GlobalProtect-openconnect

gp.conf syntax

Open ysiivan opened this issue 3 years ago • 8 comments

I can connect with command line openconnect with the following command from a shell script

echo "$password" |
    sudo openconnect \
        --protocol=gp \
        $access_point \
        --user=mydomain\\myuser \
        --certificate ~/work/paloalto/mycert.pem \
        --servercert pin-sha256:y4vQpQl/w0NPJ4eKY11kC3jvg6Dvx0FzxYArz4/X6x0= \
        --script 'vpn-slice 10.0.0.0/8 10.171.63.202 myvm1 mydev1 myub18 --domain mydomain.mydomain2.com'

1.4.4 compiled from sources fails to connect. Log doesn't tell me much:

2022-05-19 15:03:22.146 ERROR [4022] [GatewayAuthenticator::onLoginFinished@58] Failed to login the gateway at https://<redacted>/ssl-vpn/login.esp, Unknown error

Seems no matter what I type for user/password I get the above. The settings screen tells me that settings are now in /etc/gpservice/gp.conf. Created that file and tried different combinations (including with only --certificate and --servercert options) of the command line params syntax. No change.

So, what's the gp.conf syntax? If gpclient is a GUI driving openconnect, how do I make it call openconnect the same way I do from the command line?

ysiivan avatar May 19 '22 22:05 ysiivan

Append all the parameters to openconnect-args=

Tokens with spaces can be surrounded by double quotes; three consecutive double quotes represent the quote character itself.

https://doc.qt.io/qt-5/qprocess.html#splitCommand

yuezk avatar May 21 '22 03:05 yuezk

@ysiivan The configuration supports multi-line; your configuration can be configured as below:

openconnect-args=--certificate ~/work/paloalto/mycert.pem
        --servercert pin-sha256:y4vQpQl/w0NPJ4eKY11kC3jvg6Dvx0FzxYArz4/X6x0=
        --script "vpn-slice 10.0.0.0/8 10.171.63.202 myvm1 mydev1 myub18 --domain mydomain.mydomain2.com"

yuezk avatar May 21 '22 12:05 yuezk

@yuezk Made no difference. Login from command line is fine, doesn't work from gpclient.

2022-05-27 15:08:38.175 ERROR [46261] [GatewayAuthenticator::onLoginFinished@58] Failed to login the gateway at https://<my gateway>/ssl-vpn/login.esp, Unknown error

ysiivan avatar May 27 '22 22:05 ysiivan

Has the custom parameter worked before with gpclient, or did it just get broken when switching to /etc/gpservice/gp.conf?

BTW, I'm not clear about the authentication workflow when using --certificate parameter. Do you still need to input the credentials when you use the OpenConnect command with the --certificate parameter?

yuezk avatar May 29 '22 09:05 yuezk

> Has the custom parameter worked before with gpclient, or did it just get broken when switching to /etc/gpservice/gp.conf?

Never tried gpclient before the gp.conf change.

> Do you still need to input the credentials when you use the OpenConnect command with the --certificate parameter?

Yes

ysiivan avatar May 31 '22 20:05 ysiivan

Does https://github.com/dlenski/gp-saml-gui work for you?

yuezk avatar Jun 01 '22 14:06 yuezk

I'm not dealing with SAML

ysiivan avatar Jun 02 '22 01:06 ysiivan

I see. I didn't handle the certificate in this client; that could be the reason why it doesn't work for you.

yuezk avatar Jun 06 '22 10:06 yuezk