
I need to connect to a Cisco VPN on Linux and at first I did this using the KDE NetworkManager plasma widget thingy. That worked fine and I'm able to connect to the VPN if I choose it from the Network Manager widget.

However, if I try using the command line things don't work (IPs and URLs have been changed to protect the innocent):

```
➜  ~  sudo openconnect --proxy http://proxy.mycompany.com:8080 vpn.mycompany.com:443 
POST https://vpn.mycompany.com/
Attempting to connect to proxy 172.17.122.135:8080
Requesting HTTP proxy connection to vpn.mycompany.com:443
Unexpected continuation line after CONNECT response: 'Via: 1.1 SPROXY2'
Unexpected continuation line after CONNECT response: 'X-WebMarshal-RequestID: 445D5E14-309A-4AA2-B7AF-07CAAD5BB21D'
SSL negotiation with vpn.mycompany.com
Server certificate verify failed: signer not found

Certificate from VPN server "vpn.mycompany.com" failed verification.
Reason: signer not found
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on vpn.mycompany.com
Got HTTP response: HTTP/1.0 302 Object Moved
GET https://vpn.mycompany.com/
Attempting to connect to proxy 172.17.122.135:8080
Requesting HTTP proxy connection to vpn.mycompany.com:443
Unexpected continuation line after CONNECT response: 'Via: 1.1 SPROXY2'
Unexpected continuation line after CONNECT response: 'X-WebMarshal-RequestID: 39FA73DC-1FDD-4C4C-A1A6-5993477DD8E3'
SSL negotiation with vpn.mycompany.com
Server certificate verify failed: signer not found
Connected to HTTPS on vpn.mycompany.com
Got HTTP response: HTTP/1.0 302 Object Moved
GET https://vpn.mycompany.com/+webvpn+/index.html
Requesting HTTP proxy connection to vpn.mycompany.com:443
Unexpected continuation line after CONNECT response: 'Via: 1.1 SPROXY2'
Unexpected continuation line after CONNECT response: 'X-WebMarshal-RequestID: 0141A4E6-1EA7-4FAE-AFA0-E56B2BC07BD1'
SSL negotiation with vpn.mycompany.com
Server certificate verify failed: signer not found
Connected to HTTPS on vpn.mycompany.com
Please enter your username and password.
GROUP: [1..VPN|2..AD]:2
Auth choice "2" not valid
Failed to obtain WebVPN cookie
➜  ~  
```

I get prompted that the certificate verification failed, and then I get prompted to choose the group, but then everything fails with `Auth choice "2" not valid`.

I've tried different options for the openconnect command. For example, `-g` to specify the group, `-u` to specify the username, and `--no-cert-check` to skip the certificate check that's failing, but nothing works.

As you can see I'm using a proxy. This may have something to do with this but I'm not sure how it is (maybe?) affecting this.

I don't get how openconnect can work via the NetworkManager KDE widget but fail on the command line. Am I missing something here?

StFS
  • Connect with the KDE widget then check what were the parameters it passed to openconnect (`ps axwww` or check /proc/PID entries) – Giovanni Tirloni Sep 10 '14 at 11:17
  • @gtirloni I had done that already... here is the output (again with IPs and URLs obfuscated): `4976 ? S 0:00 /usr/sbin/openconnect --servercert 5EEEDA5649D06EEC0697E08BEC2D52F9AC631881 --proxy http://proxy.mycompany.com:8080 --syslog --cookie-on-stdin --script /usr/lib/NetworkManager/nm-openconnect-service-openconnect-helper --interface vpn0 vpn.mycompany.com:443`. I tried running this command in a shell and it didn't work. I assumed that was because of the `--cookie-on-stdin` option, so I removed that and then I get exactly the same error as before (Failed to obtain WebVPN cookie). – StFS Sep 10 '14 at 13:45
  • related question [openconnect cannot connect to Anyconnect VPN group using -g](http://serverfault.com/q/771645/125845) – user1129682 Dec 06 '16 at 11:08

1 Answer


You have got to be kidding me!!!

So the problem was that when I got presented with the following option:

```
Please enter your username and password.
GROUP: [1..VPN|2..AD]:
```

I chose "2" and pressed enter! Just for fun I even tried to type in "AD" instead of using "2", still had no luck.

Just now I tried typing in "2..AD"... and that worked!

Mindbogglingly stupid "user experience"!

StFS
  • You got presented with two choices and are upset that it only works if you pick one of them? Seriously? – user1129682 Dec 06 '16 at 11:05
  • 7
    From a UX perspective, those are horrible choices. It's entirely reasonable (to me) that a human would expect entering `2` to work. – Randall Jan 19 '17 at 15:59
  • @StFS: I have a similar problem, but in my case the available group names contain empty spaces. Now I am wondering how I can pass them within the `openconnect`-command correctly: The group names are `GROUP: [tunnel Company XYZ|tunnel all]:`. How should I type this? :-) – Dave Aug 27 '18 at 08:46
  • @Dave I imagine you can quote them: `openconnect --authgroup='tunnel Company XYZ' ...`. Note however, I'm not sure whether `--authgroup` is the correct command line option. I'm no longer on a Linux machine ;-) – StFS Aug 27 '18 at 12:16
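The accepted answer shows that openconnect wants the group *label* (`2..AD`) typed back verbatim, not the index `2`, and Dave's comment raises the quoting problem for labels containing spaces. The following is an added example, not code from the question, the answer or the openconnect project: a small helper that parses the `GROUP: [...]` prompt shown on this page, maps what a human would naturally type onto the exact label, and builds a non-interactive invocation that passes the group with `--authgroup` and pins the server certificate with `--servercert` (the option the NetworkManager-launched process on this page uses) instead of `--no-cert-check`. The pin value, username and the `shell_command` helper are assumptions; the option names `--authgroup`, `--user`, `--servercert` and `--proxy` are real openconnect options.

```python
import re
import shlex

# Constructed sample, same shape as the prompt quoted in the question.
SAMPLE_PROMPT = "GROUP: [1..VPN|2..AD]:"


def parse_group_prompt(line):
    """Return the group labels listed inside 'GROUP: [a|b|c]:'."""
    m = re.search(r"GROUP:\s*\[(.*)\]:", line)
    if not m:
        raise ValueError("not a GROUP prompt: %r" % line)
    return [g.strip() for g in m.group(1).split("|") if g.strip()]


def resolve_group(labels, answer):
    """Map a human answer to the exact label openconnect accepts, or None.

    Accepts the verbatim label ("2..AD"), the numeric prefix or 1-based
    position ("2"), or the text after an 'N..' prefix ("AD").
    """
    answer = answer.strip()
    if answer in labels:
        return answer
    if answer.isdigit():
        for label in labels:                  # prefer an explicit "N.." prefix
            prefix, sep, _ = label.partition("..")
            if sep and prefix == answer:
                return label
        idx = int(answer) - 1                 # fall back to list position
        if 0 <= idx < len(labels):
            return labels[idx]
    for label in labels:                      # "AD" matches "2..AD"
        prefix, sep, rest = label.partition("..")
        if sep and prefix.isdigit() and rest == answer:
            return label
    return None


def build_openconnect_argv(server, group, user, servercert_pin, proxy=None):
    """Non-interactive argv: the group goes in via --authgroup, so no prompt
    appears; --servercert pins the gateway instead of skipping verification.
    servercert_pin is a placeholder here, not a real fingerprint."""
    argv = ["openconnect", "--authgroup", group, "--user", user,
            "--servercert", servercert_pin]
    if proxy:
        argv += ["--proxy", proxy]
    argv.append(server)
    return argv


def shell_command(argv):
    """Quote the argv for a POSIX shell (labels with spaces stay intact)."""
    return " ".join(shlex.quote(a) for a in argv)
```

Run `resolve_group(parse_group_prompt(SAMPLE_PROMPT), "2")` to see `"2..AD"`, the value the asker eventually typed by hand.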