Problems with anyconnect vpn under CentOS8 (IPsec protocol)
In my institution we can use VPN to get access to our servers. For that we got a PKCS #12 certificate, let's name it johndoe.p12, and an AnyConnect profile, let's name this johndoe.xml, and it looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
    <ClientInitialization>
        <UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>
        <AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
        <ShowPreConnectMessage>false</ShowPreConnectMessage>
        <CertificateStore>All</CertificateStore>
        <CertificateStoreOverride>false</CertificateStoreOverride>
        <ProxySettings>Native</ProxySettings>
        <AllowLocalProxyConnections>false</AllowLocalProxyConnections>
        <AuthenticationTimeout>12</AuthenticationTimeout>
        <AutoConnectOnStart UserControllable="false">false</AutoConnectOnStart>
        <MinimizeOnConnect UserControllable="true">false</MinimizeOnConnect>
        <LocalLanAccess UserControllable="false">false</LocalLanAccess>
        <ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
        <AutoReconnect UserControllable="true">true
            <AutoReconnectBehavior UserControllable="false">DisconnectOnSuspend</AutoReconnectBehavior>
        </AutoReconnect>
        <AutoUpdate UserControllable="false">true</AutoUpdate>
        <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
        <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
        <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
        <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
        <PPPExclusion UserControllable="false">Disable
            <PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
        </PPPExclusion>
        <EnableScripting UserControllable="false">false</EnableScripting>
        <CertificateMatch>
            <DistinguishedName>
                <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
                    <Name>O</Name>
                    <Pattern>University Hospital Jena</Pattern>
                </DistinguishedNameDefinition>
                <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
                    <Name>OU</Name>
                    <Pattern>UKJatHome</Pattern>
                </DistinguishedNameDefinition>
                <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
                    <Name>CN</Name>
                    <Pattern>ukj@home</Pattern>
                </DistinguishedNameDefinition>
            </DistinguishedName>
        </CertificateMatch>
        <EnableAutomaticServerSelection UserControllable="false">false
            <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
            <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
        </EnableAutomaticServerSelection>
        <RetainVpnOnLogoff>false</RetainVpnOnLogoff>
    </ClientInitialization>
    <ServerList>
        <HostEntry>
            <HostName>JohnDoeatHome</HostName>
            <HostAddress>vpnathome.organisation.de</HostAddress>
            <UserGroup>JohnDoeatHome</UserGroup>
            <PrimaryProtocol>IPsec</PrimaryProtocol>
        </HostEntry>
    </ServerList>
</AnyConnectProfile>

I use CentOS release 8.4.2105 and AnyConnect 4.10.000093. Every time I want to connect I get these two messages (I guess the second one relates to the first one):

First: Certificate Validation Failure
Second: The IPsec VPN Connection was terminated due to an authentication failure or timeout...

I searched all the information about certificates, but nothing worked. I tried to include the certificate in the Firefox bundle (I read it in some forum), which is no problem, but it didn't work for AnyConnect. Then I tried to add the certificate to CentOS: I converted the *.p12 to a *.pem format and copied it to /etc/pki/ca-trust/source/anchors/ and /usr/share/pki/ca-trust-source/ together with the command:

update-ca-trust

The certificate is part of the created bundles, but it didn't help with AnyConnect. My last try was openconnect:

openconnect --protocol=anyconnect --xmlconfig=johndoe.xml --authgroup=JohnDoeatHome -k PKCS12 -c JohnDoe.p12 -u SECRET vpnathome.organisation.de

Did not work: "Login failed"

I have no clue how to proceed further, thanks for all hints. How can I include the certificate into AnyConnect? The profile is no problem. Can the IPsec protocol be a problem?
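An added diagnostic, not part of the original post or of the AnyConnect software: the profile above only lets the client auto-select a certificate whose subject satisfies every DistinguishedNameDefinition, so a subject that differs from the O/OU/CN patterns in case or spelling is one plain cause of "Certificate Validation Failure". The script below parses that CertificateMatch block (a constructed fragment mirroring johndoe.xml) and evaluates a subject line in the format printed by `openssl x509 -noout -subject`; the Operator/Wildcard/MatchCase handling follows the attribute names in the profile and is an assumption about their semantics, not Cisco's code.

```python
import fnmatch
import xml.etree.ElementTree as ET
# Constructed profile fragment with the same CertificateMatch block as johndoe.xml above
PROFILE_XML = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
<ClientInitialization><CertificateMatch><DistinguishedName>
<DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
<Name>O</Name><Pattern>University Hospital Jena</Pattern></DistinguishedNameDefinition>
<DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
<Name>OU</Name><Pattern>UKJatHome</Pattern></DistinguishedNameDefinition>
<DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
<Name>CN</Name><Pattern>ukj@home</Pattern></DistinguishedNameDefinition>
</DistinguishedName></CertificateMatch></ClientInitialization></AnyConnectProfile>"""

def _local(tag):
    # The profile's default xmlns prefixes every tag with {namespace}; drop it
    return tag.rsplit('}', 1)[-1]

def load_dn_rules(profile_xml):
    """Collect every DistinguishedNameDefinition together with its match options."""
    rules = []
    for el in ET.fromstring(profile_xml).iter():
        if _local(el.tag) != 'DistinguishedNameDefinition':
            continue
        fields = {_local(c.tag): (c.text or '').strip() for c in el}
        rules.append({'name': fields['Name'], 'pattern': fields['Pattern'],
                      'negate': el.get('Operator', 'Equal') == 'NotEqual',
                      'wildcard': el.get('Wildcard', 'Disabled') == 'Enabled',
                      'match_case': el.get('MatchCase', 'Enabled') == 'Enabled'})
    return rules

def parse_subject(subject_line):
    """Parse `openssl pkcs12 -in johndoe.p12 -clcerts -nokeys | openssl x509 -noout -subject`
    output, e.g. 'subject=O = X, OU = Y, CN = Z' (assumes values contain no commas)."""
    body = subject_line.partition('subject=')[2] or subject_line
    pairs = (p.split('=', 1) for p in body.split(','))
    return {k.strip(): v.strip() for k, v in pairs}

def evaluate_rules(profile_xml, subject_line):
    """Return one (attribute, pattern, ok) tuple per rule so the failing rule is visible."""
    subject, results = parse_subject(subject_line), []
    for r in load_dn_rules(profile_xml):
        value, pat = subject.get(r['name'], ''), r['pattern']
        if not r['match_case']:
            value, pat = value.lower(), pat.lower()
        hit = fnmatch.fnmatchcase(value, pat) if r['wildcard'] else value == pat
        results.append((r['name'], r['pattern'], hit != r['negate']))
    return results

def subject_matches(profile_xml, subject_line):
    return all(ok for _, _, ok in evaluate_rules(profile_xml, subject_line))
```

Run `evaluate_rules(open('johndoe.xml').read(), subject_line)` with the real profile and the subject printed by openssl; any tuple ending in False names the attribute the profile rejects.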