Is there a way to get the openconnect cookie from NetworkManager? e.g. using nmcli or something? or another way to get the cookie from the SSO authentication flow/nm-openconnect-auth-dialog?
I want to debug my problem connecting to my VPN. I’m using nm-openconnect-auth-dialog, it worked in the past and I think the SSO authentication flow still succeeds (I enter my MFA token etc. in WebView). I think the problem is the second phase: using the cookie to make the real VPN connection. Here’s the output of nmcli connection up SPAN/BC:
A password is required to connect to 'SPAN/BC'.
Warning: password for 'vpn.secrets.gateway' not given in 'passwd-file' and nmcli cannot ask without '--ask' option.
Error: Connection activation failed: Unknown reason
Hint: use 'journalctl -xe NM_CONNECTION=b85f35e3-6c6f-4688-9989-3f3e8660411b + NM_DEVICE=wlp3s0' to get more details.
… and here’s the output of journalctl --unit NetworkManager:
<info> [1764954215.7789] vpn[0x557d3a97a330,b85f35e3-6c6f-4688-9989-3f3e8660411b,"SPAN/BC"]: starting openconnect
<info> [1764954215.7796] audit: op="connection-activate" uuid="b85f35e3-6c6f-4688-9989-3f3e8660411b" name="SPAN/BC" pid=3917055 uid=1000 result="success"
<info> [1764954257.9765] manager: (vpn0): new Tun device (/org/freedesktop/NetworkManager/Devices/51)
Connected to 199.175.37.101:443
SSL negotiation with vangv601.net.gov.bc.ca
Server certificate verify failed: signer not found
Connected to HTTPS on vangv601.net.gov.bc.ca with ciphersuite (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
Got inappropriate HTTP CONNECT response: HTTP/1.1 401 Unauthorized
Creating SSL connection failed
Cookie was rejected by server; exiting.
<warn> [1764954258.1504] vpn[0x557d3a97a330,b85f35e3-6c6f-4688-9989-3f3e8660411b,"SPAN/BC"]: dbus: failure: login-failed (0)
<warn> [1764954258.1505] vpn[0x557d3a97a330,b85f35e3-6c6f-4688-9989-3f3e8660411b,"SPAN/BC"]: dbus: failure: connect-failed (1)
To isolate the problem I want to run openconnect by hand — here’s how NetworkManager composes the command: src/nm-openconnect-service.c · main · GNOME / NetworkManager-openconnect · GitLab
It calls nm_setting_vpn_get_secret (s_vpn, NM_OPENCONNECT_KEY_COOKIE) to get the openconnect cookie. I thought I might get that value with nmcli --fields vpn.secrets --show-secrets connection show SPAN/BC but it doesn’t contain cookie, only autoconnect, certificate:... and xmlconfig. (Does that mean the SSO authentication flow fails to get gateway, cookie, gwcert and resolve or I’m just not looking in the right place?)
I also tried nmcli --fields vpn.secrets.cookie --show-secrets connection show SPAN/BC:
Error: 'connection show': invalid field 'vpn.secrets.cookie'; allowed fields: vpn.service-type,vpn.user-name,vpn.data,vpn.secrets,vpn.persistent,vpn.timeout