
#1 2016-06-24 13:32:48

Abaddon
Member
From: Poland
Registered: 2004-05-03
Posts: 249

Openconnect doesn't work with DTLS

I am trying to connect to Cisco's WEBVPN using openconnect. The connection is successful: tun0 is created and configured with the proper IP/mask, DNS is set in resolv.conf and routes are properly added.

Openconnect says:

Connected tun0 as 192.168.55.59, using SSL
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(RSA)-(AES-256-CBC)-(SHA1).

Unfortunately no traffic passes through tun0. Tcpdump shows the packets that I send on tun0, but there is no answer. Everything works when I disable DTLS (--no-dtls), but then it's VPN encapsulated in HTTPS, which is rather slow. I tried the official Cisco AnyConnect client on Windows and it seems to have no issues with DTLS.

Any ideas?


Gnome - The weakest link!
Linux, *not* GNU/Linux!


#2 2016-06-28 03:59:53

Elizine
Member
From: United Kingdom
Registered: 2015-10-07
Posts: 39

Re: Openconnect doesn't work with DTLS

The program openconnect connects to Cisco "AnyConnect" VPN servers, which use standard TLS and DTLS protocols for data transport.

The connection happens in two phases. First there is a simple HTTPS connection over which the user authenticates somehow - by using a certificate, or password or SecurID, etc. Having authenticated, the user is rewarded with an HTTP cookie which can be used to make the real VPN connection.

The second phase uses that cookie in an HTTPS CONNECT request, and data packets can be passed over the resulting connection. In auxiliary headers exchanged with the CONNECT request, a Session-ID and Master Secret for a DTLS connection are also exchanged, which allows data transport over UDP to occur.

Use WebVPN cookie COOKIE; fetch webvpn cookie only, don't connect; print webvpn cookie before connecting.

Hope this will help you.


#3 2016-07-01 14:31:30

Abaddon
Member
From: Poland
Registered: 2004-05-03
Posts: 249

Re: Openconnect doesn't work with DTLS

I tried that:

openconnect -s /etc/vpnc/vpnc-script https://vpn.domain:8443 --pfs --disable-ipv6 --no-proxy --no-cert-check --verbose --cookieonly

This printed cookie which I used in second step:

openconnect -s /etc/vpnc/vpnc-script https://vpn.domain:8443 --pfs --disable-ipv6 --no-proxy --no-cert-check --verbose -C COOKIE_FROM_PREVIOUS_STEP

I got connected, but the result is the same as before. Openconnect says that the DTLS connection is established, but traffic doesn't go through.


Gnome - The weakest link!
Linux, *not* GNU/Linux!
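The two-phase login described in #2 and the two-step commands in #3 leave one gap: openconnect's "Established DTLS connection" line only proves the handshake finished, not that datagrams are answered. The script below is an added example, not part of this thread or of openconnect itself; it runs the cookie-then-connect sequence, probes the tunnel, and falls back to --no-dtls when DTLS is up but dead, keeping the DTLS log for the UDP-path investigation. It assumes /etc/vpnc/vpnc-script, a pid file path, and caller-supplied gateway URL, in-tunnel probe address and tun device name.

```shell
#!/bin/sh
# Added diagnostic for the symptom in this thread: openconnect reports
# "Established DTLS connection" yet nothing answers on tun0, while --no-dtls works.
# Assumptions (not from the thread): vpnc-script at /etc/vpnc/vpnc-script, the pid
# file below, and caller-supplied gateway URL, probe address and tun device.
PIDFILE=/run/openconnect-check.pid

# Classify the transport from openconnect's own status lines: dtls, ssl or none.
transport_from_log() {                      # $1: log file
    if grep -q '^Established DTLS connection' "$1"; then echo dtls
    elif grep -q '^Connected tun[0-9]* as .*using SSL' "$1"; then echo ssl
    else echo none; fi
}

# "DTLS established" only means the handshake finished; prove the data path
# with an ICMP probe bound to the tun device.
tunnel_passes_traffic() {                   # $1: probe address, $2: tun device
    ping -c 3 -W 2 -I "$2" "$1" >/dev/null 2>&1
}

# Map (transport, probe result) to an action: ok, fallback-no-dtls or fail.
next_action() {                             # $1: dtls|ssl|none, $2: pass|fail
    case "$1:$2" in
        *:pass)    echo ok ;;
        dtls:fail) echo fallback-no-dtls ;;
        *)         echo fail ;;
    esac
}

# Two-phase login as in the thread: fetch the WebVPN cookie, then connect with it.
connect_vpn() {                             # $1: gateway URL, $2: extra flags, $3: log file
    cookie=$(openconnect --cookieonly "$1") || return 1
    # $2 is left unquoted on purpose so several flags split into words.
    openconnect -s /etc/vpnc/vpnc-script -C "$cookie" -b --pid-file="$PIDFILE" \
        $2 "$1" >"$3" 2>&1
}

# Connect, probe, and reconnect with --no-dtls when DTLS is up but carries nothing.
run_session() {                             # $1: gateway URL, $2: probe addr, $3: tun dev
    log=$(mktemp)
    connect_vpn "$1" "" "$log" || return 1
    sleep 5                                 # let the tunnel and DTLS come up
    probe=fail; tunnel_passes_traffic "$2" "$3" && probe=pass
    transport=$(transport_from_log "$log")
    action=$(next_action "$transport" "$probe")
    echo "transport=$transport probe=$probe action=$action (dtls log: $log)"
    if [ "$action" = fallback-no-dtls ]; then
        kill "$(cat "$PIDFILE")"; sleep 1
        connect_vpn "$1" "--no-dtls" "$log.nodtls"   # keep the DTLS log as evidence
    fi
}
# Example: run_session https://vpn.example:8443 192.168.55.1 tun0
```

When the fallback triggers, the saved DTLS log plus a capture of UDP 443 on the physical interface is what to hand to the network team: no inbound datagrams from the gateway points at the UDP path, not at openconnect.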

