Ubuntu (Intrepid) and Aventail SSL VPN Client

20.11.2008 21:56

posted by: Benjamin Smith


Since upgrading to Ubuntu 8.10 (Intrepid) I had been having trouble with my SSL VPN connectivity. Rather than sit down and figure it out, I chose to fire up a VirtualBox instance of 8.04 and use it to get work done. Finally, tonight, I hit the tipping point and decided to figure this out. The first thing I discovered was the SSL client's debug mode. You can enable it on the command line by running

# startct -d

That writes a log to /var/log/AvConnect.log with lots of debugging goodness. The first thing I noticed was a fun error that looked kinda like this:

XGSSL::Connect() DoHandShake Failed!!!

Obviously enough, this led me to believe that the problem was with the SSL handshake.

So, at this point I decided to inspect the guts of the Aventail client. It seemed simple enough: a few shell scripts (startct, stopct, uninstall), some Perl (cctel.pl), and then this mysterious binary, AvConnect. I decided to look deeper and found this:

# file /usr/local/Aventail/AvConnect 
/usr/local/Aventail/AvConnect: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped

Looks like it uses shared libs; let's see what it's linking against:

# ldd /usr/local/Aventail/AvConnect 
linux-gate.so.1 =>  (0xb8008000)
libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb7fd4000)
libssl.so.0.9.7 => /usr/lib/libssl.so.0.9.7 (0xb7e93000)
libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0xb7d3c000)
libm.so.6 => /lib/tls/i686/cmov/libm.so.6 (0xb7d16000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7bb8000)
/lib/ld-linux.so.2 (0xb8009000)
libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7bb4000)
libz.so.1 => /usr/lib/libz.so.1 (0xb7b9e000)

I did a bit more digging by running some tests with OpenSSL.

# openssl version
OpenSSL 0.9.8g 19 Oct 2007

# openssl s_client -CAfile /etc/ssl/certs/Entrust_Root_Certification_Authority.pem -connect <myvpnhost>:443 -showcerts

That seemed to work fine.

Puzzled, I compared the openssl package on my 8.04 VM to what I had installed; shockingly, they matched.

# openssl version
OpenSSL 0.9.8g 19 Oct 2007

Taking a shot in the dark, I decided to upgrade my local install of OpenSSL from source. It's a fairly run-of-the-mill install:

# wget http://openssl.org/source/openssl-0.9.8i.tar.gz

# tar zxvfm openssl-0.9.8i.tar.gz

To get the shared objects, you’ll want to run configure like so:

# cd openssl-0.9.8i
# ./config shared

Now, do the magic:

# make && make test

Install it in the default location, /usr/local/ssl:

# sudo make install

Then you'll want to update the links in /usr/lib to point at the new shared objects:

# sudo ln -s /usr/local/ssl/lib/libcrypto.so /usr/lib/libcrypto.so

# sudo ln -s /usr/local/ssl/lib/libssl.so /usr/lib/libssl.so

# sudo rm /usr/lib/libcrypto.so.0.9.7

# sudo ln -s /usr/lib/libcrypto.so /usr/lib/libcrypto.so.0.9.7

# sudo rm /usr/lib/libssl.so.0.9.7

# sudo ln -s /usr/lib/libssl.so /usr/lib/libssl.so.0.9.7

Then test it out by running startct; you should be able to connect as usual. I have yet to figure out why the SSL handshake fails with the packaged version of OpenSSL, so if anyone has any clue about that or has a smarter workaround, please let me know :)
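As an added example (not code from the post or from Aventail), here is the same symlink shuffle as a small POSIX shell script that renames the distro links instead of deleting them, checks that each 0.9.7 link really resolves to a file, and uses ldd to confirm that AvConnect picks the new libraries up. The ROOT and SSL_PREFIX parameters are assumptions; on a live system they would be / and /usr/local/ssl.

```shell
#!/bin/sh
# Added example, not code from the original post: the symlink shuffle as a
# function that keeps a way back, plus checks that the links resolve and that
# the loader really picks them up. ROOT is a staging root ("/" on a live
# system) and SSL_PREFIX is where "make install" put OpenSSL (/usr/local/ssl
# in the post); both are assumed parameters.

# resolve_lib ROOT NAME: print the file a library link finally points to, or
# fail if the chain dangles (readlink -f alone succeeds on a missing target).
resolve_lib() {
    target=$(readlink -f "$1/usr/lib/$2") || return 1
    [ -f "$target" ] || return 1
    printf '%s\n' "$target"
}

# relink_openssl ROOT SSL_PREFIX: make libssl.so.0.9.7 and libcrypto.so.0.9.7
# (the sonames AvConnect was linked against) resolve to the locally built
# libraries. Existing links are renamed to NAME.dist instead of removed.
relink_openssl() {
    root=$1; prefix=$2; lib="$root/usr/lib"
    for base in libcrypto libssl; do
        if [ ! -f "$prefix/lib/$base.so" ]; then
            echo "missing $prefix/lib/$base.so (build with './config shared')" >&2
            return 1
        fi
        for link in "$base.so" "$base.so.0.9.7"; do
            if [ -e "$lib/$link" ] || [ -L "$lib/$link" ]; then
                mv "$lib/$link" "$lib/$link.dist"
            fi
        done
        ln -s "$prefix/lib/$base.so" "$lib/$base.so"
        ln -s "$lib/$base.so" "$lib/$base.so.0.9.7"
        resolve_lib "$root" "$base.so.0.9.7" >/dev/null || {
            echo "$base.so.0.9.7 does not resolve to a file" >&2
            return 1
        }
    done
}

# check_binary BIN: show which libssl/libcrypto the dynamic loader resolves
# for BIN (e.g. /usr/local/Aventail/AvConnect); fails on any "not found".
check_binary() {
    out=$(ldd "$1" | awk '/libssl|libcrypto/') || return 1
    printf '%s\n' "$out"
    ! printf '%s\n' "$out" | grep -q 'not found'
}

# As root on a live system:
#   relink_openssl / /usr/local/ssl && check_binary /usr/local/Aventail/AvConnect
```

Because AvConnect is setuid (see the file output above), whatever libssl these links resolve to runs with root privileges and is now outside the distro's OpenSSL security updates, so keep the .dist links for reverting once a fixed client or package is available.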

This is, of course, not the recommended course of action for people new to Linux/Ubuntu, and I provide no guarantee that it will work for you. I just wanted to provide a possible workaround for anyone with the same issue googling around aimlessly.

Enjoy

EDIT: More comprehensive shuffling of lib links per comments and observations below. Thanks devodl and js!


Comments

js 15.12.2008 16:25

I tried this on Xubuntu (Intrepid) hoping to be able to connect. I am getting the same error you are and so far, we’re the only two who seem to have this issue.

Compiling seemed to go well and I didn’t have any error messages.

When I tried to remove the link to the old libssl.so I was told it didn’t exist. Paying no mind, I created a new symlink anyway, but there was no change (I still could not connect).

Also, my files were installed in /usr/local/ssl/lib/ instead of /usr/local/ssl/libs/. I made this change when trying to do the symlink, but it still did not help.

I moved and copied some symlinks around to try to get it to point at the new libssl install, and even tried to remove and reinstall Aventail, but to no avail. Not quite sure what I did now, but Aventail won’t even start up at this point, as it’s not getting past the initialization of SSL.

Do you have any other ideas? Do you think it has anything to do with being on Xubuntu? It’s essentially the same system setup. I might do a full Ubuntu Intrepid install to see if it helps. I was trying for a light and fast VPN system, which is why I chose Xubuntu.

Benjamin Smith 16.12.2008 9:39

Sorry it took so long to reply! Been quite busy at work preparing for the holiday and lost track here.

First off, you caught a typo in my blog which is now corrected. You will link from /usr/local/ssl/lib/libssl.so not /usr/local/ssl/libs/libssl.so. Thanks for that!

Now, take a look at this:

# ldd /usr/local/Aventail/AvConnect
linux-gate.so.1 =>  (0xb7ef5000)
libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb7ec0000)
libssl.so.0.9.7 => /usr/lib/libssl.so.0.9.7 (0xb7d7f000)
libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0xb7c28000)
libm.so.6 => /lib/tls/i686/cmov/libm.so.6 (0xb7c02000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7aa4000)
/lib/ld-linux.so.2 (0xb7ef6000)
libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7aa0000)
libz.so.1 => /usr/lib/libz.so.1 (0xb7a8a000)

# ls -al /usr/lib/libssl.so.0.9.7

lrwxrwxrwx 1 root root 18 2008-07-07 21:45 /usr/lib/libssl.so.0.9.7 -> /usr/lib/libssl.so

# ls -al /usr/lib/libssl.so

lrwxrwxrwx 1 root root 34 2008-11-20 21:19 /usr/lib/libssl.so -> /usr/local/ssl/lib/libssl.so.0.9.8

You can see that the link to the ssl shared lib resolves to /usr/local/ssl/lib/libssl.so.0.9.8. Can you verify that’s the case with your install?

We can troubleshoot from there.

Thanks!

js 17.12.2008 10:09

Thanks for your help. Although not necessary, I ended up deleting everything relating to /usr/lib/libssl and /usr/lib/libcrypt, reinstalling anything in Synaptic that had libssl in it, following your instructions to build and install openssl-0.9.8i, and then created the symlinks from libssl.so.0.9.7 to libssl.so as you mentioned in your reply above. I also had to do that for libcrypto.so.0.9.7 (link to libcrypt.so) since I had deleted it.

After those links were set up, Aventail worked like a charm! Thanks again for your helpful post!

Benjamin Smith 18.12.2008 17:29

Awesome, glad I could help!

devodl 27.12.2008 23:50

Thanks to both Benjamin and js

Even though I installed openssl-0.9.8i startct still failed. The note from js about libcrypto completed the solution.

Summary of my changes:

1 — Install openssl-0.9.8i

2 — Change links in /usr/lib as follows:

ln -s /usr/local/ssl/lib/libcrypto.so /usr/lib/libcrypto.so
ln -s /usr/local/ssl/lib/libssl.so /usr/lib/libssl.so

rm /usr/lib/libcrypto.so.0.9.7 (was symlink to libcrypto.so.0.9.8)
ln -s /usr/lib/libcrypto.so /usr/lib/libcrypto.so.0.9.7

rm /usr/lib/libssl.so.0.9.7 (was symlink to libssl.so.0.9.8)
ln -s /usr/lib/libssl.so /usr/lib/libssl.so.0.9.7
Benjamin Smith 5.01.2009 8:25

I’m glad we were able to get something working well between us all! I’m implementing this solution on another machine this morning, actually :)

B.V. 14.02.2009 21:39

Benjamin (and everyone who has contributed on this), I came across this blog after struggling for several hours with the configuration for Aventail connect on Intrepid. I used devodl’s adjustments to the process and it worked flawlessly. Thanks to everyone who documented their experience here.

B.V.

BE 25.02.2009 15:35

I recently installed Ubuntu 8.10 on a cheap Toshiba laptop and the only thing I couldn’t get to work properly was the Aventail VPN client. Thank you so much for taking the time to publish your experience. I wasn’t able to find anything else on the internet to help get it working. I wasn’t getting a SSL handshake failure, just failed to connect. After the upgrade of ssl .9.8, everything is now working. Thanks again for the help.

Brian

Britt 11.03.2009 18:25

Could anyone mention whether they were using 32bit or 64bit OSs?

BE 11.03.2009 18:41

Double post… sorry

BE 11.03.2009 18:43

I’m using 32 bit OS.

Brian

devodl 11.03.2009 18:58

I installed on 32bit ubuntu 8.10

As an aside I was able to run Aventail on Vista 64bit but…only by using a Beta version of Aventail that was provided by my IT department.

I’m not sure if there is a 64bit version of Aventail for Linux.

Benjamin Smith 11.03.2009 20:11

I’m 32 bit as well. I’m not sure that they make a 64bit client for Linux.

On a side note, I just upgraded my Aventail client today (our internal IT guys upgraded the appliance last night). It was very simple. I log into the Realm "Tunnel Client Download For Any OS". This gives you the option to install the new client, wants you to authenticate as root to install it from the browser, or allows you to download it, in which case you can do this:

$ tar xvfm AventailConnect-Linux.tar.gz
$ sudo ./install.sh 
Installing Aventail Connect 10.0.0.259...
Aventail Connect (8.9.0.245) is already installed.
Would you like to replace it with 10.0.0.259? (y/n) y
Uninstalling Aventail Connect 8.9.0.245...
Aventail Connect uninstall complete.
Looking for tun driver...  tun is present and correct.
Unpacking archive AventailConnect-Linux-10.00.259.tar.bz2...
Setting up permissions...
Using certificates in /etc/ssl/certs
Done installing Aventail Connect.
Sam M. 27.03.2009 12:51

I’m using the Aventail 8.90.290 client on a 64 bit install of CentOS5. Works fine there.

Also, I got this to work under Fedora 10 with the same change everyone else had to do with the openssl recompile. Curiously, I couldn't use any of the newer versions of openssl (openssl-0.9.8i & openssl-0.9.8k); they didn't work. I had to go with 0.9.8i.

Sam M. 27.03.2009 13:08

@Benjamin: Can you explain how you were able to download the 10.x version of the client? Did it do this automatically when you logged in with the 8.9 client or did you do something else?

Sam M. 27.03.2009 14:27

@Benjamin: I figured out what I think you were talking about in terms of getting the latest version of the software. I tried putting the hostname of the sslvpn server in a browser and logging in and it took me to a console page where I can download software and some other interesting things. Pretty cool.

Andre 5.04.2009 11:35

many thanks for that great help :-)

Sam M. 19.04.2009 12:08

I recently came across an updated version of Aventail 9.03.015 at work that fixes this problem as well.

Larry Starr 28.04.2009 15:00

Guys,

Just wanted to toss in a thank you. I was seeing this problem since upgrading to Kubuntu 9.04. Installing openssl 0.9.8i and the symlinks fixed it for me as well.

Thanks,

Juan Luis 15.05.2009 16:00

I just had this problem on Mandriva 2009.1, it was working ok and one day I was going to connect to the vpn and couldn’t, having the same handshake error. It turned out to be a problem with the libopenssl-devel package. Uninstalled it and problem fixed.

Scott 21.05.2009 23:11

Thanks,

openssl-0.9.8i worked for me.

But first I tried openssl-0.9.8k, which did not!

Rob 23.09.2009 10:44

Hi Benjamin, thanks for making the Aventail Connect work!

However, I ran into a problem. I have correctly connected to the VPN host and authenticated. I have a tun0 device and some servers are added to my routes.

I am on a WLAN (192.168.0.x) and my VPN network is 192.168.119.x, both with subnet mask 255.255.255.0. I cannot connect to the servers in the VLAN. Is there also some firewall setting in Ubuntu that I have to configure?

anand 8.10.2009 10:04

Hi,

I know this is a little bit different from what has been discussed, however I am also trying to use Aventail on Ubuntu and am facing the issue below. Any kind of help is really appreciated. Please read below.

I want to automate the connection of Aventail, meaning that in case the connection breaks in between (due to network disorder), it should be able to reconnect. For this purpose, I want to connect Aventail using the command prompt. However, I am facing issues while using the -l command. I need to use login option 2.TECH Untrusted.

AVENTAIL CONNECT

Connecting…

Connected

SELECT LOGIN GROUP

1.TECH Trusted 2.TECH Untrusted 3.To Cancel

I tried to use many options like -l '2', -l '2.TECH Untrusted', -l "TECH Untrusted", "2.TECH Untrusted", "Untrusted"; however, every time it says,

AVENTAIL CONNECT

Connecting… Error: Connection Failed.

Please help me to use the -l option.

Thanks in advance, Anand

connermcd 5.11.2009 17:21

Thank you, thank you, thank you, thank you!!!!!!!

WiB 28.11.2009 6:16

Hi…

First of all, I'd like to thank Benjamin for making this useful post. I've got Aventail working on 9.04. However, after a recent upgrade to 9.10, this no longer works. Looking at the Aventail log (/var/log/AvConnect.log), it seems that some command no longer works:


ERROR 11/28/2009 18:4:46 — route_manip rOpt[HTML_REMOVED] failed error[HTML_REMOVED]
WARN 11/28/2009 18:4:46 — XGRouter::FlashRoutes in-failed for dst<203.44.186.0> gw<10.40.3.30> mask<255.255.0.0>
WARN 11/28/2009 18:8:2 — XGSSL::DecryptRecv() SSL_read error<2> syserror[HTML_REMOVED] m_rTout<210>

WARN 11/28/2009 18:8:2 — VPN Down…

Btw, I can still connect, but when I try to ping the remote machines (i.e. any address) on the other end, it simply doesn't work.. :(

Any clue?

Thanks again..
