Saturday 6 September 2014

Ubuntu 14.04 - openconnect VPN and network manager

Openconnect VPN

After having reinstalled my thinkpad with Ubuntu 14.04, I noted that I could not connect to the VPN of one of my clients via the GUI. The VPN authentication dialog simply did not pop up after clicking the VPN profile on the network manager indicator/applet. No error was displayed, and there was no useful information in syslog. The only line I could correlate with connection attempts looked like the one cited below. Note that this line in itself does not indicate any error; it is present during normal operation as well. The point here is that no other lines related to VPN were displayed at all.

Aug 31 14:43:43 gluon NetworkManager[997]: <info> VPN service 'openconnect' disappeared

The VPN itself is Cisco AnyConnect, and connecting to it via the command line using openconnect worked fine. I use password-based authentication in tandem with a hardware token generator; no client certificate is involved in this configuration. All required packages are installed, and if I create another VPN profile in network manager with an invalid gateway URL, then I do get the authentication dialog displaying an error.

As this used to work properly on Ubuntu 12.10, I googled for regressions and found forum threads and this and another bug report but they have not helped to resolve my case.

To make a long story short, I found where network manager persists connection profiles, and when checking the VPN connection profile in question, I found it contained invalid file paths to certificates, which typically seem to be the result of handling the 'None' option in the wrong way.


sudo grep cert "/etc/NetworkManager/system-connections/${VPN_PROFILE_NAME}"
usercert=/home/tibi/(null)
cacert=/home/tibi/(null)
authtype=cert
# simply delete the lines with invalid path
# and optionally set authtype=password, but actually it does not matter.

The malfunction seems to be the result of using the built-in import/export functionality. The exported connection profile simply contains (null) for the certificates if password-based authentication is used; during import, however, this value is simply appended to the user's home directory.


[openconnect]
Description=****
Host=vpn.****.hu
CACert=(null)
Proxy=
CSDEnable=0
CSDWrapper=
UserCertificate=(null)
PrivateKey=(null)
FSID=0
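
An added example, not part of the original post: a small shell script that lists every profile line whose value is a path ending in (null) and writes a cleaned copy without those lines. The function names and the sample profile are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Detects and strips the bogus
# "<home>/(null)" paths that the import leaves in a NetworkManager profile.

# Any key whose value is a path ending in the literal string "(null)".
NULL_PATH_RE='^[A-Za-z0-9_-]+=.*/\(null\)$'

# Print offending lines as "file:key=value" for every profile in a directory.
find_null_paths() {
    dir=${1:-/etc/NetworkManager/system-connections}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # A profile without matches is fine, so ignore grep's exit status 1.
        grep -H -E "$NULL_PATH_RE" "$f" || :
    done
}

# Write a copy of profile $1 to $2 without the offending lines.
# The copy is created with mode 600 because profiles can hold secrets.
clean_profile() {
    src=$1
    dst=$2
    ( umask 077 && grep -v -E "$NULL_PATH_RE" "$src" > "$dst" )
}

# Run both functions against a constructed sample profile in a temp directory.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' '[vpn]' 'gateway=vpn.example.invalid' \
        'usercert=/home/user/(null)' 'cacert=/home/user/(null)' \
        'authtype=cert' > "$tmp/sample-vpn"
    echo "Offending lines:"
    find_null_paths "$tmp"
    clean_profile "$tmp/sample-vpn" "$tmp/sample-vpn.clean"
    echo "Cleaned profile:"
    cat "$tmp/sample-vpn.clean"
    rm -rf "$tmp"
}

demo
```

NetworkManager ignores profile files that are not owned by root with mode 600, so copy the cleaned file back into place with those permissions.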

Anyway, I would have expected better visual feedback or error logging.
