This repository has been archived by the owner on Feb 1, 2024. It is now read-only.

Add GlobalProtect protocol #158

Closed
Haldamir82 opened this issue Feb 6, 2017 · 35 comments
@Haldamir82

Haldamir82 commented Feb 6, 2017

Hi, thanks for your work.
It would be great if this could be added to openconnect.
There's already a working project: https://github.com/dlenski/openconnect (It works in Linux)
Thanks.

@Haldamir82 changed the title from "Add GlobalProtect protcol" to "Add GlobalProtect protocol" on Feb 6, 2017
@horar
Member

horar commented Feb 6, 2017

Hi @Haldamir82, thanks for your request.
It will be great to add the next protocol. We just have to be careful; we don't want to break existing functionality...

At this time, the GUI app is linked against the upstream 'openconnect' project from the original author/repo. So, at first, you should trigger a request to merge the new protocol functionality made by @dlenski into the original upstream openconnect, and then we can start working on implementing this into openconnect-gui.

(I will add this feature to the "unlikely to be added..." milestone, but if something changes or someone wants to contribute to this, we are open to discussing this topic :-) )

@dlenski

dlenski commented Feb 6, 2017

Hi @horar, there is already some support for other protocols in the official releases of OpenConnect (Juniper Network Connect, --protocol=nc) as of v7.05 or so.

However, @dwmw2 requested I add the following, in order to support GUI wrappers and other users of OpenConnect: http://lists.infradead.org/pipermail/openconnect-devel/2016-December/004106.html

> However, I think I do need to lumber you with an additional hurdle
> before we merge your new protocol after 7.08 — let's add a new API to
> check whether libopenconnect supports a given protocol, or to enumerate
> the protocols it supports. Currently it's just a hard-coded "if it's
> 7.05 or newer, it supports Juniper too", and I don't think we want that
> to continue. Let's do something explicit instead, and things like
> NetworkManager-openconnect can base their decisions on that.

I've contributed a set of patches to add this to the API (see http://lists.infradead.org/pipermail/openconnect-devel/2017-January/004163.html), but it hasn't yet been merged upstream.

If/when this is merged upstream, it should be straightforward to get a list of the supported protocols and their features using openconnect_get_supported_protocols().

@horar horar removed this from the Unlikely to be added features milestone Feb 7, 2017
@horar
Member

horar commented Feb 7, 2017

Good, I was afraid this feature would stay forked :-)

@dlenski

dlenski commented Apr 26, 2017

@horar, this might be a bit premature, because it hasn't yet been approved for the official OpenConnect release, but I thought you might like the heads-up...

I've added support to network-manager-openconnect for the new API to enumerate the supported protocols. This commit for the Linux Gnome GUI shows how it's done:
dlenski/network-manager-openconnect@ad424f2

Basically, you use openconnect_get_supported_protocols to list the protocols, and provide a dropdown to select the appropriate one 😁

Screenshot

@izauddin

Hi,

Any timeline for when we can see GlobalProtect support in Network Manager / OpenConnect? Managed to successfully connect to my company VPN using Dan's openconnect with the gp protocol. But it is a hassle to manage a few VPN connections without a single interface.

@horar
Member

horar commented Nov 20, 2017

Hi @izauddin, this project is just about a Qt GUI app based on David's openconnect library/tool.

Maybe, @dlenski, do you have more info about the actual status? I see some of your work was already accepted into the upstream project. If you think the project is ready, I can try to integrate it into this GUI app. And I can make a drop of test packages after the new year (January/February?).

@horar horar self-assigned this Jan 15, 2018
@hjaltioj

I would be the happiest man on earth if openconnect-nm gets the GlobalConnect protocol, now my company changes vpn from cisco to palo alto :)

@dlenski

dlenski commented Jan 24, 2018

@horar wrote:

> Maybe, @dlenski, do you have more info about the actual status? I see some of your work was already accepted into the upstream project. If you think the project is ready, I can try to integrate it into this GUI app. And I can make a drop of test packages after the new year (January/February?).

Here's a rough summary:

  • The (very simple) API for enumerating the supported protocols was merged upstream in 40802e4.
  • None of the GlobalProtect-specific code has been merged (yet) into the official master. However, I've been pretty careful to ensure that GlobalProtect-specific code in my mainline-integration gpst branch is compatible with the official API in all respects. The GlobalProtect code handles authentication forms using the same API, calls the vpnc-script for routing setup using the same API, etc. etc. In other words, if you do openconnect_set_protocol(vpninfo, "gp") in the front end, everything that Just Works™ with AnyConnect/Juniper should Just Work™ for globalprotect too.
  • I've already tested the integration with the NetworkManager GUI under Linux in my network-manager-openconnect and the patch for using the get_supported_protocols API has been merged upstream as well.

So if you want to test building openconnect-gui with my gpst branch, I think GlobalProtect should work smoothly with no further effort on your part… and if it doesn't, I'll make it a priority to resolve any new issues that you run into.

@hjaltioj

Is there any news on globalprotect protocol?

@horar
Member

horar commented Feb 12, 2018

Yep, it's in the plan. I will try to put it together with this GUI after the 1.5.3 release.

@horar horar added this to the v1.5.3 milestone Feb 15, 2018
@horar
Member

horar commented Feb 21, 2018

After a quick look: there is no problem integrating it into the GUI on macOS; it may work. But Windows, i.e. mingw, is not supported. Some work is required on porting the network stuff to the mingw system (winsock2 etc.) ... reported here: dlenski/openconnect#90

@horar horar removed this from the v1.5.3 milestone Feb 21, 2018
@dlenski

dlenski commented Feb 22, 2018

@horar, good point. The problem reported with Windows build looks to be a relatively simple one with choosing the correct header files for the IP/ICMP structures.

I hope the reporter can figure it out fairly quickly.

@dnlglsn

dnlglsn commented Mar 1, 2018

I would also like to say that I would love to get the GlobalProtect VPN support in the GUI. My company uses GP and I am writing a tutorial on getting connected to their network on Linux. It looks much better to install via apt-get instead of from a forked repo, and is easier for the general user to use a GUI instead of the command line to connect.

I really like the work you've done so far, so keep it up! I hope things can get fixed and merged upstream quickly so more users can use these great tools.

@dlenski

dlenski commented Mar 31, 2018

We now have at least one report of a successful Windows build where everything is fully-functional, including ESP. (See this comment and follow-ups by @bhank on dlenski/openconnect#90.) I made a couple subsequent tweaks to allow it to compile cleanly based on @bhank's feedback.

@horar, anything else that I should do to ease the integration of GP support into openconnect-gui?

@horar
Member

horar commented Apr 9, 2018

thanks, just compiled on msys@mingw; I will try to continue with work on GUI in next days and come back with some test version...

@horar horar added this to the v1.6.0 milestone Apr 15, 2018
@horar horar closed this as completed in 327fbc1 Apr 15, 2018
@horar
Member

horar commented Apr 15, 2018

Just a note - you need an openconnect library with GP-protocol support (i.e. openconnect snapshot build or next release v7.08+)

@dlenski

dlenski commented Apr 15, 2018

Hooray!

Could you tell me which commit you are building off of? Did you need to make any additional patches?

I should have mentioned this sooner, but my gpst-squash branch is the cleaned-up version for mainline integration, whereas the default globalprotect branch is the sloppy one with individual messy commits for every little change.

@horar
Member

horar commented Apr 15, 2018

By default, the GUI project is building against the last released version of openconnect (v7.08). But it's possible to cheat the build scripts.... (ehm, not yet well documented... it's on my todo list).

I see, there is some progress, discussion in mailing list, but for now I made few days ago a build against your globalprotect-win32 build (hash: e401991f).

All my demo packages (openconnect 32/64 + gui 64) are located here: http://bit.ly/2D7QEi2

I don't have access to a GP server. If you can try it, please let me know if something more is needed in the GUI, thanks. When I have to move to another branch, please let me know...

@jmichler

Hi Horar,
I just tried your build, openconnect --version:
OpenConnect version v7.08-270-ge401991f
Using GnuTLS. Features present: PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp

Let me first explain my results while testing on linux (latest git "master" from dlenski on ubuntu 17.10): There I can access some target-hosts only after passing --csd-wrapper=hipreport.sh. Aside from that it is working great.

On Windows I see:

  • in the UI I cannot select "global protect" as the protocol (well "so what" for now)
  • In the command-line I run:
    openconnect.exe --protocol=gp --user=XXXX --script=vpnc-script.js vpn.XXXXX
    I have the following problems:
    -- There seem to be DTLS errors "Set up DTLS failed; using SSL instead": On my linux-vm dtls is working. So it is for a second VPN server on Cisco Anyconnect using the same openconnect client on windows. But that shouldn't be so bad
    -- Then I have after some seconds after the vpnc-connect-script went through:
    GPST Dead Peer Detection detected dead peer!
    => Which then initiates a re-connect
    -- Finally I don't seem to have a way to pass --csd-wrapper on windows? Furthermore there is no hipreport.js or so?

I'll be happy to share more details privately, but since the VPN server is not mine I cannot paste logs here
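
Added example (not part of the thread and not OpenConnect project code): a POSIX shell check that reads the `Supported protocols:` line of the `openconnect --version` banner quoted in the comment above, so a wrapper passes `--protocol=gp` only to a build that lists it instead of guessing from the version number. The function names and the second banner without a protocol list are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: the --version banner quoted in the comment above.
SAMPLE_BANNER='OpenConnect version v7.08-270-ge401991f
Using GnuTLS. Features present: PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp'

# Constructed sample: a banner with no protocol list (assumed shape of an older build).
OLD_BANNER='OpenConnect version vX.YZ (constructed)
Using GnuTLS. Features present: PKCS#11, DTLS'

# Read a banner on stdin; print one protocol name per line.
# Prints nothing when there is no "Supported protocols:" line.
oc_list_protocols() {
    sed -n 's/^Supported protocols:[[:space:]]*//p' |
        tr ',' '\n' |
        sed -e 's/([^)]*)//g' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# Read a banner on stdin; print the protocol tagged "(default)", if any.
oc_default_protocol() {
    sed -n 's/^Supported protocols:[[:space:]]*//p' |
        tr ',' '\n' |
        sed -n 's/^[[:space:]]*\([^[:space:](]*\)[[:space:]]*(default).*$/\1/p'
}

# oc_supports BANNER PROTO: succeed only on an exact, whole-name match,
# so "g" or "gp2" never passes because "gp" is listed.
oc_supports() {
    printf '%s\n' "$1" | oc_list_protocols | grep -qxF -e "$2"
}

# oc_protocol_arg BANNER PROTO: print the --protocol option for a listed
# protocol; otherwise fail closed with a message on stderr.
oc_protocol_arg() {
    if oc_supports "$1" "$2"; then
        printf '%s\n' "--protocol=$2"
    else
        printf '%s\n' "openconnect build does not list protocol '$2'" >&2
        return 1
    fi
}

# Demo on the constructed banners. Against an installed client, use:
#   oc_protocol_arg "$(openconnect --version)" gp
oc_protocol_arg "$SAMPLE_BANNER" gp
oc_protocol_arg "$OLD_BANNER" gp || true
```
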

@horar
Member

horar commented Apr 15, 2018

Hi @jmichler , thank you for updates

  1. UI - I'm sorry, my fault; just re-uploaded correct GUI package (u should see v1.5.3-14 in About-dlg)
  2. about DTLS errors; @dlenski could look at it; thanks (I should link other branch from your openconnect?)
  3. I'm not aware about csd-wrapper script support for openconnect project on windows then no UI support :/

@jmichler

Hi,
regarding 3: I'm currently not referring to the UI but to the command-line. The linux version has that parameter and as far as I'm seeing this in the global-protect case this is not a binary but just a way to produce a small XML file that is then uploaded. So that makes sense under windows as well and should be possible to add, shouldn't it?

@horar
Member

horar commented Apr 15, 2018

@jmichler, yes, yes, that's clear to me. Short answer - this project is about the GUI; can't help you. Long answer: OpenConnect project development is on the mentioned site. You can check the discussion in that mailing list or ask for support there. Building and bundling openconnect.exe into the GUI installer is just added value that may help us identify the source of issues.

@dlenski

dlenski commented Apr 15, 2018

@jmichler: as @horar says, there is no support whatsoever for running CSD/TNCC/HIP scripts on Windows in any version of openconnect currently.

Please report issues with the underlying GP protocol support over at dlenski/openconnect.

> I see, there is some progress, discussion in mailing list, but for now I made few days ago a build against your globalprotect-win32 build (hash: e401991f).

I just merged the globalprotect-win32 branch into the main globalprotect branch (main development and bug-squashing line), so hopefully Windows users can build successfully from that!

@horar
Member

horar commented Apr 15, 2018

@dlenski yes, it's compiling in mingw@msys2 environment.

I upload packages here, hash: de11cab4. Testers can use them or install gui v1.5.3-14 and just replace openconnect stuff in installed folder (pls. check about-dlg in GUI).

@horar horar modified the milestones: v1.6.0, v1.5.4 Apr 30, 2018
@blastagator

@horar - when using your compilation with GP support, after connecting the software crashes on Win10. Tried 32 and 64 bit versions, no immediately evident error in the logs.

@horar
Member

horar commented Jun 5, 2018

@blastagator thanks for the update; this binary build is a little bit old. I will try to assemble a fresh build from the actual source code for the upcoming release on the weekend...

@patchon

patchon commented Sep 8, 2018

Hi Dan,

Again, let me start off by saying how great this project is. Truly fantastic how we got this open-source client working with the proprietary Palo Alto GlobalProtect VPN. I've been running this now ever since dlenski/openconnect#25 got merged. Never had a single problem with it.

> The (very simple) API for enumerating the supported protocols was merged upstream in 40802e4.

Awesome!

> None of the GlobalProtect-specific code has been merged (yet) into the official master. However, I've been pretty careful to ensure that GlobalProtect-specific code in my mainline-integration gpst branch is compatible with the official API in all respects. The GlobalProtect code handles authentication forms using the same API, calls the vpnc-script for routing setup using the same API, etc. etc. In other words, if you do openconnect_set_protocol(vpninfo, "gp") in the front end, everything that Just Works™ with AnyConnect/Juniper should Just Work™ for globalprotect too.

Is there a timeline on this (is there anything blocking this merge from happening)? Because this, again, would be really, really neat.

> I've already tested the integration with the NetworkManager GUI under Linux in my network-manager-openconnect and the patch for using the get_supported_protocols API has been merged upstream as well.

I've been testing this integration, since running Fedora 27, and it works exactly as one would expect. Is there anything stopping the NetworkManager team (or whoever is responsible for the NetworkManager-openconnect packaging) from merging this as well (can I help with something here? I've been patching this manually in Fedora 27, 28 and today actually 29 - so I can confirm it works as expected 😄)?

Again, landing the global protect support upstream as well as the enumeration of supported protocols in the networkmanager-openconnect package would be truly, truly awesome. No need for any manual compiling / patching etc.

I will say it once more, this work is truly fantastic and this is exactly why I love working with open source.
Kudos 🏆

@dlenski

dlenski commented Sep 11, 2018

Thanks, @patchon! Did you mean to post this on dlenski/openconnect?

> Is there a timeline on this (is there anything blocking this merge from happening)? Because this, again, would be really, really neat.

GlobalProtect support was merged upstream a couple months ago… but no 8.0 release has been made yet. I suspect that @dwmw2 is waiting for me to stop sending him a trickle of further patches/tweaks, as well as not looking forward to the torrent of downstream bugs that might come up with a new release.

I'd guess that the NetworkManager folks and @horar here at openconnect-gui are all waiting for the OpenConnect 8.0 release in order to release their own builds with multi-proto support. (By the way, I also incorporated multi-proto support into the Android port over at dlenski/ics-openconnect… works great 😎)

@patchon

patchon commented Sep 24, 2018

> Thanks, @patchon! Did you mean to post this on dlenski/openconnect?

Hehe, well maybe I should have - I just posted it here since it had to do with the gui =)

> GlobalProtect support was merged upstream a couple months ago… but no 8.0 release has been made yet. I suspect that @dwmw2 is waiting for me to stop sending him a trickle of further patches/tweaks, as well as not looking forward to the torrent of downstream bugs that might come up with a new release.

Ah cool, I didn't know (maybe I should have checked more thoroughly).

> I'd guess that the NetworkManager folks and @horar here at openconnect-gui are all waiting for the OpenConnect 8.0 release in order to release their own builds with multi-proto support.

Gotcha !

> (By the way, I also incorporated multi-proto support into the Android port over at dlenski/ics-openconnect… works great )

Hehe, well I wish I could have said the same. Just tried it and it "forced closed" just after connect. Not sure if you (or who gets the logs) got my logs. Not sure about what kind of data is sent here and / if I want to send them ?

@horar
Member

horar commented Oct 21, 2018

@patchon if you'd like to test the latest head version of the gui with the latest openconnect, then you can try the snapshot build from the start of September (v1.5.3-52-devel)

@blastagator

I also continue to get the force close just after connect (using GP protocol). This is on the latest snapshot.

@semitkin

semitkin commented Nov 9, 2018

Tested v1.5.3-54-devel downloaded from here - it still crashes after entering username and password on Win10.

Thank you for working on it!

@dropsonic

Still doesn't work on Android.

@sergiopatino

Is there a MacOS test release available?

@horar
Member

horar commented Apr 25, 2019

@dropsonic hey, android version is out of this repo; please notify relevant maintainer
@sergiopatino just now, there are no macOS snapshots, you can build it from source code...

horar added a commit that referenced this issue May 10, 2019
…esolve #158)

Signed-off-by: Ľubomír Carik <Lubomir.Carik@gmail.com>