Connecting to openvpn server with Cisco Anyconnect SSL Client

tonyppe
OpenVpn Newbie
Posts: 3
Joined: Tue May 22, 2018 1:46 am

Post by tonyppe » Tue May 22, 2018 2:02 am

Hi all, new here.

I am looking to replicate a similar setup to an existing SSL VPN solution that I have by using OpenVPN, and I am unsure if it's possible. Can the forum let me know if this is possible? Ultimately I need to use the Cisco AnyConnect VPN client, which is the SSL client, to connect to OpenVPN.

The server should use a custom SSL cert, such as one from a public trusted CA, although this is not critical as I can install the server cert onto the clients that will connect.
The clients will connect to the server and be prompted for a username and password as one option. Another option is to have the clients present a certificate to the server to authenticate them, but unfortunately the clients have this certificate hard coded and I am unable to change it.

As a test I would like to connect from anyconnect vpn software.

The problems I face so far have been the following:

- I can install a custom server certificate, which clears the invalid certificate warning; but a knock-on effect of this is that authenticating a client by using a custom cert doesn't seem possible, as it's not a subordinate of the server cert.
- It seems that the only way to gain a connection is to use the downloaded user profile from the server; however, I need to use an HTTPS URL and be prompted for username and password from the user (in lieu of being able to authenticate the client by a hard-coded certificate that the client already has, instead of prompting for username and password).

Any pointers are welcome.

tonyppe
OpenVpn Newbie
Posts: 3
Joined: Tue May 22, 2018 1:46 am

Re: Connecting to openvpn server with Cisco Anyconnect SSL Client

Post by tonyppe » Tue May 22, 2018 9:08 am

As an update, I've found that we can set username and password auth. for the client and not expect a cert. I needed to use a PAM .so in the server.conf. However, I was still unable to get the AnyConnect client to prompt for username and password.

While I was working on this, I figured out that the OpenVPN server is configured for either TCP or UDP, and looking this up, if we select UDP then the authentication is done within the same UDP connection. Whereas I believe AnyConnect will attempt to auth. over TCP and then negotiate for a DTLS tunnel over udp/443. So I think this is more of an incompatibility within the client application / implementation than a configuration aspect.
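
For reference, this is what the username/password-only setup described in the update looks like as an OpenVPN server.conf fragment. It is an added example, not the poster's actual file; the plugin path and certificate file names are assumptions that vary by distribution, and it only applies to OpenVPN clients, since AnyConnect speaks its own TLS/DTLS protocol and will not complete the OpenVPN handshake regardless of these settings.

```conf
# Added example server.conf fragment (not from the original post)
port 1194
proto udp            # TLS handshake and user auth happen inside this one UDP session
dev tun
ca ca.crt            # CA that issued the server certificate
cert server.crt      # may be a certificate from a public CA, as the poster wants
key server.key
dh dh.pem

# Username/password via PAM. The second argument ("login") is the PAM service
# name to authenticate against. Plugin path is an assumption; check your distro.
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login

# Do not require a client certificate (replaces the older client-cert-not-required),
# and use the authenticated username, not a cert CN, to identify the session.
verify-client-cert none
username-as-common-name

# The matching OpenVPN client profile needs "auth-user-pass" so the client
# prompts for credentials instead of presenting a certificate.
```

Without verify-client-cert none the server still demands a client certificate signed by the CA in ca.crt, which is the knock-on effect mentioned in the first post.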
