LinuxQuestions.org

CentOS forum, thread: Problems with anyconnect vpn under CentOS8 (IPsec protocol) (https://www.linuxquestions.org/questions/centos-111/problems-with-anyconnect-vpn-under-centos8-ipsec-protocol-4175702704/)

anon198 10-27-2021 12:53 PM

Problems with anyconnect vpn under CentOS8 (IPsec protocol)
 
In my institution we can use a VPN to get access to our servers. For that we got a PKCS #12 certificate, let's name it johndoe.p12, and an AnyConnect profile, let's name this johndoe.xml, which looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
<ClientInitialization>
<UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>
<AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
<ShowPreConnectMessage>false</ShowPreConnectMessage>
<CertificateStore>All</CertificateStore>
<CertificateStoreOverride>false</CertificateStoreOverride>
<ProxySettings>Native</ProxySettings>
<AllowLocalProxyConnections>false</AllowLocalProxyConnections>
<AuthenticationTimeout>12</AuthenticationTimeout>
<AutoConnectOnStart UserControllable="false">false</AutoConnectOnStart>
<MinimizeOnConnect UserControllable="true">false</MinimizeOnConnect>
<LocalLanAccess UserControllable="false">false</LocalLanAccess>
<ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
<AutoReconnect UserControllable="true">true
<AutoReconnectBehavior UserControllable="false">DisconnectOnSuspend</AutoReconnectBehavior>
</AutoReconnect>
<AutoUpdate UserControllable="false">true</AutoUpdate>
<RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
<WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
<AutomaticVPNPolicy>false</AutomaticVPNPolicy>
<PPPExclusion UserControllable="false">Disable
<PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
</PPPExclusion>
<EnableScripting UserControllable="false">false</EnableScripting>
<CertificateMatch>
<DistinguishedName>
<DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
<Name>O</Name>
<Pattern>University Hospital Jena</Pattern>
</DistinguishedNameDefinition>
<DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
<Name>OU</Name>
<Pattern>UKJatHome</Pattern>
</DistinguishedNameDefinition>
<DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
<Name>CN</Name>
<Pattern>ukj@home</Pattern>
</DistinguishedNameDefinition>
</DistinguishedName>
</CertificateMatch>
<EnableAutomaticServerSelection UserControllable="false">false
<AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
<AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
</EnableAutomaticServerSelection>
<RetainVpnOnLogoff>false
</RetainVpnOnLogoff>
</ClientInitialization>
<ServerList>
<HostEntry>
<HostName>JohnDoeatHome</HostName>
<HostAddress>vpnathome.organisation.de</HostAddress>
<UserGroup>JohnDoeatHome</UserGroup>
<PrimaryProtocol>IPsec</PrimaryProtocol>
</HostEntry>
</ServerList>
</AnyConnectProfile>


I use CentOS release 8.4.2105 and AnyConnect 4.10.000093. Every time I want to connect I get these two messages (I guess the second one relates to the first one):

First: Certificate Validation Failure
Second: The IPsec VPN Connection was terminated due to an authentication failure or timeout...


I searched all the information I could find about certificates, but nothing worked. I tried to add the certificate to the Firefox bundle (I read this in some forum), which was no problem, but it didn't work for AnyConnect.

Then I tried to add the certificate to CentOS: I converted the *.p12 to *.pem format and copied it to

/etc/pki/ca-trust/source/anchors/
/usr/share/pki/ca-trust-source/

together with the command: update-ca-trust

The certificate is part of the created bundles, but it didn't help with anyconnect.


My last try was openconnect.
openconnect --protocol=anyconnect --xmlconfig=johndoe.xml --authgroup=JohnDoeatHome -k PKCS12 -c JohnDoe.p12 -u SECRET vpnathome.organisation.de

It did not work: "Login failed"



I have no clue how to proceed further; thanks for all hints. How can I include the certificate in AnyConnect? The profile is no problem. Can the IPsec protocol be a problem?
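The CertificateMatch block in the profile above tells AnyConnect to select only a certificate whose subject carries exactly O=University Hospital Jena, OU=UKJatHome and CN=ukj@home, so a first check for the "Certificate Validation Failure" is whether the subject in johndoe.p12 satisfies those rules. The following is an added example, not code from the post or from Cisco: it reads the DistinguishedNameDefinition rules from the profile and evaluates the subject line printed by `openssl pkcs12 -in johndoe.p12 -clcerts -nokeys | openssl x509 -noout -subject -nameopt RFC2253`; the semantics assumed for Operator, Wildcard and MatchCase are my reading of the attribute names, not Cisco documentation.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed excerpt of the profile quoted in the post: same xmlns, same three rules.
PROFILE_XML = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"><ClientInitialization>
<CertificateMatch><DistinguishedName>
<DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled"><Name>O</Name><Pattern>University Hospital Jena</Pattern></DistinguishedNameDefinition>
<DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled"><Name>OU</Name><Pattern>UKJatHome</Pattern></DistinguishedNameDefinition>
<DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled"><Name>CN</Name><Pattern>ukj@home</Pattern></DistinguishedNameDefinition>
</DistinguishedName></CertificateMatch></ClientInitialization></AnyConnectProfile>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the namespace from an element tag

def load_dn_rules(profile_xml):
    """Return [(attr, pattern, operator, wildcard_on, match_case), ...] from the profile."""
    rules = []
    for el in ET.fromstring(profile_xml).iter():
        if _local(el.tag) == "DistinguishedNameDefinition":
            f = {_local(c.tag): (c.text or "").strip() for c in el}
            rules.append((f["Name"], f["Pattern"], el.get("Operator", "Equal"),
                          el.get("Wildcard") == "Enabled", el.get("MatchCase") != "Disabled"))
    return rules

def parse_rfc2253_subject(subject):
    """Parse 'subject=CN=a,OU=b,...' (openssl x509 -subject -nameopt RFC2253), keeping escaped commas."""
    subject = subject.split("=", 1)[1] if subject.startswith("subject=") else subject
    parts, cur = [], ""
    for i, ch in enumerate(subject):
        if ch == "," and not (i and subject[i - 1] == "\\"):
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return {k.strip().upper(): v.replace("\\,", ",")
            for k, v in (p.split("=", 1) for p in parts if "=" in p)}

def check_dn(subject, rules):
    """Return (all_rules_satisfied, [attributes whose rule failed])."""
    dn, failed = parse_rfc2253_subject(subject), []
    for attr, pattern, op, wildcard_on, match_case in rules:
        v, p = dn.get(attr.upper(), ""), pattern
        if not match_case:
            v, p = v.lower(), p.lower()
        hit = fnmatch.fnmatchcase(v, p) if wildcard_on else v == p  # '*' wildcards
        if (op == "Equal") != hit:  # a NotEqual rule is satisfied when the value differs
            failed.append(attr)
    return not failed, failed
```

Note that /etc/pki/ca-trust/source/anchors/ feeds the system CA trust store, so a client certificate copied there becomes a trust anchor rather than the identity the client presents; the DN check above concerns which certificate the client is allowed to select, not trust.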

