Installing and using the Cisco AnyConnect client with Ubuntu for UCI VPN

- Jeff Stern (jas at uci dot edu) (1)

Introduction

OIT has a good general instruction page on setting up the Cisco AnyConnect VPN client software for Linux, but I got tripped up in a couple of places and thought I'd pass on some heads-ups for other Ubuntu users.

I originally wrote this "How-To" for Ubuntu version 10, but have updated it through version 13. It should also work for derived distributions (XUbuntu, KUbuntu, etc.).

Summary

To get the Cisco VPN client working for an Ubuntu system, you'll need to install at least the Cisco AnyConnect client (Section 1). This installs a shell vpn command to connect to / disconnect from the UCI VPN. KDE users (like myself) will have to use this method and stop here.

If you run a Gnome-based desktop, you can also optionally add the Linux NetworkManager OpenConnect GUI icon (2) to connect to and disconnect from the UCI VPN using your mouse (Section 2).

Section 1: Installing and Using Core VPN Functionality (Cisco AnyConnect client)

Installation

1. Go to UCI's VPN page.

2. Click on Download the Software VPN.

3. Log in with your UCINetID if it asks.

4. Click on Linux 32-bit AnyConnect or Linux 64-bit AnyConnect,
   depending on your system, and click get the VPN client.

5. Now, supposing you downloaded this to ~/Downloads, open a terminal and:

   $ cd ~/Downloads
   $ tar zxvf anyconnect-3.1.03103.tar.gz
   $ cd anyconnect-3.1.03103/vpn
   $ sudo ./vpn_install.sh

   (By the time you read this, the AnyConnect version number
   -- anyconnect-3.1.03103 -- will probably be different/newer;
   substitute the version you actually downloaded in the lines above.)

6. Accept the terms and let it finish.

   Do you accept the terms in the license agreement? [y/n] y
   You have accepted the license agreement.
   Please wait while Cisco AnyConnect Secure Mobility Client is being installed...
   Starting Cisco AnyConnect Secure Mobility Client Agent...
   Done!


7. When the script is finished, the vpn client should now have been
   installed on your system and the vpnagentd process started. You can
   verify this by looking at the active processes:

   $ ps auxw | grep vpnagentd | grep -v grep
   root      3049  0.0  0.2 165960  8356 ?        Sl   09:07   0:04 /opt/cisco/anyconnect/bin/vpnagentd

8. During the installation, the vpnagentd daemon should now be set up
   to be started each time your system is booted. To verify:

   $ find /etc/rc?.d -type l -name '*vpnagentd*'
   /etc/rc2.d/K25vpnagentd
   /etc/rc2.d/S85vpnagentd
   /etc/rc3.d/K25vpnagentd
   /etc/rc3.d/S85vpnagentd
   /etc/rc4.d/K25vpnagentd
   /etc/rc4.d/S85vpnagentd
   /etc/rc5.d/K25vpnagentd
   /etc/rc5.d/S85vpnagentd

   or

   $ ls -l /etc/rc?.d/*vpn*
   lrwxrwxrwx 1 root root 21 Jun  5 09:07 /etc/rc2.d/K25vpnagentd -> /etc/init.d/vpnagentd*
   lrwxrwxrwx 1 root root 21 Jun  5 09:07 /etc/rc2.d/S85vpnagentd -> /etc/init.d/vpnagentd*
   lrwxrwxrwx 1 root root 21 Jun  5 09:07 /etc/rc3.d/K25vpnagentd -> /etc/init.d/vpnagentd*
   lrwxrwxrwx 1 root root 21 Jun  5 09:07 /etc/rc3.d/S85vpnagentd -> /etc/init.d/vpnagentd*
   lrwxrwxrwx 1 root root 21 Jun  5 09:07 /etc/rc4.d/K25vpnagentd -> /etc/init.d/vpnagentd*
   lrwxrwxrwx 1 root root 21 Jun  5 09:07 /etc/rc4.d/S85vpnagentd -> /etc/init.d/vpnagentd*
   lrwxrwxrwx 1 root root 21 Jun  5 09:07 /etc/rc5.d/K25vpnagentd -> /etc/init.d/vpnagentd*
   lrwxrwxrwx 1 root root 21 Jun  5 09:07 /etc/rc5.d/S85vpnagentd -> /etc/init.d/vpnagentd*


9. Make an alias that points to the vpn command, so that you only have
   to type "vpn" to start it.  Insert the following line into either
   your ~/.bashrc or ~/.bash_aliases file:

   alias vpn='/opt/cisco/anyconnect/bin/vpn'

10. Now sign out and back in so that the alias takes effect.
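The checks from steps 7 and 8, as an added example written here (not from the original page or from Cisco): a reusable POSIX shell function. The ROOT prefix argument and the function names are my own, the glob passed to find is quoted so the shell does not expand it against the current directory, and dangling symlinks are counted as missing.

```shell
# Added example: reusable version of the step 7/8 install checks.
# check_anyconnect ROOT inspects ROOT/opt/cisco/... and ROOT/etc/rc?.d;
# pass "" for ROOT on the live system (ROOT is a hypothetical helper
# argument that lets the checks be exercised against a test tree).

check_rc_links() {
    root=$1
    n_start=0
    n_kill=0
    for lvl in 2 3 4 5; do
        dir="$root/etc/rc$lvl.d"
        [ -d "$dir" ] || continue
        # Quote the glob: unquoted, *vpnagentd* would be expanded by the
        # shell in the current directory before find ever sees it.
        for link in $(find "$dir" -type l -name '*vpnagentd*'); do
            # A dangling symlink (target removed) is as bad as a missing one.
            [ -e "$link" ] || continue
            case $(basename "$link") in
                S*) n_start=$((n_start + 1)) ;;
                K*) n_kill=$((n_kill + 1)) ;;
            esac
        done
    done
    echo "start=$n_start kill=$n_kill"
    # One S and one K link per runlevel 2-5, as the page's listing shows.
    [ "$n_start" -eq 4 ] && [ "$n_kill" -eq 4 ]
}

check_anyconnect() {
    root=$1
    bin="$root/opt/cisco/anyconnect/bin/vpn"
    if [ ! -x "$bin" ]; then
        echo "client binary missing or not executable: $bin"
        return 1
    fi
    if ! check_rc_links "$root" >/dev/null; then
        echo "vpnagentd boot links incomplete under $root/etc/rc?.d"
        return 1
    fi
    # The daemon check only makes sense on the live system.
    if [ -z "$root" ] && ! pgrep -x vpnagentd >/dev/null 2>&1; then
        echo "vpnagentd is not running"
        return 1
    fi
    echo "AnyConnect install looks complete"
}

# On the live system:  check_anyconnect ""
```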

Connecting (via command-line)

1. To start the client from a command-line prompt in a terminal
   window, using the alias you made above:

   $ vpn

2. At the "VPN>" prompt, type "connect vpn.uci.edu" and press return.
   You will now see:
   
   VPN> connect vpn.uci.edu
   >> Please enter your UCInetID and password.
   0) Default-WebVPN
   1) Merage
   2) MerageFull
   3) UCI
   4) UCIFull

   If you do not see this, but get a connect error instead, please
   see NOTE 1 - Connect Error below.

3. Ignore the message about entering your UCInetID and password, for
   now.

4. Choose one of the options by number and press return -- usually
   "UCI" or "UCIFull". (The differences between the tunnels are
   described on UCI's VPN-for-Linux page.) For instance, for "UCI",
   press 3 and return.

5. Enter your UCInetID and password in the Username and Password boxes
   and press return.

6. At the "accept? [y/n]:" prompt, type "y" and press return. You may
   get several notices the first time about the downloader performing
   update checks.  At the end you should see a ">> state: Connected"
   message and a new "VPN>" prompt. You are now connected.

7. Either leave the VPN> prompt open or if you want your terminal back
   just type 'quit' at the VPN> prompt (the connection will remain
   active).

NOTE 1 - Connect Error

   In most cases I have seen, a connection is made.  I have, however,
   seen the error below only once. It was when the person was
   installing on a netbook (running Gnome) which was on campus and
   using the campus wifi system (though I don't know if those factors
   were the cause).  It didn't matter whether they answered y or n; they
   continued to get the error and be denied a connection.

   The error means the client could not validate the server's
   certificate against the certificates it trusts, so it cannot confirm
   that the host answering as vpn.uci.edu is really the UCI VPN server;
   answering y would connect without that check.

   If you get this error, call the OIT Help Desk at 949-824-2222, or
   write them at oit@uci.edu.  If you find a solution, I'd appreciate
   knowing what it is: (jas at uci dot edu). Thanks.

   ------------------------------------------------------------------
   Error:

   VPN> connect vpn.uci.edu
   connect vpn.uci.edu
     >> contacting host (vpn.uci.edu) for login information...
     >> notice: Contacting vpn.uci.edu.
   VPN> AnyConnect cannot verify the VPN server: vpn.uci.edu
       - Certificate is from an untrusted source.
   Connecting to this server may result in a severe security compromise!

   Most users do not connect to untrusted VPN servers unless the
   reason for the error condition is known.

   Connect Anyway? [y/n]: 
   ------------------------------------------------------------------


To disconnect

1. At the "VPN>" prompt, type "disconnect" and hit return.

To exit

1. At the "VPN>" prompt, type "quit" and hit return.

De-installation / Removal

1. As root (or via sudo), run /opt/cisco/anyconnect/bin/vpn_uninstall.sh

Section 2: Installing and Using NetworkManager Icon (GUI)

If you prefer, you can actually stop here, and from now on, just
connect and disconnect using your terminal per the above instructions.

If, however, you're using a Gnome-based desktop environment, you
also have the option of connecting to and disconnecting from the VPN
via the NetworkManager icon.  Instructions for adding that
functionality are below. (If you do install the NetworkManager icon
functionality, you can still use the command-line method, too.)
  1. Install core VPN functionality (above)
  2. Install the Ubuntu NetworkManager OpenConnect plugin

    In a terminal, type:

    sudo apt-get install network-manager-openconnect

    (or install it via Synaptic)

  3. Configure a NetworkManager VPN profile for UCI

    1. find the "Network Manager" icon in your System Tray on your desktop.
       (Screenshot examples: Ubuntu 10.04 with Gnome desktop; Xubuntu 13.04 with Xfce desktop.)
    2. click on that Network manager icon, and choose VPN Connections->Configure VPN(3)
    3. click Add
    4. choose Cisco AnyConnect Compatible VPN (openconnect) and click Create
    5. Connection name: anything you want, e.g., UCI.
    6. Gateway: vpn.nacs.uci.edu
    7. User name: leave blank.
    8. hit Apply and then Close (or just Save)
  4. Connect/Disconnect

    (From now on, all you should have to do is this section any time you want to connect.)

    Connecting

    1. click on the Network Manager icon in your system tray and choose VPN Connections->UCI (or whatever you named your connection).
    2. click on the "plug" icon to the right of vpn.nacs.uci.edu.

    3. choose your Group. This corresponds to the VPN Connection Tunnels documented on UCI's VPN-for-Linux page. For better speed when making non-UCI connections, I usually just choose the UCI "split tunnel" group (it would probably communicate its purpose better if it were called UCI-only).
    4. fill in Username and Password with your UCInetID credentials
    5. click Login

    Now all your connections to UCI (web, ssh, ftp, etc.) will go through the VPN until you disconnect.

    Disconnecting

    1. when you're done using the UCI VPN, just left-click on the Network Manager icon in your system tray and choose VPN Connections->Disconnect VPN.

Feedback

Please email me to let me know how this process went for you, and/or with any suggestions for improvement on this page itself. Thanks.

Footnotes

(1) Tux Cisco image snarfed from Tom Distler's page, How to connect Linux to a Cisco VPN using a PCF file.

(2) ..thanks to a page at Georgia Tech, from which this page was adapted

(3) or from the main desktop menu, click System->Preferences->Network Connections and select the VPN tab. OR from the main desktop menu, click Settings Manager->Hardware->Network Connections. One of these (or something like them) should get you in the ballpark. (Don't you just love the Linux desktop Zoo???)


Last Updated June 6 2014