#1 2009-04-04 05:37:09

dschauer
Member
Registered: 2008-02-28
Posts: 95

openconnect packages to connect to a Cisco AnyConnect VPN

I just submitted these packages to the AUR.

network-manager-openconnect-git: plugin for the Gnome Network Manager applet
openconnect-git: VPN client (intended to be) compatible with Cisco AnyConnect
openssl-cisco-dtls: openssl/crypto libraries only (with patch for Cisco DTLS); does not conflict with the standard package

I was unable to get openconnect-git to work with the standard openssl library, so I tracked down the DTLS patch for it.
http://rt.openssl.org/Ticket/Display.ht … pass=guest

The official AnyConnect client did not play well with me....

#2 2009-04-04 23:20:45

dschauer
Member
Registered: 2008-02-28
Posts: 95

Re: openconnect packages to connect to a Cisco AnyConnect VPN

I just made non-git AUR submissions for the openconnect and networkmanager-openconnect packages.

I updated openssl-cisco-dtls so that openconnect can statically link against it.

#3 2009-04-04 23:41:47

dschauer
Member
Registered: 2008-02-28
Posts: 95

Re: openconnect packages to connect to a Cisco AnyConnect VPN

While the network manager plugin for openconnect does work, I prefer to use a single script in a terminal to connect.

Here is the script I use:

#!/bin/bash
# requires: screen sudo ifconfig route openconnect

VPN_USER=yourusername
VPN_HOST=vpn.yourcompany.com
TUN_IFAC=yourcompanyinitials.tun0
NETWORKS='192.168.10.0/24 192.168.20.0/24 192.168.30.0/24' # Add your work networks here as needed

RUN_USER=${USER}
SOK_NAME=${VPN_USER}.${VPN_HOST}
STY_NAME=${PPID}.${SOK_NAME}

# connects to VPN, does not return.
# --script=${0} makes openconnect call this same script back once the tunnel is up.
function vpn_connect
{
  exec sudo openconnect \
    --interface="${TUN_IFAC}" \
    --setuid="${RUN_USER}" \
    --user="${VPN_USER}" \
    --script="${0}" \
    "${VPN_HOST}"
}

# adds routes, called indirectly from openconnect --script
function add_routes
{
  echo "Gateway: ${GW}"
  sudo ifconfig "${TUN_IFAC}" inet "${GW}"
  for net in ${NETWORKS} ; do
      sudo route add -net "${net}" gw "${GW}" dev "${TUN_IFAC}"
  done
  route -n
}

# check if openconnect is making this call (it exports TUNDEV and reason)
if [ "${TUNDEV}" == "${TUN_IFAC}" ]; then
  # if so, and this is a connect, the routes need to be added
  if [ "${reason}" == "connect" ]; then
    GW="${INTERNAL_IP4_ADDRESS}"
    add_routes
  fi
  exit 0
fi

# check if VPN has already been created; if so, reattach to its screen session
ifconfig "${TUN_IFAC}" >/dev/null 2>&1 && exec screen -R "${SOK_NAME}"

# check if script has been re-executed inside screen, otherwise re-execute it in screen
if [ "${STY}" == "${STY_NAME}" ]; then
  vpn_connect
else
  exec screen -S "${SOK_NAME}" "${0}"
fi

The script assumes the user running it has sudo access. It executes itself in screen automatically. It will prompt for the sudo and VPN passwords as needed. To exit and leave it running, use Ctrl-A,D as is normal for screen. To quit, Ctrl-C. If you re-execute the script while the VPN is up, it will take you back to the screen session that the VPN was started in.

#4 2009-05-11 01:01:26

dschauer
Member
Registered: 2008-02-28
Posts: 95

Re: openconnect packages to connect to a Cisco AnyConnect VPN

I just updated openconnect from 1.10 to 1.20 (which was released on 2009-05-08).

#5 2009-08-28 19:52:03

jwbwater
Member
From: US, Arizona
Registered: 2009-07-22
Posts: 14

Re: openconnect packages to connect to a Cisco AnyConnect VPN

Thanks for all the work on this, dschauer.

I just wanted to record my experience installing openconnect in the hopes that it might benefit someone else.

The steps required for me:

-install patch (required to build openssl-cisco-dtls) using pacman

-download openssl-cisco-dtls tarball from AUR and build

-move pkg/opt/openssl-cisco-dtls to /opt

-install pkgconfig using pacman

-download openconnect tarball from AUR and build, forcing no dependency checks (e.g. makepkg -d) as openssl-cisco-dtls is not found for some reason

-move pkg/usr/* to /usr

Last edited by jwbwater (2009-08-28 19:53:08)

#6 2009-09-15 19:55:48

jwbwater
Member
From: US, Arizona
Registered: 2009-07-22
Posts: 14

Re: openconnect packages to connect to a Cisco AnyConnect VPN

In hindsight the move commands I used are probably better replaced by using "pacman -U" to install the built packages.

#7 2009-11-28 14:55:40

dschauer
Member
Registered: 2008-02-28
Posts: 95

Re: openconnect packages to connect to a Cisco AnyConnect VPN

Thanks to ibiru openconnect is now in extra. http://repos.archlinux.org/wsvn/packages/openconnect/ openconnect

However, it does not have DTLS support. I added openconnect-dtls to AUR so that I can still have a working VPN.

Last edited by dschauer (2009-11-28 14:56:02)

#8 2009-11-28 15:04:52

wonder
Developer
From: Bucharest, Romania
Registered: 2006-07-05
Posts: 5,941

Re: openconnect packages to connect to a Cisco AnyConnect VPN

dschauer wrote:

Thanks to ibiru openconnect is now in extra. http://repos.archlinux.org/wsvn/packages/openconnect/ openconnect

However, it does not have DTLS support. I added openconnect-dtls to AUR so that I can still have a working VPN.

Thanks to me :). Our patching policy doesn't allow adding the DTLS patch to openssl. Until this feature is supported by upstream, it should stay in AUR.


Give what you have. To someone, it may be better than you dare to think.

#9 2009-11-28 15:37:28

dschauer
Member
Registered: 2008-02-28
Posts: 95

Re: openconnect packages to connect to a Cisco AnyConnect VPN

Well, this is something that will be solved in due time, as DTLS has been added to OpenSSL 1.0. http://www.openssl.org/news/changelog.html (or so it seems).

#10 2009-11-29 12:33:32

indianahorst
Member
Registered: 2008-08-23
Posts: 127

Re: openconnect packages to connect to a Cisco AnyConnect VPN

Hello,

I'm trying openconnect for the first time and have the problem that openconnect doesn't set a new default route through the tun0 device (like vpnc does):

$ openconnect -u USERNAME -v --no-dtls 139.30.252.227
Attempting to connect to 139.30.252.227
SSL negotiation with 139.30.252.227
Connected to HTTPS on 139.30.252.227
GET 139.30.252.227/
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Sun, 29 Nov 2009 12:30:03 GMT
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Attempting to connect to 139.30.252.227
SSL negotiation with 139.30.252.227
Connected to HTTPS on 139.30.252.227
GET 139.30.252.227/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
Fixed options give 
Please enter your username and password.
Password:
POST 139.30.252.227/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpnlogin=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn=2843813898@114421760@1259497810@D134DC1DB1F198F45931ADC007142257BACC1572; path=/; secure
Set-Cookie: webvpnc=bu:/CACHE/stc/&p:t&iu:1/&sh:2482EF506E3B5A58964EA632D54F3375AF3E2FB4&lu:/+CSCOT+/translation-table?textdomain%3DAnyConnect%26type%3Dmanifest; path=/; secure
X-Transcend-Version: 1
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Address: 139.30.26.104
X-CSTP-Netmask: 255.255.255.0
X-CSTP-DNS: 139.30.8.7
X-CSTP-DNS: 139.30.8.8
X-CSTP-Lease-Duration: 1209600
X-CSTP-Session-Timeout: none
X-CSTP-Idle-Timeout: 1800
X-CSTP-Disconnected-Timeout: 1800
X-CSTP-Split-Exclude: 10.10.0.0/255.255.0.0
X-CSTP-Split-Exclude: 192.168.0.0/255.255.0.0
X-CSTP-Keep: true
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-CSTP-Smartcard-Removal-Disconnect: true
X-CSTP-Content-Encoding: deflate
X-DTLS-Session-ID: ABBE99338223D3C92CF71640CD5162F67E1A96D3F57B7166BEDADA9E3563C1A3
X-DTLS-Port: 443
X-DTLS-Keepalive: 20
X-DTLS-DPD: 30
X-CSTP-MTU: 1406
X-DTLS-CipherSuite: AES128-SHA
CSTP connected. DPD 30, Keepalive 20
Connected tun0 as 139.30.26.104, using SSL + deflate
Did no work; sleeping for 20000 ms...
Send CSTP Keepalive
Did no work; sleeping for 10000 ms...
Send CSTP DPD
Did no work; sleeping for 15000 ms...
Got CSTP DPD response
Did no work; sleeping for 20000 ms...
 $ ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:139.30.26.104  P-t-P:139.30.26.104  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1406  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
default         mygateway       0.0.0.0         UG    0      0        0 eth0

Can anybody help?

#11 2009-11-29 14:29:42

dschauer
Member
Registered: 2008-02-28
Posts: 95

Re: openconnect packages to connect to a Cisco AnyConnect VPN

For me by default it does not set the route either, which is why I use the script mentioned in this post.

Not setting the default route seems to be the standard behavior of openconnect, which is why you must use a script. In reality you don't need to use a script like mine, you can just pass the parameters to openconnect. I made the script mentioned above so that I can make the connection, then disconnect from the screen session, run the script again to check it, and then Ctrl-C rather than Ctrl-A,D to kill the VPN session.

I'm not the openconnect author, I just maintain the AUR package for it.

#12 2009-11-29 16:20:43

wonder
Developer
From: Bucharest, Romania
Registered: 2006-07-05
Posts: 5,941

Re: openconnect packages to connect to a Cisco AnyConnect VPN

You can use the script from vpnc, as the upstream how-to does it:

openconnect --script /etc/vpnc/vpnc-script vpn.mycompany.com


Give what you have. To someone, it may be better than you dare to think.

#13 2009-11-29 18:18:25

indianahorst
Member
Registered: 2008-08-23
Posts: 127

Re: openconnect packages to connect to a Cisco AnyConnect VPN

Thank you for the quick answers, the last one does it!

dschauer, your script works and connects correctly to the VPN, but seems to set a wrong route.

Explanation:
I'm using a Linksys WRT (192.168.1.1) as router. The WRT provides a local area network with 192.168.1.0/24, where my computer is located. The VPN Gateway is 139.30.252.227.

Normal routing (without VPN) on my computer looks like this:

 $ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0

With your script it looks like this:

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     139.30.26.107   255.255.255.0   UG    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0

Perhaps it can help you to improve your script :)

#14 2009-11-29 18:44:16

dschauer
Member
Registered: 2008-02-28
Posts: 95

Re: openconnect packages to connect to a Cisco AnyConnect VPN

Did you list 192.168.1.0 as one of your NETWORKS in the script?

You can only list networks there that are on the remote side of tun0.

# from my script
TUN_IFAC=EE.tun0
NETWORKS='192.168.XX.0/24 192.168.YY.0/24 10.GG.HH.0/24 192.168.ZZ.0/24'

XX, YY, GG, HH, ZZ represent real numbers in the remote network I'm trying to connect to.
EE represents the remote network name.

192.168.0.0 is my local network. The network you are trying to connect to can't be the same as your local network. My local network used to be the same as one of the remote networks, so I had to change my local network.

When I run my script I get this for my routes:

$route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.XX.0    AA.BB.CC.DD      255.255.255.0   UG    0      0        0 EE.tun0
192.168.0.0     0.0.0.0          255.255.255.0   U     203    0        0 br0
10.GG.HH.0      AA.BB.CC.DD      255.255.255.0   UG    0      0        0 EE.tun0
192.168.YY.0    AA.BB.CC.DD      255.255.255.0   UG    0      0        0 EE.tun0
192.168.ZZ.0    AA.BB.CC.DD      255.255.255.0   UG    0      0        0 EE.tun0
0.0.0.0         192.168.0.11     0.0.0.0         UG    203    0        0 br0

Where AA.BB.CC.DD is the address assigned to EE.tun0.

192.168.0.11 is the address of the router on my local network.

Even when I was using eth0 rather than br0, it was still working. (I'm using br0 now because I'm using Linux Containers on this machine).

Don't know what to say. My script has been working for me for several months now, on several different computers.

Maybe I should use REMOTE_NETWORKS in the script rather than NETWORKS to be more clear about what it means.

Last edited by dschauer (2009-11-29 19:09:16)
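As an added example (not dschauer's script and not code from openconnect or vpnc-script), here is a small POSIX sh hook for openconnect --script that addresses the two problems discussed in this thread: it refuses to add a route for a "remote" network that overlaps the local LAN (the duplicate 192.168.1.0 route above), and it can optionally send all traffic through the tunnel. It reads the same reason, TUNDEV and INTERNAL_IP4_ADDRESS variables that dschauer's script reads. REMOTE_NETWORKS, LOCAL_NETWORKS and FULL_TUNNEL are names I made up and their defaults are constructed; VPNGATEWAY is the vpnc-script variable that openconnect exports with the gateway address (assumption: the openconnect version you run sets it, the thread's output does not show it). It uses ip(8) instead of ifconfig/route, and keeps the routing plan in pure functions so it can be reviewed and tested without root.

```shell
#!/bin/sh
# Added example hook for: openconnect --script /path/to/this-hook vpn.example
# openconnect calls it with reason=connect|disconnect and exports TUNDEV and
# INTERNAL_IP4_ADDRESS (vpnc-script names). REMOTE_NETWORKS / LOCAL_NETWORKS /
# FULL_TUNNEL are hypothetical knobs; the defaults below are constructed.
# VPNGATEWAY is assumed to be exported by openconnect (vpnc-script convention).
REMOTE_NETWORKS="${REMOTE_NETWORKS:-192.168.10.0/24 192.168.20.0/24}"
LOCAL_NETWORKS="${LOCAL_NETWORKS:-192.168.1.0/24}"

# ip4_to_int 192.168.1.6 -> 3232235782
ip4_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# prefix_to_mask 24 -> 4294967040 (0xFFFFFF00); works for 0..32
prefix_to_mask() {
  echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# cidr_overlap A/p B/q: succeed when the two networks share any address.
cidr_overlap() {
  a_net=$(ip4_to_int "${1%/*}"); a_mask=$(prefix_to_mask "${1#*/}")
  b_net=$(ip4_to_int "${2%/*}"); b_mask=$(prefix_to_mask "${2#*/}")
  # Compare under the shorter mask: equal network bits there means overlap.
  if [ "$a_mask" -lt "$b_mask" ]; then m=$a_mask; else m=$b_mask; fi
  [ $(( a_net & m )) -eq $(( b_net & m )) ]
}

# check_remote_nets: fail (and say why) if a remote net overlaps a local one.
# Listing your own LAN as a remote network is what produced the duplicate
# 192.168.1.0 route in the thread; catch it before touching the routing table.
check_remote_nets() {
  rc=0
  for r in $REMOTE_NETWORKS; do
    for l in $LOCAL_NETWORKS; do
      if cidr_overlap "$r" "$l"; then
        echo "refusing route for $r: it overlaps local network $l" >&2
        rc=1
      fi
    done
  done
  return $rc
}

# route_cmds connect|disconnect DEV: print the ip(8) commands for split routes.
route_cmds() {
  for r in $REMOTE_NETWORKS; do
    if [ "$1" = connect ]; then
      echo "ip route add $r dev $2"
    else
      echo "ip route del $r dev $2"
    fi
  done
}

# full_tunnel_cmds GATEWAY OLD_GW OLD_DEV DEV: send everything through the tunnel.
# The VPN gateway must stay reachable via the old default route, otherwise the
# tunnel's own encrypted packets would be routed into the tunnel. The two /1
# routes are more specific than "default", so they win while DEV exists and
# vanish with it on disconnect, leaving the original default route untouched.
full_tunnel_cmds() {
  echo "ip route add $1/32 via $2 dev $3"
  echo "ip route add 0.0.0.0/1 dev $4"
  echo "ip route add 128.0.0.0/1 dev $4"
}

# current_default: prints "GATEWAY DEV" of the existing default route
current_default() {
  ip -4 route show default | awk '{print $3, $5; exit}'
}

# Entry point when invoked by openconnect (reason is unset when sourced/tested).
case "${reason:-}" in
  connect)
    check_remote_nets || exit 1
    ip addr add "$INTERNAL_IP4_ADDRESS/32" dev "$TUNDEV"
    ip link set "$TUNDEV" up
    if [ "${FULL_TUNNEL:-0}" = 1 ]; then
      full_tunnel_cmds "$VPNGATEWAY" $(current_default) "$TUNDEV" | sh -e
    else
      route_cmds connect "$TUNDEV" | sh -e
    fi
    ;;
  disconnect)
    route_cmds disconnect "$TUNDEV" | sh
    [ "${FULL_TUNNEL:-0}" = 1 ] && ip route del "$VPNGATEWAY/32"
    ;;
esac
```

Before pointing openconnect --script at the file, source it and run route_cmds connect tun0 or full_tunnel_cmds 139.30.252.227 192.168.1.1 eth0 tun0 to see exactly which routes it would add. With NETWORKS-style input of 192.168.1.0/24 on a 192.168.1.0/24 LAN, check_remote_nets fails and nothing is added, which is the failure mode from #13.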

#15 2009-11-29 18:58:34

indianahorst
Member
Registered: 2008-08-23
Posts: 127

Re: openconnect packages to connect to a Cisco AnyConnect VPN

Ok, thank you for the answer. Yes, I had

NETWORKS='192.168.1.0/24'

in my script. I assume you connect to the VPN of your company or something similar?

My case is vice versa: The VPN Gateway connects me to the internet:
My PC (192.168.1.6) -> Linksys WRT (192.168.1.1) -> VPN Gateway (139.30.252.227) -> Internet
What would I have to insert in "NETWORKS" in the script?

#16 2009-11-29 19:40:33

dschauer
Member
Registered: 2008-02-28
Posts: 95

Re: openconnect packages to connect to a Cisco AnyConnect VPN

Yes, I use my script to connect to my company's VPN.

I tried 0.0.0.0/0 and a few other things, but was unable to successfully make the VPN Gateway my default gateway. There should be a way of doing that though.

I tried adding it as my default route and even deleting my existing default route, having only the VPN gateway as my default route. Neither seemed to work.

Dunno. Maybe contact the openconnect author?  David Woodhouse, dwmw2 AT infradead.org maybe?

I updated the openconnect-dtls PKGBUILD url with http://www.infradead.org/openconnect.html now that David Woodhouse has a web page for openconnect.

Last edited by dschauer (2009-11-29 19:50:45)
