
I am using openconnect to connect to a VPN. When starting the client as sudo openconnect -v -u anaphory vpn-gw1.somewhere.net, I am able to connect after entering the GROUP and Password.

    # openconnect -v -u anaphory vpn-gw1.somewhere.net
    […]
    XML POST enabled
    Please enter your username and password.
    GROUP: [Anyconnect-VPN|CLUSTER-DLCE|Clientless]:CLUSTER-DLCE
    POST https://vpn-gw1.somewhere.net
    Got HTTP response: HTTP/1.1 200 OK
    Content-Type: text/html; charset=utf-8
    […]

However, when I specify that same group name on the command line, the connection fails with an “Invalid host entry” message.

    # openconnect -v -g CLUSTER-DLCE -u anaphory vpn-gw1.somewhere.net
    […]
    XML POST enabled
    Please enter your username and password.
    Password:
    XML POST enabled
    Invalid host entry. Please re-enter.
    Failed to obtain WebVPN cookie

Do I need to do any magic to the group name, or how do I find out how to make this work?

2 Answers

Try --authgroup instead of -g

openconnect -v --authgroup CLUSTER-DLCE -u anaphory vpn-gw1.somewhere.net 

Regards

  • this worked for me Commented Jan 4, 2018 at 5:13
  • @AndyS and @stambata: Thanks for your kind help! How can I use this command if the group name contains spaces between words, for example a group name like "tunnel Company XYZ"? I can write neither authgroup=tunnel Company XYZ nor authgroup="tunnel Company XYZ". Do you know how to solve this? Commented Aug 27, 2018 at 8:30
  • @AndyS and @stambata: Just for additional information, the group names are provided in the user prompt in that way: GROUP: [tunnel Company XYZ|tunnel all]: - How can I type this into the openconnect-command? Commented Aug 27, 2018 at 8:48
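As an added example (not code from the answer above or from the openconnect project), the following Python builds the --authgroup invocation from the answer in a way that also covers the group-with-spaces case raised in the comments: each argv element is handed to openconnect as one argument, so "tunnel Company XYZ" is never split, and the password goes in on stdin (--passwd-on-stdin) instead of the command line. The gateway, user and group names are placeholders taken from the question and the comments.

```python
"""Added example; not code from the original answer or from the openconnect
project. Builds the openconnect invocation with --authgroup so that a group
name containing spaces stays one argument, and feeds the password on stdin
rather than on the command line.

Assumed values: the gateway, user and group names are placeholders.
"""
import shlex
import subprocess
from typing import List


def openconnect_argv(gateway: str, user: str, authgroup: str,
                     as_root: bool = True, verbose: bool = True) -> List[str]:
    """Build the argument vector.

    Each list element is exactly one argv entry, so "tunnel Company XYZ"
    reaches openconnect intact; no shell is involved when this list is
    handed to subprocess.run.
    """
    argv = ["sudo"] if as_root else []   # openconnect needs root for the tun device
    argv.append("openconnect")
    if verbose:
        argv.append("-v")
    # --authgroup selects the group in the login form (<group-select>);
    # -g/--usergroup would instead append the name to the URL path.
    argv += ["--authgroup", authgroup, "-u", user, "--passwd-on-stdin", gateway]
    return argv


def as_shell_command(argv: List[str]) -> str:
    """Render argv with the quoting an interactive shell needs,
    e.g. --authgroup 'tunnel Company XYZ'."""
    return " ".join(shlex.quote(a) for a in argv)


def run_openconnect(argv: List[str], password: str) -> int:
    """Run openconnect, supplying the password on stdin so it never shows
    up in `ps` output or in the shell history."""
    proc = subprocess.run(argv, input=password + "\n", text=True)
    return proc.returncode


if __name__ == "__main__":
    import getpass
    argv = openconnect_argv("vpn-gw1.somewhere.net", "anaphory", "tunnel Company XYZ")
    print("equivalent shell command:", as_shell_command(argv))
    raise SystemExit(run_openconnect(argv, getpass.getpass("VPN password: ")))
```

Typed directly into a shell, the equivalent is to quote the group so it is one word: openconnect -v --authgroup 'tunnel Company XYZ' -u anaphory vpn-gw1.somewhere.net.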

As a matter of fact, the not answer given by user2000606 leads to success.

The HTTP messages sent to the ASA differ, depending on how you select a group and VPN gateways can be picky about it.

This is my basic call to openconnect

    openconnect -v --printcookie --dump-http-traffic \
        --passwd-on-stdin \
        -u johnsmith \
        vpn.ssl.mydomain.tld

Issuing this command and providing my desired VPN group after being prompted results in the following HTTP chat (I only included the seemingly relevant parts of the XML documents):

    [Certificate error, I tell openconnect to continue]
    Me >> ASA: POST / HTTP/1.1
      [...]<group-access>https://vpn.ssl.mydomain.tld</group-access>
    ASA << ME: HTTP/1.1 200 OK
    Me >> ASA: POST / HTTP/1.1
      [...]<group-access>https://vpn.ssl.mydomain.tld/</group-access><group-select>AnyConnect-MyGroup</group-select>
    ASA << ME: HTTP/1.1 200 OK
    Me >> ASA: POST / HTTP/1.1
      [...]<auth><username>johnsmith</username><password>secret</password></auth><group-select>AnyConnect-MyGroup</group-select>
    ASA << ME: HTTP/1.1 200 OK

Notice the group-select elements and that all requests are POST / HTTP/1.1. The same result is achieved by providing --authgroup AnyConnect-MyGroup with the basic call to openconnect.

When using -g AnyConnect-MyGroup instead of --authgroup AnyConnect-MyGroup the following happens:

    Me >> ASA: POST /AnyConnect-MyGroup HTTP/1.1
      [...]<group-access>https://vpn.ssl.mydomain.tld/AnyConnect-MyGroup</group-access>
    ASA << ME: HTTP/1.1 200 OK
      [...]
      <error id="91" param1="" param2="">Invalid host entry. Please re-enter.</error>

Notice that this time we don't tell the server group-select but simply squeeze in our group name with group-access and the HTTP request. The same negative result is provoked when adding the group name to the gateway address, i.e. using vpn.ssl.mydomain.tld/AnyConnect-MyGroup as the last line of the basic call to openconnect.
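The two request shapes from the capture above, as an added example that is not part of the original answer: -g is openconnect's short form of --usergroup, which puts the group into the URL path, while --authgroup answers the gateway's group prompt with a <group-select> element. The Python below reconstructs both request bodies and parses an ASA reply for the <error id="91"> element seen in the failing case. The outer <config-auth> envelope is an assumption modelled on openconnect's AnyConnect XML POST; only <group-access>, <group-select>, <auth> and <error> appear in the captured traffic, and the two ASA replies are constructed, not recorded.

```python
"""Added example; not code from the original answer or from the openconnect
project. Reconstructs the two ways openconnect encodes a group choice
against a Cisco ASA, as seen in --dump-http-traffic output, and parses the
ASA reply for the "Invalid host entry" error.

Assumptions: the <config-auth> envelope is modelled on openconnect's
AnyConnect XML POST; the ASA replies below are constructed samples.
"""
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

GATEWAY = "vpn.ssl.mydomain.tld"   # hostname from the answer
GROUP = "AnyConnect-MyGroup"       # group name from the answer


def build_request(gateway: str, group: str, mode: str) -> Tuple[str, str]:
    """Return (request_path, xml_body) for the given group-selection mode.

    mode == "authgroup": POST / with <group-select> (what --authgroup does).
    mode == "usergroup": POST /<group> with the group folded into the URL
                         (what -g / --usergroup does) and no <group-select>.
    """
    if mode == "authgroup":
        path = "/"
        group_access = f"https://{gateway}/"
    elif mode == "usergroup":
        path = f"/{group}"
        group_access = f"https://{gateway}/{group}"
    else:
        raise ValueError(f"unknown mode {mode!r}")

    # Assumed envelope; the child elements are the ones seen on the wire.
    root = ET.Element("config-auth", {"client": "vpn", "type": "init"})
    ET.SubElement(root, "group-access").text = group_access
    if mode == "authgroup":
        ET.SubElement(root, "group-select").text = group
    body = ET.tostring(root, encoding="unicode")
    return path, body


def parse_asa_error(response_xml: str) -> Optional[Tuple[str, str]]:
    """Extract (error id, message) from an ASA reply, or None if no <error>
    element is present. xml.etree does not resolve external entities, so
    gateway-supplied XML can be parsed here without DTD tricks."""
    root = ET.fromstring(response_xml)
    err = root.find(".//error")
    if err is None:
        return None
    return err.get("id", ""), (err.text or "").strip()


# Constructed ASA replies modelled on the capture in the answer (not real traffic).
ASA_OK = '<config-auth client="vpn" type="auth-request"><auth id="main"/></config-auth>'
ASA_INVALID_HOST = (
    '<config-auth client="vpn" type="auth-request">'
    '<error id="91" param1="" param2="">Invalid host entry. Please re-enter.</error>'
    '</config-auth>'
)

if __name__ == "__main__":
    for mode in ("authgroup", "usergroup"):
        path, body = build_request(GATEWAY, GROUP, mode)
        print(f"--{mode}: POST {path} HTTP/1.1\n  {body}")
    print("ok reply     ->", parse_asa_error(ASA_OK))
    print("failed reply ->", parse_asa_error(ASA_INVALID_HOST))
```

The practical check this gives you: if openconnect reports "Invalid host entry" and --dump-http-traffic shows the group name in the POST path rather than in a <group-select> element, the group was passed with -g instead of --authgroup (or appended to the gateway hostname), and the gateway is rejecting the path, not the credentials.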
