
Cisco VPN with Certificate Authentication on Ubuntu

A quick web search on the subject reveals the Cisco VPN client for Linux kinda sucks. Installing and configuring it is a pain and often problematic, and sometimes it causes kernel panics/system lock-ups. Nevertheless, it is (as far as I can tell, anyway) needed if you have to authenticate to the VPN with certificates. Here’s how it’s done.
First, update your system:
      sudo apt-get update && sudo apt-get dist-upgrade
Then:
  • Download the Linux Cisco VPN client.
  • Download this patch. BTW: I did not write this patch and though I am sure it will not harm your machine or data since I use it myself, use it at your own risk.
  • Unpack the client source code:
      tar -xvzf vpnclient-linux-x86_64-4.8.02.0030-k9.tar.gz
  • Copy the patch file to the VPN client install directory:
      cp vpnclient-linux.2.6.31.diff vpnclient
  • Apply the patch:
      cd vpnclient
      patch < vpnclient-linux.2.6.31.diff
  • Then run:
      sudo touch /usr/src/linux-headers-2.6.[whatever-version-you're-using]-generic/include/linux/autoconf.h
  • Run the install script:
      sudo ./vpn_install
    The VPN client should now be installed and you should not have gotten any errors during the compile.
  • Start the VPN client service:
      sudo /etc/init.d/vpnclient_init start
  • Copy your PCF files (Cisco VPN profiles) to /etc/opt/cisco-vpnclient/Profiles/
  • If you have any VPN connections that do not use certificates, now is a good time to try them. To connect to a VPN with the Cisco VPN client:
      vpnclient connect profilename
    (where profilename is the file name before the “.pcf” bit). Make sure that works. If it doesn’t, troubleshoot until you get that part working before proceeding.
  • Copy the certificate (pfx file) to /etc/opt/cisco-vpnclient/Certificates/
  • Import your certificate, then follow the prompts:
      cisco_cert_mgr -U -op import
  • After importing, ensure the certificate appears in your certificate store:
      cisco_cert_mgr -U -op list
    If your certificate doesn’t appear in that list, try again, noting any errors.
  • Try connecting to your VPN with certificates now:
      vpnclient connect profilename
    (where profilename is the file name before the “.pcf” bit). When prompted for a password, make sure you are using the password you set for the certificate locally, *not* the one you may have set when you created the certificate; otherwise it won’t work.
Hopefully it works! If not, the unfortunate thing is that the Cisco VPN client has very vague error messages. Make sure the certificates are in the store and you have not gotten any errors during the installation/configuration process. If you did, read onward for using the logging facility and see if you can piece together the symptoms, error messages, and log events for clues as to what might be wrong.
If you have problems, here’s how to use the Cisco VPN client logging facility. It’s a pain to use if you don’t know how so this should save you from banging your head against the wall a bit.
At the command line, enter:
  • ipseclog filename (where filename is any file name you choose)
Then tail filename on another virtual terminal:
  • tail -f filename
Then try connecting or importing — whatever you are having trouble with — in another virtual terminal. Go back to the terminal where you are tailing the log file and see what it says. That might give you some clues as to what the problem might be.
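The connect step above and the logging facility fit naturally into one wrapper. The script below is an added example, not from the original post: it derives the profile name from a PCF file (vpnclient wants it without the “.pcf” suffix), starts ipseclog before the connect attempt, and dumps the tail of the log if the attempt fails, so you do not have to juggle two terminals. The profile and certificate directories are the ones named in the post; the log location and the Work.pcf profile name are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: connect with the Cisco VPN client
# while ipseclog records the attempt, so a failure leaves a log to read instead
# of only the client's vague error message. Paths are the ones given in the post;
# the log location and the Work.pcf profile name are placeholders.
set -eu

PROFILE_DIR=/etc/opt/cisco-vpnclient/Profiles   # where the post says PCF files go
LOG_DIR="${LOG_DIR:-${HOME:-/tmp}}"              # where to keep per-profile logs

# vpnclient wants the profile name without the ".pcf" suffix and without any
# directory, so both "Work" and ".../Profiles/Work.pcf" map to "Work".
profile_name_from_pcf() {
    name=${1##*/}
    printf '%s\n' "${name%.pcf}"
}

# One log file per profile, so attempts against different gateways stay separate.
log_file_for() {
    printf '%s/vpnclient-%s.log\n' "$LOG_DIR" "$1"
}

connect_with_log() {
    profile=$(profile_name_from_pcf "$1")
    if [ ! -f "$PROFILE_DIR/$profile.pcf" ]; then
        echo "no profile $PROFILE_DIR/$profile.pcf (copy the PCF file there first)" >&2
        return 1
    fi
    log=$(log_file_for "$profile")

    # Start the logger before the connect attempt so its first messages are caught,
    # and make sure it is stopped however the attempt ends (Ctrl-C included).
    ipseclog "$log" &
    logpid=$!
    trap 'kill "$logpid" 2>/dev/null' EXIT INT TERM

    if vpnclient connect "$profile"; then
        echo "session ended; full log in $log"
    else
        echo "vpnclient connect $profile failed; last lines of $log:" >&2
        tail -n 20 "$log" >&2
        return 1
    fi
}

if [ -n "${1:-}" ]; then
    connect_with_log "$1"
else
    echo "usage: $0 Profile[.pcf]   (e.g. $0 Work)" >&2
fi
```

Run it as `./vpn-connect.sh Work` (or with the full path to Work.pcf); the log stays in place after a failure, so you can read the whole thing rather than only the last twenty lines.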
The following sites/blogs were very helpful in drafting this post:
http://leifmadsen.wordpress.com/2009/11/27/cisco-vpn-client-on-ubuntu-karmic-9-10/
http://ilapstech.blogspot.com/2009/09/cisco-vpn-client-on-karmic-koala.html
http://www.lamnk.com/blog/vpn/how-to-install-cisco-vpn-client-on-ubuntu-jaunty-jackalope-and-karmic-koala-64-bit/

OpenConnect, an Excellent Alternative to Cisco AnyConnect for Unix Clients

I recently ran into trouble connecting to a Cisco AnyConnect SSL VPN gateway, which requires the Cisco AnyConnect client software, from my Linux workstation. Cisco does make a Linux AnyConnect client and seems to keep it fairly current but it suddenly stopped working for me (updates were performed on both the VPN and client machines within a couple of weeks of each other, so maybe the issues had something to do with that).

Eventually, I stumbled across OpenConnect, which is an open source client made for Unix systems (it has been tested on Linux, OpenBSD, FreeBSD, and Mac OS X). Installing OpenConnect was straightforward, and once it was on my workstation I was able to connect to the Cisco VPN again without issue.

By the way, if you are looking to connect to a Cisco IPsec VPN, you probably need to use vpnc instead of AnyConnect or OpenConnect. There are a few different GUI front-ends for vpnc such as KVpnc and the NetworkManager vpnc plug-in.

If you are a user of a recent Fedora release, you’re in luck — OpenConnect and its accompanying NetworkManager plug-in are available in the yum repositories so you can easily install them that way. Similarly, there is an OpenConnect package in the Debian unstable repository (though the plug-in is not available there).

To get OpenConnect going on your workstation from source code, read on.

First, ensure you have the prerequisites, libxml2 (Development files for the GNOME XML library) and OpenSSL.

I had to install libxml2 for my system. Since I am running Ubuntu on my PC, this was easily done via “sudo apt-get update” followed by “sudo apt-get install libxml2-dev.” I suspect this library is also in the yum repositories for popular RPM distributions — if not, try one of the RPM sites such as RPM Find or DAG.

Download the OpenConnect source from its web site.

Unpack the tarball as in tar -xvzf openconnect-*.tar.gz.

Run make (type “make” without the quotes at the command line).

Run make install. (I actually use checkinstall instead, myself, so I can easily remove the application, if necessary.)

Connecting to the VPN

Once installed, you can connect to the VPN by typing openconnect yourvpn.yourhost.com.

You will then be prompted separately for a user name, password, and group. You should be connected after filling each of those in.

Press ctrl-c to terminate OpenConnect and disconnect from the VPN.

I wrote a simple script for myself, shown below, to make connecting a bit easier.

#!/bin/bash

sudo openconnect -u mike --authgroup='TunnelAllTraffic(Advanced)' vpn.mikestestnetwork.com
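A script like this accepts whatever certificate the gateway presents, which is exactly the gap an attacker in the path would use. The wrapper below is an added example, not the post’s own script: it refuses to connect unless the gateway’s certificate is pinned with openconnect’s `--servercert` option, and it takes the password on stdin rather than from an interactive prompt, so it can come from a secret manager. The hostname and user are placeholders, and VPN_PIN is the `pin-sha256:...` value openconnect itself prints the first time it meets a gateway certificate it does not trust (this assumes an OpenConnect release recent enough to accept the pin-sha256 form; older releases take a SHA-1 hex fingerprint there instead).

```shell
#!/bin/sh
# Added example, not the post's own script: a connect wrapper that refuses to run
# unless the gateway's certificate is pinned with --servercert, and that takes the
# password on stdin instead of the command line. Hostname, user and group are
# placeholders; VPN_PIN is the "pin-sha256:..." value openconnect itself prints
# when it first sees a gateway certificate it does not trust (assumes OpenConnect
# recent enough to accept the pin-sha256 form).
set -eu

VPN_HOST="${VPN_HOST:-vpn.example.com}"                    # placeholder gateway
VPN_USER="${VPN_USER:-mike}"                               # placeholder user
VPN_GROUP="${VPN_GROUP:-TunnelAllTraffic(Advanced)}"       # group name from the post
VPN_PIN="${VPN_PIN:-}"                                     # must be supplied by the caller

# A pin-sha256 value is the base64 of a 32-byte SHA-256 digest of the server's
# public key: exactly 44 characters, the last one '='. Anything else is rejected,
# so a typo or an old-style SHA-1 fingerprint cannot silently weaken the check.
validate_pin() {
    case "$1" in
        pin-sha256:*) ;;
        *) return 1 ;;
    esac
    b64=${1#pin-sha256:}
    [ "${#b64}" -eq 44 ] || return 1
    printf '%s\n' "$b64" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Print the exact argument list, one per line, without connecting (for review).
openconnect_args() {
    printf '%s\n' "--user=$1" "--authgroup=$2" "--servercert=$3" "--passwd-on-stdin" "$4"
}

connect_vpn() {
    if ! validate_pin "$VPN_PIN"; then
        echo "refusing to connect to $VPN_HOST: VPN_PIN is not a pin-sha256 value" >&2
        return 1
    fi
    if [ "${1:-}" = "--show" ]; then
        openconnect_args "$VPN_USER" "$VPN_GROUP" "$VPN_PIN" "$VPN_HOST"
        return 0
    fi
    # The password is read from stdin (e.g. piped from a secret manager), so it
    # never appears in the process list or the shell history; sudo, if it needs
    # its own password, still prompts on the terminal.
    sudo openconnect --user="$VPN_USER" --authgroup="$VPN_GROUP" \
        --servercert="$VPN_PIN" --passwd-on-stdin "$VPN_HOST"
}

case "${1:-}" in
    show)    connect_vpn --show ;;
    connect) connect_vpn ;;
    *)       echo "usage: VPN_PIN=pin-sha256:... $0 show|connect" >&2 ;;
esac
```

Use `VPN_PIN='pin-sha256:...' ./connect.sh show` to review the command it will run, and pipe the password in for the real thing, e.g. `my-secret-tool vpn | VPN_PIN='pin-sha256:...' ./connect.sh connect`. Record the pin the first time from a connection you trust; after that, a gateway presenting a different key is refused instead of quietly accepted.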

I didn’t bother with the NetworkManager plug-in since it had a bunch of dependencies and using this script at the command line works pretty well for me but remember the plug-in is a nice option to connect to your VPN in a few clicks.

There are many options and features for OpenConnect listed at the project page. Huge thanks to the OpenConnect developers for creating a vital application that works great!