Package: network-manager-openconnect
Version: 1.2.2-1
Severity: normal

I have set up an openconnect VPN in NetworkManager but it is failing. When I try the VPN connection directly using openconnect from the command line it works. It looks like there is a problem with network-manager-openconnect.
When I run openconnect from the command line, this is what I get:

# openconnect -c /home/brente/.cisco/certificates/client/brente.pem -k /home/brente/.cisco/certificates//client/private/brente.key --csd-user brente --csd-wrapper /usr/share/ibm-config-NetworkManager-openconnect/ohsd.py --no-xmlpost sasvpn.pok.ibm.com
GET https://sasvpn.pok.ibm.com/
Attempting to connect to server 129.33.253.74:443
Using client certificate 'BRENT S. ELMER'
SSL negotiation with sasvpn.pok.ibm.com
Connected to HTTPS on sasvpn.pok.ibm.com
Got HTTP response: HTTP/1.0 302 Temporary moved
GET https://sasvpn06.pok.ibm.com/
Attempting to connect to server 129.33.253.80:443
SSL negotiation with sasvpn06.pok.ibm.com
Connected to HTTPS on sasvpn06.pok.ibm.com
Got HTTP response: HTTP/1.0 302 Temporary moved
GET https://sasvpn06.pok.ibm.com/+webvpn+/index.html
SSL negotiation with sasvpn06.pok.ibm.com
Connected to HTTPS on sasvpn06.pok.ibm.com
GET https://sasvpn06.pok.ibm.com/CACHE/sdesktop/install/binaries/sfinst
SSL negotiation with sasvpn06.pok.ibm.com
Connected to HTTPS on sasvpn06.pok.ibm.com
GET https://sasvpn06.pok.ibm.com/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
Open Honor System Desktop: gateway ACCEPTED our response
GET https://sasvpn06.pok.ibm.com/+CSCOE+/sdesktop/wait.html
SSL negotiation with sasvpn06.pok.ibm.com
Connected to HTTPS on sasvpn06.pok.ibm.com
Got HTTP response: HTTP/1.1 302 Moved Temporarily
GET https://sasvpn06.pok.ibm.com/+webvpn+/index.html
SSL negotiation with sasvpn06.pok.ibm.com
Connected to HTTPS on sasvpn06.pok.ibm.com
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
Connected tun0 as 9.85.165.126, using SSL + lzs
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(RSA)-(AES-256-CBC)-(SHA1).
When I run nmcli from the command line, using the connection set up in NetworkManager, this is what I get:

$ nmcli c up 'IBM Secure Access Service'
A password is required to connect to 'IBM Secure Access Service'.
Warning: password for 'vpn.secrets.gateway' not given in 'passwd-file' and nmcli cannot ask without '--ask' option.
Error: Connection activation failed: no valid VPN secrets.

I should not have to use --ask because I am using a certificate instead. Anyhow, this is what I get when I add --ask:

$ nmcli --ask c up 'IBM Secure Access Service'
POST https://sasvpn.pok.ibm.com/
Attempting to connect to server 129.33.253.74:443
SSL negotiation with sasvpn.pok.ibm.com
Connected to HTTPS on sasvpn.pok.ibm.com
Got HTTP response: HTTP/1.0 302 Temporary moved
POST https://sasvpn02.pok.ibm.com/
Attempting to connect to server 129.33.253.76:443
SSL negotiation with sasvpn02.pok.ibm.com
Connected to HTTPS on sasvpn02.pok.ibm.com
Server requested SSL client certificate; none was configured
POST https://sasvpn02.pok.ibm.com/
XML response has no "auth" node
GET https://sasvpn.pok.ibm.com/
Attempting to connect to server 129.33.253.74:443
SSL negotiation with sasvpn.pok.ibm.com
Connected to HTTPS on sasvpn.pok.ibm.com
Got HTTP response: HTTP/1.0 302 Temporary moved
GET https://sasvpn02.pok.ibm.com/
Attempting to connect to server 129.33.253.76:443
SSL negotiation with sasvpn02.pok.ibm.com
Connected to HTTPS on sasvpn02.pok.ibm.com
Got HTTP response: HTTP/1.0 302 Temporary moved
GET https://sasvpn02.pok.ibm.com/+webvpn+/index.html
SSL negotiation with sasvpn02.pok.ibm.com
Connected to HTTPS on sasvpn02.pok.ibm.com
GET https://sasvpn02.pok.ibm.com/CACHE/sdesktop/install/binaries/sfinst
Error: Server asked us to download and run a 'Cisco Secure Desktop' trojan.
This facility is disabled by default for security reasons, so you may wish to enable it.
Failed to obtain WebVPN cookie
Error: openconnect failed with status 1
A password is required to connect to 'IBM Secure Access Service'.
Gateway (vpn.secrets.gateway):
A password is required to connect to 'IBM Secure Access Service'.
Cookie (vpn.secrets.cookie):
A password is required to connect to 'IBM Secure Access Service'.
Gateway certificate hash (vpn.secrets.gwcert):
Error: Connection activation failed: no valid VPN secrets.

Here are the contents of /etc/NetworkManager/system-connections/IBM Secure Access Service:

[connection]
id=IBM Secure Access Service
uuid=2355cea5-f08a-46fc-9901-58f95414711c
type=vpn
autoconnect=false
permissions=
secondaries=

[vpn]
authtype=cert
autoconnect-flags=0
cacert=/usr/share/ibm-config-NetworkManager-openconnect/ibm-vpn-ca-bundle.pem
certsigs-flags=0
cookie-flags=2
csd_wrapper=/usr/share/ibm-config-NetworkManager-openconnect/ohsd.py
enable_csd_trojan=yes
gateway=sasvpn.pok.ibm.com
gateway-flags=2
gwcert-flags=2
lasthost-flags=0
pem_passphrase_fsid=no
stoken_source=disabled
usercert=/home/brente/.cisco/certificates/client/brente.pem
userkey=/home/brente/.cisco/certificates/client/private/brente.key
xmlconfig-flags=0
service-type=org.freedesktop.NetworkManager.openconnect

[ipv4]
dns-search=s81c.com;ibm.com;
method=auto
never-default=true

[ipv6]
addr-gen-mode=eui64
dns-search=
ip6-privacy=0
method=auto

It doesn't look like NetworkManager is even trying to use the certificate.
-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.7.5.161003 (SMP w/8 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages network-manager-openconnect depends on:
ii  adduser          3.115
ii  libc6            2.24-5
ii  libglib2.0-0     2.50.1-1
ii  libnm0           1.4.2-2
ii  network-manager  1.4.2-2
ii  openconnect      7.06-2+b2

network-manager-openconnect recommends no packages.

network-manager-openconnect suggests no packages.

-- no debconf information
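An added example, not part of the bug report or of the network-manager-openconnect package: a small Python checker that reads a NetworkManager keyfile like the one posted above and reports what a reviewer would want to know before chasing the "none was configured" message, namely whether the usercert/userkey/cacert paths actually exist, how each *-flags secret is stored (the numeric values are NetworkManager's NMSettingSecretFlags: 0 stored by NetworkManager, 1 agent-owned, 2 not-saved, 4 not-required), and whether enable_csd_trojan=yes is set, since that lets openconnect execute a binary the gateway supplies. The sample keyfile below is constructed from the [vpn] keys the report shows; the file_exists parameter is this example's own device so the check can be run on a machine that does not have the reporter's files.

```python
import configparser
import os

# Constructed sample: the [vpn] keys from the bug report, trimmed to the
# ones this checker looks at.
SAMPLE_KEYFILE = "\n".join([
    "[connection]",
    "id=IBM Secure Access Service",
    "type=vpn",
    "autoconnect=false",
    "[vpn]",
    "authtype=cert",
    "cacert=/usr/share/ibm-config-NetworkManager-openconnect/ibm-vpn-ca-bundle.pem",
    "cookie-flags=2",
    "csd_wrapper=/usr/share/ibm-config-NetworkManager-openconnect/ohsd.py",
    "enable_csd_trojan=yes",
    "gateway=sasvpn.pok.ibm.com",
    "gateway-flags=2",
    "gwcert-flags=2",
    "usercert=/home/brente/.cisco/certificates/client/brente.pem",
    "userkey=/home/brente/.cisco/certificates/client/private/brente.key",
    "service-type=org.freedesktop.NetworkManager.openconnect",
    "",
])

OPENCONNECT_SERVICE = "org.freedesktop.NetworkManager.openconnect"

# NetworkManager NMSettingSecretFlags: 0 means NetworkManager stores the
# secret itself; the non-zero values are bit flags that can be combined.
SECRET_FLAG_BITS = {1: "agent-owned", 2: "not-saved", 4: "not-required"}


def describe_secret_flags(value):
    """Translate a numeric *-flags value into NetworkManager's meaning."""
    if value == 0:
        return "system-owned"
    names = [name for bit, name in SECRET_FLAG_BITS.items() if value & bit]
    return "+".join(names) if names else "unknown(%d)" % value


def check_openconnect_keyfile(text, file_exists=os.path.isfile):
    """Parse a NetworkManager keyfile and report on its openconnect [vpn] section.

    file_exists is injectable (hypothetical helper for this example) so the
    check can be exercised against paths that are not present locally.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keyfile keys are case-sensitive; keep them as written
    cp.read_string(text)
    report = {"problems": [], "missing_files": [],
              "csd_trojan_enabled": False, "secret_flags": {}}
    if "vpn" not in cp:
        report["problems"].append("no [vpn] section")
        return report
    vpn = cp["vpn"]
    if vpn.get("service-type") != OPENCONNECT_SERVICE:
        report["problems"].append("service-type is not %s" % OPENCONNECT_SERVICE)
    # Certificate authentication needs both halves of the credential on disk.
    if vpn.get("authtype") == "cert":
        for key in ("usercert", "userkey"):
            path = vpn.get(key, "")
            if not path:
                report["problems"].append("authtype=cert but %s is not set" % key)
            elif not file_exists(path):
                report["missing_files"].append(path)
    if vpn.get("cacert") and not file_exists(vpn["cacert"]):
        report["missing_files"].append(vpn["cacert"])
    # enable_csd_trojan=yes lets openconnect run the gateway's CSD binary,
    # i.e. code supplied by the server, so it is worth surfacing explicitly.
    if vpn.get("enable_csd_trojan", "no") == "yes":
        report["csd_trojan_enabled"] = True
        if not vpn.get("csd_wrapper"):
            report["problems"].append("enable_csd_trojan=yes without a csd_wrapper script")
    # Every *-flags key says how NetworkManager handles that secret.
    for key, value in vpn.items():
        if key.endswith("-flags"):
            try:
                report["secret_flags"][key] = describe_secret_flags(int(value))
            except ValueError:
                report["problems"].append("%s=%r is not an integer" % (key, value))
    return report


if __name__ == "__main__":
    # Run against the real filesystem; on a machine without the reporter's
    # certificate files the three paths show up under missing_files.
    result = check_openconnect_keyfile(SAMPLE_KEYFILE)
    for section, value in result.items():
        print("%s: %s" % (section, value))
```

With the report's keyfile, gateway-flags, cookie-flags and gwcert-flags all decode to not-saved, which matches nmcli prompting for vpn.secrets.gateway, vpn.secrets.cookie and vpn.secrets.gwcert in the output above; the checker only reports that correspondence, it does not decide whether the plugin should have needed those secrets for certificate authentication.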