View Full Version : [Announce] OpenConnect (-GUI) VPN client


lorelei
2010-01-08, 22:58
Hi all,

I would like to announce a new application (well actually two), available in extras-devel.

First of all: OpenConnect, a free implementation of Cisco's AnyConnect SSL VPN, which is supported by IOS 12.4(9)T or later on Cisco SR500, 870, 880, 1800, 2800, 3800, 7200 Series and Cisco 7301 Routers.

Please note that this client cannot connect to the same VPN servers as vpnc does: those VPN concentrators use a different technology!

The original webpage for OpenConnect: http://www.infradead.org/openconnect.html
This is essentially a straight port from the original source, plus some modifications for maemo.
OpenConnect is available for Fremantle and Diablo.

The second application is OpenConnect-GUI, which is a front-end for OpenConnect (similar to vpnc-gui, from which it takes inspiration for the GUI).
OpenConnect-GUI is available only in Fremantle for the moment.

Please report back for any suggestion/bug report (bugs can be reported in maemo's bugzilla).
And if someone wants to design a better looking icon, be my guest! I really suck at graphics :)

Before installing anything from extras-devel, please be sure to read the following warnings:
http://talk.maemo.org/showpost.php?p=343619&postcount=1

A screenshot of OpenConnect-GUI:

http://imgur.com/TMn54l.png (http://imgur.com/TMn54.png)

noobmonkey
2010-01-11, 09:26
Reallllly want to try this out - but extras-devel will bite my ankles off, I hear... so I'll let Kathy go first :) (Such a gentleman!)

Can't wait to hear what it is like and see it in extras :)

lorelei
2010-01-11, 11:15
A real gentleman ;)

The only problem I see with that kind of application (and the testing of such application) is the fact that Cisco VPN/SSL concentrators are not that common, so it may take quite a while to get the application tested correctly (if at all).

Unfortunately I cannot offer temporary VPN access for testing, so this application may be condemned to remain eternally in extras-devel (or extras-testing).

noobmonkey
2010-01-11, 11:17
A real gentleman ;)

The only problem I see with that kind of application (and the testing of such application) is the fact that Cisco VPN/SSL concentrators are not that common, so it may take quite a while to get the application tested correctly (if at all).

Unfortunately I cannot offer temporary VPN access for testing, so this application may be condemned to remain eternally in extras-devel (or extras-testing).

Well i gave up waiting and took the leap....
Installs fine! - and I'm struggling at this point - as I think my Cisco VPN (Juniper/stylee) will not work with OpenConnect. :(

But I have to say, it looks slick, can edit settings fine :)

mikkov
2010-01-11, 14:32
A real gentleman ;)

The only problem I see with that kind of application (and the testing of such application) is the fact that Cisco VPN/SSL concentrators are not that common, so it may take quite a while to get the application tested correctly (if at all).

Unfortunately I cannot offer temporary VPN access for testing, so this application may be condemned to remain eternally in extras-devel (or extras-testing).

If you don't promote it to extras-testing it won't be tested for sure. But apparently you believe that it works and want people to use it (otherwise you wouldn't have announced it), so please promote it to extras-testing.

lorelei
2010-01-11, 15:54
That's a good point. I've promoted it to extras-testing.

breeze
2010-01-11, 17:08
Any way to add "group" to settings? I need to select a group, for example "student", for my university WLAN.

noobmonkey
2010-01-11, 17:09
Any way to add "group" to settings? I need to select a group, for example "student", for my university WLAN.

I have the same question - currently looking at vpnc and this :| - hopefully one will work!

lorelei
2010-01-11, 17:31
In the present version it's not possible to add the group setting. I did not include it, since I didn't need it, but I will gladly add this option in the next release (shouldn't be that far away, and it's a straightforward addition).

What I want to point out however, is that vpnc and openconnect are not interchangeable!

vpnc works with the Cisco VPN Concentrator 3000 Series, Cisco PIX appliances and Juniper/Netscreen, using IKE/IPsec.

openconnect works with other Cisco concentrators (see the top post of this thread), and uses SSL.

Arendtsen
2010-01-11, 19:05
I would really like the group choice added.

I'm the administrator of a Cisco ASA5510, so I would be able to help debugging if needed. :-)

lorelei
2010-01-11, 20:47
I would really like the group choice added.

I'm the administrator of a Cisco ASA5510, so I would be able to help debugging if needed. :-)

Great! Some more testing is always welcome! I will post an update in this thread when a new version is available.

Planned features for next version:

- support for groups
- cleanup of how the passwords are passed to the underlying openconnect process.
- make the log window thumb-pannable (at the moment it's only scrollable with the scrollbar).

In any case, I strongly encourage you to report bugs/RFEs to bugs.maemo.org, in the OpenConnect category!

Arendtsen
2010-01-11, 22:26
Looking forward to it.
Because I can't connect without groups.

RFEs? Request For Enhancements?

noobmonkey
2010-01-11, 22:50
In the present version it's not possible to add the group setting. I did not include it, since I didn't need it, but I will gladly add this option in the next release (shouldn't be that far away, and it's a straightforward addition).

What I want to point out however, is that vpnc and openconnect are not interchangeable!

vpnc works with the Cisco VPN Concentrator 3000 Series, Cisco PIX appliances and Juniper/Netscreen, using IKE/IPsec.

openconnect works with other Cisco concentrators (see the top post of this thread), and uses SSL.

As soon as I figure out which one I need I'll be happy - hehe

lorelei
2010-01-11, 22:55
RFEs? Request For Enhancements?

Yes: RFE = Request for Enhancement.

lorelei
2010-01-11, 23:05
As soon as I figure out which one I need I'll be happy - hehe

Two possible ways to determine that (short of asking the sysadmin):

If your official VPN client is "Cisco AnyConnect", then OpenConnect should do the trick.
If your official VPN client is "Cisco VPN Client" (if I'm not mistaken), then vpnc should be used.

Another way (less effective): if you can open https://your-vpn-server
with a browser, there's a high probability that OpenConnect is the one you need. (please note the s in https!)

dwmw2
2010-01-12, 13:22
Planned features for next version:

- support for groups
- cleanup of how the passwords are passed to the underlying openconnect process.
- make the log window thumb-pannable (at the moment it's only scrollable with the scrollbar).

In any case, I strongly encourage you to report bugs/RFEs to bugs.maemo.org, in the OpenConnect category!

There are two kinds of 'groups'. There's the 'UserGroup' which ends up as part of the URL (http://vpn.server.org/usergroup/), and then there's the group selection which can be presented as part of the XML form when the user tries to log in.

I would recommend that you use the guts of the NetworkManager auth-dialog tool which is part of openconnect. That will do all the authentication for you, handling all the forms, and then it will just output the resulting HTTP cookie which is what lets you make the connection. We pass that to openconnect with the --cookie-on-stdin option.

Feel free to use the openconnect-devel@lists.infradead.org mailing list for discussing this.

lorelei
2010-01-12, 15:55
dwmw2: thank you for your input: I was effectively poking around NM to see how it was done and to get some inspiration for the upcoming version.

noobmonkey
2010-01-12, 15:57
Two possible ways to determine that (short of asking the sysadmin):

If your official VPN client is "Cisco AnyConnect", then OpenConnect should do the trick.
If your official VPN client is "Cisco VPN Client" (if I'm not mistaken), then vpnc should be used.

Another way (less effective): if you can open https://your-vpn-server
with a browser, there's a high probability that OpenConnect is the one you need. (please note the s in https!)

Ahaaa you sir are a genius! :) And a gentleman

vpnc and vpnc-gui worked a treat! - superb! - but sorry, I can't test your app! :(

APA
2010-01-13, 04:53
Doesn't seem to work with ASA Anyconnect client-based VPN?

The GUI says I'm connected but just sits there with 'POST' :(

Note this isn't a clientless SSL VPN where you just have access to certain office functions via a web interface, the solution is a full SSL VPN via the downloadable Anyconnect client.

Not the ASA administrator but have worked with them before and would be keen to help debug if necessary...

dwmw2
2010-02-04, 07:57
Doesn't seem to work with ASA Anyconnect client-based VPN?

The GUI says I'm connected but just sits there with 'POST' :(


Can you check whether it works with openconnect from the command line (perhaps on another Linux box), and if not, send a bug report to the openconnect mailing list.

breeze
2010-03-22, 21:41
Any updates about the group support?

Or is there a way to add the group setting into openconnect.conf?

gm_w
2010-04-21, 22:55
Can someone help me with this error message when using OpenConnect GUI:

Response body too large for buffer (141075 > 131072)

PintoZ
2010-05-12, 19:02
Hello!

I would like to test the software also, but I can connect only to a VPN with groups. So actually I am unable to connect to it with this software.

Waiting for groups implementation :D

iamafish
2010-05-25, 09:59
Just trying to get this working on my phone, we use an alternative port number (4443 instead of 443) for Cisco SSL VPN...

Is there any way I can change the port number used by OpenConnect?

Thanks

lorelei
2010-05-25, 10:20
From the GUI interface this is not possible (yet). It is however possible by using the command line. I don't have the documentation at hand at the moment, so I cannot give you an immediate answer about that.

iamafish
2010-05-25, 16:19
Can I edit the config file that is made by the GUI (where do I find that)?

I had hoped entering the url as xxx.xxx.com:4443 would work as in the Windows AnyConnect client.

iamafish
2010-05-27, 12:32
OpenConnect on an Ubuntu box connects fine using simply:

openconnect webvpn.xxx.com:4443

But when I run the same from a root SSH session on the N900 I get

getaddrinfo failed: Name or service not known
Failed to open HTTPS connection to webvpn.xxx.com:4443
Failed to obtain WebVPN cookie

Anybody know why?

iamafish
2010-05-27, 12:39
http://lists.infradead.org/pipermail/openconnect-devel/2010-April/000159.html

Looks like this is a bug not fixed until 2.2, the N900 version here is 2.12...

Any plans to upgrade the version?

lorelei
2010-05-27, 12:58
http://lists.infradead.org/pipermail/openconnect-devel/2010-April/000159.html

Looks like this is a bug not fixed until 2.2, the N900 version here is 2.12...

Any plans to upgrade the version?

Yes, I plan to upgrade OpenConnect in a few weeks, along with bug fixes in the GUI client.

iamafish
2010-05-27, 13:07
Yes, I plan to upgrade OpenConnect in a few weeks, along with bug fixes in the GUI client.

Sounds good, would be great for me to have this work :-)

Thanks!

magnunor
2010-05-27, 14:49
Works perfectly with my university's SSLVPN. Good job :)

One little nitpick:
My university doesn't use DTLS, so OpenConnect uses SSL instead. However, this creates a rather verbose error message which might confuse people.

dekirules
2010-06-02, 14:37
Works perfectly with my university's SSLVPN. Good job :)

One little nitpick:
My university doesn't use DTLS, so OpenConnect uses SSL instead. However, this creates a rather verbose error message which might confuse people.

Thank you mate,

I was confused by the error message that I got... I hadn't even tried to check connectivity... Silly :) Thank you, it works fine...

lorelei
2010-06-02, 14:44
Yes, I will pass to openconnect the required option to not use DTLS, so that the ugly error message will disappear. Unfortunately I cannot proceed differently, since the problem is tied to the OpenSSL library, which is pre-compiled by Nokia...

tirtawn
2010-06-29, 04:54
Yes, I plan to upgrade OpenConnect in a few weeks, along with bug fixes in the GUI client.

Looking forward to this. Is there any plan to include the group ID in the new release?
Since currently I receive the message
GROUP: [XXX|YYYY|ZZZ]: Invalid Inputs
Failed to obtain WebVPN cookir

XXX YYY ZZZ -> real group name

Or does anyone know how to do this from the command line?

gjoe
2010-06-29, 07:12
Looking forward to this. Is there any plan to include the group ID in the new release?
Since currently I receive the message
GROUP: [XXX|YYYY|ZZZ]: Invalid Inputs
Failed to obtain WebVPN cookir

XXX YYY ZZZ -> real group name

Or does anyone know how to do this from the command line?

I also face the same problem, as my company requires "group" for authentication.

Any plan to support the group option in the next update?

xuggs
2010-06-29, 07:49
I wish someone would make a client like this for PPTP VPN.

tirtawn
2010-06-30, 18:47
I also face the same problem, as my company requires "group" for authentication.

Any plan to support the group option in the next update?

Hmm, I managed to find a workaround, a little bit manual though.

1. Install rootsh
2. Go to the terminal
3. sudo gainroot
4. openconnect <servername>
When using this command line interface, the group name is visible and I am able to connect by typing the group name, user ID and password.

The problem is that DNS and routing are not configured yet, so I need to add them manually by creating 2 scripts:
1. company.sh --> for all the routing and DNS
2. normal.sh -> back to the default routing and DNS

For now it's sufficient, since I am able to VPN to my company using this workaround.

gjoe
2010-07-28, 08:24
Hmm, I managed to find a workaround, a little bit manual though.

1. Install rootsh
2. Go to the terminal
3. sudo gainroot
4. openconnect <servername>
When using this command line interface, the group name is visible and I am able to connect by typing the group name, user ID and password.

The problem is that DNS and routing are not configured yet, so I need to add them manually by creating 2 scripts:
1. company.sh --> for all the routing and DNS
2. normal.sh -> back to the default routing and DNS

For now it's sufficient, since I am able to VPN to my company using this workaround.

Thanks. By the way, can you share how to create the scripts for DNS and routing?

tirtawn
2010-07-29, 04:38
Thanks. By the way, can you share how to create the scripts for DNS and routing?

Don't laugh. This is really a quick hack.


You will need to find all the IP addresses that you need to access, for example: 10.80.3.3, 10.80.3.1, 10.80.3.2, etc.

You will also need to know the DNS of your company (you can find it when you connecting using your windows/linux machine)


Example:
company.sh
-----------------------
cd /home/user/company
route add 10.80.3.3 dev tun0
route add 10.80.3.2 dev tun0
route add 10.80.3.1 dev tun0
cp ./resolv.conf.company /etc/resolv.conf


resolv.conf.company
---------------------------------
nameserver 10.80.3.1

resolv.conf.normal
--------------------------
nameserver 127.0.0.1


normal.sh
---------------
cd /home/user/company
route add default gw 192.168.2.1   # change this to your default gw
cp resolv.conf.normal /etc/resolv.conf


Once you are connected using openconnect (put openconnect in the background),

then execute company.sh.

Try MicroB -> you should be able to access the intranet (I will assume you have stored the IP addresses in the routing table above).

When you are done, close openconnect.

Revert back to your normal gateway and DNS.

It's quick and dirty, but it works.


I am sure there is a better way to do this. I am open for suggestion.
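A safer version of the company.sh/normal.sh pair, added here as an example (not tirtawn's scripts): it validates the addresses, backs up the original resolv.conf and restores it on the way down instead of hard-coding nameserver 127.0.0.1, and accepts network prefixes as well as single hosts. It assumes openconnect has already brought up tun0, that it runs as root on the N900, and that DRY_RUN=1 means "print the commands instead of executing them".

```bash
#!/bin/sh
# Added example, not tirtawn's scripts. Assumes tun0 is already up (openconnect
# running in the background) and that this runs as root. DRY_RUN=1 prints the
# commands instead of running them.

set -eu

TUN_DEV="${TUN_DEV:-tun0}"
RESOLV="${RESOLV:-/etc/resolv.conf}"
BACKUP="${BACKUP:-/etc/resolv.conf.pre-vpn}"

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Accept a dotted-quad IPv4 address, optionally with a /prefix (e.g. 10.80.0.0/16).
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
    addr=${1%%/*}
    prefix=${1#*/}
    if [ "$prefix" != "$1" ] && [ "$prefix" -gt 32 ]; then return 1; fi
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Route one target through the tunnel: -net for a prefix, -host otherwise.
add_route() {
    case "$1" in
        */*) run route add -net "$1" dev "$TUN_DEV" ;;
        *)   run route add -host "$1" dev "$TUN_DEV" ;;
    esac
}

del_route() {
    case "$1" in
        */*) run route del -net "$1" dev "$TUN_DEV" ;;
        *)   run route del -host "$1" dev "$TUN_DEV" ;;
    esac
}

# Point the resolver at the VPN's nameserver (printed only in DRY_RUN mode).
write_resolv() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "+ write $RESOLV: nameserver $1"
    else
        printf 'nameserver %s\n' "$1" > "$RESOLV"
    fi
}

# vpn_up DNS_SERVER [TARGET...]: validate everything first, then back up the
# resolver, route the DNS server and each target via tun0, and switch DNS.
vpn_up() {
    dns="$1"; shift
    valid_ipv4 "$dns" || { echo "bad DNS address: $dns" >&2; return 1; }
    for t in "$@"; do
        valid_ipv4 "$t" || { echo "bad route target: $t" >&2; return 1; }
    done
    [ -f "$BACKUP" ] || run cp "$RESOLV" "$BACKUP"
    add_route "$dns"
    for t in "$@"; do add_route "$t"; done
    write_resolv "$dns"
}

# vpn_down DNS_SERVER [TARGET...]: remove the routes and put the original
# resolver back, so the phone's own DNS keeps working once the tunnel is gone.
vpn_down() {
    for t in "$@"; do del_route "$t"; done
    if [ -f "$BACKUP" ]; then run mv "$BACKUP" "$RESOLV"; fi
}

# Usage: vpn-routes.sh up 10.80.3.1 10.80.3.2 10.80.3.3
#        vpn-routes.sh down 10.80.3.1 10.80.3.2 10.80.3.3
case "${1:-}" in
    up)   shift; vpn_up "$@" ;;
    down) shift; vpn_down "$@" ;;
esac
```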

rahulstanley
2010-08-03, 15:39
Hey... I am just a beginner... So can anyone help me with setting this up? I am using OpenConnect GUI to set things up... It asks for a VPN server, username and password... Do I have to register somewhere for all these? Would really appreciate the reply... thanks :)

tirtawn
2010-08-04, 04:13
Hey... I am just a beginner... So can anyone help me with setting this up? I am using OpenConnect GUI to set things up... It asks for a VPN server, username and password... Do I have to register somewhere for all these? Would really appreciate the reply... thanks :)


If your company is using Cisco SSL, then you need OpenConnect. You will know what to do when you run openconnect.

rahulstanley
2010-08-06, 22:15
If your company is using Cisco SSL, then you need OpenConnect. You will know what to do when you run openconnect.

I just wanna use it at home... Can't I do that? Or maybe use some other application...

tirtawn
2010-08-07, 16:13
I just wanna use it at home... Can't I do that? Or maybe use some other application...

Try OpenVPN.

creyes76
2010-08-12, 20:07
Hi there, I'm new to Maemo, and I'm trying to configure the VPN. But when I use the --csd-user option and run the program, it says >> Invalid user <user>.

And when I don't use --csd-user, it says that I should.

At first I was using the GUI, but it was giving me the error about having to use the --csd-user option, so now I'm trying directly from the terminal, since I didn't know how to edit the GUI.

Thanks..

BJSO
2010-08-25, 07:53
Any news on the group function for openconnect?
I badly need it!

Bzzz
2010-10-20, 15:30
Me too... :(

sirpaul
2010-10-22, 10:28
Very good and simple program, BUT there is no group function, so atm the GUI is useless to me.

So please implement that feature!

Isam
2010-10-22, 12:31
Is there any chance of a custom switch field where one can add custom switches that are run by openconnect?

sirpaul
2010-11-04, 20:52
OK, I got it NEARLY working; in xterm enter:
root
openconnect --authgroup=GROUP --user=yourmom@youruni.com --passwd=yourmumspass thesiteyougetviapcthatanyconnectclient.com

But then it's not working; even disabling DTLS via --no-dtls does not work.

Any ideas? :confused:

kaiser_18
2010-12-08, 19:08
Hello everybody,

since I achieved a connection with the network of my University through OpenConnect, I'm experiencing DNS issues with MicroB. I can't establish any kind of connection successfully (WiFi, GPRS, 3G). The N900 connects to the network but I cannot access any web page. It seems that OpenConnect changed something in the code. I tried this solution http://talk.maemo.org/showthread.php?p=891595 but that didn't work. I'd be very thankful for any help.

Cheers

Netweaver
2010-12-09, 14:39
Some more feedback

- on the OpenConnect GUI: when entering both user ID and password and trying to connect to the created profile, it continuously says "no server specified".
Can you include (in the log window) also the complete Openconnect command invocation string to see what might be wrong? Easier in troubleshooting.

As a double check, when using the command line I can make a proper connection so I know my parameters are correct.

As requested before, can you also provide a custom input field for extra switches (as the --no-dtls)?

Which post-connection script is being used by default by the GUI ? I'm using the /etc/vpnc/vpnc-script in my command line string but I only have that file (I guess) because I also installed the vpnc package. Maybe the previous post also has to do with the proper setup (or absence) of the post-connect script?

On the command itself, is it possible to upgrade the version to 2.26? The currently supplied version 2.12 works but is already a year old; if you update the GUI, maybe you can put the most recent version of the main code in as well.

Lots of thanks for the work so far, it opened up my access to the office network without laptop. I don't know if that's always such a great idea though :D

At least it gives me choices now where to do what. And the possibility to do my labour claim straight on my N900, wherever I am, on a Friday noon... yeah! That will save me a few mails from my manager!!

Netweaver
2010-12-09, 15:16
Just noticed something: the upgrade of the OpenConnect command itself can potentially also solve the request of people needing to use the UserGroup feature:

OpenConnect v2.20 — 2010-01-04
* Allow server to be specified with https:// URL, including port and pathname (which Cisco calls 'UserGroup')

From http://www.infradead.org/openconnect.html

Just a thought for a quick fix... :)

sirpaul
2010-12-15, 18:45
Well, good ideas, but lorelei isn't working here anymore (it is a pity: when you've got someone making good software, he stops).
Here is the howto for Linux machines (http://fara.cs.uni-potsdam.de/index.php?page=UniWLAN) (but, as I am from Germany, it is in German).

But back to topic:
We've got a VPN at our uni which is using the AnyConnect client on Win7 and Vista, so I thought OpenConnect should do the job.
But it isn't; so, what am I doing wrong?
Also, taking out the --no-dtls command and/or the no-ipv6 one didn't work.

Nokia-N900:~# openconnect --authgroup=WLAN --user=myuser@uni-potsdam.de --passwd=mypass --disable-ipv6 --verbose --no-dtls wlanvpn.uni-potsdam.de
Attempting to connect to wlanvpn.uni-potsdam.de
SSL negotiation with wlanvpn.uni-potsdam.de
Connected to HTTPS on wlanvpn.uni-potsdam.de
GET wlanvpn.uni-potsdam.de/
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Fri, 05 Nov 2010 06:56:33 GMT
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
SSL negotiation with wlanvpn.uni-potsdam.de
Connected to HTTPS on wlanvpn.uni-potsdam.de
GET wlanvpn.uni-potsdam.de/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
Fixed options give
POST wlanvpn.uni-potsdam.de/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpnlogin=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn=; path=/; secure
Set-Cookie: webvpnc=bu:/CACHE/stc/&p:t&iu:1/&sh:B551FD33CB3F3223E18C427CB8C5B9DE82B374BA&lu:/+CSCOT+/translation-table?textdomain%3DAnyConnect%26type%3Dmanifest; path=/; secure
X-Transcend-Version: 1
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Address: 141.89.47.249
X-CSTP-Netmask: 255.255.255.0
X-CSTP-DNS: 141.89.65.1
X-CSTP-NBNS: 141.89.64.56
X-CSTP-Lease-Duration: 86400
X-CSTP-Session-Timeout: 86400
X-CSTP-Idle-Timeout: 1800
X-CSTP-Disconnected-Timeout: 1800
X-CSTP-Default-Domain: wlan.rz.uni-potsdam.de
X-CSTP-Keep: true
X-CSTP-Homepage: http://www.uni-potsdam.de
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-CSTP-Smartcard-Removal-Disconnect: true
X-DTLS-Session-ID: E5E1DA7A8AAD06099E9C4C45572E182BAB8FCB92A7FA38155E FA506917418A07
X-DTLS-Port: 443
X-DTLS-Keepalive: 20
X-DTLS-DPD: 30
X-CSTP-MTU: 1406
X-DTLS-CipherSuite: AES128-SHA
X-CSTP-Routing-Filtering-Ignore: false
CSTP connected. DPD 30, Keepalive 20
Connected tun0 as 141.89.47.249, using SSL
Did no work; sleeping for 20000 ms...
Send CSTP Keepalive
Did no work; sleeping for 10000 ms...
Send CSTP DPD
Did no work; sleeping for 15000 ms...
Got CSTP DPD response
Did no work; sleeping for 20000 ms...
Send CSTP Keepalive
Did no work; sleeping for 10000 ms...
Send CSTP DPD
Did no work; sleeping for 15000 ms...
Got CSTP DPD response
Did no work; sleeping for 20000 ms...
^CSend BYE packet: Client received SIGINT
Nokia-N900:~#


Thanks for any help!

lorelei
2010-12-15, 19:35
Well, good ideas, but lorelei isn't working here anymore (it is a pity: when you've got someone making good software, he stops).


Well, I'm not completely away...last few months I was more in lurking mode with no time to interact...

Honestly I don't know as of now if I will ever have the time to continue working on openconnect+gui, since I have concentrated more on Erminig (Google calendar sync). There are also other issues that I can't disclose for the moment, which will prevent me from working efficiently on OpenConnect.

-lorelei

sirpaul
2010-12-15, 21:09
Well, I'm not completely away...last few months I was more in lurking mode with no time to interact...

Ah, damn, that wasn't the answer I was hoping for ;)
(but it is good that the Maemo community hasn't lost someone with skills)

It would probably take too much time updating the Maemo version? :o
(yes, of course it would, but there is still a little hope)

lorelei
2010-12-30, 12:49
i am using <spam URL removed> by pure USA vpn ip service this is secure and reliable i recommend this much better.........

Possible, but I don't see the point, since:

1) I don't see any Maemo client
2) How does it solve the problem for those logging on corporate/academic network that have to use their VPN concentrators?

Is this some kind of advertisement for purevpn?

sirpaul
2010-12-30, 15:56
lol, it has to be, just look at the name... what a damn bad try at advertising...

Doesn't look very secure and reliable if advertising in
a) the wrong forum (it's Maemo, *****)
b) forums in general

Netweaver
2011-01-26, 18:16
Can the source for openconnect-gui be shared? I would like to modify it to include the extra fields/options and the full command line as executed in the debug window. I really would like to make this GUI useful for me :)
Thanks

jstokes
2011-01-26, 18:20
@Netweaver
http://repository.maemo.org/extras-devel/pool/fremantle/free/source/o/openconnect-gui/

Netweaver
2011-01-27, 17:22
Thanks. My first attempt is attached (version 0.5-7) :)

Changelog :
openconnect-gui (0.5-7) unstable; urgency=low
* [ENHANCEMENT] added extra field ("free_option") in the profile for the openconnect command invocation, to allow adding new option such as --authgroup=GROUP
* [ENHANCEMENT] add by default the "--no-dtls" option due to bug in Nokia supplied openssl libs
* [BUGFIX] properly escaped the password field to allow all kind of characters

Note that due to the way the arguments are parsed, only one extra option is possible.

This is my first coding effort in Maemo/scratchbox; it's no more than an intelligent cut-paste-change exercise for now. But the end result sure helps me and might help other people as well.

I might try to port the latest version of openconnect (2.2x), apply the same kind of mods/logic as the maemo-fied 2.12 version. But that's something for later :)
Also, for the future, the GUI might need a rewrite in Qt Quick... but that's still a (few) bridge(s) too far; one step at a time is good enough for me :)

I don't have a garage account yet and I've never submitted anything to the autobuilder so that's another hurdle to take.
Also, there's no need for me to fork this piece of work, I rather work together with Lorelei to get my patches into the original garage code.

Please test and see if it does what you want. Open to all suggestions/bug reports/requests.
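An added example, not openconnect-gui's own code, of how a wrapper can build the openconnect invocation from a key=value profile (a constructed layout, not the GUI's real profile file) so that the free_option field may hold several switches, no value goes through shell quoting, and the password is fed on stdin rather than via --passwd= on a command line that every local user can read with ps. It assumes the installed openconnect accepts --passwd-on-stdin (current releases do; check `openconnect --help` on the 2.x port), and it flags the --no-cert-check default proposed later in the thread with a warning.

```bash
#!/bin/sh
# Added example, not openconnect-gui's code. Profile format (constructed):
#   server=vpn.example.org
#   user=alice@example.org
#   authgroup=SSLVPN
#   free_option=--no-dtls --no-cert-check
# Assumes openconnect supports --passwd-on-stdin.

set -eu

# profile_get FILE KEY: print the value of KEY, or nothing if it is absent.
profile_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# build_cmd FILE: print the argv to execute, one element per line, so a GUI
# log window can show exactly what will run. Returns 1 on an invalid profile.
build_cmd() {
    server=$(profile_get "$1" server)
    user=$(profile_get "$1" user)
    group=$(profile_get "$1" authgroup)
    extra=$(profile_get "$1" free_option)
    if [ -z "$server" ]; then
        echo "no server specified" >&2
        return 1
    fi
    # Every value becomes exactly one argv element: no eval, no escaping bugs,
    # and the password is never part of the command line.
    set -- openconnect --passwd-on-stdin
    if [ -n "$user" ]; then set -- "$@" "--user=$user"; fi
    if [ -n "$group" ]; then set -- "$@" "--authgroup=$group"; fi
    # free_option is split on whitespace, so several switches work, not just one.
    for opt in $extra; do
        case "$opt" in
            --passwd=*|--passwd-on-stdin)
                echo "password must not be given via free_option" >&2
                return 1 ;;
            --no-cert-check)
                # Disables server certificate verification, so the tunnel could
                # be terminated by anyone able to intercept the TLS connection.
                echo "warning: --no-cert-check disables certificate verification" >&2 ;;
        esac
        set -- "$@" "$opt"
    done
    set -- "$@" "$server"
    printf '%s\n' "$@"
}

# run_vpn FILE: execute the command, feeding the password from the environment
# variable OPENCONNECT_PASSWORD on stdin (set it from the GUI, not from a file).
run_vpn() {
    set --
    while IFS= read -r arg; do
        set -- "$@" "$arg"
    done <<EOF
$(build_cmd "$1")
EOF
    [ $# -gt 0 ] || return 1
    printf '%s\n' "${OPENCONNECT_PASSWORD:?set OPENCONNECT_PASSWORD}" | "$@"
}
```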

sirpaul
2011-01-27, 20:06
I'll test it tomorrow... Thanks for the work!

Edit: I didn't :o
But it's looking good; now I've set an alert to remind me to test the new stuff :D

Netweaver
2011-01-28, 16:23
Some updates:
I patched and compiled the latest version of openconnect 2.26 and it works!

BUT (there's always a but ...)

I need some help here. I'm still on PR1.2 (lazy, I know) and the SDK is on PR1.3. When I'm building the DEB file, it receives a dependency of libssl >=0.9.8m.

So it doesn't install on mine, as I have version 0.9.8e from PR1.2.
But when looking in detail at my libssl package in FAP, I see there's now a 0.9.8n version available. I upgraded to that one (it also upgraded openssl alongside) and as expected, it now accepts and installs my new openconnect 2.26 DEB.

Can people check if libssl 0.9.8n is indeed the version supplied with PR1.3 ?

First hurdle taken.

Then, when connecting via the openconnect-gui, using the 2.26 version (no other changes), I'm getting a nice error log message about the server certificate not being verifiable due to a missing local issuer certificate, and asking if I want to accept the certificate anyway. Of course, the openconnect-gui doesn't handle this user input situation.

When running openconnect in xterm, I can enter 'yes' and it connects fine to my VPN server, all fine, as planned.

I think I can also override this check when calling the openconnect command, executed by the openconnect-gui, so there is no user issue with this. It might be a bit less safe. But not less safe than when using the current 2.12 solution, as that one doesn't care at all about the server certificate anyway :)
Do people like this proposed (eyes closed) behaviour ?

The very good thing about the new openssl 0.9.8n version is the fact it seems to allow DTLS :) No need for the default option (--no-dtls) anymore. Yes!!
This should allow performance gains in dropped packets environments, like 3G connections :D

Of course further testing should happen, as there were some other strange messages on screen, about a dead peer. The connection is made fine though, data routed through the VPN.
I'll look into that issue if proven troublesome for some.

So if people confirm the version in PR1.3 and the preferred behaviour concerning accepting the server certificate, I can then make the required changes and get a new GUI version out.

For people who want to follow along, here's the latest, working openconnect 2.26 DEB.

Again, all requests/info are welcome. If time permits, I'll work on them :)

PS. I really need to get my stuff in garage now, getting it properly registered and using the autobuilder!
Maybe when I have a version of both packages that people are happy with...

PS2. Maybe I can create my own OpenConnect VPN status applet, such as the one from VPNC :D

sirpaul
2011-01-29, 21:39
Hi, I am using PR1.3 and xterm gives me this
(btw your new version of openconnect installs flawlessly)
Nokia-N900:~# apt-cache showpkg openssl
Package: openssl
Versions:
0.9.8n-1+maemo4+0m5 (/var/lib/apt/lists/downloads.maemo.nokia.com_fremantle_ssu_mr0_._Pack ages) (/var/lib/dpkg/status)
Description Language:
File: /var/lib/apt/lists/downloads.maemo.nokia.com_fremantle_ssu_mr0_._Pack ages
MD5: 977022bc5545601176b69704acc5df9b


Reverse Depends:
ssl-cert,openssl 0.9.8g-9
libval-threads,openssl
libval-threads,openssl
libval-threads,openssl
gsoap,openssl
libnet-ssleay-perl,openssl
libval-threads,openssl
libval-threads,openssl
libval-threads,openssl
openvpn,openssl
openvpn,openssl
mp-fremantle-generic-pr,openssl 0.9.8n-1+maemo4+0m5
libssl0.9.8,openssl 0.9.6-2
maemosec-certman-common-ca,openssl
as-daemon-0,openssl
Dependencies:
0.9.8n-1+maemo4+0m5 - libc6 (2 2.5.0-1) libssl0.9.8 (2 0.9.8m-1) zlib1g (2 1:1.2.1) ca-certificates (0 (null)) ssleay (3 0.9.2b)
Provides:
0.9.8n-1+maemo4+0m5 -

Netweaver
2011-01-29, 22:20
Thanks. That already confirms the version.

On the dtls side, it seems I've been cheering too quickly. It looks as if it's starting in dtls mode (via xterm) but when there's a network glitch, it gets a write error and it reconfigures the vpn link into SSL. So either the openssl in PR1.3 is still (partly) broken in terms of dtls support, or there is something else wrong. Anyhow, my latest gui has the --no-dtls still as a default option so no problem there.

Also, in my latest GUI, to avoid the server certificate check, you can enter --no-cert-check as the free option in the GUI/profile; then everything connects fine, no errors/user input request anymore.
Of course it kills the possibility of specifying the usergroup in there, temporarily.

So if I don't hear objections, I'll create a new GUI, also containing this --no-cert-check option as a default.

Can people also test their connectivity, straight from xterm and via the gui ? Just wondering if the open issues people had improved by my porting of the latest version.

sirpaul
2011-01-31, 14:04
ok, here is my xterm output:
okia-N900:~# openconnect --no-dtls --no-cert-check --user=xxxxxxx@uni-potsdam.de --verbose --authgroup=SSLVPN wlanvpn.uni-potsdam.de
Attempting to connect to 172.16.3.251:443
SSL negotiation with wlanvpn.uni-potsdam.de
Server certificate verify failed: self signed certificate in certificate chain
Connected to HTTPS on wlanvpn.uni-potsdam.de
GET https://wlanvpn.uni-potsdam.de/
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Mon, 31 Jan 2011 13:49:57 GMT
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length: (0)
SSL negotiation with wlanvpn.uni-potsdam.de
Server certificate verify failed: self signed certificate in certificate chain
Connected to HTTPS on wlanvpn.uni-potsdam.de
GET https://wlanvpn.uni-potsdam.de/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=<elided>; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
Fixed options give
Please enter your username and password.
Password:
POST https://wlanvpn.uni-potsdam.de/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpnlogin=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn=<elided>; path=/; secure
Set-Cookie: webvpnc=bu:/CACHE/stc/&p:t&iu:1/&sh:B551FD33CB3F3223E18C427CB8C5B9DE82B374BA&lu:/+CSCOT+/translation-table?textdomain%3DAnyConnect%26type%3Dmanifest; path=/; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Address: 141.89.46.156
X-CSTP-Netmask: 255.255.255.0
X-CSTP-DNS: 141.89.65.1
X-CSTP-NBNS: 141.89.64.56
X-CSTP-Lease-Duration: 86400
X-CSTP-Session-Timeout: 86400
X-CSTP-Idle-Timeout: 1800
X-CSTP-Disconnected-Timeout: 1800
X-CSTP-Default-Domain: uni-potsdam.de
X-CSTP-Split-Exclude: 192.168.0.0/255.255.0.0
X-CSTP-Split-Exclude: 172.16.0.0/255.240.0.0
X-CSTP-Split-Exclude: 10.0.0.0/255.0.0.0
X-CSTP-Keep: true
X-CSTP-Homepage: http://www.uni-potsdam.de
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-CSTP-Smartcard-Removal-Disconnect: true
X-DTLS-Session-ID: 4851F68A3FD4C98655174380154AAA55E329D3AAA7D479477E6DC24791E555C8
X-DTLS-Port: 443
X-DTLS-Keepalive: 20
X-DTLS-DPD: 30
X-CSTP-MTU: 1406
X-DTLS-CipherSuite: AES128-SHA
X-CSTP-Routing-Filtering-Ignore: false
CSTP connected. DPD 30, Keepalive 20
Connected tun0 as 141.89.46.156, using SSL
No --script argument provided; DNS and routing are not configured
No work to do; sleeping for 20000 ms...
Send CSTP Keepalive
No work to do; sleeping for 10000 ms...
Send

Another problem is that I cannot enter my password; I have to open a new xterm and copy the password from there.

via the gui it wasn't possible, because i need the group feature (authgroup), so it stopped at selfsigned cert or the wrong group.

nevertheless thanks for continuing the work on openconnect!

Netweaver
2011-01-31, 21:35
Hi Sirpaul,
I think you're pretty close, at least on the commandline. For the gui version I need to make a change in the code. I'll try to do that asap.

You forgot to include the script, as the openconnect program wants to tell you:
No --script argument provided; DNS and routing are not configured

This was probably your problem already with the previous version 2.12, if I recall well. At least now I know (a bit) where to look :D

This is a -technically- working commandline for me, you only need to add the proper Authgroup parameter and you'll be good to go, all on one line of course ... :

openconnect --script=/usr/share/openconnect/vpnc-script --user=jacksparrow@ilovemaemo.com --passwd=blablabla --background --syslog --no-deflate --no-cert-check vpn.ilovemaemo.com

The "--background --syslog --no-deflate" part is optional for me. For you, just add the authgroup=abc and replace the proper variables and you're fine. You were just missing the reference to the script (borrowed from the vpnc package) which sets up all default routes etc ...

I'll start changing the gui code now, maybe by tomorrow I'll have a more flexible way of entering default (cross-profile) parameters. brrr, it's getting a bit more real now :)

What's the issue with the entering of the password in the 2.26 version ? My password (all kind of chars) is accepted fine, in gui and straight in xterm?

The maemo version of Openconnect (already as of 2.12) has a feature NOT found in the official openconnect version: the possibility to add the password straight on the command prompt. That's how the gui works ...

sirpaul
2011-02-01, 11:55
OMG it is working!!!!!
Never thought it was ever going to happen...
THANKS! You've made my month!
(lol, did not even think that I was that close...)

I just added the passwd option, it worked pretty well.
Connectivity works fine, but I have only been using it for some minutes.
(atm I am using my uni's VPN!).

EDIT
I've tested more and it still works well.
I had one problem when the connection was a bit strange, but a reboot did it; besides that, I haven't spotted any errors.

Netweaver
2011-02-05, 23:58
Thanks. I have uploaded the openconnect and openconnect-gui into extras-devel. This is my first upload, the building went fine. I'm not an experienced Debian package maintainer so bear with me when things might not be 100% according to the book.

The gui package uploaded in the repository differs from the .DEB as I already posted in this thread only in the 2nd default parameter, the one to disable server cert verification. The openconnect package itself is the same as the .DEB included by me in this thread.

'Normal' people should get an upgrade notice in FAP, early adopters who installed already the thread versions, might have to do a --reinstall (or remove & install) to get the latest repository versions.

Please let me know how things are going.

The "real" flexible way of entering 'random' cross-profile params will take a bit longer. That's why I released this quick fix for the gui. It will be enough (I think) for at least 80% of all N900 openconnect users :)

sirpaul
2011-02-13, 19:45
The gui is now working flawlessly for me, after entering the authgroup parameter.

BUT I had an issue that after several times connecting to wlan + connecting to the vpn via gui, openconnect was not starting via gui nor via xterm; a reboot solved it for the moment, but I don't know how to reproduce it. (but that's something I can live with) ;)

Netweaver
2011-02-13, 20:11
mmmm, a bit lost on the possible reason for the non-starting openconnect. I haven't seen this odd behaviour yet.

When it happens, can you provide me here a full log from the xterm, using the --verbose parameter as well?
I can then have a look (positive thinking) if I can see something weird.

If not, I might have to take it upstream, to the openconnect devs, for further investigation.

Thanks for testing and glad you like it so far. With all the storms around Nokia/Microsoft/Meego now, we can only try to make our N900 as good as possible and prolong its life, as I don't think there's a real alternative yet :)

sirpaul
2011-04-19, 11:05
Hi, it is me again.
openconnect was working fine for me (for months!), but then I closed the gui and after a restart my internet was gone; there was no internet (connecting went fine) neither via wlan / vpn nor 3g.
So I reflashed and restored my settings, which led to that error again.

Now, after a new flash without restoring settings, openconnect gives the dead peer error you wrote about above (which is really strange because I haven't seen that error before).

So I cannot connect to the internet via the vpn. Is there a workaround to get internet? btw thanks for your great work!

here is my log with verbose:
Nokia-N900:~# openconnect --script=/usr/share/openconnect/vpnc-script --user=user@uni-potsdam.de --no-dtls --authgroup=WLAN --verbose wlanvpn.uni-potsdam.de
Attempting to connect to wlanvpn.uni-potsdam.de
SSL negotiation with wlanvpn.uni-potsdam.de
Connected to HTTPS on wlanvpn.uni-potsdam.de
GET wlanvpn.uni-potsdam.de/
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Tue, 19 Apr 2011 07:36:05 GMT
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
SSL negotiation with wlanvpn.uni-potsdam.de
Connected to HTTPS on wlanvpn.uni-potsdam.de
GET wlanvpn.uni-potsdam.de/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
Fixed options give
Please enter your username and password.
Password:
POST wlanvpn.uni-potsdam.de/+webvpn+/index.html

Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpnlogin=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn=
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Address: 141.89.47.48
X-CSTP-Netmask: 255.255.255.0
X-CSTP-DNS: 141.89.65.1
X-CSTP-NBNS: 141.89.64.56
X-CSTP-Lease-Duration: 86400
X-CSTP-Session-Timeout: 86400
X-CSTP-Idle-Timeout: 1800
X-CSTP-Disconnected-Timeout: 1800
X-CSTP-Default-Domain: wlan.rz.uni-potsdam.de
X-CSTP-Keep: true
X-CSTP-Homepage: http://www.uni-potsdam.de
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-CSTP-Smartcard-Removal-Disconnect: true
X-DTLS-Session-ID: 644B1FD152298979A2D7593714C76
X-DTLS-Port: 443
X-DTLS-Keepalive: 20
X-DTLS-DPD: 30
X-CSTP-MTU: 1406
X-DTLS-CipherSuite: AES128-SHA
X-CSTP-Routing-Filtering-Ignore: false
CSTP connected. DPD 30, Keepalive 20
Connected tun0 as 141.89.47.48, using SSL
Did no work; sleeping for 19000 ms...
Send CSTP Keepalive
Did no work; sleeping for 10000 ms...
Send CSTP DPD
Did no work; sleeping for 15000 ms...
Sending uncompressed data packet of 58 bytes
Did no work; sleeping for 7000 ms...
Sending uncompressed data packet of 58 bytes
Did no work; sleeping for 2000 ms...
Send CSTP DPD
Did no work; sleeping for 15000 ms...
Sending uncompressed data packet of 81 bytes
Did no work; sleeping for 12000 ms...
Sending uncompressed data packet of 81 bytes
Did no work; sleeping for 7000 ms...
Sending uncompressed data packet of 576 bytes
Did no work; sleeping for 4000 ms...
Sending uncompressed data packet of 58 bytes
Did no work; sleeping for 2000 ms...
Send CSTP DPD
Did no work; sleeping for 15000 ms...
CSTP Dead Peer Detection detected dead peer!

sirpaul
2011-04-19, 17:44
Damn!
Internet's broken again!
First my config: newly flashed device, pr1.3 with Titan's Kernel.
Programs installed: rootsh; openconnect and the belonging gui.

First I tried the version the repositories gave me (gui was without free option and openconnect itself 2.12). Gave me the message above (previous post).
The actual versions of the gui (the one missing the --no-cert-check option) and openconnect gave me the same result.

And now my internet is completely messed up. So I cannot enter any websites, even xterm fails to ping anything. And openconnect as well.

The only thing I did was trying to get internet access via vpn and from time to time shut the vpn connection down by closing xterm and connecting to 3g.

And now I cannot even use wifi nor 2g / 3g to get internet access. (although it connects pretty fine, I am not getting any data)

any help appreciated!

Netweaver
2011-04-26, 14:16
funny this happens to you after a reflash to PR1.3. I also had to flash last week Mon, as I was on a Frankenstein PR1.2 - PR1.3 - CSSU - custom mix and I had a problem with the Qt libs and PySafe. Funny enough only that one :D

Anyway, after a clean reflash and restore (reinstall all applications, incl. OpenConnect), I again can use PySafe and I can still use the VPN via OpenConnect.

I took the repository versions, as I wanted to stay as close to the repositories as possible, for now, to ease the pain when having to re-flash.

But all works fine. Apart from some HTTPS authentication issues in a java application AFTER the vpn connects but that must be an IBM/SSL/JVM thing as it started happening way before my reflash.

I did notice before that the OpenConnect process was quite unhappy and sometimes killing network access when not properly closed. Requiring a reboot. After a few times up/down it also became more unstable. I was a light user myself, as it was merely an emergency access, when there was no laptop around.

In terms of routing, I also always wanted to connect to the Internet OUTSIDE the vpn, as it was a lot faster. But I can see the need to go through the VPN when being in a restrictive country (e.g. China or other politically restricted countries).

I'm on the bench since today, so I can devote some time to it, before I find a new project somewhere. I'll have to fix my SB development environment though as I messed it up big time trying to get an environment capable of compiling Chromium ... :(

To be Continued.

hawaii
2011-04-26, 14:23
Damn!
Internet's broken again!
First my config: newly flashed device, pr1.3 with Titan's Kernel.
Programs installed: rootsh; openconnect and the belonging gui.

First I tried the version the repositories gave me (gui was without free option and openconnect itself 2.12). Gave me the message above (previous post).
The actual versions of the gui (the one missing the --no-cert-check option) and openconnect gave me the same result.

And now my internet is completely messed up. So I cannot enter any websites, even xterm fails to ping anything. And openconnect as well.

The only thing I did was trying to get internet access via vpn and from time to time shut the vpn connection down by closing xterm and connecting to 3g.

And now I cannot even use wifi nor 2g / 3g to get internet access. (although it connects pretty fine, I am not getting any data)

any help appreciated!

Check /etc/resolv.conf for proper entries. Oftentimes this file isn't updated when connecting or disconnecting to/from the tunnel node and is left with internal hosts.
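
A small resolver check in the spirit of hawaii's suggestion, added here as an example and not code from any post or from the OpenConnect project. It is written in Python (an assumption; the device has no such script), and the two resolv.conf texts are constructed samples: the nameserver and domain values are the ones the concentrator pushes in the X-CSTP-DNS and X-CSTP-Default-Domain headers of the logs earlier in this thread, and 127.0.0.1 is Maemo's local resolver. The function names are hypothetical.

```python
# Constructed sample: what /etc/resolv.conf can look like after a tunnel went
# down without its script's "down" branch restoring the original file.
STALE_RESOLV_CONF = """\
# written while the tunnel was up (constructed sample)
search uni-potsdam.de
nameserver 141.89.65.1
"""

# Constructed sample of the device's own resolver entry.
HEALTHY_RESOLV_CONF = "nameserver 127.0.0.1\n"

# Values the concentrator pushed in the X-CSTP-DNS / X-CSTP-Default-Domain
# headers quoted in the verbose logs above.
TUNNEL_DNS = {"141.89.65.1"}
TUNNEL_DOMAINS = {"uni-potsdam.de", "wlan.rz.uni-potsdam.de"}


def parse_resolv_conf(text):
    """Minimal resolv.conf parser: returns nameservers and search/domain
    entries in file order, ignoring '#' and ';' comments and blank lines."""
    nameservers, domains = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *values = line.split()
        if key == "nameserver" and values:
            nameservers.append(values[0])
        elif key in ("search", "domain"):
            domains.extend(values)
    return {"nameserver": nameservers, "search": domains}


def leftover_tunnel_entries(text, tunnel_dns, tunnel_domains):
    """Entries that belong to the VPN and should be gone once it is down."""
    cfg = parse_resolv_conf(text)
    return {
        "nameserver": [ns for ns in cfg["nameserver"] if ns in tunnel_dns],
        "search": [d for d in cfg["search"] if d in tunnel_domains],
    }


def resolver_looks_healthy(text, tunnel_dns, tunnel_domains):
    """True when at least one nameserver is configured and none of the
    entries point into the (now unreachable) tunnel."""
    cfg = parse_resolv_conf(text)
    left = leftover_tunnel_entries(text, tunnel_dns, tunnel_domains)
    return bool(cfg["nameserver"]) and not left["nameserver"] and not left["search"]


if __name__ == "__main__":
    for name, text in (("stale", STALE_RESOLV_CONF), ("healthy", HEALTHY_RESOLV_CONF)):
        print(name, resolver_looks_healthy(text, TUNNEL_DNS, TUNNEL_DOMAINS),
              leftover_tunnel_entries(text, TUNNEL_DNS, TUNNEL_DOMAINS))
```

To run it against the device, read /etc/resolv.conf into `text` instead of the constructed samples; the tunnel values come from the X-CSTP headers in a --verbose run.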

sirpaul
2011-04-26, 18:35
@ hawaii
Thanks for the idea; I got (of course, now I have got no problems in connecting):
nameserver 127.0.0.1
(opened via vi)

@ Netweaver
wonderful, it would be good if you could investigate that error. :)

And I checked today: got the same error with openconnect (2.25 from squeeze repo I think) and Easy Debian running on my phone; so it may be a problem related to my uni's vpn and not openconnect?

flocke000
2011-05-04, 07:45
I get exactly the same error with my uni's (Uni Magdeburg) vpn.
I will try the same version of openconnect on my laptop today to see if it is a problem of the vpn.

flocke000
2011-05-04, 12:01
Ok, I get the same error on my notebook with all versions of openconnect I tested; it must be a problem of the vpn.

sirpaul
2011-05-04, 16:21
thx for trying it; did you try openconnect 3.x as well?
How long have you been having that error? Because my openconnect stopped working a few weeks past semester start.

I'll write my "zeik" today :D

Netweaver
2011-05-04, 16:31
good luck with talking to your uni VPN admins ... My IBM access VPN using OpenConnect still works fine. Touch wood...

And I'm back on a project, not a lot of bench time was granted this time. I guess I should be grateful for my utilization...

flocke000
2011-05-09, 12:59
I tested the newest version (3.02) and the one from the extras repo (2.26) on my laptop. The error was the same for the two versions.

sirpaul
2011-05-10, 18:31
strange...
Of course, my admin was convinced that the error should be on my side.
But what are we doing wrong?
I was doing the same things as every time.

So why should an error always repeat on different machines AND different networks and still be related to that machine?
And if it is a problem connected to openconnect (even the newest version), why aren't there more threads about dead peer detection?

@flocke000 do you get internet access before the dead peer is detected?

Netweaver
2011-05-10, 18:48
My IBM VPN access via OpenConnect still works fine, even after reflashing, installing power47 and CSSU. I wished I could replicate your behaviour but I can't ... all is still fine with connecting and tunneling :(

Maybe register here and ask the question, after all they are the real developers behind OpenConnect :
http://lists.infradead.org/mailman/listinfo/openconnect-devel

dwmw2
2011-05-11, 21:48
CSTP Dead Peer Detection detected dead peer!

It would be so much more useful if we could have this conversation on the openconnect-devel mailing list.

The 'dead peer' message above means that the server did not respond to our 'ping'. The HTTPS connection to the server seems to have stopped working. When this happens, openconnect should *reconnect* to the server. Does it not?

Can you run tcpdump (filtered for port 443 on the vpn server) and show the traffic while this happens? And show the output of '/sbin/route -n' while you ought to be connected. Please don't post them here; send mail to the openconnect-devel@lists.infradead.org list.

dwmw2
2011-05-11, 22:01
DTLS seems to be working here...


Nokia-N900:~# echo $COOKIE | /usr/bin/openconnect --cookie-on-stdin --script /usr/share/openconnect/vpnc-script --servercert 2C1104B703504606AB12813AFC315438B94F85BB $SERVER -v
Attempting to connect to x.x.x.x:443
SSL negotiation with x.x.x.x
Connected to HTTPS on x.x.x.x
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Address: 10.255.12.105
X-CSTP-Netmask: 255.255.252.0
X-CSTP-DNS: 10.248.2.1
X-CSTP-DNS: 10.19.1.12
X-CSTP-Lease-Duration: 172800
X-CSTP-Session-Timeout: 172800
X-CSTP-Idle-Timeout: 43200
X-CSTP-Disconnected-Timeout: 43200
X-CSTP-Split-Exclude: 0.0.0.0/255.255.255.255
X-CSTP-Keep: true
X-CSTP-Rekey-Time: 86400
X-CSTP-Rekey-Method: new-tunnel
X-CSTP-DPD: 30
X-CSTP-Keepalive: 15
X-CSTP-MSIE-Proxy-Lockdown: true
X-CSTP-Smartcard-Removal-Disconnect: true
X-CSTP-Content-Encoding: deflate
X-DTLS-Session-ID: 3BABE19A744F1298EFCFF084CC7268333C27FBA5C1727D56BE1D550C42F1C9E7
X-DTLS-Port: 443
X-DTLS-Keepalive: 15
X-DTLS-DPD: 30
X-DTLS-Rekey-Time: 86400
X-CSTP-MTU: 1266
X-DTLS-CipherSuite: AES128-SHA
X-CSTP-Routing-Filtering-Ignore: false
CSTP connected. DPD 30, Keepalive 15
DTLS option X-DTLS-Session-ID : 3BABE19A744F1298EFCFF084CC7268333C27FBA5C1727D56BE1D550C42F1C9E7
DTLS option X-DTLS-Port : 443
DTLS option X-DTLS-Keepalive : 15
DTLS option X-DTLS-DPD : 30
DTLS option X-DTLS-Rekey-Time : 86400
DTLS option X-DTLS-CipherSuite : AES128-SHA
DTLS connected. DPD 30, Keepalive 15
Connected tun0 as 10.255.12.105, using SSL + deflate
No work to do; sleeping for 14000 ms...
No work to do; sleeping for 14000 ms...
Established DTLS connection
No work to do; sleeping for 14000 ms...
Sent DTLS packet of 64 bytes; SSL_write() returned 65
No work to do; sleeping for 2000 ms...
Received DTLS packet 0x00 of 131 bytes
No work to do; sleeping for 2000 ms...
Sent DTLS packet of 83 bytes; SSL_write() returned 84
...


I object to using the --no-cert-check option; please don't do that. Instead, use the --servercert option to tell OpenConnect what the server's cert fingerprint *should* be. Then it doesn't need to validate it against the full CA trust chain.

Also, you shouldn't need to patch OpenConnect to accept a password on the command line. You can already just 'echo $PASSWORD | openconnect --passwd-on-stdin', and then the password doesn't sit around visible in ps(1) for the entire lifetime of the VPN session.

In fact, though, you shouldn't be giving the username/group/password/etc to OpenConnect at all. If you look at the command line above, that's basically what we should be doing. The *GUI* can handle the authentication, then all it needs to give openconnect is the server's address and cert, and the cookie.
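
The invocation pattern dwmw2 recommends, written out as an added example (not code from the thread, the Maemo GUI, or the OpenConnect project). Python is an assumption for what a front-end would be written in; `build_openconnect_argv`, `legacy_argv`, `run_with_secret_on_stdin` and the other names are hypothetical. The fingerprint form is assumed to be the SHA-1 digest of the DER-encoded server certificate, which matches the 40-hex-digit value dwmw2 passes to --servercert above; `b"abc"` stands in for real certificate bytes, and the echo child stands in for openconnect so the stdin path can be exercised without a server.

```python
import hashlib
import subprocess
import sys


def server_cert_fingerprint(cert_der: bytes) -> str:
    """Upper-case SHA-1 hex fingerprint of a DER certificate, the value to
    pin with --servercert instead of disabling verification (assumed form)."""
    return hashlib.sha1(cert_der).hexdigest().upper()


def build_openconnect_argv(server: str, fingerprint: str,
                           script: str = "/usr/share/openconnect/vpnc-script") -> list:
    """Argument vector for the tunnel process, following dwmw2's pattern:
    only the server, its pinned fingerprint and the routing script appear
    on the command line.  The session cookie (or, with --passwd-on-stdin,
    the password) travels over stdin and never shows up in ps(1)."""
    return ["openconnect", "--cookie-on-stdin", "--script", script,
            "--servercert", fingerprint, server]


def legacy_argv(server: str, user: str, password: str) -> list:
    """The pattern used earlier in this thread (password in --passwd=, cert
    check disabled): the secret stays readable in the process list for the
    whole session and the server's identity is never checked."""
    return ["openconnect", "--user=" + user, "--passwd=" + password,
            "--no-cert-check", server]


def argv_exposes_secret(argv: list, secret: str) -> bool:
    """True if the secret would be visible to anyone who can list processes."""
    return any(secret in arg for arg in argv)


def run_with_secret_on_stdin(argv: list, secret: str) -> str:
    """Start argv and hand it the secret as one line on stdin, which is what
    --cookie-on-stdin / --passwd-on-stdin read; returns the child's stdout.
    subprocess.run(input=...) writes to the pipe and closes it."""
    completed = subprocess.run(argv, input=secret + "\n", capture_output=True,
                               text=True, check=True)
    return completed.stdout


# Stand-in child that echoes its stdin, so the pattern runs without a VPN
# server; in real use argv comes from build_openconnect_argv().
ECHO_STDIN_ARGV = [sys.executable, "-c",
                   "import sys; sys.stdout.write(sys.stdin.read())"]


if __name__ == "__main__":
    fp = server_cert_fingerprint(b"abc")          # placeholder DER bytes
    argv = build_openconnect_argv("vpn.example.org", fp)
    print("pinned argv:", " ".join(argv))
    print("cookie visible in argv:", argv_exposes_secret(argv, "COOKIE-VALUE"))
    print("password visible in legacy argv:",
          argv_exposes_secret(legacy_argv("vpn.example.org", "alice", "pw123"), "pw123"))
    print("child received:", run_with_secret_on_stdin(ECHO_STDIN_ARGV, "COOKIE-VALUE").strip())
```

In a GUI the authentication step that produces the cookie happens in the front-end, and only `run_with_secret_on_stdin(build_openconnect_argv(...), cookie)` is needed to bring the tunnel up; the fingerprint is recorded once per server profile, so a changed certificate is noticed rather than silently accepted.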

sirpaul
2011-05-14, 09:17
The problem is solved!

First of all give dwmw2 a big thanks! for the solution.

The problem was that the routing wasn't configured properly because iproute was missing:

According to dwmw2, iproute should be in extras-testing, so steps 1-3 will not be needed!

1. Enable the Kluenter-Repo on your device (via Standard AppMan):
Catalog name: kluenter
Web Address: http://maemo.kluenter.de/packages
Distribution: fremantle
Components: main

2. Wait till the updating is done and close AppMan.

3. You may need to restart (or wait?) your device if 4. does not work (e.g. something is "locked")

4. Via xterm enter:
root
and then
apt-get install iproute

5. Openconnect now works fine!

dwmw2
2011-05-14, 23:03
I think iproute is in extras-testing too?

The issue is a bug in vpnc-script. It assumes that after the VPN is set up, the route to the VPN server should be via the same gateway as your old default route. But in your case, the VPN server is actually *on* your local subnet, not the other side of the gateway.

When it's using iproute, it gets it right, but the old version using /sbin/route has this bug. If someone wants to fix it *properly*, that would be appreciated...
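
The routing decision dwmw2 describes, and the one sirpaul's iproute fix above works around, as an added example; it is not vpnc-script's code and not from any post. Python and the function names are assumptions. The server address 172.16.3.251 is the one in sirpaul's log; the WLAN subnet 172.16.0.0/20, gateway 172.16.0.1 and the remote address 203.0.113.5 are constructed.

```python
import ipaddress


def vpn_server_route(server_ip, iface, iface_network, default_gateway):
    """Host route that keeps the VPN server's real address reachable once the
    tunnel takes over the default route.  If the server sits inside the
    interface's own subnet it must be routed on-link (dev only); only a
    server beyond the subnet goes via the old default gateway."""
    server = ipaddress.ip_address(server_ip)
    net = ipaddress.ip_network(iface_network, strict=False)
    gw = ipaddress.ip_address(default_gateway)
    if gw not in net:
        raise ValueError(f"default gateway {gw} is not on {net}")
    if server in net:
        return {"dst": f"{server}/32", "dev": iface, "via": None}
    return {"dst": f"{server}/32", "dev": iface, "via": str(gw)}


def legacy_vpn_server_route(server_ip, iface, default_gateway):
    """The decision dwmw2 attributes to the /sbin/route code path: always
    send the server route through the old default gateway, whether or not
    the server is actually behind it."""
    return {"dst": f"{ipaddress.ip_address(server_ip)}/32", "dev": iface,
            "via": str(ipaddress.ip_address(default_gateway))}


def as_ip_route_command(route):
    """Render a route as an `ip route add` line (hypothetical wrapper)."""
    if route["via"] is None:
        return f"ip route add {route['dst']} dev {route['dev']}"
    return f"ip route add {route['dst']} via {route['via']} dev {route['dev']}"


def routes_agree(server_ip, iface, iface_network, default_gateway):
    """Whether the legacy decision yields the correct route for this setup."""
    return (legacy_vpn_server_route(server_ip, iface, default_gateway)
            == vpn_server_route(server_ip, iface, iface_network, default_gateway))


if __name__ == "__main__":
    # Concentrator on the phone's own WLAN subnet: legacy route is wrong.
    for server in ("172.16.3.251", "203.0.113.5"):
        good = vpn_server_route(server, "wlan0", "172.16.0.0/20", "172.16.0.1")
        bad = legacy_vpn_server_route(server, "wlan0", "172.16.0.1")
        print(server, "correct:", as_ip_route_command(good))
        print(server, "legacy: ", as_ip_route_command(bad),
              "(ok)" if good == bad else "(wrong: server is on-link)")
```

The on-link check is the whole fix: a `/32` towards a neighbour must name only the device, and sending it via the gateway is exactly the case in which the keepalives stop being answered and DPD declares the peer dead.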

jvesiluoma
2011-10-24, 06:19
Hmm, does anyone have any idea what to do next? I tried openconnect from extras-testing and from extras-devel. Both give me same kind of output (below, IP-address changed). I think the reason is "Server certificate verify failed: unable to get local issuer certificate", but I don't really know what to do now. I tried to google, but didn't find anything useful for my problem. Something to do with certs, but how to fix it?

So this is when I try with openconnect 2.26 from my N900, when I use openconnect 3.13 from home, it works ok. Anyone know if there is openconnect 3.13 compiled for N900?



openconnect --authgroup=anyconnect --user=testuser vpntest.testaddr.com:443 --verbose --disable-ipv6 --script=/etc/vpnc/vpnc-script
Attempting to connect to 12.123.12.123:443
SSL negotiation with vpntest.testaddr.com
Server certificate verify failed: unable to get local issuer certificate

Certificate from VPN server "vpntest.testaddr.com" failed verification.
Reason: unable to get local issuer certificate
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on vpntest.testaddr.com
GET https://vpntest.testaddr.com/
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Mon, 24 Oct 2011 06:19:34 GMT
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length: (0)
SSL negotiation with vpntest.testaddr.com
Server certificate verify failed: unable to get local issuer certificate
Connected to HTTPS on vpntest.testaddr.com
GET https://vpntest.testaddr.com/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=<elided>; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
Fixed options give
Please enter your username and password.
Username:testuser
Password:
POST https://vpntest.testaddr.com/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=<elided>; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
Fixed options give
Please enter your username and password.
Username:testuser
Password:
POST https://vpntest.testaddr.com/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=<elided>; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
Fixed options give
Please enter your username and password.
Username:

jvesiluoma
2011-10-25, 07:00
Okay...this is a pretty dirty hack, but working.

This is somewhat off topic, sorry for that, but just in case someone needs the information... I managed to get openconnect working by finding a binary of openconnect 3.12 compiled for some embedded ARM device and then I just made the following links:


ln -s /usr/lib/libssl.so.0.9.8 /usr/lib/libssl.so.1.0.0
ln -s /usr/lib/libcrypto.so.0.9.8 /usr/lib/libcrypto.so.1.0.0
ln -s /usr/lib/libz.so.1 /usr/lib/libz.so


and now I have a working VPN connection from N900 to my office.

mweiss38
2011-11-01, 16:43
How difficult would it be to get openconnect running on Harmattan?
I would love to see it running on the N9, but I am new to Maemo/Meego development, and I cannot really estimate how much knowledge and work it would need.


Thanks, mweiss38