Here are old articles about OpenConnect, the open source AnyConnect server:
OpenConnect on Ubuntu
Open Connect Server Configuration (Working for iOS)
Cisco AnyConnect Client for OS X/Windows/Linux (Version 3.1.05160)
This time: OCServ 0.80 on Ubuntu 14.04.
It still doesn’t work for OS X.
I was using password-based authentication, but clients on iOS cannot remember my password.
So here are some additional settings on top of “Open Connect Server Configuration (Working for iOS)“.
Create Client Certificates
Just follow the manual: http://www.infradead.org/ocserv/manual.html.
If you already have a CA based on openssl, I have another article: Generate Certificate with GnuTLS and Sign with OpenSSL.
Here is my user.tmpl:

```
cn = "sskaje"
unit = "vpn"
serial = 1000
expiration_days = 365
signing_key
tls_www_client
```
After the PKCS#12 file is created as in ‘Create Client Config’ in “iOS IPSec VPN Server on Ubuntu“, the mobileconfig should be created as well.
Remember to leave ‘Account‘ and ‘Group‘ BLANK on the VPN page.
Update config
Copy a fresh sample.config from the source tree and edit it following Open Connect Server Configuration (Working for iOS).
Now comes the certificate authentication related changes:
auth
```
# User authentication method. Could be set multiple times and in that case
# all should succeed.
# Options: certificate, pam.
auth = "certificate"
#auth = "plain[/opt/ocserv/etc/passwd]"
#auth = "pam"
```
I tried using both certificate and plain, but it failed.
Just keep the certificate one.
server-cert & server-key
You can use your own certificate or get one somewhere like startssl.com.
I got my certificate from startssl.com (class 1), which gave me three files: ca.pem, sub.class1.server.ca.pem, and my own ssl.crt. Concatenate them leaf first, then the intermediate, then the root:

```
cat ssl.crt > server-cert.pem
cat sub.class1.server.ca.pem >> server-cert.pem
cat ca.pem >> server-cert.pem
```
If you don’t concatenate these three in the right order, you’ll see this error in syslog:

```
Jun 19 03:59:08 sskaje ocserv[11730]: GnuTLS error (at tlslib.c:510): The provided X.509 certificate list is not sorted (in subject to issuer order)
```
The server key I got from startssl is encrypted, so decrypt it:

```
openssl rsa -in ssl.key -out server-key.pem
```

An encrypted private key results in:

```
Jun 19 03:59:08 sskaje ocserv[11731]: GnuTLS error (at sec-mod.c:498): Decryption has failed.
```
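Added here as an example, not code from the original post: a pre-flight script that catches both errors above (an unsorted server-cert.pem chain and a passphrase-protected server-key) before ocserv logs them. It assumes openssl is on PATH; the function names and the throwaway "Demo CA" it generates are mine, constructed only so the script runs stand-alone.

```sh
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the two
# errors above. Assumes openssl is on PATH; file names follow the post.

# Print the subject or issuer DN of a PEM cert, with the "subject="/"issuer="
# label removed so old and new openssl output formats compare alike.
dn() { openssl x509 -in "$1" -noout -"$2" | sed "s/^$2= *//"; }

# Succeed when each certificate in the bundle is followed by its issuer
# (subject-to-issuer order, which GnuTLS demands); fail otherwise.
chain_is_sorted() {
    tmp=$(mktemp -d); rc=0; expect=""; i=1
    # Split the bundle into cert1.pem, cert2.pem, ... keeping file order.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/cert" n ".pem")}' "$1"
    while [ -f "$tmp/cert$i.pem" ]; do
        subject=$(dn "$tmp/cert$i.pem" subject)
        # Every cert after the first must be the issuer of the one before it.
        if [ -n "$expect" ] && [ "$expect" != "$subject" ]; then rc=1; fi
        expect=$(dn "$tmp/cert$i.pem" issuer)
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return $rc
}

# Succeed when the PEM key has no passphrase. Both traditional
# ("Proc-Type: 4,ENCRYPTED") and PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY")
# encrypted keys carry ENCRYPTED in their header.
key_is_unencrypted() { ! grep -q ENCRYPTED "$1"; }

# Constructed demo data: a throwaway CA and server cert in a scratch directory.
cd "$(mktemp -d)" || exit 1
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" -days 1 \
    -keyout ca.key -out ca.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
    -keyout ssl.key -out ssl.csr 2>/dev/null
openssl x509 -req -in ssl.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -out ssl.crt 2>/dev/null
cat ssl.crt ca.pem > server-cert.pem        # leaf first, then its issuer
cat ca.pem ssl.crt > server-cert-wrong.pem  # the order GnuTLS rejects
openssl rsa -in ssl.key -aes256 -passout pass:demo -out ssl-enc.key 2>/dev/null

for f in server-cert.pem server-cert-wrong.pem; do
    chain_is_sorted "$f" && echo "$f: sorted" || echo "$f: NOT sorted"
done
for k in ssl.key ssl-enc.key; do
    key_is_unencrypted "$k" && echo "$k: usable" || echo "$k: encrypted, decrypt with openssl rsa"
done
```

Run it against your real server-cert.pem and server-key.pem by calling the two functions on those paths instead of the demo files.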
ca-cert
This ca-cert is the CA used to verify CLIENT certificates, not the server chain above!
cert-user-oid & cert-group-oid
Follow the comment in sample.config (CN for the user, OU for the group):

```
cert-user-oid = 2.5.4.3
cert-group-oid = 2.5.4.11
```
cisco-client-compat
Enable this! Thanks to @simamy.

```
cisco-client-compat = true
```