Prerequisites
- Make sure that your operating system is compatible. For instance:
$ uname -r
4.3.0-kali1-amd64
amd64 means a 64-bit machine. If it says 386 instead, what follows won’t work.
- Get Cisco AnyConnect Mobility Client from the Cisco download page (if under service contract) or from your organization. Usually a gzipped tarball named anyconnect-linux-64-x.y.zzzz-vpnapi.tar.gz
- Install the support packages:
$ sudo apt-get update
$ sudo apt-get install lib32z1 lib32ncurses5
Install the client
Extract the archive in a directory anyconnect-x.y.zzzzz, and run the installer:
$ sudo /anyconnect-x.y.zzzzz/vpn/vpn_install.sh
Accept the licence agreement when prompted. A successful installation should look like the following:
Installing Cisco AnyConnect VPN Client ...
Client Software License Agreement of Cisco Systems
[...]
Do you accept the terms in the license agreement? [y/n]
y
You have accepted the license agreement.
Please wait while Cisco AnyConnect VPN Client is being installed...
Starting the VPN Agent...
Done!
If you see an error of the form:
Failed to start vpnagentd.service: Unit vpnagentd.service failed to load: No such file or directory.
It is most likely (although not necessarily) because you forgot to install to install the support packages.
Reload the system manager configuration:
$ sudo systemctl daemon-reload
Your VPN client is now installed, and vpnagentd should be up and running:
$ ps -e | grep vpnagentd
17422 ? 00:00:02 vpnagent
Also, the daemon should start each time the system is booted:
$ find /etc/rc?.d -name *vpnagentd
/etc/rc2.d/K25vpnagentd
/etc/rc2.d/S85vpnagentd
/etc/rc3.d/K25vpnagentd
/etc/rc3.d/S85vpnagentd
/etc/rc4.d/K25vpnagentd
/etc/rc4.d/S85vpnagentd
/etc/rc5.d/K25vpnagentd
/etc/rc5.d/S85vpnagentd
Install the certificate
The .pfx has to be translated into .pem and .key. Run the following commands:
$ openssl pkcs12 -in certificate.pfx -out certificate.pem -nokeys
Enter Import Password:
MAC verified OK
$ openssl pkcs12 -in certificate.pfx -out certificate.key -nocerts
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
You can choose any file name, although make sure that both .pem and .key share the same base name. Both openssl commands will require the password used for creating the .pfx. The .key will also require a password (can be different) that you will have to type during future connections.
Create the following directories:
$ sudo mkdir /opt/.cisco/certificates/client
$ sudo mkdir /opt/.cisco/certificates/client/private
AnyConnect installer only creates /opt/.cisco/certificates/ca/ . Move your .pem and .key there:
$ sudo mv <path>/certificate.pem /opt/.cisco/certificates/client/
$ sudo mv <path>/certificate.key /opt/.cisco/certificates/client/private/
Make sure that read rights are set properly.
Start the client
Terminal:
$ /opt/cisco/anyconnect/bin/vpn
VPN> connect <server>
[...]
VPN> disconnect
VPN> quit
Or graphical interface:
$ /opt/cisco/anyconnect/bin/vpnui
Set the Group to Certificate. AnyConnect should find it. You will be prompted for the PEM password defined above, and your certificate password.