Description

This article describes how to install the Cisco AnyConnect client on Red Hat Linux and establish a client-to-site VPN connection to an OOD environment.

Prerequisites:

  1. The following commands use the sudo facility of Red Hat Linux for administrative tasks such as installing software or starting and stopping services. If you are logged in as root, omit 'sudo' from the command-line examples.

  2. The AnyConnect client requires the libxml2 libraries, which can be installed with the following command:

    $ sudo yum install libxml2

Content / Solution:

  1. Download the AnyConnect software. If you have a Cisco login, you may be able to download the AnyConnect client from Cisco's web site. You need at least version 2.4; earlier versions had bugs that prevented them from connecting to OOD environments.

  2. Unpack the AnyConnect package into a temporary directory:

    $ mkdir temp
    $ cd temp
    $ unzip ../anyconnect-linux-2.4.0202-k9.zip

  3. Install the AnyConnect agent:

    $ sudo ./binaries/vpnsetup.sh

    The client software is installed under /opt/cisco/vpn and the installer registers the vpnagentd_init service. The agent must be running before any VPN connection can be established. Verify that it is running with the command:

    $ sudo /sbin/service vpnagentd_init status
    vpnagentd (pid  2465) is running...

    If the agent is not started, start it with the command:

    $ sudo /sbin/service vpnagentd_init start



  4. Establish a client-to-site VPN tunnel by connecting to the VPN service where your OOD environment is located. You must use your OOD VPN account username and password; OOD and Cloud accounts are completely separate. The first time you connect you will be prompted to accept the VPN server certificate, because the client could not verify it on its own. Do not answer 'y' until you have compared the fingerprint it displays with the fingerprint published for the service (for vpn.lhr.opsource.net it appears in the transcript below): accepting an unknown certificate is exactly what an attacker placed between you and the VPN server relies on, and the client remembers your decision for later connections.

    $ /opt/cisco/vpn/bin/vpn connect vpn.lhr.opsource.net
    Cisco AnyConnect VPN Client (version 2.4.0202) .
    Copyright (c) 2004 - 2009 Cisco Systems, Inc.
    All Rights Reserved.
    
      >> state: Disconnected
      >> warning: No profile is available.  Please enter host to "Connect to".
      >> registered with local VPN subsystem.
      >> state: Disconnected
    VPN> connect vpn.lhr.opsource.net
      >> contacting host (vpn.lhr.opsource.net) for login information...
      >> notice: Contacting vpn.lhr.opsource.net.
      >> warning: Unable to process response from vpn.lhr.opsource.net.
      >> notice: Please respond to Server Certificate Acceptance Request.
    VPN> 
    Warning: The following Certificate received from the Server could not be verified:
    Name: C=US, O=vpn.lhr.opsource.net, OU=GT02669844, OU=See www.geotrust.com/resources/cps (c)09, OU=Domain Control Validated - QuickSSL Premium(R), CN=vpn.lhr.opsource.net
    Common Name: vpn.lhr.opsource.net
    Department: GT02669844
    Company: vpn.lhr.opsource.net
    Country: US
    Fingerprint: 3304A677F8E19D3D1146630C987C28D304C7DADF
    
    accept? [y/n]: y
      >> Please enter your username and password.
    Group: ssl_url
    Username: jstoner
    Password: 
      >> state: Connecting
      >> notice: Establishing VPN session...
      >> notice: Checking for profile updates...
      >> notice: Checking for product updates...
      >> notice: Checking for customization updates...
      >> notice: Checking for localization updates...
      >> notice: Establishing VPN session...
      >> notice: Establishing VPN - Initiating connection...
      >> notice: Establishing VPN - Examining system...
      >> notice: Establishing VPN - Activating VPN adapter...
      >> notice: Establishing VPN - Configuring system...
      >> notice: Establishing VPN...
      >> state: Connected
      >> notice: VPN session established to vpn.lhr.opsource.net.
    VPN> quit
    goodbye...
      >> note: VPN Connection is still active.

    The AnyConnect client is firewall-aware and automatically inserts its own rules into the host's iptables rulesets while the tunnel is up. Run 'sudo iptables -L -n -v' if you need to see which rules are in place alongside your own.

  5. You can verify the AnyConnect status with the 'stats' command:

    $ /opt/cisco/vpn/bin/vpn stats
    Cisco AnyConnect VPN Client (version 2.4.0202) .
    Copyright (c) 2004 - 2009 Cisco Systems, Inc.
    All Rights Reserved.
    
      >> state: Connected
      >> warning: No profile is available.  Please enter host to "Connect to".
      >> registered with local VPN subsystem.
      >> state: Connected
    VPN>
    [ Connection Information ]
        Time Connected:    00:00:57
        Client Address:    10.120.2.82
        Server Address:    93.92.208.21
    [ Connection Details ]
        Mode:              Split Include
        Protocol:          DTLS
        Cipher:            RSA_3DES_168_SHA1
        Compression:       None
        Fips Mode:         Disabled
    [ Data Transfer ]
        Bytes Sent:        0
        Bytes Received:    955
        Packets Sent:      0
        Packets Received:  1
    [ Secure Routes ]
        Network     Subnet
        10.120.0.0     255.248.0.0
        93.92.208.80     255.255.255.240
        93.92.208.32     255.255.255.224
        93.92.208.144     255.255.255.240
        93.92.208.192     255.255.255.240

    Mode 'Split Include' means that only the networks listed under [ Secure Routes ] are sent through the tunnel; all other traffic continues to leave through your normal interfaces, so a host outside those subnets is not reachable via the VPN. The Cipher line shows what the server negotiated for this session. RSA_3DES_168_SHA1 was current when this transcript was captured, but 3DES is now deprecated, so check this line against your organisation's policy rather than assuming the tunnel is strong because it is up.

  6. To disconnect from the OOD environment, use the 'disconnect' command:

    $ /opt/cisco/vpn/bin/vpn disconnect
    Cisco AnyConnect VPN Client (version 2.4.0202) .
    Copyright (c) 2004 - 2009 Cisco Systems, Inc.
    All Rights Reserved.
    
      >> state: Connected
      >> warning: No profile is available.  Please enter host to "Connect to".
      >> registered with local VPN subsystem.
      >> state: Connected
      >> notice: Disconnect in progress, please wait...
      >> state: Disconnecting
      >> notice: Disconnect in progress, please wait...
      >> notice: Disconnect in progress, please wait...
      >> state: Disconnected
      >> notice: VPN session ended.
    VPN>
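
    The following POSIX shell script is an added example, not part of the original article or of Cisco's AnyConnect package. It automates the checks a practitioner would otherwise do by eye in steps 4 and 5: it parses the text printed by 'vpn stats' for the session state, the negotiated cipher and the secure routes, and it compares the fingerprint shown at the certificate prompt with an independently obtained reference value, whichever of the two common notations each is written in. The embedded sample is an abridged copy of the transcript in step 5 so that the script runs offline; OOD_NET/OOD_MASK, the function names and the list of legacy cipher substrings are this example's own assumptions, and fetch_fingerprint is a plain openssl invocation that needs network access.

```shell
#!/bin/sh
# Added example, not part of the original article or of Cisco's AnyConnect
# package: checks driven by the text that `/opt/cisco/vpn/bin/vpn stats`
# prints, plus a fingerprint comparison for the certificate prompt in step 4.
# SAMPLE_STATS is an abridged copy of the output captured in this article,
# embedded so the checks run offline; for a live session use:
#   /opt/cisco/vpn/bin/vpn stats | check_session

SAMPLE_STATS='  >> state: Connected
  >> warning: No profile is available.  Please enter host to "Connect to".
  >> registered with local VPN subsystem.
  >> state: Connected
[ Connection Information ]
    Client Address:    10.120.2.82
    Server Address:    93.92.208.21
[ Connection Details ]
    Mode:              Split Include
    Protocol:          DTLS
    Cipher:            RSA_3DES_168_SHA1
[ Secure Routes ]
    Network     Subnet
    10.120.0.0     255.248.0.0
    93.92.208.80     255.255.255.240'

# The OOD network (first row of the [ Secure Routes ] table above); an
# assumption of this example, adjust it for your own environment.
OOD_NET=10.120.0.0
OOD_MASK=255.248.0.0

# Last ">> state:" value; the client prints the state twice while it
# registers with the local VPN subsystem, so the last one is current.
vpn_state() {
    sed -n 's/^ *>> state: *//p' | tail -n 1
}

# Value of a "Key:   value" line, e.g. `vpn_field Cipher`.
vpn_field() {
    sed -n "s/^ *$1: *//p" | head -n 1
}

# Succeed when network/mask appears under [ Secure Routes ].
has_secure_route() {
    awk -v net="$1" -v mask="$2" '
        /^\[ Secure Routes \]/ { inroutes = 1; next }
        /^\[/                  { inroutes = 0 }
        inroutes && $1 == net && $2 == mask { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Succeed for suites that no longer meet current guidance (3DES is what the
# transcript in this article actually negotiated).
cipher_is_legacy() {
    case "$1" in
        *DES*|*RC4*|*MD5*) return 0 ;;
        *)                 return 1 ;;
    esac
}

# Normalise so that AnyConnect's form (3304A677...) and OpenSSL's form
# (SHA1 Fingerprint=33:04:A6:...) compare equal.
norm_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ':[:space:]' | tr 'a-f' 'A-F'
}

# Succeed only when the fingerprint shown at the prompt equals the expected one.
fingerprint_matches() {
    [ "$(norm_fp "$1")" = "$(norm_fp "$2")" ]
}

# Obtain the live server's SHA-1 fingerprint independently of the client
# (needs network access; not used by the offline demo).
fetch_fingerprint() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha1
}

# Read `vpn stats` output on stdin. Return 0 when the session is Connected
# and has the OOD route; a legacy cipher is reported but does not fail it.
check_session() {
    stats=$(cat)
    state=$(printf '%s\n' "$stats" | vpn_state)
    if [ "$state" != "Connected" ]; then
        echo "FAIL: tunnel not up (state: ${state:-unknown})"
        return 1
    fi
    if ! printf '%s\n' "$stats" | has_secure_route "$OOD_NET" "$OOD_MASK"; then
        echo "FAIL: no secure route for $OOD_NET $OOD_MASK"
        return 2
    fi
    cipher=$(printf '%s\n' "$stats" | vpn_field Cipher)
    if cipher_is_legacy "$cipher"; then
        echo "WARN: legacy cipher negotiated: $cipher"
    fi
    echo "OK: $(printf '%s\n' "$stats" | vpn_field 'Client Address') -> $(printf '%s\n' "$stats" | vpn_field 'Server Address')"
}
# Offline demo on the captured transcript.
printf '%s\n' "$SAMPLE_STATS" | check_session
```

    Against a live session, 'vpn stats | check_session' gives a non-zero exit status whenever the tunnel is not up or lacks the route to the OOD network, which makes it usable from a login script or a cron job. For the one-time certificate prompt in step 4, feed the fingerprint the client displays and a reference value (one published by the provider, or one recorded from a previously verified connection) to fingerprint_matches; the normalisation means it does not matter whether either side was copied from the AnyConnect prompt or from openssl output.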

Related Articles: