This repository has been archived by the owner on Jan 25, 2021. It is now read-only.

Connecting via NetworkManager uses gateway IP address instead of hostname. #4

Closed
beanaroo opened this issue Dec 12, 2017 · 6 comments

@beanaroo

Hi, first of all, thank you so much for providing us with the ability to connect to Global Protect VPNs natively.

Using the CLI works like a charm. I've built this plugin and installed it (after having to move some files around. Might open a separate issue).

Connection fails with SSL verification. I presume this is because when using the GUI:

POST https://99.88.77.66/ssl-vpn/getconfig.esp
Connected to 99.88.77.66:443
SSL negotiation with 99.88.77.66
...

Whereas using the CLI:

POST https://vpn.mydomain.com/ssl-vpn/getconfig.esp
Connected to 99.88.77.66:443
SSL negotiation with vpn.mydomain.com
...

I'm not sure if this is the right place to file the problem. I'm happy to move it to the appropriate issue tracker.
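The hostname check the first post is reasoning about, as an added example that is not code from the openconnect project or the plugin: it decides whether a connection target such as `vpn.mydomain.com` or `99.88.77.66` is covered by a certificate's Subject Alternative Names (RFC 6125-style matching), with a constructed SAN list standing in for the real server certificate.

```python
import ipaddress

# Constructed sample SAN list; the issue's real server certificate is not shown.
VPN_CERT_SANS = [("DNS", "vpn.mydomain.com"), ("DNS", "*.mydomain.com")]


def _dns_match(pattern, host):
    """Match a DNS SAN against a hostname. A wildcard is only allowed as the
    entire left-most label, and it must not cover a bare public suffix."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or len(h_labels) < 3:
        return False  # "*.mydomain.com" covers one label only, never "*.com"
    return p_labels[1:] == h_labels[1:]


def cert_matches(sans, target):
    """Return True if the connection target is covered by the certificate.
    An IP literal can only be satisfied by an 'IP Address' SAN; a DNS SAN
    never matches an address, which is why dialling by IP fails verification
    against a certificate issued for a hostname."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None:
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and _dns_match(value, target):
            return True
    return False


if __name__ == "__main__":
    # Mirrors the two connection targets seen in the issue's logs.
    for target in ("vpn.mydomain.com", "99.88.77.66"):
        verdict = "verified" if cert_matches(VPN_CERT_SANS, target) else "hostname mismatch"
        print(f"{target} -> {verdict}")
```

Note that a name mismatch is a different failure from the "signer not found" message in the later log, which reports that the certificate's issuing CA is not in the trust store; the two checks are independent.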

@beanaroo
Author

beanaroo commented Dec 12, 2017

hmmm.... I'm not sure if my initial assumption is correct.

POST https://99.88.77.66/ssl-vpn/getconfig.esp
Connected to 99.88.77.66:443
SSL negotiation with 99.88.77.66
Server certificate verify failed: signer not found
Connected to HTTPS on 99.88.77.66
No MTU received. Calculated 1410
POST https://99.88.77.66/ssl-vpn/hipreportcheck.esp
Missing or invalid required input parameters

For CLI:

$ openconnect --protocol=gp vpn.mydomain.com -u 'DOMAIN\User.Name'
POST https://vpn.mydomain.com/ssl-vpn/login.esp
Connected to 99.88.77.66:443
SSL negotiation with vpn.mydomain.com
Connected to HTTPS on vpn.mydomain.com
GlobalProtect login returned authentication-source=vpn_auth_safenet
POST https://vpn.mydomain.com/ssl-vpn/getconfig.esp
No MTU received. Calculated 1410
POST https://vpn.mydomain.com/ssl-vpn/hipreportcheck.esp
Error: Server asked us to submit HIP report with md5sum 2a2dfb9206bea23c91252229b38f779f.
You need to provide a --csd-wrapper argument with the HIP report submission script.
Connected as 99.88.77.11, using SSL
ESP session established with server

@dlenski
Owner

dlenski commented Dec 12, 2017

I've built this plugin and installed it (after having to move some files around. Might open a separate issue).

You may be the "first guinea pig", the first person besides me to actually build it successfully. 👍

I'm not 100% sure what's going on here, but it appears that the GUI client isn't handling the HIP report submission correctly. It must not be invoking it in the same way as the CLI client. I added the HIP report support very recently to the CLI (dlenski/openconnect@e4ef149), and I hadn't yet tested it with the NM GUI.

It appears that your GP VPN doesn't actually require submission of the HIP report, because you're saying that the VPN connectivity works fine even though the server is telling you to submit the report:

POST https://vpn.mydomain.com/ssl-vpn/hipreportcheck.esp
Error: Server asked us to submit HIP report with md5sum 2a2dfb9206bea23c91252229b38f779f.
You need to provide a --csd-wrapper argument with the HIP report submission script.

You may want to try building openconnect+libopenconnect from the most recent commit before I merged the HIP check and submission: dlenski/openconnect@89b4f41

Does it work if you use that earlier build of liboc? If so, then I need to go dive in and figure out what's different about the GUI's invocation of the HIP report check.

@dlenski
Owner

dlenski commented Dec 18, 2017

I figured out the problem: the NM GUI does authentication and connection in separate phases, and my HIP report support wasn't taking this into account correctly.

This should be fixed with dlenski/openconnect@f9c36b4. Please rebuild liboc from there, and it should work. (Does for me…)

@beanaroo
Author

This is wonderful news! Sorry I couldn't respond sooner. I'll be able to confirm functionality first thing in the morning. Thank you for looking into it!

@dlenski
Owner

dlenski commented Dec 19, 2017

@beanaroo I'm sorry but I discovered another issue with the tap-dance of authentication, connection, and HIP report submission that means it probably won't work as-is.

Try rebuilding this package with the latest commit (ab8ddf0), but I doubt this will actually be accepted by the OpenConnect bigwigs as-is… so I'll have to discuss how to solve this with them.

@beanaroo
Author

Hi @dlenski, I'm excited to hear the project is now included in openconnect. 🎉

I'd like to close this issue if that's okay; I am unable to reproduce the initial report. :)

Repository owner locked and limited conversation to collaborators Jan 24, 2021