Update: I've created scripts to automate much of this process. You can find them on GitHub.
I often need to connect to a VPN with a Cisco ASA box at the head-end, using a DoD CAC (smart card) for authentication.
On Windows, this is often accomplished using Cisco's AnyConnect VPN client software. On Linux however, that option would never work for me. I tried to download it from the VPN https site, but it wouldn't load.
On Linux, we have an open-source alternative, called openconnect. The difficult part is getting it to use our smart card, and present the correct certificate to the VPN.
Jonathon Reinhart – Connecting to a Cisco ASA VPN with DoD CAC on CentOS 7
Installation
Several packages needed to be installed on my Fedora machine to get started. Unfortunately, I don't remember all of them, but you should probably start with this:
Configure p11-kit
openconnect uses p11-kit to interact with PKCS #11 modules. (PKCS #11 is the standard for interfacing with cryptographic tokens, like smart cards.) The first thing we need to do is tell p11-kit to use the libcoolkey pkcs11 module. Do this by creating a new file named /etc/pkcs11/modules/libcoolkey.module, and adding the following line to it:
Identify token and cert
Next, we'll use p11tool --list-tokens to list all of the tokens on our system. You should see your smart card in this list. Mine showed up like this (along with others):
Now, we want to look at all of the certificates available on our smart card. We'll use p11tool --list-all-certs TOKEN-URL, where TOKEN-URL is the URL of our smart card token from the previous step:
So we can see the three certificates available on our smart card.
Connect with certificate
The Windows AnyConnect software will pop up a dialog asking you to select the certificate for authentication when the server asks for a client certificate. openconnect currently has no such functionality, so we need to explicitly tell it which certificate to use. In my case, I already knew it was the certificate with ID 00:02, the 'CAC Email Signature Certificate'. So I pass the -c option, with the minimal URL to unambiguously refer to that certificate:
Note that I had to use sudo because openconnect will invoke some scripts to set up the tun device and routing.
At this point, openconnect should ask for your PIN, and then successfully connect to the VPN! If not, you may need to try the other certificates, by changing the id= part of the certificate URL.
Notes
There are still a few outstanding warnings that occur during this process:
Certificate from VPN server 'vpn.example.com' failed verification. Reason: signer not found
- I need to determine which certificate this is exactly, and how to add it to my trusted certificate store.
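As an added example, not code from Jonathon Reinhart's post or scripts, the POSIX shell script below wraps the steps above (the p11-kit module file, the certificate URL built from the token URL and the 00:02 object ID, and the openconnect invocation) in reusable functions, and also addresses the 'signer not found' warning from the Notes by passing openconnect's --cafile option so the ASA's certificate is verified against a CA you supply instead of being waved through. It assumes the module line is "module: libcoolkey.so" (the post's own line did not survive extraction), that the token URL in the usage block is a constructed sample you replace with your own p11tool --list-tokens output, that the CA bundle path is a placeholder, and that vpn.example.com is the page's placeholder host.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumptions: the p11-kit
# module line is "module: libcoolkey.so" (the post's own line was lost), the
# token URL and object id come from p11tool output, the CA bundle path is a
# placeholder, and vpn.example.com is the page's placeholder host.
set -eu

# Step 1: tell p11-kit about the CoolKey PKCS#11 module. The directory
# argument exists only so the function can be exercised outside /etc.
write_coolkey_module() {
    dir=${1:-/etc/pkcs11/modules}
    mkdir -p "$dir"
    printf 'module: libcoolkey.so\n' > "$dir/libcoolkey.module"
    cat "$dir/libcoolkey.module"
}

# Step 2 helper: p11tool prints object ids as colon-separated hex ("00:02");
# a PKCS#11 URL wants each byte percent-encoded ("%00%02").
hex_id_to_pkcs11() {
    id=$1
    out=''
    while [ -n "$id" ]; do
        case $id in
            *:*) byte=${id%%:*}; id=${id#*:} ;;
            *)   byte=$id;       id='' ;;
        esac
        out="${out}%${byte}"
    done
    printf '%s' "$out"
}

# Step 2: build the certificate URL from the token URL reported by
# `p11tool --list-tokens` and the id shown by `p11tool --list-all-certs`.
# type=cert is a standard PKCS#11 URI attribute (RFC 7512) that keeps the
# URL from matching the private key object with the same id.
cert_url() {
    token_url=$1
    id=$2
    printf '%s;id=%s;type=cert' "$token_url" "$(hex_id_to_pkcs11 "$id")"
}

# Step 3: connect. Root is needed for the tun device and routes; -c selects
# the client certificate; --cafile supplies the CA that signed the ASA's
# certificate, so "signer not found" becomes a real verification failure
# rather than a warning to click through.
connect_vpn() {
    url=$1
    host=$2
    cafile=$3
    sudo openconnect --cafile "$cafile" -c "$url" "$host"
}

# Usage: only runs when invoked with "--run", so sourcing the file has no
# side effects. The token URL below is a constructed sample.
if [ "${1:-}" = "--run" ]; then
    write_coolkey_module
    url=$(cert_url 'pkcs11:model=PKCS%2315%20emulated;token=DoD%20CAC' 00:02)
    connect_vpn "$url" vpn.example.com /path/to/dod-ca-bundle.pem   # placeholder path
fi
```

Run it as sh cac-vpn.sh --run after replacing the token URL with the one p11tool printed for your card and pointing --cafile at the CA that actually issued the ASA's certificate; if openconnect still reports a verification failure, the fix is the right CA, not disabling the check.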
Note: I've had to install various packages and make various changes in playing with my smart card, so if something isn't working for you, or I've skipped a step, please leave a comment so I can make this post more accurate. Thanks!
Update: Additional steps - I'll work these in above at some point:
- CAC modules
- openconnect-devel mailing list