Your company decided to use Cisco AnyConnect. You are on Linux, and you are provided with the Cisco AnyConnect Linux client, and you are happy: at last, they had Linux in mind… But your happiness lasts only for half an hour, when you realize that the client just does not work. Or you might be lucky and the client works as expected, but in that case you wouldn’t be here… 😉
But fear not, there is a better solution for your problem. And it is called Openconnect. What you will need:
- Windows machine with configured AnyConnect — needed just to create an initial configuration; not needed for operation
- any flavor of Linux – but I’m using Ubuntu, so there will be some Ubuntu-specific parts; you’ll know how to translate those to your flavor of Linux
- about 1h
1st step: setup Windows client
As the first step set up the Windows client and make sure it works properly: you can connect to the VPN, routing is fine, etc.
2nd step: steal the certs from the windows store
AFAIK there are two possibilities, but only one of them works on both 32-bit and 64-bit Windows, so we’ll use that one. (FYI: the other one is Jailbreak)
- Mimikatz latest from: http://blog.gentilkiwi.com/mimikatz
- (optional) Jailbreak latest from: https://www.isecpartners.com/tools/application-security/jailbreak.aspx
(Optional) I use Jailbreak to check which key is the one I need (by modification date), as Mimikatz will export all the keys.
You can follow the video and skip to next section: http://www.youtube.com/watch?v=M3XX3CHihJY
Now start mimikatz as Administrator (right click, Run as administrator…) and do:
3rd step: convert keys
In your Linux box…
To convert the keys you will need the openssl package, but that’s most probably already installed.
Do this, from command line:
- openssl pkcs12 -in exported.pfx -out cert.pem -nokeys
- openssl pkcs12 -in exported.pfx -out key.pem -nocerts
When asked, the import password is: mimikatz
Now you have cert.pem and key.pem.
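Before handing cert.pem and key.pem to OpenConnect it is worth checking that the two files actually belong together and that the certificate has not expired, otherwise the VPN will just reject the connection with an unhelpful TLS error. The script below is an added example, not part of the original post: it builds a throwaway PKCS#12 file standing in for exported.pfx (the certificate, key and file names are constructed), runs the same two openssl commands as above, and then compares the public key in cert.pem with the one derived from key.pem. It assumes openssl is installed; `-nodes` is added to the key export so the script runs non-interactively (without it openssl asks for a passphrase to encrypt key.pem).

```shell
#!/bin/sh
# Added example: convert a PKCS#12 export to PEM and verify cert/key consistency.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PFX_PASS=mimikatz   # import password used for the Mimikatz export

# Constructed stand-in for the certificate and key exported from Windows.
make_sample_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=example-user" \
    -keyout "$WORK/orig-key.pem" -out "$WORK/orig-cert.pem" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$WORK/orig-key.pem" -in "$WORK/orig-cert.pem" \
    -out "$WORK/exported.pfx" -passout "pass:$PFX_PASS"
}

# The post's two conversion commands, made non-interactive.
convert_pfx() {
  openssl pkcs12 -in "$WORK/exported.pfx" -out "$WORK/cert.pem" -nokeys \
    -passin "pass:$PFX_PASS"
  openssl pkcs12 -in "$WORK/exported.pfx" -out "$WORK/key.pem" -nocerts -nodes \
    -passin "pass:$PFX_PASS"
}

# verify_pair CERT KEY: succeeds only if KEY is the private key for CERT
# (identical public key) and CERT is still within its validity period.
verify_pair() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] || return 1
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

make_sample_pfx
convert_pfx
verify_pair "$WORK/cert.pem" "$WORK/key.pem" && echo "cert.pem and key.pem match"
```

On a real export, replace the constructed exported.pfx with your own file and run only the convert and verify steps.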
4th step: install openconnect
Install Openconnect Gnome client. I do it like this:
- apt-get install network-manager-openconnect-gnome
You could use the command line client too, but in that case I assume you know what to do…
5th step: setup the openconnect vpn
- Open Network Connections, go to the VPN tab, click New…
- select Cisco AnyConnect Compatible VPN (openconnect)
- Gateway: [your company VPN gateway] — usually something like this: vpn.mycompany.com
- CA Certificate: you could get this from the admins, or you could export this one from windows with Jailbreak, or you could use Firefox…
- User Certificate: cert.pem
- Private key: key.pem
That’s it. Now just connect.
Kudos goes to:
- Openconnect: http://www.infradead.org/openconnect/
- Mimikatz: http://blog.gentilkiwi.com/mimikatz
- Jailbreak: https://www.isecpartners.com/tools/application-security/jailbreak.aspx