Cisco Anyconnect 4.7x on Librem 15


#1

Hi there. I’m trying to use my company’s VPN on my Librem 15. I first tried with PureOS, and now with Ubuntu 18.04 LTS. The AnyConnect client is version 4.704056. I can use it successfully on my desktop which is running Ubuntu 18.04 LTS, but on my Librem 15 it won’t work.

I’ve read the information on this thread: Finspy warning!.

I also tried the proposed solution here: https://community.cisco.com/t5/vpn-and-anyconnect/anyconnect-on-linux-apparently-not-trusting-imported-root-ca-s/td-p/3903499

Neither of the above resolved the issue.

Does anyone know if there is a workaround? Could this somehow be an issue specific to the hardware in the Librem15?

If anyone has any information or advice they could share I would greatly appreciate it.

Thanks,
Pablo


#2

@pablogosse could you please explain what is not working with AnyConnect?
Is there any error output or something like that?
Like, is the program starting and the VPN connection not working, or what’s wrong?
Last time I used AnyConnect I had to install network-manager-openconnect-gnome
to install it, but that was on a non-GNOME desktop.


#3

Did you also consider using the free and open source openconnect software? I only have experience with openconnect, but not on Librem hardware.
I think that it would be useful to provide more detailed (error) logging in order to have a better understanding of the problem you are encountering.
See here on how to find help in using openconnect.


#4

I am so sorry! It was a loooong week and I can’t believe I didn’t provide a screenshot or command line output!

I’m not at my laptop right now, but a quick google search gave me an example of the GUI error I received. The attached image shows the error.

I did try via openconnect and openssl on the command line, and the error below is the one I received from both:

Server certificate verify failed: signer not found

Certificate from VPN server “vpn.unbc.ca” failed verification.
Reason: signer not found

As per the post I referenced on the Cisco forums I’ve tried copying all the trusted certs from /etc/ssl/certs into /opt/.cisco/certificates/ca but it still didn’t work.

I tried minimal and normal Ubuntu installs with the same result.

The one thing I did notice, is that on my desktop Ubuntu, when I go to the network manager GUI and manually add a VPN Cisco AnyConnect is an option. When I do that on my laptop AnyConnect is not an option, only a Microsoft VPN type.

Thank you both for your replies. Much appreciated.

Pablo


#5

The dialog box message implies that this problem is only by default.

It wouldn’t be the recommended solution but have you tried configuring not to block untrusted servers? Unwilling? Unable? Tried it but it made no difference? If you tried it, what configuration options are offered?

The correct approach with a certificate problem is to examine the certificate to see who signed it or, more accurately, what CA certificate was used to sign it. That tells you which CA certificate you are trying to import. In theory you may have to repeat that process up the CA chain. However whether the AnyConnect software gives you the tools to examine the certificate is unknown. (If this VPN implementation is using SSL and you know what port it is connecting to then you may be able to use Firefox, or similar, to examine the certificate. A web browser will very likely fail to talk to the VPN server but if you don’t even get past the certificate, that may not matter.)

Doubt it. But it could be specific to PureOS, i.e. different versions of different distros come with different sets of root CAs out of the box, etc., and potentially different directories holding CAs and other certificates.


#6

I did try, and it does work, but my head of security is adamant that I not do that, as it is inherently insecure.

The problem now is on Ubuntu 18.04 LTS, not PureOS (though it also happened on PureOS when I had that installed).

What I find most interesting is that it works on my desktop install of Ubuntu 18.04 LTS, but not on my Librem 15 install (this is why I wondered about the hardware layer, though I agree that’s likely not the cause).

The cert is signed by DigiCert, and the certs I have on my laptop install of Ubuntu are the same as the desktop.

I am able to examine the CA certificate via Firefox, so will look into that later. For now a calculus lab is calling my name.

Thanks for your input!

Cheers,
Pablo


#7

Understandable.

Ideally any SSL client software would allow you to add a temporary or permanent exception for a specific certificate. In some respects, that is more secure than having to add an extra CA.

Most likely to be settings / exact software version of some component / other environmental difference.

For simplicity, I would make sure that the two computers are using the same mirror for updates.

I don’t know whether it is an option but if you can try a single given Ubuntu LiveBoot USB on each computer, that would ideally get to a point where either both work or both fail.

You want to examine the end-user certificate, and then the CA chain, to find out at what point it is crapping out.

There are so many points at which certificate validation can fail that you really need a decent error message.

Example crap out reasons:

  • names on cert don’t match desired hostname
  • expired cert or other date problem
  • unrecognised CA

I have listed those in approximate descending order of frequency, based on my encounters (in a completely different context).
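The diagnostic approach from #5 (look at who signed the leaf certificate) and the three failure classes listed just above can be reproduced offline with plain openssl. This is an added example, not something posted in the thread: it constructs a throwaway lab CA and a leaf certificate for the made-up hostname vpn.example.test, then runs `openssl verify` in each failing configuration so you can see the exact reason string that corresponds to a vague "signer not found".

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway CA and a leaf
# certificate for the made-up hostname vpn.example.test, then reproduce
# with `openssl verify` the failure classes the replies describe.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throwaway root CA and a 2-day leaf cert signed by it (constructed, not real).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout ca.key -out ca.pem \
    -subj "/CN=Example Lab Root CA" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout vpn.key -out vpn.csr \
    -subj "/CN=vpn.example.test" >/dev/null 2>&1
printf 'subjectAltName=DNS:vpn.example.test\n' > san.cnf
openssl x509 -req -in vpn.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 2 -extfile san.cnf -out vpn.pem >/dev/null 2>&1

# Step one of any cert problem: who issued the leaf? That issuer is the CA
# certificate the client has to trust (repeat up the chain if needed).
show_chain() { openssl x509 -in "$1" -noout -subject -issuer -dates; }

# Run `openssl verify` with the given arguments and print either "OK" or the
# single reason string openssl gives (e.g. "certificate has expired").
verify_reason() {
    if out=$(openssl verify "$@" 2>&1); then
        echo OK
    else
        echo "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1
    fi
}

show_chain vpn.pem
# Unrecognised CA: no trust store knows the lab CA (AnyConnect's "signer not found").
verify_reason -no-CAfile -no-CApath vpn.pem
# Trusted CA plus matching hostname: the one case that should pass.
verify_reason -CAfile ca.pem -verify_hostname vpn.example.test vpn.pem
# Names on the cert do not match the hostname being dialled.
verify_reason -CAfile ca.pem -verify_hostname other.example.test vpn.pem
# Date problem: evaluate validity 10 days from now, after the leaf has expired.
verify_reason -CAfile ca.pem -attime "$(( $(date +%s) + 10 * 86400 ))" vpn.pem
```

Against a real server, the same checks apply to the chain you save from `openssl s_client -showcerts -connect host:port`; the issuer printed by `show_chain` is the certificate that has to be present in whatever store the client actually reads.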


#8

Thank you so much for your response, Kieran. I actually set up a separate desktop at work last week using the same Liveboot USB, and today I verified that Cisco Anyconnect fails on that system as well.

The working system I have was created over a year ago, and I’m not certain I can find the disk from which I created the USB ISO. I’m going to try creating a new one and see if that works.

Thank you so much for your assistance. At this point I’m confident it’s nothing to do with the Librem 15 specifically, and is somehow caused by this specific ISO.

I was a little perplexed when I copied all the root certs from the working Ubuntu install onto my Librem 15 and it still didn’t work, but at this point I’m not going to lose much sleep over that.

I’ve got a second SSD in the Librem where all my data is stored, so I can easily flash it with a new Ubuntu ISO and see if I can get it resolved.

Thanks so much for all your feedback.

Cheers,
Pablo