2

I need to connect to a Cisco VPN on Linux and at first I did this using the KDE NetworkManager plasma widget thingy. That worked fine and I'm able to connect to the VPN if I choose it from the Network Manager widget.

However, if I try using the command line things don't work (IPs and URLs have been changed to protect the innocent):

    ➜ ~ sudo openconnect --proxy http://proxy.mycompany.com:8080 vpn.mycompany.com:443
    POST https://vpn.mycompany.com/
    Attempting to connect to proxy 172.17.122.135:8080
    Requesting HTTP proxy connection to vpn.mycompany.com:443
    Unexpected continuation line after CONNECT response: 'Via: 1.1 SPROXY2'
    Unexpected continuation line after CONNECT response: 'X-WebMarshal-RequestID: 445D5E14-309A-4AA2-B7AF-07CAAD5BB21D'
    SSL negotiation with vpn.mycompany.com
    Server certificate verify failed: signer not found
    Certificate from VPN server "vpn.mycompany.com" failed verification.
    Reason: signer not found
    Enter 'yes' to accept, 'no' to abort; anything else to view: yes
    Connected to HTTPS on vpn.mycompany.com
    Got HTTP response: HTTP/1.0 302 Object Moved
    GET https://vpn.mycompany.com/
    Attempting to connect to proxy 172.17.122.135:8080
    Requesting HTTP proxy connection to vpn.mycompany.com:443
    Unexpected continuation line after CONNECT response: 'Via: 1.1 SPROXY2'
    Unexpected continuation line after CONNECT response: 'X-WebMarshal-RequestID: 39FA73DC-1FDD-4C4C-A1A6-5993477DD8E3'
    SSL negotiation with vpn.mycompany.com
    Server certificate verify failed: signer not found
    Connected to HTTPS on vpn.mycompany.com
    Got HTTP response: HTTP/1.0 302 Object Moved
    GET https://vpn.mycompany.com/+webvpn+/index.html
    Requesting HTTP proxy connection to vpn.mycompany.com:443
    Unexpected continuation line after CONNECT response: 'Via: 1.1 SPROXY2'
    Unexpected continuation line after CONNECT response: 'X-WebMarshal-RequestID: 0141A4E6-1EA7-4FAE-AFA0-E56B2BC07BD1'
    SSL negotiation with vpn.mycompany.com
    Server certificate verify failed: signer not found
    Connected to HTTPS on vpn.mycompany.com
    Please enter your username and password.
    GROUP: [1..VPN|2..AD]:2
    Auth choice "2" not valid
    Failed to obtain WebVPN cookie
    ➜ ~

I get prompted that the certificate verification failed and then I get prompted to choose the group but then everything fails with "Auth choice "2" not valid".

I've tried different options for the openconnect command, for example -g to specify the group, -u to specify the username, and --no-cert-check to skip the certificate check that's failing, but nothing works.

As you can see I'm using a proxy. This may have something to do with this but I'm not sure how it is (maybe?) affecting this.

I don't get how openconnect can work via the NetworkManager KDE widget but fail on the command line. Am I missing something here?

  • Connect with the KDE widget, then check what parameters it passed to openconnect (ps axwww or check /proc/PID entries). Commented Sep 10, 2014 at 11:17
  • @gtirloni I had done that already... here is the output (again with IPs and URLs obfuscated):
        4976 ? S 0:00 /usr/sbin/openconnect --servercert 5EEEDA5649D06EEC0697E08BEC2D52F9AC631881 --proxy proxy.mycompany.com:8080 --syslog --cookie-on-stdin --script /usr/lib/NetworkManager/nm-openconnect-service-openconnect-helper --interface vpn0 vpn.mycompany.com:443
    I tried running this command in a shell and it didn't work. I assumed that was because of the --cookie-on-stdin option, so I removed that and then I get exactly the same error as before (Failed to obtain WebVPN cookie). Commented Sep 10, 2014 at 13:45
  • related question openconnect cannot connect to Anyconnect VPN group using -g Commented Dec 6, 2016 at 11:08

1 Answer

6

You have got to be kidding me!!!

So the problem was that when I got presented with the following option:

Please enter your username and password. GROUP: [1..VPN|2..AD]: 

I chose "2" and pressed enter! Just for fun I even tried to type in "AD" instead of using "2", still had no luck.

Just now I tried typing in "2..AD"... and that worked!

Mindbogglingly stupid "user experience"!

  • You got presented with two choices and are upset that it only works if you pick one of them? Seriously? Commented Dec 6, 2016 at 11:05
  • From a UX perspective, those are horrible choices. It's entirely reasonable (to me) that a human would expect entering 2 to work. Commented Jan 19, 2017 at 15:59
  • @StFS: I have a similar problem, but in my case the available group names contain empty spaces. Now I am wondering how I can pass them within the openconnect-command correctly: The group names are GROUP: [tunnel Company XYZ|tunnel all]:. How should I type this? :-) Commented Aug 27, 2018 at 8:46
  • @Dave I imagine you can quote them: openconnect --authgroup='tunnel Company XYZ' .... Note however, I'm not sure whether --authgroup is the correct command line option. I'm no longer on a linux machine ;-) Commented Aug 27, 2018 at 12:16
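The accepted answer shows that openconnect wants the group label exactly as the gateway lists it ("2..AD", not "2" or "AD"), and the last comment asks how to pass a label that contains spaces. The following Python helper, added here as an illustration and not part of the original question or of openconnect itself, parses the GROUP prompt shown on this page, maps a human's shorthand ("2", "AD") onto the one label it unambiguously names, and renders a shell-safe command line with --authgroup (a real openconnect option) so that labels with spaces are quoted correctly. It also reproduces what the NetworkManager invocation in the comments does for certificate handling: it pins the gateway certificate with --servercert rather than disabling verification with --no-cert-check, so a "signer not found" error is resolved by trust, not by turning the check off. The fingerprint value and prompt strings below are constructed sample data copied from this page.

```python
import re
import shlex

# Matches the group prompt openconnect prints, e.g.
#   "Please enter your username and password. GROUP: [1..VPN|2..AD]:"
PROMPT_RE = re.compile(r"GROUP:\s*\[(?P<opts>[^\]]*)\]")
# Matches gateway labels of the form "<index>..<name>", e.g. "2..AD"
INDEXED_LABEL_RE = re.compile(r"^(?P<index>\d+)\.\.(?P<name>.*)$")


def parse_group_prompt(prompt_line):
    """Return the exact labels the gateway lists, in order.

    Labels are returned verbatim (including spaces) because openconnect
    only accepts an answer that matches one of them character for character.
    """
    match = PROMPT_RE.search(prompt_line)
    if match is None:
        raise ValueError("no GROUP: [...] prompt found in %r" % prompt_line)
    return [opt.strip() for opt in match.group("opts").split("|") if opt.strip()]


def resolve_group(labels, choice):
    """Map a user's shorthand onto the single label it unambiguously names.

    Accepts the full label ("2..AD"), the numeric index ("2") or the name
    part ("AD"). Anything that matches zero or several labels is an error,
    mirroring openconnect's own 'Auth choice "2" not valid' rejection.
    """
    choice = choice.strip()
    if choice in labels:
        return choice
    matches = []
    for label in labels:
        m = INDEXED_LABEL_RE.match(label)
        if m and choice in (m.group("index"), m.group("name")):
            matches.append(label)
    if len(matches) != 1:
        raise ValueError("%r does not name exactly one of %r" % (choice, labels))
    return matches[0]


def build_openconnect_argv(server, group, proxy=None, servercert=None, user=None):
    """Assemble an argv list for openconnect; quoting is left to the caller.

    --authgroup, --proxy, --servercert and --user are documented openconnect
    options. --servercert pins the gateway certificate by fingerprint (what the
    NetworkManager plugin on this page does) instead of skipping verification.
    """
    argv = ["openconnect", "--authgroup", group]
    if user:
        argv += ["--user", user]
    if proxy:
        argv += ["--proxy", proxy]
    if servercert:
        argv += ["--servercert", servercert]
    argv.append(server)
    return argv


def render_command(argv):
    """Render argv as a single shell-safe string (labels with spaces get quoted)."""
    return shlex.join(argv)


if __name__ == "__main__":
    # Constructed sample: the prompt from the question, answered with "2".
    prompt = "Please enter your username and password. GROUP: [1..VPN|2..AD]:"
    labels = parse_group_prompt(prompt)
    group = resolve_group(labels, "2")  # -> "2..AD"
    argv = build_openconnect_argv(
        "vpn.mycompany.com:443", group,
        proxy="http://proxy.mycompany.com:8080",
        servercert="5EEEDA5649D06EEC0697E08BEC2D52F9AC631881",  # fingerprint from the page
    )
    print(render_command(argv))

    # Constructed sample: the prompt from the comments, with spaces in labels.
    spaced = parse_group_prompt("GROUP: [tunnel Company XYZ|tunnel all]:")
    print(render_command(build_openconnect_argv("vpn.mycompany.com:443", spaced[0])))
```

Running the script prints two command lines; the second one quotes the group as `--authgroup 'tunnel Company XYZ'`, which is exactly the quoting the final comment guesses at. The fingerprint passed to --servercert should be taken from an out-of-band trusted source (here, the value the NetworkManager plugin already had), never copied blindly from the certificate the failed connection just presented.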
