Home / server / Questions / 771645
In Process
Anaphory
Asked: 2016-04-21 01:04:04 +0800 CST

openconnect cannot connect to Anyconnect VPN group using -g

  • 772

I am using openconnect to connect to a VPN. When starting the client as sudo openconnect -v -u anaphory vpn-gw1.somewhere.net, I am able to connect after entering the GROUP and Password.

# openconnect -v -u anaphory vpn-gw1.somewhere.net
[…]
XML POST enabled
Please enter your username and password.
GROUP: [Anyconnect-VPN|CLUSTER-DLCE|Clientless]:CLUSTER-DLCE
POST https://vpn-gw1.somewhere.net
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
[…]

However, when I specify that same group name on the command line, the connection fails with an “Invalid host entry” message.

# openconnect -v -g CLUSTER-DLCE -u anaphory vpn-gw1.somewhere.net
[…]
XML POST enabled
Please enter your username and password.
Password:XML POST enabled
Invalid host entry. Please re-enter.
Failed to obtain WebVPN cookie

Do I need to do any magic to the group name, or how do I find out how to make this work?

vpn openconnect

2 Answers

  1. Try --authgroup instead of -g

    openconnect -v --authgroup CLUSTER-DLCE -u anaphory vpn-gw1.somewhere.net

    Regards

    • 32

  2. As a matter of fact, the not answer given by user2000606 leads to success.

    The HTTP messages sent to the ASA differ, depending on how you select a group and VPN gateways can be picky about it.

    This is my basic call to openconnect

    openconnect -v --printcookie --dump-http-traffic \
 --passwd-on-stdin \
 -u johnsmith \
 vpn.ssl.mydomain.tld

    Issuing this command and providing my desired VPN group after being prompted results in the followin HTTP chat (I only included the seemingly relevant parts of the XML documents):

    [Certificate error, I tell openconnect to continue]
Me >> ASA:  POST / HTTP/1.1
            [...]<group-access>https://vpn.ssl.mydomain.tld</group-access>
ASA << ME:  HTTP/1.1 200 OK
Me >> ASA:  POST / HTTP/1.1
            [...]<group-access>https://vpn.ssl.mydomain.tld/</group-access><group-select>AnyConnect-MyGroup</group-select>
ASA << ME:  HTTP/1.1 200 OK
Me >> ASA:  POST / HTTP/1.1
            [...]<auth><username>johnsmith</username><password>secret</password></auth><group-select>AnyConnect-MyGroup</group-select>
ASA << ME:  HTTP/1.1 200 OK

    Notice the group-select-groups and that all requests are POST / HTTP/1.1. The same result is achieved by providing --authgroup AnyConnect-MyGroup with the basic call to openconnect.

    When using -g AnyConnect-MyGroup instead of --authgroup AnyConnect-MyGroup the following happens:

    Me >> ASA:  POST /AnyConnect-MyGroup HTTP/1.1
            [...]<group-access>https://vpn.ssl.mydomain.tld/AnyConnect-MyGroup</group-access>
ASA << ME:  HTTP/1.1 200 OK
            [...] <error id="91" param1="" param2="">Invalid host entry. Please re-enter.</error>

    Notice that this time we don't tell the server group-select but simply squeeze in our group name with group-access and the HTTP request. The same negative result is provoked when adding the group name to the gateway address, i.e. using vpn.ssl.mydomain.tld/AnyConnect-MyGroup as the last line of the basic call to openconnect.

    • 4