Hi all,
Before I continue I should confess that I'm not very familiar with VPN networks and the technologies behind them. I will try to be as specific as possible. Please ask me if I have named something too vaguely.
I've been banging my head against a wall trying to connect to a Cisco VPN server using either openconnect or Cisco's very own AnyConnect. Up until very recently I used to connect to that VPN using openconnect without a hassle. But then our administrators notified us that they need to patch some component of the VPN network (or server?), because of a known vulnerability and Cisco urges patching as soon as possible, as no workaround exists.
This is the article from Cisco: Remote Code Execution and Denial of Service Vulnerability. Our admins told us that they will drop SSL support and instead use IPSec for security. This rendered openconnect obsolete and we were given a Linux version of the AnyConnect client. Some colleagues who run Ubuntu (or other Debian-derived distributions) managed to run AnyConnect. Though buggy, it does its job (it needs to be relaunched several times, or needs to be restarted every once in a while). In my case (running up-to-date Arch) there is nothing in AUR so I had to run the custom vpn_install.sh script inside AnyConnect's package and hope for the best. Running the actual client (there were no symlinks in my PATH, so I ran it directly from the installation directory) reveals a decent GUI window where I'm prompted to enter host/user/password. Unfortunately clicking connect always results in an error.
Most of the time it says:
The VPN client driver encountered an error. Please restart your computer or device, then try again.
Another error is:
The AnyConnect package on the secure gateway could not be located. You may be experiencing network activity issues. Please try connecting again.
I tried to find a guide on how to force openconnect to use IPSec instead of SSL and found this: Connecting to Cisco IPSec VPNs on Arch Linux. It looks very promising and fairly straightforward, but unfortunately I cannot reproduce it. Running a bare openconnect on the command line displays a usage message and exits immediately. I couldn't find an option to force interactive mode.
In the end I would prefer to stick with openconnect as it is at least supported on Arch (I got the impression that AnyConnect is a taboo for the community), but it seems to have complex dependencies underneath and I really cannot comprehend everything in practical terms.
Thanks
Simply run openconnect as root and enter your username and password when prompted:
`# openconnect vpnserver`
Note that you need a root shell. What happens if you specify the VPN server you wish to connect to? Meanwhile try to come back with some more info. Depending on how the VPN has been set up, this would be easier if you could get a config file to use with the `--config=your_configfile` option.
And yes, it is better if you stick with an arch pkg rather than custom scripts.
Thanks for your time lo1,
Running `openconnect servername` brings this (it always used to be the case):
Entering group, user and password brings this: (the following screenshot contains output seen in the above screenshot)
I don't get the chance to configure the client interactively.
Thanks
Please don't paste images of code, post the actual code.
CoC - Pasting pictures and code
Try asking someone if they can pass you a config file as I suggested (assuming that openconnect will understand any config file as openvpn does). If it doesn't, check for some examples like this one and make it fit your own usage requirements.
Also, for the next posts please do as Slithery suggested and post code in code tags.