Working with Cisco Anyconnect on Linux
Cisco Anyconnect VPN is part of the Cisco security product stream Anyconnect Secure Mobility Client. It is the company’s ‘next generation’ Virtual Private Network (VPN) client. The first thing to point out is that there are actually two available products, which are both commonly referred to as Cisco Anyconnect VPN client. The two products’ full names are:
- Cisco Anyconnect VPN client
- Cisco Anyconnect Secure Mobility client
Cisco Anyconnect VPN client is what it says: a VPN client that the end-user can download and install on an end-point device such as a PC, laptop or tablet. There are versions for Windows, Linux, Mac and Android, and even versions for Apple iPhone, iPad and iPod. Be aware, however, that the Cisco Anyconnect VPN client is just that, a client: to function it needs to connect to a configured Cisco VPN server, such as an ASA firewall or a high-end Integrated Services IOS router.
Cisco Anyconnect Secure Mobility client is a packaged product containing several modules that extend the client’s capabilities and functions. These modules include the Anyconnect VPN client, which provides the core functionality. The bundled modules add the following capabilities:
- Network Access Manager – provides device authentication and connections to optional layer-2 networks, including Wi-Fi access points.
- Posture Assessment – performs a host scan of the end-device to determine the OS, anti-virus, anti-spyware and firewall software installed before the device is allowed to connect to the network.
- Telemetry – sends information about malicious content detected by the antivirus software to the IronPort Web Security Appliance (WSA) for analysis; the WSA can act on it by modifying URL content-filtering rules to further protect the network.
- Web security – routes web traffic (HTTP) to the ScanSafe Web Security scanning proxy for content analysis and malware detection. The scanning proxy also uses the web traffic information to apply the acceptable-use policy.
- Diagnostic and Reporting – captures snapshots of the client’s system logs for use by Cisco TAC when troubleshooting.
- Start Before Logon – starts the client VPN service before the end user logs on to the network.
- Customer Experience Feedback – used to provide Cisco with product feedback
In order to use all these modules the server VPN head-end has to be one of the Cisco ASA (Adaptive Security Appliance) family of products. Routers with IOS security option can only support the basic webVPN SSL feature.
Using a VPN for Remote Access
Mobility is a major feature of the modern network, with end-users who are no longer confined to geographical locations and static desktop host computers. Security policies have had to adapt to cater for the proliferation of BYOD (Bring Your Own Device) as companies accepted the benefits of allowing customer end-devices to connect to their secure networks. Allowing such devices to connect to the network is dangerous, as a device might have outdated antivirus or none installed at all. Therefore, the security administrator should seriously consider installing some of the extended modules when deploying Cisco Anyconnect Secure Mobility client.
Supported Linux OS Versions
The Anyconnect VPN client can be installed on a wide variety of Linux distributions such as Red Hat Enterprise, Fedora Core, OpenSuse, Slackware and Ubuntu.
Specifically, Cisco Anyconnect VPN client version 3 supports:
- Redhat Enterprise Desktop v5
- Redhat Enterprise Desktop v6
- Ubuntu 9.x
- Ubuntu 10.x
Installing Cisco Anyconnect on Linux
Step 1 – Cisco Anyconnect VPN client can be installed directly in stand-alone mode on the end-user’s computer by selecting the appropriate OS – in this case Linux. The files for all OSes are located in the same place and are available for download from Cisco.
The files for the generic Linux distribution come as a gzip-compressed tar archive. To unpack the archive with tar, enter
tar xvzf AnyConnect-Linux-Release-2.0.0xxx.tar.gz
The archive will be unpacked and the files placed in the folder ciscovpn.
Step 2 – Change to the ciscovpn folder as root and run the script vpn_install.sh as shown below
[root@linuxhost]# cd ciscovpn
[root@linuxhost ciscovpn]# ./vpn_install.sh
The Anyconnect VPN client installs in the /opt/cisco/vpn directory. The script installs the vpnagentd daemon and initializes it as a service that will automatically start during the system boot process.
Step 3 – After the script has run and installed the client, it starts the vpnagentd daemon. The user can now start the VPN client from the user interface or with the client’s VPN CLI command.
Alternatively, the VPN client can be started using the Linux command /opt/cisco/vpn/bin/vpnui
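The three steps above, collected into one script as an added example; this is not Cisco's installer and not code from the original page. It assumes the archive name pattern from step 1, the ciscovpn folder and vpn_install.sh from step 2, and the /opt/cisco/vpn/bin/vpnagentd path from step 3. The expected SHA-256 is a placeholder argument you replace with the value published beside the download. Before anything runs as root the script checks the archive hash and refuses a tarball whose member paths would write outside the extraction directory, which is the check a practitioner wants on any installer pulled from the network.

```shell
#!/bin/sh
# Added example: verify a downloaded AnyConnect archive, unpack it, run the
# installer and confirm the agent is up. Not Cisco's code. Paths and the
# archive name follow the page; the expected hash is supplied by the caller.

# Print the SHA-256 of a file, using whichever tool the host provides.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Read archive member names on stdin; fail if any is absolute or contains "..",
# so a tampered tarball cannot write outside the extraction directory.
archive_paths_safe() {
    while IFS= read -r name; do
        case "$name" in
            /*|..|../*|*/../*|*/..) return 1 ;;
        esac
    done
    return 0
}

# verify_and_unpack ARCHIVE EXPECTED_SHA256 [DESTDIR]
# Step 1 of the page, with the hash and member list checked before extraction.
verify_and_unpack() {
    archive="$1"; expected="$2"; dest="${3:-.}"
    actual=$(file_sha256 "$archive") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $archive" >&2
        return 1
    fi
    if ! tar tzf "$archive" | archive_paths_safe; then
        echo "refusing to unpack $archive: unsafe member path" >&2
        return 1
    fi
    tar xzf "$archive" -C "$dest"
}

# Step 2 of the page: run vpn_install.sh from inside the ciscovpn folder.
run_installer() {
    dir="${1:-ciscovpn}"
    if [ ! -f "$dir/vpn_install.sh" ]; then
        echo "no vpn_install.sh in $dir" >&2
        return 1
    fi
    [ -x "$dir/vpn_install.sh" ] || chmod u+x "$dir/vpn_install.sh"
    (cd "$dir" && ./vpn_install.sh)
}

# Step 3: confirm the agent landed in /opt/cisco/vpn and is running.
agent_installed() {
    [ -x /opt/cisco/vpn/bin/vpnagentd ] && pgrep -x vpnagentd >/dev/null 2>&1
}

# Usage (as root):
#   ./anyconnect-install.sh AnyConnect-Linux-Release-2.0.0xxx.tar.gz <sha256-from-download-page>
if [ $# -ge 2 ]; then
    verify_and_unpack "$1" "$2" && run_installer ciscovpn && agent_installed \
        && echo "vpnagentd is installed and running"
fi
```

The member-path check matters because tar will happily follow a `../` entry out of the working directory when run as root; the hash check catches a corrupted or substituted download before that point.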
Why Use Cisco Anyconnect VPN Client on Linux
A VPN client secures, authenticates and encrypts traffic between a client and its home network. This is a crucial requirement today in the age of increased mobility. Legacy VPN systems worked by utilizing the SSL (Secure Socket Layer) protocol to encapsulate the packets over a reliable TCP connection. SSL sits between the application and the transport layers and requires a reliable connection such as TCP. SSL therefore cannot be used to transport unreliable UDP datagram traffic.
A few years ago this wasn’t a problem, but today many applications use unreliable UDP transport. Protocols such as SIP for VoIP applications and the newer gaming protocols both require fast, unreliable packet delivery to function. For these applications it is pointless to resend a lost packet; by the time it arrives it is already out of date. To cater for these UDP protocols a new security protocol, Datagram Transport Layer Security (DTLS), was devised to handle UDP datagram traffic.
How the VPN Client works
Linux supports SSL, TLS and DTLS, so the Cisco Anyconnect VPN client first creates an SSL tunnel (Secure Sockets Layer) on the standard port 443 to the Adaptive Security Appliance (ASA). Once the TCP SSL tunnel is established, the client tries to negotiate a UDP DTLS tunnel (Datagram Transport Layer Security). While the DTLS tunnel is being negotiated and established, data and control packets continue to traverse the SSL tunnel. Once the DTLS tunnel is fully established the client shifts the data onto it, leaving the SSL tunnel for control packets and as a backup. If the DTLS tunnel is lost, the client shifts the data stream back to the SSL tunnel. The ASA always responds on the tunnel on which it received the data.
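The two-tunnel behaviour described in the previous two sections (TCP SSL tunnel first, UDP DTLS tunnel for data once negotiated, fallback to SSL when DTLS is lost) is visible from the client's own sockets. The following is an added example, not part of Cisco's client or the original page: it reads `ss -tunap` style output and reports whether the agent is on DTLS, on SSL only, or not connected. The ASA address, the vpnagentd process name and the sample lines (RFC 5737 documentation addresses) are constructed assumptions for this demonstration.

```shell
#!/bin/sh
# Added example: classify the AnyConnect tunnel state from `ss -tunap` output.
# Not Cisco's code. Assumes the agent process is named vpnagentd and that the
# caller knows the ASA's address.

# tunnel_state ASA_ADDRESS   (reads ss output on stdin)
# Prints one of:
#   dtls      TCP and UDP sockets to the ASA: data on DTLS, SSL kept for control
#   ssl-only  only the TCP socket: DTLS not yet negotiated, or lost and fallen back
#   none      no vpnagentd socket to the ASA
tunnel_state() {
    peer="$1"; tcp=0; udp=0
    while IFS= read -r line; do
        case "$line" in
            *'"vpnagentd"'*) ;;     # only the agent's sockets count
            *) continue ;;
        esac
        set -- $line                # split the ss columns on whitespace
        netid="$1"; state="$2"; remote="$6"
        case "$remote" in
            "$peer":*) ;;           # peer address:port column must be the ASA
            *) continue ;;
        esac
        if [ "$netid" = tcp ] && [ "$state" = ESTAB ]; then tcp=1; fi
        if [ "$netid" = udp ] && [ "$state" = ESTAB ]; then udp=1; fi
    done
    if [ "$tcp" = 1 ] && [ "$udp" = 1 ]; then
        echo dtls
    elif [ "$tcp" = 1 ]; then
        echo ssl-only
    else
        echo none
    fi
}

# Constructed `ss -tunap` lines as an offline sample (not captured from a real
# host): the agent's TCP and UDP sockets to the ASA plus an unrelated browser socket.
sample_ss() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port   Process
tcp   ESTAB  0      0      192.0.2.10:51234    198.51.100.5:443    users:(("vpnagentd",pid=1234,fd=12))
udp   ESTAB  0      0      192.0.2.10:51235    198.51.100.5:443    users:(("vpnagentd",pid=1234,fd=14))
tcp   ESTAB  0      0      192.0.2.10:40000    203.0.113.9:443     users:(("firefox",pid=2222,fd=80))
EOF
}

# Stand-alone run over the sample. On a real host:  ss -tunap | tunnel_state <ASA address>
sample_ss | tunnel_state 198.51.100.5
```

A connected UDP socket shows as ESTAB in `ss` just like a TCP one, which is why the same state test works for both tunnels. If you watch the output while a DTLS-hostile path (UDP dropped by a middlebox) is in place, the report stays at ssl-only, matching the fallback behaviour the text describes.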