
I connect to a pulse VPN via

sudo openconnect --juniper {{myserver}}

and it has worked for months. This morning when I try to get in, after accepting the cert and doing username/password it just ends with

Connected to HTTPS on {{myserver}}
Got HTTP response: HTTP/1.1 400 Bad Request
Unexpected 400 result from server
Creating SSL connection failed

Is there a change I need? A workaround?

Feasoron

2 Answers


I just got this working. There is a bug reported

http://lists.infradead.org/pipermail/openconnect-devel/2016-September/003951.html

which causes the Pulse server to reject clients that do not present a content header of 256 bits on certain packets. This has been fixed in the source code, but has not been compiled into the Ubuntu Xenial releases yet (most likely other releases). To install from source I had to:

  • copy vpnc-script from http://git.infradead.org/users/dwmw2/vpnc-scripts.git/blob_plain/HEAD:/vpnc-script to /etc/vpnc/vpnc-script
  • chmod +x /etc/vpnc/vpnc-script
  • clone the source git://git.infradead.org/users/dwmw2/openconnect.git
  • cd openconnect
  • git checkout v7.08
  • sudo apt-get install automake libtool liblz4-1 libxml2-dev openssl libssl-dev
  • sudo ./autogen.sh
  • sudo ./configure (you may need to add --without-openssl-version-check to squelch a warning)
  • sudo make
  • sudo make install

Then just run it from the directory you cloned into, for me: sudo ~/code/openconnect/openconnect --juniper <server> -u <username>

I have been trying to make this work for months but I am now being given an IP address by our Pulse app.

Andrew Meyer
  • I've followed your instructions but DNS is not set correctly. Any suggestions? – Dror Cohen Mar 10 '17 at 06:13
  • It may be possible that the Pulse server is not sending the DNS information to you or that openconnect does not understand the information it is given. (Taken from my openconnect dialogue: "WARNING: Juniper Network Connect support is experimental. It will probably be superseded by Junos Pulse support.") It may also be possible that Network Manager or dnsmasq are interfering with the published DNS settings. It is a common issue with OpenVPN that the Linux device does not pick up and use the DNS servers without an update to resolvconf. – Andrew Meyer Mar 10 '17 at 18:06
  • Dror, I noticed that I have the same problem and got around it by manually editing my /etc/dnsmasq.conf and adding server=/TLD/dns-server-1-ip statements. Not the most elegant solution, but it worked for me and my use case. – Andrew Meyer Apr 19 '17 at 16:11
  • This issue was fixed in their 7.08 release, so instead of pulling down the bleeding edge source code from GitHub, you could download the stable 7.08 release and compile. http://www.infradead.org/openconnect/changelog.html – Elliot B. Aug 22 '17 at 04:49
  • I'd add `git checkout v7.08` to freeze the above instructions for OpenConnect 7.08 (or grab the official 7.08 tarball). – HenrikB Nov 11 '17 at 20:36
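A check worth running before (and after) the build steps above, as an added example that is not part of the answer: parse the banner printed by `openconnect --version` and report whether the installed build predates the 7.08 release that carries the fix. It assumes the first output line has the form `OpenConnect version vX.Y`, optionally followed by a git suffix; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: tell whether the installed
# openconnect predates the 7.08 release named in the answer, so you know
# whether a source build is actually needed. Assumes `openconnect --version`
# prints "OpenConnect version vX.Y" (optionally with a git suffix) first.

MIN_VERSION="7.08"

# extract_version OUTPUT: print "X.Y" from the first line of OUTPUT, or
# nothing if that line does not look like an OpenConnect version banner.
extract_version() {
    printf '%s\n' "$1" |
        sed -n '1s/^OpenConnect version v\([0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p'
}

# version_lt A B: succeed when A is older than B. Major and minor parts are
# compared numerically with test(1), so the result does not depend on string
# order and a leading zero ("08") is not read as octal.
version_lt() {
    a_major=${1%%.*} a_minor=${1#*.}
    b_major=${2%%.*} b_minor=${2#*.}
    [ "$a_major" -lt "$b_major" ] ||
        { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -lt "$b_minor" ]; }
}

# needs_fixed_build OUTPUT: succeed when the version in OUTPUT is older than
# MIN_VERSION. An unparsable banner also succeeds: if the version cannot be
# confirmed, treat the fix as absent rather than assume it is present.
needs_fixed_build() {
    v=$(extract_version "$1")
    [ -z "$v" ] && return 0
    version_lt "$v" "$MIN_VERSION"
}

# Stand-alone use: inspect whatever openconnect is first on PATH.
if command -v openconnect >/dev/null 2>&1; then
    banner=$(openconnect --version 2>&1) || true
    if needs_fixed_build "$banner"; then
        echo "installed: $(extract_version "$banner"); build $MIN_VERSION or newer"
    else
        echo "installed: $(extract_version "$banner"); already has the 7.08 fix"
    fi
fi
```

Run it again after `make install` to confirm the binary on PATH is the rebuilt one and not the distribution package.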

As Andrew pointed out, this is because the version of openconnect is out of date. Rather than have a self-built version of openconnect, I actually added the package source for Zesty, updated just openconnect and turned off the package source. Given that I'll move to Zesty next month, this felt fairly low risk to me.

Feasoron