maemo.org - Talk


lorelei 2010-01-08 22:58

[Announce] OpenConnect (-GUI) VPN client
 
Hi all,

I would like to announce a new application (well actually two), available in extras-devel.

First of all: OpenConnect, a free implementation of Cisco's AnyConnect SSL VPN, which is supported by IOS 12.4(9)T or later on Cisco SR500, 870, 880, 1800, 2800, 3800, 7200 Series and Cisco 7301 Routers.

Please note that this client cannot connect to the same VPN servers as vpnc does: those VPN concentrators use a different technology!

The original webpage for OpenConnect: http://www.infradead.org/openconnect.html
This is essentially a straight port from the original source, plus some modifications for maemo.
OpenConnect is available for Fremantle and Diablo.

The second application is OpenConnect-GUI, which is a front-end for OpenConnect (similar to vpnc-gui, from which it takes inspiration for GUI).
OpenConnect-GUI is available only in Fremantle for the moment.

Please report back for any suggestion/bug report (bugs can be reported in maemo's bugzilla).
And if someone wants to design a better looking icon, be my guest! I really suck at graphics :)

Before installing anything from extras-devel, please be sure to read the following warnings:
http://talk.maemo.org/showpost.php?p=343619&postcount=1

A screenshot of OpenConnect-GUI:

http://imgur.com/TMn54l.png

noobmonkey 2010-01-11 09:26

Re: [Announce] OpenConnect (-GUI) VPN client
 
Reallllly want to try this out - but extras devel will bite my ankles off i hear... so i'll let Kathy go first :) (Such a gentleman!)

Can't wait to hear what it is like and see it in extras :)

lorelei 2010-01-11 11:15

Re: [Announce] OpenConnect (-GUI) VPN client
 
A real gentleman ;)

The only problem I see with that kind of application (and the testing of such application) is the fact that Cisco VPN/SSL concentrators are not that common, so it may take quite a while to get the application tested correctly (if at all).

Unfortunately I cannot offer temporary VPN accesses to test, so this application may be condemned to remain eternally in extras-devel (or extras-testing)

noobmonkey 2010-01-11 11:17

Re: [Announce] OpenConnect (-GUI) VPN client
 
Quote:

Originally Posted by lorelei (Post 463855)
A real gentleman ;)

The only problem I see with that kind of application (and the testing of such application) is the fact that Cisco VPN/SSL concentrators are not that common, so it may take quite a while to get the application tested correctly (if at all).

Unfortunately I cannot offer temporary VPN accesses to test, so this application may be condemned to remain eternally in extras-devel (or extras-testing)

Well i gave up waiting and took the leap....
Installs fine! - and i'm struggling at this point - as i think my Cisco VPN (Juniper/stylee) will not work with open connect. :(

But i have to say, looks slick, can edit settings fine :)

mikkov 2010-01-11 14:32

Re: [Announce] OpenConnect (-GUI) VPN client
 
Quote:

Originally Posted by lorelei (Post 463855)
A real gentleman ;)

The only problem I see with that kind of application (and the testing of such application) is the fact that Cisco VPN/SSL concentrators are not that common, so it may take quite a while to get the application tested correctly (if at all).

Unfortunately I cannot offer temporary VPN accesses to test, so this application may be condemned to remain eternally in extras-devel (or extras-testing)

If you don't promote it to extras-testing it won't be tested for sure. But apparently you believe that it works and want people to use it (otherwise you wouldn't have announced it), so please promote it to extras-testing.

lorelei 2010-01-11 15:54

Re: [Announce] OpenConnect (-GUI) VPN client
 
That's a good point. I've promoted it to extras-testing

breeze 2010-01-11 17:08

Re: [Announce] OpenConnect (-GUI) VPN client
 
Any way to add "group" to settings? I need to select a group, for example "student", for my university wlan.

noobmonkey 2010-01-11 17:09

Re: [Announce] OpenConnect (-GUI) VPN client
 
Quote:

Originally Posted by breeze (Post 464555)
Any way to add "group" to settings? I need to select a group, for example "student", for my university wlan.

I have the same question - currently looking at Vpnc and this :| - hopefully one will work!

lorelei 2010-01-11 17:31

Re: [Announce] OpenConnect (-GUI) VPN client
 
In the present version it's not possible to add the group setting. I did not include it, since I didn't need it, but I will gladly add this option in the next release (shouldn't be that far away, and it's a straightforward addition).

What I want to point out however, is that vpnc and openconnect are not interchangeable!

vpnc works with the Cisco VPN concentrator 3000 Series, Cisco PIX appliances and Juniper/Netscreen, by using IKE/IPSEC

openconnect works with other Cisco concentrators (see the top post of this thread), and uses SSL.

Arendtsen 2010-01-11 19:05

Re: [Announce] OpenConnect (-GUI) VPN client
 
I would really like the group choice added.

I'm the administrator of Cisco ASA5510 so I would be able to help debugging if needed. :-)

lorelei 2010-01-11 20:47

Re: [Announce] OpenConnect (-GUI) VPN client
 
Quote:

Originally Posted by Arendtsen (Post 464864)
I would really like the group choice added.

I'm the administrator of Cisco ASA5510 so I would be able to help debugging if needed. :-)

Great! Some more testing is always welcome! I will post an update in this thread when a new version is available.

Planned features for next version:

- support for groups
- cleanup of how the passwords are passed to the underlying openconnect process.
- make the log window thumbs-pannable (at the moment it's only scrollable with the scrollbar).

In any case, I strongly encourage you to report bugs/RFEs to bugs.maemo.org, in the OpenConnect category!

Arendtsen 2010-01-11 22:26

Re: [Announce] OpenConnect (-GUI) VPN client
 
Looking forward to it.
Because I can't connect without groups.

RFEs? Request For Enhancements?

noobmonkey 2010-01-11 22:50

Re: [Announce] OpenConnect (-GUI) VPN client
 
Quote:

Originally Posted by lorelei (Post 464604)
In the present version it's not possible to add the group setting. I did not include it, since I didn't need it, but I will gladly add this option in the next release (shouldn't be that far away, and it's a straightforward addition).

What I want to point out however, is that vpnc and openconnect are not interchangeable!

vpnc works with the Cisco VPN concentrator 3000 Series, Cisco PIX appliances and Juniper/Netscreen, by using IKE/IPSEC

openconnect works with other Cisco concentrators (see the top post of this thread), and uses SSL.

as soon as i figure out which one i need i'll be happy - hehe

lorelei 2010-01-11 22:55

Re: [Announce] OpenConnect (-GUI) VPN client
 
Quote:

Originally Posted by Arendtsen (Post 465291)
RFEs? Request For Enhancements?

Yes: RFE=Request for Enhancements

lorelei 2010-01-11 23:05

Re: [Announce] OpenConnect (-GUI) VPN client
 
Quote:

Originally Posted by noobmonkey (Post 465324)
as soon as i figure out which one i need i'll be happy - hehe

Two possible ways to determine that (short of asking the sysadmin):

if your official VPN client is "Cisco Anyconnect", then OpenConnect should do the trick.
If your official VPN client is "Cisco VPN Client" (if I'm not mistaken), then vpnc should be used.

Another way (less effective): if you can open https://your-vpn-server
with a browser, there's a high probability that OpenConnect is the one you need. (please note the s in https!)

dwmw2 2010-01-12 13:22

Re: [Announce] OpenConnect (-GUI) VPN client
 
Quote:

Originally Posted by lorelei (Post 465077)
Planned features for next version:

- support for groups
- cleanup of how the passwords are passed to the underlying openconnect process.
- make the log window thumbs-pannable (at the moment it's only scrollable with the scrollbar).

In any case, I strongly encourage you to report bugs/RFEs to bugs.maemo.org, in the OpenConnect category!

There are two kinds of 'groups'. There's the 'UserGroup' which ends up as part of the URL (http://vpn.server.org/usergroup/), and then there's the group selection which can be presented as part of the XML form when the user tries to log in.

I would recommend that you use the guts of the NetworkManager auth-dialog tool which is part of openconnect. That will do all the authentication for you, handling all the forms, and then it will just output the resulting HTTP cookie which is what lets you make the connection. We pass that to openconnect with the --cookie-on-stdin option.

Feel free to use the openconnect-devel@lists.infradead.org mailing list for discussing this.
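
Added example, not part of the thread and not OpenConnect-GUI code: the two ways a front-end can hand the cookie described above to openconnect, as an argument (--cookie=) or over a pipe (--cookie-on-stdin). OPENCONNECT_BIN, STUB_DIR and the stub function are assumptions made here so the difference can be checked without a VPN server.

```sh
#!/bin/sh
# Added example, not OpenConnect-GUI code. --cookie= and --cookie-on-stdin are
# openconnect options; OPENCONNECT_BIN, STUB_DIR and openconnect_stub are
# names made up for this sketch.
OPENCONNECT_BIN=${OPENCONNECT_BIN:-openconnect}

# Weak: the cookie is part of argv, so other local users can read it from the
# process list (ps, /proc/<pid>/cmdline) for as long as the VPN stays up.
connect_cookie_argv() {     # usage: connect_cookie_argv SERVER COOKIE
    "$OPENCONNECT_BIN" --cookie="$2" "$1"
}

# Better: argv carries only the option name; the cookie goes through a pipe
# that only the two processes involved can read.
connect_cookie_stdin() {    # usage: connect_cookie_stdin SERVER COOKIE
    printf '%s\n' "$2" | "$OPENCONNECT_BIN" --cookie-on-stdin "$1"
}

# Constructed stand-in for openconnect: records what a process listing would
# show (argv) and what arrived on stdin.
openconnect_stub() {
    printf '%s\n' "$*" > "$STUB_DIR/argv.log"
    cat > "$STUB_DIR/stdin.log"
}

# Offline check: returns 0 when the stdin variant keeps the cookie out of argv.
demo_cookie_handling() {    # usage: demo_cookie_handling SCRATCH_DIR
    STUB_DIR=$1 OPENCONNECT_BIN=openconnect_stub
    cookie='CONSTRUCTED-COOKIE-0001'      # constructed sample value
    connect_cookie_argv vpn.example.org "$cookie" </dev/null
    grep -q "$cookie" "$STUB_DIR/argv.log" || return 1   # visible in argv
    connect_cookie_stdin vpn.example.org "$cookie"
    if grep -q "$cookie" "$STUB_DIR/argv.log"; then return 1; fi
    grep -q "$cookie" "$STUB_DIR/stdin.log"
}
```

The same reasoning applies to the password clean-up listed in the planned features: anything placed on the openconnect command line is readable from the process list.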

lorelei 2010-01-12 15:55

Re: [Announce] OpenConnect (-GUI) VPN client
 
dwmw2: thank you for your input: I was effectively poking around NM to see how it was done and to get some inspiration for the upcoming version.

noobmonkey 2010-01-12 15:57

Re: [Announce] OpenConnect (-GUI) VPN client
 
Quote:

Originally Posted by lorelei (Post 465352)
Two possible ways to determine that (short of asking the sysadmin):

if your official VPN client is "Cisco Anyconnect", then OpenConnect should do the trick.
If your official VPN client is "Cisco VPN Client" (if I'm not mistaken), then vpnc should be used.

Another way (less effective): if you can open https://your-vpn-server
with a browser, there's a high probability that OpenConnect is the one you need. (please note the s in https!)

Ahaaa you sir are a genius! :) And a gentleman

Vpnc and vpnc gui worked a treat! - superb! - but sorry i can't test your app! :(

APA 2010-01-13 04:53

Re: [Announce] OpenConnect (-GUI) VPN client
 
Doesn't seem to work with ASA Anyconnect client-based VPN?

The GUI says I'm connected but just sits there with 'POST' :(

Note this isn't a clientless SSL VPN where you just have access to certain office functions via a web interface, the solution is a full SSL VPN via the downloadable Anyconnect client.

Not the ASA administrator but have worked with them before and would be keen to help debug if necessary...

dwmw2 2010-02-04 07:57

Re: [Announce] OpenConnect (-GUI) VPN client
 
Quote:

Originally Posted by APA (Post 467689)
Doesn't seem to work with ASA Anyconnect client-based VPN?

The GUI says I'm connected but just sits there with 'POST' :(

Can you check whether it works with openconnect from the command line (perhaps on another Linux box), and if not send a bug report to the openconnect mailing list.

breeze 2010-03-22 21:41

Re: [Announce] OpenConnect (-GUI) VPN client
 
Any updates about the group support?

Or is there a way to add the grp setting into the openconnect.conf ?

gm_w 2010-04-21 22:55

Re: [Announce] OpenConnect (-GUI) VPN client
 
can someone help me with this error message when using openconnect gui:

Response body too large for buffer (141075 > 131072)

PintoZ 2010-05-12 19:02

Re: [Announce] OpenConnect (-GUI) VPN client
 
Hello!

I would like to test the software also, but I can connect only to a VPN with groups. So actually I am unable to connect to it with this software.

Waiting for groups implementation :D

iamafish 2010-05-25 09:59

Re: [Announce] OpenConnect (-GUI) VPN client
 
Just trying to get this working on my phone, we use an alternative port number (4443 instead of 443) for Cisco SSL VPN...

Is there any way I can change the port number used by OpenConnect??

Thanks

lorelei 2010-05-25 10:20

Re: [Announce] OpenConnect (-GUI) VPN client
 
From the GUI interface this is not possible (yet). It is however possible by using the command line. I don't have the documentation at hand at the moment, so I cannot give you an immediate answer about that.

iamafish 2010-05-25 16:19

Re: [Announce] OpenConnect (-GUI) VPN client
 
Can I edit the config file that is made by the GUI (where do I find that)?

I had hoped entering the url as xxx.xxx.com:4443 would work as in the Windows AnyConnect client.

iamafish 2010-05-27 12:32

Re: [Announce] OpenConnect (-GUI) VPN client
 
OpenConnect on an Ubuntu box connects fine using simply:

openconnect webvpn.xxx.com:4443

But when I run the same from a root SSH session on the N900 I get

getaddrinfo failed: Name or service not known
Failed to open HTTPS connection to webvpn.xxx.com:4443
Failed to obtain WebVPN cookie

Anybody know why?

iamafish 2010-05-27 12:39

Re: [Announce] OpenConnect (-GUI) VPN client
 
http://lists.infradead.org/pipermail...il/000159.html

Looks like this is a bug not fixed until 2.2, the N900 version here is 2.12...

Any plans to upgrade the version?

lorelei 2010-05-27 12:58

Re: [Announce] OpenConnect (-GUI) VPN client
 
Quote:

Originally Posted by iamafish (Post 682638)
http://lists.infradead.org/pipermail...il/000159.html

Looks like this is a bug not fixed until 2.2, the N900 version here is 2.12...

Any plans to upgrade the version?

Yes, I plan to upgrade OpenConnect in a few weeks, along with bug fixes in the GUI client.

iamafish 2010-05-27 13:07

Re: [Announce] OpenConnect (-GUI) VPN client
 
Quote:

Originally Posted by lorelei (Post 682686)
Yes, I plan to upgrade OpenConnect in a few weeks, along with bug fixes in the GUI client.

Sounds good, would be great for me to have this work :-)

Thanks!

magnunor 2010-05-27 14:49

Re: [Announce] OpenConnect (-GUI) VPN client
 
Works perfectly with my university's SSLVPN. Good job :)

One little nitpick:
my university doesn't use DTLS, so Openconnect uses SSL instead. However this creates a rather verbose error message which might confuse people.

dekirules 2010-06-02 14:37

Re: [Announce] OpenConnect (-GUI) VPN client
 
Quote:

Originally Posted by magnunor (Post 682979)
Works perfectly with my university's SSLVPN. Good job :)

One little nitpick:
my university doesn't use DTLS, so Openconnect uses SSL instead. However this creates a rather verbose error message which might confuse people.

Thank you mate,

I was confused with error message that I got... I haven't even tried to check connectivity... Silly:) Thank you, it works fine...

lorelei 2010-06-02 14:44

Re: [Announce] OpenConnect (-GUI) VPN client
 
Yes, I will pass to openconnect the required option to not use DTLS, so that the ugly error message will disappear. Unfortunately I cannot proceed differently, since the problem is tied to the OpenSSL library, which is pre-compiled by Nokia...

tirtawn 2010-06-29 04:54

Re: [Announce] OpenConnect (-GUI) VPN client
 
Quote:

Originally Posted by lorelei (Post 682686)
Yes, I plan to upgrade OpenConnect in a few weeks, along with bug fixes in the GUI client.

Looking forward to this. Is there any plan to include the group ID on the new release?
Since currently i received a message
GROUP: [XXX|YYYY|ZZZ]: Invalid Inputs
Failed to obtain WebVPN cookie

XXX YYY ZZZ -> real group name

or anyone knows how to do this from command line ?

gjoe 2010-06-29 07:12

Re: [Announce] OpenConnect (-GUI) VPN client
 
Quote:

Originally Posted by tirtawn (Post 733527)
Looking forward to this. Is there any plan to include the group ID on the new release?
Since currently i received a message
GROUP: [XXX|YYYY|ZZZ]: Invalid Inputs
Failed to obtain WebVPN cookie

XXX YYY ZZZ -> real group name

or anyone knows how to do this from command line ?

i also face the same problem as my company requires "group" for authentication.

any plan to support for group option in the next update?

xuggs 2010-06-29 07:49

Re: [Announce] OpenConnect (-GUI) VPN client
 
I wished someone would make a client like this for PPTP VPN.

tirtawn 2010-06-30 18:47

Re: [Announce] OpenConnect (-GUI) VPN client
 
Quote:

Originally Posted by gjoe (Post 733612)
i also face the same problem as my company requires "group" for authentication.

any plan to support for group option in the next update?

Hmm I managed to find a workaround, a little bit manual though.

1. Install rootsh
2. go to terminal
3. sudo gainroot
4. openconnect <servername>
when using this command line interface, the group name is visible and i am able to connect by typing the group name, user id and password.

the problem is the DNS and the routing is not configured yet, so I need to add that manually by creating 2 scripts
1. company.sh --> for all the routing and dns
2. normal.sh -> back to use the default routing and dns

For now it's sufficient since I am able to vpn to my company using this workaround.

gjoe 2010-07-28 08:24

Re: [Announce] OpenConnect (-GUI) VPN client
 
Quote:

Originally Posted by tirtawn (Post 735921)
Hmm I managed to find a workaround, a little bit manual though.

1. Install rootsh
2. go to terminal
3. sudo gainroot
4. openconnect <servername>
when using this command line interface, the group name is visible and i am able to connect by typing the group name, user id and password.

the problem is the DNS and the routing is not configured yet, so I need to add that manually by creating 2 scripts
1. company.sh --> for all the routing and dns
2. normal.sh -> back to use the default routing and dns

For now it's sufficient since I am able to vpn to my company using this workaround.

thanks. by the way, can you share on how to create the scripts for DNS and routing?

tirtawn 2010-07-29 04:38

Re: [Announce] OpenConnect (-GUI) VPN client
 
Quote:

Originally Posted by gjoe (Post 767478)
thanks. by the way, can you share on how to create the scripts for DNS and routing?

Don't laugh. This is really a quick hack.


You will need to find all the IP addresses that you need to access, for example: 10.80.3.3, 10.80.3.1, 10.80.3.2, etc.

You will also need to know the DNS of your company (you can find it when you are connecting using your windows/linux machine)


Example:
company.sh
-----------------------
cd /home/user/company
route add 10.80.3.3 dev tun0
route add 10.80.3.2 dev tun0
route add 10.80.3.1 dev tun0
cp ./resolv.conf.company /etc/resolv.conf


resolv.conf.company
---------------------------------
nameserver 10.80.3.1

resolv.conf.normal
--------------------------
nameserver 127.0.0.1


normal.sh
---------------
cd /home/user/company
route add default gw 192.168.2.1   # change this to your default gw
cp resolv.conf.normal /etc/resolv.conf


Once you are connected using the openconnect, (put openconnect on background),

then execute the company.sh

try microb -> you should be able to access the intranet (i will assume you have stored the ip address in the router table above)

when you are done, close your openconnect.

revert back your normal gateway and DNS.

It's quick and dirty but it works.


I am sure there is a better way to do this. I am open for suggestion.
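
Added example, not part of the original post: the company.sh / normal.sh pair above folded into one script that saves the existing /etc/resolv.conf before replacing it and restores that exact file afterwards, so the device is not left on a hard-coded resolver. VPN_HOSTS, VPN_DNS, RESOLV, ROUTE and the up/down arguments are names made up for this sketch; the addresses are the sample ones from the post.

```sh
#!/bin/sh
# Added example: run as root with "up" once openconnect is connected and with
# "down" after closing it. All variable names below are assumptions.
VPN_HOSTS=${VPN_HOSTS:-"10.80.3.1 10.80.3.2 10.80.3.3"}   # hosts to reach via the VPN
VPN_DNS=${VPN_DNS:-10.80.3.1}                             # company resolver
RESOLV=${RESOLV:-/etc/resolv.conf}
ROUTE=${ROUTE:-route}                                     # ROUTE=echo gives a dry run

vpn_up() {
    dev=${TUNDEV:-tun0}
    # Keep only the first backup, so running "up" twice cannot overwrite the
    # saved original with the company resolver.
    [ -e "$RESOLV.pre-vpn" ] || cp "$RESOLV" "$RESOLV.pre-vpn" || return 1
    for h in $VPN_HOSTS; do
        $ROUTE add -host "$h" dev "$dev" || return 1
    done
    printf 'nameserver %s\n' "$VPN_DNS" > "$RESOLV"
}

vpn_down() {
    dev=${TUNDEV:-tun0}
    for h in $VPN_HOSTS; do
        # The host routes disappear with the tunnel device, so errors are ignored.
        $ROUTE del -host "$h" dev "$dev" 2>/dev/null || true
    done
    # Restore exactly what was there before; only host routes were added, so
    # the default route was never touched.
    if [ -e "$RESOLV.pre-vpn" ]; then
        mv "$RESOLV.pre-vpn" "$RESOLV"
    fi
}

case "${1:-}" in
    up)   vpn_up ;;
    down) vpn_down ;;
esac
```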

rahulstanley 2010-08-03 15:39

Re: [Announce] OpenConnect (-GUI) VPN client
 
Hey..I am just a beginner...So can anyone help me with setting this...I am using..Open connect GUI to set things up....It asks for a VPN server, username and password....Do I have to register somewhere for all these?? Would really appreciate the reply...thanks :)

