openconnect cannot connect to Anyconnect VPN group using -g

vpn openconnect

I am using openconnect to connect to a VPN. When starting the client as sudo openconnect -v -u anaphory vpn-gw1.somewhere.net, I am able to connect after entering the GROUP and Password.

# openconnect -v -u anaphory vpn-gw1.somewhere.net
[…]
XML POST enabled
Please enter your username and password.
GROUP: [Anyconnect-VPN|CLUSTER-DLCE|Clientless]:CLUSTER-DLCE
POST https://vpn-gw1.somewhere.net
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
[…]

However, when I specify that same group name on the command line, the connection fails with an “Invalid host entry” message.

# openconnect -v -g CLUSTER-DLCE -u anaphory vpn-gw1.somewhere.net
[…]
XML POST enabled
Please enter your username and password.
Password:XML POST enabled
Invalid host entry. Please re-enter.
Failed to obtain WebVPN cookie

Do I need to do any magic to the group name, or how do I find out how to make this work?


Solution 1:

Try --authgroup instead of -g

openconnect -v --authgroup CLUSTER-DLCE -u anaphory vpn-gw1.somewhere.net

Regards

Solution 2:

As a matter of fact, the not answer given by user2000606 leads to success.

The HTTP messages sent to the ASA differ, depending on how you select a group and VPN gateways can be picky about it.

This is my basic call to openconnect

openconnect -v --printcookie --dump-http-traffic \
 --passwd-on-stdin \
 -u johnsmith \
 vpn.ssl.mydomain.tld

Issuing this command and providing my desired VPN group after being prompted results in the followin HTTP chat (I only included the seemingly relevant parts of the XML documents):

[Certificate error, I tell openconnect to continue]
Me >> ASA:  POST / HTTP/1.1
            [...]<group-access>https://vpn.ssl.mydomain.tld</group-access>
ASA << ME:  HTTP/1.1 200 OK
Me >> ASA:  POST / HTTP/1.1
            [...]<group-access>https://vpn.ssl.mydomain.tld/</group-access><group-select>AnyConnect-MyGroup</group-select>
ASA << ME:  HTTP/1.1 200 OK
Me >> ASA:  POST / HTTP/1.1
            [...]<auth><username>johnsmith</username><password>secret</password></auth><group-select>AnyConnect-MyGroup</group-select>
ASA << ME:  HTTP/1.1 200 OK

Notice the group-select-groups and that all requests are POST / HTTP/1.1. The same result is achieved by providing --authgroup AnyConnect-MyGroup with the basic call to openconnect.

When using -g AnyConnect-MyGroup instead of --authgroup AnyConnect-MyGroup the following happens:

Me >> ASA:  POST /AnyConnect-MyGroup HTTP/1.1
            [...]<group-access>https://vpn.ssl.mydomain.tld/AnyConnect-MyGroup</group-access>
ASA << ME:  HTTP/1.1 200 OK
            [...] <error id="91" param1="" param2="">Invalid host entry. Please re-enter.</error>

Notice that this time we don't tell the server group-select but simply squeeze in our group name with group-access and the HTTP request. The same negative result is provoked when adding the group name to the gateway address, i.e. using vpn.ssl.mydomain.tld/AnyConnect-MyGroup as the last line of the basic call to openconnect.

Related

Logrotate and Open Files
Scripting alternatives to Bash shell scripts
Recording Audio from Radio Stream
copy and paste in windows XP just stops working
logical sector size changes depending on whether it is attached via USB or direct SATA
Batch Script Redirection Syntax
Setting a default CPU Frequency in Ubuntu?
What is a simple, small, yet nice RSI watcher for Windows? [closed]
Virus protection for flash drives
Block all ports except SSH/HTTP in ipchains and iptables
Can I prevent a driver from being installed with windows 8.1?
How can I bridge a Verizon mobile hotspot modem/router to a Linksys router?