Howto: Connect to Cisco AnyConnect VPN using OpenConnect and PKI Token

The OpenConnect VPN client for Cisco AnyConnect is now capable of using PKCS#11 tokens for certificate authentication. Here’s how…
First, make sure the token is installed and working. Refer to other HOWTOs for this. However, as far as I can tell, none of the existing HOWTOs mention p11-kit, so your token won’t automatically appear to applications which use p11-kit.
To fix this, create a file /etc/pkcs11/modules/opensc-module with content like the following:
module:/usr/lib64/opensc-pkcs11.so
Obviously you may need to adjust that library path on your system.
Now you can use the seahorse UI to import certificates, and ‘p11tool --list-all’ should show your certificate. Of course, you can import or generate certificates any way you like; you don’t have to use seahorse.
Make sure you have OpenConnect v4.05 or newer, and that it is built with GnuTLS rather than OpenSSL. If you run ‘openconnect --version’, it should report ‘PKCS#11’ in its feature list.
Next you need to know the PKCS#11 URL for your key/certificate, which will be shown by ‘p11tool --list-all’. The URLs for the key and the cert should differ only in that the key will contain the attribute ‘;object-type=private’, while the certificate will have ‘;object-type=cert’.
Remove the ;object-type=xxx part from the URL, and pass that in the -c argument to OpenConnect, something like the following:

# openconnect -c 'pkcs11:manufacturer=EnterSafe;id=0%d5s%f8%09%99%ba%5c%c7' https://vpn.example.com/

For readability purposes you can remove other redundant information from the URL too, as I have done above. Since the URL contains semicolons, which the shell treats as command separators, don’t forget to put quotes round it.
(Note that for the Feitian ePass PKI tokens and probably others, you do seem to need to specify the token; the key object isn’t even listed until you log in, so p11-kit doesn’t even know it’s there. So rather than logging in to every token that might possibly exist, the search will just fail. You need OpenConnect v4.05 for this too, as earlier versions would ‘forget’ the token information even if you did include it in the URL.)
You can also use PKCS#11 tokens when connecting with NetworkManager, but the GUI for configuring NetworkManager doesn’t let you set a PKCS#11 certificate. This is https://bugzilla.gnome.org/show_bug.cgi?id=679860 — to work around it, you can edit the NetworkManager configuration file for your VPN connection, probably in /etc/NetworkManager/system-connections/, and put your PKCS#11 URL into the usercert= field. Then when you connect from the GUI it should work correctly.
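The steps above (read the URLs from p11tool, check that key and cert are the same object, strip ;object-type=, shorten the URL, quote it for openconnect) and the NetworkManager usercert= workaround can be scripted. The following is an added example and not part of the original post or of OpenConnect; the p11tool output and the NetworkManager keyfile fragment are constructed samples, the token id %de%ad%be%ef, the token label VPN and the keyfile keys are assumptions, and the script only prints the openconnect command rather than running it.

```shell
#!/bin/sh
# Added example, not from the original post. Works with POSIX sh, sed, grep, tr.

# Constructed sample of what 'p11tool --list-all' prints for one cert/key pair.
# Real output differs; the id and token label here are assumptions.
SAMPLE_P11TOOL_OUTPUT='Object 0:
    URL: pkcs11:model=ePass2003;manufacturer=EnterSafe;serial=0123456789;token=VPN;id=%de%ad%be%ef;object=VPN%20cert;object-type=cert
    Type: X.509 Certificate
    Label: VPN cert
    ID: de:ad:be:ef

Object 1:
    URL: pkcs11:model=ePass2003;manufacturer=EnterSafe;serial=0123456789;token=VPN;id=%de%ad%be%ef;object=VPN%20cert;object-type=private
    Type: Private key
    Label: VPN cert
    ID: de:ad:be:ef
'

# Print the URLs from p11tool output, one per line, without the "URL:" prefix.
p11_urls() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*URL: *//p'
}

# Remove the ;object-type=xxx attribute so the URL matches both the
# certificate and its private key (handles it in any position).
strip_object_type() {
    printf '%s\n' "$1" | sed -e 's/;object-type=[^;]*//' \
                             -e 's/^pkcs11:object-type=[^;]*;*/pkcs11:/'
}

# Succeed only if the key and cert URLs differ in nothing but object-type.
same_object() {
    [ "$(strip_object_type "$1")" = "$(strip_object_type "$2")" ]
}

# Keep only the attributes that identify the token and the object
# (manufacturer, token, id); model, serial and the object label are dropped.
# The token attribute is kept because some tokens (see the ePass note above)
# do not list the key until you log in, so p11-kit needs to know which token.
shorten_url() {
    attrs=$(printf '%s\n' "$1" | sed 's/^pkcs11://' | tr ';' '\n' \
            | grep -E '^(manufacturer|token|id)=' | tr '\n' ';')
    printf 'pkcs11:%s\n' "${attrs%;}"
}

# Build the openconnect invocation; single quotes protect the semicolons.
openconnect_command() {
    printf "openconnect -c '%s' %s\n" "$1" "$2"
}

# Constructed fragment of a NetworkManager keyfile (assumed layout).
SAMPLE_NM_KEYFILE='[connection]
id=Work VPN
type=vpn

[vpn]
gateway=vpn.example.com
usercert=/home/user/vpn-cert.pem
service-type=org.freedesktop.NetworkManager.openconnect
'

# Replace the usercert= value with the PKCS#11 URL (the GUI cannot set this).
nm_set_usercert() {
    printf '%s\n' "$1" | sed "s|^usercert=.*|usercert=$2|"
}

CERT_URL=$(p11_urls "$SAMPLE_P11TOOL_OUTPUT" | grep 'object-type=cert')
KEY_URL=$(p11_urls "$SAMPLE_P11TOOL_OUTPUT" | grep 'object-type=private')

if same_object "$CERT_URL" "$KEY_URL"; then
    URL=$(shorten_url "$(strip_object_type "$CERT_URL")")
    openconnect_command "$URL" https://vpn.example.com/
    nm_set_usercert "$SAMPLE_NM_KEYFILE" "$URL"
else
    echo "certificate and key URLs do not refer to the same object" >&2
fi
```

Running the script prints `openconnect -c 'pkcs11:manufacturer=EnterSafe;token=VPN;id=%de%ad%be%ef' https://vpn.example.com/` followed by the keyfile with the usercert= line rewritten. To use it for real, replace SAMPLE_P11TOOL_OUTPUT with `$(p11tool --list-all)` and point nm_set_usercert at the file under /etc/NetworkManager/system-connections/ (writing the result back with root privileges).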

Source: Gooze.eu
