OPNsense Forum

English Forums => General Discussion => Topic started by: cliffwilliams44 on December 06, 2023, 02:23:00 AM

Title: Setting up OpenConnect
Post by: cliffwilliams44 on December 06, 2023, 02:23:00 AM
I read several articles on this but I must be missing something, I can't get this to work.

Destination is a Cisco Anyconnect VPN.

I configure the VPN with my username and password, it connects and I get my 2fa push prompt.

I do see DTLS handshake failed: 2 in the logs.
Title: Re: Setting up OpenConnect
Post by: cliffwilliams44 on December 07, 2023, 07:21:54 PM
OK, I can get this working now. The handshake error doesn't prevent traffic from working.
I have an outbound NAT from {my LAN subnet}/24 to {my corp subnet}/8 and it works. I can ping hosts inside my corporate network from a host inside my LAN subnet.

Now the problem: if I reboot OPNsense, openconnect starts, I get a push notification for 2FA, it seems to connect and then I see this in the logs:


2023-12-07T13:06:45 Notice kernel <6>ocvpn0: link state changed to DOWN


Log onto the console and issue this command:

root@OPNsense:~ # /usr/local/etc/rc.d/opnsense-openconnect status
openconnect is not running.


If I start it manually:

root@OPNsense:~ # /usr/local/etc/rc.d/opnsense-openconnect start
starting openconnect
DTLS handshake failed: 2
ifconfig: interface tun30000 does not exist
ocvpn0


Now it works:

cwilliams-local@mgmntwkst:~$ ping -c3 10.46.128.254
PING 10.46.128.254 (10.46.128.254) 56(84) bytes of data.
64 bytes from 10.46.128.254: icmp_seq=1 ttl=61 time=84.0 ms
64 bytes from 10.46.128.254: icmp_seq=2 ttl=61 time=82.3 ms
64 bytes from 10.46.128.254: icmp_seq=3 ttl=61 time=86.6 ms

--- 10.46.128.254 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 82.280/84.282/86.590/1.772 ms


Why is this not starting properly on startup? I don't see anything in the logs that would point out what the problem is.
Title: Re: Setting up OpenConnect
Post by: cliffwilliams44 on December 08, 2023, 05:33:03 PM
OK apparently this plugin is not widely used or supported.
Opened an issue on GitHub about this.

Something kills OpenConnect in the boot process. I suspect it is somehow intentional because if you select 11) Restart all services from the console menu the system will hang after OpenConnect starts.

Would be nice if it could just be set to manual startup.

At this time it works but rather in an annoying way.

Power on OPNsense, OpenConnect starts, get Duo push notification for 2FA, system comes up but OpenConnect is stopped.
Go into System->Diagnostics->Services and start OpenConnect, get Duo push notification AGAIN and all is working.

I can live with it!
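The two posts above describe the same failure mode: after boot the plugin's rc script reports "openconnect is not running" and ocvpn0 is gone, and a manual start (which costs a second 2FA push) brings it back. The following is an added example of a small watchdog, not code from the OPNsense project or the plugin. It assumes the rc script path and the "start"/"status" subcommands shown in the thread, that a FreeBSD ifconfig line for a healthy tunnel carries the UP and RUNNING flags, and a stamp file path and cooldown of my own choosing; the "is running as pid" status text used in the demo is constructed, only "is not running" appears on the page. The cooldown matters because every restart triggers a Duo push, so a naive loop would flood the user with prompts.

```shell
#!/bin/sh
# Hypothetical watchdog for the OPNsense OpenConnect plugin (added example).
# Decision logic is kept in pure functions so it can be exercised offline;
# only watchdog() touches the real system.

OC_RC=/usr/local/etc/rc.d/opnsense-openconnect   # rc script shown in the thread
OC_IF=ocvpn0                                      # tunnel interface shown in the thread
STAMP=/var/run/ocvpn-watchdog.stamp               # assumed: holds epoch of last restart
COOLDOWN=600                                      # assumed: seconds between restarts

# tunnel_state STATUS_TEXT IFCONFIG_TEXT -> prints stopped | down | up
#   stopped : rc script says "openconnect is not running"
#   down    : service running but interface missing or without UP/RUNNING flags
#   up      : interface present with UP and RUNNING flags (assumed healthy)
tunnel_state() {
    status_text=$1
    ifconfig_text=$2
    case $status_text in
        *"is not running"*) echo stopped; return 0 ;;
    esac
    case $ifconfig_text in
        *"does not exist"*) echo down; return 0 ;;
    esac
    # FreeBSD ifconfig first line, e.g.
    #   ocvpn0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1406
    case $ifconfig_text in
        *"<UP,"*RUNNING*) echo up ;;
        *)                echo down ;;
    esac
}

# restart_allowed NOW LAST -> exit 0 if at least COOLDOWN seconds have elapsed
restart_allowed() {
    [ $(( $1 - $2 )) -ge "$COOLDOWN" ]
}

# watchdog: meant to be run from cron on OPNsense. Starts the service only when
# it is fully stopped (the case observed in the thread); a running service with
# a down interface is logged but left alone to avoid extra 2FA pushes.
watchdog() {
    status=$("$OC_RC" status 2>&1)
    ifc=$(ifconfig "$OC_IF" 2>&1)
    state=$(tunnel_state "$status" "$ifc")
    now=$(date +%s)
    last=0
    [ -r "$STAMP" ] && last=$(cat "$STAMP")
    case $state in
        up) return 0 ;;
        down)
            logger -t ocvpn-watchdog "service running but $OC_IF is down; not restarting"
            return 0 ;;
    esac
    if restart_allowed "$now" "$last"; then
        logger -t ocvpn-watchdog "openconnect stopped, starting it (expect a 2FA push)"
        "$OC_RC" start 2>&1 | logger -t ocvpn-watchdog
        echo "$now" > "$STAMP"
    else
        logger -t ocvpn-watchdog "openconnect stopped, but within cooldown; not starting"
    fi
}

# demo: runs the decision logic on constructed inputs (no system access).
demo() {
    tunnel_state 'openconnect is not running.' \
                 'ifconfig: interface ocvpn0 does not exist'
    tunnel_state 'openconnect is running as pid 1234.' \
                 'ocvpn0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1406'
    tunnel_state 'openconnect is running as pid 1234.' \
                 'ocvpn0: flags=8050<POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1406'
}

if [ "${1:-}" = run ]; then
    watchdog
else
    demo
fi
```

Run it as `sh ocvpn-watchdog.sh run` from cron every few minutes; without the `run` argument it only prints the demo states (stopped, up, down). The "down" branch is deliberately passive: the thread only shows the stopped case being fixed by a start, and restarting a half-up tunnel automatically would re-prompt Duo on every pass.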
Title: Re: Setting up OpenConnect
Post by: _tribal_ on January 17, 2024, 12:36:23 AM
Oh, same problem - after restart, openconnect does not start :'(
I thought I'd misconfigured something. ::)