Installing and using the Cisco AnyConnect client with Ubuntu for UCI VPN - Jeff Stern
OIT has a good general instruction page on setting up the Cisco AnyConnect VPN client software for Linux, but I got tripped up in a couple of places and thought I'd pass on some heads-ups for other Ubuntu users.
I originally wrote this "How-To" for Ubuntu version 10, but have updated it through version 14.10. It should also work for derived distributions (Xubuntu, Kubuntu, etc.), and, for that matter, would hopefully work for any Debian-derived distributions as well.
To get the Cisco VPN client working for an Ubuntu system, you'll need to install at least the Cisco AnyConnect client (Section 1). This gives you the core VPN functionality -- a shell vpn command to connect to / disconnect from the UCI VPN. KDE users (like myself) will have to use this method and stop here.
If you run a Gnome-based desktop, you can also optionally add the Linux NetworkManager OpenConnect GUI icon (2) to connect and disconnect from the UCI VPN using your mouse (Section 2).
1. Go to the Download site.
2. Log in with your UCINetID if it asks.
3. Click on Linux 32-bit AnyConnect or Linux 64-bit AnyConnect, depending on your system, and click get the VPN client. Save the anyconnect-linux-64-3.1.03103-k9.tar.gz (or some similarly named) file to your computer. The steps below assume you stored it in the Downloads directory under your home directory.
4. Now, open a terminal and run:

    $ cd ~/Downloads
    $ tar zxvf anyconnect-linux-64-3.1.03103-k9.tar.gz
    $ cd anyconnect-3.1.03103/vpn
    $ sudo ./vpn_install.sh

5. Accept the terms and let it finish.

    Do you accept the terms in the license agreement? [y/n] y
    You have accepted the license agreement.
    Please wait while Cisco AnyConnect Secure Mobility Client is being installed...
    Starting Cisco AnyConnect Secure Mobility Client Agent...
    Done!

6. When the script is finished, the vpn client should have been installed on your system and the vpnagentd process started. You can verify this by looking at the active processes:

    $ ps auxw | grep vpnagentd | grep -v grep
    root 3049 0.0 0.2 165960 8356 ? Sl 09:07 0:04 /opt/cisco/anyconnect/bin/vpnagentd

7. During the installation, the vpnagentd daemon should also have been set up to start each time your system is booted. To verify (the pattern is quoted so that the shell passes it to find unexpanded):

    $ find /etc/rc?.d -type l -name '*vpnagentd*'
    /etc/rc2.d/K25vpnagentd
    /etc/rc2.d/S85vpnagentd
    /etc/rc3.d/K25vpnagentd
    /etc/rc3.d/S85vpnagentd
    /etc/rc4.d/K25vpnagentd
    /etc/rc4.d/S85vpnagentd
    /etc/rc5.d/K25vpnagentd
    /etc/rc5.d/S85vpnagentd

   or

    $ ls -l /etc/rc?.d/*vpn*
    lrwxrwxrwx 1 root root 21 Jun 5 09:07 /etc/rc2.d/K25vpnagentd -> /etc/init.d/vpnagentd*
    lrwxrwxrwx 1 root root 21 Jun 5 09:07 /etc/rc2.d/S85vpnagentd -> /etc/init.d/vpnagentd*
    lrwxrwxrwx 1 root root 21 Jun 5 09:07 /etc/rc3.d/K25vpnagentd -> /etc/init.d/vpnagentd*
    lrwxrwxrwx 1 root root 21 Jun 5 09:07 /etc/rc3.d/S85vpnagentd -> /etc/init.d/vpnagentd*
    lrwxrwxrwx 1 root root 21 Jun 5 09:07 /etc/rc4.d/K25vpnagentd -> /etc/init.d/vpnagentd*
    lrwxrwxrwx 1 root root 21 Jun 5 09:07 /etc/rc4.d/S85vpnagentd -> /etc/init.d/vpnagentd*
    lrwxrwxrwx 1 root root 21 Jun 5 09:07 /etc/rc5.d/K25vpnagentd -> /etc/init.d/vpnagentd*
    lrwxrwxrwx 1 root root 21 Jun 5 09:07 /etc/rc5.d/S85vpnagentd -> /etc/init.d/vpnagentd*

8. Make an alias to point to the vpn command, so that you only have to type "vpn" to start it. Insert the following line into either your ~/.bashrc or ~/.bash_aliases file:

    alias vpn='/opt/cisco/anyconnect/bin/vpn'

9. Now sign out and back in so that the alias takes effect.
1. To start the client from a command-line prompt in a terminal window, using the alias you made above:

    $ vpn

2. At the "VPN>" prompt, type "connect vpn.uci.edu" and press return. You will now see:

    VPN> connect vpn.uci.edu
    >> Please enter your UCInetID and password.
    0) Default-WebVPN
    1) Merage
    2) MerageFull
    3) UCI
    4) UCIFull

   If you do not see this, but get a connect error instead, please see NOTE 1 - Connect Error below.
3. Ignore the message about entering your UCInetID and password, for now.
4. Choose one of the choices by number and press return -- usually "UCI" or "UCIFull". (See the differences in the Tunnels below.) For instance, for "UCI", press 3 and return.
5. Enter your UCInetID and password in the Username and Password boxes and press return.
6. At the "accept? [y/n]:" prompt, type "y" and press return. You may get several notices the first time about the downloader performing update checks. At the end you should see a ">> state: Connected" message and a new "VPN>" prompt. You are now connected.
7. Either leave the VPN> prompt open or, if you want your terminal back, just type 'quit' at the VPN> prompt (the connection will remain active).

NOTE 1 - Connect Error

In most cases I have seen, a connection is made. I have, however, seen the below error before only once. It was when the person was installing on a netbook (running Gnome) which was on campus and using the campus wifi system (though I don't know if those factors were the cause). It didn't matter if they answered y or n, they continued to get the error and be denied connection. If you get this error, call OIT Help desk at 949-824-2222, or write them at email@example.com. If you find a solution, I'd appreciate knowing what it is: (jas at uci dot edu). Thx.

------------------------------------------------------------------
Error:

    VPN> connect vpn.uci.edu
    connect vpn.uci.edu
    >> contacting host (vpn.uci.edu) for login information...
    >> notice: Contacting vpn.uci.edu.
    VPN>
    AnyConnect cannot verify the VPN server: vpn.uci.edu
    - Certificate is from an untrusted source.
    Connecting to this server may result in a severe security compromise!
    Most users do not connect to untrusted VPN servers unless the reason for the error condition is known.
    Connect Anyway? [y/n]:
------------------------------------------------------------------
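One way to narrow down why a client reports a certificate as untrusted, as in the error shown above, is to inspect what the server presents outside the VPN client. The script below is an added example, not part of the original page or of Cisco's tooling. It assumes the openssl command is installed and that the gateway answers TLS on port 443, and it checks against OpenSSL's default trust store, which may differ from the store AnyConnect consults.

```sh
#!/bin/sh
# Added example: triage a VPN gateway certificate with openssl instead of
# answering "y" to "Connect Anyway?". Function names are hypothetical.

# fetch_chain HOST OUT: save the certificates HOST presents (needs network).
# Port 443 is an assumption about the gateway.
fetch_chain() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts \
        </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' >"$2"
}

# chain_trusted PEM [CAFILE]: succeed only if the first certificate in PEM
# chains to a trusted root (OpenSSL default store, or CAFILE if given).
# The rest of PEM is offered as untrusted intermediates.
chain_trusted() {
    if [ -n "${2:-}" ]; then
        out=$(openssl verify -CAfile "$2" -untrusted "$1" "$1" 2>&1) || true
    else
        out=$(openssl verify -untrusted "$1" "$1" 2>&1) || true
    fi
    printf '%s\n' "$out" | grep -q ': OK$'
}

# host_matches PEM HOST: succeed if the leaf certificate is valid for HOST.
host_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# not_expired PEM: succeed if the leaf certificate has not passed its end date.
not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# triage PEM HOST [CAFILE]: print one finding per check; return 0 if all pass.
triage() {
    rc=0
    if chain_trusted "$1" "${3:-}"; then echo "chain: trusted"
    else echo "chain: NOT trusted"; rc=1; fi
    if host_matches "$1" "$2"; then echo "name: matches $2"
    else echo "name: does NOT match $2"; rc=1; fi
    if not_expired "$1"; then echo "dates: not expired"
    else echo "dates: expired"; rc=1; fi
    return "$rc"
}

# Usage: fetch_chain vpn.uci.edu chain.pem && triage chain.pem vpn.uci.edu
```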
1. At the "VPN>" prompt, type "disconnect" and hit return.
1. At the "VPN>" prompt, type "quit" and hit return.
1. As root or sudo, run /opt/cisco/anyconnect/bin/vpn_uninstall.sh
Having installed the core VPN functionality (in Section 1 above), you can actually stop there if you prefer, and from now on, just connect and disconnect using your terminal per the above instructions. If, however, you're using a Gnome-based desktop environment, you also have the option of connecting and disconnecting to the VPN via the NetworkManager icon. Instructions for adding that functionality are below. (If you do install the NetworkManager icon functionality, you can still use the command-line method, too.)
In a terminal, type:

    sudo apt-get install network-manager-openconnect

(or install via Synaptic)
(From now on, all you should have to do is this section any time you want to connect.)
Now all your connections to UCI (web, ssh, ftp, etc.) will be through the VPN until you disconnect.
Please email me to let me know how this process went for you, and/or with any suggestions for improvement on this page itself. Thanks.
(1) Tux Cisco image snarfed from Tom Distler's page, How to connect Linux to a Cisco VPN using a PCF file.
(2) ..thanks to a page at Georgia Tech (now defunct), from which this page was originally adapted
(3) or from the main desktop menu, click System->Preferences->Network Connections and select the VPN tab. OR from the main desktop menu, click Settings Manager->Hardware->Network Connections. One of these (or something like them) should get you in the ballpark. (Don't you just love the Linux desktop zoo???)
Last Updated June 6 2014