TommyLau / docker-ocserv

Docker OpenConnect VPN Server

Cannot log in, returns HTTP 401 #22

Open ly0 opened 6 years ago

ly0 commented 6 years ago

Got inappropriate HTTP CONNECT response: HTTP/1.1 401 Cookie is not acceptable Creating SSL connection failed

TommyLau commented 6 years ago

What kind of client are you using?

lacek commented 6 years ago

I got the same error on both clients:

TommyLau commented 6 years ago

Can you try the AnyConnect client instead of OpenConnect?

In the config file, it was set to compliant with Cisco AnyConnect.

lacek commented 6 years ago

I tried Windows AnyConnect Client 3.1.13015 and failed with different errors:


Update:

Changing the starting command to ocserv -c /etc/ocserv/ocserv.conf -f -d1, I got the debug log from docker container:

ocserv[1]: main[test]: 172.17.0.1:37895 new user session
ocserv[1]: main: tun.c:552: Can't open /dev/net/tun: No such device
ocserv[1]: main[test]: 172.17.0.1:37895 failed authentication attempt for user 'test'
ocserv[71]: worker: 172.17.0.1 failed cookie authentication attempt
ocserv[22]: sec-mod: temporarily closing session for test (session: JlG+Lh)
ocserv[1]: main[test]: 172.17.0.1:37895 user disconnected (reason: unspecified, rx: 0, tx: 0)
ocserv[72]: worker:  could not disable system calls, kernel might not support seccomp
ocserv[1]: main: 172.17.0.1:37896 user disconnected (reason: unspecified, rx: 0, tx: 0)

This is probably a problem with my kernel.


Update 2:

My suspicion above should be valid. I changed to using the docker daemon on a Mac, and it launched successfully with the same docker run command.

@ly0 You should try launching your container with the debug flag and check the log messages to see if there's any hint, e.g.:

docker run --name ocserv --privileged -p 443:443 -p 443:443/udp -d tommylau/ocserv ocserv -c /etc/ocserv/ocserv.conf -f -d1
# try connecting to trigger the error
docker logs ocserv

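The debugging procedure above (start the container with `-d1`, attempt a connection, read `docker logs`) produces a log like the one pasted in this comment. The following shell script is an added example, not code from the docker-ocserv project or from anyone in this thread: it wraps that procedure and triages the resulting log for the three messages that appear in the thread (the missing `/dev/net/tun`, the rejected cookie behind the HTTP 401, and the seccomp notice). It assumes a Linux Docker host, the `docker` CLI on `PATH`, and the exact `docker run` command from the comment above; the `/tmp/ocserv.log` path and the function names are the example's own choices.

```shell
#!/bin/sh
# Added example: triage an ocserv debug log captured with "docker logs".
# Assumes the container was started with "-d1" as shown in the thread.

# Host-side precondition check (assumption: Linux host). ocserv needs the
# tun device; the error "Can't open /dev/net/tun" in the thread means the
# host kernel did not provide it to the container.
check_tun_device() {
    [ -c /dev/net/tun ]
}

# Print a one-line diagnosis per known problem found in the log file $1.
# Returns 0 when no blocking problem is found, 1 otherwise.
triage_ocserv_log() {
    log="$1"
    status=0
    if grep -q "Can't open /dev/net/tun" "$log"; then
        echo "TUN: host kernel has no /dev/net/tun; load the tun module on the host" \
             "and start the container with --privileged (as in the thread) or --device /dev/net/tun"
        status=1
    fi
    if grep -q "failed cookie authentication attempt" "$log"; then
        echo "COOKIE: server rejected the client's session cookie (the HTTP 401" \
             "'Cookie is not acceptable' seen by the client); in this thread's log it followed the TUN error"
        status=1
    fi
    if grep -q "kernel might not support seccomp" "$log"; then
        echo "SECCOMP: informational only; the worker runs without its syscall filter"
    fi
    return $status
}

# Start the container in debug mode with the command from the thread, wait for
# the user to attempt a connection, then triage the captured log.
# Interactive; not exercised by automated tests.
debug_run() {
    if ! check_tun_device; then
        echo "warning: /dev/net/tun is missing on this host; expect the TUN error" >&2
    fi
    docker run --name ocserv --privileged -p 443:443 -p 443:443/udp -d tommylau/ocserv \
        ocserv -c /etc/ocserv/ocserv.conf -f -d1
    echo "Attempt a client connection now, then press Enter"
    read _
    # ocserv writes to stderr, so capture both streams into the log file.
    docker logs ocserv > /tmp/ocserv.log 2>&1
    triage_ocserv_log /tmp/ocserv.log
}
```

Run `debug_run` on the host; the triage output tells you whether the 401 is a symptom of the host missing the tun device (as it was for lacek) rather than a credential problem.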
TommyLau commented 6 years ago

tun is needed, as far as I know, to use ocserv; I'm using Ubuntu as the host.

And, as far as I know, AnyConnect can only connect to port 443 (SSL) and not to any other port.

@lacek Can AnyConnect client on Mac connect to the server other than port 443 now?

Un1Gfn commented 4 years ago

@ly0 Do you have other devices connected to the server at the same time? Disconnect them and try again. There might be problems with multiple clients.

swanduron commented 2 years ago

Hello Tommy, I also ran into this issue. My VPN client is Cisco AnyConnect 4.9, and I list the operation steps below:

  1. docker run
  2. connect to the server, for example using group [All projects]
  3. if I use the correct username/password, the server rejects the connection request with "Connection attempt has failed"
  4. following point 3, if I use the wrong username/password, the server tells me the username or password is incorrect
  5. switching the group to [Exclude CN], the correct username/password works fine
  6. switching back to [Proxy All], the connection also works smoothly

From my view, ocserv can identify the user information from the ocpasswd file. Due to the few log messages in docker, I can't find more information about this case. Do you have any idea?

TommyLau commented 2 years ago

@swanduron You can mount the config file to your host, so that you can modify the config file to output more useful information.

And you could also remove group settings as a test.

Personally, I prefer using the "Certificate" method over the username/password method.