Openconnect and Pulse Stopped Working
I connect to a pulse VPN via
sudo openconnect --juniper {{myserver}}
and it has worked for months. This morning when I try to get in, after accepting the cert and doing username/password it just ends with
Connected to HTTPS on {{myserver}}
Got HTTP response: HTTP/1.1 400 Bad Request
Unexpected 400 result from server
Creating SSL connection failed
Is there a change I need? A workaround?
I just got this working. There is a bug reported
http://lists.infradead.org/pipermail/openconnect-devel/2016-September/003951.html
which causes the Pulse server to reject clients that do not present a content header of 256 bits on certain packets. This has been fixed in the source code, but has not been compiled into the Ubuntu Xenial releases yet (most likely other releases). To install from source I had to:
- copy vpnc-script from the following link to /etc/vpnc/vpnc-script
http://git.infradead.org/users/dwmw2/vpnc-scripts.git/blob_plain/HEAD:/vpnc-script
- chmod +x /etc/vpnc/vpnc-script
- clone the source
git://git.infradead.org/users/dwmw2/openconnect.git
- cd openconnect
git checkout v7.08
sudo apt-get install automake libtool liblz4-1 libxml2-dev openssl libssl-dev
sudo ./autogen.sh
- sudo ./configure
You may need to add --without-openssl-version-check to squelch a warning.
- sudo make
sudo make install
Then just run it from the directory you cloned into, for me:
sudo ~/code/openconnect/openconnect --juniper <server> -u <username>
I have been trying to make this work for months but I am now being given an IP address by our pulse app.
As Andrew pointed out, this is because the version of openconnect is out of date. Rather than have a self-built version of openconnect, I actually added the package source for Zesty, updated just openconnect and turned off the package source. Given that I'll move to Zesty next month, this felt fairly low risk to me.
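
Added example, not part of either answer: a shell check for whether the installed openconnect is older than v7.08, the tag the first answer builds. It assumes v7.08 is the first release carrying the fix and that `openconnect --version` prints a banner starting with "OpenConnect version v"; the function names are hypothetical and the banners used to exercise it are constructed.

```shell
#!/bin/sh
# Added example: decide whether an openconnect build predates v7.08.
FIXED_VERSION="7.08"   # tag built in the answer; assumed first release with the fix

# Extract "7.06" from a banner such as "OpenConnect version v7.06-2build2".
parse_oc_version() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenConnect version v\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p' |
        head -n 1
}

# Return 0 when dotted version $1 is strictly lower than $2.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        # Drop the component just read (or everything when no dot remains).
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        # "[" compares in base 10, so a component like "08" is safe here.
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1
}

# Return 0 = predates the fix, 1 = new enough, 2 = banner not recognised.
needs_rebuild() {
    v=$(parse_oc_version "$1")
    [ -n "$v" ] || return 2
    version_lt "$v" "$FIXED_VERSION"
}

# Report on the local install, if there is one.
if command -v openconnect >/dev/null 2>&1; then
    banner=$(openconnect --version 2>/dev/null | head -n 1)
    needs_rebuild "$banner"
    case $? in
        0) echo "older than v$FIXED_VERSION, update needed: $banner" ;;
        1) echo "v$FIXED_VERSION or newer: $banner" ;;
        *) echo "could not parse version banner: $banner" ;;
    esac
fi
```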