Ivanti/Pulse aborts after authentication with Bad IF-T/TLS packet when expecting configuration
First things first: this is a similar issue to the one reported in #98, but apparently not the same, as it occurs for me with v9.12.

I currently use two Ivanti VPNs for work. One works fine with openconnect, while the other aborts after authentication with the message `Bad IF-T/TLS packet when expecting configuration`. The main difference between the VPNs seems to be a huge proxy PAC file being provided in the VPN which does not work. Sadly I do not know the exact versions of Ivanti used, but both VPNs seem to be the same version.

The full output is over 2000 lines, which is why I only include snippets here. Since redacting hex dumps is a bit of a pain, I opted not to attach the full redacted 2000 lines. If the original output is required for debugging, I am happy to provide it directly to a developer.

This is the openconnect version I tested with (on macOS):

```
$ openconnect --version
OpenConnect version v9.12
Using GnuTLS 3.8.0. Features present: PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse, f5, fortinet, array
Default vpnc-script (override with --script): /usr/local/etc/vpnc/vpnc-script
```

And this is part of the output:

```
$ sudo openconnect --user=MYUSER --protocol=pulse MYVPNSERVER/macos --dump-http-traffic -vvv
Password:
Attempting to connect to server YYY.YYY.YYY.YYY:443
Connected to YYY.YYY.YYY.YYY:443
SSL negotiation with MYVPNSERVER
Connected to HTTPS on MYVPNSERVER with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-128-GCM)
[...]
Pulse password auth request, code 0x01
Enter user credentials:
Password:
> 0000: 00 00 55 97 00 00 00 06 00 00 00 5c 00 00 00 04 |..U........\....|
> 0010: 00 0a 4c 01 02 03 00 48 fe 00 0a 4c 00 00 00 01 |..L....H�..L....|
> 0020: 00 00 0d 6d 80 00 00 15 00 00 05 83 XX XX XX XX |...m........MYUS|
> 0030: XX XX XX XX XX 00 00 00 00 00 00 4f 40 00 00 21 |ERXXX......O@..!|
> 0040: 02 00 00 19 fe 00 0a 4c 00 00 00 02 02 02 0c XX |....�..L.......X|
> 0050: XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX 00 |XXXXXXXXXXXXXXX.|
Read 112 bytes of IF-T/TLS record
< 0000: 00 00 55 97 00 00 00 05 00 00 00 70 00 00 01 f9 |..U........p...�|
< 0010: 00 0a 4c 01 01 04 00 5c fe 00 0a 4c 00 00 00 01 |..L....\�..L....|
< 0020: 00 00 0d 65 80 00 00 50 00 00 05 83 00 00 0d 66 |...e...P.......f|
< 0030: 80 00 00 14 00 00 05 83 30 30 30 30 30 30 30 30 |........00000000|
< 0040: 00 00 0d 67 80 00 00 19 00 00 05 83 XX XX 2e XX |...g........XX.X|
< 0050: XX XX 2e XX XX 2e XX XX XX 4a 38 50 00 00 0d 68 |XX.XX.XXXJ8P...h|
< 0060: 80 00 00 14 00 00 05 83 00 00 00 00 64 70 63 47 |............dpcG|
AVP 0x583/0xd65: 00 00 0d 66 80 00 00 14 00 00 05 83 30 30 30 30 30 30 30 30 00 00 0d 67 80 00 00 19 00 00 05 83 XX XX 2e XX XX XX 2e XX XX 2e XX XX XX 4a 38 50 00 00 0d 68 80 00 00 14 00 00 05 83 00 00 00 00 64 70 63 47
Pulse session limit, 1 sessions
AVP 0x583/0xd66: '00000000'
AVP 0x583/0xd67: 'XX.XXX.XX.XXX'
AVP 0x583/0xd68: 00 00 00 00 64 70 63 47
Session limit reached. Choose session to kill:
- 00000000 from XX.XXX.XX.XXX at Fr, 26 Mai 2023 09:44:07 CEST
Session: [00000000]:00000000
> 0000: 00 00 55 97 00 00 00 06 00 00 00 34 00 00 00 05 |..U........4....|
> 0010: 00 0a 4c 01 02 04 00 20 fe 00 0a 4c 00 00 00 01 |..L.... �..L....|
> 0020: 00 00 0d 69 80 00 00 14 00 00 05 83 30 30 30 30 |...i........0000|
> 0030: 30 30 30 30 |0000|
Read 264 bytes of IF-T/TLS record
< 0000: 00 00 55 97 00 00 00 05 00 00 01 08 00 00 01 fa |..U............�|
< 0010: 00 0a 4c 01 01 05 00 f4 fe 00 0a 4c 00 00 00 01 |..L....��..L....|
< 0020: 00 00 0d 53 80 00 00 2c 00 00 05 83 62 38 37 34 |...S...,....b874|
< 0030: 35 31 65 35 64 30 37 37 39 64 33 37 62 33 31 30 |51e5d0779d37b310|
< 0040: 38 63 65 66 33 30 30 36 39 61 31 64 00 00 0d 8b |8cef30069a1d....|
< 0050: 80 00 00 1c 00 00 05 83 37 38 64 61 66 38 36 33 |........78daf863|
< 0060: 63 38 38 35 34 30 62 64 00 00 0d 8d 80 00 00 10 |c88540bd........|
< 0070: 00 00 05 83 6e 65 75 78 00 00 0d 5c 80 00 00 10 |....neux...\....|
< 0080: 00 00 05 83 00 00 a8 c0 00 00 0d 54 80 00 00 21 |......��...T...!|
< 0090: 00 00 05 83 YY YY YY 2e YY YY YY 2e YY YY YY 2e |....YYY.YYY.YYY.|
< 00a0: YY YY YY 2f 6d 61 63 6f 73 00 00 00 00 00 0d 55 |YYY/macos......U|
< 00b0: 80 00 00 2c 00 00 05 83 31 64 38 61 61 32 37 31 |...,....1d8aa271|
< 00c0: 61 64 33 64 66 36 30 33 61 34 31 32 31 36 39 64 |ad3df603a412169d|
< 00d0: 30 66 36 33 37 62 33 65 00 00 0d 6b 80 00 00 10 |0f637b3e...k....|
< 00e0: 00 00 05 83 00 00 00 10 00 00 0d 75 80 00 00 10 |...........u....|
< 00f0: 00 00 05 83 00 00 00 00 00 00 0d 57 80 00 00 10 |...........W....|
< 0100: 00 00 05 83 00 00 00 00 |........|
AVP 0x583/0xd53: 'b87451e5d0779d37b3108cef30069a1d'
AVP 0x583/0xd8b: '78daf863c88540bd'
AVP 0x583/0xd8d: 'neux'
AVP 0x583/0xd5c: 00 00 a8 c0
AVP 0x583/0xd54: 'YYY.YYY.YYY.YYY/macos'
AVP 0x583/0xd55: '1d8aa271ad3df603a412169d0f637b3e'
AVP 0x583/0xd6b: 00 00 00 10
AVP 0x583/0xd75: 00 00 00 00
AVP 0x583/0xd57: 00 00 00 00
> 0000: 00 00 55 97 00 00 00 06 00 00 00 20 00 00 00 06 |..U........ ....|
> 0010: 00 0a 4c 01 02 05 00 0c fe 00 0a 4c 00 00 00 01 |..L.....�..L....|
Read 24 bytes of IF-T/TLS record
< 0000: 00 00 55 97 00 00 00 07 00 00 00 18 00 00 01 fb |..U............�|
< 0010: 00 0a 4c 01 03 05 00 04 |..L.....|
Read 16384 bytes of IF-T/TLS record
< 0000: 00 00 0a 4c 00 00 00 01 00 00 5c 1e 00 00 01 fc |...L......\....�|
< 0010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
< 0020: 2e 20 f0 00 00 00 00 00 00 00 5c 0e 2c 00 00 0d |. �.......\.,...|
< 0030: 03 00 00 00 40 25 00 01 01 2e 00 01 08 10 00 00 |....@%..........|
< 0040: 00 07 00 00 10 00 00 ff ff 0a 00 00 00 0a ff ff |.......��.....��|
< 0050: ff 07 00 00 10 00 00 ff ff 06 29 01 00 06 29 01 |�......��.)...).|
< 0060: ff 07 00 00 10 00 00 ff ff 06 29 c7 00 06 29 c7 |�......��.)�..)�|
< 0070: ff 07 00 00 10 00 00 ff ff 35 fa 00 00 35 fa ff |�......��5�..5��|
< 0080: ff 07 00 00 10 00 00 ff ff 50 9e 18 00 50 9e 19 |�......��P...P..|
< 0090: ff 07 00 00 10 00 00 ff ff 50 9e 07 00 50 9e 07 |�......��P...P..|
< 00a0: ff 07 00 00 10 00 00 ff ff 51 07 cb 00 51 07 cb |�......��Q.�.Q.�|
< 00b0: ff 07 00 00 10 00 00 ff ff 52 d2 da 00 52 d2 da |�......��R��.R��|
< 00c0: ff 07 00 00 10 00 00 ff ff c1 c0 e7 8e c1 c0 e7 |�......�����.���|
< 00d0: 8e 07 00 00 10 00 00 ff ff c3 8d 9d fd c3 8d 9d |.......���..��..|
< 00e0: fd 07 00 00 10 00 00 ff ff 14 17 23 d8 14 17 23 |�......��..#�..#|
< 00f0: d8 07 00 00 10 00 00 ff ff 0a 5b 96 2b 0a 5b 96 |�......��.[.+.[.|
< 0100: 2b 07 00 00 10 00 00 ff ff 0a 5b a8 19 0a 5b a8 |+......��.[�..[�|
< 0110: 19 07 00 00 10 00 00 ff ff 0a 5b 87 04 0a 5b 87 |.......��.[...[.|
< 0120: 04 07 00 00 10 00 00 ff ff 0a 30 cd 92 0a 30 cd |.......��.0�..0�|
< 0130: 92 07 00 00 10 00 00 ff ff a1 3e d5 91 a1 3e d5 |.......���>�.�>�|
< 0140: 91 00 00 5a dd 03 00 00 00 40 00 00 01 00 40 01 |...Z�....@....@.|
< 0150: 00 01 00 40 1f 00 01 00 40 20 00 01 00 40 21 00 |...@....@ ...@!.|
< 0160: 01 00 40 05 00 04 00 00 05 78 00 03 00 04 35 fa |..@......x....5�|
< 0170: 1c aa 00 03 00 04 35 fa 2c aa 40 06 00 0d XX XX |.�....5�,�@...CO|
< 0180: XX XX XX XX XX XX XX XX XX XX 00 40 07 00 04 00 |MPANY1.COM.@....|
< 0190: 00 00 01 40 19 00 01 01 40 1a 00 01 00 40 24 00 |...@....@....@$.|
< 01a0: 01 01 40 17 00 04 00 00 00 0f 40 0f 00 02 00 00 |..@.......@.....|
< 01b0: 40 10 00 02 00 05 40 11 00 02 00 03 40 12 00 04 |@.....@.....@...|
< 01c0: 00 00 04 b0 40 13 00 04 00 00 00 00 40 14 00 04 |...�@.......@...|
< 01d0: 00 00 00 01 40 15 00 04 00 00 00 00 40 16 00 02 |....@.......@...|
< 01e0: 11 94 40 17 00 04 00 00 00 0f 40 18 00 04 00 00 |..@.......@.....|
< 01f0: 00 3c 00 01 00 04 35 fa bf 38 00 02 00 04 ff ff |.<....5�8....��|
< 0200: ff ff 40 0b 00 04 0a c8 c8 c8 40 23 00 37 68 74 |��@....���@#.7ht|
< 0210: 74 70 3a 2f 2f 70 61 63 2d 69 6e 74 2e 64 65 2e |tp://pac-int.de.|
< 0220: XX XX XX XX XX XX XX XX XX XX XX XX XX XX 3a 33 |COMPANY002.com:3|
< 0230: 31 33 32 2f 63 68 2f 70 72 6f 78 79 2d 72 61 73 |132/ch/proxy-ras|
< 0240: 2e 70 61 63 00 40 09 59 b2 2f 2f 20 56 65 72 73 |.pac.@.Y�// Vers|
< 0250: 69 6f 6e 3a 20 31 35 2e 30 33 2e 32 30 32 32 20 |ion: 15.03.2022 |
< 0260: 2d 20 43 30 30 32 38 35 39 32 30 31 0a 2f 2f 20 |- C002859201.// |
< 0270: 41 43 48 54 55 4e 47 3a 20 44 69 65 73 65 73 20 |ACHTUNG: Dieses |
< 0280: 46 69 6c 65 20 77 69 72 64 20 66 c3 bc 72 20 64 |File wird für d|
< 0290: 69 65 20 6e 65 75 65 20 41 6e 79 20 43 6f 6e 6e |ie neue Any Conn|
< 02a0: 65 63 74 20 55 73 65 72 20 28 56 50 4e 29 20 47 |ect User (VPN) G|
< 02b0: 50 4f 20 65 69 6e 67 65 73 65 74 7a 74 0a 0a 66 |PO eingesetzt..f|
< 02c0: 75 6e 63 74 69 6f 6e 20 46 69 6e 64 50 72 6f 78 |unction FindProx|
< 02d0: 79 46 6f 72 55 52 4c 28 75 72 6c 2c 20 68 6f 73 |yForURL(url, hos|
[...]
Bad IF-T/TLS packet when expecting configuration:
< 0000: 00 00 0a 4c 00 00 00 01 00 00 5c 1e 00 00 01 fc |...L......\....�|
< 0010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
< 0020: 2e 20 f0 00 00 00 00 00 00 00 5c 0e 2c 00 00 0d |. �.......\.,...|
< 0030: 03 00 00 00 40 25 00 01 01 2e 00 01 08 10 00 00 |....@%..........|
[...]
Creating SSL connection failed
Unknown error; exiting.
```

I redacted my username with MYUSER, the VPN server with MYVPNSERVER, the server IP with YYY.YYY.YYY.YYY, my IP with XX.XXX.XX.XXX and about everything else with X.

I also tried the same VPN endpoint with `--protocol=nc`, which gave a slightly different error at the same kind of packet:

```
$ sudo openconnect --user=MYUSER --protocol=nc MYVPNSERVER/macos --dump-http-traffic -vvv
[...]
> POST /dana/js?prot=1&svc=4 HTTP/1.1
> Connection: close
> Host: MYVPNSERVER
> User-Agent: Open AnyConnect VPN Agent v9.12
> Cookie: DSSIGNIN=url_XXXXXXXXXXX; DSSignInURL=/macos; DSBrowserID=XXXXXXXXXXXXXXXXXXXXX; id=state_XXXXXXXXXXXXXXXXXXXXXX; DSMOBILEID=x; DSASSERTREF=x; DSID=XXXXXXXXXXXXXXXXXXX; DSDID=XXXXXXXXXXXXXXXX; DSFirstAccess=1685087388; DSLastAccess=1685087389
> NCP-Version: 3
> Content-Length: 256
>
Got HTTP response: HTTP/1.1 200 OK
Content-type: application/octet-stream
Pragma: no-cache
NCP-Version: 3
Set-Cookie: DSLastAccess=1685087389; path=/; Secure
Connection: close
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000
> 0000: 1b 00 00 04 00 00 00 0e 00 XX XX XX XX XX XX XX |.........MYHOST0|
> 0010: XX 2e 6c 6f 63 61 6c bb 01 00 00 00 00 |4.local�.....|
Read 3 bytes of SSL record
< 0000: 01 00 00 |...|
Read 16384 bytes of SSL record
Invalid packet waiting for KMP 301
< 0000: 31 5b 00 00 00 00 00 00 01 2d 01 00 00 00 00 00 |1[.......-......|
< 0010: 00 00 00 00 5b 1d 00 03 00 00 00 ee 00 01 00 00 |....[......�....|
< 0020: 00 01 00 00 02 00 00 00 01 00 00 03 00 00 00 08 |................|
< 0030: 0a 00 00 00 ff 00 00 00 00 03 00 00 00 08 06 29 |....�..........)|
< 0040: 01 00 ff ff ff 00 00 03 00 00 00 08 06 29 c7 00 |..���........)�.|
< 0050: ff ff ff 00 00 03 00 00 00 08 35 fa 00 00 ff ff |���.......5�..��|
< 0060: 00 00 00 03 00 00 00 08 50 9e 18 00 ff ff fe 00 |........P...���.|
< 0070: 00 03 00 00 00 08 50 9e 07 00 ff ff ff 00 00 03 |......P...���...|
< 0080: 00 00 00 08 51 07 cb 00 ff ff ff 00 00 03 00 00 |....Q.�.���.....|
< 0090: 00 08 52 d2 da 00 ff ff ff 00 00 03 00 00 00 08 |..R��.���.......|
[...]
```

With `--protocol=pulse` the same packet type `2e 20 f0` as in #98 is provided, but for some reason it throws an error. I also noticed the same `5 P P Q R` pattern returned with the problematic config in both the pulse and nc protocols.

Sadly I am not familiar with C, so I am unable to contribute to the code directly, but please let me know if I can help otherwise. It would be great if this issue could be fixed or worked around.
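As an added illustration (not code from this issue or from openconnect), the following Python decoder reads the 16-byte IF-T/TLS record header and the Diameter-style AVPs that openconnect prints as `AVP 0x583/0x...` in the dump above, and runs them over a reconstructed copy of the 112-byte session-limit response; the field layout is taken from the dump itself, and the redacted source IP is replaced by a constructed 10.100.10.100 of the same length. Decoding the 8-byte value of AVP 0xd68 reproduces the `26 Mai 2023 09:44:07 CEST` timestamp openconnect printed.

```python
import struct
from datetime import datetime, timezone

def parse_ift_header(rec):
    """Return (vendor, type, length, seq) from a 16-byte IF-T/TLS record header."""
    return struct.unpack(">IIII", rec[:16])   # struct.error if fewer than 16 bytes

def parse_avps(data):
    """Decode Diameter-style AVPs: code(4) flags(1) len(3) [vendor(4)] value, 4-byte padded."""
    out, off = [], 0
    while off + 8 <= len(data):
        code, flags_len = struct.unpack(">II", data[off:off + 8])
        flags, length = flags_len >> 24, flags_len & 0xFFFFFF
        hdr = 12 if flags & 0x80 else 8           # V flag set: a vendor id follows the length
        if length < hdr or off + length > len(data):
            raise ValueError(f"bad AVP length {length} at offset {off}")
        vendor = struct.unpack(">I", data[off + 8:off + 12])[0] if hdr == 12 else None
        out.append((vendor, code, data[off + hdr:off + length]))  # nested AVPs stay raw
        off += (length + 3) & ~3                   # values are padded to a 4-byte boundary
    return out

def parse_pulse_auth_record(rec):
    """Split a Pulse auth record (IF-T type 5/6) into (seq, eap_code, eap_id, avps)."""
    vendor, typ, length, seq = parse_ift_header(rec)
    if vendor != 0x5597 or typ not in (5, 6) or length != len(rec) or len(rec) < 32:
        raise ValueError(f"not a complete Pulse auth record (vendor {vendor:#x}, type {typ})")
    eap_code, eap_id, eap_len = struct.unpack(">BBH", rec[20:24])
    if rec[16:20] != b"\x00\x0a\x4c\x01" or rec[24] != 0xFE or eap_len != len(rec) - 20:
        raise ValueError("unexpected EAP framing")   # 00 0a 4c 01 wrapper + expanded type 0xfe
    return seq, eap_code, eap_id, parse_avps(rec[32:])  # skip 0xfe + vendor(3) + type(4)

def decode_session_limit(avps):
    """Expand each AVP 0xd65 (existing session) into (session_id, source_ip, utc_datetime)."""
    sessions = []
    for _, code, value in avps:
        if code == 0xD65:
            f = {c: v for _, c, v in parse_avps(value)}
            when = datetime.fromtimestamp(struct.unpack(">Q", f[0xD68])[0], timezone.utc)
            sessions.append((f[0xD66].decode(), f[0xD67].decode(), when))
    return sessions

# Constructed copy of the 112-byte "session limit" response; redacted IP -> 10.100.10.100 (same length)
SESSION_LIMIT_RECORD = bytes.fromhex("".join([
    "00005597 00000005 00000070 000001f9",  # IF-T/TLS header: vendor 0x5597, type 5, 112 bytes
    "000a4c01 0104005c fe000a4c 00000001",  # EAP wrapper, EAP request id 4 len 92, expanded type
    "00000d65 80000050 00000583",           # AVP 0xd65 (vendor 0x583), 80 bytes of nested AVPs
    "00000d66 80000014 00000583", b"00000000".hex(),                 # session id
    "00000d67 80000019 00000583", b"10.100.10.100".hex(), "000000",  # source IP + 3 pad bytes
    "00000d68 80000014 00000583 00000000 64706347",                  # timestamp 0x64706347
]))
```

Applied to the first 16 bytes of the rejected record (`00 00 0a 4c 00 00 00 01 00 00 5c 1e 00 00 01 fc`), `parse_ift_header` returns vendor 0x0a4c, type 1, length 23582, so that record is not framed like the vendor 0x5597, type 5/6 authentication records that decode cleanly.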