I am using openconnect to connect to a VPN. When starting the client as sudo openconnect -v -u anaphory vpn-gw1.somewhere.net, I am able to connect after entering the GROUP and Password.

# openconnect -v -u anaphory vpn-gw1.somewhere.net
[…]
XML POST enabled
Please enter your username and password.
GROUP: [Anyconnect-VPN|CLUSTER-DLCE|Clientless]:CLUSTER-DLCE
POST https://vpn-gw1.somewhere.net
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
[…]

However, when I specify that same group name on the command line, the connection fails with an “Invalid host entry” message.

# openconnect -v -g CLUSTER-DLCE -u anaphory vpn-gw1.somewhere.net
[…]
XML POST enabled
Please enter your username and password.
Password:XML POST enabled
Invalid host entry. Please re-enter.
Failed to obtain WebVPN cookie

Do I need to do any magic to the group name, or how do I find out how to make this work?

Anaphory

2 Answers

Try --authgroup instead of -g

openconnect -v --authgroup CLUSTER-DLCE -u anaphory vpn-gw1.somewhere.net

Regards

stambata
Andy S
  • this worked for me – Nikolay Dimitrov Jan 04 '18 at 05:13
  • @AndyS and @stambata: Thanks for your kind help! How can I use this command if the group name contains empty spaces between words, for example a group name like: "tunnel Company XYZ"? I cannot write either `authgroup=tunnel Company XYZ` nor `authgroup="tunnel Company XYZ"`. Do you know how to solve this? – Dave Aug 27 '18 at 08:30
  • @AndyS and @stambata: Just for additional information, the group names are provided in the user prompt in that way: `GROUP: [tunnel Company XYZ|tunnel all]:` - How can I type this into the `openconnect`-command? – Dave Aug 27 '18 at 08:48
As a matter of fact, the not answer given by user2000606 leads to success.

The HTTP messages sent to the ASA differ, depending on how you select a group and VPN gateways can be picky about it.

This is my basic call to openconnect

openconnect -v --printcookie --dump-http-traffic \
 --passwd-on-stdin \
 -u johnsmith \
 vpn.ssl.mydomain.tld 

Issuing this command and providing my desired VPN group after being prompted results in the following HTTP chat (I only included the seemingly relevant parts of the XML documents):

[Certificate error, I tell openconnect to continue]
Me >> ASA:  POST / HTTP/1.1
            [...]<group-access>https://vpn.ssl.mydomain.tld</group-access>
ASA << ME:  HTTP/1.1 200 OK
Me >> ASA:  POST / HTTP/1.1
            [...]<group-access>https://vpn.ssl.mydomain.tld/</group-access><group-select>AnyConnect-MyGroup</group-select>
ASA << ME:  HTTP/1.1 200 OK
Me >> ASA:  POST / HTTP/1.1
            [...]<auth><username>johnsmith</username><password>secret</password></auth><group-select>AnyConnect-MyGroup</group-select>
ASA << ME:  HTTP/1.1 200 OK

Notice the group-select-groups and that all requests are POST / HTTP/1.1. The same result is achieved by providing --authgroup AnyConnect-MyGroup with the basic call to openconnect.

When using -g AnyConnect-MyGroup instead of --authgroup AnyConnect-MyGroup the following happens:

Me >> ASA:  POST /AnyConnect-MyGroup HTTP/1.1
            [...]<group-access>https://vpn.ssl.mydomain.tld/AnyConnect-MyGroup</group-access>
ASA << ME:  HTTP/1.1 200 OK
            [...] <error id="91" param1="" param2="">Invalid host entry. Please re-enter.</error>

Notice that this time we don't tell the server group-select but simply squeeze in our group name with group-access and the HTTP request. The same negative result is provoked when adding the group name to the gateway address, i.e. using vpn.ssl.mydomain.tld/AnyConnect-MyGroup as the last line of the basic call to openconnect.

user1129682
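To make the difference in the answer above checkable on your own --dump-http-traffic output, here is an added example (not part of the original answer or of openconnect) that parses an annotated request/response transcript in the "Me >> ASA:" / "ASA << ME:" layout used above, tells for each POST whether the group went out as a group-select element (the --authgroup form) or embedded in the request path (the -g form), and picks up any error element in the reply. The SAMPLE transcript is constructed from the answer's own fragments, and the "Me >> ASA:" annotation style is an assumption about how you label the dump, not openconnect's native output.

```python
import re

# Request/response lines and the XML fragments the answer draws attention to.
REQ = re.compile(r"^Me >> ASA:\s+POST\s+(?P<path>\S+)\s+HTTP/1\.[01]")
RESP = re.compile(r"^ASA << ME:\s+HTTP/1\.[01]\s+(?P<status>\d{3})")
GROUP_SELECT = re.compile(r"<group-select>([^<]*)</group-select>")
ERROR = re.compile(r'<error id="(\d+)"[^>]*>([^<]*)</error>')

# Constructed sample, modelled on the transcript in the answer above (not a real capture).
SAMPLE = """\
Me >> ASA:  POST / HTTP/1.1
            [...]<group-access>https://vpn.ssl.mydomain.tld/</group-access><group-select>AnyConnect-MyGroup</group-select>
ASA << ME:  HTTP/1.1 200 OK
Me >> ASA:  POST /AnyConnect-MyGroup HTTP/1.1
            [...]<group-access>https://vpn.ssl.mydomain.tld/AnyConnect-MyGroup</group-access>
ASA << ME:  HTTP/1.1 200 OK
            [...] <error id="91" param1="" param2="">Invalid host entry. Please re-enter.</error>
"""

def parse_exchange(dump):
    """Split the annotated dump into records: a 'Me >> ASA:'/'ASA << ME:' line starts one, indented lines are its body."""
    records = []
    for line in dump.splitlines():
        if m := REQ.match(line):
            records.append({"dir": "request", "path": m["path"], "body": ""})
        elif m := RESP.match(line):
            records.append({"dir": "response", "status": int(m["status"]), "body": ""})
        elif records and line.startswith(" "):
            records[-1]["body"] += line.strip()
    return records

def classify_requests(records):
    """Say how each request conveyed the group ('group-select' = --authgroup, 'path-embedded' = -g) and whether the ASA answered with an <error>."""
    result = []
    for i, r in enumerate(records):
        if r["dir"] != "request":
            continue
        gs = GROUP_SELECT.search(r["body"])
        nxt = records[i + 1] if i + 1 < len(records) else None
        err = ERROR.search(nxt["body"]) if nxt and nxt["dir"] == "response" else None
        if gs:
            style, group = "group-select", gs.group(1)
        elif r["path"] != "/":
            style, group = "path-embedded", r["path"].lstrip("/")
        else:
            style, group = "none", None
        result.append({"path": r["path"], "style": style, "group": group,
                       "error_id": int(err.group(1)) if err else None,
                       "error_text": err.group(2) if err else None})
    return result
```

Run classify_requests(parse_exchange(...)) over your own transcript: a request reported as path-embedded followed by error id 91 is exactly the -g failure described above, while the working --authgroup call shows as group-select with no error.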