Cisco AnyConnect VPN CentOS 7

This procedure configures a Cisco AnyConnect VPN client on a CentOS 7 desktop, using OpenConnect, an open-source client that speaks the AnyConnect protocol. It was carried out on a brand-new CentOS 7 install on a Lenovo ThinkPad P70 laptop: a straight out-of-the-box install with no tweaks at all, where I chose the GNOME desktop option (not Plasma) plus a number of development tools and libraries, all picked from the default installer menu with no hacks or tweaks. The procedure is straightforward and not hard to do, but I could not find anywhere on the web where all the steps were gathered in one place. It should in theory also work on the RedHat 7 and Oracle Linux 7 desktops, but it has only been tested on the CentOS 7 GNOME desktop. The setup of the Cisco AnyConnect VPN client is detailed below.

Install EPEL RPM

This webpage was the starting point that got this successful Cisco AnyConnect VPN configuration rolling. The first step is to install EPEL (Extra Packages for Enterprise Linux), a Fedora project that provides a high-quality library of add-on packages built for CentOS 7 and other RHEL-compatible Linuxes. I downloaded the EPEL rpm from here, but for convenience it is also attached to this post in case that link is down for any reason. Prefer the link over the attached copy so that you get the latest EPEL release package directly from Fedora. Install it as shown below. The "NOKEY" warning means rpm could not verify the package signature because the EPEL signing key had not yet been imported; epel-release itself ships that key as /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7, and yum imports it (after asking you to confirm the fingerprint) during the next install. Once EPEL is enabled, install vpnc from it with yum as shown below; this pulls in vpnc-script as a dependency, which is a good thing, because OpenConnect uses vpnc-script to set up routes and DNS when the tunnel comes up.

[root@localhost Downloads]# rpm -Uvh epel-release-7-8.noarch.rpm
warning: epel-release-7-8.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:epel-release-7-8                 ################################# [100%]
[root@localhost Downloads]# yum install vpnc
Loaded plugins: fastestmirror, langpacks
epel/x86_64/metalink                                    |  14 kB  00:00:00
epel                                                    | 4.3 kB  00:00:00
(1/3): epel/x86_64/group_gz                             | 170 kB  00:00:00
(2/3): epel/x86_64/updateinfo                           | 594 kB  00:00:00
(3/3): epel/x86_64/primary_db                           | 4.3 MB  00:00:00
Loading mirror speeds from cached hostfile
 * base: mirror.beyondhosting.net
 * epel: muug.ca
 * extras: mirrors.liquidweb.com
 * updates: mirror.stjschools.org
Resolving Dependencies
--> Running transaction check
---> Package vpnc.x86_64 0:0.5.3-22.svn457.el7 will be installed
--> Processing Dependency: vpnc-script for package: vpnc-0.5.3-22.svn457.el7.x86_64
--> Running transaction check
---> Package vpnc-script.noarch 0:0.5.3-22.svn457.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package          Arch       Version                  Repository     Size
================================================================================
Installing:
 vpnc             x86_64     0.5.3-22.svn457.el7      epel           85 k
Installing for dependencies:
 vpnc-script      noarch     0.5.3-22.svn457.el7      epel           14 k

Transaction Summary
================================================================================
Install  1 Package (+1 Dependent package)

Total download size: 99 k
Installed size: 210 k
Is this ok [y/d/N]: y
Downloading packages:
warning: /var/cache/yum/x86_64/7/epel/packages/vpnc-0.5.3-22.svn457.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Public key for vpnc-0.5.3-22.svn457.el7.x86_64.rpm is not installed
(1/2): vpnc-0.5.3-22.svn457.el7.x86_64.rpm              |  85 kB  00:00:00
(2/2): vpnc-script-0.5.3-22.svn457.el7.noarch.rpm       |  14 kB  00:00:00
--------------------------------------------------------------------------------
Total                                           261 kB/s |  99 kB  00:00:00
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Importing GPG key 0x352C64E5:
 Userid     : "Fedora EPEL (7) <epel@fedoraproject.org>"
 Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5
 Package    : epel-release-7-8.noarch (installed)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Is this ok [y/N]: y
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Warning: RPMDB altered outside of yum.
  Installing : vpnc-script-0.5.3-22.svn457.el7.noarch                      1/2
warning: /etc/vpnc/vpnc-script created as /etc/vpnc/vpnc-script.rpmnew
  Installing : vpnc-0.5.3-22.svn457.el7.x86_64                             2/2
  Verifying  : vpnc-script-0.5.3-22.svn457.el7.noarch                      1/2
  Verifying  : vpnc-0.5.3-22.svn457.el7.x86_64                             2/2

Installed:
  vpnc.x86_64 0:0.5.3-22.svn457.el7

Dependency Installed:
  vpnc-script.noarch 0:0.5.3-22.svn457.el7

Complete!
[root@localhost Downloads]#

Install Required Libraries and OpenConnect

I got the CentOS 7 OpenConnect RPM from Springdale, but there should be several places where it can be obtained. The exact RPM I used is also attached to this post. (I did this configuration between midnight and 3 AM this morning, so now in the afternoon I am retracing my footsteps while it is still fresh to get this guide written.) I believe the same RPM can also be had from elders.princeton.edu, so that makes three sources: Springdale, Princeton, and the attachment at the bottom of this page. It cannot be installed yet, though, because unless you have previously installed them, some libraries are needed to satisfy the OpenConnect RPM's dependencies. Just so that you see what the issue is, below is what you get when trying to install the OpenConnect RPM without the required libraries. In the subsequent steps those libraries are easily obtained, and then OpenConnect installs perfectly. Note also the NOKEY warning: this RPM is signed with key 41a40948, which is not in the local rpm keyring, so rpm cannot verify its signature. For a package obtained from a third-party source, import the publisher's signing key and check the package with rpm -K before installing it.

[root@localhost Downloads]# rpm -Uvh openconnect-7.06-1.sdl7.x86_64.rpm
warning: openconnect-7.06-1.sdl7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 41a40948: NOKEY
error: Failed dependencies:
	liblz4.so.1()(64bit) is needed by openconnect-7.06-1.sdl7.x86_64
	libstoken.so.1()(64bit) is needed by openconnect-7.06-1.sdl7.x86_64
	libstoken.so.1(STOKEN_1.0)(64bit) is needed by openconnect-7.06-1.sdl7.x86_64
[root@localhost Downloads]#

Install lz4 Library

The lz4 library is easy to get: install it with yum as shown below.

[root@localhost Downloads]# yum install lz4
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirror.beyondhosting.net
 * epel: mirror.steadfast.net
 * extras: mirrors.liquidweb.com
 * updates: mirror.stjschools.org
Resolving Dependencies
--> Running transaction check
---> Package lz4.x86_64 0:r131-1.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package      Arch        Version            Repository     Size
================================================================================
Installing:
 lz4          x86_64      r131-1.el7         epel           70 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 70 k
Installed size: 220 k
Is this ok [y/d/N]: y
Downloading packages:
lz4-r131-1.el7.x86_64.rpm                               |  70 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : lz4-r131-1.el7.x86_64                                       1/1
  Verifying  : lz4-r131-1.el7.x86_64                                       1/1

Installed:
  lz4.x86_64 0:r131-1.el7

Complete!

Install libstoken Library

The libstoken library is also needed, so install the stoken-libs package with yum as shown below; it pulls in libtomcrypt and libtommath as dependencies.

[root@localhost Downloads]# yum install stoken-libs
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirror.beyondhosting.net
 * epel: ca.mirror.babylon.network
 * extras: mirrors.liquidweb.com
 * updates: mirror.stjschools.org
Resolving Dependencies
--> Running transaction check
---> Package stoken-libs.x86_64 0:0.6-1.el7 will be installed
--> Processing Dependency: libtomcrypt.so.0()(64bit) for package: stoken-libs-0.6-1.el7.x86_64
--> Running transaction check
---> Package libtomcrypt.x86_64 0:1.17-23.el7 will be installed
--> Processing Dependency: libtommath >= 0.42.0 for package: libtomcrypt-1.17-23.el7.x86_64
--> Processing Dependency: libtommath.so.0()(64bit) for package: libtomcrypt-1.17-23.el7.x86_64
--> Running transaction check
---> Package libtommath.x86_64 0:0.42.0-4.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package          Arch        Version            Repository     Size
================================================================================
Installing:
 stoken-libs      x86_64      0.6-1.el7          epel           36 k
Installing for dependencies:
 libtomcrypt      x86_64      1.17-23.el7        epel          224 k
 libtommath       x86_64      0.42.0-4.el7       epel           35 k

Transaction Summary
================================================================================
Install  1 Package (+2 Dependent packages)

Total download size: 296 k
Installed size: 707 k
Is this ok [y/d/N]: y
Downloading packages:
(1/3): libtomcrypt-1.17-23.el7.x86_64.rpm               | 224 kB  00:00:00
(2/3): libtommath-0.42.0-4.el7.x86_64.rpm               |  35 kB  00:00:00
(3/3): stoken-libs-0.6-1.el7.x86_64.rpm                 |  36 kB  00:00:00
--------------------------------------------------------------------------------
Total                                           368 kB/s | 296 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : libtommath-0.42.0-4.el7.x86_64                              1/3
  Installing : libtomcrypt-1.17-23.el7.x86_64                              2/3
  Installing : stoken-libs-0.6-1.el7.x86_64                                3/3
  Verifying  : libtommath-0.42.0-4.el7.x86_64                              1/3
  Verifying  : libtomcrypt-1.17-23.el7.x86_64                              2/3
  Verifying  : stoken-libs-0.6-1.el7.x86_64                                3/3

Installed:
  stoken-libs.x86_64 0:0.6-1.el7

Dependency Installed:
  libtomcrypt.x86_64 0:1.17-23.el7    libtommath.x86_64 0:0.42.0-4.el7

Complete!

Install OpenConnect

With the dependencies in place, the OpenConnect RPM now installs successfully, as shown below; the rpm -qa query afterwards confirms that openconnect, vpnc and vpnc-script are all present.

[root@localhost Downloads]# rpm -Uvh openconnect-7.06-1.sdl7.x86_64.rpm
warning: openconnect-7.06-1.sdl7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 41a40948: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:openconnect-7.06-1.sdl7          ################################# [100%]
[root@localhost Downloads]# rpm -qa | egrep 'openconnect|vpnc'
openconnect-7.06-1.sdl7.x86_64
vpnc-script-0.5.3-22.svn457.el7.noarch
vpnc-0.5.3-22.svn457.el7.x86_64
[root@localhost Downloads]#
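Both the EPEL release package and the Springdale OpenConnect package above were installed with rpm -Uvh while rpm printed a NOKEY warning, that is, without the signature ever being checked. The script below is an added example (not from the original post) of how to gate rpm -Uvh on a successful signature check once the publisher's key has been imported. The key file and RPM paths are placeholders you supply; the sig_line_ok function encodes a detail that is easy to get wrong: rpm -K prints passed checks in lowercase and failed ones in uppercase, and an unsigned package still reports "sha1 md5 OK", so "OK" alone proves nothing.

```shell
#!/bin/sh
# install_verified_rpm.sh: refuse to install an RPM unless its GPG signature
# verifies against a key already in the rpm keyring.
# Added example, not part of the original post. KEY_FILE and RPM_FILE are
# placeholders passed on the command line.
set -eu

# Classify one line of `rpm -K` (rpm --checksig) output. We require:
#   - no "NOT OK" anywhere (a failed or missing-key signature check),
#   - the line ends in " OK",
#   - a lowercase signature token: "pgp"/"gpg" on rpm 4.11 (CentOS 7),
#     or "signatures OK" on newer rpm versions.
# An unsigned package yields e.g. "foo.rpm: sha1 md5 OK" (no signature token)
# and is rejected even though rpm itself exits 0 for it.
sig_line_ok() {
    line=$1
    case "$line" in
        *"NOT OK"*) return 1 ;;
    esac
    case "$line" in
        *" OK") ;;
        *) return 1 ;;
    esac
    case "$line" in
        *" pgp "*|*" gpg "*|*" signatures OK") return 0 ;;
    esac
    return 1
}

# Import the publisher's key (obtained from the publisher, not from the
# package being checked), run rpm -K, and install only if the check passes.
install_verified_rpm() {
    key_file=$1
    rpm_file=$2
    rpm --import "$key_file"
    # rpm -K exits non-zero on "NOT OK"; capture its output regardless and
    # let sig_line_ok decide.
    out=$(rpm -K "$rpm_file" || true)
    printf '%s\n' "$out"
    if sig_line_ok "$out"; then
        rpm -Uvh "$rpm_file"
    else
        printf 'refusing to install %s: signature check failed\n' "$rpm_file" >&2
        return 1
    fi
}

# Usage: ./install_verified_rpm.sh KEY_FILE RPM_FILE
if [ "$#" -eq 2 ]; then
    install_verified_rpm "$1" "$2"
fi
```

For the EPEL bootstrap the key is the one epel-release ships (the transcript above shows yum importing it from /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7, fingerprint 91e9 7d7c ... 352c 64e5), so the check is only meaningful if you fetch that key from Fedora separately and compare the fingerprint; for the Springdale package the key with id 41a40948 has to come from Springdale. The alternative that avoids hand-verification entirely is to install from a yum repository with gpgcheck=1, which is what happened for vpnc, lz4 and stoken-libs above.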

Test the Cisco AnyConnect VPN

This AnyConnect client has no GUI, so it is simply run from a terminal as root as shown below. The name of the VPN server used for this example and other private information have been redacted in the connection shown. The line "Server certificate verify failed: signer not found" means that the CA that issued the gateway's certificate is not in the system trust store, not that the certificate is unsigned. Answering 'yes' accepts whatever certificate the server presented, so on a real gateway enter anything else at the prompt first to view the certificate and confirm its fingerprint with the VPN administrator; for later connections openconnect can pin that fingerprint with --servercert, or be given the issuing CA with --cafile, so that an unexpected certificate aborts the connection instead of prompting. When you get the "Established DTLS connection..." line it means that the VPN is connected, and ssh to servers and other resources on the VPN, such as websites, is now available. Be sure to leave that terminal window open for the duration of the VPN session: closing that window terminates the VPN session.

[oracle@localhost Downloads]$ su - root
Password:
Last login: Sat Aug 13 19:57:21 EDT 2016 on pts/0
[root@localhost ~]# openconnect https://vpn.xxxxxxxxxxxx.com
POST https://vpn.xxxxxxxxxxxx.com/
Attempting to connect to server xx.xx.xxx.x:443
SSL negotiation with vpn.xxxxxxxxxxxx.com
Server certificate verify failed: signer not found   <-- the gateway certificate's issuer is not in the system trust store; check the fingerprint, then answer yes below to continue
Certificate from VPN server "vpn.xxxxxxxxxxxx.com" failed verification.
Reason: signer not found
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on vpn.xxxxxxxxxxxx.com
XML POST enabled
Please enter your username and password.
GROUP: [datacenter|dmz|poc-mgmt|poc1|poc2|poc3|poc5|selfservice]:datacenter
POST https://vpn.xxxxxxxxxxxx.com/
XML POST enabled
Please enter your username and password.
Username:xxxxxxx
Password:
POST https://vpn.xxxxxxxxxxxx.com/
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
Connected tun0 as xx.xx.xxx.xx, using SSL
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1).
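The session above accepts the gateway certificate interactively after "signer not found". The script below is an added example (not from the original post) of the non-interactive alternative: record the gateway's certificate fingerprint once, confirm it out of band, and pass it to openconnect with --servercert so that a different certificate makes the connection abort rather than prompt. The host name, group and user are placeholders; the fingerprint format (bare lowercase SHA-1 hex, which is what openconnect 7.x prints and accepts for --servercert) is an assumption about this version, and newer releases also accept a pin-sha256: form that this script does not handle.

```shell
#!/bin/sh
# pinned_anyconnect.sh: connect with openconnect while pinning the gateway
# certificate instead of answering "yes" to "signer not found".
# Added example, not part of the original post. VPN_HOST, GROUP and USER
# are placeholders; the --servercert fingerprint format is assumed to be
# bare lowercase SHA-1 hex as printed by openconnect 7.x.
set -eu

# Convert `openssl x509 -noout -fingerprint -sha1` output, e.g.
#   SHA1 Fingerprint=AB:CD:...:EF
# into the bare lowercase hex string used for --servercert.
fingerprint_from_openssl() {
    printf '%s\n' "$1" | sed -n 's/^SHA1 Fingerprint=//p' | tr -d ':' | tr 'A-F' 'a-f'
}

# A valid SHA-1 pin is exactly 40 lowercase hex digits. Anything else is
# rejected so that a typo or an empty variable cannot silently weaken the
# check (an empty --servercert is not "no pin", but we never get that far).
valid_pin() {
    case "$1" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# One-time bootstrap: fetch the gateway's leaf certificate and print its
# SHA-1 fingerprint. Compare it out of band (for example with the VPN
# administrator) before pinning it; this step alone trusts nothing.
show_gateway_fingerprint() {
    host=$1
    printf '' | openssl s_client -connect "$host:443" -servername "$host" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha1
}

# Connect with the pinned fingerprint. With --servercert, openconnect
# aborts when the presented certificate does not match, instead of asking
# "Enter 'yes' to accept". Leave the terminal open; the session ends when
# openconnect exits.
connect_pinned() {
    host=$1
    pin=$2
    group=$3
    user=$4
    if ! valid_pin "$pin"; then
        printf "refusing to connect: '%s' is not a 40-hex-digit SHA-1 fingerprint\n" "$pin" >&2
        return 1
    fi
    exec openconnect --servercert "$pin" --authgroup "$group" --user "$user" "https://$host"
}

# Usage:
#   ./pinned_anyconnect.sh fingerprint VPN_HOST
#   ./pinned_anyconnect.sh connect VPN_HOST FINGERPRINT GROUP USER
case "${1:-}" in
    fingerprint) show_gateway_fingerprint "$2" ;;
    connect)     connect_pinned "$2" "$3" "$4" "$5" ;;
esac
```

Pinning the leaf certificate means the pin must be updated when the gateway's certificate is renewed; where the issuing CA is known and stable, pointing --cafile at it is the lower-maintenance option, and either is preferable to typing yes at the prompt.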

Comments, Questions, Observations

Please send me an email at gilstanden@hotmail.com if you find any errors or omissions in this procedure, or to share your observations on it, such as improvements or simplifications.