Gilks / hostscan-bypass

Generate OpenConnect CSD files to bypass Cisco AnyConnect hostscan requirements

AnyConnect client doesn't want to connect to Hostscan Bypass script #14

Closed NTMan closed 4 years ago

NTMan commented 4 years ago

AnyConnect client doesn't want to connect to Hostscan Bypass script. Instead, I get an error message: AnyConnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy. Please try another network.

# /opt/cisco/anyconnect/bin/vpn
Cisco AnyConnect Secure Mobility Client (version 4.8.03052) .

Copyright (c) 2004 - 2020 Cisco Systems, Inc.  All Rights Reserved.

  >> state: Disconnected
  >> state: Disconnected
  >> notice: Ready to connect.
  >> registered with local VPN subsystem.
VPN> connect 192.168.1.68:2100
connect 192.168.1.68:2100
  >> contacting host (192.168.1.68:2100) for login information...
  >> notice: Contacting 192.168.1.68:2100.
  >> warning: Connection attempt has failed.
  >> error: AnyConnect cannot confirm it is connected to your secure gateway.  The local network may not be trustworthy.  Please try another network.
  >> state: Disconnected

VPN> version
version
Cisco AnyConnect Secure Mobility Client (version 4.8.03052) .

Copyright (c) 2004 - 2020 Cisco Systems, Inc.  All Rights Reserved.

VPN>

AnyConnectLocalPolicy.zip

$ sudo go run hostscan-bypass.go -l 192.168.1.68 -p 2100 -r vpn.tensor.ru:501 -s
[sudo] password for mikhail: 
[*] Listening for AnyConnect client connection..
[*] Accepted from: 192.168.1.67:51576
[*][0] Connected to server: 91.213.144.15:501
read tcp 192.168.1.68:53610->91.213.144.15:501: read: connection reset by peer
[*] Accepted from: 192.168.1.67:51800
[*][1] Connected to server: 91.213.144.15:501
read tcp 192.168.1.68:56554->91.213.144.15:501: read: connection reset by peer

Gilks commented 4 years ago

Untrusted connections are blocked by default. I've never used the AnyConnect client for Linux. I assume there's a section in one of the config files that allows untrusted connections. Check out the blog post. Is there a graphical version for Linux? If so, it may be the same steps as seen in the blog.

NTMan commented 4 years ago

You mean uncheck the option "Block connections to untrusted servers"? Yes, I already tried to connect without this option, but I get the same error message.

Screenshots

![Screenshot from 2020-07-28 04-40-22](https://user-images.githubusercontent.com/200750/88602929-3ff1d180-d08d-11ea-8d40-7209b8e0edbf.png) ![Screenshot from 2020-07-28 04-41-22](https://user-images.githubusercontent.com/200750/88602937-44b68580-d08d-11ea-9b74-346b800814cc.png)

I even tried to connect from AnyConnect mobile client but the client shows the same error message.

Screenshots

![Screenshot_20200728_043822_com cisco anyconnect vpn android avf](https://user-images.githubusercontent.com/200750/88603226-c9090880-d08d-11ea-9048-0638db8ffe9d.jpg) ![Screenshot_20200728_044817_com cisco anyconnect vpn android avf](https://user-images.githubusercontent.com/200750/88603424-53516c80-d08e-11ea-94e9-a52d4cec3d8f.jpg)

alexandru-2016 commented 4 years ago

I have the same error. Allowing untrusted connections in the settings did not help.

Gilks commented 4 years ago

This is an AnyConnect client problem. This is not a hostscan-bypass issue.

If troubleshooting the certificate error has yielded no results then I would recommend using Let's Encrypt and putting a legitimate certificate on a domain you own. That will remove the need to connect to an untrusted host.

alexandru-2016 commented 4 years ago

I'm not sure if the untrusted server is the problem; perhaps Cisco is now able to determine that there is a man-in-the-middle attack happening.

Gilks commented 4 years ago

I assure you it is because of an untrusted certificate. That's what this error is in reference to:

error: AnyConnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy. Please try another network.

Gilks commented 4 years ago

Any update on this issue?

NTMan commented 4 years ago

> I assure you it is because of an untrusted certificate.

And how do I use a trusted certificate? Without the hostscan bypass proxy script, the Android AnyConnect client connects without the described error.

Gilks commented 4 years ago

It makes sense that you can connect directly to the ASA with Android because the certificate is being verified properly. Users on OS X were describing a similar issue. It has to do with the fact that your system is not respecting the AnyConnect option to connect to untrusted sources.

The cert/key arguments can be seen with the -h command.

Usage of /tmp/go-build751505018/b001/exe/hostscan-bypass:
  -c string
        Use a config file (set TLS ect) - Commandline params overwrite config file
  -cert string
        Use a specific certificate file
  -client-cert string
        Read client certificate from file.
  -client-key string
        Read client key from file. If only client-cert is given, the key and cert will be read from the same file.
  -l string
        Local address to listen on
  -o string
        Output name for CSD hostscan bypass
  -p int
        Local Port to listen on
  -r string
        Remote Server address host:port
  -s    Create a TLS Proxy
exit status 2

So to specify a cert/key: sudo go run hostscan-bypass.go -l 0.0.0.0 -p 443 -r yourserver.com:443 -s -client-cert cert.pem -client-key key.pem