Palo Alto Networks GlobalProtect: "Trojan (CSD) Wrapper Script" not working
Problem description
CSD wrapper is ignored when connecting using NetworkManager. When using the CLI openconnect client, the CSD wrapper script works correctly.
Steps to reproduce
- set the path to the CSD script inside the field "Trojan (CSD) Wrapper Script" of the VPN configuration
- establish a new VPN connection
Expected result
When the connection is established, openconnect should send the HIP report using the specified script.
Actual result
After the connection is established, no HIP report is sent to the gateway.
This is confirmed by the openconnect logs in the journal:
journalctl -u NetworkManager --since "1 hour ago"
ago 05 14:54:25 myhostname NetworkManager[1490]: <info> [1596632065.9913] audit: op="connection-activate" uuid="35098365-e069-4ca2-8905-4fb2455eefda" name="GlobalProtect" pid=61989 uid=1000 result="success"
ago 05 14:54:25 myhostname NetworkManager[1490]: <info> [1596632065.9938] vpn-connection[0x5636046e0370,35098365-e069-4ca2-8905-4fb2455eefda,"PAYBACK GlobalProtect",0]: Started the VPN service, PID 63052
ago 05 14:54:26 myhostname NetworkManager[1490]: <info> [1596632066.0033] vpn-connection[0x5636046e0370,35098365-e069-4ca2-8905-4fb2455eefda,"PAYBACK GlobalProtect",0]: Saw the service appear; activating connection
ago 05 14:54:51 myhostname NetworkManager[1490]: <info> [1596632091.1142] vpn-connection[0x5636046e0370,35098365-e069-4ca2-8905-4fb2455eefda,"PAYBACK GlobalProtect",0]: VPN connection: (ConnectInteractive) reply received
ago 05 14:54:51 myhostname NetworkManager[1490]: <info> [1596632091.1184] vpn-connection[0x5636046e0370,35098365-e069-4ca2-8905-4fb2455eefda,"PAYBACK GlobalProtect",0]: VPN plugin: state changed: starting (3)
ago 05 14:54:51 myhostname openconnect[63108]: POST https://82.0.0.4/ssl-vpn/getconfig.esp
ago 05 14:54:51 myhostname openconnect[63108]: Connected to 82.0.0.4:443
ago 05 14:54:51 myhostname openconnect[63108]: SSL negotiation with 82.0.0.4
ago 05 14:54:51 myhostname openconnect[63108]: Server certificate verify failed: signer not found
ago 05 14:54:51 myhostname openconnect[63108]: Connected to HTTPS on 82.0.0.4 with ciphersuite (TLS1.2)-(RSA)-(AES-256-GCM)
ago 05 14:54:51 myhostname openconnect[63108]: Session will expire after 1440 minutes.
ago 05 14:54:51 myhostname openconnect[63108]: Tunnel timeout (rekey interval) is 180 minutes.
ago 05 14:54:51 myhostname openconnect[63108]: Idle timeout is 180 minutes.
ago 05 14:54:51 myhostname openconnect[63108]: No MTU received. Calculated 1422 for ESP tunnel
ago 05 14:54:51 myhostname openconnect[63108]: POST https://82.0.0.4/ssl-vpn/hipreportcheck.esp
ago 05 14:54:51 myhostname openconnect[63108]: WARNING: Server asked us to submit HIP report with md5sum aa0c268f5f3d8ae3be064c8c670e4c5b.
VPN connectivity may be disabled or limited without HIP report submission.
You need to provide a --csd-wrapper argument with the HIP report submission script.
ago 05 14:54:51 myhostname openconnect[63108]: Connected as 10.0.0.78, using SSL, with ESP in progress
ago 05 14:54:51 myhostname openconnect[63108]: SIOCSIFMTU: Operation not permitted
Additional info
Toggling "Allow security scanner trojan (CSD)" does not seem to make any difference
The CLI openconnect client works fine (the HIP reports are sent correctly):
sudo openconnect --protocol=gp --usergroup gateway domain.com -u rleinardi --certificate /etc/pki/mycerts/lpnb3705.pem --csd-wrapper=/home/rleinardi/scripts/hipreport.sh --dump-http-traffic
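A way to tell whether NetworkManager ever invokes the configured wrapper at all (as opposed to invoking it and discarding its output) is to point the "Trojan (CSD) Wrapper Script" field at a small diagnostic wrapper that records each invocation and then delegates to the real HIP report script. The script below is an added example for that purpose; it is not part of this report, openconnect, or NetworkManager-openconnect. It assumes the real script lives at /home/rleinardi/scripts/hipreport.sh (the path from the CLI command above) and that openconnect's GlobalProtect support passes the wrapper `--cookie`, `--client-ip` and `--md5` as separate arguments and reads the HIP report from the wrapper's stdout, which is how the hipreport.sh shipped with openconnect is written to be called; the HIP_REAL_SCRIPT and HIP_DEBUG_LOG variable names and the log path /tmp/hip-wrapper.log are placeholders chosen for this example. The cookie is a session credential, so only its length is logged. `check_report` looks for the `<md5-sum>` element that openconnect's bundled hipreport.sh emits; verify that element name against the hipreport.sh of your own openconnect version.

```sh
#!/bin/sh
# Diagnostic CSD/HIP wrapper (added example, not from the report or from
# openconnect). Point the "Trojan (CSD) Wrapper Script" field at this file.
# It appends one line per invocation to a log, then execs the real script so
# the HIP report still reaches the gateway. The log path must be writable by
# whichever user NetworkManager runs openconnect as (assumption: check this
# on your system; /tmp is used here only as a placeholder).

REAL_SCRIPT="${HIP_REAL_SCRIPT:-/home/rleinardi/scripts/hipreport.sh}"
LOG="${HIP_DEBUG_LOG:-/tmp/hip-wrapper.log}"

# Turn the argument list openconnect passes (--cookie V --client-ip V --md5 V,
# plus any newer options) into a single log line. The cookie value itself is
# never written out, only its length.
summarize_args() {
    client_ip="" md5="" cookie_len=0 extra=""
    while [ $# -gt 0 ]; do
        case "$1" in
            --cookie)    shift; cookie_len=${#1} ;;
            --client-ip) shift; client_ip="$1" ;;
            --md5)       shift; md5="$1" ;;
            *)           extra="$extra $1" ;;
        esac
        shift
    done
    printf 'pid=%s uid=%s client_ip=%s md5=%s cookie_len=%s other=%s\n' \
        "$$" "$(id -u)" "$client_ip" "$md5" "$cookie_len" "${extra# }"
}

# Returns 0 when the report text ($2) carries the md5 the gateway asked for
# ($1) in the <md5-sum> element, 1 otherwise. Useful for checking a captured
# report against the "Server asked us to submit HIP report with md5sum ..."
# line in the journal.
check_report() {
    case "$2" in
        *"<md5-sum>$1</md5-sum>"*) return 0 ;;
        *) return 1 ;;
    esac
}

main_wrapper() {
    summarize_args "$@" >> "$LOG"
    # Delegate; the real script's stdout is the HIP report openconnect submits.
    exec "$REAL_SCRIPT" "$@"
}

# openconnect always passes arguments; with none, only define the functions.
if [ $# -gt 0 ]; then
    main_wrapper "$@"
fi
```

If /tmp/hip-wrapper.log stays empty after a NetworkManager connection but fills up when the CLI command above is run, the wrapper is not being invoked by the NetworkManager path at all; if it fills up in both cases, the script runs and the problem is in what happens to its output.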
Operating system and openconnect version
openconnect version:
openconnect --version
OpenConnect version v8.10
Using GnuTLS 3.6.14. Features present: TPM, TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse
$ dnf info NetworkManager-openconnect.x86_64
Last metadata expiration check: 3:20:28 ago on mer 5 ago 2020, 12:02:17.
Installed Packages
Name : NetworkManager-openconnect
Version : 1.2.6
Release : 3.fc32
Architecture : x86_64
Size : 2.2 M
Source : NetworkManager-openconnect-1.2.6-3.fc32.src.rpm
Repository : @System
From repo : fedora
operating system
$ lsb_release -a
LSB Version: :core-4.1-amd64:core-4.1-noarch
Distributor ID: Fedora
Description: Fedora release 32 (Thirty Two)
Release: 32
Codename: ThirtyTwo