Introduction
OCserv is the OpenConnect VPN server. Its purpose is to be a secure, small, fast and configurable VPN server. It implements the OpenConnect SSL VPN protocol, and has also (currently experimental) compatibility with clients using the AnyConnect SSL VPN protocol. The OpenConnect protocol provides a dual TCP/UDP VPN channel, and uses the standard IETF security protocols to secure it. The server is implemented primarily for the GNU/Linux platform but its code is designed to be portable to other UNIX variants as well. From Ubuntu 16.04 onward, OCserv is included in the standard Ubuntu repositories, so you do not need to compile it from source. In this tutorial the iOS 12.2 client, which could be an iPad or an iPhone, will connect to the VPN server using the Cisco AnyConnect VPN client.
Install packages on server
Log on to your server and install the OCserv package:
We will also need the GnuTLS package, since we use the GnuTLS utilities to generate our public key infrastructure (keys and certificates):
Build and Install
We can use a self-signed certificate or a commercial certificate purchased from a CA such as Comodo, StartSSL or WoSign.
Make CA certificate and server certificate
The GnuTLS certificate tool (certtool) allows you to specify the fields for your certificates in a configuration template file.
Start by creating a configuration template file for your Certificate Authority (CA) certificate:
Press the I key on your keyboard to enter insert mode.
Enter the following fields into the CA configuration file, customizing the values as you prefer:
When you have finished entering the above, escape from insert mode, write the file to disk, and quit the editor.
Now generate a key and certificate for your CA, using the CA configuration template file you just created:
Now create a server certificate template file:
Press the I key on your keyboard to enter insert mode.
Enter the following fields into the server configuration file. Note that in the common name (cn) field, you must specify your actual server IP address or hostname (shown as vpn.xuri.me in the example that follows):
When you have finished entering the above, escape from insert mode, write the file to disk, and quit the editor.
Generate the server key and certificate, using the configuration template file:
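The CA and server certificate steps above as one script, added here as an example (not the tutorial's own commands). It uses the GnuTLS certtool template fields the text refers to; the organisation name and the hostname are placeholders, and the hostname must be exactly what clients later type into AnyConnect (vpn.xuri.me in the tutorial).

```shell
# Added example: self-signed CA plus server certificate with GnuTLS certtool.
# Assumed placeholders: organisation name and hostname (the tutorial uses vpn.xuri.me).
set -eu

# CA template: a self-signed root valid 10 years that may sign certificates and CRLs.
write_ca_template() {
    out="$1"; ca_name="$2"; org="$3"
    cat > "$out" <<EOF
cn = "$ca_name"
organization = "$org"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
EOF
}

# Server template: cn and dns_name both carry the real hostname, because current
# TLS clients (iOS included) match the name against the SAN (dns_name), not the cn.
write_server_template() {
    out="$1"; host="$2"; org="$3"
    cat > "$out" <<EOF
cn = "$host"
dns_name = "$host"
organization = "$org"
serial = 2
expiration_days = 825
signing_key
encryption_key
tls_www_server
EOF
}

# Produce ca-key.pem, ca-cert.pem, server-key.pem and server-cert.pem in $dir.
generate_pki() {
    dir="$1"; host="$2"; org="$3"
    umask 077   # private keys are created unreadable by other users
    write_ca_template "$dir/ca.tmpl" "$org VPN CA" "$org"
    write_server_template "$dir/server.tmpl" "$host" "$org"
    certtool --generate-privkey --outfile "$dir/ca-key.pem"
    certtool --generate-self-signed --load-privkey "$dir/ca-key.pem" \
        --template "$dir/ca.tmpl" --outfile "$dir/ca-cert.pem"
    certtool --generate-privkey --outfile "$dir/server-key.pem"
    certtool --generate-certificate --load-privkey "$dir/server-key.pem" \
        --load-ca-certificate "$dir/ca-cert.pem" --load-ca-privkey "$dir/ca-key.pem" \
        --template "$dir/server.tmpl" --outfile "$dir/server-cert.pem"
    chmod 644 "$dir/ca-cert.pem" "$dir/server-cert.pem"   # certificates are public
}

# Only touch the filesystem when asked: sh make-pki.sh run /etc/ocserv vpn.xuri.me "My Org"
if [ "${1:-}" = run ]; then generate_pki "$2" "$3" "$4"; fi
```

Copy the resulting server-cert.pem and server-key.pem into /etc/ocserv/ as the configuration section expects; ca-cert.pem is the file you later publish for the iOS client to trust.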
Use commercial certificate
For example, I use WoSign free SSL certificates. I got two files, 1_vpn.xuri.me_bundle.crt and 2_vpn.xuri.me.key. Convert the .crt certificate to .pem format:
Convert the .key file to .pem format:
Put server-cert.pem and server-key.pem in /etc/ocserv/ and set their file permissions to 600.
If you use a certificate issued by StartSSL, you get a cert.crt file; in some cases you need to build the certificate chain by merging the intermediate certificate and the root certificate like this:
Generate Certificates with Let's Encrypt
Confirm that the port in the file /lib/systemd/system/ocserv.socket is not used by another program, and generate the certificates with certbot:
Select 1 and input the domain name; the certificate files are then located at /etc/letsencrypt/live/vpn.xuri.me/fullchain.pem and /etc/letsencrypt/live/vpn.xuri.me/privkey.pem.
Configure the OpenConnect VPN server
Edit the OCserv sample configuration file that is provided in /etc/ocserv:
Use the editor to comment out (#) the default values and replace them with those shown in the example that follows:
When you have finished entering the above, escape from insert mode, write the file to disk, and quit the editor.
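A minimal ocserv.conf for this setup, added here as an example (not the tutorial's own file). It writes the settings for password authentication with the certtool certificates, includes the no-route entry used for split tunnelling and the mtu = 1480 setting from the troubleshooting section, and reads values back so you can check them. The 192.168.1.0/24 client pool, the 8.8.8.8 DNS server and the 10.0.0.0/8 no-route range are placeholder choices.

```shell
# Added example: write a minimal /etc/ocserv/ocserv.conf and read settings back.
# Assumed placeholders: client pool, DNS server and the no-route range.
set -eu

write_ocserv_conf() {
    out="$1"
    cat > "$out" <<'EOF'
# Users come from the file created with ocpasswd; no client certificates required.
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
tcp-port = 443
udp-port = 443
run-as-user = nobody
run-as-group = daemon
socket-file = /var/run/ocserv-socket
# Self-signed pair from certtool; for Let's Encrypt point these at
# /etc/letsencrypt/live/<host>/fullchain.pem and privkey.pem instead.
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem
# Required for the Cisco AnyConnect client.
cisco-client-compat = true
max-clients = 16
max-same-clients = 2
# Address pool handed to clients.
device = vpns
ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0
dns = 8.8.8.8
# With no "route" lines everything is tunnelled; no-route excludes this range.
no-route = 10.0.0.0/255.0.0.0
# Fixed MTU avoids the "secure gateway has rejected the connection attempt" error.
mtu = 1480
EOF
}

# Print the value of a key from the config (first uncommented match, quotes stripped).
conf_get() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1 | tr -d '"'
}

# Only overwrite the live config when asked: sh write-conf.sh run
if [ "${1:-}" = run ]; then write_ocserv_conf /etc/ocserv/ocserv.conf; fi
```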
Create user id and password
Generate a user id and password that you will use to authenticate from AnyConnect to OCserv. For example, if you want your user id to be xuri:
You will be prompted to enter a password twice. The password will not be displayed on your terminal:
Enable packet forwarding
Allow forwarding in the Linux kernel by editing the system control configuration file:
Delete the # sign at the start to uncomment the line:
Write the file to disk and quit the editor, and make this change active now:
Open firewall
Open the server firewall for SSL:
Enable network address translation (NAT):
Assuming you have already installed iptables-persistent, reconfigure it to make your changes persist across server reboots:
Start OpenConnect VPN server
Check that nothing is already listening on port 443:
The command sudo lsof -i then showed systemd listening on port 443 on IPv6. I do not know why systemd was doing this. The command systemctl --all list-sockets showed the related unit as ocserv.socket. The solution was to issue the command sudo systemctl stop ocserv.socket.
Start OCserv:
or
Check that it is now listening on port 443 with the command:
Optimization
Add ocserv to the system services:
Write the following script in the configuration file:
Now we can use service ocserv start and service ocserv stop to control the service.
Smart shunt
Set up no-route in the configuration file according to your own rules.
Make CA certificate available for download
Your client such as Mac, iPad or iPhone needs to be able to validate the server certificate. To allow it to do this, you must install your CA certificate on the iPad or iPhone as a trusted root certificate. The first step in this is to make the CA certificate available for download from your server.
Open the firewall so that you can reach the server from a browser:
Install Apache:
Copy the CA certificate into the web root folder:
Download and install CA certificate
Connect OCserv on Mac
Download and install the latest version of Cisco AnyConnect Secure Mobility Client for OS X. Add your server IP address or hostname (e.g. vpn.xuri.me):
Enter your username:
Enter your password:
Connect to VPN
Connect OCserv on mobile client
Now go to your iOS device (iPad or iPhone).
Open the Safari browser.
Browse to the location of the CA certificate at your server's IP address. For example, if your server is located at vpn.xuri.me, then in Safari you would browse to:
Follow the prompts to install the CA certificate as a 'Profile' on your iOS 12.2 device.
Once the 'Profile' (i.e., certificate) is installed, tap on Done:
Install AnyConnect on iOS 12.2 client
On your iPad or iPhone, open the App Store and search for Cisco AnyConnect.
Configure AnyConnect on iOS 12.2 client
Open the AnyConnect app.
Tap on Connections.
Tap on Add VPN Connection.
- Description is whatever you want
- Server Address is your server IP address or hostname (e.g. vpn.xuri.me)
Tap Save.
Connect to VPN
Now connect from your iPad or iPhone to your VPN.
You will be prompted to enter your username (the one you set up with ocpasswd a few minutes ago, for example, xuri):
You will be prompted to enter your password (the one you set up for that username when you invoked ocpasswd):
The AnyConnect VPN toggle goes green when you are connected:
(Also, if you log on to your server and use a command such as sudo tail /var/log/syslog, you will see messages such as sec-mod: initiating session for user 'xuri'.)
Troubleshooting
The client gets the error: The secure gateway has rejected the connection attempt. A new connection attempt to the same or another secure gateway is needed, which requires re-authentication.
Add the MTU setting mtu = 1480 to the configuration file and restart the service.