Cisco AnyConnect VPN on RedHat/CentOS Enterprise Linux

I've just wasted several hours on configuring VPN for my university's system.

The University adopted Cisco AnyConnect, which is provided in a shell script "vpnsetup.sh". There are several flaws in the script, however, which make this a relatively tough, confusing install. But it seems to work in the end.

Step 1. Install the RPM package "chkconfig". Without that, the vpnsetup script fails. vpnsetup.sh assumes chkconfig is installed and used to set daemons, but it is no longer default on Fedora or RedHat.

After installing chkconfig, run vpnsetup.sh again. Then there is an error message when you try to use the Cisco AnyConnect client:

AnyConnect cannot confirm it is connected to your secure gateway. The
local network may not be trustworthy. Please try another network.

There is a separate fix for that. This makes no sense to me at all, but it does work.

Step 2. Carry out the weird, ad hoc fix that is described in the email I just received from KU IT and also on these websites.

I found it at these sites, just a few hours before I received this message from itcsc describing the same fix:

http://people.fas.harvard.edu/~pdurbin/blog/2011/09/15/getting-the-cisco-anyconnect-vpn-client-to-work-on-centos-6-x86_64.html

Blog posts at http://cuz.cx/lampshade/2010/01/running-cisco-anyconnect-on-64bit-fedora-12/
and http://puschitz.com/pblog/?p=39

This would have us create symbolic links to several shared libraries in a directory /usr/local/firefox:

# mkdir -p /usr/local/firefox
# cd /usr/local/firefox
# ln -s /usr/lib/libnss3.so .
# ln -s /usr/lib/libplc4.so .
# ln -s /usr/lib/libnspr4.so .
# ln -s /usr/lib/libsmime3.so .
# ln -s /usr/lib/nss/libsoftokn3.so .

Update: 2013-01-27

I just went through this same install with the VPN setup that the university is now providing. It is a tarball, not a single self-extracting script: anyconnect-linux-2.0.0343-k9.tar.gz. Inside, there is a script vpn_install.sh. That still assumes that the chkconfig software is installed. That won't work when run with sudo, but logging in as root does work (sudo -s).

The script has some flaws I've not diagnosed fully yet, resulting in this error.

Removing previous installation...
insserv: warning: script 'K01vpnagentd_init' missing LSB tags and overrides
insserv: warning: script 'vpnagentd_init' missing LSB tags and overrides
insserv: warning: script 'vpnagentd_init' missing LSB tags and overrides
vpnagentd_init            0:off  1:off  2:on   3:on   4:on   5:on   6:off
Starting the VPN agent...
./vpn_install.sh: 166: [: unexpected operator
Done!

That unexpected operator error is annoying, but if you read vpn_install.sh, you see it is complaining about the cleanup after the install, so I think it is harmless.

After that, the app menu does have Cisco AnyConnect under Internet, but it won't run. The error is "failed because of Certificate difficulties." Again, nobody can make it clear to me why we get that vague error or why this stupid fix works, but in /usr/local/firefox, create the symbolic links it asks for in Step 2.

Caution: I'm on Debian Multiarch right now, and first I tried to create the symbolic links from the /usr/lib/x86-linux-gnu folder into /usr/local/firefox, but the certificate error still arose. However, symlinking to the 32-bit versions fixed that. At the end, here's the output.

# ls -la /usr/local/firefox/
lrwxrwxrwx  1 root staff   35 Jan 27 20:41 libnspr4.so -> /usr/lib/i386-linux-gnu/libnspr4.so
lrwxrwxrwx  1 root staff   34 Jan 27 20:41 libnss3.so -> /usr/lib/i386-linux-gnu/libnss3.so
lrwxrwxrwx  1 root staff   34 Jan 27 20:42 libplc4.so -> /usr/lib/i386-linux-gnu/libplc4.so
lrwxrwxrwx  1 root staff   36 Jan 27 20:42 libsmime3.so -> /usr/lib/i386-linux-gnu/libsmime3.so
lrwxrwxrwx  1 root staff   38 Jan 27 20:42 libsoftokn3.so -> /usr/lib/i386-linux-gnu/libsoftokn3.so
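
The caution above is about links that exist but point at libraries of the wrong word size. The following is an added sketch, not part of the original post or of Cisco's installer: it checks the five links from Step 2 for missing entries, dangling targets, and an ELF class that differs from a reference binary. The reference-binary argument is an assumption, since the page does not give the client's install path.

```shell
#!/bin/sh
# Added example: audit the symlinks from Step 2.
# Usage (assumed): sh check_links.sh /usr/local/firefox /path/to/vpn/client/binary
# The second argument is a placeholder; the page does not name the binary's path.

LIBS="libnss3.so libplc4.so libnspr4.so libsmime3.so libsoftokn3.so"

# Print 32 or 64 for an ELF file (EI_CLASS byte at offset 4), "notelf" otherwise.
elf_class() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo notelf; return; }
    case $(od -An -tu1 -j4 -N1 "$1" | tr -d ' \n') in
        1) echo 32 ;;
        2) echo 64 ;;
        *) echo notelf ;;
    esac
}

# check_links DIR WANT_CLASS
# Prints one status line per library; returns non-zero if any link is a problem.
check_links() {
    dir=$1 want=$2 rc=0
    for lib in $LIBS; do
        link="$dir/$lib"
        if [ ! -L "$link" ]; then
            echo "$lib MISSING"; rc=1
        elif [ ! -e "$link" ]; then
            # The link exists but its target does not resolve.
            echo "$lib DANGLING -> $(readlink "$link")"; rc=1
        else
            got=$(elf_class "$link")
            if [ "$got" = "$want" ]; then
                echo "$lib OK $got"
            else
                echo "$lib WRONGCLASS $got (want $want)"; rc=1
            fi
        fi
    done
    return $rc
}

# Run only when both arguments are given, so the functions can also be sourced.
if [ "$#" -eq 2 ]; then
    check_links "$1" "$(elf_class "$2")"
fi
```

A WRONGCLASS line corresponds to the situation described in the caution: the link resolves, but to a library of a different word size than the reference binary.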

About pauljohn

Paul E. Johnson is a Professor of Political Science at the University of Kansas. He is an avid Linux User, an adequate system administrator and C programmer, and humility is one of his greatest strengths.