01-05-2021



OpenConnect SSL VPN software was created to allow remote users and employees to connect securely from Linux systems to a Cisco, Juniper or Palo Alto SSL VPN gateway running in an enterprise environment.

OpenConnect is not officially supported by, or associated in any way with, Cisco Systems, Juniper Networks, Pulse Secure, Palo Alto Networks, F5, or Fortinet, or any of the companies whose protocols we may support in the future. It just happens to interoperate with their equipment.

The program openconnect connects to Cisco 'AnyConnect' VPN servers, which use the standard TLS and DTLS protocols for data transport. The connection happens in two phases. First there is a simple HTTPS connection over which the user authenticates somehow, by using a certificate, a password, SecurID, etc. A Cisco AnyConnect CSD wrapper for OpenConnect (enhanced to auto-download and auto-update hostscan) is available as csd-wrapper.sh.

OpenConnect is not officially supported by these network vendors (Cisco Systems, Juniper Networks, Pulse Secure, or Palo Alto Networks). However, if you're using a Linux machine with no official or only limited vendor support, you should look at the OpenConnect SSL VPN client instead to connect to your company's VPN gateway.

Employees can use the OpenConnect SSL VPN client to connect, and if authentication succeeds, the connected users are granted access to internal resources.


To learn how to install the official Cisco AnyConnect SSL VPN client, read this post.

This post shows you how to install the OpenConnect SSL VPN client on Ubuntu 18.04 or 16.04 and connect to popular VPN gateways.

When you’re ready to install OpenConnect, follow the steps below:

Step 1: Install OpenConnect

The OpenConnect SSL VPN client is included in the default Ubuntu repositories, so no additional software sources or configuration are needed to get the package.

Simply use the commands below to install OpenConnect on Ubuntu machines.

Step 2: Connect to SSL VPN Servers

Once the OpenConnect package has been installed on Ubuntu, you should be ready to connect to SSL VPN servers such as Cisco's AnyConnect SSL VPN and Juniper Pulse Connect Secure.

Simply run the command below to establish a VPN connection to your VPN gateway. In this example, our VPN gateway is vpn.example.com:

sudo openconnect -u user --passwd-on-stdin vpn.example.com

Replace vpn.example.com with your SSL VPN gateway's hostname or IP address. Press Enter to initiate the connection; if the server is up, you should be prompted for a password to authenticate.
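As an added example (not part of the original post and not code from the OpenConnect project), the following POSIX shell wrapper turns the command above into a small script. It feeds the password to openconnect's --passwd-on-stdin option from a file rather than typing it interactively or placing it on the command line, and refuses to run if that file is readable by other local users. The gateway name, user name and the password file path ($VPN_PASS_FILE) are assumptions, and the permission check relies on GNU coreutils stat as shipped with Ubuntu.

```shell
#!/bin/sh
# vpn-connect.sh: added example wrapper around the openconnect command shown
# above; not part of the original post or of the OpenConnect project.
# Assumptions: GNU coreutils stat (Ubuntu), password stored in $VPN_PASS_FILE
# (hypothetical path), gateway and user name taken from the environment.

VPN_GATEWAY="${VPN_GATEWAY:-vpn.example.com}"
VPN_USER="${VPN_USER:-user}"
VPN_PASS_FILE="${VPN_PASS_FILE:-$HOME/.config/vpn/password}"

# Return 0 only if $1 is a regular file whose mode has no group/other bits
# (e.g. 0600 or 0400); anything else would let other local users read the
# VPN password, so the wrapper refuses it.
check_pass_file() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null) || return 1
    # Keep the three low octal digits; stat prints a fourth for setuid/sticky.
    mode=$(printf '%s' "$mode" | tail -c 3)
    case "$mode" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

connect_vpn() {
    if ! command -v openconnect >/dev/null 2>&1; then
        echo "openconnect is not installed; run: sudo apt install openconnect" >&2
        return 2
    fi
    if ! check_pass_file "$VPN_PASS_FILE"; then
        echo "refusing to start: $VPN_PASS_FILE must be a regular file with mode 0600" >&2
        return 1
    fi
    # --passwd-on-stdin reads the password from stdin, so it never appears in
    # the process list (ps) or in the shell history.
    sudo openconnect -u "$VPN_USER" --passwd-on-stdin "$VPN_GATEWAY" < "$VPN_PASS_FILE"
}

# Only dial out when explicitly asked, so the file can be sourced for testing.
if [ "${VPN_CONNECT_RUN:-0}" = "1" ]; then
    connect_vpn
fi
```

Run it as `VPN_CONNECT_RUN=1 VPN_USER=jdoe VPN_GATEWAY=vpn.example.com sh vpn-connect.sh` after creating the password file with `chmod 600`. The permission check is the point of the wrapper: a password that only reaches openconnect over stdin still leaks if the file it lives in is world-readable.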

After a successful connection and authentication, you should see a message similar to the one below:

That's it! You're now connected and can use internal resources from your Linux machine.

Congratulations! You have successfully installed and configured OpenConnect to access Cisco and other vendors' VPN gateways.


OpenConnect

OpenConnect is a cross-platform multi-protocol SSL VPN client which supports a number of VPN protocols:

  • Cisco AnyConnect (--protocol=anyconnect)
  • Juniper SSL VPN (--protocol=nc)
  • Pulse Connect Secure (--protocol=pulse)
  • Palo Alto Networks GlobalProtect SSL VPN (--protocol=gp)
  • F5 Big-IP SSL VPN (--protocol=f5)
  • Fortinet Fortigate SSL VPN (--protocol=fortinet)

OpenConnect is not officially supported by, or associated in any way with, Cisco Systems, Juniper Networks, Pulse Secure, Palo Alto Networks, F5, or Fortinet, or any of the companies whose protocols we may support in the future. It just happens to interoperate with their equipment. Trademarks belong to their owners in a rather tautological and obvious fashion.

An OpenConnect VPN server (ocserv), which implements an improved version of the Cisco AnyConnect protocol, has also been written.

OpenConnect is released under the GNU Lesser General Public License (LGPL), version 2.1.

Motivation

Development of OpenConnect was started after a trial of the Cisco AnyConnect client under Linux found it to have many deficiencies:

  • Inability to use SSL certificates from a TPM or PKCS#11 smartcard, or even use a passphrase.
  • Lack of support for Linux platforms other than i386.
  • Lack of integration with NetworkManager on the Linux desktop.
  • Lack of proper (RPM/DEB) packaging for Linux distributions.
  • 'Stealth' use of libraries with dlopen(), even using the development-only symlinks such as libz.so, making it hard to properly discover the dependencies which proper packaging would have expressed.
  • Tempfile races allowing unprivileged users to trick it into overwriting arbitrary files, as root.
  • Unable to run as an unprivileged user, which would have reduced the severity of the above bug.
  • Inability to audit the source code for further such 'Security 101' bugs.

Naturally, OpenConnect addresses all of the above issues, and more.

New protocols


Adding new protocols to OpenConnect is relatively simple, and additional protocols have been added over the years, since using OpenConnect allows a developer to concentrate on the protocol itself: most of the boring details about platform-specific tunnel management and IP configuration, and the handling of client SSL certificates, are already resolved.

If you have a protocol which you think it makes sense to support in OpenConnect, especially if you are able to help with interoperability testing, please file an issue in GitLab.

Consistent multi-protocol support


Wherever possible, OpenConnect presents a uniform API and command-line interface to each of these VPNs. For example, openconnect --force-dpd=10 will attempt dead peer detection every 10 seconds on every VPN that supports it, even though the actual mechanism used may be protocol-specific. Protocol-specific features and deficiencies are described on the individual protocol pages.