yuezk / GlobalProtect-openconnect

A GlobalProtect VPN client for Linux, written in Rust, based on OpenConnect and Tauri, supports SSO with MFA, Yubikey, and client certificate authentication, etc.
GNU General Public License v3.0
1.38k stars, 155 forks

Goes back to "Not Connected" after Kerberos login #249

Open archisman-panigrahi opened 1 year ago

archisman-panigrahi commented 1 year ago

I am trying to connect to the MIT VPN. After logging in with the account details and authenticating with Duo, GlobalProtect shows "Not Connected".

2023-08-04 19:39:09.425 INFO  [3396] [GPClient::onVPNLogAvailable@518] Got extra OpenConnect args for server: us-east-g-mit-1015.gpoyosn52nnn.gw.gpcloudservice.com, <empty>
2023-08-04 19:39:09.425 INFO  [3396] [GPClient::onVPNLogAvailable@518] Start process with arugments: --protocol=gp, -u, , --cookie-on-stdin, us-east-g-mit-1015.gpoyosn52nnn.gw.gpcloudservice.com
2023-08-04 19:39:09.426 INFO  [3396] [GPClient::onVPNLogAvailable@518] Openconnect started successfully, PID=3503
2023-08-04 19:39:09.449 INFO  [3396] [GPClient::onVPNLogAvailable@518] POST https://us-east-g-mit-1015.gpoyosn52nnn.gw.gpcloudservice.com/ssl-vpn/getconfig.esp

2023-08-04 19:39:09.542 INFO  [3396] [GPClient::onVPNLogAvailable@518] Connected to 208.127.79.164:443

2023-08-04 19:39:09.625 INFO  [3396] [GPClient::onVPNLogAvailable@518] SSL negotiation with us-east-g-mit-1015.gpoyosn52nnn.gw.gpcloudservice.com

2023-08-04 19:39:10.111 INFO  [3396] [GPClient::onVPNLogAvailable@518] Connected to HTTPS on us-east-g-mit-1015.gpoyosn52nnn.gw.gpcloudservice.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)

2023-08-04 19:39:10.600 INFO  [3396] [GPClient::onVPNLogAvailable@518] Invalid authentication cookie
Creating SSL connection failed
Cookie was rejected by server; exiting.

2023-08-04 19:39:10.601 INFO  [3396] [GPClient::onVPNLogAvailable@518] Openconnect process exited with code 2 and exit status NormalExit
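As an added triage example (not part of this issue or the project's code), the script below parses the GPClient log excerpt above and pulls out the three facts a maintainer would want first: which gateway OpenConnect was pointed at, the argument list it was started with (the log shows an empty token after `-u`, and the cookie being passed over stdin rather than on the command line), and whether the run ended with the gateway rejecting the authentication cookie. The `LINE_RE` pattern, the `VpnAttempt` class and the `parse_gpclient_log` function are my own assumptions about the log layout shown in this thread; the sample log is copied from the report above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: the lines from the issue report above (continuation lines from
# OpenConnect included), kept verbatim so the parser is exercised on real output.
SAMPLE_LOG = """\
2023-08-04 19:39:09.425 INFO  [3396] [GPClient::onVPNLogAvailable@518] Got extra OpenConnect args for server: us-east-g-mit-1015.gpoyosn52nnn.gw.gpcloudservice.com, <empty>
2023-08-04 19:39:09.425 INFO  [3396] [GPClient::onVPNLogAvailable@518] Start process with arugments: --protocol=gp, -u, , --cookie-on-stdin, us-east-g-mit-1015.gpoyosn52nnn.gw.gpcloudservice.com
2023-08-04 19:39:09.426 INFO  [3396] [GPClient::onVPNLogAvailable@518] Openconnect started successfully, PID=3503
2023-08-04 19:39:09.449 INFO  [3396] [GPClient::onVPNLogAvailable@518] POST https://us-east-g-mit-1015.gpoyosn52nnn.gw.gpcloudservice.com/ssl-vpn/getconfig.esp

2023-08-04 19:39:10.111 INFO  [3396] [GPClient::onVPNLogAvailable@518] Connected to HTTPS on us-east-g-mit-1015.gpoyosn52nnn.gw.gpcloudservice.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)

2023-08-04 19:39:10.600 INFO  [3396] [GPClient::onVPNLogAvailable@518] Invalid authentication cookie
Creating SSL connection failed
Cookie was rejected by server; exiting.

2023-08-04 19:39:10.601 INFO  [3396] [GPClient::onVPNLogAvailable@518] Openconnect process exited with code 2 and exit status NormalExit
"""

# Assumed layout of a GPClient log line: timestamp, level, [pid], [source], message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) +(?P<level>[A-Z]+) +"
    r"\[(?P<pid>\d+)\] +\[(?P<src>[^\]]+)\] (?P<msg>.*)$"
)
ARGS_PREFIX = "Start process with arugments: "  # spelling as it appears in the log
SERVER_PREFIX = "Got extra OpenConnect args for server: "


@dataclass
class VpnAttempt:
    """Facts recovered from one connection attempt (hypothetical structure)."""
    server: Optional[str] = None
    args: List[str] = field(default_factory=list)
    exit_code: Optional[int] = None
    messages: List[str] = field(default_factory=list)

    @property
    def username_empty(self) -> bool:
        # "-u" followed by an empty token means OpenConnect got no username.
        return any(a == "-u" and self.args[i + 1] == ""
                   for i, a in enumerate(self.args[:-1]))

    @property
    def cookie_on_stdin(self) -> bool:
        # The cookie never appears on the command line, so it is not visible in `ps`.
        return "--cookie-on-stdin" in self.args

    @property
    def cookie_rejected(self) -> bool:
        return any("Cookie was rejected by server" in m for m in self.messages)

    def diagnosis(self) -> str:
        if self.cookie_rejected:
            return "auth-cookie-rejected"
        if self.exit_code not in (None, 0):
            return "openconnect-exit-%d" % self.exit_code
        return "ok"


def parse_gpclient_log(text: str) -> VpnAttempt:
    """Parse a GPClient log excerpt into a VpnAttempt."""
    attempt = VpnAttempt()
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            # Unprefixed, non-empty lines are OpenConnect's own multi-line output;
            # attach them to the preceding message so multi-line errors stay together.
            if raw.strip() and attempt.messages:
                attempt.messages[-1] += "\n" + raw.strip()
            continue
        msg = m.group("msg")
        attempt.messages.append(msg)
        if msg.startswith(SERVER_PREFIX):
            attempt.server = msg[len(SERVER_PREFIX):].split(",", 1)[0].strip()
        elif msg.startswith(ARGS_PREFIX):
            attempt.args = [a.strip() for a in msg[len(ARGS_PREFIX):].split(",")]
        else:
            em = re.search(r"exited with code (\d+)", msg)
            if em:
                attempt.exit_code = int(em.group(1))
    return attempt


if __name__ == "__main__":
    result = parse_gpclient_log(SAMPLE_LOG)
    print("gateway:", result.server)
    print("args:", result.args)
    print("username empty:", result.username_empty)
    print("cookie via stdin:", result.cookie_on_stdin)
    print("diagnosis:", result.diagnosis())
```

Run it on a saved GPClient log to get a one-word classification instead of reading the whole excerpt; a result of `auth-cookie-rejected` with a non-empty `server` tells you the portal login succeeded but the gateway would not accept the cookie, which is exactly the situation this thread describes and is distinct from a TLS or DNS failure earlier in the sequence.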
archisman-panigrahi commented 1 year ago

This issue is not always reproducible. Sometimes it does connect successfully.

yuezk commented 1 year ago

It could be addressed in the new client on the refactor branch. You could give it a try if you're interested, or wait for the release of the new client.

archisman-panigrahi commented 1 year ago

I tried the refactor branch. There, after the Kerberos login, it says "Failed to login, please try again", with the following terminal output.

[2023-08-30][02:12:52][INFO][app::auth] Loaded URI: https://redacted/idp/Authn/UsernamePassword
[2023-08-30][02:12:54][INFO][app::auth] Showing window after timeout (15 seconds)
[2023-08-30][02:13:04][INFO][app::auth] Loaded URI: https://redacted/idp/profile/SAML2/Redirect/SSO?execution=__redacted__&_eventId_proceed=__redacted__
[2023-08-30][02:13:04][INFO][app::auth] Loaded URI: https://redacted/SAML20/SP/ACS
[2023-08-30][02:13:04][INFO][app::auth] Got auth data successfully, closing window
Unhandled network process message 'NetworkStorageManager_DisconnectFromStorageArea'
Unhandled network process message 'NetworkStorageManager_DisconnectFromStorageArea'
Unhandled network process message 'NetworkStorageManager_DisconnectFromStorageArea'
[2023-08-30][02:13:05][WARN][app::storage] Error getting value: Deserialize("Value not found")
yuezk commented 1 year ago

@archisman-panigrahi Thanks for trying it. The `Error getting value: Deserialize("Value not found")` is not the root cause. You encountered a problem that happens randomly. I encountered it often, and I'm still struggling with it. Retrying could probably bring it back to normal.

By the way, could you please try this plugin https://github.com/dlenski/gp-saml-gui to see if it works for you? I would greatly appreciate your feedback. Thank you.

archisman-panigrahi commented 1 year ago

> By the way, could you please try this plugin https://github.com/dlenski/gp-saml-gui to see if it works for you? I would greatly appreciate your feedback. Thank you.

I will definitely get back with this.


Meanwhile, I figured out how to connect to the MIT VPN using the latest stable client (not the development version) in case us-east-g-mit-1015.gpoyosn52nnn.gw.gpcloudservice.com reverts to "Not Connected". Switching to another gateway works immediately.

Here are all the gateways (which I obtained from the GlobalProtect Android app):