OpenConnect and Cisco Firepower AnyConnect
From OISecWiki
Since a recent update of Cisco Firepower (7.2.4.1), OpenConnect no longer connects to an AnyConnect VPN.
The Firepower now advertises TLS 1.3 as a supported feature, but connecting with it produces errors because the DTLS handshake no longer agrees. According to a comment on the OpenConnect bug tracker, the cause may be the following (RFC 9266 is the channel-binding specification for TLS 1.3):
"I suspect we need the RFC9266 thing. In the short term, probably best to limit ourselves to TLSv1.2 if STRAP is being used."
A quick workaround[1] is the following:
mv /usr/sbin/openconnect /usr/sbin/openconnect-bin
Create a new file /usr/sbin/openconnect with these two lines (the shebang must be on its own line, otherwise the command is treated as part of the comment):
#!/bin/sh
exec /usr/sbin/openconnect-bin --gnutls-priority="NORMAL:-VERS-ALL:+VERS-TLS1.2:+RSA:+AES-128-CBC:+SHA1" "$@"
chmod +x /usr/sbin/openconnect
Now it will work again.
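A more robust version of that wrapper, added here as an example (it is not from the page's references nor from the OpenConnect project). It uses the same GnuTLS priority string as the workaround above, but passes the user's own --gnutls-priority through untouched if one is given, fails loudly when the real binary is missing, and only dispatches when it is actually installed under the name openconnect. The environment variables OPENCONNECT_REAL_BIN and OPENCONNECT_PRIORITY are my own names, not OpenConnect options. It assumes the real binary was moved aside with dpkg-divert rather than a plain mv, so the wrapper survives the next package upgrade:

```shell
#!/bin/sh
# Added example wrapper for /usr/sbin/openconnect (not OpenConnect's own code).
# Assumes the packaged binary was moved aside persistently with:
#   dpkg-divert --add --rename --divert /usr/sbin/openconnect-bin /usr/sbin/openconnect
# OPENCONNECT_REAL_BIN / OPENCONNECT_PRIORITY are names chosen for this example.

REAL_BIN="${OPENCONNECT_REAL_BIN:-/usr/sbin/openconnect-bin}"

# Priority string from the workaround on this page: GnuTLS "NORMAL" minus every
# TLS version except 1.2, plus explicitly re-enabled RSA key exchange,
# AES-128-CBC and SHA-1 HMAC (the "+RSA:+AES-128-CBC:+SHA1" part).
DEFAULT_PRIORITY="${OPENCONNECT_PRIORITY:-NORMAL:-VERS-ALL:+VERS-TLS1.2:+RSA:+AES-128-CBC:+SHA1}"

# has_priority_arg ARGS... : succeeds if the caller already passed
# --gnutls-priority (either "--gnutls-priority=X" or "--gnutls-priority X").
has_priority_arg() {
    for a in "$@"; do
        case "$a" in
            --gnutls-priority|--gnutls-priority=*) return 0 ;;
        esac
    done
    return 1
}

# priority_arg ARGS... : prints the extra option the wrapper will prepend,
# or an empty line if the caller's own --gnutls-priority should win.
priority_arg() {
    if has_priority_arg "$@"; then
        printf '%s\n' ""
    else
        printf '%s\n' "--gnutls-priority=$DEFAULT_PRIORITY"
    fi
}

main() {
    if [ ! -x "$REAL_BIN" ]; then
        printf 'openconnect wrapper: %s not found or not executable\n' "$REAL_BIN" >&2
        exit 127
    fi
    # exec replaces the wrapper with the real client, so signals and the
    # exit status reach the caller (NetworkManager, systemd, a terminal) directly.
    if has_priority_arg "$@"; then
        exec "$REAL_BIN" "$@"
    else
        exec "$REAL_BIN" --gnutls-priority="$DEFAULT_PRIORITY" "$@"
    fi
}

# Only dispatch when installed and invoked as the openconnect wrapper itself;
# sourcing or running the file under another name just defines the functions.
case "${0##*/}" in
    openconnect) main "$@" ;;
esac
```

Two practical notes: a plain mv is undone by the next package upgrade (the new binary overwrites the wrapper and the stale openconnect-bin is left behind), whereas dpkg-divert makes dpkg install future versions as openconnect-bin automatically. And the wrapper is only a convenience; the same --gnutls-priority option can be passed directly on the command line, in which case nothing under /usr/sbin needs to change.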
This issue was fixed last week in the OpenConnect sources[2]; now we wait for an Ubuntu/Debian package.