Cisco Anyconnect Arch Linux

Posted onby
Cisco anyconnect client arch linux

Cisco Anyconnect Client Arch Linux

LinuxLinux

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms.

2016-02-05 09:55:51 UTC
Cisco Anyconnect Arch Linux

Cisco Anyconnect Arch Linux Update

Hi.
Please help to make friends OpenConnect VPN server and Cisco AnyConnect.
uname -a
Linux server 3.18.11-smp #1 SMP i686 Intel(R) XEON(TM) CPU 1.80GHz
GenuineIntel GNU/Linux
gnutls-3.3.17.1
./configure
--prefix=/usr
--libdir=/usr/lib${LIBDIRSUFFIX}
--sysconfdir=/etc
--localstatedir=/var
--infodir=/usr/info
--mandir=/usr/man
--enable-static=no
--disable-rpath
--with-included-libtasn1
--build=$ARCH-slackware-linux
--host=$ARCH-slackware-linux
ocserv-0.9.2
./configure --prefix=/usr --host=$HOST
LIBGNUTLS_CFLAGS='-I/usr/include' LIBGNUTLS_LIBS='-L/usr/lib -lgnutls'

LIBREADLINE_CFLAGS='-I/usr/include/readline'
LIBREADLINE_LIBS='-L/usr/lib -lreadline -lncurses'
--enable-local-libopts=yes
Cisco AnyConnect Secure Mobility Client Version 3.1.04072
Connection attempt has failed due to server communication errors.
Please retry the connection. :(
ocserv[26214]: main: putting process 26999 to cgroup 'cpuset:test'
ocserv[26214]: main: main-misc.c:837: cannot open:
/sys/fs/cgroup/cpuset/test/tasks
ocserv[26999]: worker: 10.10.10.9:35625 accepted connection
ocserv[26999]: TLS[<5>]: REC[0x80e9008]: Allocating epoch #0
ocserv[26999]: TLS[<3>]: ASSERT: gnutls_constate.c:586
ocserv[26999]: TLS[<5>]: REC[0x80e9008]: Allocating epoch #1
ocserv[26999]: TLS[<3>]: ASSERT: gnutls_buffers.c:1138
ocserv[26999]: TLS[<5>]: REC[0x80e9008]: SSL 3.1 Handshake packet
received. Epoch 0, length: 57
ocserv[26999]: TLS[<5>]: REC[0x80e9008]: Expected Packet Handshake(22)
ocserv[26999]: TLS[<5>]: REC[0x80e9008]: Received Packet Handshake(22)
with length: 57
ocserv[26999]: TLS[<5>]: REC[0x80e9008]: Decrypted Packet[0]
Handshake(22) with length: 57
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: CLIENT HELLO (1) was
received. Length 53[53], frag offset 0, frag length: 53, sequence: 0
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Client's version: 3.1
ocserv[26999]: TLS[<3>]: ASSERT: gnutls_db.c:263
ocserv[26999]: TLS[<3>]: ASSERT: gnutls_extensions.c:158
ocserv[26999]: TLS[<3>]: ASSERT: gnutls_extensions.c:158
ocserv[26999]: TLS[<3>]: ASSERT: gnutls_extensions.c:158
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Received safe renegotiation CS
ocserv[26999]: TLS[<3>]: ASSERT: server_name.c:297
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Requested PK algorithm: RSA
(1) -- ctype: X.509 (1)
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: certificate[0] PK algorithm:
RSA (1) - ctype: X.509 (1)
ocserv[26999]: TLS[<3>]: ASSERT: gnutls_x509.c:1403
ocserv[26999]: TLS[<3>]: ASSERT: gnutls_x509.c:1403
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
ECDHE_ECDSA_AES_128_CBC_SHA1
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
ECDHE_ECDSA_AES_128_CBC_SHA256
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
ECDHE_ECDSA_AES_256_CBC_SHA1
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
ECDHE_ECDSA_AES_256_CBC_SHA384
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
ECDHE_ECDSA_3DES_EDE_CBC_SHA1
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
ECDHE_ECDSA_ARCFOUR_128_SHA1
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
ECDHE_RSA_AES_128_CBC_SHA1
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
ECDHE_RSA_AES_128_CBC_SHA256
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
ECDHE_RSA_AES_256_CBC_SHA1
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
ECDHE_RSA_AES_256_CBC_SHA384
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
ECDHE_RSA_CAMELLIA_128_CBC_SHA256
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
ECDHE_RSA_CAMELLIA_256_CBC_SHA384
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
ECDHE_RSA_3DES_EDE_CBC_SHA1
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
ECDHE_RSA_ARCFOUR_128_SHA1
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
RSA_AES_128_CBC_SHA1
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
RSA_AES_128_CBC_SHA256
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
RSA_AES_256_CBC_SHA1
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
RSA_AES_256_CBC_SHA256
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
RSA_CAMELLIA_128_CBC_SHA1
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
RSA_CAMELLIA_128_CBC_SHA256
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
RSA_CAMELLIA_256_CBC_SHA1
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
RSA_CAMELLIA_256_CBC_SHA256
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
RSA_3DES_EDE_CBC_SHA1
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
RSA_ARCFOUR_128_SHA1
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
RSA_ARCFOUR_128_MD5
ocserv[26999]: TLS[<3>]: ASSERT: gnutls_handshake.c:3370
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
DHE_RSA_AES_128_CBC_SHA1
ocserv[26999]: TLS[<3>]: ASSERT: gnutls_handshake.c:3370
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
DHE_RSA_AES_128_CBC_SHA256
ocserv[26999]: TLS[<3>]: ASSERT: gnutls_handshake.c:3370
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
DHE_RSA_AES_256_CBC_SHA1
ocserv[26999]: TLS[<3>]: ASSERT: gnutls_handshake.c:3370
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
DHE_RSA_AES_256_CBC_SHA256
ocserv[26999]: TLS[<3>]: ASSERT: gnutls_handshake.c:3370
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
DHE_RSA_CAMELLIA_128_CBC_SHA1
ocserv[26999]: TLS[<3>]: ASSERT: gnutls_handshake.c:3370
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
DHE_RSA_CAMELLIA_128_CBC_SHA256
ocserv[26999]: TLS[<3>]: ASSERT: gnutls_handshake.c:3370
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
DHE_RSA_CAMELLIA_256_CBC_SHA1
ocserv[26999]: TLS[<3>]: ASSERT: gnutls_handshake.c:3370
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
DHE_RSA_CAMELLIA_256_CBC_SHA256
ocserv[26999]: TLS[<3>]: ASSERT: gnutls_handshake.c:3370
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
DHE_RSA_3DES_EDE_CBC_SHA1
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
DHE_DSS_AES_128_CBC_SHA1
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
DHE_DSS_AES_128_CBC_SHA256
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
DHE_DSS_AES_256_CBC_SHA1
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
DHE_DSS_AES_256_CBC_SHA256
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
DHE_DSS_CAMELLIA_128_CBC_SHA1
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
DHE_DSS_CAMELLIA_128_CBC_SHA256
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
DHE_DSS_CAMELLIA_256_CBC_SHA1
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
DHE_DSS_CAMELLIA_256_CBC_SHA256
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
DHE_DSS_3DES_EDE_CBC_SHA1
ocserv[26999]: TLS[<4>]: HSK[0x80e9008]: Removing ciphersuite:
DHE_DSS_ARCFOUR_128_SHA1
ocserv[26999]: TLS[<3>]: ASSERT: gnutls_handshake.c:962
ocserv[26999]: TLS[<3>]: ASSERT: gnutls_handshake.c:667
ocserv[26999]: TLS[<3>]: ASSERT: gnutls_handshake.c:2250
ocserv[26999]: TLS[<3>]: ASSERT: gnutls_handshake.c:1463
ocserv[26999]: TLS[<3>]: ASSERT: gnutls_handshake.c:3098
ocserv[26999]: GnuTLS error (at worker-vpn.c:349): Could not negotiate
a supported cipher suite.
ocserv[26214]: main: 10.10.10.9:35625 main-misc.c:506: command socket closed
ocserv[26214]: main: 10.10.10.9:35625 removing client ' with id '26999'
ocserv.conf
# User authentication method. Could be set multiple times and in
# that case all should succeed. To enable multiple methods use
# multiple auth directives. Available options: certificate,
# plain, pam, radius, gssapi.
#
# Note that authentication methods cannot be changed with reload.
# certificate:
# This indicates that all connecting users must present a certificate.
#
# pam[gid-min=1000]:
# This enabled PAM authentication of the user. The gid-min option is used
# by auto-select-group option, in order to select the minimum valid group ID.
#
# plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp]
# The plain option requires specifying a password file which contains
# entries of the following format.
# 'username:groupname1,groupname2:encoded-password'
# One entry must be listed per line, and ?ocpasswd? should be used
# to generate password entries. The ?otp? suboption allows to specify
# an oath password file to be used for one time passwords; the format of
# the file is described in
https://code.google.com/p/mod-authn-otp/wiki/UsersFile
#
# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]:
# The radius option requires specifying freeradius-client configuration
# file. If the groupconfig option is set, then config-per-user will be
overriden,
# and all configuration will be read from radius. That also includes the
# Acct-Interim-Interval, and Session-Timeout values.
#
# The supported atributes for radius configuration are:
# Group-Name, Framed-IPv6-Address, Framed-IPv6-Prefix, DNS-Server-IPv6-Address,
# Framed-IP-Address, Framed-IP-Netmask, MS-Primary-DNS-Server,
MS-Secondary-DNS-Server,
# Acct-Interim-Interval.
#
# gssapi[keytab=/etc/key.tab,require-local-user-map=false,tgt-freshness-time=900,gid-min=1000]
# The gssapi option allows to use authentication methods supported by GSSAPI,
# such as Kerberos tickets with ocserv. It should be best used as an alternative
# to PAM (i.e., have pam in auth and gssapi in enable-auth), to allow users with
# tickets and without tickets to login. The default value for
require-local-user-map
# is true. The ?tgt-freshness-time? if set, it would require the TGT
tickets presented
# to have been issued within the provided number of seconds. That
option is used to
# restrict logins even if the KDC provides long time TGT tickets.
# The gid-min option is used by auto-select-group option, in order to
select the minimum
# valid group ID.
#auth = 'certificate'
#auth = 'pam'
#auth = 'pam[gid-min=1000]'
#auth = 'plain[passwd=/etc/ocserv/ocpasswd]'
#auth = 'radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]'
auth = 'plain[/etc/ocpasswd]'
# Specify alternative authentication methods that are sufficient
# for authentication. That is, if set, any of the methods enabled
# will be sufficient to login.
#enable-auth = 'certificate'
#enable-auth = 'gssapi'
#enable-auth = 'gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]'
# Accounting methods available:
# radius: can be combined with any authentication method, it provides
# radius accounting to available users (see also stats-report-time).
#
# pam: can be combined with any authentication method, it provides
# a validation of the connecting user?s name using PAM. It is
# superfluous to use this method when authentication is already
# PAM.
#
# Only one accounting method can be specified.
#acct = 'radius[config=/etc/radiusclient/radiusclient.conf]'
# Use listen-host to limit to specific IPs or to the IPs of a provided
# hostname.
#listen-host = [IP HOSTNAME]
# TCP and UDP port number
#tcp-port = 4443
#udp-port = 4443
tcp-port = 443
udp-port = 443
# Accept connections using a socket file. It accepts HTTP
# connections (i.e., without SSL/TLS unlike its TCP counterpart),
# and uses it as the primary channel. That option cannot be
# combined with certificate authentication.
#listen-clear-file = /var/run/ocserv-conn.socket
# The user the worker processes will be run as. It should be
# unique (no other services run as this user).
#run-as-user = nobody
run-as-user = root
#run-as-group = nogroup
run-as-group = root
# The default server directory. Does not require any devices present.
#chroot-dir = /path/to/chroot
# socket file used for IPC with occtl. You only need to set that,
# if you use more than a single servers.
#occtl-socket-file = /var/run/occtl.socket
# socket file used for server IPC (worker - sec-mod), will be appended with .PID
# It must be accessible within the chroot environment (if any), so it is best
# specified relatively to the chroot directory.
socket-file = /var/run/ocserv-socket
# The key and the certificates of the server
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
# or pkcs11:object=my-vpn-key;object-type=private)
#
# The server-cert file may contain a single certificate, or
# a sorted certificate chain.
#
# There may be multiple server-cert and server-key directives,
# but each key should correspond to the preceding certificate.
#server-cert = /path/to/cert.pem
#server-key = /path/to/key.pem
#server-cert = /etc/server-cert.pem
#server-key = /etc/server-key.pem
server-cert = /etc/ssl/certs/server-cert.pem
server-key = /etc/ssl/private/server-key.pem
# Diffie-Hellman parameters. Only needed if you require support
# for the DHE ciphersuites (by default this server supports ECDHE).
# Can be generated using:
# certtool --generate-dh-params --outfile /path/to/dh.pem
#dh-params = /path/to/dh.pem
# In case PKCS #11, TPM or encrypted keys are used the PINs should be available
# in files. The srk-pin-file is applicable to TPM keys only, and is the
# storage root key.
#pin-file = /path/to/pin.txt
#srk-pin-file = /path/to/srkpin.txt
# The password or PIN needed to unlock the key in server-key file.
# Only needed if the file is encrypted or a PKCS #11 object. This
# is an alternative method to pin-file.
#key-pin = 1234
# The SRK PIN for TPM.
# This is an alternative method to srk-pin-file.
#srk-pin = 1234
# The Certificate Authority that will be used to verify
# client certificates (public keys) if certificate authentication
# is set.
#ca-cert = /path/to/ca.pem
ca-cert = /etc/ssl/certs/ca-cert.pem
### All configuration options below this line are reloaded on a SIGHUP.
### The options above, will remain unchanged.
# Whether to enable seccomp/Linux namespaces worker isolation. That
restricts the number of
# system calls allowed to a worker process, in order to reduce damage from a
# bug in the worker process. It is available on Linux systems at a
performance cost.
# The performance cost is roughly 2% overhead at transfer time (tested
on a Linux 3.17.8).
#isolate-workers = true
isolate-workers = false
# A banner to be displayed on clients
#banner = 'Welcome'
banner = 'Welcome'
# Limit the number of clients. Unset or set to zero for unlimited.
#max-clients = 1024
max-clients = 16
# Limit the number of identical clients (i.e., users connecting
# multiple times). Unset or set to zero for unlimited.
max-same-clients = 3
# When the server has a dynamic DNS address (that may change),
# should set that to true to ask the client to resolve again on
# reconnects.
#listen-host-is-dyndns = true
# When the server receives connections from a proxy, like haproxy
# which supports the proxy protocol, set this to obtain the correct
# client addresses. The proxy protocol (v2) would then be expected in
# the TCP or UNIX socket (not the UDP one).
#listen-proxy-proto = true
# Limit the number of client connections to one every X milliseconds
# (X is the provided value). Set to zero for no limit.
#rate-limit-ms = 100
# Stats report time. The number of seconds after which each
# worker process will report its usage statistics (number of
# bytes transferred etc). This is useful when accounting like
# radius is in use.
#stats-report-time = 360
# Keepalive in seconds
keepalive = 32400
# Dead peer detection in seconds.
# Note that when the client is behind a NAT this value
# needs to be short enough to prevent the NAT disassociating
# his UDP session from the port number. Otherwise the client
# could have his UDP connection stalled, for several minutes.
#dpd = 90
dpd = 1900
# Dead peer detection for mobile clients. That needs to
# be higher to prevent such clients being awaken too
# often by the DPD messages, and save battery.
# The mobile clients are distinguished from the header
# ?X-AnyConnect-Identifier-DeviceType?.
mobile-dpd = 1800
# MTU discovery (DPD must be enabled)
# If set, this forces all UDP packets to carry the don?t fragment
# (DF) bit.
#try-mtu-discovery = false
try-mtu-discovery = true
# The revocation list of the certificates issued by the ?ca-cert? above.
# See the manual to generate an empty CRL initially. The CRL will be reloaded
# periodically when ocserv detects a change in the file. To force a reload use
# SIGHUP.
#crl = /path/to/crl.pem
# If you have a certificate from a CA that provides an OCSP
# service you may provide a fresh OCSP status response within
# the TLS handshake. That will prevent the client from connecting
# independently on the OCSP server.
# You can update this response periodically using:
# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
# Make sure that you replace the following file in an atomic way.
#ocsp-response = /path/to/ocsp.der
# The object identifier that will be used to read the user ID in the client
# certificate. The object identifier should be part of the certificate?s DN
# Useful OIDs are:
# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
#cert-user-oid = 0.9.2342.19200300.100.1.1
# The object identifier that will be used to read the user group in the
# client certificate. The object identifier should be part of the certificate?s
# DN. Useful OIDs are:
# OU (organizational unit) = 2.5.4.11
#cert-group-oid = 2.5.4.11
# Uncomment this to enable compression negotiation (LZS, LZ4).
#compression = true
# Set the minimum size under which a packet will not be compressed.
# That is to allow low-latency for VoIP packets. The default size
# is 256 bytes. Modify it if the clients typically use compression
# as well of VoIP with codecs that exceed the default value.
#no-compress-limit = 256
# GnuTLS priority string; note that SSL 3.0 is disabled by default
# as there are no openconnect (and possibly anyconnect clients) using
# that protocol. The string below does not enforce perfect forward
# secrecy, in order to be compatible with legacy clients.
#
# Note that the most performant ciphersuites are the moment are the ones
# involving AES-GCM. These are very fast in x86 and x86-64 hardware, and
# in addition require no padding, thus taking full advantage of the MTU.
# For that to be taken advantage of, the openconnect client must be
# used, and the server must be compiled against GnuTLS 3.2.7 or later.
# Use 'gnutls-cli --benchmark-tls-ciphers', to see the performance
# difference with AES_128_CBC_SHA1 (the default for anyconnect clients)
# in your system.
#tls-priorities = 'NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0'
tls-priorities = 'NORMAL:%SERVER_PRECEDENCE:%COMPAT'
# More combinations in priority strings are available, check
# http://gnutls.org/manual/html_node/Priority-Strings.html
# E.g., the string below enforces perfect forward secrecy (PFS)
# on the main channel.
#tls-priorities =
'NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128'
# The time (in seconds) that a client is allowed to stay connected prior
# to authentication
#auth-timeout = 40
auth-timeout = 4000
# The time (in seconds) that a client is allowed to stay idle (no traffic)
# before being disconnected. Unset to disable.
#idle-timeout = 1200
# The time (in seconds) that a client is allowed to stay connected
# Unset to disable.
#session-timeout = 86400
# The time (in seconds) that a mobile client is allowed to stay idle (no
# traffic) before being disconnected. Unset to disable.
#mobile-idle-timeout = 2400
# The time (in seconds) that a client is not allowed to reconnect after
# a failed authentication attempt.
min-reauth-time = 120
# Banning clients in ocserv works with a point system. IP addresses
# that get a score over that configured number are banned for
# min-reauth-time seconds. By default a wrong password attempt is 10 points,
# a KKDCP POST is 1 point, and a connection is 1 point. Note that
# due to difference processes being involved the count of points
# will not be real-time precise.
#
# Score banning cannot be reliably used when receiving proxied connections
# locally from an HTTP server (i.e., when listen-clear-file is used).
#
# Set to zero to disable.
#max-ban-score = 50
# The time (in seconds) that all score kept for a client is reset.
#ban-reset-time = 300
# In case you?d like to change the default points.
#ban-points-wrong-password = 10
#ban-points-connection = 1
#ban-points-kkdcp = 1
# Cookie timeout (in seconds)
# Once a client is authenticated he?s provided a cookie with
# which he can reconnect. That cookie will be invalided if not
# used within this timeout value. On a user disconnection, that
# cookie will also be active for this time amount prior to be
# invalid. That should allow a reasonable amount of time for roaming
# between different networks.
#cookie-timeout = 300
cookie-timeout = 86400000
# Cookie rekey time (in seconds)
# The time after which the key used to encrypt cookies will be
# refreshed. After this time the previous key will also be valid
# for verification. It is recommended not to modify the default
# value.
#cookie-rekey-time = 14400
#cookie-rekey-time = 172800
# If this is enabled (not recommended) the cookies will stay
# valid even after a user manually disconnects, and until they
# expire. This may improve roaming with some broken clients.
#persistent-cookies = true
# Whether roaming is allowed, i.e., if true a cookie is
# restricted to a single IP address and cannot be re-used
# from a different IP.
deny-roaming = false
# ReKey time (in seconds)
# ocserv will ask the client to refresh keys periodically once
# this amount of seconds is elapsed. Set to zero to disable (note
# that, some clients fail if rekey is disabled).
rekey-time = 172800
# ReKey method
# Valid options: ssl, new-tunnel
# ssl: Will perform an efficient rehandshake on the channel allowing
# a seamless connection during rekey.
# new-tunnel: Will instruct the client to discard and re-establish the channel.
# Use this option only if the connecting clients have issues with the ssl
# option.
rekey-method = ssl
# Script to call when a client connects and obtains an IP.
# The following parameters are passed on the environment.
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
# DEVICE, IP_REAL (the real IP of the client), IP_REAL_LOCAL (the local
# interface IP the client connected), IP_LOCAL (the local IP
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
# IPV6_LOCAL (the IPv6 local address if there are both IPv4 and IPv6
# assigned), IPV6_REMOTE (the IPv6 remote address), IPV6_PREFIX, and
# ID (a unique numeric ID); REASON may be 'connect' or 'disconnect'.
# In addition the following variables OCSERV_ROUTES (the applied routes for this
# client), OCSERV_NO_ROUTES, OCSERV_DNS (the DNS servers for this client),
# will contain a space separated list of routes or DNS servers. A version
# of these variables with the 4 or 6 suffix will contain only the IPv4 or
# IPv6 values.
# The disconnect script will receive the additional values: STATS_BYTES_IN,
# STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes
# output from the tun device, and the duration of the session in seconds.
#connect-script = /usr/bin/myscript
#disconnect-script = /usr/bin/myscript
# UTMP
# Register the connected clients to utmp. This will allow viewing
# the connected clients using the command ?who?.
#use-utmp = true
use-utmp = true
# Whether to enable support for the occtl tool (i.e., either through D-BUS,
# or via a unix socket).
use-occtl = true
# PID file. It can be overriden in the command line.
pid-file = /var/run/ocserv.pid
# Set the protocol-defined priority (SO_PRIORITY) for packets to
# be sent. That is a number from 0 to 6 with 0 being the lowest
# priority. Alternatively this can be used to set the IP Type-
# Of-Service, by setting it to a hexadecimal number (e.g., 0x20).
# This can be set per user/group or globally.
#net-priority = 3
net-priority = 5
# Set the VPN worker process into a specific cgroup. This is Linux
# specific and can be set per user/group or globally.
#cgroup = 'cpuset,cpu:test'
cgroup = 'cpuset,cpu:test'
#
# Network settings
#
# The name to use for the tun device
device = vpns
# Whether the generated IPs will be predictable, i.e., IP stays the
# same for the same user when possible.
predictable-ips = true
# The default domain to be advertised
default-domain = vpkits.vitebsk.by
# The pool of addresses that leases will be given from. If the leases
# are given via Radius, or via the explicit-ip? per-user config option then
# these network values should contain a network with at least a single
# address that will remain under the full control of ocserv (that is
# to be able to assign the local part of the tun device address).
# Note that, you could use addresses from a subnet of your LAN network if you
# enable proxy arp in the LAN interface (see
http://infradead.org/ocserv/recipes-ocserv-pseudo-bridge.html);
# in that case it is recommended to set ping-leases to true.
#ipv4-network = 192.168.1.0
#ipv4-netmask = 255.255.255.0
ipv4-network = 10.7.7.0
ipv4-netmask = 255.255.255.0
# An alternative way of specifying the network:
#ipv4-network = 192.168.1.0/24
# The IPv6 subnet that leases will be given from.
ipv6-network = fda9:4efe:7e3b:03ea::/48
# Specify the size of the network to provide to clients. It is
# generally recommended to provide clients with a /64 network in
# IPv6, but any subnet may be specified. To provide clients only
# with a single IP use the prefix 128.
#ipv6-subnet-prefix = 128
#ipv6-subnet-prefix = 64
# Whether to tunnel all DNS queries via the VPN. This is the default
# when a default route is set.
#tunnel-all-dns = true
# The advertized DNS server. Use multiple lines for
# multiple servers.
# dns = fc00::4be0
#dns = 192.168.1.2
dns = 8.8.8.8
dns = 8.8.4.4
# The NBNS server (if any)
#nbns = 192.168.1.3
# The domains over which the provided DNS should be used. Use
# multiple lines for multiple domains.
#split-dns = example.com
# Prior to leasing any IP from the pool ping it to verify that
# it is not in use by another (unrelated to this server) host.
# Only set to true, if there can be occupied addresses in the
# IP range for leases.
ping-leases = false
# Use this option to enforce an MTU value to the incoming
# connections. Unset to use the default MTU of the TUN device.
#mtu = 1420
# Unset to enable bandwidth restrictions (in bytes/sec). The
# setting here is global, but can also be set per user or per group.
#rx-data-per-sec = 40000
#tx-data-per-sec = 40000
# The number of packets (of MTU size) that are available in
# the output buffer. The default is low to improve latency.
# Setting it higher will improve throughput.
#output-buffer = 10
# Routes to be forwarded to the client. If you need the
# client to forward routes to the server, you may use the
# config-per-user/group or even connect and disconnect scripts.
#
# To set the server as the default gateway for the client just
# comment out all routes from the server, or use the special keyword
# ?default?.
## Comment out the route of the field, which means that
#all traffic is sent through the VPN
route = 10.7.7.0/255.255.255.0
#route = 192.168.0.0/255.255.0.0
#route = fef4:db8:1000:1001::/64
# Subsets of the routes above that will not be routed by
# the server. Note, that this may currently be not be supported
# by openconnect clients.
no-route = 192.168.5.0/255.255.255.0
# If set, the script /usr/bin/ocserv-fw will be called to restrict
# the user to its allowed routes and prevent him from accessing
# any other routes. In case of defaultroute, the no-routes are restricted.
# All the routes applied by ocserv can be reverted using /usr/bin/ocserv-fw
# --removeall. This option can be set globally or in the per-user configuration.
#restrict-user-to-routes = true
# When set to true, all client?s iroutes are made visible to all
# connecting clients except for the ones offering them. This option
# only makes sense if config-per-user is set.
#expose-iroutes = true
# Groups that a client is allowed to select from.
# A client may belong in multiple groups, and in certain use-cases
# it is needed to switch between them. For these cases the client can
# select prior to authentication. Add multiple entries for multiple groups.
# The group may be followed by a user-friendly name in brackets.
#select-group = group1
#select-group = group2[My special group]
# The name of the (virtual) group that if selected it would assign the user
# to its default group.
#default-select-group = DEFAULT
# Instead of specifying manually all the allowed groups, you may instruct
# ocserv to scan all available groups and include the full list.
#auto-select-group = true
auto-select-group = true
# Configuration files that will be applied per user connection or
# per group. Each file name on these directories must match the username
# or the groupname.
# The options allowed in the configuration files are dns, nbns,
# ipv?-network, ipv4-netmask, rx/tx-per-sec, iroute, route, no-route,
# explicit-ipv4, explicit-ipv6, net-priority, deny-roaming, no-udp,
# keepalive, dpd, mobile-dpd, max-same-clients, tunnel-all-dns,
# restrict-user-to-routes, user-profile, cgroup, stats-report-time,
# and session-timeout.
#
# Note that the ?iroute? option allows to add routes on the server
# based on a user or group. The syntax depends on the input accepted
# by the commands route-add-cmd and route-del-cmd (see below). The no-udp
# is a boolean option (e.g., no-udp = true), and will prevent a UDP session
# for that specific user or group. Note also, that, any DNS or NBNS servers
# present will overwrite the global ones, while any routes or no-routes set
# will be appended to the default set.
#
# Also explicit addresses, are only allowed when they are odd. In that
# case the next even address will be used as the remote address (in PtP).
#config-per-user = /etc/ocserv/config-per-user/
#config-per-group = /etc/ocserv/config-per-group/
# When config-per-xxx is specified and there is no group or user that
# matches, then utilize the following configuration.
#default-user-config = /etc/ocserv/defaults/user.conf
#default-group-config = /etc/ocserv/defaults/group.conf
# The system command to use to setup a route. %{R} will be replaced with the
# route/mask, %{RI} with the route in CIDR format, and %{D} with the
(tun) device.
#
# The following example is from linux systems. %{R} should be something
# like 192.168.2.0/255.255.255.0 and %{RI} 192.168.2.0/24 (the
argument of iroute).
#route-add-cmd = 'ip route add %{R} dev %{D}'
#route-del-cmd = 'ip route delete %{R} dev %{D}'
route-add-cmd = 'ip route add %{R} dev %{D}'
route-del-cmd = 'ip route delete %{R} dev %{D}'
# This option allows to forward a proxy. The special keywords ?%{U}?
# and ?%{G}?, if present will be replaced by the username and group name.
#proxy-url = http://example.com/
#proxy-url = http://example.com/%{U}/
# This option allows you to specify a URL location where a client can
# post using MS-KKDCP, and the message will be forwarded to the provided
# KDC server. That is a translation URL between HTTP and Kerberos.
# You can have the same path used for multiple realms. To authenticate
# in client side, in MIT kerberos you?ll need to add in krb5.conf:
# EXAMPLE.COM = {
# kdc = https://ocserv.example.com/KdcProxy
# http_anchors = FILE:/etc/ocserv-ca.pem
# }
# This option is available if ocserv is compiled with GSSAPI support.
#kkdcp = SERVER-PATH KERBEROS-REALM ***@SERVER:PORT
#kkdcp = /KdcProxy KERBEROS.REALM ***@127.0.0.1:88
#kkdcp = /KdcProxy KERBEROS.REALM ***@127.0.0.1:88
#kkdcp = /KdcProxy KERBEROS.REALM [email protected][::1]:88
#
# The following options are for (experimental) AnyConnect client
# compatibility.
# This option must be set to true to support legacy CISCO clients.
# A side effect of this option is that it will no longer be required
# for clients to present their certificate on every connection.
# That is they may resume a cookie without presenting a certificate
# (when certificate authentication is used).
cisco-client-compat = true
# Client profile xml. A sample file exists in doc/profile.xml.
# It is required by some of the CISCO clients.
# This file must be accessible from inside the worker?s chroot.
# Note that enabling this option is not recommended as it will allow
# the worker processes to open arbitrary files (when isolate-workers is
# set to true).
#user-profile = /path/to/file.xml
user-profile = /etc/ocserv/profile.xml
#Advanced options
# Option to allow sending arbitrary custom headers to the client after
# authentication and prior to VPN tunnel establishment. You shouldn?t
# need to use this option normally; if you do and you think that
# this may help others, please send your settings and reason to
# the openconnect mailing list. The special keywords ?%{U}?
# and ?%{G}?, if present will be replaced by the username and group name.
#custom-header = 'X-My-Header: hi there'
custom-header = 'X-DTLS-MTU: 1200'
custom-header = 'X-CSTP-MTU: 1200'
createsectificate.sh
#!/bin/bash
#! /usr/bin/expect -f
#Generated CA certificate
certtool --generate-privkey --outfile ca-key.pem
cat << _EOF_ >ca.tmpl
cn = 'company VPN'
state = 'City'
country = CH
organization = 'ORG'
serial = 1
expiration_days = 999
email = '***@gmail.com'
ca
signing_key
encryption_key
ipsec_ike_key
cert_signing_key
crl_signing_key
_EOF_
certtool --generate-self-signed --load-privkey ca-key.pem --template
ca.tmpl --outfile ca-cert.pem
#Generate local server certificate
certtool --generate-privkey --outfile server-key.pem
cat << _EOF_ >server.tmpl
cn = 'www.company.org'
organization = 'ORG'
email = '***@gmail.com'
dns_name = 'ns.org.com'
country = CH
state = 'City'
serial = 2
#expiration_days = -1
expiration_days = 999
signing_key
encryption_key #only if the generated key is an RSA one
tls_www_server
ipsec_ike_key
time_stamping_key
_EOF_
certtool --generate-certificate --load-privkey server-key.pem
--load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
--template server.tmpl --outfile server-cert.pem
#Generate a client certificate
certtool --generate-privkey --outfile user-key.pem
cat << _EOF_> user.tmpl
cn = 'org_client'
o = 'ORG'
email = '***@gmail.com'
dns_name = 'ns.org.com'
country = CH
state = 'City'
unit = 'admins'
serial = 3
expiration_days = 999
signing_key
encryption_key #only if the generated key is an RSA one
tls_www_client
ipsec_ike_key
time_stamping_key
_EOF_
certtool --generate-certificate --load-privkey user-key.pem
--load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
--template user.tmpl --outfile user-cert.pem
openssl pkcs12 -export -inkey user-key.pem -in user-cert.pem -name
'user VPN Client Cert' -certfile ca-cert.pem -out user.cert.p12
cp ./ca-cert.pem /etc/ssl/certs
cp ./ca-key.pem /etc/ssl/private
cp ./ca-cert.pem /opt/.cisco/certificates/ca
cp ./ca-key.pem /opt/.cisco/certificates/ca
cp ./server-cert.pem /etc/ssl/certs
cp ./server-key.pem /etc/ssl/private
ocpasswd root -c /etc/ocpasswd
***@server:/etc/ocserv# openssl s_client -connect 10.10.10.9:443
CONNECTED(00000003)
depth=0 CN = xxxxxx, O = xxxx
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = xxxxxx, O = xxx
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = xxxxxx, O = xxx
verify error:num=21:unable to verify the first certificate
verify return:1
ocserv -f -d 9999 --config=/etc/ocserv/ocserv.conf
...
ocserv[31120]: TLS[<9>]: INT: CLIENT WRITE KEY [16]:
8a13e15928cf46222d6fc4b45d3bed07
ocserv[31120]: TLS[<9>]: INT: SERVER WRITE KEY [16]:
d4ea01fd3adbc39ff44ec3f963ba7aea
ocserv[31120]: TLS[<5>]: REC[0x94fd008]: Epoch #1 ready
ocserv[31120]: TLS[<4>]: HSK[0x94fd008]: Cipher Suite:
ECDHE_RSA_AES_128_GCM_SHA256
ocserv[31120]: TLS[<3>]: ASSERT: gnutls_buffers.c:1138
ocserv[31120]: TLS[<5>]: REC[0x94fd008]: SSL 3.3 Handshake packet
received. Epoch 0, length: 40
ocserv[31120]: TLS[<5>]: REC[0x94fd008]: Expected Packet Handshake(22)
ocserv[31120]: TLS[<5>]: REC[0x94fd008]: Received Packet Handshake(22)
with length: 40
ocserv[31120]: TLS[<5>]: REC[0x94fd008]: Decrypted Packet[0]
Handshake(22) with length: 16
ocserv[31120]: TLS[<4>]: HSK[0x94fd008]: FINISHED (20) was received.
Length 12[12], frag offset 0, frag length: 12, sequence: 0
ocserv[31120]: TLS[<4>]: HSK[0x94fd008]: recording tls-unique CB (recv)
ocserv[31120]: TLS[<4>]: REC[0x94fd008]: Sent ChangeCipherSpec
ocserv[31120]: TLS[<4>]: HSK[0x94fd008]: Cipher Suite:
ECDHE_RSA_AES_128_GCM_SHA256
ocserv[31120]: TLS[<4>]: HSK[0x94fd008]: Initializing internal [write]
cipher sessions
ocserv[31120]: TLS[<4>]: HSK[0x94fd008]: FINISHED was queued [16 bytes]
ocserv[31120]: TLS[<5>]: REC[0x94fd008]: Preparing Packet
ChangeCipherSpec(20) with length: 1 and min pad: 0
ocserv[31120]: TLS[<9>]: ENC[0x94fd008]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
ocserv[31120]: TLS[<5>]: REC[0x94fd008]: Sent Packet[5]
ChangeCipherSpec(20) in epoch 0 and length: 6
ocserv[31120]: TLS[<5>]: REC[0x94fd008]: Preparing Packet
Handshake(22) with length: 16 and min pad: 0
ocserv[31120]: TLS[<9>]: ENC[0x94fd008]: cipher: AES-128-GCM, MAC:
AEAD, Epoch: 1
ocserv[31120]: TLS[<5>]: REC[0x94fd008]: Sent Packet[1] Handshake(22)
in epoch 1 and length: 45
ocserv[31120]: worker: 10.10.10.9:35633 sending message 'resume data
store request' to main
ocserv[31120]: TLS[<5>]: REC[0x94fd008]: Start of epoch cleanup
ocserv[31120]: TLS[<5>]: REC[0x94fd008]: Epoch #0 freed
ocserv[31120]: TLS[<5>]: REC[0x94fd008]: End of epoch cleanup
ocserv[31120]: worker: 10.10.10.9:35633 TLS handshake completed
ocserv[31058]: main: 10.10.10.9:35633 main received message 'resume
data store request' of 337 bytes
ocserv[31058]: main: 10.10.10.9:35633 TLS session DB storing
cee0f3c16d0a6f3c0536f7009afcdc4b6aad149258310b24a5dedaaca0294191
Yours faithfully Sergio.

Linux Cisco Anyconnect Vpn

Cisco Anyconnect Arch Linux

Cisco Anyconnect Arch Linux Free

Supported protocols are anyconnect for Cisco AnyConnect (the default), nc for experimental support for Juniper Network Connect (also supported by most Junos Pulse servers), pulse for experimental support for Junos Pulse, and gp for experimental support for PAN GlobalProtect. OpenConnect is an SSL VPN client initially created to support Cisco’s AnyConnect SSL VPN. It has since been ported to support the Juniper SSL VPN which is now known as Pulse Connect Secure. In this guide, we will look at the installation and usage of OpenConnect SSL VPN client to connect to both Cisco’s AnyConnect SSL VPN and Juniper Pulse.