Cisco AnyConnect VPN Client

I got into an argument disagreement conversation today with Network Services – and it’s not their fault, managing Windows servers and Desktops they do a great job. This project has forced them almost into an “uncomfortable” zone where Linux just scares them.

I requested that the Linux server I built and then transported from the previous office (where I had network control) and placed in the new office with Network Services have ports 22, 80, 443 and 3306 opened on the new public IP. After answering their demands as to why any port other than 80 and 443 needed to be open, they said “We can provide you VPN access to the network – from which you can access the box on the LAN and not need other ports open” – Okay, fairly straightforward. I do some poking around – they use Cisco AnyConnect to manage the VPN, which has a Linux client. Their instructions showed ActiveX and .exe tools being used and you have to have a special Cisco account to get the client tools. I requested the Linux client and they replied “There is no Linux client for the VPN – it only works with Windows. Don’t you have a Windows machine at home?”

Okay, aside from the obvious – almost naive – comment about having a Windows box, I provided them, in my original email, with proof this “elusive” Linux client exists, yet they blew me off. Later I was told that if Network Services doesn’t have an answer, then they just say no. So I grudgingly go home, boot my laptop into the Windows partition and set up the VPN client to make sure it works. It freaked because I was using Firefox and, instead of pulling some ActiveX hackery, just provided me with the .exe download.

I tested it – it works. Yet I am in Windows – I like to be in Linux since I’m most comfortable on that platform. I reboot and repeat. This time a Java window launches and I get prompted to download vpnsetup.sh – WHOA! The Cisco gateway picked up my version and prompted me with a download. Nice! (Props to Cisco for that.) Downloaded, installed, ran. Shit – errors about a certificate not being readable. Can’t get past this popup box even after I press “Accept”. Quick check of their site: it’s only 32-bit. When I ran an strace and checked the logs I found it was either failing on /usr/lib files being 64-bit or just flat out not finding the right libs at all.

Google pointed me to some old threads about borrowing 32-bit lib files from Firefox.

HERE IS HOW I DID IT
I made sure these were installed:

sudo apt-get install curl ia32-libs lib32nss-mdns libcurl3 libxml2

After that install the vpnsetup file.

Next, download the latest 32-bit Firefox (they don’t seem to distinguish on the page; I just went here and downloaded the Linux version). I extracted it to a temporary location. These are the libs I needed:

libfreebl3.so  libnspr4.so  libnss3.so  libnssdbm3.so  libnssutil3.so  libplc4.so  libplds4.so  libsmime3.so  libsoftokn3.so  libsqlite3.so

Most of those are already covered in other pages – but libsoftokn3.so, which is part of nss-devel, was needed to read the cert properly – hence the weird blank pop-up. (After getting that in place the certificate was read and I could accept it.)

Place those, or soft link them, in /usr/lib32 and, for good measure (though I found it not necessary), /opt/cisco/vpn/lib/

Lastly – run the setup one more time and re-launch the tool.

DON’T BE AN IDIOT LIKE ME AND HARD COPY THESE LIB FILES TO /usr/lib – IT WILL ONLY MAKE YOU WANT TO CRY

That should do it. If it doesn’t, these are other steps I did that I don’t think matter:

Install Getlibs then run the following:

getlibs libsqlite3.so.0
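As an added example (not from the original post or from Cisco), here is a small POSIX shell script that links the ten libraries listed above from an extracted Firefox directory into /usr/lib32 and /opt/cisco/vpn/lib, checking each file’s ELF header first so a 64-bit library can never end up in the 32-bit client’s search path. The directory paths are assumptions; override them with the environment variables if yours differ.

```shell
#!/bin/sh
# Added example, not the original post's code: link the 32-bit NSS/NSPR libs
# from an extracted Firefox tarball into the AnyConnect client's lib dirs,
# refusing any file that is not a 32-bit ELF object (64-bit libs are the
# failure mode seen in the strace above). All three paths are assumptions.
set -u

FIREFOX_DIR="${FIREFOX_DIR:-/tmp/firefox}"     # where the tarball was extracted
LIB32_DIR="${LIB32_DIR:-/usr/lib32}"
CISCO_LIB="${CISCO_LIB:-/opt/cisco/vpn/lib}"

NEEDED_LIBS="libfreebl3.so libnspr4.so libnss3.so libnssdbm3.so libnssutil3.so
libplc4.so libplds4.so libsmime3.so libsoftokn3.so libsqlite3.so"

# Print the ELF class of a file: 32, 64, or "none" if it is not an ELF file.
# Bytes 0-3 are the magic \x7fELF; byte 4 (EI_CLASS) is 1 for 32-bit, 2 for 64-bit.
elf_class() {
    magic=$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo none; return; }
    case $(head -c 5 "$1" | tail -c 1 | od -An -tu1 | tr -d ' ') in
        1) echo 32 ;;
        2) echo 64 ;;
        *) echo none ;;
    esac
}

# Symlink every needed lib from $1 into each remaining directory argument.
# Returns 1 if any lib is missing or is not a 32-bit ELF; the rest still get linked.
link_libs() {
    src=$1; shift
    rc=0
    for lib in $NEEDED_LIBS; do
        f="$src/$lib"
        cls=$(elf_class "$f")
        if [ "$cls" != 32 ]; then
            echo "skip $lib: $cls (need a 32-bit ELF object)" >&2
            rc=1
            continue
        fi
        for dst in "$@"; do
            mkdir -p "$dst"
            ln -sfn "$f" "$dst/$lib"      # symlink, never a hard copy
        done
    done
    return $rc
}

# Usage: sh link-nss32.sh /path/to/extracted/firefox   (needs root for /usr/lib32)
if [ "$#" -gt 0 ]; then
    link_libs "$1" "$LIB32_DIR" "$CISCO_LIB"
fi
```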

I will be packaging the modified libs into a support deb and rpm package for easy distribution. Right now I’m the only Linux user in the entire company (a company with over 10,000 employees worldwide), but with this new initiative there will be a lot more Linux users in the future.

I look forward to emailing Network Services about how I connected via VPN on Linux to the network – Thanks Cisco for meeting me half way!