Unable to connect to GlobalProtect VPN (through Okta) with ESP or HTTPS
I'm having trouble connecting to my company's VPN server with openconnect. I've tried the master branch, the 8.02 tag, and the 8.05 tag. Currently:
~/bin (master ✘)✹✭ ᐅ openconnect -v
No server specified
Usage: openconnect [options] <server>
Open client for multiple VPN protocols, version v8.05-dirty
I've tried multiple scripts to do the Okta dance, and they all seem to work. I'm not having any trouble there, but when openconnect is started with the following command line:
echo "<cookie>" | openconnect --protocol=gp --user="redacted" \
--usergroup=gateway:prelogin-cookie --csd-wrapper=/path/hipreport.sh \
--passwd-on-stdin --disable-ipv6 --background --pid-file=/var/run/gp-okta.pid \
"vpn-gateway.company.com"
About half the time I get a 512 response from login.esp, and the other half, I get the following:
Login through Okta
POST https://vpn-gateway.company.com/ssl-vpn/login.esp
GlobalProtect login returned authentication-source=us-vpn-auth
POST https://vpn-gateway.company.com/ssl-vpn/getconfig.esp
Session will expire after 10080 minutes.
Tunnel timeout (rekey interval) is 180 minutes.
Idle timeout is 15 minutes.
No MTU received. Calculated 1422 for ESP tunnel
POST https://vpn-gateway.company.com/ssl-vpn/hipreportcheck.esp
POST https://vpn-gateway.company.com/ssl-vpn/hipreport.esp
HIP report submitted successfully.
Connected as 10.229.202.132, using SSL, with ESP in progress
Continuing in background; pid 22189
Failed to connect ESP tunnel; using HTTPS instead.
Got inappropriate HTTP GET-tunnel response: HTTP/1.1 400 Bad Request
POST https://vpn-gateway.company.com/ssl-vpn/logout.esp
SSL negotiation with vpn-gateway.company.com
Connected to HTTPS on vpn-gateway.company.com
Logout successful
RTNETLINK answers: No such process
RTNETLINK answers: No such process
Unknown error; exiting.
I know the gateway is configured to use ESP, and I've confirmed that the official client on Windows is using ESP. I also know that on Linux I never receive any ESP packets back from the server. Three packets are sent on port 4501, but nothing is ever received. I did increase the timeout to 60 seconds just to make sure. No ESP packets were ever returned.
All that being said, this has worked and connected successfully exactly one time. I don't know what was different about that time, and it never worked again, even with the exact same configuration.
I'm at a loss at this point. I've tried so many things I couldn't begin to list them all here. Getting this VPN connection working is the last step to my being able to dump Windows completely. Please help!
Thanks in advance!
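A diagnostic wrapper for the situation described in this post, added here as an example; it is not part of the original post or of openconnect itself. It runs the same openconnect invocation as the post (foreground, bounded by a timeout instead of --background), captures UDP/4501 at the same time, and then reports two things separately: how far the tunnel got according to the log, and whether any ESP packets ever came back from the gateway. The log classifier only matches strings that appear in the post's output. Assumptions: tcpdump, coreutils timeout and getent are installed, the script runs as root, and the capture interface is "any"; the gateway name, user, cookie and HIP-report script are placeholders supplied by the caller. The sample log at the top is the post's own output, embedded as a constructed input so the classifier can be exercised without a gateway.

```shell
#!/bin/sh
# Added diagnostic wrapper for the ESP-vs-HTTPS failure described above.
# Not part of openconnect or the original post. Assumptions: tcpdump,
# coreutils 'timeout' and getent are installed, the script runs as root,
# and the capture interface is "any". Gateway, user, cookie and HIP script
# are caller-supplied placeholders.

ESP_PORT=4501            # UDP port the post saw ESP probes leave on
ESP_WAIT=60              # seconds to give the ESP handshake before giving up

# sample_log: the openconnect output quoted in the post, embedded here as a
# constructed test input so the classifier can be exercised offline.
sample_log() {
    cat <<'EOF'
Connected as 10.229.202.132, using SSL, with ESP in progress
Continuing in background; pid 22189
Failed to connect ESP tunnel; using HTTPS instead.
Got inappropriate HTTP GET-tunnel response: HTTP/1.1 400 Bad Request
POST https://vpn-gateway.company.com/ssl-vpn/logout.esp
Logout successful
EOF
}

# classify_gp_log FILE
# Prints one word describing how far the tunnel got, using only strings that
# openconnect emitted in the post:
#   tunnel-failed   ESP failed AND the HTTPS fallback GET was rejected (400)
#   https-fallback  ESP failed, HTTPS fallback tunnel accepted
#   esp-pending     SSL session up, ESP attempt started, no failure logged
#   unknown         none of the above (e.g. login never completed)
classify_gp_log() {
    if grep -q 'Got inappropriate HTTP GET-tunnel response' "$1"; then
        echo tunnel-failed
    elif grep -q 'Failed to connect ESP tunnel; using HTTPS instead' "$1"; then
        echo https-fallback
    elif grep -q 'with ESP in progress' "$1"; then
        echo esp-pending
    else
        echo unknown
    fi
}

# esp_counts PCAP GATEWAY_IP
# Prints "<sent> <received>" ESP packet counts on UDP/ESP_PORT from a capture;
# "3 0" is exactly the symptom in the post: probes leave, nothing comes back.
esp_counts() {
    sent=$(tcpdump -nr "$1" "udp and dst host $2 and dst port $ESP_PORT" 2>/dev/null | wc -l)
    recv=$(tcpdump -nr "$1" "udp and src host $2 and src port $ESP_PORT" 2>/dev/null | wc -l)
    echo "$sent $recv"
}

# run_diag GATEWAY USER HIP_SCRIPT   (prelogin cookie is read from stdin, as in the post)
run_diag() {
    gw=$1; user=$2; hip=$3
    pcap=$(mktemp); log=$(mktemp)
    tcpdump -i any -n -w "$pcap" "udp port $ESP_PORT" 2>/dev/null &
    tdpid=$!
    sleep 1
    # Same flags as the post, minus --background so the log stays with us;
    # timeout bounds the ESP wait instead of letting the session linger.
    timeout "$ESP_WAIT" openconnect -v --protocol=gp --user="$user" \
        --usergroup=gateway:prelogin-cookie --csd-wrapper="$hip" \
        --passwd-on-stdin --disable-ipv6 "$gw" >"$log" 2>&1
    kill "$tdpid" 2>/dev/null; wait "$tdpid" 2>/dev/null
    state=$(classify_gp_log "$log")
    gwip=$(getent ahostsv4 "$gw" | awk 'NR==1{print $1}')
    counts=$(esp_counts "$pcap" "$gwip")
    echo "tunnel state: $state; ESP packets sent/received on UDP/$ESP_PORT: $counts"
    case "$counts" in
        *" 0") echo "no ESP reply from $gw ($gwip): the UDP path is blocked or the gateway" \
                    "is not answering; retry with --no-dtls to force the HTTPS tunnel only" ;;
    esac
    rm -f "$pcap" "$log"
}

# Stand-alone run with no arguments: classify the constructed sample log.
if [ $# -eq 0 ]; then
    tmp=$(mktemp); sample_log >"$tmp"
    echo "sample log classified as: $(classify_gp_log "$tmp")"
    rm -f "$tmp"
else
    run_diag "$@"
fi
```

Usage against a real gateway is `echo "<cookie>" | sudo ./gp-esp-diag.sh vpn-gateway.company.com "$USER" /path/hipreport.sh`. The point of separating the two reports is that the post's log already says the ESP tunnel failed, but only the capture distinguishes "our probes never left the host" from "the gateway never answered", and the latter is what the post observed. If the capture shows zero replies, `--no-dtls` (which disables DTLS and ESP in openconnect) gives an HTTPS-only session to test against, without changing the login flow.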