DTLS 1.2 / Cisco ASA
OpenConnect version v8.02-1+deb10u1 connects successfully to the Cisco ASA via TLS ciphersuite DHE-RSA-AES256-GCM-SHA384. The reported ciphersuite differs: SHA512 instead of 384?
Sep 28 15:07:11 risasrv01-qs openconnect[41148]: CSTP Ciphersuite: (TLS1.2)-(DHE-CUSTOM2048)-(RSA-SHA512)-(AES-256-GCM)
DTLS 1.2 should work with DHE-RSA-AES256-GCM-SHA384 too, but:
Sep 28 15:07:11 risasrv01-qs openconnect[41148]: Connected as 10.56.65.168, using SSL, **with DTLS disabled**
There is no hint on either side as to why.
openconnect --protocol=anyconnect --disable-ipv6 --certificate=/etc/ipsec.d/acerts/peerssl.pem --sslkey=/etc/ipsec.d/private/peerKeyssl.pem --user=risasrv01-qs --cafile=/etc/ipsec.d/cacerts/caCert.pem https://vpn20.qs.dvDMZ.de/ssl-prov --syslog --no-xmlpost --pfs
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: POST https://192.168.106.5/+webvpn+/index.html
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: SSL negotiation with 192.168.106.5
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: Connected to HTTPS on 192.168.106.5
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: Got HTTP response: HTTP/1.1 200 OK
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: Strict-Transport-Security: max-age=31536000; includeSubDomains
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: X-Content-Type-Options: nosniff
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: X-XSS-Protection: 1
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: X-Frame-Options: SAMEORIGIN
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: Transfer-Encoding: chunked
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: Content-Type: text/xml; charset=utf-8
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: Cache-Control: no-store
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: Set-Cookie: webvpnlogin=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: Set-Cookie: webvpn_as=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: Set-Cookie: samlPreauthSessionHash=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: Set-Cookie: acSamlv2Token=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: Set-Cookie: acSamlv2Error=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: Set-Cookie: webvpn=<elided>; path=/; secure
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: Set-Cookie: webvpnc=bu:/CACHE/stc/&p:t&iu:1/&ch:01432EEED5685D610B94E5BE40261E29B7298B65&sh:2591BC3BF517C7E924FFC6A142408AD6253DFF3F&m:dart%2Cnvm%2Cumbrella&lu:/+CSCOT+/translation-table?textdomain%3DAnyConnect%26type%3Dmanifest&fu:profiles%2Fcontractor.xml&fh:A9940778D26586105C7DBBBC3585504091E7F649; path=/; secure
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: Set-Cookie: webvpnx=gu:feedback@%2Fprofiles%2Fnofeedback.xml%2Cnvm@%2Fprofiles%2Fnvm.xml%2Cumbrella@%2Fprofiles%2FFilipTest.xml&gh:D7A4B892E858F855A1DF6DBE7D8B36CE07C0D516%2CDEFDFC7E257D5BF99F29F9739CF5B51A430D2A3D%2C480207545B0223B76CF00AE0F1CA3C0176A76CDC
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: Set-Cookie: webvpnaac=1; path=/; secure
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: X-Transcend-Version: 1
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: HTTP body chunked (-2)
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: TCP_INFO rcv mss 1448, snd mss 1448, adv mss 1448, pmtu 1500
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: Got CONNECT response: HTTP/1.1 200 OK
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: X-CSTP-Version: 1
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: X-CSTP-Protocol: Copyright (c) 2004 Cisco Systems, Inc.
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: X-CSTP-Address: 10.56.65.168
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: X-CSTP-Netmask: 255.255.255.128
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: X-CSTP-DNS: 10.245.67.3
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: X-CSTP-DNS: 10.245.67.4
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: X-CSTP-Lease-Duration: 48000
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: X-CSTP-Session-Timeout: 48000
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: X-CSTP-Session-Timeout-Alert-Interval: 60
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: X-CSTP-Session-Timeout-Remaining: 48000
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: X-CSTP-Idle-Timeout: 1800
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: X-CSTP-Disconnected-Timeout: 1800
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: X-CSTP-Default-Domain: dnet.qs.datev.de
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: X-CSTP-Split-Include: 10.245.0.0/255.255.0.0
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: X-CSTP-Keep: true
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: X-CSTP-Tunnel-All-DNS: true
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: X-CSTP-Rekey-Time: 900
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: X-CSTP-Rekey-Method: new-tunnel
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: X-CSTP-DPD: 3600
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: X-CSTP-Keepalive: 30
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: X-CSTP-MSIE-Proxy-Lockdown: true
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: X-CSTP-Smartcard-Removal-Disconnect: true
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: X-CSTP-MTU: 1367
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: X-CSTP-Routing-Filtering-Ignore: false
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: X-CSTP-Quarantine: false
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: X-CSTP-Disable-Always-On-VPN: false
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: X-CSTP-TCP-Keepalive: true
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: CSTP connected. DPD 3600, Keepalive 30
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: CSTP Ciphersuite: (TLS1.2)-(DHE-CUSTOM2048)-(RSA-SHA512)-(AES-256-GCM)
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: Connected as 10.56.65.168, using SSL, with DTLS disabled
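
A triage sketch for logs like the one above, added here and not part of the original post or of OpenConnect: it collects the headers of the CONNECT response, flags whether any DTLS parameters were returned, and splits the `CSTP Ciphersuite` line into its fields. It assumes that a gateway offering DTLS returns `X-DTLS`-prefixed headers in the CONNECT response, and that the parenthesised fields are protocol, key exchange, signature algorithm and cipher, so `RSA-SHA512` would be the handshake signature rather than the `SHA384` of the suite name.

```python
import re

# Constructed sample: a shortened copy of the syslog lines quoted in the post.
SAMPLE_LOG = """\
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: Got CONNECT response: HTTP/1.1 200 OK
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: X-CSTP-Version: 1
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: X-CSTP-Address: 10.56.65.168
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: X-CSTP-MTU: 1367
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: CSTP connected. DPD 3600, Keepalive 30
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: CSTP Ciphersuite: (TLS1.2)-(DHE-CUSTOM2048)-(RSA-SHA512)-(AES-256-GCM)
Sep 28 15:35:52 risasrv01-qs openconnect[41431]: Connected as 10.56.65.168, using SSL, with DTLS disabled
"""

MSG = re.compile(r"openconnect\[\d+\]: (.*)$")       # strip the syslog prefix
HEADER = re.compile(r"^(X-[A-Za-z0-9-]+): (.*)$")    # X-CSTP-* / X-DTLS* headers
SUITE_FIELDS = ("protocol", "key_exchange", "signature", "cipher")  # assumed order


def triage(log_text):
    """Summarise what the gateway returned in its CONNECT response."""
    result = {"cstp": {}, "dtls": {}, "suite": None, "status": None}
    in_connect = False
    for line in log_text.splitlines():
        m = MSG.search(line)
        if not m:
            continue
        msg = m.group(1)
        if msg.startswith("Got CONNECT response:"):
            in_connect = True            # headers before this belong to the POST
        elif msg.startswith("CSTP Ciphersuite: "):
            fields = re.findall(r"\(([^)]*)\)", msg)
            result["suite"] = dict(zip(SUITE_FIELDS, fields))
        elif msg.startswith("Connected as "):
            result["status"] = msg
        elif in_connect:
            h = HEADER.match(msg)
            if h:
                name, value = h.groups()
                bucket = "dtls" if name.upper().startswith("X-DTLS") else "cstp"
                # Some headers (e.g. X-CSTP-DNS) repeat, so keep a list per name.
                result[bucket].setdefault(name, []).append(value)
    result["dtls_offered"] = bool(result["dtls"])
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

For the sample, `dtls_offered` is false because the CONNECT response contains only `X-CSTP-*` headers, which matches the final "with DTLS disabled" status line.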