OpenConnect and Cisco Firepower AnyConnect

From OISecWiki

Since a recent update of Cisco Firepower (7.2.4.1), OpenConnect would no longer connect to an AnyConnect VPN.

The Firepower now advertises TLS 1.3, but connecting with it generates errors because the DTLS handshake no longer succeeds. According to a comment on the OpenConnect bug tracker, the cause might be the following:

"I suspect we need the RFC9266 thing. In the short term, probably best to limit ourselves to TLSv1.2 if STRAP is being used."

A quick workaround[1] is the following:

mv /usr/sbin/openconnect /usr/sbin/openconnect-bin

Create a new file /usr/sbin/openconnect with the following contents:

#!/bin/sh
# Pass every argument through to the real binary and pin GnuTLS to TLS 1.2
exec /usr/sbin/openconnect-bin "$@" --gnutls-priority="NORMAL:-VERS-ALL:+VERS-TLS1.2:+RSA:+AES-128-CBC:+SHA1"

Then make the wrapper executable:

chmod +x /usr/sbin/openconnect

Only the -VERS-ALL:+VERS-TLS1.2 part of the priority string pins the version; +RSA:+AES-128-CBC:+SHA1 additionally re-enables RSA key exchange, AES-128-CBC and SHA-1, which the version pin itself does not need.

Now it will work again. Keep in mind that the next upgrade of the openconnect package will put the packaged binary back at /usr/sbin/openconnect, silently replacing the wrapper and leaving the stale openconnect-bin behind, so the workaround has to be reapplied (or cleaned up) after updating.
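A variant of the wrapper, added here as an example and not taken from the wiki page or the OpenConnect project, that avoids renaming the packaged binary: it is installed as /usr/local/bin/openconnect (which precedes /usr/sbin in the default Debian/Ubuntu PATH and sudo secure_path), applies only the TLS 1.2 pin, and passes a caller-supplied --gnutls-priority through untouched instead of overriding it. It assumes the real binary is /usr/sbin/openconnect (REAL_OC, overridable) and that the gateway accepts the TLS 1.2 suites of the NORMAL priority; if it does not, add the legacy algorithms back as in the page's string. The function names has_priority_arg, effective_priority and run_wrapped are this example's own.

```shell
#!/bin/sh
# Added example wrapper (not from the wiki page or the OpenConnect project).
# Install as /usr/local/bin/openconnect and chmod +x it; the packaged binary
# at /usr/sbin/openconnect stays untouched, so package upgrades do not undo it.

# Assumption: the real binary lives here (override with REAL_OC=... in the env).
REAL_OC="${REAL_OC:-/usr/sbin/openconnect}"

# Only the version pin addresses the Firepower 7.2.4.1 handshake problem.
# Assumption: the gateway accepts NORMAL's TLS 1.2 suites without legacy extras.
PIN_PRIORITY="NORMAL:-VERS-ALL:+VERS-TLS1.2"

# has_priority_arg: succeeds (returns 0) if the caller already passed
# --gnutls-priority, either as "--gnutls-priority=X" or "--gnutls-priority X",
# so the wrapper must not override their choice.
has_priority_arg() {
    for arg in "$@"; do
        case "$arg" in
            --gnutls-priority|--gnutls-priority=*) return 0 ;;
        esac
    done
    return 1
}

# effective_priority: prints the priority string the wrapper will add for the
# given openconnect arguments, or an empty line if the caller chose their own.
effective_priority() {
    if has_priority_arg "$@"; then
        printf '%s\n' ""
    else
        printf '%s\n' "$PIN_PRIORITY"
    fi
}

# run_wrapped: exec the real binary, prepending the pin only when needed.
# The pin goes before "$@" so a later, caller-supplied option still wins.
run_wrapped() {
    if [ ! -x "$REAL_OC" ]; then
        echo "openconnect wrapper: $REAL_OC is not executable" >&2
        exit 127
    fi
    if has_priority_arg "$@"; then
        exec "$REAL_OC" "$@"
    fi
    exec "$REAL_OC" --gnutls-priority="$PIN_PRIORITY" "$@"
}

# Only act when invoked under the installed name; running or sourcing this
# file under any other name just defines the functions above.
case "${0##*/}" in
    openconnect) run_wrapped "$@" ;;
esac
```

After installing, `command -v openconnect` should print /usr/local/bin/openconnect; if it still prints /usr/sbin/openconnect, the shell's PATH (or sudo's secure_path) does not put /usr/local/bin first and the wrapper will not be picked up.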

This issue was fixed last week in the OpenConnect sources[2]; now we wait for an Ubuntu/Debian package.