfanos
wrote:
> I guess libgnutls28-dev was initially missing. By installing it, your
> build switched to GnuTLS, which appears to support the broken Cisco DTLS
> version, unlike OpenSSL version 1.1.1f (the version shipping with Ubuntu
> 20.04)
On Fri, Mar 4, 2022 at 9:55 AM Adam Mercer wrote:
>
> Hi
>
> We use a GlobalProtect VPN at work and they recently required the
> usage of Microsoft MFA when connecting, I've been trying to get this
> working with openconnect but have been having problems. I've built the
> latest client from git an
On Mon, Mar 7, 2022 at 3:44 PM Daniel Lenski wrote:
>
> On Fri, Mar 4, 2022 at 6:25 AM Eveno, Manuel wrote:
> > $ cat openconnect-8.20/tests/test-suite.log
> > - Output :
> > FAIL: bad_dtls_test
>
> 1. If you just want to *use* O
On Fri, Mar 4, 2022 at 6:25 AM Eveno, Manuel wrote:
> Trying to build openconnect 8.20 on ubuntu 20
What is "ubuntu 20"? I assume you mean 20.04 / focal? Running
`lsb_release -a` should clarify.
> I need to test the fortinet protocol.
> I'm trying to build openconnect for the downloaded package.
On Wed, Dec 29, 2021 at 7:16 PM Scott wrote:
>
> Regarding this bug: https://gitlab.com/openconnect/openconnect/-/issues/322
>
> I've been having dropouts for 18 months, reconnecting 20-30 times a day,
> I just want to say thanks so much for fixing it! Much appreciated.
Glad to hear it.
We reall
On Tue, Dec 14, 2021 at 10:08 PM Daniel Lenski wrote:
>
> What you've specified, `--os=windows`, is not a value that OpenConnect
> understands; per the manual,
> (https://www.infradead.org/openconnect/manual.html), `--os=win` is the
> legal value. Does that work?
Have you
On Tue, Dec 14, 2021 at 1:47 PM Dev Faye wrote:
> I'm not a programmer at all? Though, it's been nearly 1 week I'm going
> back and forth, trying to get at least one VPN client working on my
> virtual machine. I've tried built-in VPN, CheckPointCapsule,
> GlobalProtectUWP, GlobalProtect MacOS clie
On Tue, Nov 30, 2021 at 7:36 AM Frank Winkler wrote:
> I've been using oc on Linux and macOS for quite a while now and it
> worked fine so far. Since I upgraded to macOS 12, it seems that oc is
> crashing the entire network stack after running for some time.
Can you clarify what "crashing the ent
" for him. We tried bypassing the GUI by running openconnect from
> the command line, which resulted in the output Amirali has shown previously.
> I'm confident I've never seen the "Error in the push function" message
> before, so I suggested Amirali reach out to
On Sat, Nov 20, 2021 at 1:11 AM Oleg Tyurin wrote:
>
> When I connect to our corporate VPN server, I do not receive all routes, so I
> cannot use some resources
What does "not receive all routes" mean? What routes do you *expect*,
but don't get set? What happens if you try to manually add them t
On Thu, Nov 18, 2021 at 1:33 PM Amirali Hossein wrote:
> How should I resolve "Error in the push function."?
Can you give us more information? Start with the complete output of
`openconnect --version`, and what operating system you're running on.
All I can tell from the messages ("SSL connection
On Thu, Oct 14, 2021 at 5:14 PM Shane Hird wrote:
>
> With UDP enabled (or not disabled) upload speeds are extremely slow.
> This seems very similar to the bug mentioned by Microsoft for KB5006674
>
> https://support.microsoft.com/en-us/topic/october-12-2021-kb5006674-os-build-22000-258-32255bb8-6
On Mon, Jan 11, 2021 at 2:03 PM John Hannafin wrote:
> Sometime last year, we noticed that at
> some point between version 8.03 and 8.06, using openconnect would
> become unreliable. Using 8.03, I can run the command "sudo
> openconnect --juniper --protocol=nc https://[REDACTED_HOSTNAME]", and
>
On Wed, Sep 15, 2021 at 3:01 AM David Love wrote:
>
> I noticed this in syslog (from the Debian package of 8.10):
>
> Potential IPv6-related GlobalProtect config tag :
> no#012This build does not support GlobalProtect IPv6 due to a lack of#012of
> information on how it is configured. Please re
Hi Ralph,
On Fri, Sep 10, 2021 at 9:01 AM Ralph Serge wrote:
> I came across OpenConnect while looking for a client to connect to a Fortinet
> VPN server using multifactor authentication.
It'd be great to have other users test our Fortinet MFA support.
Currently, it *only* supports the "challe
On Wed, Aug 4, 2021 at 10:57 AM Antonio Petrelli
wrote:
>
> On Wed, Aug 4, 2021 at 19:40, Antonio Petrelli
> wrote:
>
> > > OMG IT WORKED! It seems that the error before happens sometimes, but
> > it happens anyway sometimes because something is wrong server side.
> > Wait a bit, i
On Tue, Aug 3, 2021 at 9:08 AM Antonio Petrelli
wrote:
>
> Hello again
> From now on, the edited values are between , but the
> rest is literal.
> Ok after login, I land on a page that says "Connect to VPN".
>
> Clicking on it this request is sent:
>
> GET /vdesk/get_token_for_sessid.php3 HTTP/1.
On Tue, Aug 3, 2021 at 1:22 AM Antonio Petrelli
wrote:
> Hello
> At my firm we are using F5 and MFA from Microsoft. I noticed in the
> website that, in case I have a different authentication than
> username+password, it would be nice to contact you to add support for
> a different authentication m