yuezk / GlobalProtect-openconnect

A GlobalProtect VPN client for Linux, written in Rust, based on OpenConnect and Tauri, supports SSO with MFA, Yubikey, and client certificate authentication, etc.
GNU General Public License v3.0

GlobalProtect Version Compatibility Issue: Requires Version 6.1.4 or Higher #427

Open khaerunsituncu opened 2 months ago

khaerunsituncu commented 2 months ago

Describe the bug

I encountered an issue where my application requires a version higher than 6.1.

Expected behavior

I am receiving a warning message indicating that I need to ensure a compatible GlobalProtect version (6.1.4 or above).

Logs

```
[2024-09-19T01:01:06Z WARN openconnect::ffi] Please ensure the compatible GlobalProtect version is: 6.1.4 or above. If you are using a compatible GlobalProtect version and receiving this message, please contact your IT Administrator.
[2024-09-19T01:01:06Z WARN openconnect::ffi] openconnect_make_cstp_connection failed
```

Environment:

yuezk commented 2 months ago

Looks like the VPN server checked the client version. Currently, the client uses 6.0.1-19 to simulate the GP client. But you can customize the version by following:

khaerunsituncu commented 2 months ago

After I changed the client version I still got the same error. Is there still a way I can connect to GlobalProtect?

yuezk commented 2 months ago

Can I have the full logs after changing the client version, so I can ensure we didn't miss anything?

khaerunsituncu commented 2 months ago

```
sudo -E gpclient connect --user-agent 'PAN GlobalProtect/6.3.0-33' --browser default xxxxxxxxxxxxxxx  ✔
[sudo] password for khaerun:
[2024-09-19T04:32:00Z INFO gpclient::cli] gpclient started: 2.3.7 (2024-08-16)
[2024-09-19T04:32:00Z INFO gpapi::portal::prelogin] Portal prelogin with user_agent: PAN GlobalProtect/6.3.0-33
[2024-09-19T04:32:00Z INFO gpapi::portal::prelogin] Perform prelogin, user_agent: PAN GlobalProtect/6.3.0-33
[2024-09-19T04:32:02Z INFO gpauth::cli] gpauth started: 2.3.7 (2024-08-16)
[2024-09-19T04:32:02Z INFO gpapi::process::browser_authenticator] Launching the default browser...
[2024-09-19T04:32:02Z INFO gpauth::cli] Please continue the authentication process in the default browser
[2024-09-19T04:32:02Z INFO gpauth::cli] Listening authentication data on port 35793
[2024-09-19T04:32:02Z INFO gpauth::cli] If it hangs, please check the logs at /tmp/gpcallback.log for more information
[2024-09-19T04:33:07Z INFO gpauth::cli] Received the browser authentication data from the socket
[2024-09-19T04:33:07Z INFO gpapi::auth] Got CAS auth data from globalprotectcallback
[2024-09-19T04:33:07Z INFO gpauth::cli] Authentication completed
[2024-09-19T04:33:07Z INFO gpapi::portal::config] Retrieve the portal config, user_agent: PAN GlobalProtect/6.3.0-33
[2024-09-19T04:33:08Z INFO gpapi::gateway::parse_gateways] Try to parse the external gateways...
[2024-09-19T04:33:08Z INFO gpclient::connect] Connecting to the only available gateway: xxxxxxxxxxx (xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx)
[2024-09-19T04:33:08Z INFO gpapi::gateway::login] Perform gateway login, user_agent: PAN GlobalProtect/6.3.0-33
[2024-09-19T04:33:09Z INFO openconnect::ffi] openconnect version: v9.12
[2024-09-19T04:33:09Z INFO openconnect::ffi] User agent: PAN GlobalProtect/6.3.0-33
[2024-09-19T04:33:09Z INFO openconnect::ffi] VPNC script: /etc/vpnc/vpnc-script
[2024-09-19T04:33:09Z INFO openconnect::ffi] OS: linux
[2024-09-19T04:33:09Z INFO openconnect::ffi] CSD_USER: 1000
[2024-09-19T04:33:09Z INFO openconnect::ffi] CSD_WRAPPER: (null)
[2024-09-19T04:33:09Z INFO openconnect::ffi] RECONNECT_TIMEOUT: 300
[2024-09-19T04:33:09Z INFO openconnect::ffi] MTU: 0
[2024-09-19T04:33:09Z INFO openconnect::ffi] DISABLE_IPV6: 0
[2024-09-19T04:33:09Z INFO openconnect::ffi] NO_DTLS: 0
[2024-09-19T04:33:09Z INFO openconnect::ffi] POST https://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[2024-09-19T04:33:10Z INFO openconnect::ffi] Connected to xxxxxxxxxxxxxxxxxxxxxxxxx
[2024-09-19T04:33:10Z INFO openconnect::ffi] SSL negotiation with xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[2024-09-19T04:33:10Z INFO openconnect::ffi] Connected to HTTPS on xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx with ciphersuite (TLS1.2)-(xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx)
[2024-09-19T04:33:11Z WARN openconnect::ffi] Please ensure the compatible GlobalProtect version is: 6.1.4 or above. If you are using a compatible GlobalProtect version and receiving this message, please contact your IT Administrator.
[2024-09-19T04:33:11Z WARN openconnect::ffi] openconnect_make_cstp_connection failed
```

yuezk commented 2 months ago

Thanks for the logs. The client version seems to be applied in all the places I can come up with. Did this client work before?
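A small triage script for logs like the ones above, added here as an example (it is not part of gpclient or this thread): it pulls every GlobalProtect version the client advertised, the minimum the gateway's warning demands, checks that the advertised version is consistent and already satisfies that minimum, and flags the CSTP failure. The sample log is constructed from the redacted entries quoted in this issue.

```python
import re

# Constructed sample in the shape of the gpclient/openconnect entries quoted above.
SAMPLE_LOG = """\
[2024-09-19T04:32:00Z INFO gpclient::cli] gpclient started: 2.3.7 (2024-08-16)
[2024-09-19T04:32:00Z INFO gpapi::portal::prelogin] Portal prelogin with user_agent: PAN GlobalProtect/6.3.0-33
[2024-09-19T04:33:08Z INFO gpapi::gateway::login] Perform gateway login, user_agent: PAN GlobalProtect/6.3.0-33
[2024-09-19T04:33:09Z INFO openconnect::ffi] User agent: PAN GlobalProtect/6.3.0-33
[2024-09-19T04:33:11Z WARN openconnect::ffi] Please ensure the compatible GlobalProtect version is: 6.1.4 or above. If you are using a compatible GlobalProtect version and receiving this message, please contact your IT Administrator.
[2024-09-19T04:33:11Z WARN openconnect::ffi] openconnect_make_cstp_connection failed
"""

# Both spellings appear in the logs: "user_agent:" (gpapi) and "User agent:" (openconnect ffi).
UA_RE = re.compile(r"(?:user_agent|User agent): PAN GlobalProtect/(\S+)")
MIN_RE = re.compile(r"compatible GlobalProtect version is: (\d+(?:\.\d+)*)")


def parse_version(text: str) -> tuple:
    """'6.3.0-33' -> (6, 3, 0, 33): the '-NN' build suffix becomes a fourth component,
    so tuple comparison orders builds of the same release correctly."""
    return tuple(int(p) for p in re.split(r"[.-]", text) if p.isdigit())


def triage(log: str) -> dict:
    """Summarise what a gpclient log says about the server's client-version check."""
    advertised = set(UA_RE.findall(log))
    match = MIN_RE.search(log)
    minimum = match.group(1) if match else None
    meets = None
    if minimum and advertised:
        meets = all(parse_version(v) >= parse_version(minimum) for v in advertised)
    return {
        "advertised_versions": sorted(advertised),
        "consistent": len(advertised) == 1,   # same version at prelogin, gateway login and openconnect
        "server_minimum": minimum,
        "version_meets_minimum": meets,
        "cstp_failed": "openconnect_make_cstp_connection failed" in log,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

When the result shows a single, consistent version that already meets the stated minimum and the CSTP connection still fails, the version string itself is not the cause and the check is happening on something else server-side.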

khaerunsituncu commented 2 months ago

On Windows it can connect, but on Manjaro this is the first time I've tried it.

yuezk commented 2 months ago

It is the first time I have encountered the "Please ensure the compatible GlobalProtect version is: 6.1.4 or above" error.

Can you run it with `sudo gpclient connect <portal> --user-agent 'PAN GlobalProtect/6.3.0-33' --os Windows`? This may not work, but we can give it a try.

khaerunsituncu commented 2 months ago

```
sudo gpclient connect *** --user-agent 'PAN GlobalProtect/6.3.0-33' --os Windows
[sudo] password for khaerun:
[2024-09-19T14:39:16Z INFO gpclient::cli] gpclient started: 2.3.7 (2024-08-16)
[2024-09-19T14:39:16Z INFO gpapi::portal::prelogin] Portal prelogin with user_agent: PAN GlobalProtect/6.3.0-33
[2024-09-19T14:39:16Z INFO gpapi::portal::prelogin] Perform prelogin, user_agent: PAN GlobalProtect/6.3.0-33
[2024-09-19T14:39:17Z INFO gpauth::cli] gpauth started: 2.3.7 (2024-08-16)
[2024-09-19T14:39:17Z INFO gpauth::auth_window] Open auth window, user_agent: PAN GlobalProtect/6.3.0-33

(gpauth:78330): WARNING : 22:39:17.525: webkit_settings_set_enable_offline_web_application_cache is deprecated and does nothing.
[2024-09-19T14:39:17Z INFO gpauth::auth_window] Auth window user agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15
[2024-09-19T14:39:17Z INFO gpauth::auth_window] Load the SAML request as HTML...
[2024-09-19T14:39:17Z INFO gpauth::auth_window] Loaded uri: about:blank
[2024-09-19T14:39:17Z INFO gpauth::auth_window] Trying to read auth data from response headers...
[2024-09-19T14:39:17Z INFO gpauth::auth_window] No headers found in response
[2024-09-19T14:39:17Z INFO gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-09-19T14:39:17Z INFO gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-09-19T14:39:17Z INFO gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-09-19T14:39:17Z INFO gpauth::auth_window] Raise window in 1 second(s)
[2024-09-19T14:39:17Z INFO gpauth::auth_window] Raise window cancelled
[2024-09-19T14:39:19Z INFO gpauth::auth_window] Loaded uri: https://l**********m/fc743075-93ed-4a5c-82c0-ca5eac914220/saml2?SAMLRequest=l**********%3D&RelayState=**7&SigAlg=h**6&Signature=b**%3D
[2024-09-19T14:39:19Z INFO gpauth::auth_window] Trying to read auth data from response headers...
[2024-09-19T14:39:19Z INFO gpauth::auth_window] No saml-auth-status header found
[2024-09-19T14:39:19Z INFO gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-09-19T14:39:19Z INFO gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-09-19T14:39:19Z INFO gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-09-19T14:39:19Z INFO gpauth::auth_window] Raise window in 1 second(s)
[2024-09-19T14:39:21Z INFO gpapi::utils::window] Window not raised: Failed to raise window: GlobalProtect Login
[2024-09-19T14:39:38Z INFO gpauth::auth_window] Loaded uri: https://i**********d/isam/sps/auth
[2024-09-19T14:39:38Z INFO gpauth::auth_window] Trying to read auth data from response headers...
[2024-09-19T14:39:38Z INFO gpauth::auth_window] No saml-auth-status header found
[2024-09-19T14:39:38Z INFO gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-09-19T14:39:38Z INFO gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-09-19T14:39:38Z INFO gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-09-19T14:39:48Z INFO gpauth::auth_window] Loaded uri: https://i**********d/mga/sps/authsvc?PolicyId=u**********1&Target=h**********h
[2024-09-19T14:39:48Z INFO gpauth::auth_window] Trying to read auth data from response headers...
[2024-09-19T14:39:48Z INFO gpauth::auth_window] No saml-auth-status header found
[2024-09-19T14:39:48Z INFO gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-09-19T14:39:48Z INFO gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-09-19T14:39:48Z INFO gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-09-19T14:39:52Z INFO gpauth::auth_window] Loaded uri: https://i**********d/mga/sps/authsvc?StateId=x**********Y&operation=v**********y
[2024-09-19T14:39:52Z INFO gpauth::auth_window] Trying to read auth data from response headers...
[2024-09-19T14:39:52Z INFO gpauth::auth_window] No saml-auth-status header found
[2024-09-19T14:39:52Z INFO gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-09-19T14:39:52Z INFO gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-09-19T14:39:52Z INFO gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-09-19T14:39:58Z INFO gpauth::auth_window] Loaded uri: https://i**********d/isam/sps/auth
[2024-09-19T14:39:58Z INFO gpauth::auth_window] Trying to read auth data from response headers...
[2024-09-19T14:39:58Z INFO gpauth::auth_window] No saml-auth-status header found
[2024-09-19T14:39:58Z INFO gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-09-19T14:39:58Z INFO gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-09-19T14:39:58Z INFO gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-09-19T14:40:00Z INFO gpauth::auth_window] Loaded uri: https://l**********m/login.srf
[2024-09-19T14:40:00Z INFO gpauth::auth_window] Trying to read auth data from response headers...
[2024-09-19T14:40:00Z INFO gpauth::auth_window] No saml-auth-status header found
[2024-09-19T14:40:00Z INFO gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-09-19T14:40:00Z INFO gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-09-19T14:40:00Z INFO gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-09-19T14:40:03Z INFO gpauth::auth_window] Loaded uri: https://l**********m/kmsi
[2024-09-19T14:40:03Z INFO gpauth::auth_window] Trying to read auth data from response headers...
[2024-09-19T14:40:03Z INFO gpauth::auth_window] No saml-auth-status header found
[2024-09-19T14:40:03Z INFO gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-09-19T14:40:03Z INFO gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-09-19T14:40:03Z INFO gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-09-19T14:40:03Z INFO gpauth::auth_window] Loaded uri: https://c**********m/sp/acs
[2024-09-19T14:40:03Z INFO gpauth::auth_window] Trying to read auth data from response headers...
[2024-09-19T14:40:03Z INFO gpauth::auth_window] No saml-auth-status header found
[2024-09-19T14:40:03Z INFO gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-09-19T14:40:03Z INFO gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-09-19T14:40:03Z INFO gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-09-19T14:40:04Z WARN gpauth::auth_window] Failed to load uri: https://s**********d/SAML20/SP/ACS with error: Load request cancelled
[2024-09-19T14:40:04Z INFO gpauth::auth_window] Loaded uri: https://s**********d/SAML20/SP/ACS
[2024-09-19T14:40:04Z INFO gpauth::auth_window] Trying to read auth data from response headers...
[2024-09-19T14:40:04Z INFO gpauth::auth_window] No saml-auth-status header found
[2024-09-19T14:40:04Z INFO gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-09-19T14:40:04Z INFO gpauth::auth_window] Found gpcallback from html...
[2024-09-19T14:40:04Z INFO gpapi::auth] Got CAS auth data from globalprotectcallback
[2024-09-19T14:40:04Z INFO gpauth::auth_window] Loaded uri: globalprotectcallback:cas-as=1&un**w
[2024-09-19T14:40:04Z INFO gpapi::portal::config] Retrieve the portal config, user_agent: PAN GlobalProtect/6.3.0-33
[2024-09-19T14:40:05Z INFO gpapi::gateway::parse_gateways] Try to parse the external gateways...
[2024-09-19T14:40:05Z INFO gpclient::connect] Connecting to the only available gateway: ***
[2024-09-19T14:40:05Z INFO gpapi::gateway::login] Perform gateway login, user_agent: PAN GlobalProtect/6.3.0-33
[2024-09-19T14:40:05Z INFO openconnect::ffi] openconnect version: v9.12
[2024-09-19T14:40:05Z INFO openconnect::ffi] User agent: PAN GlobalProtect/6.3.0-33
[2024-09-19T14:40:05Z INFO openconnect::ffi] VPNC script: /etc/vpnc/vpnc-script
[2024-09-19T14:40:05Z INFO openconnect::ffi] OS: win
[2024-09-19T14:40:05Z INFO openconnect::ffi] CSD_USER: 1000
[2024-09-19T14:40:05Z INFO openconnect::ffi] CSD_WRAPPER: (null)
[2024-09-19T14:40:05Z INFO openconnect::ffi] RECONNECT_TIMEOUT: 300
[2024-09-19T14:40:05Z INFO openconnect::ffi] MTU: 0
[2024-09-19T14:40:05Z INFO openconnect::ffi] DISABLE_IPV6: 0
[2024-09-19T14:40:05Z INFO openconnect::ffi] NO_DTLS: 0
[2024-09-19T14:40:05Z INFO openconnect::ffi] POST ****
[2024-09-19T14:40:05Z INFO openconnect::ffi] Connected to *
[2024-09-19T14:40:05Z INFO openconnect::ffi] SSL negotiation with **
[2024-09-19T14:40:05Z INFO openconnect::ffi] Connected to HTTPS on ** with ciphersuite (TLS1.2)-(****
[2024-09-19T14:40:05Z WARN openconnect::ffi] Please ensure the compatible GlobalProtect version is: 6.1.4 or above. If you are using a compatible GlobalProtect version and receiving this message, please contact your IT Administrator.
[2024-09-19T14:40:05Z WARN openconnect::ffi] openconnect_make_cstp_connection failed
```

yuezk commented 2 months ago

@khaerunsituncu I'm afraid I cannot provide enough help for this problem based on the error message. Since the official Windows client works, it is possible to make this client work as well. However, I need to inspect the network trace sent by the Windows client, but this is not feasible due to security concerns.

So, you may need to contact your IT admin to see if they have some configuration to limit the GlobalProtect client version.

khaerunsituncu commented 2 months ago

How do I install a ca.pem certificate?

yuezk commented 2 months ago

You can pass it via the `--certificate <path to ca>` parameter.

khaerunsituncu commented 2 months ago

Hi, I managed to connect to the Ubuntu virtual box. Is there a possibility that OpenConnect doesn't support GlobalProtect version 6.2 yet and needs to be updated?

Or OpenConnect can't simulate the GP version.

I'm too lazy to change the Manjaro distro to Ubuntu

yuezk commented 2 months ago

Perhaps. The GlobalProtect VPN server is a black box to us; it may not work if the server side has some modifications or configurations. Currently, my VPN portal does not have the problem. It's hard to troubleshoot without analyzing the network traffic of the official client.