I'm trying to connect to an unsecured server (with a self-signed certificate) using Cisco AnyConnect Secure Mobility Client (version 3.1.00495).
On a test server with X Window installed, and therefore using the AnyConnect GUI, I'm able to establish the connection, but when I try to use the CLI I cannot.
The problem, I think, is that when the VPN client tries to download the connection configuration, it doesn't ask for certificate acceptance (as it does on the initial connection).
This is what happens:
VPN> block 0
>> Sucessfully updated preference to allow for untrusted servers
VPN> connect xxx.xxx.xxx.xxx/proj
>> contacting host (xxx.xxx.xxx.xxx/proj) for login information...
>> notice: Contacting xxx.xxx.xxx.xxx/proj.
VPN> AnyConnect cannot verify the VPN server: xxx.xxx.xxx.xxx
- Certificate is from an untrusted source.
Connecting to this server may result in a severe security compromise!
Most users do not connect to untrusted VPN servers unless the reason for the error condition is known.
Connect Anyway? [y/n]: y
Always trust this VPN server and import the certificate? [y/n]: n
>> Please enter your username and password.
>> notice: Please respond to banner.
UNAUTHORISED ACCESS IS PROHIBITED BY LAW!
accept? [y/n]: y
>> state: Connecting
>> notice: Establishing VPN session...
The AnyConnect Downloader is analyzing this computer. Please wait...
The AnyConnect Downloader is performing update checks...
>> notice: Checking for profile updates...
>> notice: Checking for product updates...
Failed to get configuration because AnyConnect cannot confirm it is connected to your secure gateway. Contact your system administrator.
>> error: AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again.
>> notice: Connection attempt has failed.
>> state: Disconnected
Is there any way to correct this so I can establish the connection via the CLI?
Thanks in advance.
After a little digging around I found this:
This part in particular worked for me:
Thanks for putting up these notes, Brian. I had this same problem (Ubuntu 10.04, AnyConnect 2.5 and 3.0 clients). To make it simpler, I just did 3 steps:
1. Get the actual certificate name (the </dev/null stops s_client waiting on the terminal for input):
openssl s_client -connect example.com:443 </dev/null |& sed -n '/^issuer=/s/.*CN=//p'
2. Launch Firefox (using 12), go to Preferences -> Advanced -> View Certificates. Scroll down until you see the exact name step 1 printed. Select that cert, then hit Export and save with a .pem extension.
3. sudo cp YourExported.pem /opt/.cisco/certificates/ca/
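A shell version of those three steps, added here as an example and not part of the original answer: it pulls the certificate with openssl directly instead of exporting it from Firefox, prints the CN and SHA-256 fingerprint so they can be compared with what the VPN administrator says the gateway presents, and checks that the file dropped into /opt/.cisco/certificates/ca/ really validates the gateway certificate before the CLI connect is retried. The directory path, the function names and the vpn.example.test certificate are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes the AnyConnect CA
# directory named in the answer above and an OpenSSL command-line binary.
CISCO_CA_DIR="${CISCO_CA_DIR:-/opt/.cisco/certificates/ca}"

# Fetch the PEM certificate the gateway presents (replaces the Firefox export).
# </dev/null keeps s_client from waiting for terminal input.
fetch_gateway_cert() {   # usage: fetch_gateway_cert host [port] > gateway.pem
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM
}

# Print the subject CN of a PEM certificate (what step 1 above reads out).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/.*CN=//; s/,.*//'
}

# SHA-256 fingerprint, to compare out of band with the VPN administrator
# before trusting a self-signed gateway certificate.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/.*=//'
}

# Copy the certificate into the AnyConnect CA directory (file named after the
# CN) and confirm the installed copy actually validates the presented cert.
install_gateway_ca() {   # usage: install_gateway_ca gateway.pem
  dest="$CISCO_CA_DIR/$(cert_cn "$1" | tr -c 'A-Za-z0-9._\n' '_').pem"
  mkdir -p "$CISCO_CA_DIR" && cp "$1" "$dest" || return 1
  openssl verify -CAfile "$dest" "$1" >/dev/null
}

# Offline demonstration with a constructed self-signed certificate: installs it
# into a scratch CA directory, verifies it, and prints its CN on success.
demo_selfsigned() {
  tmp=$(mktemp -d) || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=vpn.example.test" \
    -keyout "$tmp/key.pem" -out "$tmp/gw.pem" >/dev/null 2>&1 || return 1
  CISCO_CA_DIR="$tmp/ca"
  install_gateway_ca "$tmp/gw.pem" || return 1
  cert_cn "$tmp/gw.pem"
  rm -rf "$tmp"
}
```

For a real gateway, run `fetch_gateway_cert vpn-host > gateway.pem`, check `cert_fingerprint gateway.pem` against the value the administrator gives you, then `sudo CISCO_CA_DIR=/opt/.cisco/certificates/ca install_gateway_ca gateway.pem` and retry `vpn connect`.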