Ivanti Server 22.5R1 no longer works properly with protocol=nc
Hi,
We are currently in the process of migrating from our current Pulse Secure Appliance (v9.1R18.1) to a new Ivanti Secure Appliance (v22.5R1).
The following use case works without any problems after the migration to the new appliance:
Username + Password with --protocol=pulse and with --protocol=nc --no-dtls
However, the following use case fails:
$ sudo openconnect --script=/etc/vpnc/vpnc-script \
--certificate=/xxx/xxx/802.1x/$(hostname -s).pem \
--sslkey=/xxx/xxx/802.1x/$(hostname -s).key \
--protocol=nc \
--no-dtls \
-vvv \
--dump-http-traffic \
--authgroup REALM_xxx_xxx_xxx_xxx \
--form-entry=frmLogin:username="" \
--form-entry=frmLogin:password="" "https://vpn-gateway/xxx"
Left Pulse Secure Appliance and right Ivanti Secure Appliance:
What could be the reason? Is --protocol=nc now too old?
Unfortunately, --protocol=pulse is generally not functional with client certificates. This was already the case on our Pulse Secure Appliance and is unfortunately also the case on the new Ivanti Secure Appliance. We therefore use --protocol=nc --no-dtls for this purpose, which is currently no longer possible.
dominik@host1:~$ sudo openconnect --script=/etc/vpnc/vpnc-script \
--certificate=/xxx/xxx/802.1x/$(hostname -s).pem \
--sslkey=/xxx/xxx/802.1x/$(hostname -s).key \
--protocol=pulse \
--authgroup REALM_xxx_xxx_xxx_xxx "https://vpn-gateway/xxx"
Connected to xx.xxx.xxx.xx:443
Using client certificate 'HOST1'
SSL negotiation with vpn-gateway
Connected to HTTPS on vpn-gateway with ciphersuite (TLS1.2)-(RSA)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 101 Switching Protocols
Failed to complete authentication
dominik@host1:~$