Anyconnect Client Ubuntu

If AnyConnect attempts to contact an ASA with a certificate containing an incorrect server name (CN), then the AnyConnect client will think it is in a “captive portal” environment. To prevent this, make sure the ASA certificate is properly configured. Sudo apt-get install -y network-manager-openconnect-gnome network-manager-openconnect network-manager-vpnc network-manager-vpnc-gnome vpnc vpnc-scripts. Even after this an option to create Anyconnect compatible VPN connection does not appear. Ubuntu 16.04 64bit, stock. 16.04 network-manager vpn cisco openconnect. Linux (Ubuntu 32 or 64bit) Anyconnect Installation Guide. Browse to NS VPN Client Download Page; Download the correct 'anyconnect-predeploy-linux' file (32 or 64 bit). This file should be saved to a directory on your computer.

Anyconnect Client Ubuntu Windows 10
Anyconnect Client Ubuntu Mac
Cisco Anyconnect Client Ubuntu Server
Cisco Anyconnect For Linux Ubuntu

by Jeff Stern

(Note: There is also an alternative method of installing UCI VPN support without using the Cisco client, but using the built-in Debian/Ubuntu openconnect and openvpn drivers, should you find the below method does not work for you, or if you prefer to use open-source non-proprietary software.)

Introduction

OIT has a good general VPN-Linux page with instructions on setting up the Cisco AnyConnect VPN client software for Linux, but I got tripped up in a couple of places and thought I'd pass on some heads-ups for other Debian and Ubuntu users.

I originally wrote this 'How-To' for Ubuntu v10, and have updated it through v17.04. It should work for most or all Debian-derived distributions through 9.0 ('Stretch').

Please do write me to let me know how it went for you, and/or with any suggestions. I'd love to hear that it helped someone and/or any improvements that could be added.

Thanks to several for the help getting here.

Summary

In the instructions below, I'll walk you through installing the Cisco VPN client on a Debian or Ubuntu system. When you're done, you'll have two commands available at the command-prompt, which you can run to connect to the campus VPN: 'vpn' (text mode) and 'vpnui' (graphical/windowing).

I used to also include instructions for getting VPN support to show up in the NetworkManager icon/applet in the system tray, for those who used a Gnome based desktop. I no longer do this, as it is too complicated these days to keep up with documenting the various desktop environments, and the changes (and unreliability) of NetworkManager. And it's not really necessary anyway. If you get it going for yourself, though, Kudos to You! :-)

Installing the Cisco AnyConnect client

First, make sure you have the necessary Debian/Ubuntu support packages installed:
Go to the UCI OIT Cisco Anyconnect/Linux instruction page.
Download the 32 or 64 bit client as a .gz file.

If you are usure whether you should use the 32 or 64 bit client: Most people are on 64-bit machines now. But if you are unsure, just run the uname command like this:As you can see from the above example, my machine has a 64-bit Intel (x86_64) based processor. If you see a '386' somewhere, then you are on a 32-bit machine.

From the command prompt, go to the directory you saved the file to, and unpack it and run, just like the OIT instructions. Note you might have to put in some back-slashes because the download file apparently comes with spaces in the file name these days:
If you get the following message at the end instead: it most likely means you did not install the two Ubuntu packages up in step 1, above.
- However, if you have installed those two packages, and are still getting this error, then user Steve Murphy wrote me (2015-12-7) with the tip that running the following did install enough dependent packages as to make it work for him:However, while this may help some users, this normally should not be necessary, and was not in my testing.
Now reload systemd, scanning for new or changed units:
The vpn client should now have been installed on your system and the vpnagentd process started. You can verify this by looking at the active processes:
During the installation, the vpnagentd daemon should now be set up to be started each time your system is booted. To verify:or
Make command aliases to point to the vpn and vpnui commands:
Also add these aliases to the end of your ~/.bashrc or ~/.bash_aliases file:(where you don't actually type the '^D': it means you hit Ctrl-D to finish).
If you want to edit your aliases file instead directly, you can run a simple editor, 'nano', which is usually available on Debian and Ubuntu systems:

Connecting and Disconnecting

Connecting (Graphical window)

Just run:

And it should show 'vpn.uci.edu' already. Just click Connect.

If you get an error message about an untrusted server or certificate..

..you can fix that following the instructions from Robert in the section NOTE 1 - Connect-error, below.

(By the way, depending on how the installation went, and whatever of the Linux desktop environments you are using (Gnome, Unity, KDE, Mate, Cinnamon, XFCE, etc.) you may also find that the vpnui graphical client now also appears somewhere in your Applications menu. But don't count on it! This is Linux, after all.. :-) )

Connecting (via command-line)

To start the client from a command-line prompt in a terminal window, using the alias you made above:
At the VPN> prompt, type connect vpn.uci.edu and press Enter. (If you get an error message about an untrusted server or certificate, you can fix that following the instructions from Robert in the section NOTE 1 - Connect-error, below.) Otherwise, you should now see:If you do not see this, but get a connect error instead, please see NOTE 1 - Connect Error below.
Ignore the message about entering your UCInetID and password, for now.
Choose one of the choices by number and press return -- usually UCI or UCIFull. (See the differences in the Tunnels below.) For instance, for UCI, press 3 and hit Enter.
Enter your UCInetID and password in the Username and Password boxes and press return.
At the accept? [y/n]: prompt, type y and press Enter. You may get several notices the first time about the downloader performing update checks. At the end you should see a >> state: Connected message and a new VPN> prompt. You are now connected.
Either leave the VPN> prompt open or if you want your terminal back just type quit at the VPN> prompt (the connection will remain active).

Connecting automatically via Command-line (w/o typing in your Username/Password)

I never (not yet?) figured out how to get the Cisco anyconnect software to run via script with command-line parameters sufficient for its running without having to type in your username (UCINetID) and password. I looked into the vpn command / executable supplied by Cisco (in the anyconnect-predeploy package) and running -h on it does not give much help.

Therefore, if you need something command-line and automated, I suggest you use the alternative method using open-source openvpn/openconnect software which I mentioned at the very top of this document. I include a way to do that in an automated way, and I find it works just as well and just as fast, but without having to install proprietary Cisco software. (This is the age of Ed Snowden's warning to us all, after all.. :-/

NOTE 1 - Connect-error

In most cases I have seen, a connection is made. I have, however, seen the below error before only once. It was when the person was installing on a netbook (running Gnome) which was on campus and usingthe campus wifi system (though I don't know if those factors were the cause). It didn't matter if they answered y or n, they continued to get the error and be denied connection.

Update 2015-12-6: 'Robert' wrote me with a solution to this:

..the connect error... can be resolved by sym-linking the cisco ca directory to the system ca directory as cisco only seems to include one root certificate by default. Or you can install the certificate chain from the VPN provider - sym-linking the system certs worked fine for me. Credit goes to: https://plus.google.com/+AndreasKotowicz/posts/2afhvvNZpE6

Thank you, Robert!

To disconnect (gui)

Just click disconnect in the window

To disconnect (command-line)

At the VPN> prompt, type disconnect and hit Enter.

To exit (command-line)

At the VPN> prompt, type quit and hit return.

De-installation / Removal

Run Cisco's provided un-install script
Optionally, also remove the cisco directory (if you don't need the .log files that were left behind):

Additional Hints, Tips, and Handling of Errors and Problems Contributed by Users

Anyconnect Client Ubuntu Windows 10

Several people have written in to me with some additional tips and solutions which I'll add here:

From pierrechauffour:
From zviad aburjania: This turned out to be a missing library fixable by:
From zviad aburjania (2): (If that link no longer works, it is just recommended to start /opt/cisco/anyconnect/bin/vpnagentd first.)
From pascal müller:
Pascal researched and found that the error, anyconnect was not able to establish a connection to the specified secure gateway is a known problem with Cisco clients before version 4, when these earlier clients are installed on Ubuntu 16.04+. The solution is either to downgrade your Ubuntu, or upgrade your Cisco client. At my university we have upgraded to offering version 4 (anyconnect-predeploy-linux-64-4.3.05017-k9.tar.gz), and this supposedly works with the newer Ubuntus. I did not myself test the new version 4 Anyconnect client with Ubuntus 15.x and 16.x. But I have tested it today (April 27 2017) with my Ubuntu 17.04 system, and it works great.

Contact / Feedback

Please email me to let me know how this process went for you, and/or with any suggestions for improvement on this page itself. Thanks.

Acknowledgements

Thanks to:

Mike Iglesias and Sylvia Bass at UCI's OIT for for putting up the link to here from their VPN-Linux page.
a page at Georgia Tech (now defunct), from which part of this page (the old Section 2, no longer included) was originally adapted.
Joe Remenak for clear, concise feedback on some additional steps (1 and 11) necessary now for the newer 64-bit Ubuntus.
Tom Distler, for the Tux/Cisco image at the top of this page, which I mooched from his page, How to connect Linux to a Cisco VPN using a PCF file.
James Condie at UCI, who encountered multiple problems with the latest changes in the 4.3.05017 version of Cisco's install -- but patiently stuck with it -- thus encouraging me to update this page once again, and clarify a few additional things for newer Linux users.
Philippe Moisan, who caught and reported an incompatibility with the find vpnagentd command above in Installation Step 8, for some versions of Linux, and offered also a fix: to put quotes around the '*vpnagentd*' which should work with all flavors of find.

Last Updated Oct 30 2017

Introduction

OCserv is the OpenConnect VPN server. Its purpose is to be a secure, small, fast and configurable VPN server. It implements the OpenConnect SSL VPN protocol, and has also (currently experimental) compatibility with clients using the AnyConnect SSL VPN protocol. The OpenConnect protocol provides a dual TCP/UDP VPN channel, and uses the standard IETF security protocols to secure it. The server is implemented primarily for the GNU/Linux platform but its code is designed to be portable to other UNIX variants as well. From Ubuntu 16.04 onward, OCserv is included in the standard Ubuntu repositories, so you do not need to compile it from source. In this tutorial the iOS 12.2 client, which could be an iPad or an iPhone, will connect to the VPN server using the Cisco AnyConnect VPN client.

Install packages on server

Log on to your server and install the OCserv package:

We will also need the GnuTLS package, since we use the GnuTLS utilities to generate our public key infrastructure (keys and certificates):

Build and Install

We can use self-signed certificates or using a purchased commercial certificate from CA certificate providers, such as Comodo, StartSSL, WoSign and etc.

Make CA certificate and server certificate

The GnuTLS certificate tool (certtool) allows you to specify the fields for your certificates in a configuration template file.

Start by creating a configuration template file for your Certificate Authority (CA) certificate:

Press the I key on your keyboard to enter insert mode.

Enter the following fields into the CA configuration file, customizing the values as you prefer:

When you have finished entering the above, escape from insert mode, write the file to disk, and quit the editor.

Now generate a key and certificate for your CA, using the CA configuration template file you just created:

Anyconnect Client Ubuntu Mac

Now create a server certificate template file:

Press the I key on your keyboard to enter insert mode.

Enter the following fields into the server configuration file. Note that in the common name (cn) field, you must specify your actual server IP address or hostname (shown as vpn.xuri.me in the example that follows):

When you have finished entering the above, escape from insert mode, write the file to disk, and quit the editor.

Generate the server key and certificate, using the configuration template file:

Use commercial certificate

For example I use WoSign Free SSL Certificates. I got 1_vpn.xuri.me_bundle.crt and 2_vpn.xuri.me.key two files. Convert .crt certificate to .pem format:

Convert .key file to .pem format:

Put server-cert.pem and server-key.pem on path /etc/ocserv/, and set file permission 600.

If you are use CA certificates issued by StartSSL, you have got certificate cert.crt file, I some case you should create certificate chain and merge sub certificate and root certificate like this:

Generate Certificates with Let's Encrypt

Confirm the port in the file /lib/systemd/system/ocserv.socket not used by other program, and generate certificates by certbot:

Select 1 and input domain name, certificates file located at /etc/letsencrypt/live/vpn.xuri.me/fullchain.pem, /etc/letsencrypt/live/vpn.xuri.me/privkey.pem.

Configure the OpenConnect VPN server

Edit the OCserv sample configuration file that is provided in /etc/ocserv:

Use the editor to comment out (#) the default values and replace them with those shown in the example that follows:

When you have finished entering the above, escape from insert mode, write the file to disk, and quit the editor.

Create user id and password

Generate a user id and password that you will use to authenticate from AnyConnect to OCserv. For example, if you want your user id to be xuri:

You will be prompted to enter a password twice. The password will not be displayed on your terminal:

Enable packet forwarding

Allow forwarding in the Linux kernel by editing the system control configuration file:

Delete the # sign at the start to uncomment the line:

Write the file to disk and quit the editor, and make this change active now:

Open firewall

Open the server firewall for SSL:

Enable network address translation (NAT):

Assuming you have already installed iptables-persistent, reconfigure it to make your changes persist across server reboots:

Start OpenConnect VPN server

Check that nothing is already listening on port 443:

The command sudo lsof -i then showed systemd listening to port 443 on IPv6. I do not know why systemd was doing this. The command systemctl -all list-sockets showed the related unit as ocserv.socket. The solution was to issue the command sudo systemctl stop ocserv.socket.

Start OCserv:

Check that it is now listening on port 443 with the command:

Optimization

Add ocserv to system service:

Write the following script in the configuration file:

Now we can use service ocserv start and service ocserv stop to control the service.

Smart shunt

Set up no-route in the configuration file by your own rules.

Make CA certificate available for download

Your client such as Mac, iPad or iPhone needs to be able to validate the server certificate. To allow it to do this, you must install your CA certificate on the iPad or iPhone as a trusted root certificate. The first step in this is to make the CA certificate available for download from your server.

Open the firewall so that you can reach the server from a browser:

Install Apache:

Copy the CA certificate into the web root folder:

Download and install CA certificate

Connect OCserv on Mac

Download and install Cisco AnyConnect Secure Mobility Client for OS X with last version. Add your server IP address (e.g. vpn.xuri.me):

Enter your username:

Enter your password:

Connect to VPN

Connect OCserv on mobile client

Now go to your iOS device (iPad or iPhone).

Open the Safari browser.

Browse to the location of the CA certificate at your server’s IP address. For example, if your server is located at vpn.xuri.me, then in Safari you would browse to:

Follow the prompts to install the CA certificate as a 'Profile' on your iOS 12.2 device.

Once the 'Profile' (i.e., certificate) is installed, tap on Done:

Install AnyConnect on iOS 12.2 client

On your iPad or iPhone, open the the App Store, and search for Cisco AnyConnect or desktop client.

Cisco Anyconnect Client Ubuntu Server

Configure AnyConnect on iOS 12.2 client

Open the AnyConnect app.

Tap on Connections.

Tap on Add VPN Connection.

Cisco Anyconnect For Linux Ubuntu

Description is whatever you want
Server Address is your server IP address (e.g. vpn.xuri.me)

Tap Save.

Connect to VPN

Now connect from your iPad or iPhone to your VPN.

You will be prompted to enter your username (the one you set up with ocpasswd a few minutes ago, for example, xuri):

You will be prompted to enter your password (the one you set up for that username when you invoked ocpasswd):

The AnyConnect VPN toggle goes green when you are connected:

(Also, if you log on to your server and use a command such as sudo tail /var/log/syslog, you will see messages such as sec-mod: initiating session for user 'xuri'.)

Troubleshooting

Client get error: The secure gateway has rejected the connection attempt. A new connection attempt to the same or another secure gateway is needed, which requires re-authentication.

Add MTU settings mtu = 1480 in the configuration file and restart the service.