Pulse Secure protocol - authentication: CLI works, but SSL connection in GUI fails with 'Invalid ESP setup'
Dear developers,
This is my first time reporting such an error, so please be lenient towards me.
My issue might be related to issue #57, or completely unrelated.
Unfortunately I am also lacking the expertise to decide whether my issue is related to either issue #379 or merge-request !331.
Here is my situation:
CLI [successful]:
I am able to connect to our university's Pulse Secure VPN server using the command line interface:
sudo openconnect -b --protocol=nc --user='username'@'domain' https://'domain'
- output:
GET https://'domain'
Connected to 'ip-address-range'
SSL negotiation with 'domain'
Connected to HTTPS on 'domain'
Got HTTP response: HTTP/1.1 302 Found
GET https://'domain'/dana-na/auth/url_default/welcome.cgi
SSL negotiation with 'domain'
Connected to HTTPS on 'domain'
frmLogin
password:'password'
POST https://'domain'/dana-na/auth/url_default/login.cgi
Got HTTP response: HTTP/1.1 302 Moved
GET https://'domain'/dana-na/auth/url_default/welcome.cgi?p=failed
frmLogin
username:'username'
password:'password'
POST https://'domain'/dana-na/auth/url_default/login.cgi
Got HTTP response: HTTP/1.1 302 Moved
GET https://'domain'/dana/home/starter0.cgi?check=yes
Connected as 'ip-address', using SSL, with ESP in progress
Continuing in background; pid 15174
ESP session established with server
GUI [unsuccessful]
On the other hand, I am unable to establish the same connection using the graphical user interface [GUI] of the nm-applet or network-manager-openconnect-gnome, as accessed via nm-connection-editor:
I made sure to install the dependencies:
:~$ sudo apt-get update && sudo apt-get upgrade
:~$ sudo apt-get --reinstall install openconnect vpnc-scripts network-manager-openconnect network-manager-openconnect-gnome python3-gi gir1.2-webkit2-4.0
I then specified the following parameters in the network-manager-openconnect-gnome GUI:
- name: 'vpn-name'
- protocol: Pulse Connect Secure
- gateway: 'domain' [without trailing https://]
- everything else: not specified / left blank
Upon launching the VPN via the nm-applet, and connecting to the gateway in the GUI popup, I am asked for username and password, which I provided. The GUI closes before I can have a proper look at the logs. But I get a glimpse of the password in clear, which is weird, as I wouldn't have expected the password to be logged in any readable way... Anyhow, I am presented with a notify-send error message of gnome-shell.
Inspecting the logs, I highlighted suspicious lines:
:~$ tail -l /var/log/syslog
- output:
Jun 4 21:36:52 'session-user'-desktop NetworkManager[58729]: [1654371412.2211] audit: op="connection-add" uuid="'connection-UUID'" name="'vpn-name'" pid=59920 uid=1000 result="success"
Jun 4 21:37:16 'session-user'-desktop NetworkManager[58729]: [1654371436.8135] audit: op="connection-activate" uuid="'connection-UUID'" name="'vpn-name'" pid=59920 uid=1000 result="success"
Jun 4 21:37:16 'session-user'-desktop gnome-shell[1920]: JS ERROR: TypeError: item is undefined#012setActiveConnections/<@resource:///org/gnome/shell/ui/status/network.js:1523:17#012setActiveConnections@resource:///org/gnome/shell/ui/status/network.js:1520:24#012_syncVpnConnections@resource:///org/gnome/shell/ui/status/network.js:1867:26
Jun 4 21:37:16 'session-user'-desktop NetworkManager[58729]: [1654371436.8194] vpn-connection[0x55b59396c0a0,'connection-UUID',"'vpn-name'",0]: Started the VPN service, PID 61641
Jun 4 21:37:16 'session-user'-desktop NetworkManager[58729]: [1654371436.8302] vpn-connection[0x55b59396c0a0,'connection-UUID',"'vpn-name'",0]: Saw the service appear; activating connection
Jun 4 21:37:17 'session-user'-desktop gnome-shell[2431]: Could not create transient scope for PID 61665: GDBus.Error:org.freedesktop.DBus.Error.UnixProcessIdUnknown: Process with ID 61665 does not exist.
Jun 4 21:37:21 'session-user'-desktop NetworkManager[58729]: [1654371441.4214] vpn-connection[0x55b59396c0a0,'connection-UUID',"'vpn-name'",0]: VPN connection: (ConnectInteractive) reply received
Jun 4 21:37:21 'session-user'-desktop NetworkManager[58729]: [1654371441.4250] manager: (vpn0): new Tun device (/org/freedesktop/NetworkManager/Devices/5)
Jun 4 21:37:21 'session-user'-desktop NetworkManager[58729]: [1654371441.4356] vpn-connection[0x55b59396c0a0,'connection-UUID',"'vpn-name'",0]: VPN plugin: state changed: starting (3)
Jun 4 21:37:21 'session-user'-desktop openconnect[61674]: Connected to 'ip-address-range'
Jun 4 21:37:21 'session-user'-desktop openconnect[61674]: SSL negotiation with 'ip-address'
Jun 4 21:37:21 'session-user'-desktop openconnect[61674]: Server certificate verify failed: signer not found
Jun 4 21:37:21 'session-user'-desktop systemd-udevd[61675]: ethtool: autonegotiation is unset or enabled, the speed and duplex are not writable.
Jun 4 21:37:21 'session-user'-desktop openconnect[61674]: Connected to HTTPS on 'ip-address'
Jun 4 21:37:21 'session-user'-desktop openconnect[61674]: Got HTTP response: HTTP/1.1 101 Switching Protocols
Jun 4 21:37:21 'session-user'-desktop openconnect[61674]: Unexpected IF-T/TLS packet when expecting configuration.
Jun 4 21:37:21 'session-user'-desktop openconnect[61674]: Invalid ESP setup
Jun 4 21:37:21 'session-user'-desktop NetworkManager[61674]: Creating SSL connection failed
Jun 4 21:37:21 'session-user'-desktop openconnect[61674]: Insufficient configuration found
Jun 4 21:37:21 'session-user'-desktop gnome-shell[1920]: Removing a network device that was not added
Jun 4 21:37:21 'session-user'-desktop gnome-shell[2431]: Removing a network device that was not added
Jun 4 21:37:21 'session-user'-desktop NetworkManager[58729]: [1654371441.6105] vpn-connection[0x55b59396c0a0,'connection-UUID',"'vpn-name'",0]: VPN plugin: failed: connect-failed (1)
Jun 4 21:37:21 'session-user'-desktop NetworkManager[58729]: [1654371441.6105] vpn-connection[0x55b59396c0a0,'connection-UUID',"'vpn-name'",0]: VPN plugin: failed: connect-failed (1)
Jun 4 21:37:21 'session-user'-desktop NetworkManager[58729]: [1654371441.6105] vpn-connection[0x55b59396c0a0,'connection-UUID',"'vpn-name'",0]: VPN plugin: state changed: stopping (5)
Jun 4 21:37:21 'session-user'-desktop NetworkManager[58729]: [1654371441.6106] vpn-connection[0x55b59396c0a0,'connection-UUID',"'vpn-name'",0]: VPN plugin: state changed: stopped (6)
Jun 4 21:37:21 'session-user'-desktop NetworkManager[58729]: [1654371441.6133] vpn-connection[0x55b59396c0a0,'connection-UUID',"'vpn-name'",0]: VPN service disappeared
My system is configured like such:
- Operating System: Ubuntu 20.04.01 LTS; Linux desktop 5.13.0-44-generic #49~20.04.1-Ubuntu [x86_64]
- NetworkManager configuration file for the VPN connection in question:
:~$ sudo cat /etc/NetworkManager/system-connections/'vpn-name'.nmconnection
- output:
[connection]
id='vpn-name'
uuid='connection-UUID'
type=vpn
autoconnect=false
permissions=user:'session-user':;
[vpn]
authtype=password
autoconnect-flags=0
certsigs-flags=0
cookie-flags=2
enable_csd_trojan=no
gateway='domain'
gateway-flags=2
gwcert-flags=2
lasthost-flags=0
pem_passphrase_fsid=no
prevent_invalid_cert=no
protocol=pulse
stoken_source=disabled
xmlconfig-flags=0
service-type=org.freedesktop.NetworkManager.openconnect
[vpn-secrets]
lasthost='domain'
[ipv4]
dns-search=
method=auto
[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=auto
[proxy]
I am wondering if I made a beginner's mistake and simply failed to specify a CA certificate,
which for some weird reason would not be required from the command line..?
Help would be much appreciated,
Cheers
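
Added example, not part of the original report and not OpenConnect or NetworkManager code: it compares the working CLI invocation with the `[vpn]` section of the posted NetworkManager profile and lists the settings on which the two differ. The function names are hypothetical and the inputs are trimmed copies of the values shown above; whether a listed difference explains the `Invalid ESP setup` failure is not established by the report.

```python
import configparser
import shlex

# Constructed from values shown in the report; the quoted placeholders are the reporter's.
CLI = "sudo openconnect -b --protocol=nc --user='username'@'domain' https://'domain'"
PROFILE = """\
[connection]
id='vpn-name'
type=vpn
[vpn]
authtype=password
gateway='domain'
prevent_invalid_cert=no
protocol=pulse
service-type=org.freedesktop.NetworkManager.openconnect
[proxy]
"""

def cli_settings(cmdline):
    """Extract --key=value options and the server host from an openconnect command line."""
    out = {}
    for tok in shlex.split(cmdline):  # shlex also drops the placeholder quotes
        if tok.startswith("--") and "=" in tok:
            key, value = tok[2:].split("=", 1)
            out[key] = value
        elif tok.startswith("https://"):
            out["gateway"] = tok[len("https://"):].rstrip("/")
    return out

def profile_settings(keyfile_text):
    """Read the [vpn] section of a NetworkManager keyfile."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key names exactly as written in the keyfile
    cp.read_string(keyfile_text)
    return {k: v.strip("'") for k, v in cp["vpn"].items()}

def compare(cmdline, keyfile_text):
    """Return findings where the GUI profile departs from the working CLI call."""
    cli, nm = cli_settings(cmdline), profile_settings(keyfile_text)
    findings = []
    for key in ("protocol", "gateway"):
        if cli.get(key) != nm.get(key):
            findings.append(f"{key}: CLI={cli.get(key)!r} profile={nm.get(key)!r}")
    if nm.get("prevent_invalid_cert") == "no":
        # Flagged because the GUI log shows the certificate check failing.
        findings.append("prevent_invalid_cert=no (log: 'Server certificate verify failed: signer not found')")
    return findings

if __name__ == "__main__":
    for line in compare(CLI, PROFILE):
        print(line)
```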