Connecting to Cisco AnyConnect VPN without stored certificate or shared secret
Many people have discussed configuring the OS X built-in VPN client to connect to Cisco VPNs in place of the AnyConnect client. However, all discussion focuses on copying critical config information (shared secret or certificate, in particular) from a PCF or Profile.xml file included in a site-specific AnyConnect installer.
The AnyConnect installer where I am now (version 4.2.01035) seems not to deploy any profile information. /opt/cisco/anyconnect/profile
contains only AnyConnectProfile.xsd
(a standard schema definition, not anything specific to this configuration). There’s no sign of any profile XML or PCF files that I can find in /opt/cisco
, /Library
, or $HOME/Library
.
This matches the UI experience: there don’t seem to be any preconfigured profiles. Instead, on first launch I just get a blank VPN field in which I simply enter a hostname by hand (in this case, ucbvpn.berkeley.edu
) and hit connect. This gives a login prompt including a group selection dropdown, and username and password fields. Simply entering a username and password initiates the connection in the mode specified by the given “group,” and everything works fine.
I cannot, however, figure out how this configuration can be fully transferred to the OS X native VPN client. Transferring a chosen group name from the list seemingly auto-discovered by the AnyConnect client, but the OS X VPN configuration seems to also require explicitly entering either a shared secret or a certificate.
My best guess is that the Cisco client is operating in a perhaps new mode where it can negotiate directly with the server to auto-discover any necessary configuration information, and that it’s not stored on disk anywhere. Does anyone have any experience with a setup like this, or have any suggestions of what else to try?
Solution 1:
I believe that the AnyConnect client can be used to connect to a number of different types of VPN offered by Cisco. The process you describe above leads me to believe that you are connecting to an SSL-VPN. SSL-VPN does not require the use of a shared secret for the first layer of encryption. Instead the client and the server auto-negotiate that first layer encryption using SSL. You are then asked for credentials and a group membership. The remainder of your VPN session is uniquely encrypted following Authentication.
You could script the connection so that instead of having to enter your credentials each time, you can store them in your keychain, and simply initiate the connection from the shell, or other script. I did so a few years ago here: http://www.wellingtonnet.net/code/2014-02-04/cisco_anyconnect_client_mac.html
I have noticed that with each update of AnyConnect, I have had to tweak this script, so use it as an example and go from there. It has been about a year since I last needed to connect via AnyConnect.