Solved: Hello, I have a ASA 5505 with a SSL VPN Setup. My question is about certificates. To be secure do i need to buy a third party Certificate or can i self sign a certificate in the ASA and add the certificate to the client so it doesn't throw a. Anyconnect uses 'ssl-vpn' by default, but it can be configured to run IKEv2 vpn also (i think, you have to place a connection profile on the VPN gateway to force anyconnect to use IKEv2). Also anyconnect is alble to run (and mybe will do so by default) 'ssl-vpn over dtls', which uses tunneling over udp/443 instead of tcp/443. The AnyConnect client provides remote end users running Microsoft Vista, Windows XP or Windows 2000, Linux, or Macintosh OS X, with the benefits of a Cisco SSL VPN client, and supports applications and functions unavailable to a clientless, browser-based SSL VPN connection. In addition, the AnyConnect client supports IPv6 over an IPv4 network.
Overview
ASA: 8.3+ (Written/Tested on 9.0)
Authentication: Local (Local ASA User Database)
Anyconnect Ssl Client 2020
Type: Split-tunnel OR Non split-tunnel
The below configurations will work with 8.3+, but was written and tested with 9.0. When setting up a Anyconnect VPN tunnel, you can push all traffic from the client over the VPN (Tunnel all) or you can use a split tunnel to only push traffic destined for selected subnets over the VPN tunnel. In laymen terms, the clients internet traffic originates from their ISP in a split tunnel, and it originates from the ASA when using tunnel all. The below configuration examples assume you have a basic setup equivalent to running factory-default and are setup to authenticate locally to the ASA. I will give examples of each configuration below.
Network Diagram
The ASA has a command that gives an overview of how to configure an Anyconnect SSL VPN, which in global configuration mode is vpnsetup ssl-remote-access steps. Here are the results of that command:
There are a few important things to note from Cisco’s directions:
- They are using the default names for configuring the group policy and tunnel groups, which will throw a warning that they already exist since they’re defaults
- The directions do not specify that you MUST attach the VPN Address pool to the tunnel group, which is necessary for it to work!
- They do not include how to create a split tunnel or a tunnel all to allow internet from the Anyconnect client.
- They are using outdated “svc” commands, which were replaced with “anyconnect”.
With that said, let’s move on to the configurations!
Anyconnect Configuration 1: Tunnel All
Anyconnect Configuration 2: Split Tunnel
Testing the Configuration
Anyconnect Ssl Client App
Open a web browser, connect to your ASA (https://vpn.domain.com OR https://172.31.100.1), and you’ll be prompted to login. You can login with the user account you’ve created in the configuration above. The Anyconnect client will automatically install, if it fails you may need to download and manually install it. Once installed, you can connect to your ASA by the outside interface (vpn.domain.com OR 172.31.100.1) and authenticate with the user you’ve created.
Additional Notes
You may wish to use a 3rd party SSL certificates (ie: Verisign, Thawte, Godaddy, etc) so end users do not get prompted about certificate warnings. Cisco ASA’s will regenerate it’s certificate upon reboot, and due to this you should create a self signed certificate whenever you cannot use a 3rd party. You can create the self signed certificate as follows:
OpenConnect is a cross-platform multi-protocol SSL VPN client which supports a number of VPN protocols:
- Cisco AnyConnect (--protocol=anyconnect)
- Juniper SSL VPN (--protocol=nc)
- Pulse Connect Secure (--protocol=pulse
- Palo Alto Networks GlobalProtect SSL VPN (--protocol=gp)
- F5 Big-IP SSL VPN (--protocol=f5)
- Fortinet Fortigate SSL VPN (--protocol=fortinet)
OpenConnect is not officially supported by, or associated in any waywith Cisco Systems, Juniper Networks, Pulse Secure, Palo Alto Networks, F5,or Fortinet, or any of the companies whose protocols we may support in the future.It just happens to interoperate with their equipment. Trademarks belong totheir owners in a rather tautological and obvious fashion.
An openconnect VPN server (ocserv), which implementsan improved version of the Cisco AnyConnect protocol, has also beenwritten.
OpenConnect is released under the GNU Lesser Public License, version 2.1.
Motivation
Development of OpenConnect was started after a trial of the Cisco AnyConnectclient under Linux found it to have many deficiencies:
- Inability to use SSL certificates from a TPM or PKCS#11 smartcard, or even use a passphrase.
- Lack of support for Linux platforms other than i386.
- Lack of integration with NetworkManager on the Linux desktop.
- Lack of proper (RPM/DEB) packaging for Linux distributions.
- 'Stealth' use of libraries with dlopen(), even using the development-only symlinks such as libz.so — making it hard to properly discover the dependencies which proper packaging would have expressed
- Tempfile races allowing unprivileged users to trick it into overwriting arbitrary files, as root.
- Unable to run as an unprivileged user, which would have reduced the severity of the above bug.
- Inability to audit the source code for further such 'Security 101' bugs.
Naturally, OpenConnect addresses all of the above issues, and more.
Download Cisco Ssl Vpn Client
New protocols
Adding new protocols to OpenConnect is relatively simple, andadditional protocols have been added over the years since usingOpenConnect allows a developer to concentrate on the protocol itselfand most of the boring details about platform-specific tunnel managementand IP configuration, and handling of client SSL certificates, are alreadyresolved.
If you have a protocol which you think it makes sense to support inOpenConnect, especially if you are able to help with interoperabilitytesting, please file an issuein GitLab.
Consistent multi-protocol support
Wherever possible, OpenConnect presents a uniform API and command-lineinterface to each of these VPNs. For example,openconnect --force-dpd=10will attempt dead peer detection every 10 seconds on every VPN thatsupports it, even though the actual mechanism used may be protocol-specific.Protocol-specific features and deficiencies are described on theindividual protocol pages.