Problems with anyconnect vpn under CentOS8 (IPsec protocol)

Issues related to configuring your network
Thomas_Jena
Posts: 1
Joined: 2021/10/27 17:34:53

Post by Thomas_Jena » 2021/10/27 17:38:39

In my institution we can use VPN to get access to our servers. For that we got a PKCS #12 certificate, let's name it johndoe.p12 and an anyconnect profile, let's name this johndoe.xml, and it looks like that:


    <?xml version="1.0" encoding="UTF-8"?>
    <AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
    	<ClientInitialization>
    		<UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>
    		<AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
    		<ShowPreConnectMessage>false</ShowPreConnectMessage>
    		<CertificateStore>All</CertificateStore>
    		<CertificateStoreOverride>false</CertificateStoreOverride>
    		<ProxySettings>Native</ProxySettings>
    		<AllowLocalProxyConnections>false</AllowLocalProxyConnections>
    		<AuthenticationTimeout>12</AuthenticationTimeout>
    		<AutoConnectOnStart UserControllable="false">false</AutoConnectOnStart>
    		<MinimizeOnConnect UserControllable="true">false</MinimizeOnConnect>
    		<LocalLanAccess UserControllable="false">false</LocalLanAccess>
    		<ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
    		<AutoReconnect UserControllable="true">true
    			<AutoReconnectBehavior UserControllable="false">DisconnectOnSuspend</AutoReconnectBehavior>
    		</AutoReconnect>
    		<AutoUpdate UserControllable="false">true</AutoUpdate>
    		<RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
    		<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    		<WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
    		<AutomaticVPNPolicy>false</AutomaticVPNPolicy>
    		<PPPExclusion UserControllable="false">Disable
    			<PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
    		</PPPExclusion>
    		<EnableScripting UserControllable="false">false</EnableScripting>
    		<CertificateMatch>
    			<DistinguishedName>
    				<DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
    					<Name>O</Name>
    					<Pattern>University Hospital Jena</Pattern>
    				</DistinguishedNameDefinition>
    				<DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
    					<Name>OU</Name>
    					<Pattern>UKJatHome</Pattern>
    				</DistinguishedNameDefinition>
    				<DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
    					<Name>CN</Name>
    					<Pattern>ukj@home</Pattern>
    				</DistinguishedNameDefinition>
    			</DistinguishedName>
    		</CertificateMatch>
    		<EnableAutomaticServerSelection UserControllable="false">false
    			<AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
    			<AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
    		</EnableAutomaticServerSelection>
    		<RetainVpnOnLogoff>false
    		</RetainVpnOnLogoff>
    	</ClientInitialization>
    	<ServerList>
    		<HostEntry>
    			<HostName>JohnDoeatHome</HostName>
    			<HostAddress>vpnathome.organisation.de</HostAddress>
    			<UserGroup>JohnDoeatHome</UserGroup>
    			<PrimaryProtocol>IPsec</PrimaryProtocol>
    		</HostEntry>
    	</ServerList>
    </AnyConnectProfile>
I use CentOS release 8.4.2105 and AnyConnect 4.10.000093. Every time I want to connect I get these two messages (I guess the second one relates to the first one):

First: Certificate Validation Failure
Second: The IPsec VPN Connection was terminated due to an authentication failure or timeout...


I searched all information about certificates, but nothing worked. I tried to include the certificate in the Firefox bundle (I read that in some forum), which was no problem, but it didn't work for AnyConnect.

Then I tried to add the certificate to CentOS: I converted the *.p12 to *.pem format and copied it to

/etc/pki/ca-trust/source/anchors/
/usr/share/pki/ca-trust-source/

together with the command: update-ca-trust

The certificate is part of the created bundles, but it didn't help with anyconnect.


My last try was openconnect.
openconnect --protocol=anyconnect --xmlconfig=johndoe.xml --authgroup=JohnDoeatHome -k PKCS12 -c JohnDoe.p12 -u SECRET vpnathome.organisation.de

Did not work "Login failed"



I have no clue how to proceed further; thanks for all hints. How can I include the certificate in AnyConnect? The profile is no problem. Can the IPsec protocol be a problem?
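The profile in the post carries a CertificateMatch block with three DistinguishedName rules (O, OU and CN must equal fixed strings), so one thing worth checking when the client reports a certificate validation failure is whether the subject of the certificate inside the .p12 actually satisfies those rules. The script below is an added example, not code from the post or from Cisco: it parses the rules out of the profile XML and evaluates them against a certificate subject. It assumes the rules are combined with AND, that Operator is Equal or NotEqual, and that the subject line comes from `openssl pkcs12 -in johndoe.p12 -clcerts -nokeys | openssl x509 -noout -subject -nameopt RFC2253`; the helper name parse_openssl_subject and the sample subject are this example's own.

```python
"""Evaluate the <CertificateMatch> rules of an AnyConnect XML profile against a
client certificate subject.  Added example, not code from the thread or from Cisco."""
import fnmatch
import re
import xml.etree.ElementTree as ET

# Namespace used by the profile in the post.
NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}

# Constructed excerpt of the posted profile: only the parts the matcher reads.
PROFILE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <CertificateMatch>
      <DistinguishedName>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
          <Name>O</Name><Pattern>University Hospital Jena</Pattern>
        </DistinguishedNameDefinition>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
          <Name>OU</Name><Pattern>UKJatHome</Pattern>
        </DistinguishedNameDefinition>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
          <Name>CN</Name><Pattern>ukj@home</Pattern>
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>
  </ClientInitialization>
</AnyConnectProfile>
"""


def load_dn_rules(profile_xml):
    """Return the DistinguishedName rules as (name, pattern, operator, wildcard, match_case)."""
    root = ET.fromstring(profile_xml)
    rules = []
    for d in root.iterfind(".//ac:DistinguishedNameDefinition", NS):
        rules.append((
            d.findtext("ac:Name", namespaces=NS).strip(),
            d.findtext("ac:Pattern", namespaces=NS).strip(),
            d.get("Operator", "Equal"),
            d.get("Wildcard", "Disabled") == "Enabled",
            d.get("MatchCase", "Enabled") == "Enabled",
        ))
    return rules


def parse_openssl_subject(line):
    """Turn 'subject=CN=x,OU=y,O=z' (openssl x509 -subject -nameopt RFC2253) into a dict.
    RFC 2253 escapes commas inside values as '\\,', so split only on bare commas."""
    line = line.strip()
    if line.startswith("subject="):
        line = line[len("subject="):]
    subject = {}
    for rdn in re.split(r"(?<!\\),", line):
        name, _, value = rdn.partition("=")
        subject[name.strip()] = value.replace("\\,", ",")
    return subject


def rule_matches(value, pattern, wildcard, match_case):
    """Compare one subject attribute value against a rule pattern."""
    if value is None:            # attribute absent from the subject: cannot match
        return False
    if not match_case:
        value, pattern = value.lower(), pattern.lower()
    if wildcard:                 # Wildcard="Enabled": shell-style * and ? in the pattern
        return fnmatch.fnmatchcase(value, pattern)
    return value == pattern


def evaluate(profile_xml, subject):
    """Return (all_rules_pass, [(name, pattern, passed), ...]).
    Assumption of this example: rules are ANDed; Operator is Equal or NotEqual."""
    results = []
    for name, pattern, operator, wildcard, match_case in load_dn_rules(profile_xml):
        hit = rule_matches(subject.get(name), pattern, wildcard, match_case)
        passed = hit if operator == "Equal" else not hit
        results.append((name, pattern, passed))
    return all(passed for _, _, passed in results), results


if __name__ == "__main__":
    # Constructed subject line in the shape openssl prints it.
    subj = parse_openssl_subject("subject=CN=John Doe,OU=UKJatHome,O=University Hospital Jena")
    ok, details = evaluate(PROFILE_XML, subj)
    for name, pattern, passed in details:
        print(f"{name} == {pattern!r}: {'ok' if passed else 'FAIL'}")
    print("profile rules satisfied" if ok else "certificate would not satisfy CertificateMatch")
```

Run it with the real subject line from your own .p12 in place of the constructed one; a FAIL on any rule means the profile would not select that certificate, independent of whether the CA chain is trusted.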

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: Problems with anyconnect vpn under CentOS8 (IPsec protocol)

Post by aks » 2021/11/03 20:08:57

Well, first I'd check that IPsec agrees on the "stuff" to use on both sides.

Next I'd check the CA chain of the certificates on both sides.
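A way to carry out the chain check on the kind of PKCS#12 bundle the question describes, as an added example that is not from either post: it builds a throwaway CA and client certificate, exports them as a .p12 with password "secret", then extracts only the client certificate (with -nokeys) and verifies it against the CA certificates carried in the same bundle. It assumes the openssl command-line tool is installed; every name, subject and the password are constructed. It also makes a caveat concrete: a .p12 contains the private key, so a .pem produced by a plain conversion is not something to copy into a CA trust directory, and a client certificate is not a trust anchor in any case.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a throwaway CA and client
# certificate, packs them into a PKCS#12 file like the one in the question,
# then runs two checks: extract only the client certificate (never the
# private key) and verify its chain. Needs the openssl CLI; every name,
# subject and the password "secret" is constructed for this example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway issuing CA (constructed). "req -x509" marks it CA:TRUE by default.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example Org/CN=Example Issuing CA" \
        -keyout "$WORK/ca-key.pem" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Client certificate signed by that CA, exported as PKCS#12 (cert + key + CA).
make_client_p12() {
    openssl req -newkey rsa:2048 -nodes \
        -subj "/O=Example Org/OU=ExampleOU/CN=example@home" \
        -keyout "$WORK/client-key.pem" -out "$WORK/client.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/client.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca-key.pem" -CAcreateserial \
        -out "$WORK/client.pem" >/dev/null 2>&1
    openssl pkcs12 -export -in "$WORK/client.pem" -inkey "$WORK/client-key.pem" \
        -certfile "$WORK/ca.pem" -passout pass:secret -out "$WORK/client.p12"
}

# Check 1: the client certificate alone. -clcerts selects it, -nokeys leaves
# the private key inside the .p12. A plain "pkcs12 -nodes" dump would contain
# that key, which is one reason such a .pem must never be copied into a CA
# trust directory (and a client certificate is not a trust anchor anyway).
extract_client_cert() {              # $1 = .p12 file, $2 = output .pem
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin pass:secret 2>/dev/null \
        | openssl x509 -out "$2"
}

# Check 2: take the CA certificates carried in the same bundle and verify the
# client certificate against them; a failure here means the chain is incomplete
# or the client cert was not issued by the CA the peer expects.
verify_chain() {                     # $1 = .p12 file, $2 = client .pem
    openssl pkcs12 -in "$1" -cacerts -nokeys -passin pass:secret 2>/dev/null \
        > "$WORK/chain.pem"
    openssl verify -CAfile "$WORK/chain.pem" "$2" >/dev/null 2>&1
}

# Subject in RFC 2253 form, the string a CertificateMatch rule is compared with.
subject_of() {                       # $1 = certificate .pem
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

make_ca
make_client_p12
extract_client_cert "$WORK/client.p12" "$WORK/client-only.pem"
if verify_chain "$WORK/client.p12" "$WORK/client-only.pem"; then
    echo "chain: OK"
else
    echo "chain: FAILED"
fi
echo "subject: $(subject_of "$WORK/client-only.pem")"
```

For a real bundle, replace the generated client.p12 with your own file and the password with yours; if verify_chain fails against the CA certificates inside the bundle, the bundle is missing the issuing chain, and that is what to compare against the CA the VPN gateway trusts.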
