camouflage mode not working with Cisco Secure Client 5

Hello! Thanks for your awesome project! Unfortunately, I'm having trouble with the camouflage feature and Cisco Secure Client.

Description of problem:

Cisco Secure Client (AnyConnect Downloader module) does not connect when the camouflage option is enabled in ocserv.conf

Version of ocserv used:

1.2.1

Client used:

AnyConnect macOS/Windows 5.0.04032 (aka Cisco Secure Client)

Distributor of ocserv:

docker image evilbox/ocserv:1.2.1 (based on alpine:3.18.2)

How reproducible:

  1. Enable camouflage = true in config
  2. Set camouflage_secret = "1xyz"
  3. Uncomment camouflage_realm = "Restricted Content"
  4. Connect to the ocserv server using Cisco Secure Client

Actual results:

Cisco client establishes a connection to ocserv

Expected results:

Cisco client does not establish a connection to ocserv and shows the "Cisco Secure Client failed to establish a connection to the specified secure gateway." error

In the ocserv logs I saw this:

ocserv[16289]: worker[user777]: 111.111.111.111 Detected Cisco AnyConnect
ocserv[16289]: worker[user777]: 111.111.111.111 User-agent: 'AnyConnect Windows 5.0.04032'
ocserv[16289]: worker[user777]: 111.111.111.111 Detected Cisco AnyConnect
ocserv[1]: main: added 1 points (total 2) for IP '111.111.111.111' to ban list
ocserv[16290]: main: map worker serving remote address 111.111.111.111:63239 to secmod instance 0
note: vhost:default: setting 'radius' as primary authentication method
ocserv[14]: sec-mod: received request from pid 16290 and uid 0
ocserv[14]: sec-mod: cmd [size=38] sm: sign hash
note: setting 'radius' as supplemental config option
ocserv[16290]: worker: 111.111.111.111 accepted connection
ocserv[14]: sec-mod: received request from pid 16290 and uid 65534
ocserv[14]: sec-mod: cmd [size=38] sm: sign hash
ocserv[16290]: worker: 111.111.111.111 TLS handshake completed
ocserv[16290]: worker: 111.111.111.111 sending message 'session info' to main
ocserv[1]: main:111.111.111.111:63239 main received worker's message 'session info' of 69 bytes
ocserv[16290]: worker: 111.111.111.111 User-agent: 'AnyConnect Downloader Windows 5.0.04032'
ocserv[16290]: worker: 111.111.111.111 Detected Cisco AnyConnect
ocserv[16290]: worker: 111.111.111.111 Secret not found in URL, declining...

P.S. If you need an AnyConnect distrib, tell me

Edited by Dimitri Papadopoulos Orfanos
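
A log-triage sketch for the excerpt in this report, added here as an example and not part of the original report or the ocserv project: it groups worker lines by PID and reports which User-Agent the camouflage check declined. The regular expressions and function names are assumptions derived only from the log lines shown above; the sample is an abridged copy of those lines.

```python
import re

# Abridged copy of the log lines quoted in the report above.
SAMPLE_LOG = """\
ocserv[16289]: worker[user777]: 111.111.111.111 Detected Cisco AnyConnect
ocserv[16289]: worker[user777]: 111.111.111.111 User-agent: 'AnyConnect Windows 5.0.04032'
ocserv[1]: main: added 1 points (total 2) for IP '111.111.111.111' to ban list
ocserv[16290]: worker: 111.111.111.111 accepted connection
ocserv[16290]: worker: 111.111.111.111 TLS handshake completed
ocserv[16290]: worker: 111.111.111.111 User-agent: 'AnyConnect Downloader Windows 5.0.04032'
ocserv[16290]: worker: 111.111.111.111 Detected Cisco AnyConnect
ocserv[16290]: worker: 111.111.111.111 Secret not found in URL, declining...
"""

# Assumed line shape: ocserv[PID]: worker[optional user]: IP message
WORKER_RE = re.compile(
    r"^ocserv\[(?P<pid>\d+)\]: worker(?:\[(?P<user>[^\]]*)\])?: "
    r"(?P<ip>\S+) (?P<msg>.*)$"
)
UA_RE = re.compile(r"^User-agent: '(?P<ua>.*)'$")
DECLINE_MSG = "Secret not found in URL, declining..."


def summarize_workers(log_text):
    """Return one record per worker PID, in order of first appearance."""
    workers = {}
    for line in log_text.splitlines():
        m = WORKER_RE.match(line.strip())
        if not m:
            continue  # main, sec-mod and 'note:' lines are ignored
        rec = workers.setdefault(m["pid"], {
            "pid": m["pid"], "ip": m["ip"], "user": None,
            "user_agent": None, "declined": False,
        })
        if m["user"]:
            rec["user"] = m["user"]  # worker already bound to a session
        ua = UA_RE.match(m["msg"])
        if ua:
            rec["user_agent"] = ua["ua"]
        elif m["msg"] == DECLINE_MSG:
            rec["declined"] = True  # camouflage secret missing from URL
    return list(workers.values())


def declined_user_agents(log_text):
    """User-Agent strings of workers that hit the camouflage decline."""
    return sorted({w["user_agent"] for w in summarize_workers(log_text)
                   if w["declined"] and w["user_agent"]})


if __name__ == "__main__":
    for rec in summarize_workers(SAMPLE_LOG):
        print(rec)
```

Worker PIDs are assumed unique within the window being analysed; on a long-running server, split the log by time before grouping, since PIDs are reused.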