Configure Linux OpenConnect towards Clavister NetWall

Last modified on 5 Mar, 2021. Revision 15
This is a quick start guide on how to configure the open source OpenConnect client towards a Clavister NetWall.
Up to date for
cOS Core 13.00.09
 
Supported since
cOS Core 13.00.09
Status OK
Author
Mattias Nordlund


What is OpenConnect?

OpenConnect is both a protocol and open source project for creating SSL VPN clients that are compatible with multiple types of remote SSL VPN servers. Such clients are compatible with the Clavister OneConnect Interface feature in Clavister cOS Core. More details about the protocol can be found at http://www.infradead.org/openconnect/. This guide covers how to connect using the CLI client included in the OpenConnect project.

Installing the OpenConnect client

Install OpenConnect according to whether Linux or Unix is being used. Pre-compiled binaries are available for Debian, Ubuntu, Fedora. For other operating systems like NetBSD, FreeBSD and Solaris, it can be compiled from the source code or using NetBSD pkgsrc.

Connecting using the OpenConnect client

Connect to Clavister NetWall by typing openconnect https://hostname in a shell.

Note: The hostname entered must be the same as either the Common Name (CN) or one of the Subject Alternative Name (SAN) of the certificate used by the OneConnect interface in cOS Core.

Connection Example

root@linux:~# openconnect https://myvpn.mydomain.tld
POST https://myvpn.mydomain.tld
Connected to 192.0.2.10:443
SSL negotiation with myvpn.mydomain.tld
Server certificate verify failed: signer not found

Certificate from VPN server "myvpn.mydomain.tld" failed verification.
Reason: signer not found
To trust this server in future, perhaps add this to your command line:
    --servercert pin-sha256:PUNgII37RWw2NGMqumSkqDAfQBPPKaIUuVJYT8FneeY=
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on myvpn.mydomain.tld
XML POST enabled
Please enter your username
Username:user
POST https://myvpn.mydomain.tld/auth
Please enter your password
Password:
POST https://myvpn.mydomain.tld/auth
Got CONNECT response: HTTP/1.1 200 CONNECTED
CSTP connected. DPD 30, Keepalive 32400
Connected as 172.28.1.200, using SSL, with DTLS in progress
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS1.2)-(ECDHE-RSA)-(AES-128-GCM).



Related articles

Configuring L2TP/IPsec Server using PSK
11 Jan, 2023 ipsec core vpn
IKEv2 partial split tunneling with Windows and local user database (Simplified).
27 Jan, 2023 ikev2 windows vpn routing splittunneling
Configuring public certificates in NetWall firewalls
23 Aug, 2022 core certificate oneconnect ipsec vpn
Missing fonts when installing EasyAccess 4.0.2
30 Mar, 2021 linux easyaccess
Partial split tunneling when using Windows L2TP/IPsec
27 Jan, 2023 ipsec core windows vpn l2tp
Windows 10 IKEv2 only proposes Diffie-Hellman group 2, 1024 bit - how do I configure it to use group 14, 2048 bit?
16 Sep, 2020 vpn ipsec ikev2 windows howto dh
Roaming Windows IKEv2 setup with NetWall as CA server
2 Dec, 2022 netwall ikev2 windows certificate vpn core
Configure the OpenConnect-GUI client towards Clavister NetWall
23 Aug, 2022 sslvpn openconnect oneconnect macos windows linux core



Tagssslvpnopenconnectoneconnectlinuxcore