OpenConnect Public Key Authentication

Here are old articles about OpenConnect, the open source AnyConnect server:
OpenConnect on Ubuntu
Open Connect Server Configuration (Working for iOS)
Cisco AnyConnect Client for OS X/Windows/Linux (Version 3.1.05160)

This time, OCServ 0.80 on Ubuntu 14.04.
And still doesn’t work for OS X.

I was using password-based authentication, but clients on iOS cannot remember my password.
So now I add some configuration based on “Open Connect Server Configuration (Working for iOS)”.

Create Client Certificates

Just follow the manual:
If you already have a CA based on openssl, I have another article: Generate Certificate with GnuTLS and Sign with OpenSSL.

Here is my user.tmpl:

After the pkcs12 is created as in ‘Create Client Config’ in “iOS IPSec VPN Server on Ubuntu”, the mobileconfig should also be created.
Remember to leave ‘Account’ and ‘Group’ BLANK on the VPN page.

Update config

Copy a new sample.config from the source and edit it following Open Connect Server Configuration (Working for iOS).

Now come the changes related to certificate authentication:


I tried to use both certificate and plain, but failed.
Just keep the certificate one.

server-cert & server-key

You can add your own certificate or get it somewhere like
I got my certificates from, class 1, I got three files: ca.pem,, and my own ssl.crt:

If you don’t put these three in the right order, you’ll see the errors below in syslog:

The server-key I got from startssl is encrypted, decrypt it:

An encrypted private key would result in:


This ca-cert is for CLIENT certificates!

cert-user-oid & cert-group-oid

Follow the comment:


Enable this! Thanks to @simamy.

OpenConnect Public Key Authentication by @sskaje:


IPSec VPN Working for OS X Mavericks

In iOS IPSec VPN Server on Ubuntu, I host a VPN on Ubuntu 13.10 based on StrongSwan 4.x, working for iOS, but not for OSX.

Then I upgraded to Ubuntu 14.04, which has StrongSwan upgraded to 5.x, and got an error like:

To fix this, install all of strongswan’s plugins with:

And make some changes to configurations:

Replace with strongswan.conf.dpkg-dist

After these changes, the VPN is connectable from OS X, but DNS settings are not pushed to the client side.



If you get an error saying the certificate is not trusted and then check /var/log/system.log, you may find

If you have debug logging enabled in /etc/racoon/racoon.conf like

You may see more detail in /var/log/racoon.log, kSecTrustResultRecoverableTrustFailure might be a useful keyword.
Google it, the only useful article is but still not working here.

I tried on my MacBook Pro, and, as a dude also told me, the Root CA I gave and the mobileconfig worked without any error or warning.
But on my Mac mini, and for some others, there was an error like the one above, which stopped me from getting IPSec on OS X to work before.

I tried deleting the certificates, both the root CA’s and the client’s, from the Keychain Access app, and the mobileconfig from Profiles in Preferences, then reinstalling them, first the CA and then the mobileconfig. Check that the mobileconfig is signed and has passed certificate verification; once the green light is on, there it goes.


Open Connect Server Configuration (Working for iOS)

Working for iOS only, but for OSX, (Cisco AnyConnect Client for OS X 3.1.05160), captive portal is detected.
‘Web Authentication Required’ and error log like

OpenConnect on Ubuntu
Generate Certificate with GnuTLS and Sign with OpenSSL



OpenConnect on Ubuntu

This post is not yet finished

OpenConnect is an open source implementation of Cisco’s AnyConnect SSL VPN, which is natively supported by iOS (you can create a profile with Apple Configurator, as in iOS IPSec VPN Server on Ubuntu).

OpenConnect VPN Server can be found on and downloaded from, manual
Let’s build it on Ubuntu 13.10!

Download & Extract

