Active Topics
-
Maemo repository (13)
to Community by nieldk - 1 day, 1 hr ago -
Error after installing Leste on sdcard (18)
to Maemo 7 / Leste by Maemish - 3 days, 1 hr ago -
Maemo 20th Anniversary (4)
to Brainstorm by teroyk - 4 days, 20 hrs ago -
Nokia Booklet 3G (RX-75) Drivers (64)
to Alternatives by teroyk - 4 days, 20 hrs ago - more...
|
2011-05-10
, 18:48
|
|
Posts: 323 |
Thanked: 180 times |
Joined on Oct 2009
@ Gent, Belgium
|
#82
|
My IBM VPN access via OpenConnect still works fine, even after reflashing, installing power47 and CSSU. I whished I could replicate your behaviour but I can't ... all is still fine with connecting and tunneling 
Maybe register here and ask the question, after all they are the real developers behind OpenConnect :
http://lists.infradead.org/mailman/l...nconnect-devel
Maybe register here and ask the question, after all they are the real developers behind OpenConnect :
http://lists.infradead.org/mailman/l...nconnect-devel
| The Following User Says Thank You to Netweaver For This Useful Post: | ||
|
|
2011-05-11
, 21:48
|
|
Posts: 5 |
Thanked: 5 times |
Joined on Jan 2010
|
#83
|
Originally Posted by sirpaul
It would be so much more useful if we could have this conversation on the openconnect-devel mailing list.
Code:CSTP Dead Peer Detection detected dead peer!
The 'dead peer' message above means that the server did not respond to our 'ping'. The HTTPS connection to the server seems to have stopped working. When this happens, openconnect should *reconnect* to the server. Does it not?
Can you run tcpdump (filtered for port 443 on the vpn server) and show the traffic while this happens? And show the output of '/sbin/route -n' while you ought to be connected. Please don't post them here; send mail to the openconnect-devel@lists.infradead.org list.
| The Following User Says Thank You to dwmw2 For This Useful Post: | ||
|
|
2011-05-11
, 22:01
|
|
Posts: 5 |
Thanked: 5 times |
Joined on Jan 2010
|
#84
|
DTLS seems to be working here...
I object to using the --no-cert-check option; please don't do that. Instead, use the --servercert option to tell OpenConnect what the server's cert fingerprint *should* be. Then it doesn't need to validate it against the full CA trust chain.
Also, you shouldn't need to patch OpenConnect to accept a password on the command line. You can already just 'echo $PASSWORD | openconnect --passwd-on-stdin', and then the password doesn't sit around visible in ps(1) for the entire lifetime of the VPN session.
In fact, though, you shouldn't be giving the username/group/password/etc to OpenConnect at all. If you look at the command line above, that's basically what we should be doing. The *GUI* can handle the authentication, then all it needs to give openconnect is the server's address and cert, and the cookie.
Code:
Nokia-N900:~# echo $COOKIE | /usr/bin/openconnect --cookie-on-stdin --script /usr/share/openconnect/vpnc-script --servercert 2C1104B703504606AB12813AFC315438B94F85BB $SERVER -v Attempting to connect to x.x.x.x:443 SSL negotiation with x.x.x.x Connected to HTTPS on x.x.x.x Got CONNECT response: HTTP/1.1 200 OK X-CSTP-Version: 1 X-CSTP-Address: 10.255.12.105 X-CSTP-Netmask: 255.255.252.0 X-CSTP-DNS: 10.248.2.1 X-CSTP-DNS: 10.19.1.12 X-CSTP-Lease-Duration: 172800 X-CSTP-Session-Timeout: 172800 X-CSTP-Idle-Timeout: 43200 X-CSTP-Disconnected-Timeout: 43200 X-CSTP-Split-Exclude: 0.0.0.0/255.255.255.255 X-CSTP-Keep: true X-CSTP-Rekey-Time: 86400 X-CSTP-Rekey-Method: new-tunnel X-CSTP-DPD: 30 X-CSTP-Keepalive: 15 X-CSTP-MSIE-Proxy-Lockdown: true X-CSTP-Smartcard-Removal-Disconnect: true X-CSTP-Content-Encoding: deflate X-DTLS-Session-ID: 3BABE19A744F1298EFCFF084CC7268333C27FBA5C1727D56BE1D550C42F1C9E7 X-DTLS-Port: 443 X-DTLS-Keepalive: 15 X-DTLS-DPD: 30 X-DTLS-Rekey-Time: 86400 X-CSTP-MTU: 1266 X-DTLS-CipherSuite: AES128-SHA X-CSTP-Routing-Filtering-Ignore: false CSTP connected. DPD 30, Keepalive 15 DTLS option X-DTLS-Session-ID : 3BABE19A744F1298EFCFF084CC7268333C27FBA5C1727D56BE1D550C42F1C9E7 DTLS option X-DTLS-Port : 443 DTLS option X-DTLS-Keepalive : 15 DTLS option X-DTLS-DPD : 30 DTLS option X-DTLS-Rekey-Time : 86400 DTLS option X-DTLS-CipherSuite : AES128-SHA DTLS connected. DPD 30, Keepalive 15 Connected tun0 as 10.255.12.105, using SSL + deflate No work to do; sleeping for 14000 ms... No work to do; sleeping for 14000 ms... Established DTLS connection No work to do; sleeping for 14000 ms... Sent DTLS packet of 64 bytes; SSL_write() returned 65 No work to do; sleeping for 2000 ms... Received DTLS packet 0x00 of 131 bytes No work to do; sleeping for 2000 ms... Sent DTLS packet of 83 bytes; SSL_write() returned 84 ...
Also, you shouldn't need to patch OpenConnect to accept a password on the command line. You can already just 'echo $PASSWORD | openconnect --passwd-on-stdin', and then the password doesn't sit around visible in ps(1) for the entire lifetime of the VPN session.
In fact, though, you shouldn't be giving the username/group/password/etc to OpenConnect at all. If you look at the command line above, that's basically what we should be doing. The *GUI* can handle the authentication, then all it needs to give openconnect is the server's address and cert, and the cookie.
|
|
2011-05-14
, 09:17
|
|
Posts: 90 |
Thanked: 44 times |
Joined on Aug 2010
|
#85
|
The problem is solved!
First of all give dwmw2 a big thanks! for the solution.
The problem was that the rouing wasn't configured properly because iproute was missing:
Regarding to dmwm2, iproute should be in extras-testing, so steps 1-3 will not be needed!
1. Enable the Kluenter-Repo on your device (via Standard AppMan):
Catalog name: kluenter
Web Address: http://maemo.kluenter.de/packages
Distribution: fremantle
Components: main
2. Wait till the updating is done and close AppMan.
3. You may need to restart (or wait?) your device if 4. does not work (e.g. something is "locked")
4. via xterm enter:
and
5. Openconnect works now fine!
Last edited by sirpaul; 2011-05-15 at 11:12.
First of all give dwmw2 a big thanks! for the solution.
The problem was that the rouing wasn't configured properly because iproute was missing:
Regarding to dmwm2, iproute should be in extras-testing, so steps 1-3 will not be needed!
1. Enable the Kluenter-Repo on your device (via Standard AppMan):
Catalog name: kluenter
Web Address: http://maemo.kluenter.de/packages
Distribution: fremantle
Components: main
2. Wait till the updating is done and close AppMan.
3. You may need to restart (or wait?) your device if 4. does not work (e.g. something is "locked")
4. via xterm enter:
Code:
root
Code:
apt-get install iproute
Last edited by sirpaul; 2011-05-15 at 11:12.
|
|
2011-05-14
, 23:03
|
|
Posts: 5 |
Thanked: 5 times |
Joined on Jan 2010
|
#86
|
I think iproute is in extras-testing too?
The issue is a bug in vpnc-script. It assumes that after the VPN is set up, the route to the VPN server should be via the same gateway as your old default route. But in your case, the VPN server is actually *on* your local subnet, not the other side of the gateway.
When it's using iproute, it gets it right, but the old version using /sbin/route has this bug. If someone wants to fix it *properly*, that would be appreciated...
The issue is a bug in vpnc-script. It assumes that after the VPN is set up, the route to the VPN server should be via the same gateway as your old default route. But in your case, the VPN server is actually *on* your local subnet, not the other side of the gateway.
When it's using iproute, it gets it right, but the old version using /sbin/route has this bug. If someone wants to fix it *properly*, that would be appreciated...
| The Following User Says Thank You to dwmw2 For This Useful Post: | ||
 |
|
2011-10-24
, 06:19
|
|
Posts: 28 |
Thanked: 58 times |
Joined on Jan 2010
|
#87
|
Hmm, does anyone have any idea what to do next? I tried openconnect from extras-testing and from extras-devel. Both give me same kind of output (below, IP-address changed). I think the reason is "Server certificate verify failed: unable to get local issuer certificate", but I don't really know what to do now. I tried to google, but didn't find anything useful for my problem. Something to do with certs, but how to fix it?
So this is when I try with openconnect 2.26 from my N900, when I use openconnect 3.13 from home, it works ok. Anyone know if there is openconnect 3.13 compiled for N900?
Last edited by jvesiluoma; 2011-10-24 at 06:22.
So this is when I try with openconnect 2.26 from my N900, when I use openconnect 3.13 from home, it works ok. Anyone know if there is openconnect 3.13 compiled for N900?
Code:
openconnect --authgroup=anyconnect --user=testuser vpntest.testaddr.com:443 --verbose --disable-ipv6 --script=/etc/vpnc/vpnc-script Attempting to connect to 12.123.12.123:443 SSL negotiation with vpntest.testaddr.com Server certificate verify failed: unable to get local issuer certificate Certificate from VPN server "vpntest.testaddr.com" failed verification. Reason: unable to get local issuer certificate Enter 'yes' to accept, 'no' to abort; anything else to view: yes Connected to HTTPS on vpntest.testaddr.com GET https://vpntest.testaddr.com/ Got HTTP response: HTTP/1.0 302 Object Moved Content-Type: text/html Content-Length: 0 Cache-Control: no-cache Pragma: no-cache Connection: Close Date: Mon, 24 Oct 2011 06:19:34 GMT Location: /+webvpn+/index.html Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure HTTP body length: (0) SSL negotiation with vpntest.testaddr.com Server certificate verify failed: unable to get local issuer certificate Connected to HTTPS on vpntest.testaddr.com GET https://vpntest.testaddr.com/+webvpn+/index.html Got HTTP response: HTTP/1.1 200 OK Transfer-Encoding: chunked Content-Type: text/xml Cache-Control: max-age=0 Set-Cookie: webvpn=<elided>; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure Set-Cookie: webvpnlogin=1; secure X-Transcend-Version: 1 HTTP body chunked (-2) Fixed options give Please enter your username and password. Username:testuser Password: POST https://vpntest.testaddr.com/+webvpn+/index.html Got HTTP response: HTTP/1.1 200 OK Transfer-Encoding: chunked Content-Type: text/xml Cache-Control: max-age=0 Set-Cookie: webvpn=<elided>; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure Set-Cookie: webvpnlogin=1; secure X-Transcend-Version: 1 HTTP body chunked (-2) Fixed options give Please enter your username and password. Username:testuser Password: POST https://vpntest.testaddr.com/+webvpn+/index.html Got HTTP response: HTTP/1.1 200 OK Transfer-Encoding: chunked Content-Type: text/xml Cache-Control: max-age=0 Set-Cookie: webvpn=<elided>; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure Set-Cookie: webvpnlogin=1; secure X-Transcend-Version: 1 HTTP body chunked (-2) Fixed options give Please enter your username and password. Username:
__________________
JMV
www.jmv.fi
"Duct tape is like the Force. It has a light side, a dark side, and it holds the universe together...."
JMV
www.jmv.fi
"Duct tape is like the Force. It has a light side, a dark side, and it holds the universe together...."
Last edited by jvesiluoma; 2011-10-24 at 06:22.
|
|
2011-10-25
, 07:00
|
|
Posts: 28 |
Thanked: 58 times |
Joined on Jan 2010
|
#88
|
Okay...this is a pretty dirty hack, but working.
This is somewhat off topic, sorry for that, but just in case someone needs the information...I managed to got openconnect working by finding a binary of openconnect 3.12 compiled to some embedded ARM device and then I just made following links:
and now I have a working VPN connection from N900 to my office.
This is somewhat off topic, sorry for that, but just in case someone needs the information...I managed to got openconnect working by finding a binary of openconnect 3.12 compiled to some embedded ARM device and then I just made following links:
Code:
ln -s /usr/lib/libssl.so.0.9.8 /usr/lib/libssl.so.1.0.0 ln -s /usr/lib/libcrypto.so.0.9.8 /usr/lib/libcrypto.so.1.0.0 ln -s /usr/lib/libz.so.1 /usr/lib/libz.so
__________________
JMV
www.jmv.fi
"Duct tape is like the Force. It has a light side, a dark side, and it holds the universe together...."
JMV
www.jmv.fi
"Duct tape is like the Force. It has a light side, a dark side, and it holds the universe together...."
|
|
2011-11-01
, 16:43
|
|
Posts: 1 |
Thanked: 0 times |
Joined on Oct 2011
@ switzerland
|
#89
|
How difficult would it be to get openconnect
running on Harmattan ?
I would love to see it running on the N9, but I am new to Maemo/Meego development, and I cannot really estimate how much knowledge and work it would need.
Thanks, mweiss38
running on Harmattan ?
I would love to see it running on the N9, but I am new to Maemo/Meego development, and I cannot really estimate how much knowledge and work it would need.
Thanks, mweiss38
of course, my admin was convinced that the error should be on my side.
but what are we doing wrong?
i was doing the same things as everytime.
so why should an error always repeat on different machines AND different networks and still be related to that machine?
and if it is a problem connected to openconnect (even the newest version) why aren't there more threads about dead peer detection?
@flocke000 do you get internetaccess before the dead peer is detected?